ExtremeAnalytics Custom Fingerprints


Custom fingerprints are either new user-defined fingerprints or modifications of system fingerprints. Custom fingerprints can be deleted. If a custom fingerprint was overriding a system fingerprint, then deleting the custom fingerprint will reload the original system fingerprint.

The Fingerprints view is divided into a left-panel tree and a table with six columns. The left-panel tree displays all the application groups and the fingerprints assigned to that group. The table on the right displays detailed information for each fingerprint. You can filter the information displayed in the table by selecting a single application group or fingerprint in the left-panel.

Fingerprint Table

The Fingerprint table displays detailed fingerprint information. Above the table, in the top left corner, is a Menu icon, where you can access various system and fingerprint actions.

If you have multiple ExtremeAnalytics engines, an Engine menu is available that allows you to select an engine to use as the source for the fingerprint Matches data.

Use the In Use checkbox to filter the table to only show fingerprints that have had a match for the selected engine. Use the Customized checkbox to filter the table to display only custom fingerprints.

Menu

Use the Menu icon to access the following system and fingerprint actions. (You must have a fingerprint selected to enable the Fingerprint menu options.) Most of the options are also available by right-clicking on a fingerprint.

  • Create Fingerprint — Add a new fingerprint.
  • Modify Fingerprint — Change a fingerprint's description.
  • Reset Fingerprint Counters — Reset the Matches counters.
  • Delete Custom Fingerprint — Delete custom fingerprints, which can be identified by a check mark in the Custom column.
  • Fingerprint Definition — View the XML definition for a fingerprint.

Column Definitions

Following are definitions for the table columns. All columns are sortable in ascending and descending order and can be filtered by text or numeric values.

Application

Name of the application this fingerprint detects. Select an Application link to view client, flow, and usage information for that specific application.

Fingerprint

Name of the fingerprint.

Confidence

Reliability of this fingerprint. Higher confidence fingerprints override lower confidence fingerprints when determining a match for a traffic flow. The values are from 1 to 100, with 100 being absolutely reliable.

Custom

A check mark indicates the fingerprint is a custom (user-defined) fingerprint. It is custom if it is a new fingerprint that has been added, a system fingerprint that has been modified, or a system fingerprint that has been disabled.

Application Group

The group this fingerprint's application belongs to. Application groups organize fingerprints into different types of applications such as Web applications or Business applications. You can sort the Application Flows view by application group, making it easier to view data for a specific type of flow. An application can only belong to one application group.

Matches

The total number of times a traffic flow has matched this fingerprint for the selected engine. A match is an occurrence of the ExtremeAnalytics engine making a final determination that a flow matches a fingerprint after all refinements are completed. The corresponding flow in the opposite direction, if there is one, is also matched. See Notes below.

  NOTES:
  • Matches are stored and displayed per engine. If you have multiple engines, use the Engine menu to select an engine to use as the source for the Hits and Matches data.
  • If a flow generates hits on multiple fingerprints, and one fingerprint has a higher confidence than another fingerprint, a hit is counted for each fingerprint, but a match is only recorded for the final, highest confidence fingerprint.
  • If you need to reset the Matches counters, use the Reset Fingerprint Counters option from the Menu icon.
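
The hit and match accounting described in these notes, as an added example that is not ExtremeAnalytics code. It is a simplified model: the `Fingerprint` class, the `classify` function, the substring matching rules, the use of Python's `re` in place of PCRE, and all sample fingerprints and flows are constructed assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Fingerprint:
    name: str
    fp_type: str      # "Port-based", "Http Host", "SSL Name" or "PCRE"
    pattern: object   # port number, hostname substring or regex (assumed semantics)
    confidence: int   # 1 to 100, higher overrides lower
    enabled: bool = True

    def fires(self, flow):
        if self.fp_type == "Port-based":
            return flow.get("server_port") == self.pattern
        if self.fp_type == "Http Host":
            return self.pattern in flow.get("http_host", "")
        if self.fp_type == "SSL Name":
            return self.pattern in flow.get("ssl_cn", "")
        if self.fp_type == "PCRE":  # Python re used as a stand-in for PCRE
            return re.search(self.pattern, flow.get("payload", "")) is not None
        return False

def classify(flows, fingerprints):
    """Return (hits, matches) counters keyed by fingerprint name."""
    hits, matches = Counter(), Counter()
    for flow in flows:
        # Disabled fingerprints are ignored when identifying applications.
        fired = [fp for fp in fingerprints if fp.enabled and fp.fires(flow)]
        for fp in fired:
            hits[fp.name] += 1       # every fingerprint that fires records a hit
        if fired:
            best = max(fired, key=lambda fp: fp.confidence)
            matches[best.name] += 1  # only the highest confidence one records the match
    return hits, matches

# Constructed sample data (not real fingerprints or traffic).
FINGERPRINTS = [
    Fingerprint("tcp-443", "Port-based", 443, 10),
    Fingerprint("intranet-host", "Http Host", "intranet.example.test", 70),
    Fingerprint("intranet-cert", "SSL Name", "example.test", 60),
    Fingerprint("legacy-api", "PCRE", r"^GET /api/v1/", 80, enabled=False),
]
FLOWS = [
    {"server_port": 443, "ssl_cn": "portal.example.test"},
    {"server_port": 443, "http_host": "intranet.example.test", "ssl_cn": "intranet.example.test"},
    {"server_port": 443},
    {"server_port": 8080, "payload": "GET /api/v1/users"},
]
HITS, MATCHES = classify(FLOWS, FINGERPRINTS)
```

In this model the low-confidence port-based fingerprint records a hit on all three port 443 flows but a match only on the flow where nothing more specific fired, and the disabled fingerprint records neither.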

Type

The fingerprint type refers to how the fingerprint determines a match.

  • FlexFire — These fingerprints execute specific matching algorithms encoded into the engine. Disabling the fingerprint disables the specific code that implements the fingerprint.
  • PCRE — These fingerprints search using Perl Compatible Regular Expressions (PCRE).
  • Port-based — These fingerprints search for traffic on a specific port (typically, server-only ports). These are very low-confidence fingerprints and are generally just used for wider coverage.
  • Web-App Rule — These fingerprints search for a specific hostname in the URI of web requests.
  • SSL Name — These fingerprints search for values in the SSL common name.
  • Http Host — These fingerprints search for values in the HTTP hostname.
  • Decoder — These fingerprints extract protocol metadata from a flow that is provided when we generate a match on that flow.
  • General — Any fingerprint that isn't included in one of the other types. Typically, these fingerprints search for a straight pattern, or for a specific port and/or IP address with custom fingerprints (excluding custom Web-App Rule fingerprints).

Enabled

An icon in this column indicates the fingerprint is enabled. When a fingerprint is enabled, it will be used to identify applications. When it is disabled, it will be ignored.

Last Modified

Date that the fingerprint was last modified.

Created

Date that the fingerprint was created.

Description

Description of the fingerprint.

