Before we go live (in-line) with this IPS AIP-SSM, I just noted a feature I hadn't used before, the OS Fingerprinting. Under monitoring I see no entries. If I go look at it's configuration passive discovery is enabled (am seeing lots of signatures fire in promiscuous mode). There are no static entries defined.
Question: will the OS passive fingerprinting actually populate the OS window in monitoring while the IPS is running in prom. mode - do you have to be in in-line mode for this to function?
(Didn't see anything else to configure to make it work ortherwise...)
This is a known problem with the SSM:
Plan is to fix in a future service pack for the SSM.
Until that service pack the "learning" feature for OS fingerprinting will not work on the SSM. You can still use the configure/static option or import form CSA MC option to set the OS entries.