Cisco Firepower Management Center 4000
36-8
FireSIGHT System User Guide
Chapter 36 Using the Network Map
Working with the Vulnerabilities Network Map
profiles for those hosts show deactivated vulnerabilities as invalid, though you can manually mark them as valid for individual hosts; see for more information.
If there is an identity conflict for an application or operating system on a host, the system lists the vulnerabilities for both potential identities. When the identity conflict is resolved, the vulnerabilities remain associated with the current identity. For more information, see and
By default, the vulnerability network map displays the vulnerabilities of a detected application only if the packet contains the application's vendor and version. However, you can configure the system to list the vulnerabilities for applications lacking vendor and version data by enabling the vulnerability mapping setting for the application in the system policy. For information on setting the vulnerability mapping for an application, see
The numbers next to a vulnerability ID (or range of vulnerability IDs) represent two counts:
• The first number is a count of non-unique hosts that are affected by a vulnerability or vulnerabilities. If a host is affected by more than one vulnerability, it is counted multiple times. Therefore, it is possible for the count to be higher than the number of hosts on your network. Deactivating a vulnerability decrements this count by the number of hosts that are potentially affected by the vulnerability. If you have not deactivated any vulnerabilities for any of the potentially affected hosts for a vulnerability or range of vulnerabilities, this count is not displayed.
• The second number is a similar count of the total number of non-unique hosts that the system has determined are potentially affected by a vulnerability or vulnerabilities.
Deactivating a vulnerability renders it inactive only for the hosts you designate. You can deactivate a vulnerability for all hosts that have been judged vulnerable or for a specified individual vulnerable host. If the system subsequently detects the vulnerability on a host where it has not been deactivated (for example, on a new host in the network map), the system activates the vulnerability for that host. You have to explicitly deactivate the newly discovered vulnerability. Also, if the system detects an operating system or application change for a host, it may reactivate associated deactivated vulnerabilities.
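The two counts and the deactivation rules above are easy to misread, because both numbers count host/vulnerability pairs rather than unique hosts. The following Python model is an added example, not Cisco code and not the FireSIGHT implementation; the class name, method names, host names and SVID values are all assumptions (the SVIDs are made-up placeholders), and the sample data is constructed. It reproduces the stated behaviour: the first count is omitted until something in the range has been deactivated, a deactivation for all hosts covers only the hosts judged vulnerable at that moment, a later detection on a new host starts out active, and an OS or application change can reactivate a host's deactivated vulnerabilities.

```python
"""Model of the per-vulnerability host counts on the vulnerabilities network map.

Added example (not Cisco code). Names, sample hosts and SVIDs are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class VulnerabilityMap:
    # (host, svid) pairs the system has judged potentially affected -- constructed data
    affected: set = field(default_factory=set)
    # (host, svid) pairs an analyst has deactivated
    deactivated: set = field(default_factory=set)

    def detect(self, host, svid):
        """The system discovers a vulnerability on a host.

        A newly detected pair is active even if the same SVID was earlier
        deactivated for every host then known; it must be deactivated explicitly.
        """
        self.affected.add((host, svid))

    def deactivate(self, svid, host=None):
        """Deactivate an SVID for one host, or (host=None) for all hosts
        currently judged vulnerable to it. Returns how many pairs were deactivated."""
        if host is None:
            targets = {pair for pair in self.affected if pair[1] == svid}
        else:
            targets = {(host, svid)} & self.affected
        self.deactivated |= targets
        return len(targets)

    def identity_change(self, host):
        """An OS or application change on a host may reactivate its deactivated
        vulnerabilities; this model reactivates all of them."""
        self.deactivated = {p for p in self.deactivated if p[0] != host}

    def counts(self, svids):
        """Return (first_count, second_count) for an SVID or a range of SVIDs.

        second_count: non-unique hosts potentially affected (a host with two
        SVIDs in the range counts twice, so it can exceed the host total).
        first_count: the same minus deactivated pairs; None when nothing in
        the range has been deactivated, because the map then omits it.
        """
        svids = set(svids)
        total = [p for p in self.affected if p[1] in svids]
        deact = [p for p in total if p in self.deactivated]
        first = None if not deact else len(total) - len(deact)
        return first, len(total)


def walkthrough():
    """Constructed scenario: three hosts, two placeholder SVIDs, then a fourth host."""
    vm = VulnerabilityMap()
    for host, svid in [("h1", 100), ("h1", 101), ("h2", 100), ("h3", 101)]:
        vm.detect(host, svid)
    steps = [vm.counts([100, 101])]          # (None, 4): 3 hosts, 4 pairs
    vm.deactivate(100)                       # all hosts judged vulnerable to 100
    steps.append(vm.counts([100, 101]))      # (2, 4)
    vm.detect("h4", 100)                     # new host: active until deactivated
    steps.append(vm.counts([100]))           # (1, 3)
    vm.deactivate(101, host="h1")            # single-host deactivation
    steps.append(vm.counts([100, 101]))      # (2, 5)
    vm.identity_change("h1")                 # reactivates h1's deactivated pairs
    steps.append(vm.counts([100, 101]))      # (4, 5)
    return steps


if __name__ == "__main__":
    for first, second in walkthrough():
        print("first:", "hidden" if first is None else first, " second:", second)
```

Running the module prints the pair of counts after each action; the `first` value is reported as hidden when no deactivation exists in the range, mirroring the map omitting that number.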
To view the vulnerabilities network map:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Hosts > Network Map > Vulnerabilities.
The vulnerabilities network map appears.
Step 2 From the Type drop-down list, select the class of vulnerability you want to view. By default, vulnerabilities are displayed by Sourcefire vulnerability ID (SVID).
Step 3 Drill down to the specific vulnerability you want to investigate.
To filter by IP or MAC addresses, type an address in the search field. To clear the search, click the clear icon.
The vulnerability details appear. For details on the information provided, see .
In addition, on the network map, the Defense Center displays the IP addresses of affected hosts. You can click any IP address to display the host profile for that host.
Step 4 Optionally, deactivate the vulnerability:
• To deactivate the vulnerability for all hosts affected by the vulnerability, click the delete icon next to the vulnerability number.