User Defined Application
This feature lets you define how the DPI engine classifies applications. With user defined application signatures, otherwise unclassified TCP, UDP, HTTP, and HTTPS applications can be identified and named.
To configure User Defined Application signatures:
Step Number | Task | Refer the following |
1 | Create rules under User Defined Application Section | Create rules under User Defined Application |
2 | Configure Application Intelligence Session | For Physical: Application Intelligence Session For Virtual: |
3 | Monitor User Defined Application | |
Create Rules under User Defined Application
1. Click Inventory.
2. Click User Defined Applications to create rules based on a set of Supported Protocols and Attributes. For information on supported protocols and attributes, refer to the User Defined Application topic. This helps the physical or virtual node classify the traffic based on the protocols and attributes selected in the created rule.
3. Click New in the User Defined Applications screen to create a new rule.
4. Enter Application Name.
5. Enter Priority. The value must be between 1 and 120.
Note: The lowest value has the highest priority.
6. In the created rule:
a. Choose the Protocol from the list of protocols.
b. Choose the Attributes from the list of attributes.
c. Choose the Values from the list of values.
7. Click Apply. The rule is now created. For information on the limitations for creating rules, refer to the Configuration Limitations section.
8. Click the application listed under the Applications column.
9. Click the Rule tab.
10. Select a rule to view its protocol details.
Supported Protocols and Attributes
The DPI engine matches the defined rules against the following protocols and attributes within the first 500 bytes of a packet payload.
For supported Regex patterns, refer to Supported RegExp Syntax.
Protocol | Attributes | Attribute Labels | Description | Direction | Supported Data Type | Example Value |
http | cts-uri | Request URI | Partially Normalized URL (path + request) | Client to Server Only | REGEXP | \/fupload\/(create_file|new_slice|upload_slice)\?.*upload_token=.* |
http | cts-server | Server Name | Web Server Name from URI or Host | Client to Server Only | REGEXP | (.*\.)?gigamon\.com |
http | mime_type | MIME Type | Content type of Request or the Web page | Both, Client to Server or Server to Client | REGEXP | http |
http | cts-user_agent | User Agent | Software / Browser used for request | Client to Server Only | REGEXP | mozilla |
http | cts-referer | Referer URI | Source address where client got the URI | Client to Server Only | REGEXP | http:\/\/gigamon.com\/ |
http | stc-server_agent | Server Agent | Software used for the server | Server to Client Only | REGEXP | NWS_TCloud_PX |
http | stc-location | Redirect Location | Destination address where the client is redirected to | Server to Client Only | REGEXP | .*\/football\/.* |
http | cts-cookie | Cookie (Raw) | Raw value of the HTTP Cookie header line | Client to Server Only | REGEXP | .*tEstCoOkie.* |
http | content | Content | Message body content | Both, Client to Server or Server to Client | REGEXP | .*GIGAMON.* mindata = 206 (refer to Mindata) |
ssl | common_name | Domain Name | Domain name from Client Hello message or the certificate | | REGEXP | (.*\.)?gigamon\.com |
ssl | stc-subject_alt_name | Subject Alt Name(s) | List of host names which belong to the same certificate | Server to Client Only | REGEXP | (.*\.)?gigamon\.com |
rtmp | cts-page_url | Page URL | URL of the webpage where the audio/video content is streamed | Client to Server Only | REGEXP | http:\/\/www.music.tv\/recorded\/1234567 |
tcp | stream | Payload Data | Data payload for a packet, excluding the header. | | REGEXP | .*GIGAMON.* mindata = 70 (refer to Mindata) |
tcp | port | Server Port | Server (listen) port number | | UINT16 RANGE as REGEXP String | 80-4350 |
udp | stream | Payload Data | Data payload for a packet, excluding the header | | REGEXP | .*GIGAMON.* mindata = 100 (refer to Mindata) |
udp | port | Server Port | Server (listen) port number | | UINT16 RANGE as REGEXP String | 80-4350 |
sip | user_agent | User Agent | Software used | Both, Client to Server or Server to Client | REGEXP | GVUE-release 6.2.0 |
icmp | code | Message Code | Code of the ICMP message | Both, Client to Server or Server to Client | UINT8 as REGEXP String | 200 |
icmp | typeval | Message Type | Type of ICMP message | Both, Client to Server or Server to Client | UINT8 as REGEXP String | 10 |
ip | address | Server IP Address | IP address of the server | | IPV4 as REGEXP String | 62.132.12.30\/24 |
ip | dscp | DSCP Value | DSCP from Differentiated Service (DS) Field in IP header | | UINT8 as REGEXP String | 33 |
ip | resolv_name | DNS Name | Server's DNS name | | REGEXP | gigamon.com |
ipv6 | address | Server IP Address | IP address of the server | | IPV6 as REGEXP String | 2001:0:9d38:6ab8:307b:16a4:9c66:5f4 2001:0:9d38::9c66:5f4/64 |
ipv6 | dscp | DSCP Value | DSCP from Differentiated Service (DS) Field in IP header | | UINT8 as REGEXP String | 43 |
Mindata
The mindata value is the number of payload bytes to buffer and match against a given pattern. You can configure the mindata value for HTTP content, TCP stream, and UDP stream. The buffer size is calculated from the start of the payload, and the default buffer size is different for each protocol (HTTP: 206, TCP: 67, UDP: 48).
For example, for the pattern ".*TEST.*" that may be present within the first 67 bytes of the TCP payload, you can specify the mindata value as 4 (which is the length of the input string) or as 67 (which is the default buffer size of the TCP payload). If the pattern is present between bytes 65 and 68 of the payload and the mindata is specified as 4 or 67, it will not match. In this case, you must specify the mindata value as 68.
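The TCP case above can be checked offline against a sample payload before a rule is applied. This is an added example, not Gigamon code: it assumes the buffer behaves as max(mindata, protocol default) capped at the 500-byte inspection limit, uses Python's `re` as a stand-in for the DPI engine's regex dialect, and its function names and sample payload are constructed for illustration.

```python
import re

# Default buffer sizes (bytes) per protocol, as stated in the Mindata section.
DEFAULT_BUFFER = {"http": 206, "tcp": 67, "udp": 48}
# The page states rules are matched within the first 500 bytes of payload.
MAX_INSPECTED = 500


def effective_window(protocol, mindata=None):
    """Bytes of payload this model buffers before matching.

    Assumption: a mindata below the protocol default still yields the
    default buffer (the page accepts both 4 and 67 for a TCP pattern
    inside the first 67 bytes).
    """
    default = DEFAULT_BUFFER[protocol]
    window = default if mindata is None else max(mindata, default)
    return min(window, MAX_INSPECTED)


def rule_matches(protocol, pattern, payload, mindata=None):
    """True if the pattern matches entirely inside the buffered bytes."""
    window = payload[:effective_window(protocol, mindata)]
    return re.search(pattern, window, re.DOTALL) is not None


def required_mindata(protocol, pattern, payload):
    """Smallest mindata that lets the pattern match this sample payload.

    Returns None when the pattern cannot match within MAX_INSPECTED bytes.
    """
    for size in range(DEFAULT_BUFFER[protocol], MAX_INSPECTED + 1):
        if re.search(pattern, payload[:size], re.DOTALL):
            return size
    return None


# Constructed sample: "TEST" occupies payload bytes 65 to 68 (1-based),
# the case the page says needs mindata = 68.
SAMPLE = b"A" * 64 + b"TEST" + b"B" * 40

if __name__ == "__main__":
    for md in (4, 67, 68):
        print(md, rule_matches("tcp", rb".*TEST.*", SAMPLE, md))
    print("required:", required_mindata("tcp", rb".*TEST.*", SAMPLE))
```

Running `required_mindata` over captured payloads of the application you want to classify gives the value to enter for the rule; a `None` result means the marker lies outside the bytes the engine inspects.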
Supported RegExp Syntax
Pattern | Description |
. | Matches any symbol |
* | Searches for 0 or more occurrences of the symbol or character set that precedes it |
+ | Searches for 1 or more occurrences of the symbol or character set that precedes it |
? | Searches for 0 or 1 occurrence of the symbol or character set that precedes it |
( ) | Groups a series of expressions together |
[ ] | Matches any value included within the bracket at its current position. Example: [Dd]ay matches Day and day |
| (vertical bar) | Separates values contained in ( ). Searches for any one of the values that it separates. Example: The following expression matches dog or cat: (dog | cat). |
[<start>-<end>] | Matches any value contained within the defined range (a hyphen indicates the range). You can mix character class and a hexadecimal range. Example: [AaBbCcDdEeFf0-9] |
\0 <octal_number> | Matches for a direct binary with octal input |
\x<hexadecimal-number>\x | Matches for a direct binary with hexadecimal input |
\[<character-set>\] | Matches a character set while ignoring case. WARNING: Not performance friendly |
Limitations
The maximum number of user defined applications that can be configured is 120 per FM. These applications can be spread across one or more application intelligence sessions.
The maximum number of rules that can be created per application is 8.
The maximum number of protocols that can be configured per rule is 3.