Sourcefire 3D System User Guide Version 5.2


Sourcefire 3D System User Guide

Version 5.2

Terms of Use Applicable to the User Documentation

The legal notices, disclaimers, terms of use, and other information contained herein (the "terms") apply only to the information discussed in this documentation (the "Documentation") and your use of it. These terms do not apply to or govern the use of websites controlled by Sourcefire, Inc. or its subsidiaries (collectively, "Sourcefire") or any Sourcefire-provided products. Sourcefire products are available for purchase and subject to a separate license agreement and/or terms of use containing very different terms and conditions.

Terms of Use and Copyright and Trademark Notices

The copyright in the Documentation is owned by Sourcefire and is protected by copyright and other intellectual property laws of the United States and other countries. You may use, print out, save on a retrieval system, and otherwise copy and distribute the Documentation solely for non-commercial use, provided that you (i) do not modify the Documentation in any way and (ii) always include Sourcefire's copyright, trademark, and other proprietary notices, as well as a link to, or print out of, the full contents of this page and its terms.

No part of the Documentation may be used in a compilation or otherwise incorporated into another work or with or into any other documentation or user manuals, or be used to create derivative works, without the express prior written permission of Sourcefire. Sourcefire reserves the right to change the terms at any time, and your continued use of the Documentation shall be deemed an acceptance of those terms.

Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT, and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

2004 - 2013 Sourcefire, Inc. All rights reserved.

Disclaimers

THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. SOURCEFIRE MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME. SOURCEFIRE MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF ANY SOURCEFIRE-CONTROLLED WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION. SOURCEFIRE-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE PROVIDED "AS IS" AND SOURCEFIRE DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY RELATED TO SOURCEFIRE-CONTROLLED WEBSITES OR THE DOCUMENTATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTIOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF SOURCEFIRE IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

The Documentation may contain "links" to websites that are not created by, or under the control of Sourcefire. Sourcefire provides such links solely for your convenience, and assumes no responsibility for the availability or content of such other sites.

2013-Jul-12 11:18

Table of Contents

Chapter 1: Introduction to the Sourcefire 3D System .... 36
  Sourcefire 3D System Appliances .... 37
    Defense Centers .... 37
    Managed Devices .... 38
    Understanding Appliance Series, Models, and Capabilities .... 38
  Sourcefire 3D System Components .... 43
    Redundancy and Resource Sharing .... 43
    Network Traffic Management .... 44
    FireSIGHT .... 45
    Access Control .... 45
    Intrusion Detection and Prevention .... 46
    File Tracking, Control, and Malware Protection .... 46
    Application Programming Interfaces .... 48
  Security, Internet Access, and Communication Ports .... 49
    Internet Access Requirements .... 49
    Open Communication Ports Requirements .... 50
  Documentation Resources .... 52
  Documentation Conventions .... 53
    License Conventions .... 53
    Supported Device and Defense Center Conventions .... 54
    Access Conventions .... 55
  IP Address Conventions .... 56
  Logging into the Appliance .... 56
  Logging into the Appliance to Set Up an Account .... 59

Version 5.2 Sourcefire 3D System User Guide 3

  Logging Out of the Appliance .... 60

  Using the Context Menu .... 61

Chapter 2: Using Dashboards .... 64
  Understanding Dashboard Widgets .... 68
    Understanding Widget Availability .... 69
    Understanding Widget Preferences .... 71
  Understanding the Predefined Widgets .... 72
    Understanding the Appliance Information Widget .... 73
    Understanding the Appliance Status Widget .... 74
    Understanding the Correlation Events Widget .... 75
    Understanding the Current Interface Status Widget .... 75
    Understanding the Current Sessions Widget .... 76
    Understanding the Custom Analysis Widget .... 77
    Understanding the Disk Usage Widget .... 94
    Understanding the Interface Traffic Widget .... 95
    Understanding the Intrusion Events Widget .... 95
    Understanding the Network Compliance Widget .... 97
    Understanding the Product Licensing Widget .... 99
    Understanding the Product Updates Widget .... 99
    Understanding the RSS Feed Widget .... 101
    Understanding the System Load Widget .... 102
    Understanding the System Time Widget .... 102
    Understanding the White List Events Widget .... 103
  Working with Dashboards .... 104
    Creating a Custom Dashboard .... 104
    Viewing Dashboards .... 107
    Modifying Dashboards .... 109
    Deleting a Dashboard .... 114

Chapter 3: Using the Context Explorer .... 115
  Understanding the Context Explorer .... 116
    Understanding the Traffic and Intrusion Event Counts Time Graph .... 117
    Understanding the Network Information Section .... 118
    Understanding the Application Information Section .... 124
    Understanding the Intrusion Information Section .... 129
    Understanding the Files Information Section .... 133
    Understanding the Geolocation Information Section .... 138
    Understanding the URL Information Section .... 141
    Refreshing the Context Explorer .... 144
    Setting the Context Explorer Time Range .... 145
    Minimizing and Maximizing Context Explorer Sections .... 145
    Drilling Down on Context Explorer Data .... 146

  Working with Filters in the Context Explorer .... 148
    Adding and Applying Filters .... 149
    Creating Filters with the Context Menu .... 153
    Bookmarking Filters .... 154

Chapter 4: Using Objects and Security Zones .... 155
  Using the Object Manager .... 156
    Grouping Objects .... 156
    Browsing, Sorting, and Filtering Objects .... 158
  Working with Network Objects .... 158
  Working with Security Intelligence Lists and Feeds .... 159
    Working with the Global Whitelist and Blacklist .... 163
    Working with the Sourcefire Intelligence Feed .... 164
    Working with Custom Security Intelligence Feeds .... 165
    Manually Updating Security Intelligence Feeds .... 167
    Working with Custom Security Intelligence Lists .... 167
  Working with Port Objects .... 170
  Working with VLAN Tag Objects .... 171
  Working with URL Objects .... 172
  Working with Application Filters .... 173
  Working with the Global Malware Whitelist .... 177
    Adding a File to the Whitelist from the Event View .... 178
    Adding a File to the Whitelist by Uploading the File .... 179
    Adding a File to the Whitelist Using the SHA-256 Value .... 181
    Modifying Files on the Global Malware List .... 182
  Working with Security Zones .... 184

