User Defined Application

This feature gives you the ability to classify the applications by the DPI engine. This allows unclassified TCP, UDP, HTTP, and HTTPS applications to be identified and named with the help of user defined application signatures.

To configure User Defined Application signatures :

Step Number Task Refer the following

1

Create rules under User Defined Application Section

Create rules under User Defined Application

2

Configure Application Intelligence Session

 

For Physical:

Application Intelligence Session

For Virtual:

Configure Application Intelligence Session

3

Monitor User Defined Application

View the Application Intelligence Dashboard

 

Create Rules under User Defined Application

1. Click Inventory.

2. Click User Defined Applications to create rules based on a set of Supported Protocols and Attributes. For information on Supported protocols and Attributes refer User Defined Application topic. This helps the physical or virtual node to classify the traffic based on the protocols and attributes selected in the created rule.

3. Click New in the User Defined Applications screen to create a new rule.

4. Enter Application Name.

5. Enter Priority. The value must be between 1 and 120.

Note: The least value will have the highest priority.

6. In the created rule:

a. Choose the Protocol from the list of protocols.
b. Choose the Attributes from the list of attributes.
c. Choose the Values from the list of values.

7. Click Apply. The rule is now created. For information on the limitations for creating rules refer Configuration Limitations section.

8. Click the application listed under the Applications column.

9. Click the Rule tab.

10. Select a rule to view its protocol details.

Supported Protocols and Attributes

The DPI engine will match the rules defined based on the following protocols and attributes within the first 500 bytes of a packet payload.

For supported Regex patterns, refer Supported RegExp Syntax

Protocol Attributes

Attribute

Labels

Description

 

Direction Supported Data Type Example Value
http cts-uri Request URI Partially Normalized URL (path + request) Client to Server Only REGEXP \/fupload\/(create_file|new_slice|upload_slice)\?.*upload_token=.*
cts-server Server Name Web Server Name from URI or Host Client to Server Only REGEXP (.*\.)?gigamon\.com
mime_type MIME Type Content type of Request or the Web page Both, Client to Server or Server to Client REGEXP http
cts-user_agent User Agent Software / Browser used for request Client to Server Only REGEXP mozilla
cts-referer Referer URI Source address where client got the URI Client to Server Only REGEXP http:\/\/gigamon.com\/
stc-server_agent Server Agent Software used for the server Server to Client Only REGEXP NWS_TCloud_PX
stc-location Redirect Location Destination address where the client is redirected to Server to Client Only REGEXP .*\/football\/.*
  cts-cookie Cookie (Raw) Raw value of the HTTP Cookie header line Client to Server Only REGEXP .*tEstCoOkie.*
  content Content Message body content

Both, Client to Server or Server to Client

REGEXP

.*GIGAMON.*

mindata = 206

Refer Mindata

 

ssl common_name Domain Name Domain name from Client Hello message or the certificate   REGEXP (.*\.)?gigamon\.com
stc-subject_alt_name Subject Alt Name(s) List of host names which belong to the same certificate Server to Client Only REGEXP (.*\.)?gigamon\.com
rtmp cts-page_url Page URL URL of the webpage where the audio/video content is streamed Client to Server Only REGEXP http:\/\/www.music.tv\/recorded\/1234567
tcp stream Payload Data Data payload for a packet, excluding the header.   REGEXP

.*GIGAMON.*

mindata = 70

Refer Mindata

port Server Port Server (listen) port number   UINT16 RANGE as REGEXP String 80-4350
udp stream Payload Data Data payload for a packet, excluding the header   REGEXP

.*GIGAMON.*

mindata = 100

Refer Mindata

port Server Port Server (listen) port number   UINT16 RANGE as REGEXP String 80-4350
sip user_agent User Agent Software used Both, Client to Server or Server to Client REGEXP GVUE-release 6.2.0
icmp code Message Code Code of the ICMP message Both, Client to Server or Server to Client UINT8 as REGEXP String 200
typeval Message Type Type of ICMP message Both, Client to Server or Server to Client UINT8 as REGEXP String 10
ip address Server IP Address IP address of the server   IPV4 as REGEXP String 62.132.12.30\/24
  dscp DSCP Value DSCP from Differentia ted Service (DS) Field in IP header   UINT8 as REGEXP String 33
  resolv_ name DNS Name Server's DNS name   REGEXP gigamon.com
ipv6 address Server IP Address IP address of the server   IPV6 as REGEXP String 2001:0:9d38:6ab8:307b:16a 4:9c66:5f4 2001:0:9d38::9c66:5f4/64
  dscp DSCP Value DSCP from Differentia ted Service (DS) Field in IP header   UINT8 as REGEXP String 43

Mindata

The mindata value is the number of payload bytes to buffer and match a given pattern. You can configure mindata value for HTTP content, TCP stream, and UDP stream. The buffer size is calculated from the start of the payload and the default buffer size is different for each protocol (HTTP - 206, TCP - 67, and UDP - 48.)

For example, for pattern ".*TEST.*" that may be present within the first 67 bytes of TCP payload, you can specify the mindata value as 4 (which is the length of the input string) or as 67 (which is the default buffer size of TCP payload). In case, the pattern is present in between 65 to 68 bytes of the payload and the mindata is specified as 4 or 67, it will not match. For this case, you must specify the mindata value as 68.

Supported RegExp Syntax

Pattern Description
. Matches any symbol
* Searches for 0 or more occurrences of the symbol or character set that precedes it
+ Searches for 1 or more occurrences of the symbol or character set that precedes it
? Searches for 0 or 1 occurrence of the symbol or character set that precedes it

( )

[ ]

Groups a series of expressions together

Matches any value included within the bracket at its current position

Example: [Dd]ay matches Day and day

|

[<start>-<end>]

Separates values contained in ( ). Searches for any one of the values that it separates. Example: The following expression matches dog or cat: (dog | cat). Matches any value contained within the defined range (a hyphen indicates the range). You can mix character class and a hexadecimal range

Example: [AaBbCcDdEeFf0-9]

\0 <octal_number> Matches for a direct binary with octal input
\x<hexadecimal-number>\x Matches for a direct binary with hexadecimal input
\[<character-set>\] Matches a character set while ignoring case. WARNING: Not performance friendly

Limitations

■   The maximum number of user defined application that can be configured is 120 per FM. These applications can be spread across one or more application intelligence sessions.
■   The maximum number of rules that can be created per application is 8.
■   The maximum number of protocols that can be configured per rule is 3.