Cisco Cisco Firepower Management Center 4000
43-2
FireSIGHT System User Guide
Chapter 43 Configuring Active Scanning
Understanding Nmap Scans
Nmap compares the results of the scan to over 1500 known operating system fingerprints to determine
the operating system and assigns scores to each. The operating system assigned to the host is the
operating system fingerprint with the highest score.
the operating system and assigns scores to each. The operating system assigned to the host is the
operating system fingerprint with the highest score.
If the system recognizes a server identified in an Nmap scan and has a corresponding server definition,
the system maps vulnerabilities for that server to the host. The system maps the names Nmap uses for
servers to the corresponding Cisco server definitions, and then uses the vulnerabilities mapped to each
server in the system. Similarly, the system maps Nmap operating system names to Cisco operating
system definitions. When Nmap detects an operating system for a host, the system assigns vulnerabilities
from the corresponding Cisco operating system definition to the host.
the system maps vulnerabilities for that server to the host. The system maps the names Nmap uses for
servers to the corresponding Cisco server definitions, and then uses the vulnerabilities mapped to each
server in the system. Similarly, the system maps Nmap operating system names to Cisco operating
system definitions. When Nmap detects an operating system for a host, the system assigns vulnerabilities
from the corresponding Cisco operating system definition to the host.
For more information on Nmap on your Cisco appliance, see the following topics:
•
•
•
Understanding Nmap Remediations
License:
FireSIGHT
You can define the settings for an Nmap scan by creating an Nmap remediation. An Nmap remediation
can be used as a response in a correlation policy, run on demand, or scheduled to run at a specific time.
In order for the results of an Nmap scan to appear in the network map, the scanned host must already
exist in the network map.
can be used as a response in a correlation policy, run on demand, or scheduled to run at a specific time.
In order for the results of an Nmap scan to appear in the network map, the scanned host must already
exist in the network map.
Note that Nmap-supplied server and operating system data remain static until you run another Nmap
scan. If you plan to scan a host for operating system and server data using Nmap, you may want to set
up regularly scheduled scans to keep any Nmap-supplied operating system and server data up-to-date.
For more information, see
scan. If you plan to scan a host for operating system and server data using Nmap, you may want to set
up regularly scheduled scans to keep any Nmap-supplied operating system and server data up-to-date.
For more information, see
. Also note that if the host is deleted from
the network map, any Nmap scan results for that host are discarded.