Cisco Firepower Management Center 4000
43-13
FireSIGHT System User Guide
Chapter 43 Configuring Active Scanning
Setting up Nmap Scans
If you scan the port in the correlation event, note that the remediation scans the port on the IP addresses that you specified in step . These ports are also added to the remediation's dynamic scan target.
• Select Off to scan only the ports you will specify in step .
Step 9
If you plan to use this remediation in response to correlation policy violations and want to run the scan using the appliance running the detection engine that detected the event, configure the Scan from reporting detection engine option:
• To scan from the appliance running the reporting detection engine, select On.
• To scan from the appliance configured in the remediation, select Off.
Step 10
Configure the Fast Port Scan option:
• To scan only the ports listed in the nmap-services file (/var/sf/nmap/share/nmap/nmap-services on the device that does the scanning), ignoring other port settings, select On.
• To scan all TCP ports, select Off.
Step 11
In the Port Ranges and Scan Order field, type the ports you want to scan by default, using Nmap syntax, in the order you want to scan those ports.
Specify values from 1 to 65535. Separate ports using commas or spaces. You can also use a hyphen to indicate a port range. When scanning for both TCP and UDP ports, preface the list of TCP ports you want to scan with a T and the list of UDP ports with a U. For example, to scan ports 53 and 111 for UDP traffic, then scan ports 21-25 for TCP traffic, enter U:53,111,T:21-25.
Note that the Use Port From Event option overrides this setting when the remediation is launched in response to a correlation policy violation, as described in step .
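As an added illustration that is not part of the Cisco guide, the following Python parser checks a Port Ranges and Scan Order value against the rules above (ports 1 to 65535, comma or space separators, hyphen ranges, a T or U prefix that applies to every port after it, scan order preserved) so that a malformed list is caught before the remediation is saved. The sample value is the guide's own example; everything else is constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the value the guide uses as its example.
EXAMPLE_SPEC = "U:53,111,T:21-25"

# One entry: optional T:/U: prefix, a port, and optionally "-port" for a range.
_TOKEN = re.compile(r"^(?:([TU]):)?(\d+)(?:-(\d+))?$")


def parse_port_spec(spec: str) -> List[Tuple[Optional[str], int, int]]:
    """Parse a Port Ranges and Scan Order value into ordered (protocol, low, high)
    entries. protocol is 'T', 'U', or None when no prefix has been given yet
    (the scan's own protocol then applies). Raises ValueError on bad input."""
    entries: List[Tuple[Optional[str], int, int]] = []
    proto: Optional[str] = None
    for token in re.split(r"[,\s]+", spec.strip()):
        if not token:
            continue
        match = _TOKEN.match(token)
        if not match:
            raise ValueError(f"malformed port entry: {token!r}")
        prefix, low_s, high_s = match.groups()
        if prefix:
            proto = prefix  # a T or U prefix sticks until the next prefix
        low = int(low_s)
        high = int(high_s) if high_s is not None else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port outside 1-65535: {token!r}")
        if low > high:
            raise ValueError(f"range start exceeds end: {token!r}")
        entries.append((proto, low, high))
    if not entries:
        raise ValueError("empty port specification")
    return entries


def expand_ports(spec: str) -> List[Tuple[Optional[str], int]]:
    """Flatten the parsed value into the ordered (protocol, port) pairs the
    scan will probe, which makes the configured scan order explicit."""
    ports: List[Tuple[Optional[str], int]] = []
    for proto, low, high in parse_port_spec(spec):
        ports.extend((proto, port) for port in range(low, high + 1))
    return ports


if __name__ == "__main__":
    print(expand_ports(EXAMPLE_SPEC))
```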
Step 12
To probe open ports for server vendor and version information, configure Probe open ports for vendor and version information:
• Select On to scan open ports on the host for server information to identify server vendors and versions.
• Select Off to continue using Cisco server information for the host.
Step 13
If you choose to probe open ports, set the number of probes used by selecting a number from the Service Version Intensity drop-down list:
• To use more probes for higher accuracy with a longer scan, select a higher number.
• To use fewer probes for less accuracy with a faster scan, select a lower number.
Step 14
To scan for operating system information, configure Detect Operating System settings:
• Select On to scan the host for information to identify the operating system.
• Select Off to continue using Cisco operating system information for the host.
Step 15
To determine whether host discovery occurs and whether port scans are only run against available hosts, configure Treat All Hosts As Online:
• To skip the host discovery process and run a port scan on every host in the target range, select On.
• To perform host discovery using the settings for Host Discovery Method and Host Discovery Port List and skip the port scan on any host that is not available, select Off.
Step 16
Select the method you want Nmap to use when it tests for host availability:
• To send an empty TCP packet with the SYN flag set and elicit an RST response on a closed port or a SYN/ACK response on an open port on available hosts, select TCP SYN.