NMAP and Operating System Detection

dney
Level 1

So I have started playing around with NMAP on Sourcefire 5.4.1.3 since I use it for other security related events. What I have found is that it seems to be terrible at detecting the OS type and version. For Windows servers it seems to be always incorrect. However, if I do a manual nmap scan from my workstation of the same server, it will come back almost 100% correct. Not sure what I'm doing wrong in Sourcefire, but seeing how we have over 700 servers it will take a very long time to get them all corrected. Anybody experience this or have ideas on what I'm doing wrong?


Thanks!

3 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

Refer link : http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Enhancing-Discovery.html#pgfId-1609213

The above link explains how NMAP works on Sourcefire. There are 2 types of detection:

Passive detection is the detection of host operating system, client, and application information through analysis of traffic passively collected by the system. The system uses information in the VDB to help it identify your network assets.
If the system cannot identify an operating system on a host, you can manually determine it and then create a custom server or client fingerprint to help the system recognize that operating system on other hosts with similar operating system characteristics.

Active detection is addition, to the network map, of data collected by active sources, such as host operating system and application information. For example, you can use the Nmap scanner to actively scan the hosts that you target on your network. Nmap discovers operating systems and applications on hosts.

Now when you say wrong, what do you exactly mean by it? Can you send me a snapshot of the same? What is the VDB version that you are on?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Aastha,

You are correct, there are two types of detections.

Example: on a host that has had a passive detection done for a server host, it will determine the OS version could be NT 4, Vista, 7, Server 2008, Phone 7.5 and Phone 8.0 - See attachment Passive

If I kick off an active detection using nmap on SourceFire, it will determine that the OS is Vista - See attachment Active

Both of these are done on the same host, and when I click on 'View Operating Systems' you can now see both are listed, with Vista being 100 'Confidence' - See attachment ViewOS

The correct Operating System for this Host is Server 2008 R2.

Hi,

Checking previous cases, I have found a bug that seems to match the issue we are facing.

Refer : https://tools.cisco.com/bugsearch/bug/CSCut23654/?reffering_site=dumpcr

The bug is still open and I guess will be fixed in 5.4.0.5.

Regards,

Aastha Bhardwaj

Rate if that helps!!!
