Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 43  Configuring Active Scanning
Understanding Nmap Scans
43-8
Step 8
After a day or two, search for events generated by the correlation policy. Analyze the Nmap results for the operating systems detected on the hosts to see if there is a particular host configuration on your network that the system does not recognize.
For more information on analyzing Nmap results, see
Step 9
If you find hosts with unknown operating systems whose Nmap results are identical, create a custom fingerprint for one of those hosts and use it to identify similar hosts in the future.
For more information, see
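Steps 8 and 9 ask you to find hosts whose operating system went unrecognized and then spot the ones whose Nmap results are identical. The following added example (not from the FireSIGHT User Guide or the product) does that triage over Nmap's own XML output. It assumes you have the raw `nmap -oX` report for the scanned hosts rather than only the web interface's view of the results, and the accuracy threshold below which a match is treated as "unknown" is an assumption of this example; the sample XML is constructed.

```python
"""Group Nmap XML results to find unrecognized hosts with identical signatures.

Added example, not from the FireSIGHT User Guide. Assumes raw Nmap XML
(nmap -oX) is available for the hosts the correlation policy scanned.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one host Nmap fingerprints confidently, and two hosts it
# cannot identify that expose exactly the same services (a fingerprint candidate).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="96"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="lighttpd" version="1.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
    </ports>
    <os/>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="lighttpd" version="1.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
    <os><osmatch name="Embedded device" accuracy="60"/></os>
  </host>
</nmaprun>
"""

MIN_ACCURACY = 90  # assumption: matches below this are treated as "unknown"


def parse_hosts(xml_text):
    """Return a list of (ip, best_os_match, signature) for each host.

    best_os_match is (name, accuracy) or None when Nmap offered no osmatch.
    signature is a sorted tuple of the host's open ports and detected services,
    which is what two hosts must share to count as "identical" results.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"

        best = None
        for match in host.findall("os/osmatch"):
            accuracy = int(match.get("accuracy", "0"))
            if best is None or accuracy > best[1]:
                best = (match.get("name"), accuracy)

        signature = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports carry vendor/version detail
            svc = port.find("service")
            svc_info = (
                (svc.get("name"), svc.get("product"), svc.get("version"))
                if svc is not None else (None, None, None)
            )
            signature.append((port.get("protocol"), int(port.get("portid"))) + svc_info)
        hosts.append((ip, best, tuple(sorted(signature))))
    return hosts


def unknown_os_groups(xml_text, min_accuracy=MIN_ACCURACY):
    """Map each open-port/service signature to the unrecognized hosts sharing it.

    A group with two or more members is a candidate for a custom fingerprint
    built from one of its hosts (Step 9).
    """
    groups = defaultdict(list)
    for ip, best, signature in parse_hosts(xml_text):
        if best is None or best[1] < min_accuracy:
            groups[signature].append(ip)
    return dict(groups)


if __name__ == "__main__":
    for signature, ips in unknown_os_groups(SAMPLE_NMAP_XML).items():
        print(f"{len(ips)} unrecognized host(s) with identical results: {ips}")
        for entry in signature:
            print("   ", entry)
```

Only open ports enter the signature, so a closed port on one host (443 on 10.0.0.12 in the sample) does not split an otherwise identical pair; tighten or loosen that rule to match what the custom fingerprint you intend to build actually keys on.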
Example: Responding to New Hosts
License: FireSIGHT
When the system detects a new host in a subnet where intrusions may be likely, you may want to scan that host to make sure you have accurate vulnerability information for it.
You can accomplish this by creating and activating a correlation policy that detects when a new host appears in this subnet, and that launches a remediation that performs an Nmap scan on the host.
After you activate the policy, you can periodically check the remediation status view (Policy & Response > Responses > Remediations > Status) to see when the remediation launched. The remediation's dynamic scan target should include the IP addresses of the hosts it scanned as a result of the server detection. Check the host profile for those hosts to see if there are vulnerabilities that need to be addressed for the host, based on the operating system and servers detected by Nmap.
Caution
If you have a large or dynamic network, detection of a new host may be too frequent an occurrence to respond to using a scan. To prevent resource overload, avoid using Nmap scans as a response to events that occur frequently. In addition, note that using Nmap to challenge new hosts for operating system and server information deactivates Cisco monitoring of that data for scanned hosts.
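The caution above is about volume: on a busy network a scan-per-event remediation can swamp the scanner. The following added example (not from the FireSIGHT User Guide, and not a feature of the product) sketches the gating logic you would want in front of any scan launcher: a sliding-window cap on how many scans may start, plus a per-host cooldown so a flapping host is not rescanned. The event feed, the scan launcher it would sit in front of, and the limits used are all assumptions of the example; the event stream is constructed.

```python
"""Gate new-host events before they become Nmap scans.

Added example, not part of the FireSIGHT User Guide or product. Assumes a
small gatekeeper sits between the discovery event feed and a hypothetical
scan launcher; both are assumptions, as are the limits below.
"""
from collections import deque


class ScanGate:
    """Decide, per new-host event, whether a scan may be dispatched."""

    def __init__(self, max_scans, window_seconds, per_host_cooldown):
        self.max_scans = max_scans            # scans allowed per sliding window
        self.window = window_seconds          # width of that window
        self.cooldown = per_host_cooldown     # minimum gap between scans of one host
        self.recent = deque()                 # dispatch times inside the window
        self.last_scan = {}                   # ip -> time of its last dispatched scan

    def decide(self, event_time, ip):
        """Return 'scan', 'skip-cooldown' or 'defer-rate-limit' for this event."""
        # Expire dispatch timestamps that have left the window.
        while self.recent and event_time - self.recent[0] >= self.window:
            self.recent.popleft()

        last = self.last_scan.get(ip)
        if last is not None and event_time - last < self.cooldown:
            return "skip-cooldown"            # same host seen again too soon
        if len(self.recent) >= self.max_scans:
            return "defer-rate-limit"         # window is full; do not pile on

        self.recent.append(event_time)
        self.last_scan[ip] = event_time
        return "scan"


# Constructed sample stream of (seconds since start, new-host IP) events.
SAMPLE_EVENTS = [
    (0, "10.0.0.10"),
    (5, "10.0.0.11"),
    (10, "10.0.0.10"),     # same host reappears within the cooldown
    (20, "10.0.0.12"),
    (25, "10.0.0.13"),     # fourth distinct host inside one window
    (400, "10.0.0.13"),    # window has rolled over; this one may go
    (3700, "10.0.0.10"),   # cooldown for 10.0.0.10 has expired
]


def run(events, max_scans=3, window_seconds=300, per_host_cooldown=3600):
    """Apply the gate to an event list; returns (time, ip, decision) triples."""
    gate = ScanGate(max_scans, window_seconds, per_host_cooldown)
    return [(t, ip, gate.decide(t, ip)) for t, ip in events]


if __name__ == "__main__":
    for t, ip, decision in run(SAMPLE_EVENTS):
        print(f"t={t:>5}s  {ip:<12} {decision}")
```

Deferred events are dropped here rather than queued; if you queue them instead, bound the queue, because an unbounded backlog of scans is the overload the caution warns about, only delayed.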
To scan in response to the appearance of a new host:
Access: Admin/Discovery Admin
Step 1
Configure a scan instance for an Nmap module.
For more information, see
Step 2
Create an Nmap remediation using the following settings:
  • Enable Use Port From Event to scan the port associated with the new server.
  • Enable Detect Operating System to detect operating system information for the host.
  • Enable Probe open ports for vendor and version information to detect server vendor and version information.
  • Enable Treat All Hosts as Online, because you know the host exists.
For information on creating Nmap remediations, see .
Step 3
Create a correlation rule that triggers when the system detects a new host on a specific subnet.
The rule should trigger when a discovery event occurs and a new host is detected.
For information on creating correlation rules, see
Step 4
Create a correlation policy that contains the correlation rule.