Chapter 5: Managing Devices .... 187
  Management Concepts .... 188
    What Can Be Managed by a Defense Center? .... 188
    Beyond Policies and Events .... 189
    Using Redundant Defense Centers .... 190
  Working in NAT Environments .... 190
  Configuring High Availability .... 191
    Using High Availability .... 192
    Guidelines for Implementing High Availability .... 196
    Setting Up High Availability .... 197
    Monitoring and Changing High Availability Status .... 199
    Disabling High Availability and Unregistering Devices .... 201

    Pausing Communication Between Paired Defense Centers .... 202
    Restarting Communication Between Paired Defense Centers .... 202
  Working with Devices .... 203
    Understanding the Device Management Page .... 203
    Adding Devices to the Defense Center .... 205
    Applying Changes to Devices .... 208
    Using the Device Management Revision Comparison Report .... 209
    Deleting Devices .... 209
  Configuring Remote Management .... 210
    Editing Remote Management .... 213
    Changing the Management Port .... 214
  Managing Device Groups .... 214
    Adding Device Groups .... 215
    Editing Device Groups .... 215
    Deleting Device Groups .... 216
  Clustering Devices .... 217
    Establishing Device Clusters .... 220
    Editing Device Clusters .... 221
    Configuring Individual Devices in a Cluster .... 222
    Configuring Individual Device Stacks in a Cluster .... 223
    Configuring Interfaces on a Clustered Device .... 224
    Switching the Active Peer in a Cluster .... 225
    Placing a Clustered Device into Maintenance Mode .... 226
    Replacing a Device in a Clustered Stack .... 226
    Establishing Clustered State Sharing .... 227
    Troubleshooting Clustered State Sharing .... 230
    Separating Clustered Devices .... 233
  Managing Stacked Devices .... 234
    Establishing Device Stacks .... 236
    Editing Device Stacks .... 238
    Configuring Individual Devices in a Stack .... 239
    Configuring Interfaces on a Stacked Device .... 240
    Separating Stacked Devices .... 240
  Editing Device Configuration .... 241
    Editing Assigned Device Names .... 241
    Enabling and Disabling Device Licenses .... 243
    Editing Device System Settings .... 244
    Viewing the Health of a Device .... 245
    Editing Device Management Settings .... 246
    Understanding Advanced Device Settings .... 247
    Editing Advanced Device Settings .... 248
    Configuring Fast-Path Rules .... 250
  Configuring Interfaces .... 255
    Configuring the Management Interface .... 257
    Configuring HA Link Interfaces .... 259
    Configuring the Interface MTU .... 260

    Disabling Interfaces .... 261
    Preventing Duplicate Connection Logging .... 262

Chapter 6: Setting Up an IPS Device .... 263
  Understanding Passive IPS Deployments .... 263
  Configuring Passive Interfaces .... 264
  Understanding Inline IPS Deployments .... 266
  Configuring Inline Interfaces .... 266
  Configuring Inline Sets .... 268
    Viewing Inline Sets .... 268
    Adding Inline Sets .... 268
    Configuring Advanced Inline Set Options .... 272
    Deleting Inline Sets .... 276

Chapter 7: Setting Up Virtual Switches .... 278
  Configuring Switched Interfaces .... 279
    Configuring Physical Switched Interfaces .... 280
    Adding Logical Switched Interfaces .... 282
    Deleting Logical Switched Interfaces .... 284
  Configuring Virtual Switches .... 285
    Viewing Virtual Switches .... 285
    Adding Virtual Switches .... 286
    Configuring Advanced Virtual Switch Settings .... 288
    Deleting Virtual Switches .... 291

Chapter 8: Setting Up Virtual Routers .... 292
  Configuring Routed Interfaces .... 293
    Configuring Physical Routed Interfaces .... 293
    Adding Logical Routed Interfaces .... 297
    Deleting Logical Routed Interfaces .... 301
    Configuring SFRP .... 301
  Configuring Virtual Routers .... 303
    Viewing Virtual Routers .... 304
    Adding Virtual Routers .... 304
    Setting up DHCP Relay .... 307
    Setting up Static Routes .... 310
    Setting up Dynamic Routing .... 313
    Setting up RIP Configuration .... 313
    Setting Up OSPF Configuration .... 320
    Setting up Virtual Router Filters .... 332
    Adding Virtual Router Authentication Profiles .... 336
    Viewing Virtual Router Statistics .... 337
    Deleting Virtual Routers .... 338

  Configuring NAT on a Virtual Router .... 338
    Understanding the NAT Entry List .... 340
    Adding NAT Entries .... 341
    Deleting NAT Entries .... 347

Chapter 9: Setting Up Hybrid Interfaces .... 349
  Adding Logical Hybrid Interfaces .... 349
    Deleting Logical Hybrid Interfaces .... 353

Chapter 10: Using Gateway VPN .... 355
  Understanding IPSec .... 356
    Understanding IKE .... 356
  Understanding VPN Deployments .... 357
    Understanding Point-to-Point VPN Deployments .... 357
    Understanding Star VPN Deployments .... 357
    Understanding Mesh VPN Deployments .... 358
  Managing VPN Deployments .... 359
    Configuring VPN Deployments .... 360
    Configuring Advanced VPN Deployment Settings .... 371
    Applying a VPN Deployment .... 374
    Viewing VPN Deployment Status .... 374
    Viewing VPN Statistics and Logs .... 375
    Using the VPN Deployment Comparison View .... 378

Chapter 11: Using NAT Policies .... 380
  Planning and Implementing a NAT Policy .... 381
  Configuring NAT Policies .... 382
    Managing NAT Policy Targets .... 383
  Organizing Rules in a NAT Policy .... 385
    Working with NAT Rule Warnings and Errors .... 387
  Managing NAT Policies .... 388
    Creating a NAT Policy .... 389
    Editing a NAT Policy .... 390
    Copying a NAT Policy .... 392
    Viewing a NAT Policy Report .... 392
    Comparing Two NAT Policies .... 393
    Applying a NAT Policy .... 398
  Creating and Editing NAT Rules .... 401
  Understanding NAT Rule Types .... 403

