1. It seems that in my test network passive OS fingerprinting isn't working at all. The sensor is unable to fingerprint IOS 12.4, Windows 2000 Pro, Solaris 8 and most Internet sites, including www.cisco.com :)
S1# sh statistics os-identification
Statistics for Virtual Sensor vs0
IP = 126.96.36.199 (bsd)
IP = 188.8.131.52 (bsd)
The sensor learned the above 2 mappings after Internet browsing. Has anybody had success with this feature? Should some specific requirements be met for this feature to work?
2. It is documented that if an attack is not relevant, the ARR=10 should be subtracted from the RR. This doesn't hold true. Am I missing something here? (If an attack is relevant, the ARR=10 is added -- this works well.)