Filter
Top Products
39-15
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring IPS Event Action Network Information
• Passive OS fingerprinting and OS mappings (OS Identification tab)—You can enable the sensor
to use information about the operating system running on a device to determine the attack relevance
rating, which is a component of the overall risk rating.
Passive OS fingerprinting and OS mappings are available on devices running IPS 6.x+ software only,
and are not available on Cisco IOS IPS devices.
For more information, see:
–
Understanding Passive OS Fingerprinting, page 39-17
–
Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only), page 39-18
To open the Network Information policy, do one of the following:
• (Device view) Select IPS > Event Actions > Network Information from the Policy selector.
• (Policy view, IPS appliances and service modules) Select IPS > Event Actions > Network
Information, then select an existing policy or create a new one.
• (Policy view, Cisco IOS IPS devices) Select IPS (Router) > Event Actions > Network
Information, then select an existing policy or create a new one.
Configuring Target Value Ratings
You can assign target value ratings to your network assets. The target value rating is one of the factors
used to calculate the risk rating value for each alert. It identifies the perceived importance of a network
asset, which you identify by its IP address.
You can develop a security policy that is more stringent for valuable corporate resources and looser for
less important resources. For example, you could assign a target value rating to the company web server
that is higher than the target value rating you assign to a desktop node. In this example, attacks against
the company web server have a higher risk rating than attacks against the desktop node. Events with a
higher risk rating trigger more severe signature event actions.
You can configure four value ratings. From highest value to lowest: Mission Critical, High, Medium,
Low, No Value (zero value).
For a detailed explanation of how risk rating is calculated, see Calculating the Risk Rating in Installing
and Using Cisco Intrusion Prevention System Device Manager 7.0 on Cisco.com.
Tip If you are configuring target value ratings on a device that uses IPS 6.0 software lower than 6.0(5), you
might also want to update the OS Identification tab of the Network Information policy to get around a
software bug, even if you do not need to create OS maps. For detailed information, see Configuring OS
Identification (Cisco IPS 6.x and Later Sensors Only), page 39-18.
Related Topics
• Configuring IPS Event Action Network Information, page 39-14
• Understanding the IPS Event Action Process, page 39-1
Step 1 Do one of the following to open the Network Information policy:
• (Device view) Select IPS > Event Actions > Network Information from the Policy selector, then
click the IPv4 Target Value Ratings tab or the IPv6 Target Value Ratings tab.