User Defined Application

This feature allows you to identify unclassified TCP, UDP, HTTP, and HTTPS applications and extract their application name and ID.

Refer to the following topic for more detailed information:

Supported Protocols and Attributes

The DPI engine matches the rules you define, based on the following protocols and attributes, within the first 500 bytes of a packet payload.

For supported regex patterns, refer to Supported RegExp Syntax.

| Protocol | Attributes | Attribute Labels | Description | Direction | Supported Data Type | Example Value |
| --- | --- | --- | --- | --- | --- | --- |
| http | cts-uri | Request URI | Partially Normalized URL (path + request) | Client to Server Only | REGEXP | `\/fupload\/(create_file\|new_slice\|upload_slice)\?.*upload_token=.*` |
| http | cts-server | Server Name | Web Server Name from URI or Host | Client to Server Only | REGEXP | `(.*\.)?gigamon\.com` |
| http | mime_type | MIME Type | Content type of Request or the Web page | Both, Client to Server or Server to Client | REGEXP | `http` |
| http | cts-user_agent | User Agent | Software / Browser used for request | Client to Server Only | REGEXP | `mozilla` |
| http | cts-referer | Referer URI | Source address where client got the URI | Client to Server Only | REGEXP | `http:\/\/gigamon.com\/` |
| http | stc-server_agent | Server Agent | Software used for the server | Server to Client Only | REGEXP | `NWS_TCloud_PX` |
| http | stc-location | Redirect Location | Destination address where the client is redirected to | Server to Client Only | REGEXP | `.*\/football\/.*` |
| http | cts-cookie | Cookie (Raw) | Raw value of the HTTP Cookie header line | Client to Server Only | REGEXP | `.*tEstCoOkie.*` |
| http | content | Content | Message body content | Both, Client to Server or Server to Client | REGEXP | `.*GIGAMON.*` (mindata = 206; refer to Mindata) |
| http2 | cts-uri | Request URI | Partially Normalized URL (path + request) | Client to Server Only | REGEXP | `\/fupload\/(create_file\|new_slice\|upload_slice)\?.*upload_token=.*` |
| http2 | cts-server | Server Name | Web Server Name from URI or Host | Client to Server Only | REGEXP | `(.*\.)?gigamon\.com` |
| http2 | cts-user_agent | User Agent | Software / Browser used for request | Client to Server Only | REGEXP | `mozilla` |
| http2 | cts-referer | Referer URI | Source address where client got the URI | Client to Server Only | REGEXP | `http:\/\/gigamon.com\/` |
| ssl | common_name | Domain Name | Domain name from Client Hello message or the certificate | | REGEXP | `(.*\.)?gigamon\.com` |
| ssl | stc-subject_alt_name | Subject Alt Name(s) | List of host names which belong to the same certificate | Server to Client Only | REGEXP | `(.*\.)?gigamon\.com` |
| rtmp | cts-page_url | Page URL | URL of the webpage where the audio/video content is streamed | Client to Server Only | REGEXP | `http:\/\/www.music.tv\/recorded\/1234567` |
| tcp | stream | Payload Data | Data payload for a packet, excluding the header | | REGEXP | `.*GIGAMON.*` (mindata = 70; refer to Mindata) |
| tcp | port | Server Port | Server (listen) port number | | UINT16 RANGE as REGEXP String | `80-4350` |
| udp | stream | Payload Data | Data payload for a packet, excluding the header | | REGEXP | `.*GIGAMON.*` (mindata = 100; refer to Mindata) |
| udp | port | Server Port | Server (listen) port number | | UINT16 RANGE as REGEXP String | `80-4350` |
| sip | user_agent | User Agent | Software used | Both, Client to Server or Server to Client | REGEXP | `GVUE-release 6.2.0` |
| icmp | code | Message Code | Code of the ICMP message | Both, Client to Server or Server to Client | UINT8 as REGEXP String | `200` |
| icmp | typeval | Message Type | Type of ICMP message | Both, Client to Server or Server to Client | UINT8 as REGEXP String | `10` |
| ip | address | Server IP Address | IP address of the server | | IPV4 as REGEXP String | `62.132.12.30\/24` |
| ip | dscp | DSCP Value | DSCP from Differentiated Service (DS) Field in IP header | | UINT8 as REGEXP String | `33` |
| ip | resolv_name | DNS Name | Server's DNS name | | REGEXP | `gigamon.com` |
| ipv6 | address | Server IP Address | IP address of the server | | IPV6 as REGEXP String | `2001:0:9d38:6ab8:307b:16a4:9c66:5f4` or `2001:0:9d38::9c66:5f4/64` |
| ipv6 | dscp | DSCP Value | DSCP from Differentiated Service (DS) Field in IP header | | UINT8 as REGEXP String | `43` |

Mindata

The mindata value is the number of payload bytes to buffer and match against a given pattern. You can configure the mindata value for HTTP content, TCP stream, and UDP stream. The buffer size is calculated from the start of the payload, and the default buffer size is different for each protocol (HTTP: 206, TCP: 67, and UDP: 48).

For example, for the pattern ".*TEST.*" that may be present within the first 67 bytes of the TCP payload, you can specify the mindata value as 4 (the length of the input string) or as 67 (the default buffer size of the TCP payload). If the pattern lies between bytes 65 and 68 of the payload and the mindata is specified as 4 or 67, it will not match. In this case, you must specify the mindata value as 68.
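The following Python sketch is an added example, not Gigamon code, for checking offline what mindata a rule needs against a sample payload. It assumes that a mindata below the protocol default behaves like the default (as the TCP example above implies), that the buffer is capped at the 500-byte inspection window, and that Python's `re` can stand in for the engine's regex on simple patterns such as `.*TEST.*`; all function names are hypothetical.

```python
import re

# Values stated on this page: default buffer per protocol and the 500-byte window.
DEFAULT_BUFFER = {"http": 206, "tcp": 67, "udp": 48}
INSPECTION_WINDOW = 500

def effective_buffer(protocol, mindata=None):
    """Bytes inspected from the start of the payload (assumed model).

    Assumption taken from the page's example: a mindata below the protocol
    default behaves like the default (4 and 67 act alike for TCP), and the
    buffer never exceeds the 500-byte inspection window.
    """
    default = DEFAULT_BUFFER[protocol]
    size = default if mindata is None else max(mindata, default)
    return min(size, INSPECTION_WINDOW)

def rule_matches(protocol, pattern, payload, mindata=None):
    """True if the pattern is found inside the buffered prefix of the payload."""
    prefix = payload[:effective_buffer(protocol, mindata)]
    return re.search(pattern, prefix, re.DOTALL) is not None

def required_mindata(pattern, payload):
    """Smallest prefix length that contains a match, or None within the window."""
    compiled = re.compile(pattern, re.DOTALL)
    limit = min(len(payload), INSPECTION_WINDOW)
    for size in range(1, limit + 1):
        if compiled.search(payload[:size]):
            return size
    return None

# Constructed sample payloads (not captured traffic).
PATTERN = rb".*TEST.*"
EARLY = b"A" * 10 + b"TEST" + b"B" * 100   # TEST occupies bytes 11-14
LATE = b"A" * 64 + b"TEST" + b"B" * 50     # TEST occupies bytes 65-68
BEYOND = b"A" * 498 + b"TEST"              # TEST straddles byte 500

if __name__ == "__main__":
    for name, payload in (("early", EARLY), ("late", LATE), ("beyond", BEYOND)):
        need = required_mindata(PATTERN, payload)
        results = {m: rule_matches("tcp", PATTERN, payload, m) for m in (4, 67, 68)}
        print(f"{name}: required mindata={need}, match by mindata={results}")
```
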

Supported RegExp Syntax

| Pattern | Description |
| --- | --- |
| `.` | Matches any symbol |
| `*` | Searches for 0 or more occurrences of the symbol or character set that precedes it |
| `+` | Searches for 1 or more occurrences of the symbol or character set that precedes it |
| `?` | Searches for 0 or 1 occurrence of the symbol or character set that precedes it |
| `( )` | Groups a series of expressions together |
| `[ ]` | Matches any value included within the bracket at its current position. Example: `[Dd]ay` matches Day and day |
| `\|` | Separates values contained in ( ). Searches for any one of the values that it separates. Example: The following expression matches dog or cat: `(dog \| cat)` |
| `[<start>-<end>]` | Matches any value contained within the defined range (a hyphen indicates the range). You can mix character class and a hexadecimal range. Example: `[AaBbCcDdEeFf0-9]` |
| `\0 <octal_number>` | Matches for a direct binary with octal input |
| `\x<hexadecimal-number>\x` | Matches for a direct binary with hexadecimal input |
| `\[<character-set>\]` | Matches a character set while ignoring case. WARNING: Not performance friendly |

Limitations

■   The maximum number of user-defined applications that can be configured is 120 per FM. These applications can be spread across one or more application intelligence sessions.
■   The maximum number of rules that can be created per application is 8.
■   The maximum number of protocols that can be configured per rule is 3.