Cisco IPS v6 Risk Ratings
The Cisco IPS Sensor generates risk ratings that are assigned to alerts which provides the administrator with an indication to the severity of the alert. There are six values which are used in the calculation of the Risk Rating :
- ASR (Attack severity rating)
- TVR (Target Value Rating)
- SFR (Signature fidelity Rating)
- ARR (Attack relevancy rating)
- PD (Promiscuous delta)
- WLR (Watch List Rating)
The formula for calculating the Risk Rating is as follows : RR = ASR * TVR * SFR + AAR - PD + WLR
Attack severity rating
Configured on a per signature basis. The ASR indicates how dangerous the detected event is. There are 4 severity levels :
- Information (25)
- Log (50)
- Medium (75)
- High (100)
Target Value Rating
The TVR identifies the importance of a network asset through its IP address.
TVRs are configured within the event rules, and are assigned numeric values which are used to calculate the risk rating value. Current values for configured targets are:
- Zero (50)
- Low (75)
- Medium (100)
- High (150)
- Mission Critical (200)
Signature fidelity Rating
The SFR is configured on a per signature basis. This indicates how accurate the signature writer has determined the signature is at detecting the necessary attack. Valid numbers for SFR are 0 to 100.
Attack Relevance Rating
The ARR is not configurable. ARR Values are as follows
- Relevant (10)
- Unknown (0)
- Not Relevant (-10)
The AAR allows the system to add relevance to an attack based on the victim’s operating system. Such as an IIS attack which would be given a higher AAR if it was being targeted at a Windows server rather than if it was targeted towards an Apache server.
The PD is only relevant when the IPS sensor is operating within promiscuous mode. If the sensor is inline the PD is subtracted from the Risk Rating. The PD lowers the risk rating of certain alerts when functioning within promiscuous mode.
Watch List Rating
The WLR is derived from the watch list within the Cisco Works Management Center for CSA. The watch list is a list of IP's that is has determined eligible for quarantine. If the attacked of alerts is found on the watch list the WLR for that attacker is added to the rating.