That is what I thought as well. Originally it was common ports and OS. Then it changed to OS and SNMP. Now in 2.2 I am seeing many more ports show up. How is tcp 1720 and 5060 being listed for unknown devices? There are no built in NMAP scans that scan for those ports.

Sent from my iPhone

Craig,

Just to show you another example of how this has changed in 2.2. Here is my lab system running 2.2. patch 1. It is a fresh build with nothing in it. I have loaded one of my switches into ISE and have it SNMP polled so MACs are learned. Here you see an Unknown device with FTP identified as open. So 2.2 is definitely not just doing SNMP and OS. I know 2.0 and 2.1 definitely did SNMP and OS only because it broke what we do for printer identification, i.e. port 9100 open is key criteria. In 2.2 I noticed that 9100 was starting to be identified again on Unknown and Profiling groups using the predefined condition of SNMP and OS NMAP detection. So to me it looks like that definition is somehow broke and way more is getting scanned. I don’t mind that but if this is a bug and I can’t depend on common ports being scanned I would like to know that.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Craig,

I did more testing and SNMP and OS NMAP action in 2.2 is definitely broken (I like the way it works though). Here is how I tested. I changed the Cisco Switch definition in profiling to do SNMP and OS:

I added a rule to SCAN based of the predefined SNMP check. Here is what you see it scanned for my switch. Just a few more things and SNMP.

Like I said I like it like this, but I am guessing and some point it is going to get fixed and I can’t rely on this being true. I will being doing 2.3 installs this week so I will know if it still doing more than it should.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Grr sorry for so many emails. Are those ports being flagged open via the SNMP and OS NMAP action because it is using the ports in the OS detection part? I know in 2.0 and 2.1 only the SNMP ports were being shown. Now I see way more with that scan action, but maybe those ports are used as part of the OS detection so it is reporting them as open.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Craig,

I have seen the same things since the early days. We have always been using port 9100 being open as a key indicator in our printer profiles. This worked fine in 1.x, then in some versions of 2.x (I think 2.0 and 2.1) I stopped seeing 9100 show up on my endpoints. So I had to go and create a custom NMAP scan to do Common Ports and OS scan to get what I wanted. Then I had to go in and modify all the Cisco prebuilt printer top level profile polices (HP-Device, Canon-Device, Ricoh-Device, etc.) to use my custom scan. Now in 2.2 and I am assuming in 2.3 I am going to see the ports show up again.

The problem I have is if everything says SNMP ports and OS scan only, yet we are seeing all these other ports show up and no one can really explain why, then what is the assurance that at some point the developers are going to realize SNMP ports and OS scan is broken and change it to really only do SNMP ports and OS scan. Then if we have been relying on these other ports things stop profiling correctly. I would rather not have to create custom NMAP scans can modify a bunch of the Cisco prebuilt rules to get what I want. I like seeing all these other ports, but not sure if it is functioning as designed.

Thanks for your input Craig!

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

It looks like OS scans can potentially perform port scans, after reading some of the online info; e.g.

https://serverfault.com/questions/829009/which-ports-does-nmap-scan-for-os-detection

https://www.cyberciti.biz/networking/nmap-command-examples-tutorials/

https://serverfault.com/questions/498372/do-an-os-scan-with-nmap-only

You may check ISE debug log file -- nmap.log