Configuring BMC Defender NMAP adapter
Once the BMC system is installed, you can then configure and use the software in a variety of ways. Specify the following parameters in order to use the software effectively:
- The operator should enable the GenNMAP program to run at some scheduled interval, such as hourly, daily, or weekly. This is the single required setting change, necessary to scan the network at regular intervals.
- Specify an address range to be scanned. (The default value configured for the program will likely need to be adjusted at each site.)
- The operator can configure threads and alerts and other items within the BMC Defender Server, and can load the NMAP template files using the Correlation > Config > Templates screen, or configure threads and alerts manually.
Configuration of the system is not difficult. This section discusses the various parameters and steps necessary to configure a general purpose NMAP interface to BMC.
Once the NMAP interface is installed and is running on the system, you can configure parameters associated with the interface.
To configure the parameters associated with the NMAP interface
- Navigate to the System > NMAP screen.
- Click Edit and set Gen NMAP Master Enable to be enabled.
- Set the Scan Address Specification to the network that you want to scan.
- (Optional) Generate new NMAP data on demand using Generate.
- (Optional) Set the execution time to be Hourly, Daily, or some other schedule of execution.
Navigating the NMAP tab
As part of the Windows installation, a new tab is created in the System section of the BMC web interface that permits you to configure various parameters associated with the NMAP background program. This screen is available only to BMC administrators, and serves as a starting point for configuring the NMAP interface. The following screen is the NMAP parameter screen:
This screen allows the administrator to enable periodic execution of the NMAP program (that creates NMAP data automatically). It also allows the administrator to view various aspects of the NMAP data, or generate an NMAP listing on demand using Run Report.
Run report button
Once the NMAP parameters are configured, you must generate the actual NMAP data. You can accomplish this either by waiting for the scheduled time or by clicking Generate at the top of the screen, which launches the GenNMAP.exe program as a background process on the system.
The GenNMAP.exe program gathers the NMAP data and formats the result into a file that is subsequently used by BMC. The data acquisition process might take several minutes or longer to complete, depending on the number of NMAP data entries, the number of configured NMAP servers, and other factors. The process executes as a background process, and you can leave the screen and return later to check on the progress or the success of the operation.
NMAP configurable parameters
Click Edit to edit the NMAP parameters. This permits the following values to be specified and modified.
- Gen NMAP master enable—To generate any NMAP data, this setting should be set to enabled. This provides a simple way for the administrator to disable the operation of the system without changing any other configuration parameters.
- Schedule execution—This setting can be set to none, hourly, daily, weekly, or to some other schedule. This setting actually edits the values configured on the System > Scheduler screen (the screen that is actually responsible for launching the GenNMAP.exe program at periodic intervals). The special sched-1, sched-2, sched-3, and sched-4 values permit the administrator to run the GenNMAP program at arbitrary hours and days, configured in the Advanced Schedules screen at the bottom of the System > Scheduler screen.
- Auto generate image files—This setting is either True or False, and controls the image files (such as the baseline files). When set to True (the default setting) the last NMAP listing becomes the next baseline, and any changes to the network devices or ports generate syslog messages. When set to False, the image file is not modified after an NMAP execution, and the NMAP results compare against a baseline that has been established for the network. More information on establishing a baseline for the system is provided in the previous section.
- Send messages from target host—This setting determines where the NMAP syslog messages are sent from. The default is to send these messages from the BMC Defender Server 127.0.0.1 address. Setting the value to True makes these messages appear to be sent from the affected devices. This is desirable when you have a heartbeat function for devices, or when all the devices on your network are manageable. However, this can potentially add a lot of new devices to the system that must be maintained. The setting depends largely on how BMC Defender Server is used.
- Scan address specification—This is the standard NMAP address specification, as documented on the nmap.org website.
- Max NMAP records—This value is an integer number that limits NMAP to some fixed (but large) output. This value is mainly useful in controlling long scans over huge address ranges. The default value of 20,000 is usually sufficient for any BMC application.
- Max NMAP execution time—This value is an integer number of seconds that limits NMAP to some fixed execution time. This value is useful for controlling long scans over huge address ranges. The default value of 3600 seconds (one hour) is usually sufficient for any BMC application.
- Device added severity—This is the severity of messages that are sent by the NMAP adapter (and it appears in BMC Defender Server) when a device is added to the network that does not appear in the image file.
- Device deleted severity—This is the severity of messages that are sent by the NMAP adapter (and it appears in BMC Defender Server) when a device in the baseline image file has failed to respond to an NMAP request; in other words, when the device is deleted from the baseline.
- Device heartbeat severity—This is the severity of messages that are sent by the NMAP adapter (and it appears in BMC Defender Server) whenever NMAP finds a device on the network. Under normal circumstances, this message is issued for each device that is up each time the NMAP program executes. This message is useful for maintaining associations or verifying that non-syslog devices are continuously up.
- Service port added severity—This is the severity of messages that are sent by the NMAP adapter (and it appears in BMC Defender Server) when a service port for a device is added to the listing, and this service port does not appear in the image file. This might indicate a security threat (for instance, a remote control program on the network).
- Service port deleted severity—This is the severity of messages that are sent by the NMAP adapter (and it appears in BMC Defender Server) when a service port in the baseline image file no longer appears in an NMAP request, in other words, when a service is removed from a managed device.
- Service port heartbeat severity—This is the severity of messages that are sent by the NMAP adapter (and it appears in BMC Defender Server) whenever NMAP finds a service port on the network. Under normal circumstances, this message is issued for each service port that is up each time the NMAP program executes. This is especially useful to maintain associations between network devices and service ports.
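The parameters above describe a baseline comparison: each scan is diffed against the image file, and the six message types (device added, deleted, heartbeat; service port added, deleted, heartbeat) are emitted with their configured severities, either from the server address or from the affected device, with the baseline rolled forward when Auto generate image files is True. The following Python is an added illustration of that logic and is not BMC's GenNMAP code; the `host port` listing format, the severity values and defaults, the message text, and the function names are assumptions, and the two listings are constructed sample data.

```python
"""Added example, not BMC's GenNMAP code: the baseline-comparison logic the
NMAP adapter parameters describe, using constructed data and assumed names."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

Image = Dict[str, Set[int]]  # host address -> set of open TCP ports


@dataclass
class AdapterConfig:
    """Mirrors the System > NMAP parameters; severity strings and defaults are
    assumptions for illustration, not the product's values."""
    device_added_severity: str = "warning"
    device_deleted_severity: str = "error"
    device_heartbeat_severity: str = "info"
    port_added_severity: str = "warning"
    port_deleted_severity: str = "notice"
    port_heartbeat_severity: str = "info"
    auto_generate_image: bool = True      # last listing becomes next baseline
    send_from_target_host: bool = False   # False: messages come from the server
    server_address: str = "127.0.0.1"
    max_records: int = 20000              # Max NMAP records


# Constructed listings in an assumed "host port" format (one open port per line).
BASELINE_LISTING = """
10.0.0.1 22
10.0.0.1 443
10.0.0.2 80
10.0.0.3 22
"""
SCAN_LISTING = """
10.0.0.1 22
10.0.0.1 443
10.0.0.2 80
10.0.0.2 5900
10.0.0.4 22
"""


def parse_image(listing: str, max_records: int) -> Image:
    """Build a host -> ports map, honouring the Max NMAP records limit."""
    image: Image = {}
    for count, line in enumerate(listing.strip().splitlines()):
        if count >= max_records:
            break  # truncate long scans rather than grow without bound
        host, port = line.split()
        image.setdefault(host, set()).add(int(port))
    return image


def compare(baseline: Image, scan: Image, cfg: AdapterConfig) -> List[dict]:
    """Emit the six message types the adapter parameters configure."""
    messages: List[dict] = []

    def emit(severity: str, host: str, text: str) -> None:
        source = host if cfg.send_from_target_host else cfg.server_address
        messages.append({"severity": severity, "source": source,
                         "host": host, "text": text})

    for host in sorted(set(baseline) | set(scan)):
        base_ports = baseline.get(host, set())
        scan_ports = scan.get(host, set())
        if host not in scan:
            # Baseline device failed to respond: one deleted message, nothing else.
            emit(cfg.device_deleted_severity, host, f"NMAP device deleted: {host}")
            continue
        if host not in baseline:
            emit(cfg.device_added_severity, host, f"NMAP device added: {host}")
        else:
            emit(cfg.device_heartbeat_severity, host, f"NMAP device heartbeat: {host}")
        for port in sorted(scan_ports - base_ports):
            emit(cfg.port_added_severity, host,
                 f"NMAP service port added: {host} tcp/{port}")
        for port in sorted(base_ports - scan_ports):
            emit(cfg.port_deleted_severity, host,
                 f"NMAP service port deleted: {host} tcp/{port}")
        for port in sorted(scan_ports):
            emit(cfg.port_heartbeat_severity, host,
                 f"NMAP service port heartbeat: {host} tcp/{port}")
    return messages


def next_baseline(baseline: Image, scan: Image, cfg: AdapterConfig) -> Image:
    """Auto generate image files: True rolls the baseline forward to the last
    listing; False keeps the established baseline for the next comparison."""
    return scan if cfg.auto_generate_image else baseline


def run_example(cfg: Optional[AdapterConfig] = None) -> List[dict]:
    """Compare the constructed listings under the given (or default) config."""
    cfg = cfg or AdapterConfig()
    baseline = parse_image(BASELINE_LISTING, cfg.max_records)
    scan = parse_image(SCAN_LISTING, cfg.max_records)
    return compare(baseline, scan, cfg)


if __name__ == "__main__":
    for m in run_example():
        print(f"<{m['severity']}> from {m['source']}: {m['text']}")
```

With the constructed data, 10.0.0.3 (present in the baseline, silent in the scan) produces a single device deleted message and no heartbeats, 10.0.0.4 produces device added plus port added and port heartbeat for tcp/22, and the new tcp/5900 on 10.0.0.2 produces a port added message at the configured severity, which is the case the Service port added parameter is meant to surface. Setting `send_from_target_host=True` changes only the source address of each message, and `auto_generate_image=False` keeps the original baseline so the same differences are reported on the next run.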