  Understanding NAT Rule Conditions and Condition Mechanics .... 406
    Understanding NAT Rule Conditions .... 407
    Adding Conditions to NAT Rules .... 408
    Searching NAT Rule Condition Lists .... 410
    Adding Literal Conditions to NAT Rules .... 411
    Using Objects in NAT Rule Conditions .... 412
  Working with Different Types of Conditions in NAT Rules .... 412
    Adding Zone Conditions to NAT Rules .... 412
    Adding Source Network Conditions to Dynamic NAT Rules .... 415
    Adding Destination Network Conditions to NAT Rules .... 416
    Adding Port Conditions to NAT Rules .... 418

Chapter 12: Using Access Control Policies .... 421
  Configuring Policies .... 423
    Setting the Default Action .... 425
    Logging Connections for the Default Action .... 428
    Using Custom User Roles with Access Control Policies .... 430
    Managing Policy Targets .... 431
    Adding an HTTP Response Page .... 433
    Filtering Traffic Based on Security Intelligence Data .... 435
    Configuring Advanced Access Control Policy Settings .... 444
  Organizing Rules in a Policy .... 446
    Working with Rule Categories .... 448
    Searching for Rules .... 450
    Filtering Rules by Device .... 451
    Working with Warnings and Errors .... 452
  Managing Access Control Policies .... 453
    Creating an Access Control Policy .... 455
    Editing an Access Control Policy .... 456
    Copying an Access Control Policy .... 457
    Viewing an Access Control Policy Report .... 458
    Comparing Two Access Control Policies .... 459
    Applying an Access Control Policy .... 463

Chapter 13: Understanding and Writing Access Control Rules .... 469
  Creating and Editing Access Control Rules .... 471
  Understanding Rule Actions .... 475
  Understanding Rule Conditions and Condition Mechanics .... 479
    Understanding Rule Conditions .... 480
    Adding Rule Conditions .... 482
    Searching Condition Lists .... 486

    Adding Literal Conditions..................................................................... 487Using Objects in Conditions ................................................................ 488

  • Table of ContentsWorking with Different Types of Conditions ..................................................... 488Adding Zone Conditions....................................................................... 489Adding Network Conditions................................................................. 490Adding VLAN Tag Conditions ............................................................... 492Adding User Conditions ....................................................................... 494Working with Application Conditions ................................................... 495Adding Port Conditions ........................................................................ 501Adding URL Conditions........................................................................ 503

    Performing File and Intrusion Inspection on Allowed Traffic ............................. 508

    Logging Connection, File, and Malware Information ........................................ 512

    Adding Comments to a Rule............................................................................. 518

    Chapter 14: Configuring External Alerting................................................. 521Working with Alert Responses ......................................................................... 523

    Creating an Email Alert Response ....................................................... 524Creating an SNMP Alert Response...................................................... 525Creating a Syslog Alert Response........................................................ 527Modifying an Alert Response .............................................................. 531Deleting an Alert Response ................................................................. 531Enabling and Disabling Alert Responses ............................................. 531

    Configuring Impact Flag Alerting ...................................................................... 532

    Configuring Discovery Event Alerting ............................................................... 533

    Configuring Advanced Malware Protection Alerting ......................................... 534

    Chapter 15: Working With Connection Data............................................. 536Understanding Connection Data....................................................................... 537

    Understanding Connection Summaries ............................................... 539
    Connection Data Fields........................................................................ 540
    Information Available in Connection Events......................................... 547
    Uses for Connection Data in the Sourcefire 3D System...................... 551

    Viewing Connection Data Graphs and Tables ................................................... 552

    Working with Connection Graphs..................................................................... 552
    Changing the Graph Type..................................................................... 554
    Selecting Datasets............................................................................... 557
    Viewing Information About Aggregated Connection Data ................... 560
    Manipulating a Connection Graph on a Workflow Page....................... 560
    Drilling Down Through Connection Data Graphs ................................. 561
    Recentering and Zooming on Line Graphs .......................................... 562
    Selecting Data to Graph....................................................................... 562
    Detaching Connection Graphs ............................................................. 566
    Version 5.2 Sourcefire 3D System User Guide 10

    Exporting Connection Data .................................................................. 566

    Working with Connection Data Tables.............................................................. 567
    Working with Connection Events Associated with Monitor Rules ...... 568
    Viewing Files Detected in a Connection .............................................. 569
    Viewing Intrusion Events Associated with a Connection..................... 571

    Searching for Connection Data ......................................................................... 572

    Viewing the Connection Summary Page .......................................................... 575

    Chapter 16: Introduction to Sourcefire Intrusion Prevention ................ 578
    Understanding How Traffic Is Analyzed ............................................................ 580

    Capturing and Decoding Packets ......................................................... 581
    Processing Packets .............................................................................. 582
    Generating Events ............................................................................... 583

    Analyzing Intrusion Event Data ......................................................................... 584

    Using Intrusion Event Responses..................................................................... 585

    Understanding Intrusion Prevention Deployments ........................................... 585

    The Benefits of Custom Intrusion Policies........................................................ 588

    Chapter 17: Working with Intrusion Events............................................... 590
    Viewing Intrusion Event Statistics .................................................................... 592

    Host Statistics...................................................................................... 593
    Event Overview ................................................................................... 594
    Event Statistics .................................................................................... 595

    Viewing Intrusion Event Performance............................................................... 595
    Generating Intrusion Event Performance Statistics Graphs................. 596

    Viewing Intrusion Event Graphs........................................................................ 598

    Viewing Intrusion Events .................................................................................. 599
    Understanding Intrusion Events .......................................................... 601
    Viewing Connection Data Associated with Intrusion Events ............... 607
    Reviewing Intrusion Events ................................................................. 608

    Understanding Workflow Pages for Intrusion Events ....................................... 609

    Using Drill-Down and Table View Pages ........................................................... 613

    Using the Packet View ...................................................................................... 619
    Viewing Event Information................................................................... 622
    Viewing Frame Information.................................................................. 631
    Viewing Data Link Layer Information ................................................... 632
    Viewing Network Layer Information .................................................... 633
    Viewing Transport Layer Information ................................................... 635
    Viewing Packet Byte Information ......................................................... 638

