Cisco FirePOWER Appliance 8130
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
Working with Vulnerabilities in the Host Profile
The Vulnerabilities sections of the host profile list the vulnerabilities that affect that host.
The Sourcefire Vulnerabilities section lists vulnerabilities based on the operating system, servers, and
applications that the system detected on the host.
If there is an identity conflict for either the identity of the host’s operating system or one of the
application protocols on the host, the system lists vulnerabilities for both identities until the conflict is
resolved.
Because there is no operating system information available for hosts added to the network map based on
NetFlow data, the Defense Center cannot determine which vulnerabilities may affect those hosts, unless
you use the host input feature to manually set the hosts’ operating system identity.
Server vendor and version information is often not included in traffic. By default, the system does not
map the associated vulnerabilities for the sending and receiving hosts of such traffic. However, using the
system policy, you can configure the system to map vulnerabilities for specific application protocols that
do not have vendor or version information. For more information, see
If you use the host input feature to add third-party vulnerability information for the hosts on your
network, additional Vulnerabilities sections appear. For example, if you import vulnerabilities from a
QualysGuard Scanner, host profiles on your include a QualysGuard Vulnerabilities section.
You can associate third-party vulnerabilities with operating systems and application protocols, but not
clients. For information on importing third-party vulnerabilities, see the FireSIGHT System Host Input
API Guide.
Descriptions of the columns in the Vulnerabilities sections of the host profile follow.
Name
The name of the vulnerability.
Remote
Indicates whether the vulnerability can be remotely exploited. If this column is blank, the
vulnerability definition does not include this information.
Component
The name of the operating system, application protocol, or client associated with the vulnerability.
Port
A port number, if the vulnerability is associated with an application protocol running on a specific
port.
Keep in mind that for third-party vulnerabilities, the information in the corresponding Vulnerabilities
section in the host profile is limited to the information that you provided when you imported the
vulnerability data using the host input feature.
When viewing vulnerabilities in the host profile, you can:
• sort the columns in the Vulnerabilities sections by clicking a column heading. To reverse the sort,
click again.
• view technical details about a vulnerability, including known solutions, by clicking the name of the
vulnerability. See for more information. Note that you can also access vulnerability details from the
vulnerability event views or the Vulnerabilities network map.
• prevent a vulnerability from being used to evaluate impact correlations. See for more information.