Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 10 Configuring Global Correlation
Table 10-1 shows how we use the data.
When you enable Partial or Full Network Participation, the Network Participation Disclaimer appears.
You must enter yes to participate. If you do not have a license installed, you receive a warning telling
you that global correlation inspection and reputation filtering are disabled until the sensor is licensed.
You can obtain a license at http://www.cisco.com/go/license.
For More Information
For information on how to obtain and install a sensor license, see Installing the License Key, page 4-56.
Understanding Reputation
Similar to human social interaction, reputation is an opinion toward a device on the Internet. It enables
the installed base of IPS sensors in the field to collaborate using the existing network infrastructure. A
network device with reputation is most likely either malicious or infected. You can view reputation
information and statistics in the IDM, IME, or the CLI.
The IPS sensor collaborates with the global correlation servers (also known as reputation servers) to
improve the efficacy of the sensor.
Table 10-1 Cisco Network Participation Data Use

Participation Level  Type of Data                                                                              Purpose
-------------------  ----------------------------------------------------------------------------------------  ------------------------------------------------------------------
Partial              Protocol attributes (TCP maximum segment size and options string, for example)            Tracks potential threats and helps us to understand threat exposure.
Partial              Attack type (signature fired and risk rating, for example)                                Used to understand current attacks and attack severity.
Partial              Connecting IP address and port                                                            Identifies attack source.
Partial              Summary IPS performance (CPU utilization, memory usage, inline vs. promiscuous, for example)  Tracks product efficacy.
Full                 Victim IP address and port                                                                Detects threat behavioral patterns.