Example: Using Nmap to Respond to New Hosts

This example walks through an Nmap configuration designed to respond to new hosts. For a complete look at Nmap configuration, see Managing Nmap Scanning.

When the system detects a new host in a subnet where intrusions may be likely, you may want to scan that host to make sure you have accurate vulnerability information for it.

You can accomplish this by creating and activating a correlation policy that detects when a new host appears in this subnet, and that launches a remediation that performs an Nmap scan on the host.

To do this, you would:

  1. Configure a scan instance as described in Adding an Nmap Scan Instance.

  2. Create an Nmap remediation using the following settings:

    • Enable Use Port From Event to scan the port associated with the new server.

    • Enable Detect Operating System to detect operating system information for the host.

    • Enable Probe open ports for vendor and version information to detect server vendor and version information.

    • Enable Treat All Hosts as Online, because you know the host exists.

  3. Create a correlation rule that triggers when the system detects a new host on a specific subnet. The rule should trigger when a discovery event occurs and a new host is detected.

  4. Create a correlation policy that contains the correlation rule.

  5. In the correlation policy, add the Nmap remediation you created in step 2 as a response to the rule you created in step 3.

  6. Activate the correlation policy.

  7. When you are notified of a new host, check the host profile to see the results of the Nmap scan and address any vulnerabilities that apply to the host.

After you activate the policy, you can periodically check the remediation status view (Analysis > Correlation > Status) to see when the remediation launched. The remediation’s dynamic scan target should include the IP addresses of the hosts it scanned as a result of the server detection. Check the host profile for those hosts to see if there are vulnerabilities that need to be addressed for the host, based on the operating system and servers detected by Nmap.

Caution

If you have a large or dynamic network, new hosts may be detected too frequently to respond to each one with a scan. To prevent resource overload, avoid using Nmap scans as a response to events that occur frequently. Note also that using Nmap to challenge new hosts for operating system and server information deactivates Cisco monitoring of that data for scanned hosts.
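As an added illustration, not code from Cisco or from the FMC itself, the following Python models what the step 2 remediation settings amount to for a single new-host event and adds the scan throttle that the caution above argues for. The mapping of each setting to an Nmap option (-O, -sV, -Pn), the event format, the watched subnet and the function names are this example's assumptions.

```python
import time
from collections import deque
from ipaddress import ip_address, ip_network

# Step-2 settings (names as on the page). Which Nmap flag each one maps to is
# this example's assumption, not something the page states.
SETTINGS = {
    "use_port_from_event": True,        # scan only the port in the event
    "detect_operating_system": True,    # assumed: nmap -O
    "probe_open_ports_version": True,   # assumed: nmap -sV
    "treat_all_hosts_as_online": True,  # assumed: nmap -Pn
}
WATCHED_SUBNET = ip_network("10.20.30.0/24")  # constructed example subnet
def build_nmap_argv(event, settings=SETTINGS):
    """Nmap argv for one new-host event, or None when the host lies outside
    the watched subnet (the step-3 correlation rule would not fire)."""
    host = ip_address(event["ip"])
    if host not in WATCHED_SUBNET:
        return None
    argv = ["nmap"]
    if settings["treat_all_hosts_as_online"]:
        argv.append("-Pn")
    if settings["detect_operating_system"]:
        argv.append("-O")
    if settings["probe_open_ports_version"]:
        argv.append("-sV")
    if settings["use_port_from_event"] and event.get("port"):
        argv += ["-p", str(event["port"])]
    return argv + [str(host)]
class ScanThrottle:
    """Allow at most `limit` launches per `window` seconds, so a burst of
    new-host events on a busy subnet does not launch a scan for each one."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window, self.launches = limit, window, deque()
    def allow(self, now=None):
        now = time.monotonic() if now is None else now
        while self.launches and now - self.launches[0] > self.window:
            self.launches.popleft()
        if len(self.launches) >= self.limit:
            return False
        self.launches.append(now)
        return True
# Constructed sample events in the shape the correlation rule would supply.
EVENTS = [{"ip": "10.20.30.15", "port": 443},   # in subnet, port known
          {"ip": "10.20.30.16", "port": None},  # in subnet, port unknown
          {"ip": "192.168.1.9", "port": 22}]    # outside subnet: no match

def plan_scans(events, throttle):
    """Commands that would launch now; subprocess.run(argv) would run one."""
    return [a for e in events if (a := build_nmap_argv(e)) and throttle.allow()]
```

Lowering the throttle limit is the programmatic equivalent of the caution's advice: on a noisy subnet most new-host events then fall through without launching a scan.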