Creating a Custom Fingerprint for Clients

Client fingerprints identify operating systems based on the SYN packet a host sends when it connects to a TCP application running on another host on the network.

If the management center does not have direct contact with monitored hosts, then when you specify the client fingerprint properties you can choose a device that is managed by the management center and is closest to the host you intend to fingerprint.

Before you begin the fingerprinting process, obtain the following information about the host you want to fingerprint:

  • The number of network hops between the host and the management center or the device you use to obtain the fingerprint. (Cisco strongly recommends that you directly connect the management center or the device to the same subnet that the host is connected to.)

  • The network interface (on the management center or the device) that is connected to the network where the host resides.

  • The actual operating system vendor, product, and version of the host.

  • Access to the host in order to generate client traffic.

Procedure


Step 1

Choose Policies > Network Discovery.

Step 2

Click Custom Operating Systems.

Step 3

Click Create Custom Fingerprint.

Step 4

From the Device drop-down list, choose the management center or the device that you want to use to collect the fingerprint.

Step 5

Enter a Fingerprint Name.

Step 6

Enter a Fingerprint Description.

Step 7

From the Fingerprint Type list, choose Client.

Step 8

In the Target IP Address field, enter an IP address of the host you want to fingerprint.

Note that the fingerprint will only be based on traffic to and from the host IP address you specify, not any of the host’s other IP addresses (if it has any).

Step 9

In the Target Distance field, enter the number of network hops between the host and the device that you chose earlier to collect the fingerprint.

Caution

This must be the actual number of physical network hops to the host, which may or may not be the same as the number of hops detected by the system.

Step 10

From the Interface list, choose the network interface that is connected to the network segment where the host resides.

Caution

Cisco recommends that you do not use the sensing interface on a managed device for fingerprinting for several reasons. First, fingerprinting does not work if the sensing interface is on a span port. Also, if you use the sensing interface on a device, the device stops monitoring the network for the amount of time it takes to collect the fingerprint. You can, however, use the management interface or any other available network interfaces to perform fingerprint collection. If you do not know which interface is the sensing interface on your device, refer to the Installation Guide for the specific model you are using to fingerprint.

Step 11

If you want to display custom information in the host profile for fingerprinted hosts (or if the host you want to fingerprint does not reside in the OS Vulnerability Mappings section), choose Use Custom OS Display and provide the values you want to display for the following:

  • In the Vendor String field, enter the operating system’s vendor name. For example, the vendor for Microsoft Windows would be Microsoft.

  • In the Product String field, enter the operating system’s product name. For example, the product name for Microsoft Windows 2000 would be Windows.

  • In the Version String field, enter the operating system’s version number. For example, the version number for Microsoft Windows 2000 would be 2000.

Step 12

In the OS Vulnerability Mappings section, choose the operating system, product, and versions you want to use for vulnerability mapping.

You must specify Vendor and Product values in this section if you want to use the fingerprint to identify vulnerabilities for matching hosts or if you do not assign custom operating system display information.

To map vulnerabilities for all versions of an operating system, specify only the Vendor and Product values.

Note

Not all options in the Major Version, Minor Version, Revision Version, Build, Patch, and Extension drop-down lists may apply to the operating system you choose. In addition, if no definition appears in a list that matches the operating system you want to fingerprint, you can leave these values empty. Be aware that if you do not create any OS vulnerability mappings in a fingerprint, the system cannot use the fingerprint to assign a vulnerabilities list to hosts identified by the fingerprint.

Example:

If you want your custom fingerprint to assign the list of vulnerabilities from Redhat Linux 9 to matching hosts, choose Redhat, Inc. as the vendor, Redhat Linux as the product, and 9 as the major version.

Example:

To add all versions of the Palm OS, you would choose PalmSource, Inc. from the Vendor list, Palm OS from the Product list, and leave all other lists at their default settings.

Step 13

Click Create.

The status briefly shows New, then switches to Pending, where it remains until traffic is seen for the fingerprint. Once traffic is seen, it switches to Ready.

The Custom Fingerprint status page refreshes every ten seconds until it receives data from the host in question.

Step 14

Using the IP address you specified as the target IP address, access the host you are trying to fingerprint and initiate a TCP connection to the appliance.

To create an accurate fingerprint, traffic must be seen by the appliance collecting the fingerprint. If you are connected through a switch, traffic to a system other than the appliance may not be seen by the system.

Example:

Access the web interface of the management center from the host you want to fingerprint or SSH into the management center from the host. If you are using SSH, use the command below, where localIPv6address is the IPv6 address specified in step 7 that is currently assigned to the host and DCmanagementIPv6address is the management IPv6 address of the management center. The Custom Fingerprint page should then reload with a “Ready” status.

ssh -b localIPv6address DCmanagementIPv6address
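
Added example (not part of the Cisco documentation and not Cisco's fingerprinting algorithm): a generic passive-fingerprinting sketch that extracts the OS-revealing fields from a client SYN and shows why the Target Distance from Step 9 has to be the real hop count. It assumes, as passive fingerprinting tools generally do, that the hop count is used to recover the sender's initial TTL; the function name, the chosen fields and the sample IPv4 packet (no link-layer header) are constructed for illustration.

```python
import struct

# TCP option kinds that commonly appear in a SYN
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}

# Constructed sample: SYN to port 22 from a host two router hops away (TTL 62 on arrival)
SAMPLE_SYN = bytes.fromhex(
    "4500003c1c4640003e060000c633640ac0000201"   # IPv4 header, DF set, TTL 62
    "c35000160000000100000000a002faf000000000"   # TCP header, SYN, window 64240
    "020405b40402080a000000010000000001030307"   # mss 1460, sackOK, ts, nop, ws 7
)

def syn_fingerprint(packet: bytes, target_distance: int) -> dict:
    """Extract OS-revealing fields from a raw IPv4 TCP SYN (hypothetical helper)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4 TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if off_flags & 0x12 != 0x02:          # SYN must be set and ACK clear
        raise ValueError("not a client SYN")
    opts = tcp[20:(off_flags >> 12) * 4]  # data offset is in 32-bit words
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPT_NAMES.get(kind, f"?{kind}"))
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP is a single byte with no length
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            wscale = body[0]
        i += length
    # Each router hop decremented the TTL by 1, so add the hops back on.
    return {"initial_ttl": ttl + target_distance, "df": bool(frag & 0x4000),
            "window": window, "mss": mss, "wscale": wscale,
            "options": ",".join(layout)}
```

With the true distance of 2, the sample SYN yields an initial TTL of 64; entering 0 would record 62, and that value would not match the same operating system seen from a different number of hops.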

What to do next