Enabling OS Fingerprinting; Configuring Context Profiles - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Enabling OS Fingerprinting

Copyright © 2010, Juniper Networks, Inc.
OS fingerprinting passively detects the operating system of an end-host by analyzing
TCP handshake packets. To ensure that this works, you need to verify that OS
fingerprinting is first enabled on the profiled device. After you have configured the Profiler
with the tracked hosts and contexts, you must update the device.

OS fingerprinting works only for packets that belong to a full-fledged TCP connection, one
that has a SYN, a SYN/ACK, and a FIN. OS fingerprinting works only for operating systems
that are supported on the device. A list of the supported operating systems is available
on the device in a file called fingerprints.set in the /usr/idp/device/cfg/ directory.

Configuring Network Objects

The first part of configuring the Profiler is to tell the device which network objects you
want the device to profile. When you start the Profiler, the device begins collecting data
from the selected hosts.

In the Tracked Hosts tab, select the network objects that represent your internal hosts.
The device collects detailed information about traffic that passes between internal hosts,
and groups traffic that does not match an internal host under a special IP: 73.78.69.84.
Communication between an internal host and an external host is recorded only once.
For example, the device records internal host A communicating to www.cnn.com and
www.yahoo.com as one entry in the Profiler DB.

You can select an unlimited number of internal network objects.

You can also use the Exclude List tab to select the network objects that represent internal
hosts you do not want to include in IDP profiling. You might want to exclude a host from
the Profiler if you selected a group of network objects in the Tracked Hosts tab but want
to exclude specific members of that group.

Configuring Context Profiles

Next, determine which contexts you want the device to record. In the Contexts to Profile
tab, the context list includes only the contexts that can clearly identify a host, a user, or
an application. Select the contexts that the device should profile. When you start the
Profiler, the device begins collecting data on traffic that matches the selected contexts.

Example: Selecting Contexts

To track FTP logins, usernames, and commands, select the FTP contexts in the Contexts
to Profile tab. After the Profiler is started, the device begins collecting information about
FTP logins, usernames, and commands, enabling you to quickly identify who is using FTP
on your network and what they are doing over that protocol.

When you first configure the Profiler, select all contexts. This enables the device to collect
data about every context on your network, giving you a complete view of your network
traffic. Later, when you have analyzed your traffic, you can eliminate contexts that you
know will not be used on your network.

Chapter 17: Analyzing Your Network
687
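The recording rules described above (tracked hosts, the exclude list, selected contexts, and the collapsing of every external peer into the special IP 73.78.69.84) can be modelled in a few lines. The following Python is an added example, not code from the Juniper guide or from NSM; the addresses, flows and context names (ftp-login, ftp-username, ftp-command, http-url) are constructed placeholders, not the device's real context identifiers. The octets of 73.78.69.84 are the ASCII codes for the letters "INET", which the helper below decodes.

```python
import ipaddress
from collections import Counter

# Special address the Profiler uses to stand in for every external host;
# its four octets are the ASCII codes for the letters "INET".
INET_PLACEHOLDER = "73.78.69.84"

def special_ip_label(ip):
    """Decode a dotted-quad special IP into the ASCII tag its octets spell."""
    return "".join(chr(int(octet)) for octet in ip.split("."))

def is_tracked(ip, tracked_nets, excluded_nets):
    """Internal host = inside a Tracked Hosts object and not in the Exclude List."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in excluded_nets):
        return False
    return any(addr in net for net in tracked_nets)

def profile_flows(flows, tracked, excluded, contexts):
    """Model of the Profiler DB: {(internal_host, peer, context): sessions}.
    tracked/excluded are CIDR strings (Tracked Hosts / Exclude List tabs);
    contexts is the set of names chosen in the Contexts to Profile tab."""
    tracked_nets = [ipaddress.ip_network(n, strict=False) for n in tracked]
    excluded_nets = [ipaddress.ip_network(n, strict=False) for n in excluded]
    db = Counter()
    for src, dst, ctx in flows:
        if ctx not in contexts:
            continue  # context not selected for profiling: nothing recorded
        src_in = is_tracked(src, tracked_nets, excluded_nets)
        dst_in = is_tracked(dst, tracked_nets, excluded_nets)
        if not (src_in or dst_in):
            continue  # neither side is a tracked internal host
        if src_in and dst_in:
            db[(src, dst, ctx)] += 1  # internal-to-internal: each pair is kept
        else:
            internal = src if src_in else dst
            # External peer collapsed to INET: host A talking to two different
            # external sites is one Profiler DB entry, not two.
            db[(internal, INET_PLACEHOLDER, ctx)] += 1
    return db

# Constructed sample data: TEST-NET addresses, placeholder context names.
FTP_CONTEXTS = {"ftp-login", "ftp-username", "ftp-command"}
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", "ftp-username"),  # internal -> external site 1
    ("10.0.0.5", "198.51.100.7", "ftp-username"),  # internal -> external site 2
    ("10.0.0.5", "10.0.0.9", "ftp-username"),      # internal -> internal
    ("203.0.113.10", "10.0.0.5", "ftp-login"),     # external -> internal
    ("10.0.0.99", "203.0.113.10", "ftp-command"),  # excluded host: ignored
    ("10.0.0.5", "203.0.113.10", "http-url"),      # context not selected: ignored
]
```

Calling profile_flows(SAMPLE_FLOWS, ["10.0.0.0/24"], ["10.0.0.99/32"], FTP_CONTEXTS) yields three entries: the two external FTP peers of 10.0.0.5 merge into a single (10.0.0.5, 73.78.69.84, ftp-username) entry with two sessions, while the excluded host and the unselected context produce nothing.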
