Custom Application Detector and User-Defined Application Fields

Custom Application Detector Fields: General

You can use the following fields to configure custom application detectors and user-defined applications.

Use the following fields to configure basic and advanced custom application detectors.

Application Protocol

The application protocol you want to detect. This can be a system-provided application or a user-defined application.

If you want the application to be available for exemption from active authentication (configured in your identity rules), you must select or create an application protocol with the User-Agent Exclusion tag.

Description

A description for the application detector.

Name

A name for the application detector.

Detector Type

The type of detector, Basic or Advanced. Basic application detectors are created in the web interface as a series of fields. Advanced application detectors are created externally and uploaded as custom .lua files.

Custom Application Detector Fields: Detection Patterns

Use the following fields to configure the detection patterns for basic custom application detectors.

Direction

The source of the traffic the detector should inspect, Client or Server.

Offset

The location in a packet, in bytes from the beginning of the packet payload, where the system should begin searching for the pattern.

Because packet payloads start at byte 0, the offset is one less than the position of the byte at which you want the search to begin. For example, to look for the pattern starting at the fifth byte of the payload, type 4 in the Offset field.

Pattern

The pattern string associated with the Type you selected.

Ports

The port of the traffic the detector should inspect.

Protocol

The protocol you want to detect. Your protocol selection determines whether the Type or the URL field displays.

The protocol (and, in some cases, your subsequent selections in the Type and Direction fields) determines the type of application detector you create: web application, client, or application protocol.

Detector Type          Protocol     Type or Direction
Web Application        HTTP         Type is Content Type or URL
Web Application        RTMP         Any
Web Application        SSL          Any
Client                 HTTP         Type is User Agent
Client                 SIP          Any
Client                 TCP or UDP   Direction is Client
Application Protocol   TCP or UDP   Direction is Server

Type

The type of pattern string you entered. The options you see are determined by the Protocol you selected. If you selected RTMP as the protocol, the URL field displays instead of the Type field.

Note
If you select User Agent as the Type, the system automatically sets the Tag for the application to User-Agent Exclusion.

The Type you select determines the characteristics of the string you enter in the Pattern field:

Ascii

The string is ASCII encoded.

Common Name

The string is the value in the commonName field within the server response message.

Content Type

The string is the value in the content-type field within the server response header.

Hex

The string is in hexadecimal notation.

Organizational Unit

The string is the value in the organizationName field within the server response message.

SIP Server

The string is the value in the From field within the message header.

SSL Host

The string is the value in the server_name field within the ClientHello message.

URL

The string is a URL.

Note
The detector assumes that the string you enter is a complete section of the URL. For example, entering cisco.com would match www.cisco.com/support and www.cisco.com, but not www.wearecisco.com.

User Agent

The string is the value in the user-agent field within the GET request header. User Agent is also available for the SIP protocol, where it indicates that the string is the value in the User-Agent field within the SIP message header.

URL

Either a full URL or a section of a URL from the swfURL field within the C2 message of an RTMP packet. This field displays instead of the Type field when you select RTMP as the Protocol.

Note
The detector assumes that the string you enter is a complete section of the URL. For example, entering cisco.com would match www.cisco.com/support and www.cisco.com, but not www.wearecisco.com.
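The Offset, Pattern, Type and URL fields above describe how a basic detector locates a pattern in a payload or URL. The following Python model is an added example written for this page; it is not Cisco's matching engine and none of its names (PatternRule, matches_payload, url_section_matches) exist in the product. It shows the zero-indexed Offset semantics with Ascii and Hex patterns, and one reading of the "complete section of the URL" note, in which the typed string must be bounded on both sides by a URL separator or by the start or end of the URL; that boundary rule, the sample payload and the sample URLs are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed model of a basic detector's detection-pattern fields. This is
# not the product's own matching code; the names and the URL boundary rule
# are assumptions made for illustration.


@dataclass(frozen=True)
class PatternRule:
    pattern: str      # the Pattern field as typed in the web interface
    ptype: str        # the Type field: "Ascii" or "Hex" for raw payload patterns
    offset: int = 0   # the Offset field: zero-indexed bytes into the payload


def pattern_bytes(rule: PatternRule) -> bytes:
    """Turn the typed pattern into the bytes to search for."""
    if rule.ptype == "Hex":
        # e.g. "474554" or "47 45 54", the hex notation for the ASCII string GET
        return bytes.fromhex(rule.pattern)
    if rule.ptype == "Ascii":
        return rule.pattern.encode("ascii")
    raise ValueError(f"unsupported payload pattern type: {rule.ptype}")


def offset_for_byte_position(position: int) -> int:
    """Offset to type for a 1-based byte position: the fifth byte is offset 4."""
    if position < 1:
        raise ValueError("byte positions are counted from 1")
    return position - 1


def matches_payload(rule: PatternRule, payload: bytes) -> bool:
    """True if the pattern occurs in the payload at or after rule.offset.

    Payload byte 0 is offset 0, so an offset of 4 starts the search at the
    fifth byte; bytes before the offset are never examined.
    """
    if rule.offset < 0 or rule.offset >= len(payload):
        return False
    return payload.find(pattern_bytes(rule), rule.offset) != -1


# Characters that can continue a URL section (assumed); anything else is a
# separator, so a match must not be immediately preceded or followed by one.
_SECTION_CHAR = r"[A-Za-z0-9-]"


def url_section_matches(section: str, url: str) -> bool:
    """Model of the "complete section of the URL" rule for URL-type patterns.

    The typed string must be delimited on both sides by a URL separator
    ('.', '/', ':', '?', ...) or by the start or end of the URL, so
    'cisco.com' matches 'www.cisco.com/support' and 'www.cisco.com' but not
    'www.wearecisco.com', where it is only a suffix of the 'wearecisco' label.
    """
    bounded = (r"(?<!" + _SECTION_CHAR + ")" + re.escape(section)
               + r"(?!" + _SECTION_CHAR + ")")
    return re.search(bounded, url) is not None


if __name__ == "__main__":
    # Constructed sample payload: four leading bytes, then an HTTP request line.
    payload = b"ABCDGET / HTTP/1.1\r\n"
    print(matches_payload(PatternRule("GET", "Ascii", offset_for_byte_position(5)), payload))  # True
    print(matches_payload(PatternRule("GET", "Ascii", 5), payload))  # False: search starts after the G
    print(matches_payload(PatternRule("47 45 54", "Hex", 4), payload))  # True
    for url in ("www.cisco.com/support", "www.cisco.com", "www.wearecisco.com"):
        print(url, url_section_matches("cisco.com", url))
```

Running the block shows the two points the fields depend on: an Offset of 4 (not 5) finds a pattern that begins at the fifth payload byte, and a URL pattern only matches where it forms a whole section of the URL rather than the tail of a longer label.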

User-Defined Application Fields

Use the following fields to configure user-defined applications within basic and advanced custom application detectors.

Business Relevance

The likelihood that the application is used within the context of your organization’s business operations, as opposed to recreationally: Very High, High, Medium, Low, or Very Low. Select the option that best describes the application.

Categories

A general classification for the application that describes its most essential function.

Description

A description for the application.

Name

A name for the application.

Risk

The likelihood that the application is used for purposes that might be against your organization’s security policy: Very High, High, Medium, Low, or Very Low. Select the option that best describes the application.

Tags

One or more predefined tags that provide additional information about the application. If you want an application to be available for exemption from active authentication (configured in your identity rules), you must add the User-Agent Exclusion tag to your application.