    Using Impact Flags to Evaluate Events ............................................................ 638

    Searching for Intrusion Events .......................................................................... 641

    Using the Clipboard .......................................................................................... 649
    Generating Clipboard Reports.............................................................. 649
    Deleting Events from the Clipboard..................................................... 651

    Chapter 18: Handling Incidents................................................................... 653
    Incident Handling Basics................................................................................... 654

    Definition of an Incident....................................................................... 654
    Common Incident Handling Processes................................................ 654
    Incident Types in the Sourcefire 3D System........................................ 657

    Creating an Incident.......................................................................................... 658

    Editing an Incident ............................................................................................ 660

    Generating Incident Reports............................................................................. 661

    Creating Custom Incident Types....................................................................... 662

    Chapter 19: Configuring Intrusion Policies ............................................... 664
    Planning and Implementing an Intrusion Policy ................................................ 665

    Managing Intrusion Policies .............................................................................. 667
    Creating an Intrusion Policy ................................................................. 669
    Editing an Intrusion Policy.................................................................... 672
    Using the Navigation Panel .................................................................. 675
    Committing Intrusion Policy Changes .................................................. 676
    Reapplying an Intrusion Policy ............................................................. 677
    Viewing an Intrusion Policy Report ...................................................... 679
    Comparing Two Intrusion Policies ........................................................ 682

    Setting Drop Behavior in an Inline Deployment ................................................ 686

    Understanding the Base Policy ......................................................................... 688
    Using Default Intrusion Policies ........................................................... 689
    Using a Custom Base Policy ................................................................ 690
    Allowing Rule Updates to Modify the Base Policy............................... 691
    Selecting the Base Policy..................................................................... 692
    Accepting Rule Setting Changes from a Custom Base Policy ............. 693

    Managing Variables........................................................................................... 695
    Understanding Existing Variables......................................................... 696
    Modifying Variables.............................................................................. 698
    Creating New Variables........................................................................ 700
    Deleting Unused Variables................................................................... 706
    Understanding Custom Variables......................................................... 707

    Defining IP Addresses and Ports for Your Network .......................................... 708
    Defining IP Addresses in Variables and Rules...................................... 710
    Defining Ports in Variables and Rules .................................................. 712

    Chapter 20: Managing Rules in an Intrusion Policy ................................ 714
    Understanding Intrusion Prevention Rule Types ............................................... 715

    Viewing Rules in an Intrusion Policy ................................................................. 716
    Sorting the Rule Display....................................................................... 719
    Viewing Rule Details ............................................................................ 720

    Filtering Rules in an Intrusion Policy ................................................................. 726
    Understanding Rule Filtering in an Intrusion Policy.............................. 727
    Setting a Rule Filter in an Intrusion Policy ............................................ 738

    Setting Rule States ........................................................................................... 740

    Filtering Intrusion Event Notification Per Policy ................................................ 743
    Configuring Event Thresholding........................................................... 744
    Configuring Suppression Per Intrusion Policy ...................................... 750

    Adding Dynamic Rule States ............................................................................ 753
    Understanding Dynamic Rule States ................................................... 754
    Setting a Dynamic Rule State .............................................................. 755

    Adding Alerts .................................................................................................... 758
    Adding SNMP Alerts............................................................................ 758

    Adding Rule Comments.................................................................................... 759

    Managing FireSIGHT Rule State Recommendations ........................................ 761
    Understanding Basic Rule State Recommendations ........................... 762
    Understanding Advanced Rule State Recommendations .................... 763
    Using FireSIGHT Recommendations ................................................... 765

    Chapter 21: Using Advanced Settings in an Intrusion Policy ................ 770
    Modifying Advanced Settings ........................................................................... 771

    Understanding Preprocessors .......................................................................... 777
    Meeting Traffic Challenges with Preprocessors .................................. 778
    Understanding Preprocessor Execution Order .................................... 779
    Reading Preprocessor Events.............................................................. 781

    Automatically Enabling Advanced Settings ....................................................... 784

    Understanding Troubleshooting Options .......................................................... 787

    Chapter 22: Using Layers in an Intrusion Policy ...................................... 789
    Understanding Intrusion Policy Layers.............................................................. 789

    Sharing Layers ..................................................................................... 791
    Using Rules in Layers .......................................................................... 792
    Removing Multi-Layer Rule Settings.................................................... 794
    Using the FireSIGHT Recommendations Layer ................................... 796

    Using Layers with Advanced Settings ................................................. 797

    Configuring User Layers ................................................................................... 800

    Chapter 23: Using Application Layer Preprocessors .............................. 806
    Decoding DCE/RPC Traffic ................................................................................ 807

    Selecting Global DCE/RPC Options ..................................................... 808
    Understanding Target-Based DCE/RPC Server Policies....................... 810
    Understanding DCE/RPC Transports.................................................... 811
    Selecting DCE/RPC Target-Based Policy Options ................................ 815
    Configuring the DCE/RPC Preprocessor.............................................. 818

    Detecting Exploits in DNS Name Server Responses........................................ 824
    Understanding DNS Preprocessor Resource Record Inspection......... 824
    Detecting Overflow Attempts in RData Text Fields ............................. 826
    Detecting Obsolete DNS Resource Record Types............................... 826
    Detecting Experimental DNS Resource Record Types ........................ 827
    Configuring the DNS Preprocessor...................................................... 827

    Decoding FTP and Telnet Traffic........................................................................ 829
    Understanding Global FTP and Telnet Options .................................... 829
    Configuring Global FTP/Telnet Options ................................................ 830
    Understanding Telnet Options ............................................................. 832
    Configuring Telnet Options .................................................................. 833
    Understanding Server-Level FTP Options ............................................ 835
    Configuring Server-Level FTP Options ................................................. 839
    Understanding Client-Level FTP Options ............................................. 843
    Configuring Client-Level FTP Options .................................................. 844

    Decoding HTTP Traffic ...................................................................................... 847
    Selecting Global HTTP Normalization Options ..................................... 848
    Configuring Global HTTP Configuration Options.................................. 850
    Selecting Server-Level HTTP Normalization Options ........................... 851
    Selecting Server-Level HTTP Normalization Encoding Options............ 859
    Configuring HTTP Server Options........................................................ 862
    Enabling Additional HTTP Inspect Preprocessor Rules ........................ 865

