How to apply fingerprint to all traffic on a particular network for a particular port

I would like to be able to categorize all CIFS traffic on a particular network using fingerprints within NetSight/Purview (7.0.4.29) into a given Application/Application Group. The problem I'm having is that we have a network for backups that talks to another production storage network to grab files for the backup.

When I look at my flows, I try to add a fingerprint by right-clicking on the flow and specifying "add fingerprint for Address with Port". When I do this, the address is the server for the production storage network, not the backup network. I thought I would get smart and edit the myappid.xml file and manually enter the backup network IP/CIDR, but that doesn't seem to be foolproof, as I'm still seeing flows incorrectly categorized.

I believe this has to do with how Purview handles client/server communications. In this case, the backup network initiates the communication, so it is categorized as the client. It seems Purview only wants to apply fingerprints for networks based on the server side of the communication.

In short, how can I use fingerprints to say all traffic from "client" network A on port 445 belongs to a particular application/application group?
Andrew Martin

Posted 1 year ago

Dudley, Jeff, Employee
Hi Andrew,

There is the option of making a Fingerprint "from scratch" in the Fingerprints tab, Create option. Does this give you the options you are looking for?

Thanks
Jeff
Andrew Martin
Hi Jeff,
Thanks for the reply, I appreciate it. I originally started down this path by creating the fingerprints from scratch. I still had traffic that was showing up in the generic CIFS group, though. After reading the manual, I went the path of right-clicking on the actual flow to fingerprint it that way.

Essentially, what I've done is create fingerprints for TCP 139, 445 on network A and UDP 137, 138 on network A, categorized as Backup CIFS. When I say network A, I'm adding a fingerprint by address, mask and port. So I say 12.34.56.78/24 on 445 is Backup CIFS.

However, when I look at the flows, I see traffic on TCP 445 on network A as generic CIFS. Some of the traffic does match as it should, which is where I start to scratch my head. Is there a gotcha to fingerprinting client traffic? I think the issue is that the backup software initiates a CIFS connection, which tells Purview that it's the client. I'm not sure if fingerprints have a bias towards identifying the server side of the traffic?

Thanks much.

Andrew
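To make the suspicion in the post above concrete, here is a small model (added example, not Purview code and not the myappid.xml format) of an address/mask/port fingerprint applied to constructed flow records. It compares matching against either endpoint with matching against the server side only, so you can see exactly which backup-initiated flows would fall through to the generic CIFS group under a server-biased match; the network, ports and labels come from the thread, the hosts and flows are made up.

```python
"""Model of address/mask/port fingerprint matching. Constructed example;
the Fingerprint/Flow types are hypothetical, not Purview's own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client_ip: str   # initiator of the connection, what Purview calls the client
    server_ip: str   # responder
    proto: str       # "tcp" or "udp"
    server_port: int


@dataclass(frozen=True)
class Fingerprint:
    network: str     # address + mask, e.g. "12.34.56.78/24" from the thread
    proto: str
    port: int
    app: str


# Rules described in the thread: TCP 139/445 and UDP 137/138 on network A.
BACKUP_CIFS_RULES = [
    Fingerprint("12.34.56.78/24", proto, port, "Backup CIFS")
    for proto, port in (("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138))
]

# Constructed flows: backup hosts live in 12.34.56.0/24, storage in 10.20.30.0/24.
FLOWS = [
    Flow("12.34.56.10", "10.20.30.5", "tcp", 445),   # backup server initiates CIFS
    Flow("10.20.30.5", "12.34.56.10", "tcp", 445),   # storage initiates towards backup net
    Flow("192.168.1.5", "10.20.30.5", "tcp", 445),   # unrelated client, plain CIFS
    Flow("12.34.56.11", "10.20.30.6", "udp", 137),   # NetBIOS name service from backup net
]


def matches(fp: Fingerprint, flow: Flow, server_only: bool) -> bool:
    """Does the fingerprint hit this flow? If server_only, ignore the client address."""
    if fp.proto != flow.proto or fp.port != flow.server_port:
        return False
    net = ipaddress.ip_network(fp.network, strict=False)  # 12.34.56.78/24 -> 12.34.56.0/24
    endpoints = [flow.server_ip] if server_only else [flow.client_ip, flow.server_ip]
    return any(ipaddress.ip_address(ip) in net for ip in endpoints)


def classify(flow: Flow, rules, server_only: bool = False, default: str = "CIFS") -> str:
    """First matching fingerprint wins; otherwise the flow stays in the generic group."""
    return next((fp.app for fp in rules if matches(fp, flow, server_only)), default)


def classify_all(flows, rules, server_only: bool = False) -> list:
    return [classify(f, rules, server_only) for f in flows]
```

Direction-agnostic matching labels three of the four constructed flows "Backup CIFS"; a server-only match drops the two backup-initiated flows back to generic CIFS, which is the symptom described in the thread.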
Dudley, Jeff, Employee
Hi Andrew,

The product is client-based when it comes to reporting, but from an identification point of view, I don't think so. The options you mentioned, IP and Port, don't even have source or destination values.

If we are viewing the flow grid, perhaps the old CIFS application is hitting on a long running flow?

If available, I am happy to run a remote session and take a look at this together.

Outside of a remote session, perhaps try to identify which flows are hitting on the new fingerprint and which are hitting on the old.


Thanks
Jeff
Andrew Martin
Hi Jeff,

Given these are backup jobs, your theory of a long-running flow is absolutely possible. I'll give it some more time and report back.

Thanks,
Andrew
Dudley, Jeff, Employee
Hi Andrew,

Hope this went well for you.

Regards
Jeff