Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Configuring Active Scanning
Understanding Nmap Scans
Chapter 41
Understanding Nmap Scans
LICENSE: FireSIGHT
Nmap allows you to actively scan ports on hosts on your network to determine
operating system and server data for the hosts, which allows you to enhance your
network map and fine-tune the accuracy of the vulnerabilities mapped to scanned
hosts. Note that a host must exist in the network map before Nmap can append
its results to the host profile. You can also view scan results in a results file.
When you scan a host using Nmap, servers on previously undetected open ports
are added to the Servers list in the host profile for that host. The host profile lists
any servers detected on filtered or closed TCP ports or on UDP ports in the Scan
Results section. By default, Nmap scans more than 1660 TCP ports.
Nmap compares the results of the scan to over 1500 known operating system
fingerprints to determine the operating system and assigns scores to each. The
operating system assigned to the host is the operating system fingerprint with
the highest score.
If the system recognizes a server identified in an Nmap scan and has a
corresponding server definition, the system maps vulnerabilities for that server to
the host. The system maps the names Nmap uses for servers to the
corresponding Sourcefire server definitions, and then uses the vulnerabilities
mapped to each server in the system. Similarly, the system maps Nmap
operating system names to Sourcefire operating system definitions. When Nmap
detects an operating system for a host, the system assigns vulnerabilities from
the corresponding Sourcefire operating system definition to the host.
For more information on the underlying Nmap technology used to scan, refer to the
Nmap documentation at
.
For more information on Nmap on your Sourcefire appliance, see the following
topics:
•
•
•
Understanding Nmap Remediations
LICENSE: FireSIGHT
You can define the settings for an Nmap scan by creating an Nmap remediation.
An Nmap remediation can be used as a response in a correlation policy, run on
demand, or scheduled to run at a specific time. In order for the results of an
Nmap scan to appear in the network map, the scanned host must already exist in
the network map.