    Using the Sun RPC Preprocessor ..................................................................... 866
    Configuring the Sun RPC Preprocessor............................................... 867

    Decoding the Session Initiation Protocol .......................................................... 869
    Selecting SIP Preprocessor Options.................................................... 870
    Configuring the SIP Preprocessor........................................................ 872
    Enabling Additional SIP Preprocessor Rules ........................................ 873

    Configuring the GTP Command Channel.......................................................... 875

    Decoding IMAP Traffic ...................................................................................... 877
    Selecting IMAP Preprocessor Options ................................................ 878
    Configuring the IMAP Preprocessor .................................................... 879
    Enabling Additional IMAP Preprocessor Rules .................................... 881

    Decoding POP Traffic ........................................................................................ 881
    Selecting POP Preprocessor Options .................................................. 882

    Configuring the POP Preprocessor...................................................... 884
    Enabling Additional POP Preprocessor Rules ...................................... 886

    Decoding SMTP Traffic ..................................................................................... 886
    Understanding SMTP Decoding .......................................................... 887
    Configuring SMTP Decoding ............................................................... 892
    Enabling SMTP Maximum Decoding Memory Alerting....................... 896

    Detecting Exploits Using the SSH Preprocessor .............................................. 896
    Selecting SSH Preprocessor Options .................................................. 898
    Configuring the SSH Preprocessor ...................................................... 900

    Using the SSL Preprocessor............................................................................. 902
    Understanding SSL Preprocessing ...................................................... 902
    Enabling SSL Preprocessor Rules........................................................ 904
    Configuring the SSL Preprocessor....................................................... 904

    Working with SCADA Preprocessors................................................................ 906
    Configuring the Modbus Preprocessor................................................ 906
    Configuring the DNP3 Preprocessor.................................................... 908

    Chapter 24: Using Transport & Network Layer Preprocessors ............. 912
    Verifying Checksums ........................................................................................ 912

    Ignoring VLAN Headers .................................................................................... 914

    Normalizing Inline Traffic ................................................................................... 915
    Understanding Protocol Normalization ................................................ 916
    Configuring Inline Normalization .......................................................... 919

    Defragmenting IP Packets ................................................................................ 924
    Understanding IP Fragmentation Exploits ........................................... 925
    Target-Based Defragmentation Policies ............................................... 926
    Selecting Defragmentation Options .................................................... 927
    Configuring IP Defragmentation .......................................................... 929

    Understanding Packet Decoding....................................................................... 931
    Configuring Packet Decoding............................................................... 935

    Using TCP Stream Preprocessing..................................................................... 937
    Understanding State-Related TCP Exploits.......................................... 938
    Initiating Active Responses with Drop Rules ....................................... 938
    Selecting TCP Global Options.............................................................. 940
    Understanding Target-Based TCP Policies ........................................... 940
    Selecting TCP Policy Options............................................................... 942
    Reassembling TCP Streams ................................................................ 946
    Configuring TCP Stream Preprocessing .............................................. 949

    Using UDP Stream Preprocessing.................................................................... 953
    Configuring UDP Stream Preprocessing.............................................. 954

    Chapter 25: Detecting Specific Threats .................................................... 956

    Detecting Back Orifice ...................................................................................... 956

    Detecting Portscans.......................................................................................... 958
    Configuring Portscan Detection ........................................................... 962
    Understanding Portscan Events........................................................... 965

    Preventing Rate-Based Attacks......................................................................... 968
    Understanding Rate-Based Attack Prevention ..................................... 968
    Rate-Based Attack Prevention and Other Filters.................................. 971
    Configuring Rate-Based Attack Prevention .......................................... 978

    Detecting Sensitive Data .................................................................................. 980
    Deploying Sensitive Data Detection .................................................... 982
    Selecting Global Sensitive Data Detection Options............................. 982
    Selecting Individual Data Type Options................................................ 984
    Using Predefined Data Types............................................................... 985
    Configuring Sensitive Data Detection.................................................. 986
    Selecting Application Protocols to Monitor.......................................... 990
    Special Case: Detecting Sensitive Data in FTP Traffic ......................... 992
    Using Custom Data Types ................................................................... 993

    Chapter 26: Using Adaptive Profiles ........................................................ 1000
    Understanding Adaptive Profiles .................................................................... 1001

    Using Adaptive Profiles with Preprocessors...................................... 1001
    Adaptive Profiles and FireSIGHT Recommended Rules..................... 1002

    Configuring Adaptive Profiles.......................................................................... 1003

    Chapter 27: Using Global Rule Thresholding .......................................... 1006
    Understanding Thresholding........................................................................... 1006

    Understanding Thresholding Options ................................................ 1007

    Configuring Global Thresholds........................................................................ 1009
    Disabling the Global Threshold ........................................................... 1011

    Chapter 28: Using Performance Settings in an Intrusion Policy ......... 1012
    Event Queue Configuration ............................................................................. 1013

    Understanding Packet Latency Thresholding................................................... 1014
    Setting Packet Latency Thresholding Options .................................... 1016
    Configuring Packet Latency Thresholding........................................... 1017

    Understanding Rule Latency Thresholding ...................................................... 1018
    Setting Rule Latency Thresholding Options....................................... 1021
    Configuring Rule Latency Thresholding ............................................. 1022

    Performance Statistics Configuration ............................................................. 1023

    Constraining Regular Expressions .................................................................. 1025

    Rule Processing Configuration........................................................................ 1027

    Chapter 29: Configuring External Responses to Intrusion Events....... 1030
    Using SNMP Responses ................................................................................ 1031

    Configuring SNMP Responses .......................................................... 1034

    Using Syslog Responses ................................................................................ 1035
    Configuring Syslog Responses .......................................................... 1037

    Understanding Email Alerting ......................................................................... 1039
    Configuring Email Alerting ................................................................. 1041

    Chapter 30: Understanding and Writing Intrusion Rules ...................... 1043
    Understanding Rule Anatomy......................................................................... 1044

