FireSIGHT System User Guide
 
Chapter 43 Configuring Active Scanning
Understanding Nmap Scans
• an IP address range using octet range addressing (for example, 192.168.0-255.1-254 scans all addresses in the 192.168.x.x range, except those that end in .0 or .255)
• an IP address range using hyphenation (for example, 192.168.1.1 - 192.168.1.5 scans the six hosts between 192.168.1.1 and 192.168.1.5, inclusive)
• a list of addresses or ranges separated by commas or spaces (for example, 192.168.1.0/24, 194.168.1.0/24 scans the 254 hosts between 192.168.1.1 and 192.168.1.254, inclusive, and the 254 hosts between 194.168.1.1 and 194.168.1.254, inclusive)
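The target syntax forms listed above (octet ranges, hyphenated address ranges, CIDR blocks, and comma- or space-separated lists) can be expanded and counted before a scan is scheduled, which is a useful sanity check on how many hosts a remediation or scheduled task will actually touch. The following Python is an added example written for this page, not code from the FireSIGHT System or from Nmap; it assumes, as the host counts quoted above do, that a CIDR block contributes only its host addresses (the .0 and .255 addresses of a /24 are skipped), and it only handles the forms this guide describes.

```python
import ipaddress
import re
from typing import Iterator, List


def _expand_octet(field: str) -> List[int]:
    """Expand one octet field such as '7', '0-255' or '1-254' into a list of ints."""
    if "-" in field:
        lo_s, hi_s = field.split("-", 1)
        lo, hi = int(lo_s), int(hi_s)
    else:
        lo = hi = int(field)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of bounds: {field!r}")
    return list(range(lo, hi + 1))


def expand_target(token: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one target token.

    Supported forms (the ones this guide lists):
      single address      192.168.1.7
      CIDR block          192.168.1.0/24   (host addresses only, per the guide's counts)
      octet ranges        192.168.0-255.1-254
      hyphenated range    192.168.1.1-192.168.1.5
    """
    token = token.strip()

    # Hyphenated full-address range: two dotted quads joined by '-'.
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)", token)
    if m:
        start = ipaddress.IPv4Address(m.group(1))
        end = ipaddress.IPv4Address(m.group(2))
        if end < start:
            raise ValueError(f"range end precedes start: {token!r}")
        for n in range(int(start), int(end) + 1):
            yield str(ipaddress.IPv4Address(n))
        return

    # CIDR block: hosts() drops the network and broadcast addresses of a /24,
    # which reproduces the 254-host count the guide quotes.
    if "/" in token:
        for addr in ipaddress.IPv4Network(token, strict=False).hosts():
            yield str(addr)
        return

    # Dotted quad where any octet may be a 'lo-hi' range.
    octets = token.split(".")
    if len(octets) != 4:
        raise ValueError(f"unrecognised target: {token!r}")
    a, b, c, d = (_expand_octet(o) for o in octets)
    for w in a:
        for x in b:
            for y in c:
                for z in d:
                    yield f"{w}.{x}.{y}.{z}"


def expand_targets(spec: str) -> List[str]:
    """Expand a comma- or space-separated list of target tokens.

    Spaces around the '-' of a hyphenated range (as in the guide's own example
    '192.168.1.1 - 192.168.1.5') are removed before the list is split.
    """
    normalised = re.sub(r"\s*-\s*", "-", spec)
    tokens = [t for t in re.split(r"[,\s]+", normalised) if t]
    addresses: List[str] = []
    for tok in tokens:
        addresses.extend(expand_target(tok))
    return addresses


def count_targets(spec: str) -> int:
    """Number of addresses a target specification would cover."""
    return len(expand_targets(spec))


if __name__ == "__main__":
    # Constructed inputs: the three example specifications from the guide.
    for example in ("192.168.0-255.1-254",
                    "192.168.1.1 - 192.168.1.5",
                    "192.168.1.0/24, 194.168.1.0/24"):
        print(f"{example!r}: {count_targets(example)} addresses")
```

Running the block on the guide's own examples prints the address count for each specification; a count in the tens of thousands (the octet-range example covers 256 x 254 addresses) is a prompt to narrow the target list or move the scan to a scheduled window rather than triggering it from a correlation response.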
Ideal scan targets for Nmap scans include hosts with operating systems that the system is unable to 
identify, hosts with unidentified servers, or hosts recently detected on your network. Remember that 
Nmap results cannot be added to the network map for hosts that do not exist in the network map.
Caution: Nmap-supplied server and operating system data remains static until you run another Nmap scan. If you plan to scan a host using Nmap, you may want to set up regularly scheduled scans to keep any Nmap-supplied operating system and server data up to date. For more information, see . Also note that if the host is deleted from the network map, any Nmap scan results are discarded. In addition, make sure you have permission to scan your targets. Using Nmap to scan hosts that do not belong to you or your company may be illegal.
Selecting Appropriate Ports to Scan
License: FireSIGHT
For each scan target you configure, you can select the ports you want to scan. You can designate individual port numbers, port ranges, or a series of port numbers and port ranges to identify the exact set of ports that should be scanned on each target.

By default, Nmap scans TCP ports 1 through 1024. If you plan to use the remediation as a response in a correlation policy, you can cause the remediation to scan only the port specified in the event that triggers the correlation response. If you run the remediation on demand or as a scheduled task, or if you do not use the port from the event, you can use other port options to determine which ports are scanned. You can choose to scan only the TCP ports listed in the nmap-services file, ignoring other port settings. You can also scan UDP ports in addition to TCP ports. Note that scanning for UDP ports may be time-consuming, so avoid using that option if you want to scan quickly. To select the specific ports or range of ports to scan, use Nmap port specification syntax to identify ports.
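The port options described above resolve to one of three things: the parsed port specification, the single port carried by the triggering event, or the TCP ports listed in the nmap-services file. The Python below is an added example written for this page (not FireSIGHT or Nmap code) that resolves that choice the way the paragraph describes, with a parser for Nmap's port specification syntax (comma-separated ports and lo-hi ranges, T:/U: protocol prefixes, and a bare '-' for the full range) and a reader for the nmap-services file layout. The NMAP_SERVICES_SAMPLE text is a constructed excerpt in that file's format, and the function names are this example's own.

```python
import re
from typing import Dict, Optional, Set

# The default the guide states: TCP ports 1 through 1024.
DEFAULT_PORT_SPEC = "1-1024"

# Constructed excerpt in the layout of Nmap's nmap-services file:
# "name port/protocol open-frequency [# comment]".
NMAP_SERVICES_SAMPLE = """\
# Fields: name port/protocol frequency [# comment]
ssh     22/tcp   0.182286   # Secure Shell
http    80/tcp   0.484143   # World Wide Web HTTP
https   443/tcp  0.208669
domain  53/udp   0.213496   # Domain Name Server
domain  53/tcp   0.054809
snmp    161/udp  0.433467
"""


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Parse an Nmap '-p' style port specification into TCP and UDP port sets.

    Each comma-separated item is a single port or a 'lo-hi' range (either end
    may be omitted); a 'T:' or 'U:' prefix selects the protocol for that item
    and every item after it until the next prefix. The protocol starts as TCP.
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty item in port specification")
        m = re.fullmatch(r"(?:([TUtu]):)?(.*)", item)
        prefix, body = m.group(1), m.group(2)
        if prefix:
            proto = "tcp" if prefix.upper() == "T" else "udp"
        if re.fullmatch(r"\d+", body):
            lo = hi = int(body)
        elif re.fullmatch(r"\d*-\d*", body):          # '-' alone means every port
            lo_s, hi_s = body.split("-")
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 65535
        else:
            raise ValueError(f"bad port item: {item!r}")
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def tcp_ports_from_nmap_services(text: str) -> Set[int]:
    """Return the TCP ports listed in nmap-services formatted text.

    Comment and blank lines are skipped, and UDP entries are ignored, matching
    the 'scan only the TCP ports listed in nmap-services' option.
    """
    ports: Set[int] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        port_s, _, proto = fields[1].partition("/")
        if proto == "tcp" and port_s.isdigit():
            ports.add(int(port_s))
    return ports


def effective_ports(spec: str = DEFAULT_PORT_SPEC,
                    event_port: Optional[int] = None,
                    use_services_file: bool = False,
                    services_text: str = NMAP_SERVICES_SAMPLE) -> Dict[str, Set[int]]:
    """Resolve the ports a scan would use, in the precedence the guide describes:
    the event's port when the remediation is told to use it, otherwise the
    nmap-services TCP list when that option is set (it overrides other port
    settings), otherwise the parsed specification."""
    if event_port is not None:
        return {"tcp": {event_port}, "udp": set()}
    if use_services_file:
        return {"tcp": tcp_ports_from_nmap_services(services_text), "udp": set()}
    return parse_port_spec(spec)


if __name__ == "__main__":
    # Constructed specification mixing TCP and UDP items.
    chosen = effective_ports("T:22,80,443,8000-8100,U:53,161")
    print(f"tcp={sorted(chosen['tcp'])[:5]}... udp={sorted(chosen['udp'])}")
    print(f"nmap-services TCP ports: {sorted(effective_ports(use_services_file=True)['tcp'])}")
```

The UDP set is kept separate so a caller can see at a glance whether a specification will trigger the slow UDP path the guide warns about; an empty udp set means the scan stays TCP-only.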
Setting Host Discovery Options
License: FireSIGHT
You can decide whether to perform host discovery before starting a port scan for a host, or you can assume that all the hosts you plan to scan are online. If you choose not to treat all hosts as online, you can choose what method of host discovery to use and, if needed, customize the list of ports scanned during host discovery. Host discovery does not probe the ports listed for operating system or server information; it uses the response over a particular port only to determine whether a host is active and available. If you perform host discovery and a host is not available, Nmap does not scan ports on that host.
Sample Nmap Scanning Profiles
License: FireSIGHT