User Guide for Cisco Security Manager 4.4 (OL-28826-01), page 39-17
Chapter 39: Configuring Event Action Rules
Configuring IPS Event Action Network Information: Field Reference
Understanding Passive OS Fingerprinting
Passive operating system (OS) fingerprinting is enabled by default on IPS 6.0+ sensors and the IPS
contains a default vulnerable OS list for each signature.
Passive OS fingerprinting lets the sensor determine the OS that hosts are running. The sensor analyzes
network traffic between hosts and stores the OS of these hosts with their IP addresses. The sensor
inspects TCP SYN and SYNACK packets exchanged on the network to determine the OS type.
The sensor then uses the OS of the target host to determine the relevance of the attack to the victim
by computing the attack relevance rating component of the risk rating. Based on the relevance of the
attack, the sensor may alter the risk rating of the alert for the attack or the sensor may filter the alert for
the attack. You can then use the risk rating to reduce the number of false positive alerts (a benefit in IDS
mode) or definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting also
enhances the alert output by reporting the victim OS, the source of the OS identification, and the
relevance to the victim OS in the alert.
Passive OS fingerprinting consists of three components:
Passive OS learning.
Passive OS learning occurs as the sensor observes traffic on the network. Based on the
characteristics of TCP SYN and SYNACK packets, the sensor makes a determination of the OS
running on the host of the source IP address.
User-configurable OS identification.
You can configure OS host mappings, which take precedence over learned OS mappings.
Computation of attack relevance rating and risk rating.
Table 39-5 Target Value Rating Dialog Box

Element: Value
Description: The target value rating to associate with the specified addresses. From highest to
lowest importance: Mission Critical, High, Medium, Low, No Value.
This list includes only those value ratings that you have not already configured in the target value
ratings table.
You change this option when editing a ratings category.

Element: target-address
Description: The IP addresses of the network assets assigned to this value rating. You can specify
addresses using the following techniques:
- Enter the name of a single network/host object, or click Select to select an object from a list or to
create a new one. The object can contain a group of networks, hosts, and address ranges.
- Enter a comma-separated list of host or network addresses or address ranges. For example, using
IPv4: 10.10.10.0/24, 10.10.10.10, 10.10.10.2-10.10.10.254. Addresses that you enter in network
format are converted to address ranges; for example, 10.10.10.0/24 is converted to
10.10.10.0-10.10.10.255.
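To make the precedence and relevance logic concrete, the following Python model is an added example, not Cisco code: it covers the three passive OS fingerprinting components described above plus the address handling from Table 39-5 (CIDR networks converted to inclusive ranges). The SYN/SYN-ACK classifier, the numeric relevance values, and all class and method names are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed relevance adjustments; placeholders, not Cisco's published values.
RELEVANT, UNKNOWN, NOT_RELEVANT = 10, 0, -10

def address_range(spec):
    """Host, CIDR network or 'a-b' range -> inclusive (first, last) addresses."""
    if "-" in spec:
        return tuple(ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    net = ipaddress.ip_network(spec.strip(), strict=False)  # 10.10.10.0/24 -> .0-.255
    return net[0], net[-1]

def guess_os(ttl, window):
    """Constructed toy classifier on SYN/SYN-ACK traits; real sensors use many more."""
    if ttl <= 64:
        return "macos" if window == 65535 else "linux"
    return "windows" if ttl <= 128 else "unknown"

@dataclass
class Sensor:
    learned: dict = field(default_factory=dict)        # ip -> OS seen on the wire
    configured: dict = field(default_factory=dict)     # ip -> OS set by the operator
    target_values: list = field(default_factory=list)  # (first, last, rating)
    def observe(self, src_ip, ttl, window):  # passive OS learning from the source address
        os_name = guess_os(ttl, window)
        if os_name != "unknown":
            self.learned[src_ip] = os_name
    def victim_os(self, ip):  # configured mappings take precedence over learned ones
        if ip in self.configured:
            return self.configured[ip], "configured"
        if ip in self.learned:
            return self.learned[ip], "learned"
        return None, "unknown"
    def attack_relevance(self, victim_ip, vulnerable_os):
        """Relevance component of the risk rating from the signature's vulnerable OS list."""
        os_name, source = self.victim_os(victim_ip)
        if os_name is None:
            return UNKNOWN, source
        return (RELEVANT if os_name in vulnerable_os else NOT_RELEVANT), source
    def add_target_value(self, rating, spec_list):  # comma-separated hosts/nets/ranges
        for spec in spec_list.split(","):
            self.target_values.append((*address_range(spec), rating))
    def target_value(self, ip):  # first matching range wins; unlisted assets get No Value
        addr = ipaddress.ip_address(ip)
        for first, last, rating in self.target_values:
            if first <= addr <= last:
                return rating
        return "No Value"
```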