topic Anomaly Detection not detecting host machines (learned OS) in Network Security

Anomaly Detection not detecting host machines (learned OS)

Colin Higgins — Sun, 10 Mar 2019 13:10:56 GMT

I have an ASA5540X firewall with the internal (software based) IPS module. The module has the up-to-date signatures and seems to be running correctly. However, after enabling anomaly detection (ad0), and specifying the internal zones, I don't see any "Learned OS" in IME

My settings are pretty basic for the sensor

access-list ips_traffic extended permit ip any any

access-list ips_traffic extended permit udp any any

class-map ips_class

match access-list ips_traffic

policy-map global_policy

class ips_class

ips inline fail-open

not sure why it isn't learning the OSs

Learned OS maps—OS maps

Saurav Lodh — Fri, 11 Apr 2014 05:56:33 GMT

Learned OS maps—OS maps observed by the sensor through the fingerprinting of TCP packets with the SYN control bit set. Learned OS maps are local to the virtual sensor that sees the traffic.

can you verify the OS finger printing from

sensor# show os-identification learned

Enable passive-traffic-analysis {enabled | disabled}

I realized that the problem

Colin Higgins — Fri, 11 Apr 2014 14:19:07 GMT

I realized that the problem was a failover issue--the ASAs are in a pair, and after a failover, the IPS policies had been applied to the wrong (failover) IPS module. Once I applied them on the correct module, I could see all the learned OSs.