Cisco Cisco Firepower Management Center 4000
42-7
FireSIGHT System User Guide
Chapter 42 Enhancing Network Discovery
Using Custom Fingerprinting
A user with Administrator privileges can resolve identity conflicts automatically by choosing to always
use the passive identity or always use the active identity. Unless you disable automatic resolution of
identity conflicts, identity conflicts are always automatically resolved.
use the passive identity or always use the active identity. Unless you disable automatic resolution of
identity conflicts, identity conflicts are always automatically resolved.
A user with Administrator privileges can also configure the system to generate an event when an identity
conflict occurs. That user can then set up a correlation policy with a correlation rule that uses an Nmap
scan as a correlation response. When an event occurs, Nmap scans the host to obtain updated host
operating system and application data.
conflict occurs. That user can then set up a correlation policy with a correlation rule that uses an Nmap
scan as a correlation response. When an event occurs, Nmap scans the host to obtain updated host
operating system and application data.
Using Custom Fingerprinting
License:
FireSIGHT
The FireSIGHT System includes operating system fingerprints that the system uses to identify the
operating system on each host it detects. However, sometimes the system cannot identify a host operating
system or misidentifies it because no fingerprints exist that match the operating system. To correct this
problem, you can create a custom fingerprint, which provides a pattern of operating system
characteristics unique to the unknown or misidentified operating system, to supply the name of the
operating system for identification purposes.
operating system on each host it detects. However, sometimes the system cannot identify a host operating
system or misidentifies it because no fingerprints exist that match the operating system. To correct this
problem, you can create a custom fingerprint, which provides a pattern of operating system
characteristics unique to the unknown or misidentified operating system, to supply the name of the
operating system for identification purposes.
If the system cannot match a host’s operating system, it cannot identify the vulnerabilities for the host,
because the system derives the list of vulnerabilities for each host from its operating system fingerprint.
For example, if the system detects a host running Microsoft Windows, the system has a stored Microsoft
Windows vulnerability list that it adds to the host profile for that host based on the detected Windows
operating system.
because the system derives the list of vulnerabilities for each host from its operating system fingerprint.
For example, if the system detects a host running Microsoft Windows, the system has a stored Microsoft
Windows vulnerability list that it adds to the host profile for that host based on the detected Windows
operating system.
As an example, if you have several devices on your network running a new beta version of Microsoft
Windows, the system cannot identify that operating system and so cannot map vulnerabilities to the
hosts. However, knowing that the system has a list of vulnerabilities for Microsoft Windows, you may
Windows, the system cannot identify that operating system and so cannot map vulnerabilities to the
hosts. However, knowing that the system has a list of vulnerabilities for Microsoft Windows, you may