Cisco Systems IPS 7.1 Home Security System User Manual


7-27
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring OS Identifications
The sensor then uses the OS of the target host to determine the relevance of the attack to the victim
by computing the attack relevance rating component of the risk rating. Based on the relevance of the
attack, the sensor may alter the risk rating of the alert for the attack and/or the sensor may filter the alert
for the attack. You can then use the risk rating to reduce the number of false positive alerts (a benefit in
IDS mode) or definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting
also enhances the alert output by reporting the victim OS, the source of the OS identification, and the
relevance to the victim OS in the alert.
Passive OS fingerprinting consists of three components:
Passive OS learning—Passive OS learning occurs as the sensor observes traffic on the network.
Based on the characteristics of TCP SYN and SYN/ACK packets, the sensor determines the OS running
on the host at the source IP address.
User-configurable OS identification—You can configure OS host maps, which take precedence over
learned OS maps.
Computation of attack relevance rating and risk rating—The sensor uses OS information to
determine the relevance of the attack signature to the targeted host. The attack relevance is the attack
relevance rating component of the risk rating value for the attack alert. The sensor uses the OS type
reported in the host posture information imported from the CSA MC to compute the attack relevance
rating.
There are three sources of OS information. The sensor ranks the sources of OS information in the
following order:
1. Configured OS maps—OS maps you enter. Configured OS maps reside in the event action rules
policy and can apply to one or many virtual sensors.
Note You can specify multiple operating systems for the same IP address. The last one in the list
is the operating system that is matched.
2. Imported OS maps—OS maps imported from an external data source. Imported OS maps are global
and apply to all virtual sensors.
Note Currently the CSA MC is the only external data source.
3. Learned OS maps—OS maps observed by the sensor through the fingerprinting of TCP packets with
the SYN control bit set. Learned OS maps are local to the virtual sensor that sees the traffic.
When the sensor needs to determine the OS for a target IP address, it consults the configured OS maps.
If the target IP address is not in the configured OS maps, the sensor looks in the imported OS maps. If
the target IP address is not in the imported OS maps, the sensor looks in the learned OS maps. If it cannot
find it there, the sensor treats the OS of the target IP address as unknown.
Note Passive OS fingerprinting is enabled by default and the IPS contains a default vulnerable OS list for each
signature.
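The lookup order described above (configured, then imported, then learned, else unknown), together with the "last entry in the list is matched" rule for configured maps and a coarse relevance check against a signature's vulnerable OS list, as an added Python model that is not Cisco's code; the store layout, function names and sample addresses are assumptions constructed for illustration, and the numeric attack relevance rating values are not modelled.

```python
# Added example, not Cisco code: a small model of the OS map lookup order
# (configured -> imported -> learned -> unknown) and of the relevance check
# against a signature's vulnerable OS list. Names and sample values are constructed.
from dataclasses import dataclass, field


@dataclass
class OsMapStore:
    # Configured maps: ordered entries of (ip, os, virtual sensors the entry applies to).
    configured: list = field(default_factory=list)
    # Imported maps (e.g. from CSA MC) are global: ip -> os.
    imported: dict = field(default_factory=dict)
    # Learned maps are local to the virtual sensor that saw the SYN traffic: vs -> {ip: os}.
    learned: dict = field(default_factory=dict)

    def resolve_os(self, virtual_sensor, target_ip):
        """Return (os, source) for target_ip as seen by virtual_sensor."""
        # 1. Configured maps. Several entries may name the same IP; the last one
        #    in the list is the one that is matched, so keep scanning to the end.
        match = None
        for ip, os_name, sensors in self.configured:
            if ip == target_ip and virtual_sensor in sensors:
                match = os_name
        if match is not None:
            return match, "configured"
        # 2. Imported maps apply to every virtual sensor.
        if target_ip in self.imported:
            return self.imported[target_ip], "imported"
        # 3. Learned maps: only what this virtual sensor fingerprinted itself.
        local = self.learned.get(virtual_sensor, {})
        if target_ip in local:
            return local[target_ip], "learned"
        # 4. Nothing found: the target OS is treated as unknown.
        return None, "unknown"


def attack_relevance(victim_os, vulnerable_os_list):
    """Coarse relevance of a signature to the victim OS (no numeric rating here)."""
    if victim_os is None:
        return "unknown"
    return "relevant" if victim_os in vulnerable_os_list else "not relevant"


# Constructed sample data (hypothetical addresses and OS names).
STORE = OsMapStore(
    configured=[("10.0.0.5", "linux", {"vs0", "vs1"}),
                ("10.0.0.5", "windows", {"vs0"})],   # last matching entry wins on vs0
    imported={"10.0.0.7": "solaris"},
    learned={"vs0": {"10.0.0.5": "bsd", "10.0.0.9": "windows"}},
)
```

Calling `STORE.resolve_os("vs0", "10.0.0.5")` returns the configured "windows" entry even though vs0 also learned "bsd" for that address, and `resolve_os("vs1", "10.0.0.9")` is unknown because the learned map belongs to vs0 only.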