FMC passive network discovery - what OSID fields used when discovering

evan.chadwick1 · ‎05-11-2016

Hi Folks,

When FMC performs passive network discovery it is not interacting with end hosts, it is paying extra attention to syn and syn-ack packets and determining OS definitions based on known output from ip headers.

Can anyone point me in the direction to find more information on how the FMC is configured to carry out the discovery from ip packets passing through the managed device network points?

Cheers

yogdhanu · ‎05-12-2016

Hi Even,

Yes the managed devices gathers the network discovery info as the traffic passed through it and send that info to FMC which in turn processes the data to show the data.

The user guide has detailed information about it.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Discovery-Network-Map.html

Is there something specific you are looking for ?

Hope it helps.

Yogesh

evan.chadwick1 · ‎05-23-2016

I'm just wanting to be able to comprehend the operation so I can explain it to people. From what I gather its fairly standard open source type operation, nothing cisco tailored?

So understanding something like http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting is all thats needed?

Also I've had discovery running for about 2-3 weeks now and Windows 2012 R2 is not being discovered. Its being marked as Windows 7, Server 2008, 8. Do we not need to care that the exact version is detected?

From what I understand if a product does not change in operation in higher versions the system marks it as the lowest version. For example, i can't remember the finer details, but when seeing Windows Vista for a certain function it still applies to Windows 7/8/10, as the particular feature has not changed in the higher versions.

evan.chadwick1 · ‎05-23-2016

Should one not run 'Firepower Recommendations' until most end points (especially main servers) are classified accurately?