    Understanding Rule Headers.......................................................................... 1046
    Specifying Rule Actions ..................................................................... 1047
    Specifying Protocols .......................................................................... 1048
    Specifying Source and Destination IP Addresses.............................. 1048
    Specifying Source and Destination Ports........................................... 1050
    Specifying Direction........................................................................... 1052

    Understanding Keywords and Arguments in Rules ........................................ 1052
    Defining Intrusion Event Details ........................................................ 1054
    Searching for Content Matches ......................................................... 1060
    Constraining Content Matches .......................................................... 1062
    Replacing Content in Inline Deployments.......................................... 1075
    Using Byte_Jump and Byte_Test ....................................................... 1076
    Searching for Content Using PCRE.................................................... 1083
    Adding Metadata to a Rule ................................................................ 1093
    Inspecting IP Header Values .............................................................. 1098
    Inspecting ICMP Header Values ......................................................... 1101
    Inspecting TCP Header Values and Stream Size................................. 1103
    Enabling and Disabling TCP Stream Reassembly ............................... 1109
    Extracting SSL Information from a Session ........................................ 1110
    Inspecting Application Layer Protocol Values ..................................... 1113
    Inspecting Packet Characteristics ...................................................... 1150
    Reading Packet Data into Keyword Arguments ................................. 1153
    Initiating Active Responses with Rule Keywords............................... 1157
    Filtering Events .................................................................................. 1162
    Evaluating Post-Attack Traffic ............................................................. 1163
    Detecting Attacks That Span Multiple Packets .................................. 1165
    Generating Events on the HTTP Encoding Type and Location ............ 1172
    Pointing to a Specific Payload Type..................................................... 1174
    Pointing to the Beginning of the Packet Payload................................. 1175
    Decoding and Inspecting Base64 Data............................................... 1176

    Constructing a Rule ......................................................................................... 1178
    Writing New Rules.............................................................................. 1179
    Modifying Existing Rules ................................................................... 1181
    Adding Comments to Rules............................................................... 1184
    Deleting Custom Rules...................................................................... 1185

    Searching for Rules......................................................................................... 1186

    Filtering Rules on the Rule Editor Page .......................................................... 1189
    Using Keywords in a Rule Filter ......................................................... 1189
    Using Character Strings in a Rule Filter ............................................. 1191
    Combining Keywords and Character Strings in a Rule Filter.............. 1192
    Filtering Rules .................................................................................... 1192

    Chapter 31: Working with Malware Protection and File Control......... 1194
    Understanding Malware Protection and File Control ...................................... 1196

    Configuring Malware Protection and File Control .............................. 1198
    Logging Events Based on Malware Protection and File Control ........ 1199
    Integrating FireAMP with the Sourcefire 3D System ........................ 1199
    Network-Based AMP vs Endpoint-Based FireAMP ........................... 1201

    Understanding and Creating File Policies ....................................................... 1203
    Creating a File Policy.......................................................................... 1210
    Working with File Rules ..................................................................... 1211
    Comparing Two File Policies .............................................................. 1214

    Working with Sourcefire Cloud Connections for FireAMP.............................. 1216
    Creating a Sourcefire Cloud Connection............................................ 1217
    Deleting or Disabling a Sourcefire Cloud Connection ........................ 1218

    Working with File Events ................................................................................ 1219
    Viewing File Events............................................................................ 1220
    Understanding the File Events Table ................................................. 1221
    Searching for File Events ................................................................... 1224

    Working with Malware Events........................................................................ 1226
    Viewing Malware Events ................................................................... 1229
    Understanding the Malware Events Table ......................................... 1230
    Searching for Malware Events ........................................................... 1236

    Working with Network File Trajectory............................................................. 1238
    Reviewing Network File Trajectory .................................................... 1239
    Analyzing Network File Trajectory...................................................... 1241

    Chapter 32: Introduction to Network Discovery .................................... 1247
    Understanding Discovery Data Collection ...................................................... 1248

    Understanding Host Data Collection ................................................. 1249
    Understanding User Data Collection ................................................. 1249
    Understanding Application Detection ................................................ 1260
    Importing Third-Party Discovery Data ................................................ 1266
    Uses for Discovery Data .................................................................... 1267

    Understanding NetFlow.................................................................................. 1268
        Differences Between NetFlow and FireSIGHT Data .......................... 1269
        Preparing to Analyze NetFlow Data ................................................... 1271

    Creating a Network Discovery Policy.............................................................. 1272
        Working with Discovery Rules........................................................... 1273
        Restricting User Logging ................................................................... 1282
        Configuring Advanced Network Discovery Options........................... 1284
        Applying the Network Discovery Policy ............................................. 1294

    Obtaining User Data from LDAP Servers ....................................................... 1295
        Creating LDAP Connections with the Defense Center ...................... 1295
        Enabling and Disabling User Awareness LDAP Connections ............ 1303
        Performing an On-Demand User Data Retrieval for Access Control.. 1304
        Configuring Defense Center-User Agent Connections ...................... 1304

    Chapter 33: Using the Network Map........................................................ 1311
    Understanding the Network Map ................................................................... 1312

    Working with the Hosts Network Map........................................................... 1313

    Working with the Network Devices Network Map......................................... 1315

    Working with the Mobile Devices Network Map............................................ 1316

    Working with the Applications Network Map................................................. 1318

    Working with the Vulnerabilities Network Map .............................................. 1320

    Working with the Host Attributes Network Map ............................................ 1322

    Working with Custom Network Topologies .................................................... 1323
        Creating Custom Topologies.............................................................. 1324
        Managing Custom Topologies ........................................................... 1329

    Chapter 34: Using Host Profiles ................................................................ 1331
    Viewing Host Profiles...................................................................................... 1334

    Working with Basic Host Information in the Host Profile ............................... 1335

    Working with IP Addresses in the Host Profile............................................... 1338

    Working with Operating Systems in the Host Profile ..................................... 1338
        Viewing Operating System Identities................................................. 1340
        Editing an Operating System ............................................................. 1341
        Resolving Operating System Identity Conflicts ................................. 1342

