7-14
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Target Value Ratings
The following values are used to calculate the risk rating for a particular event:

Signature fidelity rating (SFR)—A weight associated with how well this signature might perform in the absence of specific knowledge of the target. The signature fidelity rating is configured per signature and indicates how accurately the signature detects the event or condition it describes. It is set by the signature author on a per-signature basis: the author defines a baseline confidence ranking for the accuracy of the signature in the absence of qualifying intelligence on the target. It represents the confidence that the detected behavior would produce the intended effect on the target platform if the packet under analysis were allowed to be delivered. For example, a signature that is written with very specific rules (a specific regular expression) has a higher signature fidelity rating than a signature that is written with generic rules.

Note The signature fidelity rating does not indicate how bad the detected event may be.

Attack severity rating (ASR)—A weight associated with the severity of a successful exploit of the vulnerability. The attack severity rating is derived from the alert severity parameter (informational, low, medium, or high) of the signature. It is configured per signature and indicates how dangerous the detected event is.

Note The attack severity rating does not indicate how accurately the event is detected.

Target value rating (TVR)—A weight associated with the perceived value of the target. Target value rating is a user-configurable value (zero, low, medium, high, or mission critical) that identifies the importance of a network asset (through its IP address). You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources. For example, you could assign the company web server a higher target value rating than you assign to a desktop node; attacks against the web server then have a higher risk rating than the same attacks against the desktop node. Target value rating is configured in the event action rules policy.

Attack relevance rating (ARR)—A weight associated with the relevance of the targeted operating system. Attack relevance rating is a derived value (relevant, unknown, or not relevant) that is determined at alert time. The relevant operating systems are configured per signature.

Promiscuous delta (PD)—A weight that can be subtracted from the overall risk rating in promiscuous mode. Promiscuous delta is in the range of 0 to 30 and is configured per signature.

Note If the trigger packet is not inline, the promiscuous delta is subtracted from the rating.

Watch list rating (WLR)—A weight associated with the CSA MC watch list, in the range of 0 to 100 (CSA MC only uses the range 0 to 35). If the attacker for the alert is found on the watch list, the watch list rating for that attacker is added to the rating.
Figure 7-2 illustrates the risk rating formula:

Figure 7-2 Risk Rating Formula

RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR
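As an added example (not code from the Cisco guide), the following Python applies the Figure 7-2 formula to a constructed alert, including the conditions the text attaches to PD (only when the trigger packet is not inline) and WLR (only when the attacker is on the watch list). The numeric weight behind each severity, target value and relevance level, the "medium" default for hosts with no configured TVR, and the clamp to a 0-100 scale are assumptions of this example; the page itself gives only the level names, the SFR, PD and WLR ranges, and the formula.

```python
# Added example (not from the Cisco IPS guide): applies the Figure 7-2 risk
# rating formula with the conditional terms the text describes. The numeric
# weights per level are ASSUMED; the page gives only level names and ranges.
ASR_WEIGHT = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR_WEIGHT = {"zero": 50, "low": 75, "medium": 100, "high": 150,
              "mission-critical": 200}
ARR_WEIGHT = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def risk_rating(alert, target_values, watch_list):
    """RR for one alert. target_values: {target IP: TVR level} from the event
    action rules policy; watch_list: {attacker IP: WLR} (0-100, CSA MC 0-35)."""
    asr = ASR_WEIGHT[alert["alert_severity"]]  # per signature
    # TVR is looked up by target IP; hosts with no configured value fall
    # back to "medium" (assumption: the page does not state the default).
    tvr = TVR_WEIGHT[target_values.get(alert["target_ip"], "medium")]
    sfr = alert["sfr"]  # 0-100, set by the signature author
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be in 0-100")
    arr = ARR_WEIGHT[alert["relevance"]]  # derived at alert time
    # PD (0-30) is subtracted only when the trigger packet is not inline.
    pd = 0 if alert["inline"] else alert["promiscuous_delta"]
    if not 0 <= pd <= 30:
        raise ValueError("promiscuous delta must be in 0-30")
    # WLR is added only if the attacker appears on the watch list.
    wlr = watch_list.get(alert["attacker_ip"], 0)
    rr = (asr * tvr * sfr) // 10000 + arr - pd + wlr
    # Clamp to the 0-100 scale the rating is reported on (assumption: the
    # page shows only the raw formula).
    return max(0, min(100, rr))


# Constructed sample data: one signature firing against a web server
# (high TVR) and against an unconfigured desktop node.
TARGET_VALUES = {"192.0.2.10": "high"}
WATCH_LIST = {"203.0.113.7": 35}  # attacker flagged by CSA MC


def sample_alert(target_ip, attacker_ip="198.51.100.4", inline=True):
    return {"alert_severity": "low", "sfr": 80, "relevance": "relevant",
            "promiscuous_delta": 30, "inline": inline,
            "target_ip": target_ip, "attacker_ip": attacker_ip}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.55"):
        print(ip, risk_rating(sample_alert(ip), TARGET_VALUES, WATCH_LIST))
```

With these sample weights the same low-severity signature scores 70 against the web server and 50 against the desktop, drops to 20 for the desktop in promiscuous mode, and rises by 35 when the attacker is on the watch list.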