Cisco IPS v6 Risk Ratings

The Cisco IPS Sensor generates risk ratings that are assigned to alerts which provides the administrator with an indication to the severity of the alert. There are  six values which are used in the calculation of the Risk Rating :

1. ASR (Attack severity rating)
2. TVR (Target Value Rating)
3. SFR (Signature fidelity Rating)
4. ARR (Attack relevancy rating)
5. PD (Promiscuous delta)
6. WLR (Watch List Rating)

The formula for calculating the Risk Rating is as follows :     RR = ASR * TVR * SFR + AAR – PD + WLR
                                                                                                                                10,000  

Attack severity rating 

Configured on a per signature basis. The ASR indicates how dangerous the detected event is. There are 4 severity levels :  

• Information (25)
• Log (50)
• Medium (75)
• High (100)

Target Value Rating

The TVR identifies the importance of a network asset through its IP address.
TVRs are configured within the event rules, and are assigned numeric values which are  used to calculate the risk rating value. Current values for configured targets are:

• Zero (50)
• Low (75)
• Medium (100)
• High (150)
• Mission Critical (200)

Signature fidelity Rating

The SFR is configured on a per signature basis. This indicates how accurate the signature writer has determined the signature is at detecting the necessary attack. Valid numbers for SFR are 0 to 100.

Attack Relevance Rating

The ARR is not configurable. ARR Values are as follows

• Relevant (10)
• Unknown (0)
• Not Relevant (-10)

The AAR allows the system to add relevance to an attack based on the victim’s operating system. Such as an IIS attack which would be given a higher AAR if it was being targeted at a Windows server rather than if it was targeted towards an Apache server.

Promiscuous Delta

The PD is only relevant when the IPS sensor is operating within promiscuous mode. If the sensor is inline the PD is subtracted from the Risk Rating. The PD lowers the risk rating of certain alerts when functioning within promiscuous mode.

Watch List Rating

The WLR is derived from the watch list within the Cisco Works Management Center for CSA. The watch list is a list of IP’s that is has determined eligible for quarantine. If the attacked of alerts is found on the watch list the WLR for that attacker is added to the rating.

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial