Does the "Restrict OS Mapping and ARR to these addresses" actually work in IPS V6? I have configured this for only my own networks and Internet hosts are still showing up by the thousands.
There are 3 types of OS fingerprinting: Configured, Imported, and Passive.
Configured OS maps have a limit on the number of characters. When configuring the OS maps you can have one list of IP ranges assigned to each OS type. That list of IP ranges has a maximum size in number of characters, but not in number of addresses.
A list of "10.1.1.1,10.1.1.2,10.1.1.3,10.1.1.5,10.1.1.6,10.1.1.7" contains 6 addresses and uses 53 characters.
A list of "10.1.1.1-10.1.1.4,10.1.1.5-10.1.1.7" contains the same list of 6 addresses but only uses 35 characters.
There is an upper limit to the total number of characters, but I can't remember what that upper limit is. The number of addresses that can fit within that limit will depend on how large your ranges are.
Imported OS maps are imported from the Cisco Security Agent Management Center (CSA MC). There is a 10,000 address limit for imported OS mappings from CSA MC.
Passive OS maps are limited by sensor memory.
Any time a packet is seen with a new address, the sensor will create a database node for that address for the tracking of signatures. Included in that node is a field of the passively detected OS. So the total number of IP Addresses that can be mapped for Passive OS at any one time is the number of nodes that the sensor's internal database can handle at any one time.
When a node is removed (haven't seen traffic from that address for awhile) then the passive OS knowledge for that IP is also removed.
Or if the database gets full then oldest unused nodes and their passive OS information are automatically removed for newer nodes.
So the number of passive OSes that can be learned is the same as the number of IP addresses that the sensor is monitoring at any given time.
It's been awhile since I've dealt with this configuration setting.
But if my memory serves me correctly, it always learns the OS for any address it can; that setting controls whether or not it uses what it learned when calculating the Attack Relevancy Rating portion of the Risk Rating.
If the address is within the list, then it includes the OS within the alert and will modify the risk rating of the alert based on whether or not the OS is relevant for that signature.
If the address is NOT within the list, then when it generates the alert it will not list the OS and will not modify the risk rating based on the OS relevance.
So if I remember right that setting does not prevent the learning, but instead only prevents whether or not the learned OS is used for attack relevancy rating in calculating the risk rating.
To check if my memory is correct, can you look at the actual alerts being generated and see if the OS is being listed and if the risk rating is being modified because of the OS relevancy?
The CLI command for this is just:
The CLI command does not mention whether or not the OS will be learned, just whether or not arr (attack relevance rating) will be calculated based on the OS relevancy.
When they wrote IDM, they incorrectly assumed that it would also prevent the learning. In which case IDM needs to be modified to only reference the ARR and not the Learning.
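The character-limit discussion above is easy to get wrong by hand, so here is an added example (not from the original thread, and not a Cisco tool) that parses a configured OS map address list in the "a.b.c.d" / "a.b.c.d-w.x.y.z" comma-separated form the post uses, merges overlapping and adjacent entries into the fewest ranges, and reports the character count and the number of addresses actually covered. The exact upper character limit is not stated in the thread, so it is taken as a parameter rather than hard-coded.

```python
import ipaddress
from typing import List, Tuple

# An inclusive IPv4 range stored as a pair of integers (lo, hi).
Interval = Tuple[int, int]


def parse_os_map_list(text: str) -> List[Interval]:
    """Parse a comma-separated list of single IPv4 addresses and a-b ranges.

    The entry syntax ("10.1.1.1" or "10.1.1.1-10.1.1.4") follows the examples
    in the post; this parser is an assumption about the format, not Cisco code.
    """
    intervals: List[Interval] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, _, hi_s = item.partition("-")
        lo = int(ipaddress.IPv4Address(lo_s.strip()))
        hi = int(ipaddress.IPv4Address(hi_s.strip())) if hi_s else lo
        if hi < lo:
            raise ValueError(f"reversed range: {item!r}")
        intervals.append((lo, hi))
    return intervals


def merge_intervals(intervals: List[Interval]) -> List[Interval]:
    """Sort and merge overlapping or directly adjacent ranges into the fewest intervals."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        # "lo <= last_hi + 1" treats 10.1.1.4 and 10.1.1.5 as contiguous, so
        # "10.1.1.1-10.1.1.4,10.1.1.5-10.1.1.7" collapses to one range.
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def format_os_map_list(intervals: List[Interval]) -> str:
    """Render intervals back into the a.b.c.d / a.b.c.d-w.x.y.z list form."""
    parts = []
    for lo, hi in intervals:
        a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        parts.append(str(a) if lo == hi else f"{a}-{b}")
    return ",".join(parts)


def compact_os_map_list(text: str) -> str:
    """Return the shortest equivalent list string for the given address list."""
    return format_os_map_list(merge_intervals(parse_os_map_list(text)))


def address_count(text: str) -> int:
    """Number of distinct IPv4 addresses covered by the list (duplicates counted once)."""
    return sum(hi - lo + 1 for lo, hi in merge_intervals(parse_os_map_list(text)))


def fits_limit(text: str, char_limit: int) -> bool:
    """True if the compacted form of the list fits within char_limit characters."""
    return len(compact_os_map_list(text)) <= char_limit


if __name__ == "__main__":
    # Constructed sample input, taken from the post's first example list.
    sample = "10.1.1.1,10.1.1.2,10.1.1.3,10.1.1.5,10.1.1.6,10.1.1.7"
    compact = compact_os_map_list(sample)
    print(f"original : {len(sample)} chars, {address_count(sample)} addresses")
    print(f"compacted: {len(compact)} chars -> {compact}")
```

Running the block prints the character count of the list as typed and of its compacted form, so you can see how much of the (unknown) character budget a given set of internal networks will consume before pasting it into the sensor configuration.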