Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 42
Enhancing Network Discovery
The information about your network traffic collected by the FireSIGHT System is most valuable to you
when the system can correlate this information to identify the hosts on your network that are most
vulnerable and most important.
As an example, if you have several devices on your network running a customized version of SuSE
Linux, the system cannot identify that operating system and so cannot map vulnerabilities to the hosts.
However, knowing that the system has a list of vulnerabilities for SuSE Linux, you may want to create
a custom fingerprint for one of the hosts that can then be used to identify the other hosts running the
same operating system. You can include a mapping of the vulnerability list for SuSE Linux in the
fingerprint to associate that list with each host that matches the fingerprint.
The system also allows you to input host data from third-party systems directly into the network map,
using the host input feature. However, third-party operating system or application data does not
automatically map to vulnerability information. If you want to see vulnerabilities and perform impact
correlation for hosts using third-party operating system, server, and application protocol data, you must
map the vendor and version information from the third-party system to the vendor and version listed in
the vulnerability database (VDB). You also may want to maintain the host input data on an ongoing
basis. Note that even if you map application data to FireSIGHT System vendor and version definitions,
imported third-party vulnerabilities are not used for impact assessment for clients or web applications.
If the system cannot identify application protocols running on hosts on your network, you can create
user-defined application protocol detectors that allow the system to identify the applications based on a
port or a pattern. You can also import, activate, and deactivate certain application detectors to further
customize the application detection capability of the FireSIGHT System.
You can also replace detection of operating system and application data using scan results from the
Nmap active scanner or augment the vulnerability lists with third-party vulnerabilities. The system may
reconcile data from multiple sources to determine the identity for an application. For more information
on how the system does this, see
. For more information on
active scanning, see