Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 42 Enhancing Network Discovery
Working with Application Detectors
You have full control over imported and user-defined detectors; you can activate, deactivate, edit,
import, export, and delete them. An example of a pattern-based detector is a user-defined detector
using a pattern in the packet header to detect traffic for a custom application.
Keep in mind that the detector list may change depending on the version of the FireSIGHT System and
the VDB you have installed, as well as on any individual detectors you may have imported or created.
You should carefully read the release notes for each FireSIGHT System update as well as the advisories
for each VDB update for information on updated detectors.
For more information, see:
Creating a User-Defined Application Protocol Detector
License: FireSIGHT
If you use custom applications on your network, you can create user-defined application protocol
detectors that provide the system with the information it needs to identify those applications. You can
base application protocol detection on the port or ports used by application traffic, patterns within the
traffic, or on both ports and patterns.
For example, if you expect traffic for a custom application protocol to use port 1180, you can create an
application protocol detector that detects traffic on that port. As another example, if you know that the
header for any packet containing application protocol traffic has the string ApplicationName in it, you
can create a detector that registers the ASCII string ApplicationName as a pattern to match.
You can only create user-defined application detectors for application protocols, not for clients or for
web applications. Note that client sessions must include a response from the server for application
detection to occur.
Caution
When you create and activate a new application detector, a short pause in traffic flow and processing may
occur on your managed devices, which may also cause a few packets to pass uninspected.
User-defined application protocol detectors must use either a port or a pattern match; you cannot create
a detector that uses neither, even if you base the detector on an existing detector. You can also create a
detector that uses both criteria; this increases the likelihood of correctly identifying traffic for that
application protocol.
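To make the port-versus-pattern trade-off concrete, the following Python model is added here as an example; it is not FireSIGHT code and does not reproduce how a managed device actually classifies traffic. It evaluates a detector that uses a port, a pattern, or both against constructed flows, enforces the rule that a detector needs at least one criterion, and treats a flow with no server response as unidentified. The detector names, the ApplicationName protocol strings and the flow records are assumptions constructed for the example.

```python
"""Illustrative model of port/pattern application protocol detection.

Added example, not FireSIGHT code. It shows how a user-defined detector
that matches on a port, a pattern, or both would classify constructed
flows, why combining the criteria removes a false positive, and why a
flow with no server response is never identified.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Detector:
    """User-defined detector: at least one of port or pattern is required."""
    name: str
    port: Optional[int] = None          # TCP/UDP port the application uses
    pattern: Optional[bytes] = None     # ASCII pattern expected in the payload

    def __post_init__(self) -> None:
        # Mirrors the documented rule: a detector cannot use neither criterion.
        if self.port is None and self.pattern is None:
            raise ValueError("detector must use a port, a pattern, or both")


@dataclass(frozen=True)
class Flow:
    """Constructed flow record: server port plus client and server payloads."""
    server_port: int
    client_payload: bytes
    server_payload: bytes = b""      # empty means the server never answered


def matches(detector: Detector, flow: Flow) -> bool:
    """Return True if every configured criterion of the detector is met.

    Detection only happens once the server has responded, so a flow with no
    server payload never matches, whatever the criteria are.
    """
    if not flow.server_payload:
        return False
    if detector.port is not None and flow.server_port != detector.port:
        return False
    if detector.pattern is not None:
        # Modeling choice: search the pattern in both directions of the session.
        payload = flow.client_payload + flow.server_payload
        if detector.pattern not in payload:
            return False
    return True


def identify(detectors: Iterable[Detector], flow: Flow) -> Optional[str]:
    """Name of the first detector whose criteria the flow satisfies, else None."""
    for d in detectors:
        if matches(d, flow):
            return d.name
    return None


# Hypothetical detectors for the custom "ApplicationName" protocol from the text.
PORT_ONLY = Detector("custom-port", port=1180)
PATTERN_ONLY = Detector("custom-pattern", pattern=b"ApplicationName")
PORT_AND_PATTERN = Detector("custom-both", port=1180, pattern=b"ApplicationName")

# Constructed sample flows (not captured traffic).
REAL_APP = Flow(1180, b"ApplicationName/1.0 HELLO\r\n", b"ApplicationName/1.0 OK\r\n")
OTHER_ON_1180 = Flow(1180, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", b"HTTP/1.1 200 OK\r\n")
APP_ON_ODD_PORT = Flow(4444, b"ApplicationName/1.0 HELLO\r\n", b"ApplicationName/1.0 OK\r\n")
NO_RESPONSE = Flow(1180, b"ApplicationName/1.0 HELLO\r\n")

if __name__ == "__main__":
    flows = (REAL_APP, OTHER_ON_1180, APP_ON_ODD_PORT, NO_RESPONSE)
    for d in (PORT_ONLY, PATTERN_ONLY, PORT_AND_PATTERN):
        print(d.name, [matches(d, f) for f in flows])
```

Running the block prints one row per detector: the port-only detector accepts the unrelated HTTP session on port 1180, the pattern-only detector accepts the application on any port, and the combined detector accepts only the real application; none of them identifies the flow that never got a server response.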
Tip
If you have already created a detector on another Defense Center, you can export it and then import it
onto this Defense Center. You can then edit the imported detector to suit your needs. You can export and
import user-defined detectors as well as detectors provided by Cisco Professional Services. However,
you cannot export or import any other type of Cisco-provided detectors. For more information, see
To create a user-defined application protocol detector:
Access: Admin/Discovery Admin
Step 1 Select Policies > Application Detectors.