Creating a Custom Fingerprint for Servers

Server fingerprints identify operating systems based on the SYN-ACK packet that the host uses to respond to an incoming connection to a running TCP application. Before you begin, you should obtain the following information about the host you want to fingerprint:

  • The number of network hops between the host and the appliance you use to obtain the fingerprint. Cisco strongly recommends that you directly connect an unused interface on the appliance to the same subnet that the host is connected to.

  • The network interface (on the appliance) that is connected to the network where the host resides.

  • The actual operating system vendor, product, and version of the host.

  • An IP address that is not currently in use and is authorized on the network where the host is located.

Tip

If the management center does not have direct contact with monitored hosts, you can specify a managed device that is closest to the host you intend to fingerprint when specifying server fingerprint properties.

Procedure

Step 1

Choose Policies > Network Discovery.

Step 2

Click Custom Operating Systems.

Step 3

Click Create Custom Fingerprint.

Step 4

From the Device list, choose the management center or the managed device that you want to use to collect the fingerprint.

Step 5

Enter a Fingerprint Name.

Step 6

Enter a Fingerprint Description.

Step 7

From the Fingerprint Type list, choose Server to display the server fingerprinting options.

Step 8

In the Target IP Address field, enter an IP address of the host you want to fingerprint.

Note that the fingerprint will only be based on traffic to and from the host IP address you specify, not any of the host’s other IP addresses (if it has any).

Caution

You can capture IPv6 fingerprints only with appliances running Version 5.2 and later.

Step 9

In the Target Distance field, enter the number of network hops between the host and the device that you chose earlier to collect the fingerprint.

Caution

This must be the actual number of physical network hops to the host, which may or may not be the same as the number of hops detected by the system.

Step 10

From the Interface list, choose the network interface that is connected to the network segment where the host resides.

Caution

Cisco recommends that you do not use the sensing interface on a managed device for fingerprinting for several reasons. First, fingerprinting does not work if the sensing interface is on a span port. Also, if you use the sensing interface on a device, the device stops monitoring the network for the amount of time it takes to collect the fingerprint. You can, however, use the management interface or any other available network interfaces to perform fingerprint collection. If you do not know which interface is the sensing interface on your device, refer to the Installation Guide for the specific model you are using to fingerprint.

Step 11

Click Get Active Ports.

Step 12

In the Server Port field, enter the port on the host that you want the device you chose for fingerprint collection to contact, or choose a port from the Get Active Ports drop-down list.

You can use any server port that you know is open on the host (for instance, 80 if the host is running a web server).

Step 13

In the Source IP Address field, enter an IP address that should be used to attempt to communicate with the host.

You should use a source IP address that is authorized for use on the network but is not currently being used, for example, a DHCP pool address that is currently not in use. This prevents you from temporarily knocking another host offline while you create the fingerprint.

You should exclude that IP address from monitoring in your network discovery policy while you create the fingerprint. Otherwise, the network map and discovery event views will be cluttered with inaccurate information about the host represented by that IP address.

Step 14

In the Source Subnet Mask field, enter the subnet mask for the IP address you are using.

Step 15

If the Source Gateway field appears, enter the default gateway IP address that should be used to establish a route to the host.

Step 16

If you want to display custom information in the host profile for fingerprinted hosts or if the fingerprint name you want to use does not exist in the OS Definition section, choose Use Custom OS Display in the Custom OS Display section.

Provide the values you want to appear in host profiles for the following:

  • In the Vendor String field, enter the operating system’s vendor name. For example, the vendor for Microsoft Windows would be Microsoft.

  • In the Product String field, enter the operating system’s product name. For example, the product name for Microsoft Windows 2000 would be Windows.

  • In the Version String field, enter the operating system’s version number. For example, the version number for Microsoft Windows 2000 would be 2000.

Step 17

In the OS Vulnerability Mappings section, choose the operating system, product, and versions you want to use for vulnerability mapping.

You must specify a Vendor and Product name in this section if you want to use the fingerprint to identify vulnerabilities for matching hosts or if you do not assign custom operating system display information.

To map vulnerabilities for all versions of an operating system, specify only the vendor and product name.

Note

Not all options in the Major Version, Minor Version, Revision Version, Build, Patch, and Extension drop-down lists may apply to the operating system you choose. In addition, if no definition appears in a list that matches the operating system you want to fingerprint, you can leave these values empty. Be aware that if you do not create any OS vulnerability mappings in a fingerprint, the system cannot use the fingerprint to assign a vulnerabilities list to hosts identified by the fingerprint.

Example:

If you want your custom fingerprint to assign the list of vulnerabilities from Redhat Linux 9 to matching hosts, choose Redhat, Inc. as the vendor, Redhat Linux as the product, and 9 as the version.

Example:

To add all versions of the Palm OS, you would choose PalmSource, Inc. from the Vendor list, Palm OS from the Product list, and leave all other lists at their default settings.

Step 18

Click Create.

The Custom Fingerprint status page refreshes every ten seconds and should reload with a “Ready” status.

Note

If the target system stops responding during the fingerprinting process, the status shows an ERROR: No Response message. If you see this message, submit the fingerprint again. Wait three to five minutes (the time period may vary depending on the target system), click Edit (edit icon) to access the Custom Fingerprint page, and then click Create.
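The procedure above does not spell out which parts of the SYN-ACK a server fingerprint is built from. The following added example (not Cisco's code) illustrates the idea behind Steps 8 and 9 with the fields that passive fingerprinters commonly use: the reply's TTL normalized by the hop count you enter as Target Distance, the DF bit, the advertised window, and the TCP option layout. The IPv4+TCP SYN-ACK bytes are constructed for this example, and the assumption that a host is 4 hops away is likewise made up.

```python
import struct
from typing import Dict, List

# Constructed sample: an IPv4 + TCP SYN-ACK with no payload, as it might be seen
# on the collecting interface. Observed TTL is 60 and the (hypothetical) host is
# 4 hops away, so the OS's initial TTL should resolve to 64.
SAMPLE_SYN_ACK = bytes.fromhex(
    "4500003c" "00004000" "3c060000" "0a000005" "0a0000c8"   # IPv4 header, DF set
    "00509c40" "00000001" "00000002" "a0127210" "00000000"   # TCP: sport 80, SYN+ACK
    "020405b4" "0402" "080a" "00000001" "00000000" "01" "030307"  # MSS, SACKOK, TS, NOP, WS
)

def parse_tcp_options(raw: bytes) -> List[str]:
    """Walk the TCP option list and return its layout (order matters for the signature)."""
    layout, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL: nothing follows
            layout.append("eol"); break
        if kind == 1:                       # NOP carries no length byte
            layout.append("nop"); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and len(body) == 2:
            layout.append("mss=%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and len(body) == 1:
            layout.append("wscale=%d" % body[0])
        else:
            layout.append({4: "sackok", 8: "ts"}.get(kind, "opt%d" % kind))
        i += length
    return layout

def initial_ttl(observed_ttl: int, hops: int) -> int:
    """Undo the per-hop decrement, then round up to the nearest common OS default.
    This is why Target Distance must be the real hop count: a wrong value shifts
    the TTL into the wrong bucket."""
    at_source = observed_ttl + hops
    for default in (32, 64, 128, 255):
        if at_source <= default:
            return default
    raise ValueError("TTL above 255: Target Distance is too large")

def syn_ack_signature(packet: bytes, hops: int) -> Dict[str, object]:
    """Reduce one SYN-ACK to the fields a server fingerprint is compared on."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("expected an IPv4 packet carrying TCP")
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x12:              # SYN and ACK must both be set
        raise ValueError("not a SYN-ACK")
    return {"initial_ttl": initial_ttl(packet[8], hops), "df": df,
            "window": struct.unpack("!H", tcp[14:16])[0],
            "options": parse_tcp_options(tcp[20:data_offset])}
```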

What to do next