FireSIGHT System User Guide
Chapter 42  Enhancing Network Discovery
Working with Application Detectors
Step 3  Type a string of the type you specified in the Pattern String field.
Step 4  Optionally, specify where in a packet the system should begin searching for the pattern; this is called the offset. Type the offset (in bytes from the beginning of the packet payload) in the Offset field.
Because packet payloads start at byte 0, calculate the offset by subtracting 1 from the number of bytes you want to move forward from the beginning of the packet payload. For example, to look for the pattern in the fifth bit of the packet, type 4 in the Offset field.
Step 5  Optionally, repeat steps  to  to add additional patterns.
Tip  To delete a pattern, click the delete icon next to the pattern you want to delete.
Step 6  You have the following options:
  • If you want to test the new detector against the contents of one or more PCAP files, continue with the procedure in the next section, Testing an Application Protocol Detector Against Packet Captures.
  • If you are done creating the detector, click Save.
The application protocol detector is saved.
Note  You must activate the detector before the system can use it to analyze application protocol traffic. For more information, see .
Testing an Application Protocol Detector Against Packet Captures
License: FireSIGHT
If you have a packet capture (PCAP) file that contains packets with traffic from the application protocol you want to detect, you can test a user-defined application protocol detector against that PCAP file. Note that PCAP files must be 32KB or smaller; if you try to test your detector against a larger PCAP file, the Defense Center automatically truncates it.
To test an application protocol detector against a PCAP file:
Access: Admin/Discovery Admin
Step 1  On the Create Detector page, in the Packet Captures section, click Add.
A pop-up window appears.
Step 2  Browse to the PCAP file and click OK.
The PCAP file appears in the Packet Captures file list.
Step 3  To test your detector against the contents of the PCAP file, click the evaluate icon next to the PCAP file.
A message appears, indicating whether the test succeeded.
Step 4  Optionally, repeat steps  to  to test the detector against additional PCAP files.
Tip  To delete a PCAP file, click the delete icon next to the file you want to delete.
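The 0-based offset rule from Step 4 above and the 32KB PCAP limit of this section, illustrated as an added example that is not Cisco's code and does not reproduce the Defense Center's detector engine. It assumes a plain little- or big-endian pcap of Ethernet/IPv4/TCP frames, matches a pattern at a fixed byte offset into the TCP payload, and truncates oversized input the way the guide describes; the sample capture is constructed in the script.

```python
import struct

MAX_PCAP_BYTES = 32 * 1024  # the guide states larger PCAP files are truncated

def pattern_at_offset(payload: bytes, pattern: bytes, offset: int = 0) -> bool:
    """True if `pattern` starts exactly `offset` bytes (0-based) into the payload."""
    return payload[offset:offset + len(pattern)] == pattern

def tcp_payload(frame: bytes):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else (assumed framing)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                # skip Ethernet + IPv4 header (IHL)
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # skip TCP header (data offset)

def scan_pcap(pcap: bytes, pattern: bytes, offset: int = 0) -> list:
    """Indices of packets whose TCP payload carries `pattern` at `offset`."""
    pcap = pcap[:MAX_PCAP_BYTES]                      # mimic the 32KB truncation
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos, idx, hits = 24, 0, []                        # 24-byte pcap global header
    while pos + 16 <= len(pcap):                      # 16-byte per-packet record header
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break                                     # record cut off by truncation
        payload = tcp_payload(frame)
        if payload is not None and pattern_at_offset(payload, pattern, offset):
            hits.append(idx)
        pos, idx = pos + 16 + incl_len, idx + 1
    return hits

def build_pcap(payloads) -> bytes:
    """Constructed sample: minimal little-endian pcap of Ethernet/IPv4/TCP frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for data in payloads:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture: only packet 0 has the marker at payload offset 4 (the "fifth byte").
SAMPLE_PCAP = build_pcap([b"XXXXMYPROTO", b"MYPROTO hello", b"xxxxmyproto"])
```

Keep test captures under the 32KB limit by trimming them to the first packets of the flow you care about; otherwise the trailing packets never reach the detector, as the truncation branch above shows.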