Creating an Nmap Remediation
An Nmap remediation can only be created by adding it to an existing Nmap scan instance. The remediation defines the settings for the scan. It can be used as a response in a correlation policy, run on demand, or run as a scheduled task at a specific time.
Nmap-supplied server and operating system data remains static until you run another Nmap scan. If you plan to scan a host using Nmap, schedule scans regularly so that this data is refreshed. If a host is deleted from the network map, any Nmap scan results for that host are discarded.
For general information about Nmap functionality, refer to the Nmap documentation at http://insecure.org.
Before you begin
- Add an Nmap scan instance.
Procedure
Step 1: Choose .
Step 2: Click View (
Step 3: In the Configured Remediations section, click Add.
Step 4: Enter a Remediation Name.
Step 5: Enter a Description.
Step 6: If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, a connection event, or a user event, configure the Scan Which Address(es) From Event? option.
Step 7: Configure the Scan Type option.
Step 8: Optionally, to scan UDP ports in addition to TCP ports, choose On for the Scan for UDP ports option.
Step 9: If you plan to use this remediation in response to correlation policy violations, configure the Use Port From Event option.
Step 10: If you plan to use this remediation in response to correlation policy violations and want to run the scan using the appliance running the detection engine that detected the event, configure the Scan from reporting detection engine option.
Step 11: Configure the Fast Port Scan option.
Step 12: In the Port Ranges and Scan Order field, enter the ports you want to scan by default, using Nmap port specification syntax, in the order you want to scan those ports. Use the following format:
    Example: U:53,111,T:21-25
Step 13: To probe open ports for server vendor and version information, configure Probe open ports for vendor and version information.
Step 14: If you choose to probe open ports, set the number of probes used by choosing a number from the Service Version Intensity drop-down list.
Step 15: To scan for operating system information, configure Detect Operating System settings.
Step 16: To determine whether host discovery occurs and whether port scans are only run against available hosts, configure Treat All Hosts As Online.
Step 17: To set the method you want Nmap to use when it tests for host availability, choose a method from the Host Discovery Method drop-down list.
Step 18: If you want to scan a custom list of ports during host discovery, enter a list of ports appropriate for the host discovery method you chose, separated by commas, in the Host Discovery Port List field.
Step 19: Configure the Default NSE Scripts option to control whether to use the default set of Nmap scripts for host discovery and server, operating system, and vulnerability discovery.
Step 20: To set the timing of the scan process, choose a timing template number from the Timing Template drop-down list. Choose a higher number for a faster, less comprehensive scan and a lower number for a slower, more comprehensive scan.
Step 21: Click Create. When the system is done creating the remediation, it displays it in edit mode.
Step 22: Click Done to return to the related instance.
Step 23: Click Cancel to return to the instance list.
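
The port list entered in the Port Ranges and Scan Order field can be checked before it is saved. The following is an added example, not code from the product or from Nmap: it parses the syntax shown in the example for that field, keeps the written order, and flags the case where UDP ports are listed so that the Scan for UDP ports option can be cross-checked. The function names are hypothetical, and it assumes only T:/U: qualifiers, single ports and low-high ranges are used.

```python
import re

# Assumption: only the subset of Nmap port syntax seen in the field's example
# is handled: "T:"/"U:" qualifiers, single ports and low-high ranges.
PROTOCOLS = {"T": "tcp", "U": "udp"}
_ITEM = re.compile(r"^(?:([A-Za-z]):)?(\d+)(?:-(\d+))?$")


def parse_port_spec(spec):
    """Return [(protocol, first, last), ...] in the order the ports are written."""
    if not spec or not spec.strip():
        raise ValueError("empty port specification")
    proto = "any"  # ports written before any qualifier are not tied to one protocol
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        match = _ITEM.match(item)
        if match is None:
            raise ValueError(f"cannot parse {item!r}")
        prefix, first, last = match.groups()
        if prefix is not None:
            if prefix not in PROTOCOLS:
                raise ValueError(f"unknown protocol qualifier {prefix!r} in {item!r}")
            proto = PROTOCOLS[prefix]  # a qualifier stays in effect until the next one
        low = int(first)
        high = int(last) if last is not None else low
        if low > high:
            raise ValueError(f"reversed range in {item!r}")
        if high > 65535:
            raise ValueError(f"port above 65535 in {item!r}")
        entries.append((proto, low, high))
    return entries


def needs_udp_scan(entries):
    """True when the list names UDP ports.

    Assumption: as in Nmap itself, U: ports are scanned only when UDP scanning
    is enabled, so the Scan for UDP ports option should then be On.
    """
    return any(proto == "udp" for proto, _, _ in entries)


if __name__ == "__main__":
    parsed = parse_port_spec("U:53,111,T:21-25")  # the example value from Step 12
    print(parsed, needs_udp_scan(parsed))
```
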
