Cisco Firepower Management Center 4000
42-3
FireSIGHT System User Guide
Chapter 42 Enhancing Network Discovery
Assessing Your Detection Strategy
identify it as Linux 2.4 instead of Mac OS X. If you create a custom fingerprint for the Mac OS X host,
it may cause all legitimate Linux 2.4 hosts to be erroneously identified as Mac OS X hosts. In this case,
if Nmap correctly identifies the host, you could schedule regular Nmap scans for that host.
If you import data from a third-party system using host input, you must map the vendor, product, and
version strings that the third party uses to describe servers and application protocols to the Cisco
definitions for those products. For more information, see
. Note that even if you map application data to FireSIGHT System vendor and version
definitions, imported third-party vulnerabilities are not used for impact assessment for clients or web
applications.
The system may reconcile data from multiple sources to determine the current identity for an operating
system or application. For more information on how the system does this, see
.
For Nmap data, you can schedule regular Nmap scans. For host input data, you can regularly run the Perl
script for the import or the command line utility. However, note that active scan data and host input data
may not be updated with the frequency of discovery data.
Can the FireSIGHT System Identify All Applications?
License: FireSIGHT
If a host is correctly identified by the system but has unidentified applications, you can create a
user-defined detector to provide the system with port and pattern matching information to help identify
the application. For more information, see
Have You Applied Patches that Fix Vulnerabilities?
License: FireSIGHT
If the system correctly identifies a host but does not reflect applied fixes, you can use the host input
feature to import patch information. When you import patch information, you must map the fix name to
a fix in the database. For more information, see
Do You Want to Track Third-Party Vulnerabilities?
License: FireSIGHT
If you have vulnerability information from a third-party system that you want to use for impact
correlation, you can map the third-party vulnerability identifiers for servers and application protocols to
vulnerability identifiers in the Cisco database and then import the vulnerabilities using the host input
feature. For more information on using the host input feature, see the FireSIGHT System Host Input API
Guide. For more information on mapping third-party vulnerabilities, see
. Note that even if you map application data to FireSIGHT System vendor and
version definitions, imported third-party vulnerabilities are not used for impact assessment for clients or
web applications.