Creating Remediations
License: FireSIGHT
In addition to alerts, which are simple notifications of a correlation policy violation, you can also configure responses called remediations. Remediations are programs that the Defense Center runs when a correlation policy is violated. These programs use information provided in the event that triggered the violation to perform a specific action.
The FireSIGHT System ships with several predefined remediation modules:
- The Cisco IOS Null Route module, which, if you are running Cisco routers that use Cisco IOS® Version 12.0 or higher, allows you to dynamically block traffic sent to an IP address or network that violates a correlation policy. See Configuring Remediations for Cisco IOS Routers for more information.
- The Cisco PIX Shun module, which, if you are running Cisco PIX® Firewall Version 6.0 or higher, allows you to dynamically block traffic sent from an IP address that violates a correlation policy. See Configuring Remediations for Cisco PIX Firewalls for more information.
- The Nmap Scanning module, which allows you to actively scan specific targets to determine operating systems and servers running on those hosts. See Configuring Nmap Remediations for more information.
- The Set Attribute Value module, which allows you to set a host attribute on a host where a correlation event occurs. See Configuring Set Attribute Remediations.
You can create multiple instances for each remediation module, where each instance represents a connection to a specific appliance. For example, if you have four Cisco IOS routers where you want to send remediations, you should configure four instances of the Cisco IOS remediation module.
When you create an instance, you specify the configuration information necessary for the Defense Center to establish a connection with the appliance. Then, for each configured instance, you add remediations that describe the actions you want the appliance to perform when a policy is violated.
After they are configured, you can add remediations to what are called response groups, or you can assign the remediations specifically to rules within correlation policies. When the system executes these remediations, it generates a remediation status event, which includes details such as the remediation name, the policy and rule that triggered it, and the exit status message. For more information on these events, see Working with Remediation Status Events.
In addition to the default modules that Cisco provides, you can write custom remediation modules that perform other specific tasks when policy violations trigger. Refer to the Remediation API Guide for more information about writing your own remediation modules and installing them on the Defense Center. If you are installing a custom module, you can use the Modules page to install, view, and delete new modules.
To install a new module on the Defense Center:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Modules.
The Modules page appears.
Step 2 Click Browse to navigate to the location where you saved the file that contains the custom remediation module (refer to the Remediation API Guide for more information).
Step 3 Click Install.
The custom remediation module installs.
To view or delete a module from the Defense Center:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Modules.
The Modules page appears.
Step 2 Perform one of the following actions:
- Click View to view the module. The Module Detail page appears.
- Click Delete next to the module you want to delete. You cannot delete default modules provided by Cisco. The remediation module is deleted.
Configuring Remediations for Cisco IOS Routers
License: FireSIGHT
Cisco provides a Cisco IOS Null Route remediation module that allows you to block a single IP address or an entire block of addresses using Cisco’s “null route” command when a correlation policy is violated. This forwards all traffic sent to the host or network listed as the source or destination host in the event that violated the correlation policy to the router’s NULL interface, causing it to be dropped (note that this will not block traffic sent from the violating host or network).
The Cisco IOS Null Route remediation module supports Cisco routers running Cisco IOS 12.0 and higher. You must have level 15 administrative access to the router to execute Cisco IOS remediations.
Note A destination-based remediation only works if you configure it to launch when a correlation rule that is based on a connection event or intrusion event triggers. Discovery events only transmit source hosts.
Caution When a Cisco IOS remediation is activated, there is no timeout period. To remove the blocked IP address or network from the router, you must manually clear the routing change from the router itself.
To create remediations for routers running Cisco IOS:
Access: Admin/Discovery Admin
Step 1 Enable Telnet on the Cisco router.
Refer to the documentation provided with your Cisco router or IOS software for more information about enabling Telnet.
Step 2 On the Defense Center, add a Cisco IOS Null Route instance for each Cisco IOS router you plan to use with the Defense Center.
See Adding a Cisco IOS Instance for the procedures.
Step 3 Create specific remediations for each instance, based on the type of response you want to elicit on the router when correlation policies are violated.
Each available remediation type is described in the following sections:
Step 4 Begin assigning Cisco IOS remediations to specific correlation policy rules.
Adding a Cisco IOS Instance
License: FireSIGHT
After you configure Telnet access on the Cisco IOS router (refer to the documentation provided with your Cisco router or IOS software for more information about enabling Telnet access), you can add an instance to the Defense Center. If you have multiple routers where you want to send remediations, you must create a separate instance for each router.
To add a Cisco IOS instance:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 From the Add a New Instance list, select Cisco IOS Null Route (v1.0) and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, enter a name for the instance.
The name you choose should contain no spaces or special characters and should be descriptive. For example, if you intend to connect more than one Cisco IOS router, you will have multiple instances, so you may want to choose a name such as IOS_01 and IOS_02.
Step 4 In the Router IP field, enter the IP address of the Cisco IOS router you want to use for the remediation.
Step 5 In the Username field, enter the Telnet user name for the router. This user must have level 15 administrative access on the router.
Step 6 In the Connection Password fields, enter the Telnet user’s password. The password entered in both fields must match.
Step 7 In the Enable Password fields, enter the Telnet user’s enable password. This is the password used to enter privileged mode on the router. The password entered in both fields must match.
Step 8 In the White List field, enter IP addresses that you want to exempt from the remediation, one per line. You can also use CIDR notation or a specific IP address. For example, the following white list would be accepted by the system:
Note that this white list is not associated with any compliance white lists you have created. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
Step 9 Click Create.
The instance is created and remediations appear in the Configured Remediations section of the page. You must add specific remediations for them to be used by correlation policies. See the following sections for more information:
Cisco IOS Block Destination Remediations
License: FireSIGHT
The Cisco IOS Block Destination remediation allows you to block traffic sent from the router to the destination host in a correlation event.
Note Do not use this remediation as a response to a correlation rule that is based on a discovery event; discovery events only transmit a source host and not a destination host. You can use this remediation in response to correlation rules that are based on connection events or intrusion events.
To add the remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Next to the instance where you want to add the remediation, click the view icon.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Destination and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockDest.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 Click Create, then click Done.
The remediation is added.
Cisco IOS Block Destination Network Remediations
License: FireSIGHT
The Cisco IOS Block Destination Network remediation allows you to block any traffic sent from the router to the network of the destination host in a correlation event.
Note Do not use this remediation as a response to a correlation rule that is based on a discovery event; discovery events only transmit a source host and not a destination host. You can use this remediation in response to correlation rules that are based on connection events or intrusion events.
To add the remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Destination Network and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockDestNet.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 In the Netmask field, enter the subnet mask or use CIDR notation to describe the network that you want to block traffic to.
For example, to block traffic to an entire Class C network when a single host triggered a rule (this is not recommended), use 255.255.255.0 or 24 as the netmask.
As another example, to block traffic to 30 addresses that include the triggering IP address, specify 255.255.255.224 or 27 as the netmask. In this case, if the IP address 10.1.1.15 triggers the remediation, all IP addresses between 10.1.1.1 and 10.1.1.30 are blocked. To block only the triggering IP address, leave the field blank, enter 32, or enter 255.255.255.255.
Step 7 Click Create, then click Done.
The remediation is added.
Cisco IOS Block Source Remediations
License: FireSIGHT
The Cisco IOS Block Source remediation allows you to block any traffic sent from the router to the source host included in a correlation event that violates a correlation policy. The source host is the source IP address in the connection event or intrusion event upon which the correlation rule is based, or the host IP address in a discovery event.
To add the remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Source and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockSrc.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 Click Create, then click Done.
The remediation is added.
Cisco IOS Block Source Network Remediations
License: FireSIGHT
The Cisco IOS Block Source Network remediation allows you to block any traffic sent from the router to the network of the source host in a correlation event. The source host is the source IP address in the connection event or intrusion event upon which the correlation rule is based, or the host IP address in a discovery event.
To add the remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Source Network and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose should contain no spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockSourceNet.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 In the Netmask field, enter the subnet mask or CIDR notation that describes the network that you want to block traffic to.
For example, to block traffic to an entire Class C network when a single host triggered a rule (this is not recommended), use 255.255.255.0 or 24 as the netmask.
As another example, to block traffic to 30 addresses that include the triggering IP address, specify 255.255.255.224 or 27 as the netmask. In this case, if the IP address 10.1.1.15 triggers the remediation, all IP addresses between 10.1.1.1 and 10.1.1.30 are blocked. To block only the triggering IP address, leave the field blank, enter 32, or enter 255.255.255.255.
Step 7 Click Create, then click Done.
The remediation is added.
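The Netmask step in the Block Destination Network and Block Source Network remediations above, and the White List field of the instance, together decide how much address space one correlation event takes off the network. The following added example (not FireSIGHT code) works that out for a triggering address: it accepts the three Netmask forms the field takes, reproduces the documented 10.1.1.15 with /27 case, honours a white list, and shows the standard IOS null-route syntax and its removal. The exact command the module sends and the white-list matching are assumptions; the page shows neither.

```python
import ipaddress


def blocked_network(trigger_ip, netmask=""):
    """Network a Block Source/Destination Network null route would cover.

    netmask is what the Netmask field accepts: blank (triggering host only),
    a prefix length such as "27", or a dotted mask such as "255.255.255.224".
    ipaddress accepts both forms after the slash, and strict=False lets the
    triggering host stand in for its network.
    """
    mask = netmask.strip() or "32"
    return ipaddress.IPv4Network(f"{trigger_ip}/{mask}", strict=False)


def blocked_host_range(trigger_ip, netmask=""):
    """First and last host address affected, as the documentation states them
    (10.1.1.15 with a /27 gives 10.1.1.1 to 10.1.1.30)."""
    net = blocked_network(trigger_ip, netmask)
    if net.prefixlen >= 31:  # /31 and /32 have no separate network/broadcast
        return str(net.network_address), str(net.broadcast_address)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def parse_white_list(text):
    """One entry per line, a bare address or CIDR, as the White List field takes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def plan_null_route(trigger_ip, netmask="", white_list=""):
    """Decide what the remediation would do for one triggering address.

    Returns None when the white list exempts the triggering host (assumption:
    the page does not say how the module applies the list). Otherwise returns
    the prefix, the host range, the standard IOS static-route syntax for a null
    route and its removal (assumption: the page does not show the command the
    module sends), and any white-list entries that overlap the prefix. A null
    route drops everything in the prefix, so overlapping white-list addresses
    lose reachability too unless a more specific route exists for them.
    """
    addr = ipaddress.ip_address(trigger_ip)
    entries = parse_white_list(white_list)
    if any(addr in entry for entry in entries):
        return None
    net = blocked_network(trigger_ip, netmask)
    cmd = f"ip route {net.network_address} {net.netmask} Null0"
    first, last = blocked_host_range(trigger_ip, netmask)
    return {
        "network": str(net),
        "first_host": first,
        "last_host": last,
        "command": cmd,
        "undo": "no " + cmd,  # there is no timeout: this must be cleared by hand
        "collateral": [str(entry) for entry in entries if entry.overlaps(net)],
    }


if __name__ == "__main__":
    # Constructed sample: the page's 10.1.1.15 example with a white list that
    # exempts a different host inside the same /27 plus an unrelated network.
    print(plan_null_route("10.1.1.15", "27", "10.1.1.20\n192.0.2.0/24"))
```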
Configuring Remediations for Cisco PIX Firewalls
License: FireSIGHT
Cisco provides a Cisco PIX Shun remediation module that allows you to block an IP address or network using Cisco’s “shun” command. This blocks all traffic sent from either the source or destination host that violated the correlation policy and closes all current connections (note that this will not block traffic sent through the firewall to the host).
The Cisco PIX Shun remediation module supports Cisco PIX Firewall 6.0 and higher. You must have level 15 administrative access or higher to launch Cisco PIX remediations.
Note A destination-based remediation only works if you configure it to launch when a correlation rule that is based on a connection event or intrusion event triggers. Discovery events only transmit source hosts.
Caution When a Cisco PIX remediation is activated, no timeout period is used. To unblock the IP address or network, you must manually remove the rule from the firewall.
To create remediations for Cisco PIX firewalls:
Access: Admin/Discovery Admin
Step 1 Enable Telnet or SSH (Cisco recommends SSH) on the firewall.
Refer to the documentation provided with your Cisco PIX firewall for more information about enabling SSH or Telnet.
Step 2 On the Defense Center, add a Cisco PIX Shun instance for each Cisco PIX firewall you plan to use with the Defense Center.
See Adding a Cisco PIX Instance for the procedures.
Step 3 Create specific remediations for each instance, based on the type of response you want to elicit on the firewall when correlation policies are violated.
The available remediation types are described in the following sections:
Step 4 Begin assigning Cisco PIX remediations to specific correlation policy rules.
Adding a Cisco PIX Instance
License: FireSIGHT
After you configure SSH or Telnet on the Cisco PIX firewall, you can add an instance to the Defense Center. If you have multiple firewalls you want to send remediations to, you must create a separate instance for each firewall.
Note Cisco recommends that you use an SSH connection instead of a Telnet connection. Data transmitted using SSH is encrypted, making it much more secure than Telnet.
To add a Cisco PIX instance:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 From the Add a New Instance list, select Cisco PIX Shun and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, type a name for the instance.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you intend to connect more than one Cisco firewall, you will have multiple instances, so you may want to choose a name such as PIX_01, PIX_02, and so on.
Step 4 Optionally, type a description for the instance in the Description field.
Step 5 In the PIX IP field, enter the IP address of the Cisco PIX firewall you want to use for the remediation.
Step 6 If you require a specific username other than the default (pix), type it in the Username field.
Step 7 In the Connection Password fields, enter the password required to connect to the firewall using SSH or Telnet. The password entered in both fields must match.
Step 8 In the Enable Password fields, enter the SSH or Telnet enable password. This is the password used to enter privileged mode on the firewall. The password entered in both fields must match.
Step 9 In the White List field, enter IP addresses that you want to exempt from the remediation, one on each line. You can also use CIDR notation or a specific IP address. For example, the following white list is accepted by the system:
Note that this white list is not associated with any compliance white lists you have created. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
Step 10 From the Protocol list, select the method you want to use to connect to the firewall.
Step 11 Click Create.
The instance is created and remediations appear in the Configured Remediations section of the page. You must add specific remediations for them to be used in correlation policies. See the following sections for more information:
Cisco PIX Block Destination Remediations
License: FireSIGHT
The Cisco PIX Block Destination remediation allows you to block traffic sent from the destination host in a correlation event.
Note Do not use this remediation as a response to a correlation rule that is based on a discovery event; discovery events only transmit a source host and not a destination host. You can use this remediation in response to correlation rules that are based on connection events or intrusion events.
To add the remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco PIX Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Destination and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco PIX firewall instances and multiple remediations for each instance, you may want to specify a name such as PIX_01_BlockDest.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 Click Create, then click Done.
The remediation is added.
Cisco PIX Block Source Remediations
License: FireSIGHT
The Cisco PIX Block Source remediation allows you to block any traffic sent from the source host included in the event that violates a correlation policy. The source host is the source IP address in the connection event or intrusion event upon which the correlation rule is based, or the host IP address in a discovery event.
To add the remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco PIX Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Source and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco PIX firewall instances and multiple remediations for each instance, you may want to specify a name such as PIX_01_BlockSrc.
Step 5 Optionally, in the Description field, enter a description of the remediation.
The remediation is added.
Configuring Nmap Remediations
License: FireSIGHT
You can respond to a correlation event by scanning the host where the triggering event occurred. You can choose to scan only the port from the event that triggered the correlation event.
To set up Nmap scanning in response to a correlation event, you must first create an Nmap scan instance, then add an Nmap scan remediation. You can then configure Nmap scanning as responses to violations of rules within the policy.
See the following sections:
Adding an Nmap Scan Instance
License: FireSIGHT
You can set up a separate scan instance for each Nmap module that you want to use to scan hosts on your network for operating system and server information. You can set up scan instances for the local Nmap module on your Defense Center and for any managed devices you want to use to run scans remotely. The results of each scan are always stored on the Defense Center where you configure the scan, even if you run the scan from a remote managed device. To prevent accidental or malicious scanning of mission-critical hosts, you can create a blacklist for the instance to indicate the hosts that should never be scanned with the instance.
Note that you cannot add a scan instance with the same name as any existing scan instance.
To create a scan instance:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Select Nmap Remediation (v1.0) from the Add a module type drop-down list and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, enter a name that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the Description field, specify a description that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5 Optionally, in the Black Listed Scan hosts field, specify any hosts or networks that should never be scanned with this scan instance, using the following syntax:
- For IPv6 hosts, an exact IP address (for example, 2001:DB8::fedd:eeff)
- For IPv4 hosts, an exact IP address (for example, 192.168.1.101) or an IP address block using CIDR notation (for example, 192.168.1.0/24 scans the 254 hosts between 192.168.1.1 and 192.168.1.254, inclusive)
If you specifically target a scan to a host that is in a blacklisted network, that scan will not run. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
Step 6 Optionally, to run the scan from a remote managed device instead of the Defense Center, specify the name or IP address of the managed device in the Remote Device Name field.
Step 7 Click Create.
The scan instance is created.
Nmap Scan Remediations
License:
FireSIGHT
You can define the settings for an Nmap scan by creating an Nmap remediation. An Nmap remediation can be used as a response in a correlation policy, run on demand, or scheduled to run at a specific time. In order for the results of an Nmap scan to appear in the network map, the scanned host must already exist in the network map. Note that NetFlow, the host input feature, and the system itself can add hosts to the network map.
For more information on the specific settings in an Nmap remediation, see Understanding Nmap Remediations.
Note that Nmap-supplied server and operating system data remains static until you run another Nmap scan. If you plan to scan a host for operating system and server data using Nmap, you may want to set up regularly scheduled scans to keep any Nmap-supplied operating system and server data up-to-date. For more information, see Automating Nmap Scans. Also note that if the host is deleted from the network map, any Nmap scan results for that host are discarded.
For general information about Nmap functionality, refer to the Nmap documentation at
http://insecure.org
.
To create a Nmap remediation:
Access:
Admin/Discovery Admin
Step 1 Select
Policies > Actions > Scanners
.
The Scanners page appears.
Step 2 Click
Add Remediation
next to the scan instance where you want to add a remediation.
The Edit Remediation page appears.
Step 3 In the
Remediation Name
field, type a name for the remediation that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the
Description
field, type a description for the remediation that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5 If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, a connection event, or a user event, configure the
Scan Which Address(es) From Event?
option.
-
Select
Scan Source and Destination Addresses
to scan the hosts represented by the source IP address and the destination IP address in the event.
-
Select
Scan Source Address Only
to scan the host represented by the event’s source IP address.
-
Select
Scan Destination Address Only
to scan the host represented by the event’s destination IP address.
If you plan to use this remediation in response to a correlation rule that triggers on a discovery event or a host input event, by default the remediation scans the IP address of the host involved in the event; you do not need to configure this option.
Note Do not assign a Nmap remediation as a response to a correlation rule that triggers on a traffic profile change.
Step 6 Configure the
Scan Type
option:
-
To scan quickly in stealth mode on hosts where the
admin
account has raw packet access or where IPv6 is not running, by initiating TCP connections but not completing them, select
TCP Syn Scan
.
-
To scan by using a system
connect()
call, which can be used on hosts where the
admin
account on your Defense Center does not have raw packet access or where IPv6 is running, select
TCP Connect Scan
.
-
To send an ACK packet to check whether ports are filtered or unfiltered, select
TCP ACK Scan
.
-
To send an ACK packet to check whether ports are filtered or unfiltered but also determine whether a port is open or closed, select
TCP Window Scan
.
-
To identify BSD-derived systems using a FIN/ACK probe, select
TCP Maimon Scan
.
Step 7 Optionally, to scan UDP ports in addition to TCP ports, select
On
for the
Scan for UDP ports
option.
Tip A UDP portscan takes more time than a TCP portscan. To speed up your scans, leave this option disabled.
Step 8 If you plan to use this remediation in response to correlation policy violations, configure the
Use Port From Event
option:
-
Select
On
to scan the port in the correlation event, rather than the ports you specify in step
12
.
If you scan the port in the correlation event, note that the remediation scans the port on the IP addresses that you specified in step
8
. These ports are also added to the remediation’s dynamic scan target.
-
Select
Off
to scan only the ports you will specify in step
12
.
Step 9 If you plan to use this remediation in response to correlation policy violations and want to run the scan using the appliance running the detection engine that detected the event, configure the
Scan from reporting detection engine
option:
-
To scan from the appliance running the reporting detection engine, select
On
.
-
To scan from the appliance configured in the remediation, select
Off
.
Step 10 Configure the
Fast Port Scan
option:
-
To only scan ports listed in the
nmap-services
file located in the
/var/sf/nmap/share/nmap/nmap-services
directory on the managed device that does the scanning, ignoring other port settings, select
On
.
-
To scan all TCP ports, select
Off
.
Step 11 In the
Port Ranges and Scan Order
field, type the ports you want to scan by default, using Nmap syntax, in the order you want to scan those ports.
Specify values from 1 to 65535. Separate ports using commas or spaces. You can also use a hyphen to indicate a port range. When scanning for both TCP and UDP ports, preface the list of TCP ports you want to scan with a T and the list of UDP ports with a U. For example, to scan ports 53 and 111 for UDP traffic, then scan ports 21-25 for TCP traffic, enter
U:53,111,T:21-25
.
Note that the
Use Port From Event
option overrides this setting when the remediation is launched in response to a correlation policy violation, as described in step
8
.
Step 12 To probe open ports for server vendor and version information, configure
Probe open ports for vendor and version information:
-
Select
On
to scan open ports on the host for server information to identify server vendors and versions.
-
Select
Off
to continue using server information for the host.
Step 13 If you choose to probe open ports, set the number of probes used by selecting a number from the
Service Version Intensity
drop-down list:
-
To use more probes for higher accuracy with a longer scan, select a higher number.
-
To use fewer probes for less accuracy with a faster scan, select a lower number.
Step 14 To scan for operating system information, configure
Detect Operating System
settings:
-
Select
On
to scan the host for information to identify the operating system.
-
Select
Off
to continue using operating system information for the host.
Step 15 To determine whether or not host discovery occurs and whether port scans are only run against available hosts, configure
Treat All Hosts As Online
:
-
To skip the host discovery process and run a port scan on every host in the target range, select
On
.
-
To perform host discovery using the settings for
Host Discovery Method
and
Host Discovery Port List
and skip the port scan on any host that is not available, select
Off
.
Step 16 Select the method to be used when Nmap tests to see if a host is present and available:
-
To send an empty TCP packet with the SYN flag set and elicit an RST response on a closed port or a SYN/ACK response on an open port on available hosts, select
TCP SYN
.
Note that this option scans port 80 by default and that TCP SYN scans are less likely to be blocked by a firewall with stateful firewall rules.
-
To send an empty TCP packet with the ACK flag set and elicit an RST response on available hosts, select
TCP ACK.
Note that this option scans port 80 by default and that TCP ACK scans are less likely to be blocked by a firewall with stateless firewall rules.
-
To send a UDP packet to elicit port unreachable responses from closed ports on available hosts, select
UDP
. This option scans port 40125 by default.
Step 17 If you want to scan a custom list of ports during host discovery, type a list of ports appropriate for the host discovery method you selected, separated by commas, in Host Discovery Port List.
Step 18 Configure the Default NSE Scripts option to control whether to use the default set of Nmap scripts for host discovery and server, operating system, and vulnerability discovery:
- To run the default set of Nmap scripts, select On.
- To skip the default set of Nmap scripts, select Off.
See http://nmap.org/nsedoc/categories/default.html for the list of default scripts.
Step 19 To set the timing of the scan process, select a timing template number: a higher number gives a faster, less comprehensive scan, and a lower number gives a slower, more comprehensive scan.
Step 20 Click Save, then click Done.
The remediation is created.
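To reproduce a remediation scan by hand (for example, when validating what a remediation will do before attaching it to a policy), the settings from Steps 13 through 19 map onto standard Nmap options. The following is an added example, not FireSIGHT's own code: it assumes the page's timing template number corresponds directly to Nmap's -T0 to -T5 templates, and uses the default discovery ports the page documents for each method.

```python
from typing import List, Optional

# Ping-probe flag per Host Discovery Method, and the default probe port the
# page documents for each method when Host Discovery Port List is empty.
DISCOVERY_FLAG = {"TCP SYN": "-PS", "TCP ACK": "-PA", "UDP": "-PU"}
DISCOVERY_DEFAULT_PORT = {"TCP SYN": 80, "TCP ACK": 80, "UDP": 40125}


def parse_port_list(port_list: Optional[str]) -> List[int]:
    """Parse the comma-separated Host Discovery Port List; reject non-ports."""
    if port_list is None or not port_list.strip():
        return []
    ports = []
    for item in port_list.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port in Host Discovery Port List: {item!r}")
        ports.append(int(item))
    return ports


def effective_discovery_ports(method: str, port_list: Optional[str]) -> List[int]:
    """Custom list if given (Step 17), else the method's documented default."""
    if method not in DISCOVERY_FLAG:
        raise ValueError(f"unknown Host Discovery Method: {method!r}")
    return parse_port_list(port_list) or [DISCOVERY_DEFAULT_PORT[method]]


def build_nmap_args(*, probe_open_ports: bool, service_version_intensity: int,
                    detect_os: bool, treat_all_hosts_as_online: bool,
                    host_discovery_method: str, host_discovery_port_list: Optional[str],
                    default_nse_scripts: bool, timing_template: int) -> List[str]:
    """Return the nmap option list equivalent to one remediation's settings."""
    args: List[str] = []
    if probe_open_ports:  # Step 13: version probing and its 0-9 intensity
        if not 0 <= service_version_intensity <= 9:
            raise ValueError("Service Version Intensity must be 0-9")
        args += ["-sV", "--version-intensity", str(service_version_intensity)]
    if detect_os:  # Step 14 (nmap needs raw-socket privileges for -O)
        args.append("-O")
    if treat_all_hosts_as_online:  # Step 15 On: -Pn skips host discovery
        args.append("-Pn")
    else:  # Steps 16-17: ping probe type plus the ports it is sent to
        ports = effective_discovery_ports(host_discovery_method, host_discovery_port_list)
        args.append(DISCOVERY_FLAG[host_discovery_method] + ",".join(map(str, ports)))
    if default_nse_scripts:  # Step 18: same as nmap -sC
        args += ["--script", "default"]
    if not 0 <= timing_template <= 5:  # Step 19: assumed to map to -T0..-T5
        raise ValueError("timing template must be 0-5")
    args.append(f"-T{timing_template}")
    return args
```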
Configuring Set Attribute Remediations
License: FireSIGHT
You can respond to a correlation event by setting a host attribute value on the host where the triggering event occurred. For text host attributes, you can choose to use the description from the event as the attribute value. For more information on host attributes, see Working with the Predefined Host Attributes and Working with User-Defined Host Attributes.
To configure setting an attribute value in response to a correlation event, you must first create a set attribute instance, then add a set attribute remediation. You can then configure attribute value updates as responses to violations of rules within the policy.
For more information, see the following sections:
Adding a Set Attribute Value Instance
License: FireSIGHT
You can set up an instance to set attribute values in response to correlation rule violations.
To create a set attribute instance:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Select Set Attribute Value (v1.0) from the Add a module type drop-down list and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, enter a name that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the Description field, specify a description that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5 Click Create.
The instance is created.
Set Attribute Value Remediations
License: FireSIGHT
You can create a set attribute value remediation for each attribute value you want to be able to set in response to a correlation rule violation. If the attribute you want to set is a text attribute, you can set the remediation to use the description from the event as the attribute value.
To create a set attribute value remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Click View next to the instance where you want to add a remediation.
The Edit Instance page appears.
Step 3 Select Set Attribute Value from the Add a new remediation of type drop-down list.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, type a name for the remediation that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 5 In the Description field, type a description for the remediation that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 6 If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, user event, or connection event, configure the Update Which Host(s) From Event option:
- Select Update Source and Destination Hosts to update the attribute value on the hosts represented by the source IP address and the destination IP address in the event.
- Select Update Source Host Only to update the attribute value on the host represented by the event's source IP address.
- Select Update Destination Host Only to update the attribute value on the host represented by the event's destination IP address.
If you plan to use this remediation in response to a correlation rule that triggers on a discovery event or host input event, the remediation by default acts on the IP address of the host involved in the event; you do not need to configure this option.
Step 7 Configure the Use Description From Event For Attribute Value (text attributes only) option:
- To use the description from the event as the attribute value, select On.
- To use the Attribute Value setting for the remediation as the attribute value, select Off.
Step 8 If you are not planning to use the event description, type the attribute value you want to set in the Attribute Value field.
Step 9 Click Save, then click Done.
The remediation is created.
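The host-selection and value-selection rules of Steps 6 through 8 determine exactly which host records a remediation touches, which matters when the attribute drives later correlation rules. The following added example (not FireSIGHT's own code) models those rules; the CorrelationEvent class and the event type names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Step 6 applies to event types that carry two endpoints; discovery and host
# input events carry a single host, which the remediation acts on directly.
TWO_HOST_EVENTS = {"intrusion", "user", "connection"}
ONE_HOST_EVENTS = {"discovery", "host input"}


@dataclass
class CorrelationEvent:             # constructed stand-in for a real event
    kind: str                        # one of the event types above
    description: str                 # text the remediation may copy (Step 7)
    source_ip: Optional[str] = None
    destination_ip: Optional[str] = None
    host_ip: Optional[str] = None    # discovery / host input events only


def select_hosts(event: CorrelationEvent, update_which: str) -> List[str]:
    """Return the IP addresses whose attribute the remediation updates."""
    if event.kind in ONE_HOST_EVENTS:
        return [event.host_ip] if event.host_ip else []
    if event.kind not in TWO_HOST_EVENTS:
        raise ValueError(f"unsupported correlation event type: {event.kind!r}")
    candidates = {
        "Update Source and Destination Hosts": [event.source_ip, event.destination_ip],
        "Update Source Host Only": [event.source_ip],
        "Update Destination Host Only": [event.destination_ip],
    }[update_which]
    return [ip for ip in candidates if ip]  # drop endpoints the event lacks


def resolve_value(event: CorrelationEvent, attribute_is_text: bool,
                  use_description: bool, attribute_value: str) -> str:
    """Steps 7-8: event description (text attributes only) or the fixed value."""
    if use_description:
        if not attribute_is_text:
            raise ValueError("Use Description From Event applies to text attributes only")
        return event.description
    return attribute_value


def plan_updates(event: CorrelationEvent, attribute_is_text: bool, update_which: str,
                 use_description: bool, attribute_value: str) -> Dict[str, str]:
    """Map each targeted host IP to the value its attribute will receive."""
    value = resolve_value(event, attribute_is_text, use_description, attribute_value)
    return {ip: value for ip in select_hosts(event, update_which)}
```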