Configuring Traffic-Based User Detection
When you enable traffic-based user detection in a network discovery rule, host discovery is automatically enabled. For more information about traffic-based detection, see The Traffic-Based Detection Identity Source.
Procedure
Step 1: Choose .
Step 2: Click Users.
Step 3: Click Edit.
Step 4: Check the check boxes for protocols where you want to detect logins or clear check boxes for protocols where you do not want to detect logins, and choose whether you want to Capture Failed Login Attempts.
Step 5: Click Save.
What to do next
Caution: Enabling or disabling non-authoritative, traffic-based user detection over the HTTP, FTP, or MDNS protocols using the network discovery policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.
- Configure network discovery rules to discover users as described in Configuring Network Discovery Rules.
- Deploy configuration changes.