    Working with Servers in the Host Profile........................................................ 1344
        Server Detail ...................................................................................... 1346
        Editing Server Identities..................................................................... 1349
        Resolving Server Identity Conflicts.................................................... 1350

    Working with Applications in the Host Profile ................................................ 1351
        Viewing Applications in the Host Profile ............................................ 1351
        Deleting Applications from the Host Profile ...................................... 1353

    Working with VLAN Tags in the Host Profile .................................................. 1354

    Working with User History in the Host Profile................................................ 1354

    Working with Host Attributes in the Host Profile............................................ 1355
        Assigning Host Attribute Values ........................................................ 1355

    Working with Host Protocols in the Host Profile ............................................ 1356

    Working with White List Violations in the Host Profile ................................... 1357
        Creating a White List Host Profile from a Host Profile ...................... 1358

    Working with Malware Detections in the Host Profile ................................... 1359

    Working with Vulnerabilities in the Host Profile.............................................. 1360
        Viewing Vulnerability Details.............................................................. 1362
        Setting the Vulnerability Impact Qualification .................................... 1364
        Downloading Patches for Vulnerabilities ............................................ 1365
        Setting Vulnerabilities for Individual Hosts......................................... 1365

    Working with the Predefined Host Attributes................................................. 1366

    Working with User-Defined Host Attributes ................................................... 1367
        Creating User-Defined Host Attributes .............................................. 1369
        Editing a User-Defined Host Attribute................................................ 1371
        Deleting a User-Defined Host Attribute ............................................. 1372

    Working with Scan Results in a Host Profile .................................................. 1372
        Scanning a Host from the Host Profile .............................................. 1373

    Chapter 35: Working with Discovery Events........................................... 1374
    Viewing Discovery Event Statistics................................................................. 1375

        Statistics Summary............................................................................ 1376
        Event Breakdown............................................................................... 1378
        Protocol Breakdown........................................................................... 1379
        Application Protocol Breakdown........................................................ 1379
        OS Breakdown................................................................................... 1380

    Viewing Discovery Performance Graphs......................................................... 1381

    Understanding Discovery Event Workflows ................................................... 1383

    Working with Discovery and Host Input Events ............................................. 1385
        Understanding Discovery Event Types .............................................. 1386
        Understanding Host Input Event Types ............................................. 1391
        Viewing Discovery and Host Input Events......................................... 1393
        Understanding the Discovery Events Table ....................................... 1394
        Searching for Discovery Events ......................................................... 1396

    Working with Hosts ........................................................................................ 1398
        Viewing Hosts.................................................................................... 1399
        Understanding the Hosts Table ......................................................... 1400
        Creating a Traffic Profile for Selected Hosts ...................................... 1404
        Creating a Compliance White List Based on Selected Hosts ............ 1405
        Searching for Hosts ........................................................................... 1405

    Working with Host Attributes ......................................................................... 1409
        Viewing Host Attributes ..................................................................... 1409
        Understanding the Host Attributes Table........................................... 1410
        Setting Host Attributes for Selected Hosts........................................ 1412
        Searching for Host Attributes............................................................. 1413

    Working with Servers ..................................................................................... 1415
        Viewing Servers................................................................................. 1415
        Understanding the Servers Table....................................................... 1416
        Searching for Servers......................................................................... 1419

    Working with Applications .............................................................................. 1421
        Viewing Applications.......................................................................... 1422
        Understanding the Applications Table ............................................... 1422
        Searching for Applications ................................................................. 1424

    Working with Application Details.................................................................... 1426
        Viewing Application Details ............................................................... 1426
        Understanding the Application Detail Table ....................................... 1427
        Searching for Application Details ....................................................... 1429

    Working with Sourcefire Vulnerabilities .......................................................... 1431
        Viewing Sourcefire Vulnerabilities...................................................... 1432
        Understanding the Sourcefire Vulnerabilities Table ........................... 1433
        Deactivating Sourcefire Vulnerabilities............................................... 1435
        Searching for Sourcefire Vulnerabilities ............................................. 1436

    Working with Third-Party Vulnerabilities ......................................................... 1438
        Viewing Third-Party Vulnerabilities ..................................................... 1438
        Understanding the Third-Party Vulnerabilities Table........................... 1439
        Searching for Third-Party Vulnerabilities............................................. 1441

    Working with Users ........................................................................................ 1442
        Viewing Users.................................................................................... 1444
        Understanding the Users Table ......................................................... 1444
        Understanding User Details and Host History................................... 1446
        Searching for Users ........................................................................... 1448

    Working with User Activity ............................................................................. 1450
        Viewing User Activity Events............................................................. 1451
        Understanding the User Activity Table .............................................. 1452
        Searching for User Activity ................................................................ 1453

    Chapter 36: Configuring Correlation Policies and Rules....................... 1456
    Creating Rules for Correlation Policies............................................................ 1458

        Providing Basic Rule Information ....................................................... 1461
        Specifying Correlation Rule Trigger Criteria........................................ 1461
        Adding a Host Profile Qualification .................................................... 1478
        Adding a Connection Tracker.............................................................. 1483
        Adding a User Qualification ............................................................... 1493
        Adding Snooze and Inactive Periods .................................................. 1495
        Understanding Rule Building Mechanics ........................................... 1496

    Managing Rules for Correlation Policies ......................................................... 1505
        Modifying a Rule................................................................................ 1505
        Deleting a Rule .................................................................................. 1506
        Creating a Rule Group........................................................................ 1506

    Grouping Correlation Responses .................................................................... 1507
        Creating a Response Group............................................................... 1508
        Modifying a Response Group ............................................................ 1509
        Deleting a Response Group............................................................... 1509
        Activating and Deactivating Response Groups .................................. 1509

    Creating Correlation Policies ........................................................................... 1510
        Providing Basic Policy Information ..................................................... 1512
        Adding Rules and White Lists to a Correlation Policy ........................ 1512
        Setting Rule and White List Priorities ................................................ 1513
        Adding Responses to Rules and White Lists..................................... 1514

    Managing Correlation Policies......................................................................... 1516
        Activating and Deactivating Correlation Policies ................................ 1517
        Editing a Correlation Policy ................................................................ 1517
        Deleting a Correlation Policy .............................................................. 1517

