Scan Which Address(es) From Event?
|
When you use an Nmap scan as a response to a correlation rule,
select one of the following options to control which address in the event is
scanned, that of the source host, the destination host, or both:
-
Scan Source and Destination
Addresses scans the hosts represented by the source IP address and
the destination IP address in the event.
-
Scan Source Address
Only scans the host represented by the event’s source IP address.
-
Scan Destination Address
Only scans the host represented by the event’s destination IP
address.
|
N/A
|
Scan Types
|
Select how Nmap scans ports:
-
The
TCP Syn
scan connects quickly to thousand of ports
without using a complete TCP handshake. This options allows you to scan quickly
in stealth mode on hosts where the
admin account has
raw packet access or where IPv6 is not running, by initiating TCP connections
but not completing them. If a host acknowledges the Syn packet sent in a TCP
Syn scan, Nmap resets the connection.
-
The TCP Connect scan uses the connect() system call to open connections through the operating system on the host. You can use the TCP Connect scan if the admin user on the management center or managed device does not have raw packet privileges on a host or you are scanning IPv6 networks. In other words, use this
option in situations where the TCP Syn scan cannot be used.
-
The
TCP ACK scan
sends an ACK packet to check whether ports are filtered or unfiltered.
-
The
TCP Window scan
works in the same way as a TCP ACK scan but can also determine whether a port
is open or closed.
-
The
TCP Maimon scan
identifies BSD-derived systems using a FIN/ACK probe.
|
TCP Syn:
-sS
TCP Connect:
-sT
TCP ACK:
-sA
TCP Window:
-sW
TCP Maimon:
-sM
|
Scan for UDP ports
|
Enable to scan UDP ports in addition to TCP ports. Note that
scanning UDP ports may be time-consuming, so avoid using this option if you
want to scan quickly.
|
-sU
|
Use Port From Event
|
If you plan to use the remediation as a response in a
correlation policy, enable to cause the remediation to scan only the port
specified in the event that triggers the correlation response.
-
Select
On to scan the
port in the correlation event, rather than the ports you specify during Nmap
remediation configuration. If you scan the port in the correlation event, note
that the remediation scans the port on the IP addresses that you specify during
Nmap remediation configuration. These ports are also added to the remediation’s
dynamic scan target.
-
Select
Off to scan only
the ports you specify Nmap remediation configuration.
You can also control whether Nmap collects information about
operating system and server information. Enable the
Use Port From
Event option to scan the port associated with the new server.
|
N/A
|
Scan from reporting detection engine
|
Enable to scan a host from the appliance where the detection
engine that reported the host resides.
-
To scan from the appliance running the reporting detection
engine, select
On.
-
To scan from the appliance configured in the remediation, select
Off.
|
N/A
|
Fast Port Scan
|
Enable to scan only the TCP ports listed in the
nmap-services file
located in the
/var/sf/nmap/share/nmap/nmap-services directory on the
device that does the scanning, ignoring other port settings. Note that you
cannot use this option with the
Port Ranges and Scan
Order option.
-
To scan only the ports listed in the
nmap-services file
located in the
/var/sf/nmap/share/nmap/nmap-services directory on the
device that does the scanning, ignoring other port settings, select
On.
-
To scan all TCP ports, select
Off.
|
-F
|
Port Ranges and Scan Order
|
Set the specific ports you want to scan, using Nmap port
specification syntax, and the order you want to scan them. Note that you cannot
use this option with the
Fast Port Scan
option.
|
-p
|
Probe open ports for vendor and version information
|
Enable to detect server vendor and version information. If you
probe open ports for server vendor and version information, Nmap obtains server
data that it uses to identify servers. It then replaces the Cisco server data
for that server.
|
-sV
|
Service Version Intensity
|
Select the intensity of Nmap probes for service versions.
-
To use more probes for higher accuracy with a longer scan,
select a higher number.
-
To use fewer probes for less accuracy with a faster scan, select
a lower number.
|
--version-intensity <intensity>
|
Detect Operating System
|
Enable to detect operating system information for the host.
If you configure detection of the operating system for a host,
Nmap scans the host and uses the results to create a rating for each operating
system that reflects the likelihood that the operating system is running on the
host.
|
-o
|
Treat All Hosts As Online
|
Enable to skip the host discovery process and run a port scan on
every host in the target range. Note that when you enable this option, Nmap
ignores settings for
Host Discovery
Method and
Host Discovery Port
List.
-
To skip the host discovery process and run a port scan on every
host in the target range, select
On.
-
To perform host discovery using the settings for
Host Discovery
Method and
Host Discovery Port
List and skip the port scan on any host that is not available,
select
Off.
|
-PN
|
Host Discovery Method
|
Select to perform host discovery for all hosts in the target
range, over the ports listed in the
Host Discovery Port
List, or if no ports are listed, over the default ports for that
host discovery method.
Note that if you also enabled
Treat All Hosts As
Online, however, the
Host Discovery
Method option has no effect and host discovery is not performed.
Select the method to be used when Nmap tests to see if a host is
present and available:
-
The
TCP SYN option
sends an empty TCP packet with the SYN flag set and recognizes the host as
available if a response is received. TCP SYN scans port 80 by default. Note
that TCP SYN scans are less likely to be blocked by a firewall with stateful
firewall rules.
-
The
TCP ACK option
sends an empty TCP packet with the ACK flag set and recognizes the host as
available if a response is received. TCP ACK also scans port 80 by default.
Note that TCP ACK scans are less likely to be blocked by a firewall with
stateless firewall rules.
-
The
UDP option
sends a UDP packet and assumes host availability if a port unreachable response
comes back from a closed port. UDP scans port 40125 by default.
|
TCP SYN:
-PS
TCP ACK:
-PA
UDP:
-PU
|
Host Discovery Port List
|
Specify a customized list of ports, separated by commas, that
you want to scan when doing host discovery.
|
port list for host discovery method
|
Default NSE Scripts
|
Enable to run the default set of Nmap scripts for host discovery
and server and operating system and vulnerability detection. See
https://nmap.org/nsedoc/categories/default.html
for the list of default scripts.
-
To run the default set of Nmap scripts, select
On.
-
To skip the default set of Nmap scripts, select
Off.
|
-sC
|
Timing Template
|
Select the timing of the scan process; the higher the number you
select, the faster and less comprehensive the scan.
|
0:
T0 (paranoid)
1:
T1 (sneaky)
2:
T2 (polite)
3:
T3 (normal)
4:
T4 (aggressive)
5:
T5 (insane)
|