09-28-2015 10:56 AM - edited 03-12-2019 05:46 AM
Hello,
I would like to know how network discovery (passive) works in Sourcefire.
How does the Nmap scan work?
Thanks
Shubham
09-28-2015 12:16 PM
Below is an excerpt from FireSIGHT System User Guide Version 5.4.1 > Enhancing Network Discovery:
The FireSIGHT System builds the network map using data it detects by passively analyzing traffic. It also uses data added through active sources such as the host input feature and the Nmap scanner. Understanding how the system decides which data to use for an application or operating system identity can help you decide how best to augment the system’s passive detection capabilities with active input sources.
Understanding Passive Detection
License: FireSIGHT
Passive detection is the detection of host operating system, client, and application information through analysis of traffic passively collected by the system. The system uses information in the VDB to help it identify your network assets.
If the system cannot identify an operating system on a host, you can manually determine it and then create a custom server or client fingerprint to help the system recognize that operating system on other hosts with similar operating system characteristics.
The system uses all collected passive fingerprints for a host operating system to create a derived fingerprint. The system creates derived fingerprints by applying a formula which calculates the most likely identity using the confidence value of each collected fingerprint and the amount of corroborating fingerprint data between identities. Common elements are identified between identities.
If you use user-defined application detectors on your network, you can augment the system’s application detection capabilities by creating custom detectors that provide the system with the information it needs to identify those applications. NetFlow can also add passively detected application information to the network map.
Note that the system does not use application protocol and operating system data that it classified as unknown because it is unable to interpret the data. The managed device reports the identity to the Defense Center as unknown and the identity data is not used to derive fingerprints.
I hope that this is the information that you were looking for.
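To make the "derived fingerprint" paragraph from the excerpt concrete, here is a small illustrative model of the idea, added here as an example; it is not Sourcefire or Cisco code, and the guide does not publish the actual formula. The scoring rule (sum the confidence values of fingerprints that agree on an exact identity, then add half credit from other identities for each element, vendor, product or version, they have in common) is an assumption chosen only to show how confidence and corroborating data can be combined. The fingerprint records are constructed sample data, and "unknown" identities are skipped as the guide says they are not used to derive fingerprints.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """One passively collected OS fingerprint for a host (constructed model)."""
    source: str      # which detector produced it, e.g. "server" or "client"
    vendor: str
    product: str
    version: str
    confidence: int  # 0-100, how sure that detector is about this identity


# Constructed sample: five passive fingerprints seen for the same host.
SAMPLE_FINGERPRINTS = [
    Fingerprint("server", "Microsoft", "Windows", "10", 70),
    Fingerprint("client", "Microsoft", "Windows", "10", 60),
    Fingerprint("server", "Microsoft", "Windows", "8.1", 50),
    Fingerprint("client", "Linux", "Linux", "4.x", 40),
    # Classified as unknown: per the guide, such data must not influence the result.
    Fingerprint("client", "unknown", "unknown", "", 90),
]

ELEMENTS = 3  # identity elements compared: vendor, product, version


def score_identities(fingerprints):
    """Assumed scoring model (not the product's real formula).

    Returns {identity: score} where identity is (vendor, product, version).
    base score  = sum of confidence values of fingerprints with that exact identity
    corroboration = for every other identity, half of its base score scaled by the
                    fraction of elements the two identities share
    """
    base = defaultdict(int)
    for fp in fingerprints:
        if fp.vendor.lower() == "unknown":
            continue  # unknown identities are reported but never used for derivation
        base[(fp.vendor, fp.product, fp.version)] += fp.confidence

    scores = {}
    for ident, own in base.items():
        corroboration = 0
        for other, other_score in base.items():
            if other == ident:
                continue
            shared = sum(1 for a, b in zip(ident, other) if a == b)
            # half credit, proportional to shared elements (integer arithmetic on purpose)
            corroboration += other_score * shared // (2 * ELEMENTS)
        scores[ident] = own + corroboration
    return scores


def derive_identity(fingerprints):
    """Return (most_likely_identity, score) or None when nothing usable was collected."""
    scores = score_identities(fingerprints)
    if not scores:
        return None
    best = max(scores, key=scores.get)
    return best, scores[best]


if __name__ == "__main__":
    for ident, score in sorted(score_identities(SAMPLE_FINGERPRINTS).items(),
                               key=lambda kv: -kv[1]):
        print(f"{'/'.join(ident):30s} {score}")
    print("derived identity:", derive_identity(SAMPLE_FINGERPRINTS))
```

With the sample above, the two Windows 10 fingerprints win outright (130 points), and the Windows 8.1 fingerprint still adds corroboration because it shares the vendor and product elements; the Linux fingerprint shares nothing and the high-confidence "unknown" record is ignored entirely. This is the kind of reasoning the guide describes when it says common elements are identified between identities, and it also shows why adding a custom fingerprint or an active source (host input, Nmap) can tip the result when passive evidence is split.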
09-30-2015 08:35 AM
Thanks a lot....