Hello
Nagios XI V 5.6.6
I have not used the Auto Discover feature since v 4.x (2-3 years ago).
My network configuration did not change (at least for the subnet I want to scan).
I am trying it now, and noticing strange behavior.
My Windows 2008R2 is detected as a Cisco MDS 9509 switch (NX-OS 4.2).
Server 2012 / 2012R2 are detected as Linksys BEFW11S4 WAP.
One 2008R2 SP1 server is detected as 2008 SP1.
Linux servers and real Cisco equipment are detected properly.
What can I do to bring OS detection accuracy to same level as it was in 4.x?
Thank you.
Auto-Discovery Detection Accuracy
Re: Auto-Discovery Detection Accuracy
OS detection is based on nmap, which is provided by your system's software repositories. I'd investigate if there's a newer version available for your OS that has better or more complete or updated OS Detection.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
Re: Auto-Discovery Detection Accuracy
current version 6.47
Code:
#yum update nmap
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink | 15 kB 00:00:00
* base: ftpmirror.your.org
* epel: mirror.team-cymru.com
* extras: ftpmirror.your.org
* updates: ftpmirror.your.org
base | 3.6 kB 00:00:00
epel | 5.3 kB 00:00:00
extras | 3.4 kB 00:00:00
nagios-base | 1.5 kB 00:00:00
nagiosxi-deps | 1.5 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/3): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(2/3): nagios-base/primary | 13 kB 00:00:00
(3/3): epel/x86_64/primary_db | 6.8 MB 00:00:00
nagios-base 97/97
No packages marked for update
Re: Auto-Discovery Detection Accuracy
Looks like this is definitely an nmap problem.
Even with the latest database it can't detect Windows with an IIS web server.
Running nmap -v -Pn -O "my server" - Windows 2012 R2
Code:
Device type: WAP|general purpose
Running (JUST GUESSING): Linksys embedded (89%), Linux 2.6.X (85%), HP HP-UX 11.X (85%)
OS CPE: cpe:/h:linksys:befw11s4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:hp:hp-ux:11
Aggressive OS guesses: Linksys BEFW11S4 WAP (89%), Linux 2.6.32 (85%), HP HP-UX B.11.11 - B.11.23 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 6.143 days (since Sat Sep 7 08:24:47 2019)
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Re: Auto-Discovery Detection Accuracy
This is going to be affected by the firewall running on Windows. If you have only exactly the ports necessary for operation open to the network (which is a good idea, don't get me wrong), it's going to hamper nmap's ability to guess the OS. I have a Server 2016 R2 domain controller with default firewall rules, sans ICMPv4/6, and nmap guessed the OS to be anything Windows 7 or up, including Windows Phone. Allowing ICMPv4/6 through, nmap was able to narrow the results down to a Windows Server OS 2012 or newer.
So the lesson is that some pretty small changes to a firewall can drastically affect nmap's ability to guess your OS.
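Added example, not part of any post in this thread: a small Python triage of `nmap -O` text output that separates exact matches from low-confidence guesses like the one quoted above, so a firewalled Windows host is not recorded in an inventory as a Linksys WAP. The function names and the 95% / 5-point thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample: taken from the nmap -O output quoted in the thread above.
SAMPLE = """\
Device type: WAP|general purpose
Running (JUST GUESSING): Linksys embedded (89%), Linux 2.6.X (85%), HP HP-UX 11.X (85%)
Aggressive OS guesses: Linksys BEFW11S4 WAP (89%), Linux 2.6.32 (85%), HP HP-UX B.11.11 - B.11.23 (85%)
No exact OS matches for host (test conditions non-ideal).
"""

# One "name (NN%)" entry of a comma-separated guess list.
GUESS_RE = re.compile(r"\s*(.+?)\s*\((\d+)%\)(?:,|$)")
# Phrases nmap prints when the fingerprint was taken under poor conditions.
WARNINGS = ("test conditions non-ideal", "OSScan results may be unreliable")

def parse_os_result(text):
    """Pull the exact match, ranked guesses and warning flag out of `nmap -O` text."""
    exact, guesses, degraded = None, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OS details:"):
            exact = line.split(":", 1)[1].strip()
        elif line.startswith("Aggressive OS guesses:"):
            body = line.split(":", 1)[1]
            guesses = [(name, int(pct)) for name, pct in GUESS_RE.findall(body)]
        if any(w in line for w in WARNINGS):
            degraded = True
    return exact, sorted(guesses, key=lambda g: -g[1]), degraded

def classify(text, min_pct=95, window=5):
    """Return (verdict, os_name); min_pct and window are assumed thresholds."""
    exact, guesses, degraded = parse_os_result(text)
    if exact:
        return "exact", exact
    if not guesses:
        return "unreliable", None
    top_name, top_pct = guesses[0]
    # Vendors (first word) of every guess scoring close to the best one.
    vendors = {n.split()[0] for n, p in guesses if top_pct - p <= window}
    if degraded or top_pct < min_pct or len(vendors) > 1:
        return "unreliable", top_name
    return "probable", top_name

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Hosts that come back "unreliable" are candidates for a rescan after the firewall change described above, or for manual classification.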