BigFix User Group

jspanitz · 2009-09-14 21:31:36

BigFix is still using NMAP 4.52 which was released 1/1/08. NMAP 5 has been out a while now 7/16/09 and has better detection capabilites. Is an updated NMAP fixlet on the horizon? Has anyone manually updated the Bigfix NMAP scan point?

John

annamin · 2009-09-15 08:25:36

Asset Discovery will be updated to use NMAP 5 by early October. The changes are currently undergoing testing.

-Anna

jspanitz · 2009-09-15 12:08:01

Excellent! Our Cisco Switches that are detected as HP Digital Senders under NMAP 4 will be happy!

mcalvi · 2009-10-12 08:00:56

Anna,
Any update on the Asset Discovery update?

JackCoates · 2009-10-27 21:45:29

It's done today, announcement will be sent shortly.

jspanitz · 2009-10-28 17:45:35

Jack,

We did the update today (after the WinMo eval webex) and our scan is scheduled for tomorrow, so I will report back how it goes. Thanks!

John

jspanitz · 2009-11-03 06:27:58

So we've found only minimal improvement with NMAP 5 Perhaps I will visit the NMAP forums and see if there is any hope for better detection. If I get some answers, I'll post them here.

BigFix, thanks for the effort in getting this update out the door.

JackCoates · 2009-11-03 08:26:16

Can you scan the devices with a standalone nmap 5 and post the xml output? That would determine if it's NMAP or our integration at fault.

JackCoates · 2009-11-06 17:24:40

Found out today that there's a problem with upgrading. Until we can publish a fix, you should uninstall and reinstall the importer service on your bigfix server, that should fix it.

jspanitz · 2009-11-12 11:02:56

I haven't gotten around to scanning with plain old NMAP yet. Hopefully by the end of the week.

Sooo, we didn't realize that the NMAP 5 update required us to recreate our NMAP 4 jobs. We thought we had bigger issues when no data was coming in after the upgrade. Was that documented anywhere?

So we recreated the jobs today and ran a test scan. It failed with this relevance being the cause:

continue if {(exists file whose (name of it starts with "nmap-" AND exists line whose (((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESScanner-NMAP" whose (value "NmapVersion" of it as string as version < "4.52") of registry) AND it as lowercase contains "nmap run completed at") OR ((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESScanner-NMAP" whose (value "NmapVersion" of it as string as version >= "4.52") of registry) AND it as lowercase contains "nmap done at")) of it) of folder (pathname of windows folder & "\temp\nmap"))}

Here is the NMAP XML Output file from the scan point:
<?xml version="1.0" ?>
<?xml-stylesheet href="file:///C:/Program Files (x86)/BigFix Enterprise/BES Client/BESScanner-NMAP/NMAP/nmap.xsl" type="text/xsl"?>

<nmaprun scanner="nmap" args="C:\Program Files (x86)\BigFix Enterprise\BES Client\BESScanner-NMAP\NMAP\nmap.exe -sV -sS -sU -p T:22,T:23,T:80,T:135,T:139,T:235,T:445,T:61616,U:52311 --exclude 172.26.2.77 -O --osscan-guess -PE -PA80 -T 4 -oX C:\WINDOWS\temp\nmap\nmap-BIGFIX02-1258035033.xml 172.26.2.2-254 172.26.40.2-254 172.26.45.2-254 172.200.45.2-254" start="1258053034" startstr="Thu Nov 12 14:10:34 2009" version="5.00" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" numservices="8" services="22-23,80,135,139,235,445,61616" />
<scaninfo type="udp" protocol="udp" numservices="1" services="52311" />
<verbose level="0" />
<debugging level="0" />

Any ideas why this is now failing?

jspanitz · 2009-12-03 12:23:40

It's been a while but we finally got back to this. We started from scratch, uninstalling the Nmap Asset Discovery Import Serivce and the Nmap Scan Point. We then reinstalled. We submitted a test scan and it worked (xml file with valid content in the windows\temp\nmap dir). But the data did bot show up in the BES console under the Unmanaged Assets tab. We then ran another scan with the same parameters as are old scans that were working under Nmap 4. It too seemed to complete successfully but again no data in the console.

So now we are troubleshooting why the data is not making it to the console.

On another note, the version of winpcap BigFix distributes has known issues under Windows 2008, which is what we are using. The latest version (4.1) fixes those issues. We have manually updated to the latest version after the tests above. There was no change in seeing data in the console, which is what we expected since the action was completing successfully before the winpcap update.

I have the standalone output from winpcap, but I'd rather not post it here. Can you tell me where to send it?

JackCoates · 2009-12-07 16:05:18

Hi,

sorry I missed this; you can send it to me.

jspanitz · 2009-12-22 14:04:50

With Jack and his groups help, we found the issue. The NMAP remove / install tasks removed the service account information the task was running under. So upon reinstall, the service had no access to the database. Once we were given the settings to turn on debug logging, the problem was found and corrected within 10 minutes. Hopefully future tasks will flag such potential issues and / or provide a way to preserve settings. Big thanks to all involved!

BigFix User Group

#1 2009-09-14 21:31:36

NMAP 5 - Any plans / Update Timerframe?

#2 2009-09-15 08:25:36

Re: NMAP 5 - Any plans / Update Timerframe?

#3 2009-09-15 12:08:01

Re: NMAP 5 - Any plans / Update Timerframe?

#4 2009-10-12 08:00:56

Re: NMAP 5 - Any plans / Update Timerframe?

#5 2009-10-27 21:45:29

Re: NMAP 5 - Any plans / Update Timerframe?

#6 2009-10-28 17:45:35

Re: NMAP 5 - Any plans / Update Timerframe?

#7 2009-11-03 06:27:58

Re: NMAP 5 - Any plans / Update Timerframe?

#8 2009-11-03 08:26:16

Re: NMAP 5 - Any plans / Update Timerframe?

#9 2009-11-06 17:24:40

Re: NMAP 5 - Any plans / Update Timerframe?

#10 2009-11-12 11:02:56

Re: NMAP 5 - Any plans / Update Timerframe?

#11 2009-12-03 12:23:40

Re: NMAP 5 - Any plans / Update Timerframe?

#12 2009-12-07 16:05:18

Re: NMAP 5 - Any plans / Update Timerframe?

#13 2009-12-22 14:04:50

Re: NMAP 5 - Any plans / Update Timerframe?

Board footer