11-03-2015 06:59 PM - edited 03-12-2019 05:48 AM
So I have started playing around with NMAP on Sourcefire 5.4.1.3 since I use it for other security related events. What I have found is that it seems to be terrible at detecting the OS type and version. For windows servers it seems to be always incorrect. However if I do a manual nmap scan from my workstation of the same server it will come back almost 100% correct. Not sure what I’m doing wrong in Sourcefire but seeing how we have over 700 Servers it will take a very long time to get them all corrected. Anybody experience this or have ideas on what I’m doing wrong?
Thanks!
11-03-2015 07:28 PM
Hi,
Refer link : http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Enhancing-Discovery.html#pgfId-1609213
The above link explains how NMAP works on Sourcefire. There are 2 types of detection:
Passive detection is the detection of host operating system, client, and application information through analysis of traffic passively collected by the system. The system uses information in the VDB to help it identify your network assets.
If the system cannot identify an operating system on a host, you can manually determine it and then create a custom server or client fingerprint to help the system recognize that operating system on other hosts with similar operating system characteristics.
Active detection is addition, to the network map, of data collected by active sources, such as host operating system and application information. For example, you can use the Nmap scanner to actively scan the hosts that you target on your network. Nmap discovers operating systems and applications on hosts.
Now when you say wrong, what do you exactly mean by it? Can you send me a snapshot of the same. What is the VDB version that you are on?
Regards,
Aastha Bhardwaj
Rate if that helps!!!
11-03-2015 07:56 PM
Aastha,
You are correct there are two types of detections.
For example, on a host that has had a passive detection done for a server host, it will determine the OS version could be NT 4, Vista, 7, Server 2008, Phone 7.5 or Phone 8.0 - see attachment Passive
If I kick off an active detection using nmap on SourceFire, it will determine that the OS is Vista - see attachment Active
Both of these are done on the same host, and when I click on 'View Operating Systems' you can now see both are listed, with Vista being 100 'Confidence' - see attachment ViewOS
The correct Operating System for this Host is Server 2008 R2.
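An added illustration for the passive/active detection discussion above and the Vista vs. Server 2008 R2 result; this is not code from the thread or from Cisco. Nmap's XML output (`nmap -O -oX`) can list several Windows generations under a single best-accuracy match, so a tool that keeps only the first class reports "Vista" for a host that may equally be a 2008-era server. The script parses that XML and flags hosts whose top match is ambiguous; the XML sample and address are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -O -oX` output for one host (not real scan data).
# One osmatch carries several osclass children that share a TCP/IP stack.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <os>
      <osmatch name="Microsoft Windows Vista SP2, 7 SP1, or Server 2008" accuracy="100">
        <osclass osfamily="Windows" osgen="Vista" accuracy="100"/>
        <osclass osfamily="Windows" osgen="7" accuracy="100"/>
        <osclass osfamily="Windows" osgen="2008" accuracy="100"/>
      </osmatch>
      <osmatch name="Microsoft Windows Server 2008 R2" accuracy="91">
        <osclass osfamily="Windows" osgen="2008" accuracy="91"/>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""


def os_candidates(xml_text):
    """Map each IPv4 address to (family, generation, accuracy) tuples,
    best accuracy first. Every osclass is kept, not only the first one."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        cands = [(c.get("osfamily"), c.get("osgen"), int(c.get("accuracy")))
                 for c in host.iter("osclass")]
        cands.sort(key=lambda c: -c[2])  # stable: keeps nmap's order on ties
        result[addr.get("addr")] = cands
    return result


def top_generations(cands):
    """OS generations tied at the best accuracy for one host."""
    if not cands:
        return set()
    best = cands[0][2]
    return {gen for _fam, gen, acc in cands if acc == best}


def ambiguous_hosts(xml_text):
    """Addresses whose best nmap match spans more than one OS generation,
    i.e. where a single reported OS name should not be trusted on its own."""
    return [a for a, c in os_candidates(xml_text).items()
            if len(top_generations(c)) > 1]
```

Run against a real `-oX` file to see which hosts need a manual check before correcting the network map.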
11-04-2015 10:44 AM
Hi,
Checking previous cases, I have found a bug that seems to match the issue we are facing.
Refer : https://tools.cisco.com/bugsearch/bug/CSCut23654/?reffering_site=dumpcr
The bug is still open and I guess will be fixed in 5.4.0.5.
Regards,
Aastha Bhardwaj
Rate if that helps!!!