Cisco Systems IPS 7.1 Home Security System User Manual
7-28
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring OS Identifications
Passive OS Fingerprinting Configuration Considerations
You do not have to configure passive OS fingerprinting for it to function. IPS provides a default
vulnerable OS list for each signature, and passive analysis is enabled by default.
You can configure the following aspects of passive OS fingerprinting:
Define OS maps—We recommend configuring OS maps to define the identity of the OS running on
critical systems. It is best to configure OS maps when the OS and IP address of the critical systems
are unlikely to change.
Limit the attack relevance rating calculation to a specific IP address range—This limits the attack
relevance rating calculations to IP addresses on the protected network.
Import OS maps—Importing OS maps provides a mechanism for accelerating the learning rate and
fidelity of the OS identifications made through passive analysis. If you have an external product
interface, such as the CSA MC, you can import OS identifications from it.
Define event action rules filters using the OS relevance value of the target—This provides a way to
filter alerts solely on OS relevance.
Disable passive analysis—Stops the sensor from learning new OS maps.
Edit signature vulnerable OS lists—The vulnerable OS list specifies what OS types are vulnerable
to each signature. The default, general-os, applies to all signatures that do not specify a vulnerable
OS list.
Adding, Editing, Deleting, and Moving Configured OS Maps
Use the os-identifications command in the service event action rules submode to configure OS host
mappings, which take precedence over learned OS mappings. You can add, edit, and delete configured
OS maps. You can move them up and down in the list to change the order in which the sensor computes
the attack relevance rating and risk rating for that particular IP address and OS type combination.
You can also move them up and down in the list to change the order in which the sensor resolves the OS
associated with a particular IP address. Configured OS mappings allow for ranges, so for network
192.168.1.0/24 an administrator might define the mappings shown in Table 7-1.
More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is
allowed, but the entry closest to the beginning of the list takes precedence. The following options apply:
calc-arr-for-ip-range—Calculates the attack relevance rating for victims in this range. The value is
<A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>], for example,
10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255.
Note: The second IP address in the range must be greater than or equal to the first IP address.
Table 7-1 Example Configured OS Mapping

IP Address Range Set                    OS
192.168.1.1                             IOS
192.168.1.2-192.168.1.10,192.168.1.25   UNIX
192.168.1.1-192.168.1.255               Windows
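The ordered, first-match lookup that Table 7-1 relies on, together with the range-set syntax used by calc-arr-for-ip-range, as an added example in Python (not Cisco's code, and the function names are my own): it parses a range set, enforces the second-address-not-below-first rule, resolves an address to the first configured map that contains it, and flags entries that a broader entry placed earlier in the list would shadow.

```python
import ipaddress

# Constructed sample: the ordered configured OS maps of Table 7-1.
# Entries are tried top to bottom; the first range set containing the address wins.
OS_MAPS = [
    ("192.168.1.1", "IOS"),
    ("192.168.1.2-192.168.1.10,192.168.1.25", "UNIX"),
    ("192.168.1.1-192.168.1.255", "Windows"),
]

def parse_range_set(text):
    """Parse '<A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>]' into (first, last) pairs.
    A bare address is a one-address range. Enforces the guide's rule that the second
    address of a range must be greater than or equal to the first."""
    ranges = []
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        first = ipaddress.IPv4Address(lo)
        last = ipaddress.IPv4Address(hi) if hi else first
        if last < first:
            raise ValueError(f"second address must be >= first in range {part!r}")
        ranges.append((first, last))
    return ranges

def resolve_os(ip, os_maps=OS_MAPS):
    """OS of the first configured map whose range set contains ip, or None when no
    configured map applies (the sensor would then fall back to learned maps)."""
    addr = ipaddress.IPv4Address(ip)
    for range_set, os_name in os_maps:
        if any(first <= addr <= last for first, last in parse_range_set(range_set)):
            return os_name
    return None

def shadowed_maps(os_maps):
    """Indexes of entries that can never match because earlier entries already cover
    every address in their range set: a sign the list is misordered, since more
    specific entries belong first. Walks addresses one by one, so keep it to small
    range sets (a /24 is fine)."""
    shadowed = []
    for i, (range_set, _) in enumerate(os_maps):
        earlier = [r for rs, _ in os_maps[:i] for r in parse_range_set(rs)]
        if earlier and all(
            any(lo <= ipaddress.IPv4Address(n) <= hi for lo, hi in earlier)
            for first, last in parse_range_set(range_set)
            for n in range(int(first), int(last) + 1)
        ):
            shadowed.append(i)
    return shadowed
```

With the table's order, 192.168.1.1 resolves to IOS and 192.168.1.25 to UNIX; reversing the list makes the /24 Windows entry swallow both, which shadowed_maps reports.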