    Working with Correlation Events .................................................................... 1518
        Viewing Correlation Events................................................................ 1518
        Understanding the Correlation Events Table...................................... 1521
        Searching for Correlation Events........................................................ 1523

    Chapter 37: Using the Sourcefire 3D System as a Compliance Tool .. 1527
    Understanding Compliance White Lists ......................................................... 1529

        Understanding White List Targets ..................................................... 1530
        Understanding White List Host Profiles ............................................ 1531

        Understanding White List Evaluations............................................... 1535
        Understanding White List Violations.................................................. 1536

    Creating Compliance White Lists ................................................................... 1538
        Surveying Your Network .................................................................... 1540
        Providing Basic White List Information.............................................. 1542
        Configuring Compliance White List Targets....................................... 1542
        Configuring Compliance White List Host Profiles.............................. 1545

    Managing Compliance White Lists ................................................................. 1560
        Modifying a Compliance White List................................................... 1560
        Deleting a Compliance White List ..................................................... 1561

    Working with Shared Host Profiles................................................................. 1561
        Creating Shared Host Profiles............................................................ 1562
        Modifying a Shared Host Profile ........................................................ 1564
        Deleting a Shared Host Profile........................................................... 1568
        Resetting Built-In Host Profiles to Their Factory Defaults.................. 1568

    Working with White List Events ..................................................................... 1569
        Viewing White List Events................................................................. 1570
        Understanding the White List Events Table....................................... 1572
        Searching for Compliance White List Events..................................... 1573

    Working with White List Violations................................................................. 1576
        Viewing White List Violations ............................................................ 1576
        Understanding the White List Violations Table .................................. 1578
        Searching for White List Violations .................................................... 1579

    Chapter 38: Creating Traffic Profiles ........................................................ 1582
    Providing Basic Profile Information ................................................................. 1584

    Specifying Traffic Profile Conditions................................................................ 1585
        Syntax for Traffic Profile Conditions ................................................... 1586

    Adding a Host Profile Qualification ................................................................. 1587
        Syntax for Host Profile Qualifications ................................................ 1588

    Setting Profile Options.................................................................................... 1590

    Saving a Traffic Profile ..................................................................................... 1592

    Activating and Deactivating Traffic Profiles ..................................................... 1592

    Editing a Traffic Profile .................................................................................... 1593

    Understanding Condition-Building Mechanics ................................................ 1593
        Building a Single Condition ................................................................ 1594
        Adding and Linking Conditions .......................................................... 1596
        Using Multiple Values in a Condition ................................................. 1599

    Viewing Traffic Profiles.................................................................................... 1600

    Chapter 39: Configuring Remediations .................................................... 1603
    Creating Remediations ................................................................................... 1604

        Configuring Remediations for Cisco IOS Routers.............................. 1605
        Configuring Remediations for Cisco PIX Firewalls ............................. 1614
        Configuring Nmap Remediations....................................................... 1620
        Configuring Set Attribute Remediations ............................................ 1626

    Working with Remediation Status Events ...................................................... 1630
        Viewing Remediation Status Events .................................................. 1630
        Working with Remediation Status Events ......................................... 1633
        Understanding the Remediation Status Table.................................... 1633
        Searching for Remediation Status Events.......................................... 1635

    Chapter 40: Enhancing Network Discovery............................................ 1638
    Assessing Your Detection Strategy ................................................................ 1639

        Are Your Managed Devices Correctly Placed?................................... 1639
        Do Unidentified Operating Systems Have a Unique TCP Stack?....... 1640
        Can the Sourcefire 3D System Identify All Applications? .................. 1641
        Have You Applied Patches that Fix Vulnerabilities?............................ 1641
        Do You Want to Track Third-Party Vulnerabilities?.............................. 1641

    Enhancing Your Network Map ........................................................................ 1641
        Understanding Passive Detection...................................................... 1642
        Understanding Active Detection........................................................ 1642
        Understanding Current Identities....................................................... 1643
        Understanding Identity Conflicts ....................................................... 1645

    Using Custom Fingerprinting .......................................................................... 1646
        Fingerprinting Clients......................................................................... 1647
        Fingerprinting Servers........................................................................ 1652
        Managing Fingerprints ....................................................................... 1657
        Activating Fingerprints ....................................................................... 1657
        Deactivating Fingerprints ................................................................... 1658
        Deleting Fingerprints ......................................................................... 1658
        Editing Fingerprints............................................................................ 1659

    Working with Application Detectors ............................................................... 1660
        Creating a User-Defined Application Protocol Detector ..................... 1663
        Managing Detectors .......................................................................... 1670

    Importing Host Input Data .............................................................................. 1677
        Enabling the Use of Third-Party Data................................................. 1678
        Managing Third-Party Product Mappings........................................... 1679
        Mapping Third-Party Vulnerabilities.................................................... 1684
        Managing Custom Product Mappings ............................................... 1685

    Chapter 41: Configuring Active Scanning ............................................... 1689
    Understanding Nmap Scans ........................................................................... 1690

        Understanding Nmap Remediations.................................................. 1690
        Creating an Nmap Scanning Strategy ................................................ 1694
        Sample Nmap Scanning Profiles........................................................ 1696

    Setting up Nmap Scans .................................................................................. 1699
        Creating an Nmap Scan Instance....................................................... 1699
        Creating an Nmap Scan Target .......................................................... 1701
        Creating an Nmap Remediation......................................................... 1702

    Managing Nmap Scanning.............................................................................. 1707
        Managing Nmap Scan Instances ....................................................... 1707
        Managing Nmap Remediations ......................................................... 1709
        Running an On-Demand Nmap Scan ................................................. 1710

    Managing Scan Targets ................................................................................... 1711
        Editing a Scan Target ......................................................................... 1712
        Deleting a Scan Target ....................................................................... 1713

    Working with Active Scan Results .................................................................. 1713
        Viewing Scan Results ........................................................................ 1713
        Understanding the Scan Results Table .............................................. 1715
        Analyzing Scan Results...................................................................... 1716
        Monitoring Scans............................................................................... 1716
        Importing Scan Results...................................................................... 1717
        Searching for Scan Results ................................................................ 1718

    Chapter 42: Working with Reports.........