Example: Using Nmap to Resolve Unknown Operating Systems
This example walks through an Nmap configuration designed to resolve unknown operating systems. For a complete look at Nmap configuration, see Managing Nmap Scanning.
If the system cannot determine the operating system on a host on your network, you can use Nmap to actively scan the host. Nmap uses the information it obtains from the scan to rate the possible operating systems. It then uses the operating system that has the highest rating as the host operating system identification.
Using Nmap to challenge new hosts for operating system and server information deactivates the system’s monitoring of that data for scanned hosts. If you use Nmap to discover host and server operating system for hosts the system marks as having unknown operating systems, you may be able to identify groups of hosts that are similar. You can then create a custom fingerprint based on one of them to cause the system to associate the fingerprint with the operating system you know is running on the host based on the Nmap scan. Whenever possible, create a custom fingerprint rather than inputting static data through a third-party source like Nmap because the custom fingerprint allows the system to continue to monitor the host operating system and update it as needed.
In this example, you would:

1. Configure a scan instance as described in Adding an Nmap Scan Instance.

2. Create an Nmap remediation using the following settings:
   - Enable Use Port From Event to scan the port associated with the new server.
   - Enable Detect Operating System to detect operating system information for the host.
   - Enable Probe open ports for vendor and version information to detect server vendor and version information.
   - Enable Treat All Hosts as Online, because you know the host exists.

3. Create a correlation rule that triggers when the system detects a host with an unknown operating system. The rule should trigger when a discovery event occurs and the OS information for a host has changed and it meets the following condition: OS Name is unknown.

4. Create a correlation policy that contains the correlation rule.

5. In the correlation policy, add the Nmap remediation you created in step 2 as a response to the rule you created in step 3.

6. Activate the correlation policy.

7. Purge the hosts on the network map to force network discovery to restart and rebuild the network map.

8. After a day or two, search for events generated by the correlation policy. Analyze the Nmap results for the operating systems detected on the hosts to see if there is a particular host configuration on your network that the system does not recognize.

9. If you find hosts with unknown operating systems whose Nmap results are identical, create a custom fingerprint for one of those hosts and use it to identify similar hosts in the future.
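The following is an added example, not part of this documentation or the product's own code. It maps the four remediation settings above to their nmap command-line equivalents and then performs the analysis in the last two steps: parsing Nmap XML output and grouping hosts whose OS-detection results are identical, so that one host per group can be used for a custom fingerprint. The XML, addresses and OS match names are constructed sample data, and the setting names used as dictionary keys are assumptions of this example.

```python
"""Nmap remediation settings -> nmap flags, plus grouping of hosts by
identical OS-detection results (constructed sample data, not a real scan)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Remediation option (key names are this example's own) -> nmap flag
FLAG_FOR_SETTING = {
    "detect_operating_system": "-O",     # Detect Operating System
    "probe_open_ports": "-sV",           # Probe open ports for vendor/version info
    "treat_all_hosts_as_online": "-Pn",  # Treat All Hosts as Online (skip host discovery)
}

def build_nmap_args(settings, target, event_port=None):
    """Return the argv list nmap would be invoked with for a remediation.
    settings: dict option name -> bool; event_port: port taken from the
    triggering event (Use Port From Event), or None for nmap's default ports."""
    args = ["nmap", "-oX", "-"]          # XML output to stdout for parsing
    for name, flag in FLAG_FOR_SETTING.items():
        if settings.get(name):
            args.append(flag)
    if event_port is not None:
        args += ["-p", str(event_port)]
    args.append(target)
    return args

def group_hosts_by_os_result(nmap_xml):
    """Group scanned hosts by the tuple of osmatch names nmap reported.
    Hosts nmap could not fingerprint share the empty-tuple key.
    Returns {(osmatch names...): [sorted addresses]}."""
    groups = defaultdict(list)
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")          # first <address> is the IP
        matches = tuple(m.get("name") for m in host.iter("osmatch"))
        groups[matches].append(addr)
    return {k: sorted(v) for k, v in groups.items()}

# Constructed sample in nmap's -oX format: two hosts with identical OS guesses
SAMPLE_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><os>
  <osmatch name="Embedded Linux 3.x" accuracy="95"/></os></host>
 <host><address addr="10.0.0.9" addrtype="ipv4"/><os>
  <osmatch name="Embedded Linux 3.x" accuracy="95"/></os></host>
 <host><address addr="10.0.0.7" addrtype="ipv4"/><os>
  <osmatch name="Printer firmware" accuracy="88"/></os></host>
</nmaprun>"""

if __name__ == "__main__":
    on = dict.fromkeys(FLAG_FOR_SETTING, True)
    print(" ".join(build_nmap_args(on, "10.0.0.5", event_port=443)))
    for names, hosts in group_hosts_by_os_result(SAMPLE_XML).items():
        print(names, "->", hosts)   # groups of 2+ hosts are fingerprint candidates
```

OS detection (-O) requires raw-packet privileges on the scanning host, so the scan instance runs as root or Administrator.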