FireSIGHT System User Guide
 
Chapter 35      Introduction to Network Discovery
  Understanding Discovery Data Collection
Implied Application Protocol Detection from Client Detection
License: FireSIGHT
If the system can identify the client used in a connection between a monitored host accessing a 
non-monitored server, the Defense Center infers that the connection is using the application protocol that 
corresponds with the client. (Because the system tracks applications only on monitored networks, 
connection logs usually do not include application protocol information for connections where a 
monitored host is accessing a non-monitored server.) 
There are several consequences of the implied detection of an application protocol from the detection of a client:
  • Because the system does not generate a New TCP Port or New UDP Port event for these servers, the server does not appear in the Servers table. In addition, you cannot trigger either discovery event alerts or correlation rules using the detection of these application protocols as a criterion.
  • Because the application protocol is not associated with a host, you cannot view its details in host profiles, set its server identity, or use its information in host profile qualifications for traffic profiles or correlation rules. In addition, the system does not associate vulnerabilities with hosts based on this type of detection.
You can, however, trigger correlation events on the application protocol information in a connection. You can also use the application protocol information in connection logs to create connection trackers and traffic profiles.
Table 35-3    FireSIGHT System Identification of Application Protocols

Application: the application protocol name
Description: The Defense Center identifies an application protocol with its name if the application protocol was:
  • positively identified by the system
  • identified using NetFlow data and there is a port-application protocol correlation in /etc/sf/services
  • manually identified using the host input feature
  • identified by Nmap or another active source

Application: pending
Description: The Defense Center identifies an application protocol as pending if the system can neither positively nor negatively identify the application.
Most often, the system needs to collect and analyze more connection data (from which applications are identified) before it can identify a pending application.
In the Application Details and Servers tables and in the host profile, the pending status appears only for application protocols where specific application protocol traffic was detected (rather than implied by detected client or web application traffic).

Application: unknown
Description: The Defense Center identifies an application protocol as unknown if the application:
  • does not match any of the system's detectors
  • was identified using NetFlow data, but there is no port-application protocol correlation in /etc/sf/services

Application: blank
Description: All available detected data has been examined and no application protocol was identified. In the Application Details and Servers tables and in the host profile, the application protocol is left blank for non-HTTP generic client traffic with no detected application protocol.
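The following Python script is an added example, not code from the FireSIGHT guide or from Cisco: it models the decision logic described above and in Table 35-3 so that a defender can see how one connection's evidence ends up as a named protocol, pending, unknown or blank, and when a protocol is only implied from the client (and therefore absent from the Servers table). The record fields, the precedence in which the rules are checked, the client-to-protocol mapping and the layout of the /etc/sf/services stand-in are all assumptions made for the example; the guide does not document the file's format.

```python
"""Toy model of FireSIGHT application protocol identification (added example).

Assumptions (not from the guide): the evidence record layout, the order in
which rules are applied, the client-to-protocol table, and the services file
format, which is modelled here on the classic /etc/services "name port/proto"
layout.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for /etc/sf/services (format is an assumption).
SF_SERVICES_TEXT = """\
# name   port/proto
http     80/tcp
https    443/tcp
ssh      22/tcp
dns      53/udp
"""

# Constructed mapping from an identified client to the application protocol
# it speaks; used only for the "implied from client" rule.
CLIENT_TO_APP_PROTOCOL = {"Firefox": "HTTP", "OpenSSH": "SSH", "Thunderbird": "IMAP"}


def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Build a (port, proto) -> application protocol name map from the file text."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, port_proto = line.split()
        port, proto = port_proto.split("/")
        table[(int(port), proto.lower())] = name
    return table


@dataclass
class Evidence:
    """What the system knows about one connection (field names are assumed)."""
    source: str                      # "detector" | "netflow" | "host_input" | "nmap"
    name: Optional[str] = None       # protocol name when the source supplied one
    pending: bool = False            # detector saw protocol traffic but needs more data
    dst_port: int = 0
    proto: str = "tcp"
    client: Optional[str] = None     # client identified on the monitored host
    server_monitored: bool = True    # is the server inside a monitored network?
    generic_client: bool = False     # non-HTTP generic client traffic


@dataclass
class Identification:
    label: str      # protocol name, "pending", "unknown" or "" (blank)
    implied: bool   # inferred from the client only (no New TCP/UDP Port event)


def identify(ev: Evidence, services: Dict[Tuple[int, str], str]) -> Identification:
    """Apply the rules of Table 35-3 plus the implied-from-client rule."""
    # Implied detection: client known, server not monitored, no positive match.
    if ev.client and not ev.server_monitored and ev.name is None:
        proto = CLIENT_TO_APP_PROTOCOL.get(ev.client)
        if proto:
            return Identification(proto, implied=True)

    # Host input and active sources (e.g. Nmap) supply the name directly.
    if ev.source in ("host_input", "nmap") and ev.name:
        return Identification(ev.name, implied=False)

    # NetFlow: only a port-to-protocol correlation in the services file names it.
    if ev.source == "netflow":
        name = services.get((ev.dst_port, ev.proto.lower()))
        return Identification(name if name else "unknown", implied=False)

    # Detector-based identification.
    if ev.name:
        return Identification(ev.name, implied=False)
    if ev.pending:
        return Identification("pending", implied=False)
    if ev.generic_client:
        return Identification("", implied=False)     # left blank
    return Identification("unknown", implied=False)


def appears_in_servers_table(ident: Identification) -> bool:
    """Implied protocols and blank entries do not produce a Servers table row."""
    return not ident.implied and ident.label != ""


if __name__ == "__main__":
    svc = parse_services(SF_SERVICES_TEXT)
    for ev in (Evidence("detector", name="SSH"),
               Evidence("netflow", dst_port=443),
               Evidence("netflow", dst_port=8443),
               Evidence("detector", pending=True),
               Evidence("detector", client="OpenSSH", server_monitored=False)):
        ident = identify(ev, svc)
        print(ev.source, ident.label or "<blank>", "implied" if ident.implied else "")
```

The implied-from-client rule is checked first because the page states it applies precisely when the system has no positive identification for a non-monitored server; reordering the rules changes the outcome for such connections, which is why the precedence is labelled an assumption.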