Creating an Nmap Scan Instance
License: FireSIGHT
You can set up a separate scan instance for each Nmap module that you want to use to scan your network for vulnerabilities. You can set up scan instances for the local Nmap module on your Defense Center and for any devices you want to use to run scans remotely. The results of each scan are always stored on the Defense Center where you configure the scan, even if you run the scan from a remote device. To prevent accidental or malicious scanning of mission-critical hosts, you can create a blacklist for the instance to indicate the hosts that should never be scanned with the instance.
Note that you cannot add a scan instance with the same name as any existing scan instance.
To create a scan instance:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Scanners.
The Scanners page appears.
Step 2 Click Add Nmap Instance.
The Instance Detail page appears.
Step 3 In the Instance Name field, enter a name that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the Description field, specify a description with 0 to 255 alphanumeric characters, which can include spaces and special characters.
Step 5 Optionally, in the Black Listed Scan hosts field, specify any hosts or networks that should never be scanned with this scan instance, using the following syntax:
- For IPv6 hosts, an exact IP address (for example, 2001:DB8::fedd:eeff)
- For IPv4 hosts, an exact IP address (for example, 192.168.1.101) or an IP address block using CIDR notation (for example, 192.168.1.0/24 scans the 254 hosts between 192.168.1.1 and 192.168.1.254, inclusive)
- Note that you cannot use an exclamation mark (!) to negate an address value.
If you specifically target a scan to a host that is in a blacklisted network, that scan will not run.
Step 6 Optionally, to run the scan from a remote device instead of the Defense Center, specify the IP address or name of the device, as it appears in the Information page for the device in the Defense Center web interface, in the Remote Device Name field.
Step 7 Click Create.
The scan instance is created.
Creating an Nmap Scan Target
License: FireSIGHT
You can create and save scan targets that identify specific hosts and ports. Then, when you perform an on-demand scan or schedule a scan, you can use one of the saved scan targets.
For scans of targets with IPv4 addresses, you can use an IP address, a list of IP addresses, CIDR notation, or Nmap scan octets to select the hosts to scan. You can also specify a range of addresses using a hyphen. Separate addresses and ranges in a list with commas or spaces.
For scans of IPv6 addresses, use an IP address. Ranges are not supported.
Note that Nmap-supplied server and operating system data remains static until you run another Nmap scan. If you plan to scan a host using Nmap, you may want to set up regularly scheduled scans to keep any Nmap-supplied operating system and server data up to date. For more information, see Automating Nmap Scans. Also note that if the host is deleted from the network map, any Nmap scan results for that host are discarded.
To create a scan target:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Scanners.
The Scanners page appears.
Step 2 On the toolbar, click Targets.
The Scan Target List page appears.
Step 3 Click Create Scan Target.
The Scan Target page appears.
Step 4 In the Name field, type the name you want to use for this scan target.
Step 5 In the IP Range text box, specify the host or hosts you want to scan, using the following syntax:
- for IPv6 hosts, an exact IP address (for example, 2001:DB8::fedd:eeff)
- for IPv4 hosts, an exact IP address (for example, 192.168.1.101) or a comma-separated list of IP addresses
- for IPv4 hosts, an IP address block using CIDR notation (for example, 192.168.1.0/24 scans the 254 hosts between 192.168.1.1 and 192.168.1.254, inclusive)
For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
- for IPv4 hosts, an IP address range using octet range addressing (for example, 192.168.0-255.1-254 scans all addresses in the 192.168.x.x range, except those that end in .0 or .255)
- for IPv4 hosts, an IP address range using hyphenation (for example, 192.168.1.1-192.168.1.5 scans the 6 hosts between 192.168.1.1 and 192.168.1.5, inclusive)
- for IPv4 hosts, a list of addresses or ranges separated by commas or spaces (for example, 192.168.1.0/24, 194.168.1.0/24 scans the 254 hosts between 192.168.1.1 and 192.168.1.254, inclusive, and the 254 hosts between 194.168.1.1 and 194.168.1.254, inclusive)
Note The IP Range text box accepts up to 255 characters. In addition, note that if you use a comma in a list of IP addresses or ranges in a scan target, the comma converts to a space when you save the target.
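As an added example (not code from the FireSIGHT documentation or product), the following Python expands the IP Range syntax listed above into concrete host addresses and applies the blacklist rule from Creating an Nmap Scan Instance, where a target that falls inside a blacklisted network means the scan will not run. It assumes blacklist entries are separated by commas or spaces, which the page does not state.

```python
import ipaddress
import itertools
import re

MAX_RANGE_CHARS = 255  # the IP Range text box accepts up to 255 characters
_HYPHEN_RANGE = re.compile(r"\d+(?:\.\d+){3}-\d+(?:\.\d+){3}")  # a.b.c.d-e.f.g.h

def expand_target(token):
    """Expand one IP Range token into the set of host addresses it covers."""
    if ":" in token:                    # IPv6: exact address only, ranges unsupported
        return {ipaddress.IPv6Address(token)}
    if "/" in token:                    # CIDR: network and broadcast addresses are not hosts
        return set(ipaddress.IPv4Network(token, strict=False).hosts())
    if _HYPHEN_RANGE.fullmatch(token):  # hyphenated range, inclusive at both ends
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in token.split("-"))
        return {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    octets = []                         # Nmap octet ranges, e.g. 192.168.0-255.1-254
    for part in token.split("."):
        lo, _, hi = part.partition("-")
        octets.append(range(int(lo), int(hi or lo) + 1))
    if len(octets) != 4:
        raise ValueError(f"not a valid IPv4 target: {token}")
    return {ipaddress.IPv4Address(".".join(map(str, o))) for o in itertools.product(*octets)}

def parse_ip_range(spec):
    """Parse the IP Range field; commas are treated as spaces, as the UI does on save."""
    if len(spec) > MAX_RANGE_CHARS:
        raise ValueError("IP Range exceeds 255 characters")
    return set().union(*(expand_target(t) for t in spec.replace(",", " ").split()))

def parse_blacklist(spec):
    """Parse Black Listed Scan hosts (assumed comma/space separated) into networks."""
    networks = []
    for token in spec.replace(",", " ").split():
        if token.startswith("!"):
            raise ValueError("'!' negation is not allowed in the blacklist")
        networks.append(ipaddress.ip_network(token, strict=False))  # exact IP -> /32 or /128
    return networks

def scan_permitted(ip_range, blacklist):
    """False when any targeted host lies in a blacklisted network: that scan will not run."""
    networks = parse_blacklist(blacklist)
    return not any(host in net for host in parse_ip_range(ip_range) for net in networks)
```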
Step 6 In the Ports field, specify the ports you want to scan.
You can enter any of the following, using values from 1 to 65535:
- a port number
- a list of ports separated by commas
- a range of port numbers separated by a dash
- ranges of port numbers separated by dashes, separated by commas
Step 7 Click Save.
The scan target is created.
Creating an Nmap Remediation
License: FireSIGHT
You can define the settings for an Nmap scan by creating an Nmap remediation. An Nmap remediation can be used as a response in a correlation policy, run on demand, or scheduled to run at a specific time. In order for the results of an Nmap scan to appear in the network map, the scanned host must already exist in the network map.
For more information on the specific settings in an Nmap remediation, see Understanding Nmap Remediations.
Note that Nmap-supplied server and operating system data remains static until you run another Nmap scan. If you plan to scan a host for operating system and server data using Nmap, you may want to set up regularly scheduled scans to keep any Nmap-supplied operating system and server data up-to-date. For more information, see Automating Nmap Scans. Also note that if the host is deleted from the network map, any Nmap scan results for that host are discarded.
For general information about Nmap functionality, refer to the Nmap documentation at http://insecure.org.
To create an Nmap remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Scanners.
The Scanners page appears.
Step 2 Click Add Remediation next to the scan instance where you want to add a remediation.
The Edit Remediation page appears.
Step 3 In the Remediation Name field, type a name for the remediation that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the Description field, type a description for the remediation that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5 If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, a connection event, or a user event, configure the Scan Which Address(es) From Event? option:
- Select Scan Source and Destination Addresses to scan the hosts represented by the source IP address and the destination IP address in the event.
- Select Scan Source Address Only to scan the host represented by the event's source IP address.
- Select Scan Destination Address Only to scan the host represented by the event's destination IP address.
If you plan to use this remediation in response to a correlation rule that triggers on a discovery event or a host input event, by default the remediation scans the IP address of the host involved in the event; you do not need to configure this option.
Note Do not assign an Nmap remediation as a response to a correlation rule that triggers on a traffic profile change.
Step 6 Configure the Scan Type option:
- To scan quickly in stealth mode on hosts where the admin account has raw packet access or where IPv6 is not running, by initiating TCP connections but not completing them, select TCP Syn Scan.
- To scan by using a system connect() call, which can be used on hosts where the admin account on your Defense Center does not have raw packet access or where IPv6 is running, select TCP Connect Scan.
- To send an ACK packet to check whether ports are filtered or unfiltered, select TCP ACK Scan.
- To send an ACK packet to check whether ports are filtered or unfiltered but also to determine whether a port is open or closed, select TCP Window Scan.
- To identify BSD-derived systems using a FIN/ACK probe, select TCP Maimon Scan.
Step 7 Optionally, to scan UDP ports in addition to TCP ports, select On for the Scan for UDP ports option.
Tip A UDP portscan takes more time than a TCP portscan. To speed up your scans, leave this option disabled.
Step 8 If you plan to use this remediation in response to correlation policy violations, configure the Use Port From Event option:
- Select On to scan the port in the correlation event, rather than the ports you specify in step 11.
If you scan the port in the correlation event, note that the remediation scans the port on the IP addresses that you specified in step 5. These ports are also added to the remediation's dynamic scan target.
- Select Off to scan only the ports you will specify in step 11.
Step 9 If you plan to use this remediation in response to correlation policy violations and want to run the scan using the appliance running the detection engine that detected the event, configure the Scan from reporting detection engine option:
- To scan from the appliance running the reporting detection engine, select On.
- To scan from the appliance configured in the remediation, select Off.
Step 10 Configure the Fast Port Scan option:
- To scan only the ports listed in the nmap-services file (/var/sf/nmap/share/nmap/nmap-services) on the device that does the scanning, ignoring other port settings, select On.
- To scan all TCP ports, select Off.
Step 11 In the Port Ranges and Scan Order field, type the ports you want to scan by default, using Nmap syntax, in the order you want to scan those ports.
Specify values from 1 to 65535. Separate ports using commas or spaces. You can also use a hyphen to indicate a port range. When scanning for both TCP and UDP ports, preface the list of TCP ports you want to scan with a T and the list of UDP ports with a U. For example, to scan ports 53 and 111 for UDP traffic, then scan ports 21-25 for TCP traffic, enter U:53,111,T:21-25.
Note that the Use Port From Event option overrides this setting when the remediation is launched in response to a correlation policy violation, as described in step 8.
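As an added example (not code from the FireSIGHT documentation or product), this Python parses the Port Ranges and Scan Order syntax from step 11 into an ordered (protocol, port) list, validating the 1 to 65535 limit, and models how the Use Port From Event option from step 8 and the Scan for UDP ports option from step 7 change what is actually scanned. The event_port tuple and the choice to drop UDP entries when UDP scanning is Off are assumptions, not behaviour the page describes.

```python
PORT_MIN, PORT_MAX = 1, 65535

def parse_port_ranges(spec):
    """Parse a Port Ranges and Scan Order value into an ordered list of (proto, port).

    Tokens are separated by commas or spaces. A T: or U: prefix sets the protocol for
    that token and every token after it; ports before any prefix are TCP. Scan order
    is preserved exactly as the field lists it.
    """
    ports, proto = [], "T"
    for token in spec.replace(",", " ").split():
        if token[:2].upper() in ("T:", "U:"):
            proto, token = token[0].upper(), token[2:]
            if not token:              # a bare "T:" or "U:" only switches protocol
                continue
        lo, _, hi = token.partition("-")
        try:
            lo, hi = int(lo), int(hi or lo)
        except ValueError:
            raise ValueError(f"not a port or port range: {token}") from None
        if not PORT_MIN <= lo <= hi <= PORT_MAX:
            raise ValueError(f"port out of range {PORT_MIN}-{PORT_MAX}: {token}")
        ports.extend((proto, p) for p in range(lo, hi + 1))
    return ports

def effective_ports(port_spec, scan_udp, use_port_from_event, event_port=None):
    """Ports the remediation scans when launched.

    use_port_from_event mirrors the Use Port From Event option: when On and the
    correlation event carries a port, that port replaces the field entirely.
    event_port is an assumed (proto, port) tuple taken from the event. scan_udp
    mirrors Scan for UDP ports; with it Off, UDP entries are dropped (assumption).
    """
    if use_port_from_event and event_port is not None:
        return [event_port]
    ports = parse_port_ranges(port_spec)
    return ports if scan_udp else [pp for pp in ports if pp[0] == "T"]
```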
Step 12 To probe open ports for server vendor and version information, configure Probe open ports for vendor and version information:
- Select On to scan open ports on the host for server information to identify server vendors and versions.
- Select Off to continue using Cisco server information for the host.
Step 13 If you choose to probe open ports, set the number of probes used by selecting a number from the Service Version Intensity drop-down list:
- To use more probes for higher accuracy with a longer scan, select a higher number.
- To use fewer probes for less accuracy with a faster scan, select a lower number.
Step 14 To scan for operating system information, configure Detect Operating System settings:
- Select On to scan the host for information to identify the operating system.
- Select Off to continue using Cisco operating system information for the host.
Step 15 To determine whether host discovery occurs and whether port scans are only run against available hosts, configure Treat All Hosts As Online:
- To skip the host discovery process and run a port scan on every host in the target range, select On.
- To perform host discovery using the settings for Host Discovery Method and Host Discovery Port List and skip the port scan on any host that is not available, select Off.
Step 16 Select the method you want Nmap to use when it tests for host availability:
- To send an empty TCP packet with the SYN flag set and elicit an RST response on a closed port or a SYN/ACK response on an open port on available hosts, select TCP SYN.
Note that this option scans port 80 by default and that TCP SYN scans are less likely to be blocked by a firewall with stateful firewall rules.
- To send an empty TCP packet with the ACK flag set and elicit an RST response on available hosts, select TCP ACK.
Note that this option scans port 80 by default and that TCP ACK scans are less likely to be blocked by a firewall with stateless firewall rules.
- To send a UDP packet to elicit port unreachable responses from closed ports on available hosts, select UDP. This option scans port 40125 by default.
Step 17 If you want to scan a custom list of ports during host discovery, type a list of ports appropriate for the host discovery method you selected, separated by commas, in the Host Discovery Port List field.
Step 18 Configure the Default NSE Scripts option to control whether to use the default set of Nmap scripts for host discovery and server, operating system, and vulnerability discovery:
- To run the default set of Nmap scripts, select On.
- To skip the default set of Nmap scripts, select Off.
See http://nmap.org/nsedoc/categories/default.html for the list of default scripts.
Step 19 To set the timing of the scan process, select a timing template number; select a higher number for a faster, less comprehensive scan and a lower number for a slower, more comprehensive scan.
Step 20 Click Save, then click Done.
The remediation is created.