42-22
FireSIGHT System User Guide
Chapter 42      Enhancing Network Discovery
Working with Application Detectors
When creating a user-defined application protocol detector, you must specify the protocol of traffic (TCP, UDP, or both) the detector should inspect. Optionally, you can specify a port that the traffic uses. Note that if you do not specify a port, you must configure the detector to inspect traffic for matches to one or more patterns, as described in
To specify detection criteria for an application protocol detector:
Access: Admin/Discovery Admin
Step 1
On the Create Detector page, from the Protocol drop-down list, select the protocol for traffic the detector should inspect.
Detectors can inspect TCP, UDP, or TCP and UDP traffic.
Step 2
Optionally, to identify application protocol traffic based on the port it uses, type a port from 1 to 65535 in the Port(s) field. To use multiple ports, separate them by commas.
Step 3
You have the following options:
  • If you want to configure the application protocol detector to inspect traffic for matches to one or more patterns that occur in traffic for that application protocol, continue with the procedure in the next section,
  • If you want to test the new detector against the contents of one or more PCAP files, skip to .
  • If you are done creating the detector, click Save.
The application protocol detector is saved.
Note that you must activate the detector before the system can use it to analyze application protocol traffic. For more information, see .
Adding Detection Patterns to an Application Protocol Detector
License: FireSIGHT
If you know that the header for any packet containing application protocol traffic contains a particular pattern string, you can configure a user-defined application protocol detector to search for that pattern. Application protocol detectors can search for ASCII or hexadecimal patterns, using any offset. You can also configure detectors to search for multiple patterns; in that case the application protocol traffic must match all of the patterns for the detector to positively identify the application protocol.
Note that if you do not specify a pattern, you must configure the detector to inspect traffic that uses one or more ports, as described in
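The rules stated in this section and in the detection-criteria procedure above (protocol is TCP, UDP, or both; ports are optional and comma-separated in the 1 to 65535 range; a detector needs at least a port or a pattern; patterns are ASCII or hex at a byte offset and must all match; a saved detector does nothing until it is activated) are small enough to model end to end. The following Python is an added example written for this page, not Cisco's code and not how the FireSIGHT System implements detectors internally; the detector name `myapp`, the ports 4242 and 4243, the `MYAP` tag, and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass

VALID_PROTOCOLS = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Pattern:
    """One detection pattern: ASCII or hex content expected at a byte offset."""
    kind: str          # "ascii" or "hex", the two types the guide offers
    value: str
    offset: int = 0    # byte offset into the packet where the pattern starts

    def as_bytes(self) -> bytes:
        if self.kind == "ascii":
            return self.value.encode("ascii")
        if self.kind == "hex":
            return bytes.fromhex(self.value)
        raise ValueError(f"unknown pattern type: {self.kind}")


@dataclass
class Detector:
    name: str
    protocols: frozenset             # subset of {"tcp", "udp"}
    ports: frozenset = frozenset()   # empty means "any port"
    patterns: tuple = ()             # every pattern must match
    active: bool = False             # a saved detector is inert until activated


def parse_ports(text: str) -> frozenset:
    """Parse the comma-separated Port(s) field, e.g. "80, 8080", into a set of ints."""
    ports = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return frozenset(ports)


def validate(det: Detector) -> None:
    """Reject configurations the guide rules out: bad protocol, or neither port nor pattern."""
    if not det.protocols or not det.protocols <= VALID_PROTOCOLS:
        raise ValueError("protocol must be TCP, UDP, or both")
    if not det.ports and not det.patterns:
        raise ValueError("a detector needs at least one port or one pattern")
    for p in det.patterns:
        if p.offset < 0:
            raise ValueError("offset must be non-negative")
        if not p.as_bytes():   # also raises on malformed hex or non-ASCII text
            raise ValueError("pattern must not be empty")


def is_valid(det: Detector) -> bool:
    try:
        validate(det)
    except ValueError:
        return False
    return True


def matches(det: Detector, protocol: str, port: int, packet: bytes) -> bool:
    """True if the packet is identified as the detector's application protocol."""
    if not det.active:
        return False
    if protocol not in det.protocols:
        return False
    if det.ports and port not in det.ports:
        return False
    for p in det.patterns:          # all patterns must match, each at its own offset
        expected = p.as_bytes()
        if packet[p.offset:p.offset + len(expected)] != expected:
            return False
    return True


# Constructed detector (hypothetical "myapp" protocol): TCP on 4242 or 4243, packets
# start with the ASCII tag "MYAP" followed by a two-byte version field 00 01 at offset 4.
MYAPP = Detector(
    name="myapp",
    protocols=frozenset({"tcp"}),
    ports=parse_ports("4242, 4243"),
    patterns=(Pattern("ascii", "MYAP", 0), Pattern("hex", "0001", 4)),
)
validate(MYAPP)
MYAPP.active = True   # the guide's separate activation step

# Constructed packets, not real captures.
GOOD_PACKET = b"MYAP\x00\x01" + b"hello"
PARTIAL_PACKET = b"MYAP\x00\x02" + b"hello"   # first pattern matches, second does not

if __name__ == "__main__":
    print("tcp/4242 good packet:", matches(MYAPP, "tcp", 4242, GOOD_PACKET))
    print("udp/4242 good packet:", matches(MYAPP, "udp", 4242, GOOD_PACKET))
    print("tcp/4242 partial packet:", matches(MYAPP, "tcp", 4242, PARTIAL_PACKET))
```

The two points worth checking with it are the ones the text states but a reader may not try: a packet that satisfies only one of two patterns is not identified, and a detector that passes validation still identifies nothing until `active` is set.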
To add a detection pattern to an application protocol detector:
Access: Admin/Discovery Admin
Step 1
On the Create Detector page, in the Detection Patterns section, click Add.
The Add Pattern pop-up window appears.
Step 2
Specify the pattern type you want to detect: Ascii or Hex.