Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 42: Enhancing Network Discovery
Assessing Your Detection Strategy
identify it as Linux 2.4 instead of Mac OS X. If you create a custom fingerprint for the Mac OS X host, 
it may cause all legitimate Linux 2.4 hosts to be erroneously identified as Mac OS X hosts. In this case, 
if Nmap correctly identifies the host, you could schedule regular Nmap scans for that host.
If you import data from a third-party system using host input, you must map the vendor, product, and 
version strings that the third party uses to describe servers and application protocols to the Cisco 
definitions for those products. For more information, see 
. Note that even if you map application data to FireSIGHT System vendor and version 
definitions, imported third-party vulnerabilities are not used for impact assessment for clients or web 
applications.
The system may reconcile data from multiple sources to determine the current identity for an operating 
system or application. For more information on how the system does this, see 
For Nmap data, you can schedule regular Nmap scans. For host input data, you can regularly run the Perl 
script for the import or the command line utility. Note, however, that active scan data and host input data 
may not be updated as frequently as discovery data. 
Can the FireSIGHT System Identify All Applications?
License: FireSIGHT
If a host is correctly identified by the system but has unidentified applications, you can create a 
user-defined detector to provide the system with port and pattern matching information to help identify 
the application. For more information, see 
Have You Applied Patches that Fix Vulnerabilities?
License: FireSIGHT
If the system correctly identifies a host but does not reflect applied fixes, you can use the host input 
feature to import patch information. When you import patch information, you must map the fix name to 
a fix in the database. For more information, see 
Do You Want to Track Third-Party Vulnerabilities?
License: FireSIGHT
If you have vulnerability information from a third-party system that you want to use for impact 
correlation, you can map the third-party vulnerability identifiers for servers and application protocols to 
vulnerability identifiers in the Cisco database and then import the vulnerabilities using the host input 
feature. For more information on using the host input feature, see the FireSIGHT System Host Input API 
Guide. For more information on mapping third-party vulnerabilities, see 
. Note that even if you map application data to FireSIGHT System vendor and 
version definitions, imported third-party vulnerabilities are not used for impact assessment for clients or 
web applications.