7-15
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Target Value Ratings
Understanding Threat Rating
Threat rating is the risk rating lowered by the event actions that have been taken. Nonlogging event
actions each have a threat rating adjustment; the largest adjustment among all the event actions taken is
subtracted from the risk rating. The event actions have the following threat rating adjustments:
deny-attacker-inline—45
deny-attacker-victim-pair-inline—40
deny-attacker-service-pair-inline—40
deny-connection-inline—35
deny-packet-inline—35
modify-packet-inline—35
request-block-host—20
request-block-connection—20
reset-tcp-connection—20
request-rate-limit—20
Adding, Editing, and Deleting Target Value Ratings
Note Global correlation inspection and the reputation filtering deny features do not support IPv6 addresses.
For global correlation inspection, the sensor does not receive or process reputation data for IPv6
addresses. The risk rating for IPv6 addresses is not modified for global correlation inspection. Similarly,
network participation does not include event data for attacks from IPv6 addresses. And finally, IPv6
addresses do not appear in the deny list.
Note Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or
rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried
out.
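As an added worked example (not code from the Cisco guide), the following computes an alert's threat rating from its risk rating and the event actions taken, using the adjustment table above and the rule from the note that block and rate-limit actions are alerted but not carried out for IPv6 traffic. The produce-alert action name, the choice of which three actions the IPv6 rule covers, and the flooring at 0 are assumptions not taken from this page.

```python
# Threat rating adjustment of each non-logging event action (values from the guide).
THREAT_RATING_ADJUSTMENT = {
    "deny-attacker-inline": 45,
    "deny-attacker-victim-pair-inline": 40,
    "deny-attacker-service-pair-inline": 40,
    "deny-connection-inline": 35,
    "deny-packet-inline": 35,
    "modify-packet-inline": 35,
    "request-block-host": 20,
    "request-block-connection": 20,
    "reset-tcp-connection": 20,
    "request-rate-limit": 20,
}
# Blocking and rate-limit actions. The guide says they are not carried out for
# IPv6 traffic (alert only); assumption: these three are the affected actions.
NOT_TAKEN_FOR_IPV6 = {"request-block-host", "request-block-connection", "request-rate-limit"}


def actions_taken(configured_actions, ipv6=False):
    """Actions the sensor actually carries out for the alert."""
    if ipv6:
        return [a for a in configured_actions if a not in NOT_TAKEN_FOR_IPV6]
    return list(configured_actions)


def threat_rating(risk_rating, configured_actions, ipv6=False):
    """Risk rating minus the largest adjustment among the actions taken.

    Actions absent from the table (logging actions such as produce-alert) are
    treated as having no adjustment. Assumption not stated on this page: the
    result is floored at 0, the bottom of the risk rating's 0-100 range.
    """
    if not 0 <= risk_rating <= 100:
        raise ValueError(f"risk rating out of range: {risk_rating}")
    adjustment = max((THREAT_RATING_ADJUSTMENT.get(a, 0)
                      for a in actions_taken(configured_actions, ipv6)), default=0)
    return max(0, risk_rating - adjustment)


# Constructed sample alerts: (risk rating, configured actions, IPv6 traffic?).
SAMPLE_ALERTS = [
    (90, ["produce-alert", "deny-attacker-inline"], False),                        # 45
    (75, ["produce-alert", "request-block-host", "reset-tcp-connection"], False),  # 55
    (60, ["produce-alert"], False),                                                # 60
    (30, ["deny-packet-inline", "request-rate-limit"], False),                     # floored to 0
    (80, ["produce-alert", "request-block-host"], True),                           # block not taken: 80
]
if __name__ == "__main__":
    for rr, acts, v6 in SAMPLE_ALERTS:
        print(rr, "ipv6" if v6 else "ipv4", acts, "->", threat_rating(rr, acts, v6))
```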
You can assign a target value rating to your network assets. The target value rating is one of the factors
used to calculate the risk rating value for each alert. You can assign different target value ratings to
different targets. Events with a higher risk rating trigger more severe signature event actions.
For IPv4 addresses, use the target-value {zerovalue | low | medium | high | mission-critical}
target-address ip_address command in service event action rules submode to add target value ratings
for your network assets. The default is medium. Use the no target-value {zerovalue | low | medium | high | mission-critical}
command in service event action rules submode to delete target value ratings.
For IPv6 addresses, use the ipv6-target-value {zerovalue | low | medium | high | mission-critical}
ipv6-target-address ip_address command in service event action rules submode to add target value
ratings for your network assets. The default is medium. Use the no ipv6-target-value {zerovalue | low | medium | high | mission-critical}
command in service event action rules submode to delete target value ratings.