Nmap scan in Sourcefire

Hello,

I would like to know how network discovery (passive) works in Sourcefire.

How does the Nmap scan work?

Thanks

Shubham

2 Replies

chhinchm
Cisco Employee

Below is an excerpt from the FireSIGHT System User Guide, Version 5.4.1 > Enhancing Network Discovery:

The FireSIGHT System builds the network map using data it detects by passively analyzing traffic. It also uses data added through active sources such as the host input feature and the Nmap scanner. Understanding how the system decides which data to use for an application or operating system identity can help you decide how best to augment the system’s passive detection capabilities with active input sources.

Understanding Passive Detection

License: FireSIGHT

Passive detection is the detection of host operating system, client, and application information through analysis of traffic passively collected by the system. The system uses information in the VDB to help it identify your network assets.

If the system cannot identify an operating system on a host, you can manually determine it and then create a custom server or client fingerprint to help the system recognize that operating system on other hosts with similar operating system characteristics.

The system uses all collected passive fingerprints for a host operating system to create a derived fingerprint. The system creates derived fingerprints by applying a formula which calculates the most likely identity using the confidence value of each collected fingerprint and the amount of corroborating fingerprint data between identities. Common elements are identified between identities.

If you use user-defined application detectors on your network, you can augment the system’s application detection capabilities by creating custom detectors that provide the system with the information it needs to identify those applications. NetFlow can also add passively detected application information to the network map.

Note that the system does not use application protocol and operating system data that it classified as unknown because it is unable to interpret the data. The managed device reports the identity to the Defense Center as unknown and the identity data is not used to derive fingerprints.

I hope that this is the information that you were looking for.
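
To make the derived-fingerprint idea in the excerpt concrete, here is an added example. It is not FireSIGHT or Sourcefire code: the guide does not publish its formula, so the scoring rule (sum of per-fingerprint confidence plus a bonus for each additional independent source that agrees), the detector names and the confidence values are all constructed assumptions. What it does reproduce from the text is that each passive fingerprint carries a confidence, that corroboration between fingerprints raises an identity's standing, and that fingerprints classified as unknown are never used.

```python
"""Illustrative model of combining passive OS fingerprints into one derived identity.

Added example, not FireSIGHT code. The scoring below is an assumption made
for illustration; the detector names and confidence values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    source: str      # detector that produced it, e.g. "tcp-syn" (constructed name)
    identity: str    # OS identity the detector claims, or "unknown"
    confidence: int  # 0-100, as reported by the detector


def derive_identity(fingerprints, corroboration_bonus=10):
    """Return (best_identity, scores) for one host.

    Assumed scoring (not the vendor's formula):
      score(identity) = sum(confidence of fingerprints claiming it)
                      + corroboration_bonus * (distinct agreeing sources - 1)
    Fingerprints classified as "unknown" are skipped, matching the guide's note
    that unknown data is not used to derive fingerprints.
    """
    scores = defaultdict(int)
    sources = defaultdict(set)
    for fp in fingerprints:
        if fp.identity.lower() == "unknown":
            continue  # unusable regardless of its confidence
        scores[fp.identity] += fp.confidence
        sources[fp.identity].add(fp.source)

    # Reward identities that several independent detectors agree on.
    for identity, srcs in sources.items():
        scores[identity] += corroboration_bonus * (len(srcs) - 1)

    if not scores:
        return "unknown", {}
    # Highest score wins; ties are broken deterministically by identity name.
    best = max(scores, key=lambda ident: (scores[ident], ident))
    return best, dict(scores)


# Constructed sample: one host seen by several passive detectors.
SAMPLE_HOST_FINGERPRINTS = [
    Fingerprint("tcp-syn", "Linux 3.x", 60),
    Fingerprint("tcp-syn", "Linux 2.6", 55),
    Fingerprint("http-client", "Linux 3.x", 40),
    Fingerprint("dhcp", "unknown", 90),      # high confidence but unusable
    Fingerprint("ssh-banner", "Linux 3.x", 35),
]

# Constructed sample where two lower-confidence detectors that agree
# outweigh a single high-confidence detector that stands alone.
CORROBORATION_FINGERPRINTS = [
    Fingerprint("tcp-syn", "Windows 10", 95),
    Fingerprint("http-client", "Windows 7", 50),
    Fingerprint("smb", "Windows 7", 50),
]


if __name__ == "__main__":
    for name, fps in [("host A", SAMPLE_HOST_FINGERPRINTS),
                      ("host B", CORROBORATION_FINGERPRINTS)]:
        best, scores = derive_identity(fps)
        print(f"{name}: derived identity = {best}, scores = {scores}")
```

Running the block prints the derived identity and the per-identity scores for the two constructed hosts; host B shows why corroboration matters, since the two agreeing detectors beat the single 95% fingerprint.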

Thanks a lot....
