Custom Fingerprint Examples
The ExtremeAnalytics feature uses fingerprints to identify to which application a network traffic flow belongs. A fingerprint is a description of a pattern of network traffic which can be used to identify an application. ExtremeCloud IQ Site Engine provides thousands of system fingerprints with the ExtremeAnalytics feature. In addition, you can create new custom fingerprints.
For additional information, see Getting Started with ExtremeAnalytics.
This Help topic provides examples of three different types of custom fingerprints you can create:
- Fingerprints Based on a Flow
- Fingerprints Based on an Application or Application Group
- Fingerprints Based on a Destination Address
For additional information, see Add and Modify Fingerprints.
Fingerprints Based on a Flow
This example demonstrates how to create a custom fingerprint based on X Window System network traffic.
In the ExtremeCloud IQ Site Engine Flows table (with the Show Unclassified View selected) you notice several flows with source port 6049, a port in the range (TCP 6000-6063) that X Window System (x11) traffic normally runs over. Since these flows are not currently identified by any fingerprint, you can create a fingerprint for them based on that port.
Use the following steps to create the fingerprint.
- Select the Analytics tab.
- Select the Application Flows tab.
- In the table, select the Show Unclassified View.
- Right-click on a flow with the x11 Source Port and select Fingerprints > Add Fingerprint.
- The Add Fingerprint window opens.
- Use the drop-down list to select matching Port x11 [6049].
- Set the Application Name to X Window System.
- Set the Application Group to Protocols.
- Set the Confidence level to 60 (the default). A fingerprint with a confidence higher than 60 can supersede this fingerprint, if it also matches the flow.
- Select OK to create the fingerprint.
- Enforce to push the new fingerprint to your engines.
Fingerprints Based on an Application or Application Group
This example demonstrates how to create a fingerprint for some unclassified web traffic.
In the ExtremeCloud IQ Site Engine Application Flows table (with the Show Unclassified Web Traffic View selected) you notice several flows for the "yahoo ads" application that are part of the Web Applications group. You want to create a fingerprint that assigns a specific application and application group to this traffic, instead of letting it default to the Web Applications group. The new fingerprint categorizes "yahoo ads" flows into the Yahoo Ads application and the Advertising application group.
Use the following steps to create the fingerprint.
- Select the Analytics tab in ExtremeCloud IQ Site Engine.
- Select the Application Flows tab.
- In the table, select the Show Unclassified Web Traffic View.
- Right-click on a flow with the yahoo ads application and select Fingerprints > Add Fingerprint.
- The Add Fingerprint window opens.
- Use the drop-down list to select matching the "yahoo ads" host.
- Set the Application Name to Yahoo Ads.
- Set the Application Group to Advertising.
- Set the Confidence level to 60 (the default). A fingerprint with a confidence higher than 60 can supersede this fingerprint, if it also matches the flow.
- Select OK to create the fingerprint.
- Enforce to push the new fingerprint to your engines.
Fingerprints Based on a Destination Address
In both of the previous examples, you created a new custom fingerprint to cover a case where no appropriate fingerprint existed. You can also create a new fingerprint for traffic flows already identified as one application, but should be categorized as something else.
For example, let's say you have a Git repository on your network. Git (a source code management system used in software development) repositories are frequently accessed over SSH on TCP port 22 (the standard port assigned to SSH). In this case, the SSH traffic flows are identified by the system SSH port-based fingerprint.
But what if you would like to more closely monitor who is accessing the Git repository? If you know you are running the Git server on a certain system (10.20.117.102 port 22, for our example), you can create a custom fingerprint to identify the Git traffic flows.
The fingerprint is based on one of the SSH flows, using the IP address/port of the Git server, and has a higher confidence than the system port-based fingerprint. When both fingerprints match a flow, the higher-confidence fingerprint overrides the lower-confidence one.
Use the following steps to create the fingerprint.
- Select the Analytics tab in ExtremeCloud IQ Site Engine.
- Select the Application Flows tab.
- In the table, right-click on an SSH port-based flow with the Git server destination address and select Fingerprints > Add Fingerprint.
- The Add Fingerprint window opens.
- Use the drop-down list to select matching the Git server IP address and port.
- Set the Application Name to Git.
- Select an Application Group that makes the most sense for your network. It might be Web Collaboration, Databases, Business Applications, or Storage. You can also create a new Application Group by entering a new value in the Application Group field.
- Set the Confidence level to 60 (the default), which is higher than the confidence of 10 assigned to the system SSH port-based fingerprint, so the new fingerprint takes precedence for flows to the Git server.
- Select OK to create the fingerprint.
- Enforce to push the new fingerprint to your engines.
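To make the matching behaviour in all three examples above (port-based, host-based, and destination-address fingerprints, and the confidence rule that lets the Git fingerprint override the system SSH fingerprint) concrete, here is an added Python model of fingerprint matching and confidence precedence. It is example code written for this page, not ExtremeAnalytics' own classification engine: the field names, the "highest confidence wins" rule, the first-match tie-break, the suffix matching of web hosts, and the fall-back of unmatched web traffic to the Web Applications group are assumptions modelled on the descriptions above, and the flows, the `ads.yahoo.com` host (a stand-in for the page's "yahoo ads" host), and the system fingerprint list are constructed sample data.

```python
"""Model of fingerprint matching and confidence precedence (added example, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One observed flow. host is the HTTP Host / TLS SNI when the engine saw it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    host: Optional[str] = None


@dataclass(frozen=True)
class Fingerprint:
    """A match rule plus the Application Name/Group it assigns.

    Field names are assumptions for this example, not the product's schema.
    Every criterion that is set must match; unset criteria are ignored.
    """
    name: str
    group: str
    confidence: int = 60            # 60 is the default in the Add Fingerprint window
    port: Optional[int] = None      # either endpoint port (port-based fingerprint)
    host: Optional[str] = None      # web host, exact or parent domain (assumption)
    dst_ip: Optional[str] = None    # destination-address fingerprint
    dst_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if all(c is None for c in (self.port, self.host, self.dst_ip, self.dst_port)):
            return False              # an empty rule matches nothing
        if self.port is not None and self.port not in (flow.src_port, flow.dst_port):
            return False
        if self.host is not None:
            if flow.host is None:
                return False
            h = flow.host.lower()
            if h != self.host and not h.endswith("." + self.host):
                return False
        if self.dst_ip is not None and ip_address(flow.dst_ip) != ip_address(self.dst_ip):
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        return True


UNCLASSIFIED = ("Unclassified", "Unclassified", 0)


def classify(flow: Flow, fingerprints):
    """Return (application, group, confidence) for a flow.

    Of all fingerprints that match, the highest confidence wins regardless of
    definition order; ties keep the first match (assumption). Unmatched traffic
    with a visible web host falls back to the host name in the Web Applications
    group; everything else is Unclassified.
    """
    best = None
    for fp in fingerprints:
        if fp.matches(flow) and (best is None or fp.confidence > best.confidence):
            best = fp
    if best is not None:
        return (best.name, best.group, best.confidence)
    if flow.host:
        return (flow.host, "Web Applications", 0)
    return UNCLASSIFIED


# Constructed system fingerprint; the page gives the SSH port-based one confidence 10.
SYSTEM_FINGERPRINTS = [Fingerprint("SSH", "Protocols", confidence=10, port=22)]

# The three custom fingerprints from this page.
CUSTOM_FINGERPRINTS = [
    Fingerprint("X Window System", "Protocols", port=6049),
    Fingerprint("Yahoo Ads", "Advertising", host="ads.yahoo.com"),
    Fingerprint("Git", "Business Applications", dst_ip="10.20.117.102", dst_port=22),
]

SAMPLE_FLOWS = {  # constructed sample data
    "git_over_ssh": Flow("10.20.5.7", 53122, "10.20.117.102", 22),
    "other_ssh": Flow("10.20.5.7", 53123, "10.20.117.50", 22),
    "x11": Flow("10.20.8.9", 6049, "10.20.8.10", 41000),
    "yahoo_ads": Flow("10.20.5.7", 44000, "203.0.113.10", 443, host="ads.yahoo.com"),
    "other_web": Flow("10.20.5.7", 44001, "203.0.113.11", 443, host="news.example.net"),
    "unknown": Flow("10.20.5.7", 50000, "10.20.9.9", 9999),
}


def demo(fingerprints=None):
    """Classify every sample flow against the system plus custom fingerprints."""
    fps = SYSTEM_FINGERPRINTS + CUSTOM_FINGERPRINTS if fingerprints is None else fingerprints
    return {label: classify(flow, fps) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, (app, group, conf) in demo().items():
        print(f"{label:13} -> {app} / {group} (confidence {conf})")
```

Running `demo()` shows the flow to 10.20.117.102:22 reported as Git even though the SSH port fingerprint also matches it, while SSH to any other host stays SSH at confidence 10. Raising the SSH fingerprint above 60 would flip that result, which is the same caveat the Add Fingerprint window states about any higher-confidence fingerprint superseding yours.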