Cisco Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 42 Enhancing Network Discovery
Using Custom Fingerprinting
want to create a custom fingerprint for one of the hosts that can then be used to identify the other hosts
running the same operating system. You can include a mapping of the vulnerability list for Microsoft
Windows in the fingerprint to associate that list with each host that matches the fingerprint.
When you create a custom fingerprint, you can add a customized display of operating system
information, and you can select the operating system vendor, product name, and product version for the
operating system that the system should use as a model for the vulnerability list for the fingerprint.
The Defense Center lists the set of vulnerabilities associated with that fingerprint for any hosts running
the same operating system. If the custom fingerprint you create does not have any vulnerability
mappings in it, the system uses the fingerprint to assign the custom operating system information you
provide in the fingerprint. When the system sees new traffic from a host that has already been detected
and currently resides in the network map, the system updates the host with the new fingerprint
information. The system also uses the new fingerprint to identify any new hosts with that operating
system the first time they are detected.
Before attempting to fingerprint a host, you should determine why the host is not being identified
correctly to decide whether custom fingerprinting is a viable solution. For more information, see
.
You can create two types of fingerprints with the system:
• Client fingerprints, which identify operating systems based on the SYN packet that the host sends
when it connects to a TCP application running on another host on the network. See
for information about how to obtain a client fingerprint for a host.
• Server fingerprints, which identify operating systems based on the SYN-ACK packet that the host
uses to respond to an incoming connection to a running TCP application. See
a host.
After creating fingerprints, you must activate them before the system can associate them with hosts. See
for more information.
Note
If both a client and server fingerprint match the same host, the client fingerprint is used.
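The following Python sketch is an added illustration, not part of the Cisco guide. It classifies a raw IPv4/TCP handshake packet as client (SYN) or server (SYN-ACK) fingerprint input and extracts header fields that passive OS fingerprinting generally relies on. The field selection, the TTL-based hop estimate, and all function names are assumptions; the guide does not describe which fields FireSIGHT uses.

```python
import struct

OPTION_NAMES = {2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}

def handshake_features(pkt: bytes) -> dict:
    """Pull passive-fingerprint inputs out of one raw IPv4/TCP handshake packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    flags, window = tcp[13], struct.unpack("!H", tcp[14:16])[0]
    if not flags & 0x02:
        raise ValueError("no SYN flag: not a handshake packet")
    # SYN alone is sent by the connecting host (client fingerprint input);
    # SYN+ACK is the listener's reply (server fingerprint input).
    kind = "server" if flags & 0x10 else "client"
    end = min((tcp[12] >> 4) * 4, len(tcp))
    layout, mss, i = [], None, 20
    while i < end and tcp[i] != 0:          # option kind 0 = end of list
        if tcp[i] == 1:                     # NOP is a single byte
            layout.append("nop"); i += 1; continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            raise ValueError("malformed TCP option")
        if tcp[i] == 2 and tcp[i + 1] == 4:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        layout.append(OPTION_NAMES.get(tcp[i], f"opt{tcp[i]}"))
        i += tcp[i + 1]
    ttl = pkt[8]
    # Heuristic: stacks commonly start TTL at 64, 128 or 255; each hop subtracts 1.
    initial = next(t for t in (64, 128, 255) if ttl <= t)
    return {"type": kind, "ttl": ttl, "hops": initial - ttl, "window": window,
            "mss": mss, "options": ",".join(layout)}

def choose_fingerprint(matches: set) -> str:
    """Apply the guide's rule: when both types match a host, the client one is used."""
    return "client" if "client" in matches else next(iter(matches))

def build_sample(ttl: int, flags: int, window: int, options: bytes) -> bytes:
    """Constructed packet (documentation addresses, zero checksums) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0,
                      ((20 + len(options)) // 4) << 4, flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp

SYN = build_sample(126, 0x02, 64240, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")
SYN_ACK = build_sample(64, 0x12, 65160, b"\x02\x04\x05\xb4\x01\x01\x04\x02\x01\x03\x03\x07")
```

The nonzero hop estimate for the constructed SYN shows why the observed TTL, and therefore the fingerprint, depends on where the capturing device sits relative to the host.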
Fingerprinting Clients
License: FireSIGHT
Client fingerprints identify operating systems based on the SYN packet a host sends when it connects to
a TCP application running on another host on the network.
If the Defense Center does not have direct contact with monitored hosts, you can specify a device that
is managed by the Defense Center and is closest to the host you intend to fingerprint when specifying
client fingerprint properties.
Before you begin the fingerprinting process, obtain the following information about the host you want
to fingerprint:
• The number of network hops between the host and the Defense Center or the device you use to
obtain the fingerprint. (Cisco strongly recommends that you directly connect the Defense Center or
the device to the same subnet that the host is connected to.)
• The network interface (on the Defense Center or the device) that is connected to the network where
the host resides.