Cisco Firepower Management Center 4000
41-13
FireSIGHT System User Guide
Chapter 41 Configuring Remediations
Creating Remediations
To create a Nmap remediation:

Access: Admin/Discovery Admin

Step 1  Select Policies > Actions > Scanners.
The Scanners page appears.

Step 2  Click Add Remediation next to the scan instance where you want to add a remediation.
The Edit Remediation page appears.

Step 3  In the Remediation Name field, type a name for the remediation that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).

Step 4  In the Description field, type a description for the remediation that includes 0 to 255 alphanumeric characters, including spaces and special characters.

Step 5  If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, a connection event, or a user event, configure the Scan Which Address(es) From Event? option.
• Select Scan Source and Destination Addresses to scan the hosts represented by the source IP address and the destination IP address in the event.
• Select Scan Source Address Only to scan the host represented by the event’s source IP address.
• Select Scan Destination Address Only to scan the host represented by the event’s destination IP address.
If you plan to use this remediation in response to a correlation rule that triggers on a discovery event or a host input event, by default the remediation scans the IP address of the host involved in the event; you do not need to configure this option.

Note  Do not assign a Nmap remediation as a response to a correlation rule that triggers on a traffic profile change.

Step 6  Configure the Scan Type option:
• To scan quickly in stealth mode on hosts where the admin account has raw packet access or where IPv6 is not running, by initiating TCP connections but not completing them, select TCP Syn Scan.
• To scan by using a system connect() call, which can be used on hosts where the admin account on your Defense Center does not have raw packet access or where IPv6 is running, select TCP Connect Scan.
• To send an ACK packet to check whether ports are filtered or unfiltered, select TCP ACK Scan.
• To send an ACK packet to check whether ports are filtered or unfiltered but also determine whether a port is open or closed, select TCP Window Scan.
• To identify BSD-derived systems using a FIN/ACK probe, select TCP Maimon Scan.

Step 7  Optionally, to scan UDP ports in addition to TCP ports, select On for the Scan for UDP ports option.

Tip  A UDP portscan takes more time than a TCP portscan. To speed up your scans, leave this option disabled.

Step 8  If you plan to use this remediation in response to correlation policy violations, configure the Use Port From Event option:
• Select On to scan the port in the correlation event, rather than the ports you specify in step .
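The address-selection (Step 5), scan-type (Step 6), UDP (Step 7) and port-from-event (Step 8) options fit together as one small dispatcher, and the Note about traffic profile changes is a guard on the same path. The following Python is an added illustration, not code from the FireSIGHT product or from this guide: it assumes the standard nmap scan selectors (-sS, -sT, -sA, -sW, -sM, -sU) stand in for whatever the Defense Center's module actually invokes, and the NmapRemediation and CorrelationEvent structures, the 1-1024 default port list and the sample event are hypothetical. It only assembles the command line and never runs a scan.

```python
"""Build the nmap argv a FireSIGHT-style Nmap remediation would run for one
correlation event.  Added illustration (assumption): flag mapping is plain
nmap; the guide does not show the Defense Center module's own invocation."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Scan Type option (Step 6) -> standard nmap scan selector
SCAN_TYPE_FLAGS = {
    "TCP Syn Scan": "-sS",      # half-open; needs raw packet access, no IPv6
    "TCP Connect Scan": "-sT",  # full connect(); works without raw sockets / with IPv6
    "TCP ACK Scan": "-sA",      # filtered vs unfiltered only
    "TCP Window Scan": "-sW",   # ACK probe that also infers open/closed
    "TCP Maimon Scan": "-sM",   # FIN/ACK probe for BSD-derived stacks
}

# Event types named by the guide, grouped by how address selection works
ADDRESS_OPTION_EVENTS = {"intrusion", "connection", "user"}
HOST_EVENTS = {"discovery", "host input"}


@dataclass
class NmapRemediation:
    """Hypothetical model of the Edit Remediation page fields."""
    name: str
    scan_type: str = "TCP Syn Scan"
    scan_which_addresses: str = "Scan Source and Destination Addresses"
    scan_udp: bool = False
    use_port_from_event: bool = False
    ports: List[str] = field(default_factory=lambda: ["1-1024"])  # assumed default

    def __post_init__(self):
        # Step 3: 1 to 63 alphanumerics, underscore or dash, no spaces
        if not re.fullmatch(r"[A-Za-z0-9_-]{1,63}", self.name):
            raise ValueError(f"invalid remediation name: {self.name!r}")
        if self.scan_type not in SCAN_TYPE_FLAGS:
            raise ValueError(f"unknown scan type: {self.scan_type!r}")


@dataclass
class CorrelationEvent:
    """Hypothetical event record; event_type uses the guide's names."""
    event_type: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    host_ip: Optional[str] = None   # discovery / host input events
    port: Optional[int] = None      # port recorded in the event


def select_targets(rem: NmapRemediation, ev: CorrelationEvent) -> List[str]:
    """Step 5: decide which address(es) from the event become scan targets."""
    if ev.event_type == "traffic profile change":
        # The guide's Note: an Nmap remediation must not answer this trigger.
        raise ValueError("Nmap remediation must not respond to traffic profile changes")
    if ev.event_type in HOST_EVENTS:
        return [ev.host_ip]          # option ignored; the host in the event is scanned
    if ev.event_type not in ADDRESS_OPTION_EVENTS:
        raise ValueError(f"unsupported event type: {ev.event_type!r}")
    choice = rem.scan_which_addresses
    if choice == "Scan Source and Destination Addresses":
        return [ev.src_ip, ev.dst_ip]
    if choice == "Scan Source Address Only":
        return [ev.src_ip]
    if choice == "Scan Destination Address Only":
        return [ev.dst_ip]
    raise ValueError(f"unknown address option: {choice!r}")


def build_nmap_argv(rem: NmapRemediation, ev: CorrelationEvent) -> List[str]:
    """Assemble the argv for the scan; nothing is executed here."""
    argv = ["nmap", SCAN_TYPE_FLAGS[rem.scan_type]]
    if rem.scan_udp:                                      # Step 7
        argv.append("-sU")
    if rem.use_port_from_event and ev.port is not None:   # Step 8
        argv += ["-p", str(ev.port)]
    else:
        argv += ["-p", ",".join(rem.ports)]
    argv += select_targets(rem, ev)
    return argv


if __name__ == "__main__":
    # Constructed sample remediation and event, not taken from the guide
    rem = NmapRemediation("scan-on-intrusion", scan_type="TCP Connect Scan",
                          scan_which_addresses="Scan Source Address Only",
                          use_port_from_event=True)
    ev = CorrelationEvent("intrusion", src_ip="10.0.0.5", dst_ip="10.0.0.9", port=445)
    print(" ".join(build_nmap_argv(rem, ev)))
```

The name check in NmapRemediation mirrors the Step 3 rule, and select_targets refuses traffic-profile-change events outright, which is the safest way to honour the guide's Note in anything that automates response selection.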