Cisco FirePOWER Appliance 7120
FireSIGHT System User Guide
Chapter 43 Configuring Active Scanning
Understanding Nmap Scans
The following scenarios provide examples of how Nmap might be used on your network:
Example: Resolving Unknown Operating Systems
License: FireSIGHT
If the system cannot determine the operating system on a host on your network, you can use Nmap to
actively scan the host. Nmap uses the information it obtains from the scan to rate the possible operating
systems. It then uses the operating system that has the highest rating as the host operating system
identification.
Using Nmap to challenge new hosts for operating system and server information deactivates the system’s
monitoring of that data for scanned hosts. If you use Nmap to discover host and server operating system
for hosts the system marks as having unknown operating systems, you may be able to identify groups of
hosts that are similar. You can then create a custom fingerprint based on one of them to cause the system
to associate the fingerprint with the operating system you know is running on the host based on the Nmap
scan. Whenever possible, create a custom fingerprint rather than inputting static data through a
third-party source like Nmap because the custom fingerprint allows the system to continue to monitor
the host operating system and update it as needed.
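The paragraph above describes Nmap rating each candidate operating system and the system keeping the highest-rated one. The following Python script is an added example, not code from the FireSIGHT guide or from Cisco: it reads Nmap's XML output (the real `<osmatch>` element with its `accuracy` attribute, produced by Nmap's own `-O` option; `-sV` probes open ports for product and version, and `-Pn` treats all hosts as online), picks the top-rated match per host, and lists the hosts that would still count as "OS Name is unknown". The XML is constructed sample output, and the 90% accuracy threshold is an assumed cut-off, not a FireSIGHT setting.

```python
"""Select the highest-rated OS match from Nmap XML output.

Added example (not from the FireSIGHT guide): Nmap's -O option emits one or
more <osmatch> elements per host, each carrying an accuracy percentage. The
XML below is constructed sample output, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling `nmap -O -sV -Pn -oX - <host>` output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -Pn -oX - 192.0.2.10 192.0.2.11">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 5.0 - 5.4" accuracy="96"/>
      <osmatch name="Linux 4.15 - 5.6" accuracy="93"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http"/>
      </port>
    </ports>
    <os/>
  </host>
</nmaprun>
"""

# Assumed threshold: a best match rated below this is still treated as unknown.
MIN_ACCURACY = 90


def parse_hosts(xml_text):
    """Return {ip: {"os": name or None, "accuracy": int, "services": [...]}}."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")

        # Collect every (accuracy, name) pair Nmap reported for this host.
        matches = [(int(m.get("accuracy", "0")), m.get("name"))
                   for m in host.findall("os/osmatch")]
        # The highest-rated osmatch wins; no osmatch at all yields (0, None).
        best_acc, best_name = max(matches, default=(0, None))
        if best_acc < MIN_ACCURACY:
            best_name = None

        # Keep vendor/version details for open ports (what -sV fills in).
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            services.append({"port": int(port.get("portid")),
                             "proto": port.get("protocol"),
                             "name": svc.get("name"),
                             "product": svc.get("product"),
                             "version": svc.get("version")})

        results[ip] = {"os": best_name, "accuracy": best_acc,
                       "services": services}
    return results


def unknown_os_hosts(results):
    """Hosts that would still satisfy an 'OS Name is unknown' rule."""
    return sorted(ip for ip, r in results.items() if r["os"] is None)


if __name__ == "__main__":
    res = parse_hosts(SAMPLE_NMAP_XML)
    for ip, r in res.items():
        print(ip, r["os"], r["accuracy"], r["services"])
    print("still unknown:", unknown_os_hosts(res))
```

Hosts returned by `unknown_os_hosts` are the ones for which a custom fingerprint, as the text recommends, is the better long-term fix than re-scanning.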
To discover operating systems with Nmap:
Access: Admin/Discovery Admin
Step 1 Configure a scan instance for an Nmap module.
For more information, see
Step 2 Create an Nmap remediation using the following settings:
• Enable Use Port From Event to scan the port associated with the new server.
• Enable Detect Operating System to detect operating system information for the host.
• Enable Probe open ports for vendor and version information to detect server vendor and version information.
• Enable Treat All Hosts as Online, because you know the host exists.
For information on creating Nmap remediations, see
.
Step 3 Create a correlation rule that triggers when the system detects a host with an unknown operating system.
The rule should trigger when a discovery event occurs and the OS information for a host has changed, and it meets the following condition: OS Name is unknown.
For information on creating correlation rules, see
Step 4 Create a correlation policy that contains the correlation rule.
For more information on creating correlation policies, see
.
Step 5 In the correlation policy, add the Nmap remediation you created in step as a response to the rule you created in step .
Step 6 Activate the correlation policy.
Step 7 Purge the hosts on your network map to force network discovery to restart and rebuild the network map.