Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide, Chapter 43: Configuring Active Scanning (page 43-3)
Understanding Nmap Scans
Table 43-1 Nmap Remediation Options

Option: Scan Which Address(es) From Event?
Description: When you use an Nmap scan as a response to a correlation rule, select an option to control which address in the event is scanned: that of the source host, the destination host, or both.
Corresponding Nmap Option: N/A

Option: Scan Types
Description: Select how Nmap scans ports:
• The TCP Syn scan connects quickly to thousands of ports without using a complete TCP handshake. This option allows you to scan quickly in stealth mode on hosts where the admin account has raw packet access or where IPv6 is not running, by initiating TCP connections but not completing them. If a host acknowledges the Syn packet sent in a TCP Syn scan, Nmap resets the connection.
• The TCP Connect scan uses the connect() system call to open connections through the operating system on the host. You can use the TCP Connect scan if the admin user on your Defense Center or managed device does not have raw packet privileges on a host or you are scanning IPv6 networks. In other words, use this option in situations where the TCP Syn scan cannot be used.
• The TCP ACK scan sends an ACK packet to check whether ports are filtered or unfiltered.
• The TCP Window scan works in the same way as a TCP ACK scan but can also determine whether a port is open or closed.
• The TCP Maimon scan identifies BSD-derived systems using a FIN/ACK probe.
Corresponding Nmap Option: TCP Syn: -sS; TCP Connect: -sT; TCP ACK: -sA; TCP Window: -sW; TCP Maimon: -sM

Option: Scan for UDP ports
Description: Enable to scan UDP ports in addition to TCP ports. Note that scanning UDP ports may be time-consuming, so avoid using this option if you want to scan quickly.
Corresponding Nmap Option: -sU

Option: Use Port From Event
Description: If you plan to use the remediation as a response in a correlation policy, enable to cause the remediation to scan only the port specified in the event that triggers the correlation response.
Tip: You can also control whether Nmap collects information about operating system and server information. Enable the Use Port From Event option to scan the port associated with the new server.
Corresponding Nmap Option: N/A

Option: Scan from reporting detection engine
Description: Enable to scan a host from the appliance where the detection engine that reported the host resides.
Corresponding Nmap Option: N/A

Option: Fast Port Scan
Description: Enable to scan only the TCP ports listed in the nmap-services file located in the /var/sf/nmap/share/nmap/nmap-services directory on the device that does the scanning, ignoring other port settings. Note that you cannot use this option with the Port Ranges and Scan Order option.
Corresponding Nmap Option: -F

Option: Port Ranges and Scan Order
Description: Set the specific ports you want to scan, using Nmap port specification syntax, and the order you want to scan them. Note that you cannot use this option with the Fast Port Scan option.
Corresponding Nmap Option: -p
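The following is an added example, not Cisco's code and not part of the user guide: it shows how the remediation options in Table 43-1 translate into Nmap arguments, applies the table's own rule for choosing TCP Syn versus TCP Connect, validates the Port Ranges and Scan Order field against the subset of Nmap port specification syntax it handles (comma-separated ports and ranges with optional T:/U: prefixes), and enforces the stated exclusion between Fast Port Scan and Port Ranges and Scan Order. The dictionary key names, the function names, the shape of the correlation event and the precedence between the event port, -F and -p are all assumptions made for this example.

```python
"""Translate a FireSIGHT-style Nmap remediation option set into Nmap arguments.

Added example, not Cisco's code. Option and flag names follow Table 43-1;
the dictionary keys, function names and precedence rules are assumptions.
"""
from __future__ import annotations

import re
from typing import Optional

# Scan type -> Nmap flag, exactly as Table 43-1 lists them.
SCAN_TYPE_FLAGS = {
    "TCP Syn": "-sS",
    "TCP Connect": "-sT",
    "TCP ACK": "-sA",
    "TCP Window": "-sW",
    "TCP Maimon": "-sM",
}

# One port or a low-high range, digits only.
_PORT_ENTRY = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def recommended_scan_type(raw_packet_access: bool, ipv6_target: bool) -> str:
    """Apply the table's rule: TCP Syn needs raw packet access and is not
    used on IPv6 networks; in every other case fall back to TCP Connect."""
    if raw_packet_access and not ipv6_target:
        return "TCP Syn"
    return "TCP Connect"


def parse_port_spec(spec: str) -> list[tuple[str, int, int]]:
    """Parse the subset of Nmap port specification syntax handled here:
    comma-separated ports or low-high ranges, optionally prefixed with T: or
    U:, where a prefix stays in force until another one appears.
    Order is preserved because it is the scan order. Raises ValueError."""
    ranges: list[tuple[str, int, int]] = []
    proto = ""  # "" means no protocol restriction
    for item in spec.replace(" ", "").split(","):
        if ":" in item:
            proto, item = item.split(":", 1)
            if proto not in ("T", "U"):
                raise ValueError(f"unknown protocol prefix {proto!r}")
        m = _PORT_ENTRY.match(item)
        if not m:
            raise ValueError(f"bad port entry {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port entry out of order or range: {item!r}")
        ranges.append((proto, low, high))
    return ranges


def check_options(options: dict, event: Optional[dict]) -> list[str]:
    """Return every problem with an option set (empty list when it is usable).
    Assumed keys: scan_type, scan_udp, use_port_from_event, fast_port_scan,
    port_ranges, scan_which_address ("source", "destination" or "both")."""
    problems = []
    if options.get("scan_type", "TCP Syn") not in SCAN_TYPE_FLAGS:
        problems.append("unknown scan type")
    if options.get("fast_port_scan") and options.get("port_ranges"):
        problems.append("Fast Port Scan and Port Ranges and Scan Order are mutually exclusive")
    if options.get("port_ranges"):
        try:
            parse_port_spec(options["port_ranges"])
        except ValueError as exc:
            problems.append(f"port ranges: {exc}")
    if options.get("use_port_from_event") and not (event and "port" in event):
        problems.append("Use Port From Event needs a triggering event that carries a port")
    if event is None or "src" not in event or "dst" not in event:
        problems.append("a correlation event with src and dst is needed to pick targets")
    if options.get("scan_which_address", "both") not in ("source", "destination", "both"):
        problems.append("unknown address selection")
    return problems


def build_nmap_args(options: dict, event: Optional[dict]) -> list[str]:
    """Build the Nmap argument list for one remediation run against the
    addresses taken from the triggering correlation event (assumed shape:
    {"src": ..., "dst": ..., "port": ...})."""
    problems = check_options(options, event)
    if problems:
        raise ValueError("; ".join(problems))
    args = [SCAN_TYPE_FLAGS[options.get("scan_type", "TCP Syn")]]
    if options.get("scan_udp"):
        args.append("-sU")
    # Precedence is an assumption of this example: the event's port narrows
    # the scan first, then -F, then an explicit port list.
    if options.get("use_port_from_event"):
        args += ["-p", str(int(event["port"]))]
    elif options.get("fast_port_scan"):
        args.append("-F")
    elif options.get("port_ranges"):
        args += ["-p", options["port_ranges"].replace(" ", "")]
    targets = {"source": [event["src"]], "destination": [event["dst"]],
               "both": [event["src"], event["dst"]]}
    return args + targets[options.get("scan_which_address", "both")]


if __name__ == "__main__":
    # Constructed sample event for a stand-alone run.
    sample_event = {"src": "10.0.0.5", "dst": "10.0.0.9", "port": 445}
    print(build_nmap_args({"scan_type": recommended_scan_type(False, False),
                           "port_ranges": "T:22,80,443"}, sample_event))
```

Running check_options before building the argument list is the point of the example: the mutual exclusion and the port-specification errors surface as a list of messages the operator can act on, rather than as a failed scan on the managed device.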