Calculating The Risk Rating - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide

Step 5
Exit event action rules submode:
sensor(config-rul)# exit
Apply Changes:?[yes]:
Step 6
Press Enter to apply your changes or type no to discard them.

Calculating the Risk Rating
An RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with
a particular event on the network. The calculation takes into account the value of the network asset being
attacked (for example, a particular server), so it is configured on a per-signature basis (ASR and SFR)
and on a per-server basis (TVR).
RRs let you prioritize alerts that need your attention. These RR factors take into consideration the
severity of the attack if it succeeds, the fidelity of the signature, and the overall value of the target host
to you. The RR is reported in the evIdsAlert.
The following values are used to calculate the RR for a particular event:
Note
RR is a product of ASR, SFR, TVR, and ARR with an optional PD (promiscuous delta) subtracted in
promiscuous mode only.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
Attack Severity Rating—A weight associated with the severity of a successful exploit of the
vulnerability.
The ASR is derived from the alert severity parameter of the signature.
Signature Fidelity Rating—A weight associated with how well this signature might perform in the
absence of specific knowledge of the target.
SFR is calculated by the signature author on a per-signature basis. The signature author defines a
baseline confidence ranking for the accuracy of the signature in the absence of qualifying
intelligence on the target. It represents the confidence that the detected behavior would produce the
intended effect on the target platform if the packet under analysis were allowed to be delivered. For
example, a signature that is written with very specific rules (specific Regex) has a higher SFR than
a signature that is written with generic rules.
Target Value Rating—A weight associated with the perceived value of the target.
TVR is a user-configurable value that identifies the importance of a network asset (through its IP
address). You can develop a security policy that is more stringent for valuable corporate resources
and looser for less important resources. For example, you could assign a TVR to the company web
server that is higher than the TVR you assign to a desktop node. In this example, attacks against the
company web server have a higher RR than attacks against the desktop node.
Chapter 6: Configuring Event Action Rules
78-16527-01