Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 39 Configuring Event Action Rules
Configuring IPS Event Action Network Information
More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is
allowed, but the entry closest to the beginning of the list takes precedence.
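The first-match rule above means a broad mapping placed ahead of a narrower one silently hides it. The following added example (not Cisco or Security Manager code) models that ordering and flags entries that can never match; the function names and OS labels are hypothetical, and the address syntax is assumed to be the comma-separated host, network, and range form this page shows for address fields.

```python
import ipaddress

def parse_spec(spec):
    """Parse 'net/len, host, lo-hi' (comma-separated) into (lo, hi) integer ranges."""
    ranges = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in item:
            lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after range end: {item}")
        elif "/" in item:
            net = ipaddress.IPv4Network(item, strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        else:
            lo = hi = int(ipaddress.IPv4Address(item))
        ranges.append((lo, hi))
    return ranges

def first_match(mappings, addr):
    """OS label of the first entry, in list order, whose ranges contain addr."""
    ip = int(ipaddress.IPv4Address(addr))
    for spec, os_label in mappings:
        if any(lo <= ip <= hi for lo, hi in parse_spec(spec)):
            return os_label
    return None

def _covered(rng, earlier):
    """True if every address in rng lies in the union of the earlier ranges."""
    lo, hi = rng
    for e_lo, e_hi in sorted(earlier):
        if e_lo > lo:               # gap before the next earlier range starts
            return False
        lo = max(lo, e_hi + 1)      # covered up to e_hi, continue from there
        if lo > hi:
            return True
    return False

def shadowed(mappings):
    """Indexes of entries fully covered by entries above them (they never match)."""
    hidden, seen = [], []
    for idx, (spec, _label) in enumerate(mappings):
        ranges = parse_spec(spec)
        if ranges and all(_covered(r, seen) for r in ranges):
            hidden.append(idx)
        seen.extend(ranges)
    return hidden

BROAD_FIRST = [("10.10.10.0/24", "linux"), ("10.10.10.10", "windows")]     # constructed sample
SPECIFIC_FIRST = [("10.10.10.10", "windows"), ("10.10.10.0/24", "linux")]  # constructed sample
```

With `BROAD_FIRST`, the host entry for 10.10.10.10 is reported as shadowed and the address resolves to the /24 entry's label; `SPECIFIC_FIRST` resolves it to the host entry as intended.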
Tip: A bug in IPS 6.0 versions lower than 6.0(5) affects the Network Information policy. If you make
configuration changes on the Threat Value Ratings tab, then even if you change nothing on the OS
Identification tab, Security Manager configures the device to use the any variable for restricting OS
mappings to addresses. This can result in your monitoring application showing “any” as the event
locality for all events. The solution is to upgrade the IPS version on your sensor. The workaround is to
enter a non-default value in the Restrict to these IP Addresses field on the OS Identification tab, even
if you are not configuring specific OS mappings. For example, enter 0.0.0.1-255.255.255.255 instead of
“any” or 0.0.0.0-255.255.255.255.
Navigation Path
- (Device view) Select IPS > Event Actions > Network Information from the Policy selector, then
  click the OS Identification tab.
- (Policy view, IPS appliances and service modules) Select IPS > Event Actions > Network
  Information, then select an existing policy or create a new one. Click the OS Identification tab.
Related Topics
Configuring IPS Event Action Network Information, page 39-14
Understanding the IPS Event Action Process, page 39-1
Field Reference
Table 39-6 OS Identification Tab
Element: Enable Passive OS Fingerprinting
Description:
When selected, lets the sensor perform passive OS analysis. You must
enable this option for any of the maps configured on this page to be
used.
Passive OS fingerprinting functions as part of the sensor. As the sensor
analyzes network traffic between hosts, the sensor stores the identity of
the OS running on the hosts alongside the IP addresses of the hosts. The
sensor determines the identity of the OSes on the hosts by inspecting
characteristics of the packets exchanged on the network. The sensor
then uses the target system’s OS information to compute the ARR
(Attack Relevance Rating) component for the RR (Risk Rating). The
RR can then be used to drop suspicious packets.
For more information about passive OS fingerprinting, see
Understanding Passive OS Fingerprinting, page 39-17.

Element: Restricted to these IP Addresses
Description:
Restricts attack relevance rating calculation to the specified addresses.
You can specify addresses using the following techniques:
- Enter the name of a single network/host object, or click Select to
  select an object from a list or to create a new one. The object can
  contain a group of networks, hosts, and address ranges.
- A comma-separated list of host or network addresses or address
  ranges. For example, 10.10.10.0/24, 10.10.10.10,
  10.10.10.2-10.10.10.254.