<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NMAP Trigger Scan - Profiling in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/nmap-trigger-scan-profiling/m-p/3857456#M473005</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am trying to use the NMAP trigger scan in profiling for printers.&lt;/P&gt;&lt;P&gt;Below are the steps I have done.&lt;/P&gt;&lt;P&gt;1. Create a condition for printers to match the OUI.&lt;/P&gt;&lt;P&gt;2. Create a profiling policy (CF 20) and set the NMAP scan action for OS and SNMP ports.&lt;/P&gt;&lt;P&gt;3. In the 1st rule, create a condition to match MAC addresses beginning with xx:xx:xx with CF 20.&lt;/P&gt;&lt;P&gt;4. In the 2nd rule, I match the OUI condition and set the NMAP scan action.&lt;/P&gt;&lt;P&gt;5. Created a child policy, created two conditions and set CF as 20.&lt;/P&gt;&lt;P&gt;I do not see the NMAP scan working. Do I need to configure the NMAP scan action in rule 1 in the parent policy?&lt;/P&gt;&lt;P&gt;How should I configure the NMAP trigger scan in the best way?&lt;/P&gt;</description>
    <pubDate>Thu, 16 May 2019 12:19:00 GMT</pubDate>
    <dc:creator>Arjun176</dc:creator>
    <dc:date>2019-05-16T12:19:00Z</dc:date>
    <item>
      <title>NMAP Trigger Scan - Profiling</title>
      <link>https://community.cisco.com/t5/network-access-control/nmap-trigger-scan-profiling/m-p/3857456#M473005</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am trying to use the NMAP trigger scan in profiling for printers.&lt;/P&gt;&lt;P&gt;Below are the steps I have done.&lt;/P&gt;&lt;P&gt;1. Create a condition for printers to match the OUI.&lt;/P&gt;&lt;P&gt;2. Create a profiling policy (CF 20) and set the NMAP scan action for OS and SNMP ports.&lt;/P&gt;&lt;P&gt;3. In the 1st rule, create a condition to match MAC addresses beginning with xx:xx:xx with CF 20.&lt;/P&gt;&lt;P&gt;4. In the 2nd rule, I match the OUI condition and set the NMAP scan action.&lt;/P&gt;&lt;P&gt;5. Created a child policy, created two conditions and set CF as 20.&lt;/P&gt;&lt;P&gt;I do not see the NMAP scan working. Do I need to configure the NMAP scan action in rule 1 in the parent policy?&lt;/P&gt;&lt;P&gt;How should I configure the NMAP trigger scan in the best way?&lt;/P&gt;</description>
      <pubDate>Thu, 16 May 2019 12:19:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nmap-trigger-scan-profiling/m-p/3857456#M473005</guid>
      <dc:creator>Arjun176</dc:creator>
      <dc:date>2019-05-16T12:19:00Z</dc:date>
    </item>
    <item>
      <title>Re: NMAP Trigger Scan - Profiling</title>
      <link>https://community.cisco.com/t5/network-access-control/nmap-trigger-scan-profiling/m-p/3857935#M473006</link>
      <description>&lt;P&gt;I tried what you described and it worked for me.&lt;/P&gt;
&lt;PRE&gt;2019-05-16 22:30:06,977 DEBUG  [EndpointHandlerWorker-3-35-thread-1][] profiler.infrastructure.probemgr.event.EndpointHandler -::- Endpoint.11:22:33:04:05:CB matched testNmapTriggerScan
2019-05-16 22:30:06,978 INFO   [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapEventHandler -:NMAPNodeScan:- Scanning 10.0.0.201 for endpoint 11:22:33:04:05:CB
2019-05-16 22:30:06,978 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapEventHandler -:NMAPNodeScan:- Validating binding for Mac 11:22:33:04:05:CB and IP 10.0.0.201
2019-05-16 22:30:06,978 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.infrastructure.cache.ARPCache -:NMAPNodeScan:- Find the endpoint from ipv4 cache using ip  : 10.0.0.201
2019-05-16 22:30:06,979 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.infrastructure.cache.ARPCache -:NMAPNodeScan:- Found the endpoint for MAC:11:22:33:04:05:CB ip : 10.0.0.201
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD IPV6 -6
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SERVICE_VERSION -sV --script mcafee-epo-agent.nse
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD DEBUG_ARGS -v
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD COMMON_PORTS_ARG -sTU -p
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SCAN_SMB_DISCOVERY_SCRIPT --script smb-os-discovery.nse
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD COMMON_PORTS T:21,22,23,25,53,80,110,135,139,143,443,445,3306,3389,8080,9100,U:53,67,68,123,135,137,138,139,161,445,500,520,631,1434,1900
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SUDO_CMD /usr/bin/sudo
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD LOG_ARGS -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX -
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SCAN_ARGS_FOR_NAD_DISCOVERY -sU -p 161 --open -oN /opt/CSCOcpm/logs/nmapSubnet.log --append-output -oX -
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD OPERATING_SYS -sS -O -F
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD HOST_TIMEOUT --host-timeout 30
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SKIP_HOST_DISCOVERY --disable-arp-ping
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SUBNET_SCAN_ARGS -O -sU -p U:161,162 -oN /opt/CSCOcpm/logs/nmapSubnet.log --append-output -oX -
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SCAN_SMB_DISCOVERY_PORTS T:445,139,U:137
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD NMAP_CMD /usr/bin/nmap
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SUBNET_CANCEL_SCRIPT /opt/CSCOcpm/bin/killsubnetscan.sh
2019-05-16 22:30:06,986 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- CMD SNMP_PORTS -sU -p U:161,162
2019-05-16 22:30:06,988 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- IPAddress: 10.0.0.201
2019-05-16 22:30:06,989 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- About to execute: '/usr/bin/sudo /usr/bin/nmap -v -sS -O -F --disable-arp-ping --host-timeout 30 -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - 10.0.0.201'
2019-05-16 22:30:06,989 DEBUG  [NMAPEventHandler-48-thread-1][] cisco.profiler.probes.nmap.NmapCmdExecuter -:NMAPNodeScan:- Execute from process builder [/usr/bin/sudo, /usr/bin/nmap, -v, -sS, -O, -F, --disable-arp-ping, --host-timeout, 30, -oN, /opt/CSCOcpm/logs/nmap.log, --append-output, -oX, -, 10.0.0.201]&lt;/PRE&gt;
&lt;P&gt;If still problematic for you, please engage Cisco TAC.&lt;/P&gt;
</description>
      <pubDate>Thu, 16 May 2019 22:35:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nmap-trigger-scan-profiling/m-p/3857935#M473006</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2019-05-16T22:35:48Z</dc:date>
    </item>
  </channel>
</rss>

