Cisco Systems CL-28826-01 Understanding Passive OS Fingerprinting

39-17

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter3 9 Configuring Event Action Rules

Configuring IPS Event Action Network Information

Field Reference

Understanding Passive OS Fingerprinting

Passive operating system (OS) fingerprinting is enabled by default on IPS 6.0+ sensors and the IPS

contains a default vulnerable OS list for each signature.

Passive OS fingerprinting lets the sensor determine the OS that hosts are running. The sensor analyzes

network traffic between hosts and stores the OS of these hosts with their IP addresses. The sensor

inspects TCP SYN and SYNACK packets exchanged on the network to determine the OS type.

The sensor then uses the OS of the target host OS to determine the relevance of the attack to the victim

by computing the attack relevance rating component of the risk rating. Based on the relevance of the

attack, the sensor may alter the risk rating of the alert for the attack or the sensor may filter the alert for

the attack. You can then use the risk rating to reduce the number of false positive alerts (a benefit in IDS

mode) or definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting also

enhances the alert output by reporting the victim OS, the source of the OS identification, and the

relevance to the victim OS in the alert.

Passive OS fingerprinting consists of three components:

•Passive OS learning.

Passive OS learning occurs as the sensor observes traffic on the network. Based on the

characteristics of TCP SYN and SYNACK packets, the sensor makes a determination of the OS

running on the host of the source IP address.

•User-configurable OS identification.

You can configure OS host mappings, which take precedence over learned OS mappings.

•Computation of attack relevance rating and risk rating.

Table39-5 Target Value Rating Dialog Box

Element Description

Value The target value rating to associate with the specified addresses. From

highest to lowest importance: Mission Critical, High, Medium, Low,

No Value.

This list includes only those value ratings that you have not already

configured in the target value ratings table.

You change this option when editing a ratings category.

target-address The IP addresses of the network assets assigned to this value rating.

You can specify addresses using the following techniques:

•Enter the name of a single network/host object, or click Select to

select an object from a list or to create a new one. The object can

contain a group of networks, hosts, and address ranges.

•A comma-separated list of host or network addresses or address

ranges. For example, using IPv4, 10.10.10.0/24, 10.10.10.10,

10.10.10.2-10.10.10.254. Addresses that you enter in the network

format are converted to address ranges; for example, 10.10.10.0/24

is converted to 10.10.10.0-10.10.10.255.