OS fingerprinting restriction

Answered Question
Jul 3rd, 2007
User Badges:
  • Blue, 1500 points or more

Does the "Restrict OS Mapping and ARR to these addresses" actually work in IPS V6? I have configured this for only my own networks and Internet hosts are still showing up by the thousands.

mhellman Mon, 07/09/2007 - 14:06
User Badges:
  • Blue, 1500 points or more

Can you explain why you think this? Do you actually have it working in a production environment? We are running 6.0(2)E1. There is a newer version that was just released, 6.0(3)E1, but the readme says nothing about this.


This seems pretty trivial to configure. You go into the event action rules policy, click the OS identifications tab, enter a network address range, and click apply. I can disable OS identification, clear the list, and then re-enable it, and immediately it starts populating the list with addresses outside the range I provided. Is there something I'm missing?

Correct Answer
marcabal Mon, 07/09/2007 - 15:01
User Badges:
  • Cisco Employee,

It's been awhile since I've dealt with this configuration setting.


But if my memory serves me correctly it always learns the OS for any address it can; that setting controls whether or not it uses what it learned when calculating the Attack Relevancy Rating portion of the Risk Rating.


If the address is within the list, then it includes the OS within the alert and will modify the risk rating of the alert depending on whether the OS is relevant or not for that signature.


If the address is NOT within the list, then when it generates the alert it will not list the OS and will not modify the risk rating based on the OS relevance.


So if I remember right that setting does not prevent the learning, but instead only prevents whether or not the learned OS is used for attack relevancy rating in calculating the risk rating.


To check if my memory is correct can you look at the actual alerts being generated and see if the OS is being listed and if the risk rating is being modified because of the OS relevancy.


The CLI command for this is just:

calc-arr-for-ip-range: 0.0.0.0-255.255.255.255

The CLI command does not mention whether or not the OS will be learned, just whether or not arr (attack relevance rating) will be calculated based on the OS relevancy.


When they wrote IDM, they incorrectly assumed that it would also prevent the learning. In which case IDM needs to be modified to only reference the ARR and not the learning.
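
The distinction drawn in this answer (the sensor learns an OS for every address it sees, while the ARR range only decides whether that knowledge shows up in the alert and moves the Risk Rating) can be checked against a small model. The following is an added example written for this page, not Cisco's code: the range syntax follows the `calc-arr-for-ip-range` line above, but the +10/-10 adjustments, the 0-100 clamp, the network addresses and the OS names are constructed assumptions for illustration.

```python
# Added example (not Cisco code): a toy model of the behaviour described above.
# The sensor passively learns an OS for every address it sees; the
# calc-arr-for-ip-range scope only controls whether the learned OS is reported
# in the alert and used to adjust the Risk Rating (RR).
# Adjustment values and the 0-100 clamp are assumptions for illustration.
import ipaddress
from typing import Dict, List, Tuple

IntRange = Tuple[int, int]


def parse_ip_ranges(spec: str) -> List[IntRange]:
    """Parse 'a.b.c.d-e.f.g.h,x.y.z.w' into inclusive integer ranges."""
    ranges: List[IntRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start = int(ipaddress.IPv4Address(lo))
        end = int(ipaddress.IPv4Address(hi)) if hi else start
        if end < start:
            raise ValueError(f"reversed range: {item}")
        ranges.append((start, end))
    return ranges


def in_arr_scope(ip: str, ranges: List[IntRange]) -> bool:
    """True when ip falls inside any configured ARR range."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


class ToySensor:
    # Assumed adjustments: a relevant target OS raises RR, an irrelevant one lowers it.
    RELEVANT_ADJ = 10
    IRRELEVANT_ADJ = -10

    def __init__(self, calc_arr_for_ip_range: str) -> None:
        self.arr_ranges = parse_ip_ranges(calc_arr_for_ip_range)
        self.learned_os: Dict[str, str] = {}  # passive OS map, unbounded in this toy

    def observe(self, ip: str, fingerprinted_os: str) -> None:
        """Passive learning happens for every address, regardless of ARR scope."""
        self.learned_os[ip] = fingerprinted_os

    def build_alert(self, target_ip: str, signature_target_oses: List[str],
                    base_rr: int) -> dict:
        """Emit an alert; OS and RR adjustment appear only for in-scope targets."""
        alert = {"target": target_ip, "rr": base_rr, "os": None, "arr_applied": False}
        if not in_arr_scope(target_ip, self.arr_ranges):
            return alert  # OS was learned, but is neither listed nor used
        os_name = self.learned_os.get(target_ip)
        if os_name is None:
            return alert  # nothing learned yet for this address
        alert["os"] = os_name
        adj = self.RELEVANT_ADJ if os_name in signature_target_oses else self.IRRELEVANT_ADJ
        alert["rr"] = max(0, min(100, base_rr + adj))
        alert["arr_applied"] = True
        return alert


def demo():
    """Constructed scenario: one internal host in scope, one Internet host out of scope."""
    sensor = ToySensor("10.1.1.0-10.1.1.255")      # constructed 'own network' scope
    sensor.observe("10.1.1.5", "windows")          # constructed fingerprint
    sensor.observe("203.0.113.9", "linux")         # constructed Internet host (TEST-NET-3)
    inside = sensor.build_alert("10.1.1.5", ["windows"], 75)
    outside = sensor.build_alert("203.0.113.9", ["linux"], 75)
    return sensor, inside, outside


if __name__ == "__main__":
    s, inside, outside = demo()
    print("learned:", s.learned_os)   # both addresses, in scope or not
    print("inside:", inside)
    print("outside:", outside)
```

Running `demo()` shows the learned map holding both addresses while only the in-scope alert carries an OS and an adjusted RR, which is exactly what the poster above was asked to look for in the real alerts.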


mhellman Tue, 07/10/2007 - 05:03
User Badges:
  • Blue, 1500 points or more

Do you know if there is any limit to the number of OS fingerprinting entries?

Correct Answer
marcabal Tue, 07/10/2007 - 07:15
User Badges:
  • Cisco Employee,

There are 3 types of OS fingerprinting: Configured, Imported, and Passive.


Configured OS maps have a number-of-characters limit. When configuring the OS maps you can have one list of IP ranges assigned to each OS type. That list of IP ranges has a maximum size in number of characters, but not in number of addresses.

For example:

A list of "10.1.1.1,10.1.1.2,10.1.1.3,10.1.1.5,10.1.1.6,10.1.1.7" contains 6 addresses and uses 53 characters.

A list of "10.1.1.1-10.1.1.4,10.1.1.5-10.1.1.7" contains the same list of 6 addresses but only uses 35 characters.

There is an upper limit to the total number of characters, but I can't remember what that upper limit is. The number of addresses that can fit within that limit will depend on how large your ranges are.


Imported OS maps are imported from the Cisco Security Agent Management Center (CSA MC). There is a 10,000 address limit for imported OS mappings from CSA MC.


Passive OS maps are limited by sensor memory.

Any time a packet is seen with a new address, the sensor will create a database node for that address for the tracking of signatures. Included in that node is a field of the passively detected OS. So the total number of IP Addresses that can be mapped for Passive OS at any one time is the number of nodes that the sensor's internal database can handle at any one time.

When a node is removed (haven't seen traffic from that address for a while) then the passive OS knowledge for that IP is also removed.

Or if the database gets full then oldest unused nodes and their passive OS information are automatically removed for newer nodes.

So the number of passive OSs that can be learned is the same as the number of IP addresses that the sensor is monitoring at any given time.
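
Two of the limits in this answer lend themselves to a worked example: the configured-map limit is counted in characters, so packing addresses into ranges is what buys room, and the passive map is bounded by sensor nodes with the oldest unused entries dropped when it fills. The code below is an added example written for this page, not Cisco's code. It compresses the six-address list quoted above into ranges and counts the characters, and it models the node table as a bounded least-recently-seen map; the table size, the eviction policy and the sample addresses are assumptions for illustration.

```python
# Added example (not Cisco code). Two toy helpers for the limits described above:
#  1. compress configured OS-map addresses into "lo-hi" ranges, because the
#     configured-map limit is measured in characters rather than addresses;
#  2. a bounded passive OS table that drops the least recently seen address
#     when full, as the answer describes for the sensor's node database.
# The table size and eviction policy are assumptions for illustration.
import ipaddress
from collections import OrderedDict
from typing import Iterable, List, Optional


def compress_to_ranges(addresses: Iterable[str]) -> str:
    """Sort and deduplicate IPv4 addresses, merging consecutive ones into 'lo-hi'."""
    nums = sorted({int(ipaddress.IPv4Address(a.strip())) for a in addresses})
    parts: List[str] = []
    i = 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        lo = str(ipaddress.IPv4Address(nums[i]))
        hi = str(ipaddress.IPv4Address(nums[j]))
        parts.append(lo if i == j else f"{lo}-{hi}")
        i = j + 1
    return ",".join(parts)


def expand_ranges(spec: str) -> List[str]:
    """Inverse of compress_to_ranges: 'a-b,c' -> every address as a string."""
    out: List[str] = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        start = int(ipaddress.IPv4Address(lo))
        end = int(ipaddress.IPv4Address(hi)) if hi else start
        out.extend(str(ipaddress.IPv4Address(n)) for n in range(start, end + 1))
    return out


def fits_char_limit(spec: str, limit: int) -> bool:
    """The configured-map check: the limit applies to the string, not the address count."""
    return len(spec) <= limit


class PassiveOsTable:
    """Bounded map ip -> OS; evicts the least recently seen address when full."""

    def __init__(self, max_nodes: int) -> None:
        self.max_nodes = max_nodes
        self._nodes: "OrderedDict[str, str]" = OrderedDict()

    def see(self, ip: str, os_name: Optional[str] = None) -> None:
        """Record traffic from ip; optionally update its passively detected OS."""
        if ip in self._nodes:
            self._nodes.move_to_end(ip)          # most recently seen goes last
            if os_name is not None:
                self._nodes[ip] = os_name
            return
        if len(self._nodes) >= self.max_nodes:
            self._nodes.popitem(last=False)      # oldest unused node is dropped
        self._nodes[ip] = os_name or ""

    def os_for(self, ip: str) -> Optional[str]:
        """Learned OS for ip, or None once its node has been evicted."""
        return self._nodes.get(ip) or None

    def __len__(self) -> int:
        return len(self._nodes)


if __name__ == "__main__":
    flat = "10.1.1.1,10.1.1.2,10.1.1.3,10.1.1.5,10.1.1.6,10.1.1.7"   # list from the answer
    packed = compress_to_ranges(flat.split(","))
    print(len(flat), "chars flat;", len(packed), "chars packed:", packed)
    table = PassiveOsTable(max_nodes=2)                              # constructed tiny limit
    for ip, os_name in [("10.1.1.1", "windows"), ("10.1.1.2", "linux"), ("10.1.1.3", "bsd")]:
        table.see(ip, os_name)
    print("10.1.1.1 after eviction:", table.os_for("10.1.1.1"))
```

For the six addresses quoted in the answer the flat list is 53 characters and the packed form is 35, and `expand_ranges` recovers the original addresses from the packed string, so the check against a configured limit can be made on the compact form without losing anything.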

