Firesight Nmap active scan

Meng Li
Level 1

Hi all,

I am trying to enable an Nmap instance in Firesight 5.4.1 and am a bit confused by the following two points:

1. I noticed that http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Scanning.html#pgfId-3355672 states 'Step 6 Optionally, to run the scan from a remote device instead of the Defense Center, specify the IP address or name of the device as it appears in the Information page for the device in the Defense Center web interface, in the Remote Device Name field.' Does it mean that if I provide the IP of a Firepower module (we have three SFR modules deployed in three branch offices and the Defense Center in HQ) the active scanner will be enabled there and the scan will be launched from the Firepower module?

2. Can Firesight 5.4.1 run a credentialed active scan? I don't see where I can provide domain level privileges for Firesight to run such a scan.

Thanks,

4 Replies

Meng Li
Level 1

Any thoughts on this?

Thanks,

The short answer to #1 is yes. When you set up an nmap scan, if you enter the remote device IP address the scan will kick off and run from the SFR module. The scan will be performed through the management interface.

As for #2, I don't believe nmap has a credentialed scan capability, and nmap is what we use for the scanner.

Thanks for the information! 

I'm running a scan to a remote site via a quite congested WAN link, and it's still running. Is there a way to stop the scan job in the Mgmt GUI?

Also, in the Firesight, is it possible to run more than one scan at the same time?

I stopped it like this:

go on the CLI of the machine running the scan

enter expert mode
then, type sudo su -
put the password
type ps -ef | grep nmap

Find the process ID

then

kill -9 PID

Example

root@firepower:~# ps -ef | grep nmap
root       898   847  3 01:41 ?        00:41:48 /usr/local/sf/nmap/bin/nmap

root@firepower:~# kill -9 898

That's it...
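A variant of the steps above, as an added example that is not part of the original post or Cisco's tooling: it selects the PID by the exact binary path from the ps output quoted in the thread (so the "grep nmap" line never matches) and sends SIGTERM before falling back to SIGKILL. The function names, the 10-second grace period and the availability of awk on the device are assumptions.

```shell
#!/bin/sh
# Path of the scanner binary as it appears in the ps output quoted in the thread.
NMAP_BIN="/usr/local/sf/nmap/bin/nmap"

# Read `ps -ef` output on stdin and print the PID (column 2) of every process
# whose executable (column 8) is exactly the nmap binary. Matching the command
# column exactly skips the "grep nmap" line that a plain grep also returns.
nmap_pids() {
    awk -v bin="$NMAP_BIN" '$8 == bin { print $2 }'
}

# Ask each scan process to exit with SIGTERM, wait up to GRACE seconds
# (hypothetical default: 10), and use SIGKILL only on what is still alive.
stop_nmap_scans() {
    grace="${1:-10}"
    pids=$(ps -ef | nmap_pids)
    [ -n "$pids" ] || { echo "no nmap scan running"; return 0; }
    for pid in $pids; do kill -TERM "$pid" 2>/dev/null; done
    alive="$pids"
    while [ "$grace" -gt 0 ]; do
        alive=""
        for pid in $pids; do
            kill -0 "$pid" 2>/dev/null && alive="$alive $pid"
        done
        [ -z "$alive" ] && return 0
        sleep 1
        grace=$((grace - 1))
    done
    for pid in $alive; do kill -KILL "$pid" 2>/dev/null; done
    return 0
}

# Constructed sample, modelled on the ps line in the post plus a grep line.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root       898   847  3 01:41 ?        00:41:48 /usr/local/sf/nmap/bin/nmap
root      1204  1100  0 02:10 pts/0    00:00:00 grep nmap'

# Run the PID selection over the constructed sample.
sample_pids() { printf '%s\n' "$SAMPLE_PS" | nmap_pids; }
```

Run `stop_nmap_scans` as root from the same expert-mode shell; pass a number of seconds as the first argument to change the grace period.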
