fir3net

Cisco IPS v6 Risk Ratings

The Cisco IPS Sensor assigns a Risk Rating (RR) to every alert it generates, giving the administrator an indication of the alert's severity. Six values are used in the calculation of the Risk Rating:

  1. ASR (Attack Severity Rating)
  2. TVR (Target Value Rating)
  3. SFR (Signature Fidelity Rating)
  4. ARR (Attack Relevance Rating)
  5. PD (Promiscuous Delta)
  6. WLR (Watch List Rating)

The formula for calculating the Risk Rating is as follows:

    RR = (ASR * TVR * SFR) / 10,000 + ARR - PD + WLR

Attack Severity Rating

The ASR is configured on a per-signature basis and indicates how dangerous the detected event is. There are four severity levels:

  • Informational (25)
  • Low (50)
  • Medium (75)
  • High (100)

Target Value Rating

The TVR identifies the importance of a network asset by its IP address.
TVRs are configured within the event action rules, and each is assigned a numeric value that is used in the Risk Rating calculation. The values for configured targets are:

  • Zero (50)
  • Low (75)
  • Medium (100)
  • High (150)
  • Mission Critical (200)

Signature Fidelity Rating

The SFR is configured on a per-signature basis. It indicates how accurately, in the signature writer's judgment, the signature detects the attack it is written for. Valid values for the SFR are 0 to 100.

Attack Relevance Rating

The ARR is not configurable. The ARR values are as follows:

  • Relevant (10)
  • Unknown (0)
  • Not Relevant (-10)

The ARR allows the system to add relevance to an attack based on the victim's operating system. For example, an IIS attack is given a higher ARR when it is targeted at a Windows server than when it is targeted at an Apache server.

Promiscuous Delta

The PD is only relevant when the IPS sensor is operating in promiscuous mode: in that mode the PD is subtracted from the Risk Rating, lowering the rating of certain alerts. For an inline sensor the PD does not apply.

Watch List Rating

The WLR is derived from the watch list within the CiscoWorks Management Center for CSA. The watch list is a list of IP addresses that CSA MC has determined to be eligible for quarantine. If the attacker in an alert is found on the watch list, the WLR for that attacker is added to the rating.
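The following Python script is an added example, not code from Fir3net or from Cisco: it works the RR formula above through for a few constructed alerts, using the ASR, TVR and ARR value tables from this article. The alert records, the SFR/PD/WLR values and the 0 to 100 clamp are assumptions of the example (the sensor reports RR on a 0 to 100 scale, which the article's formula alone can exceed for a high-value target).

```python
"""Worked Cisco IPS v6 Risk Rating calculation (added example, not Cisco or Fir3net code)."""

# Value tables as given in the article.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission_critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not_relevant": -10}


def risk_rating(asr, tvr, sfr, arr=0, pd=0, wlr=0, promiscuous=False, clamp=True):
    """Compute RR = (ASR * TVR * SFR) / 10,000 + ARR - PD + WLR.

    The PD is applied only when the sensor runs in promiscuous mode; an inline
    sensor does not subtract it. The final clamp to 0..100 is an assumption of
    this example (the sensor's RR scale), not something stated in the article.
    """
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be between 0 and 100")
    applied_pd = pd if promiscuous else 0
    raw = (asr * tvr * sfr) / 10_000 + arr - applied_pd + wlr
    if not clamp:
        return raw
    return max(0.0, min(100.0, raw))


# Constructed sample alerts (not real sensor output). Each carries the values
# the sensor would have looked up per signature, per target and per attacker.
SAMPLE_ALERTS = [
    {"sig": "IIS exploit vs Windows web server", "asr": "high",
     "tvr": "mission_critical", "sfr": 85, "arr": "relevant",
     "pd": 0, "wlr": 0, "promiscuous": False},
    {"sig": "Informational scan vs lab host", "asr": "informational",
     "tvr": "zero", "sfr": 70, "arr": "unknown",
     "pd": 5, "wlr": 0, "promiscuous": True},
    {"sig": "Medium sig, attacker on CSA watch list", "asr": "medium",
     "tvr": "medium", "sfr": 90, "arr": "not_relevant",
     "pd": 0, "wlr": 25, "promiscuous": False},
]


def rate_alerts(alerts):
    """Return (signature name, RR) pairs sorted from highest to lowest RR."""
    rated = []
    for a in alerts:
        rr = risk_rating(ASR[a["asr"]], TVR[a["tvr"]], a["sfr"],
                         arr=ARR[a["arr"]], pd=a["pd"], wlr=a["wlr"],
                         promiscuous=a["promiscuous"])
        rated.append((a["sig"], rr))
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for sig, rr in rate_alerts(SAMPLE_ALERTS):
        print(f"{rr:6.2f}  {sig}")
```

The first alert shows why the clamp matters: 100 * 200 * 85 / 10,000 is already 170 before the relevance bonus, so a high-severity, high-fidelity signature against a mission-critical target saturates the rating, which is exactly the behaviour the TVR is meant to produce. The second shows the PD only taking effect because that sensor is in promiscuous mode; the third shows a watch-listed attacker lifting an otherwise moderate alert.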

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001