https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3191501#M1041587 <P>What if it was to detect vulnerabilty scans? Is there anything that I must do to enable them?&nbsp;</P> Fri, 29 Sep 2017 07:28:15 GMT chanccmtech 2017-09-29T07:28:15Z https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3190841#M1041585 <P>Good Day All,&nbsp;</P><P>&nbsp;</P><P>The Firepower appliance is currently capable of detecting against vulnerability assessment by default, am I right on this? I think I recalled on the previous versions that there is an option to enable NMAP scanning in the intrusion policies.&nbsp;</P><P>&nbsp;</P><P>Or am I missing the point here?</P><P>Appreciate some explaination <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 21 Feb 2020 14:23:17 GMT https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3190841#M1041585 chanccmtech 2020-02-21T14:23:17Z https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3191490#M1041586 <P>It's not really in the Intrusion Policy per se but you can nmap scan as a result of a network discovery with active detection or as a response to a correlation rule.</P> <P>&nbsp;</P> <P>The following links have details on those use cases:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/introduction_to_network_discovery_and_identity.html#concept_B9C9F7BF250847D6A4FB888CB738EA17" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/introduction_to_network_discovery_and_identity.html#concept_B9C9F7BF250847D6A4FB888CB738EA17</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/host_identity_sources.html#ID-2219-00000532" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/host_identity_sources.html#ID-2219-00000532</A></P> Fri, 29 Sep 2017 12:05:31 GMT https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3191490#M1041586 Marvin Rhoads 2017-09-29T12:05:31Z https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3191501#M1041587 <P>What if it was to detect vulnerabilty scans? Is there anything that I must do to enable them?&nbsp;</P> Fri, 29 Sep 2017 07:28:15 GMT https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3191501#M1041587 chanccmtech 2017-09-29T07:28:15Z https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3191605#M1041588 <P>Oh - you're asking about detectng nmap. In that case yes - you can go under Objects &gt; Intrusion Rules and search for nmap.</P> <P>&nbsp;</P> <P>I believe, for example, the following rule is relevant and included by default:</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR class="first"> <TH colspan="2"> <H2>Rule Documentation (1:629:8)</H2> </TH> </TR> <TR> <TD colspan="2"> <DIV class="description">This event is generated when the nmap port scanner and reconnaissance <BR />tool is used against a host.<BR /><BR />When run with the '-O' option, it attempts to identify the remote <BR />operating system.</DIV> </TD> </TR> <TR> <TH>Rule</TH> <TD>alert tcp $EXTERNAL_NET any -&gt; $HOME_NET any (msg:"DELETED SCAN nmap fingerprint attempt"; flow:stateless; flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:8; gid:1; )</TD> </TR> <TR> <TH>Impact</TH> <TD>Can provide useful reconnaissance information to an attacker. Has been<BR />known to cause a denial of service on some older hosts.</TD> </TR> <TR> <TH>Detailed Information</TH> <TD>nmap attempts to identify the remote operating system by looking for<BR />different services that are common or specific to particular operating<BR />systems. It also sends a variety of abnormal packets that are often<BR />handled differently by different operating systems so that it can<BR />differentiate between them based on the responses.</TD> </TR> <TR> <TH>Affected Systems</TH> <TD>All</TD> </TR> <TR> <TH>Attack Scenarios</TH> <TD>nmap is often used before an attempt to gain access to a system.</TD> </TR> <TR> <TH>Ease of Attack</TH> <TD>Simple</TD> </TR> <TR> <TH>False Positives</TH> <TD>None known. The signature may be produced by other scanners but is<BR />unlikely to be used for legitimate activity.</TD> </TR> <TR> <TH>False Negatives</TH> <TD>None known.</TD> </TR> <TR> <TH>Corrective Action</TH> <TD>Block any TCP packets that have the SYN, FIN, PUSH and URGENT flags set<BR />using a firewall. Block only packets that have all four of the flags<BR />set as they are individually and in other combinations necessary for<BR />normal TCP traffic. If you block them individually or in other<BR />combinations your network will not function correctly.</TD> </TR> <TR> <TH>Contributors</TH> <TD>Original Rule Writer Unknown (prime suspect is Marty Roesch)<BR />Sourcefire Research Team<BR />Nigel Houghton &lt;nigel.houghton@sourcefire.com&gt;<BR />Snort documentation contributed by Steven Alexander&lt;alexander.s@mccd.edu&gt;</TD> </TR> </TBODY> </TABLE> Fri, 29 Sep 2017 12:04:13 GMT https://community.cisco.com/t5/network-security/detection-against-vulnerability-assessment/m-p/3191605#M1041588 Marvin Rhoads 2017-09-29T12:04:13Z