39-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring IPS Event Action Network Information
The sensor uses OS information to determine whether an attack signature is relevant to the targeted
host. The result is the attack relevance rating, which is one component of the risk rating value for the
attack alert.
There are three sources of OS information. The sensor ranks the sources of OS information in the
following order:
1. Configured OS mappings—OS mappings that you enter on the OS Identification tab of the Event
Actions Network Information policy. You can configure different mappings for each virtual sensor.
For more information, see Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only),
page 39-18.
We recommend configuring OS mappings to define the identity of the OS running on critical
systems. It is best to configure OS mappings when the OS and IP address of the critical systems are
unlikely to change.
2. Imported OS mappings—OS mappings imported from Management Center for Cisco Security
Agents (CSA MC).
Imported OS mappings are global and apply to all virtual sensors. For information on configuring
the sensor to use CSA MC, see Configuring the External Product Interface, page 35-23.
3. Learned OS mappings—OS mappings observed by the sensor through the fingerprinting of TCP
packets with the SYN control bit set.
Learned OS mappings are local to the virtual sensor that sees the traffic.
When the sensor needs to determine the OS for a target IP address, it consults the configured OS
mappings. If the target IP address is not in the configured OS mappings, the sensor looks in the imported
OS mappings. If the target IP address is not in the imported OS mappings, the sensor looks in the learned
OS mappings. If it cannot find it there, the sensor treats the OS of the target IP address as unknown.
Tip You can configure Event Action Filter rules to use the OS relevancy value of the target, and configure
signatures to identify the OSes vulnerable to a signature.
Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only)
Use the OS Identification tab on the Event Actions Network Information policy to configure operating
system (OS) host mappings, which take precedence over imported and learned OS mappings. On the OS
Identification tab you can add, edit, and delete configured OS maps. You can also move them up and
down in the list: the sensor checks the configured mappings from the top of the list down and uses the
first entry whose IP address range set contains the target address, so the position of an entry decides
which OS is associated with that address, and therefore which attack relevance rating and risk rating the
sensor computes for that IP address and OS type combination. Place more specific mappings above
broader ones; overlapping range sets are allowed, but the entry nearest the top of the list wins.
Note OS Identification applies to IPS 6.0+ sensors only and does not apply to Cisco IOS IPS devices.
Configured OS mappings allow for ranges, so for network 192.168.1.0/24 you might define the following:

IP Address Range Set                     OS
192.168.1.1                              IOS
192.168.1.2-192.168.1.10,192.168.1.25    UNIX
192.168.1.1-192.168.1.255                Windows

Here 192.168.1.1 is also covered by the last entry, but it resolves to IOS because the single-host entry
sits above it; the Windows entry only catches addresses in the /24 that no earlier entry matched.
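The following Python is an added worked example, not code from the Cisco Security Manager guide or
from the IPS sensor itself. It models the OS resolution order described above (configured mappings,
then imported, then learned, else unknown), the top-down first-match rule for configured range sets,
and the parsing of an "IP Address Range Set" cell such as 192.168.1.2-192.168.1.10,192.168.1.25. The
virtual sensor names, the imported and learned tables and the signature's vulnerable-OS list are
constructed for the example; the relevance outcomes (relevant, not relevant, unknown) follow the text,
but the numeric rating values the sensor assigns to them are not shown on this page and are not modelled.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# All sensor names, mappings and addresses below are constructed for the
# example; they are not taken from a real Cisco IPS configuration.

IntRange = Tuple[int, int]


def parse_range_set(spec: str) -> List[IntRange]:
    """Parse an 'IP Address Range Set' cell, e.g.
    '192.168.1.2-192.168.1.10,192.168.1.25', into (low, high) integer pairs.
    Entries are comma-separated; each is a single address or 'low-high'."""
    ranges: List[IntRange] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_txt, hi_txt = part.split("-", 1)
            lo = ipaddress.IPv4Address(lo_txt.strip())
            hi = ipaddress.IPv4Address(hi_txt.strip())
        else:
            lo = hi = ipaddress.IPv4Address(part)
        if int(hi) < int(lo):
            raise ValueError(f"descending range in range set: {part!r}")
        ranges.append((int(lo), int(hi)))
    return ranges


def in_range_set(ip: str, ranges: Sequence[IntRange]) -> bool:
    """True if ip falls inside any (low, high) pair of the range set."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


class OsResolver:
    """Resolve a target's OS the way the section describes: configured
    mappings (per virtual sensor, top of list first, first match wins),
    then imported mappings (global), then learned mappings (local to the
    virtual sensor), else 'unknown'."""

    def __init__(self,
                 configured: Dict[str, List[Tuple[str, str]]],
                 imported: Dict[str, str],
                 learned: Dict[str, Dict[str, str]]) -> None:
        # Pre-parse every configured range set, preserving list order.
        self.configured = {
            vs: [(parse_range_set(spec), os_name) for spec, os_name in rows]
            for vs, rows in configured.items()
        }
        self.imported = imported
        self.learned = learned

    def resolve(self, vsensor: str, ip: str) -> Tuple[str, str]:
        """Return (os_name, source) where source names the table that answered."""
        for ranges, os_name in self.configured.get(vsensor, []):
            if in_range_set(ip, ranges):
                return os_name, "configured"
        if ip in self.imported:
            return self.imported[ip], "imported"
        learned_here = self.learned.get(vsensor, {})
        if ip in learned_here:
            return learned_here[ip], "learned"
        return "unknown", "none"


def attack_relevance(target_os: str, vulnerable_oses: Sequence[str]) -> str:
    """Classify a signature's relevance to the resolved target OS."""
    if target_os == "unknown":
        return "unknown"
    return "relevant" if target_os in vulnerable_oses else "not relevant"


# Constructed sample tables. The configured rows are the table from the text,
# for a hypothetical virtual sensor "vs0"; vs1 has no configured mappings.
CONFIGURED = {
    "vs0": [
        ("192.168.1.1", "IOS"),
        ("192.168.1.2-192.168.1.10,192.168.1.25", "UNIX"),
        ("192.168.1.1-192.168.1.255", "Windows"),
    ],
}
IMPORTED = {"192.168.2.5": "UNIX"}                       # global, all vsensors
LEARNED = {"vs0": {"192.168.2.5": "Windows", "192.168.2.9": "Windows"}}
WINDOWS_ONLY_SIG = ("Windows",)                          # hypothetical signature


def demo() -> Dict[str, Tuple[str, str]]:
    resolver = OsResolver(CONFIGURED, IMPORTED, LEARNED)
    return {key: resolver.resolve(*key.split("/"))
            for key in ("vs0/192.168.1.1", "vs0/192.168.1.25", "vs0/192.168.1.200",
                        "vs0/192.168.2.5", "vs0/192.168.2.9", "vs1/192.168.2.9")}


if __name__ == "__main__":
    for target, (os_name, source) in demo().items():
        print(f"{target:20} -> {os_name:8} ({source}); "
              f"Windows-only signature: {attack_relevance(os_name, WINDOWS_ONLY_SIG)}")
```

The cases worth noting in the output: 192.168.1.1 resolves to IOS even though the Windows entry
also covers it, because the single-host entry is higher in the list; 192.168.2.5 resolves to UNIX from
the imported table even though vs0 has learned Windows for it; and 192.168.2.9 is Windows on vs0
but unknown on vs1, because learned mappings are local to the virtual sensor that saw the traffic.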