https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560174#M66395 <HTML><HEAD></HEAD><BODY><P>Here's the config guide on how risk rating is calculated:</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html#wp1067121">http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html#wp1067121</A></P></BODY></HTML> Thu, 30 Sep 2010 01:12:09 GMT Jia Liu 2010-09-30T01:12:09Z https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560173#M66394 <P>I'm trying to understand the risk rating calculation on an IPS4240 sensor.&nbsp; From what I can tell, it looks like there are some additional parameters added to the equation that are not easy to determine.&nbsp; It looks like the ARR (Attack Relevancy Rating) and/or WLR (Watch List Rating) are making changes (i.e. being added to the RR), but I cannot find any values for these.&nbsp; Are there default values for ARR that the system uses?&nbsp; What about the WLR, can that be viewed anywhere?</P><P></P><P>Any help is appreciated.</P><P></P><P>Thanks,</P><P>Pat</P> Sun, 10 Mar 2019 12:08:30 GMT https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560173#M66394 pcoughlin01 2019-03-10T12:08:30Z https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560174#M66395 <HTML><HEAD></HEAD><BODY><P>Here's the config guide on how risk rating is calculated:</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html#wp1067121">http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html#wp1067121</A></P></BODY></HTML> Thu, 30 Sep 2010 01:12:09 GMT https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560174#M66395 Jia Liu 2010-09-30T01:12:09Z https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560175#M66396 <HTML><HEAD></HEAD><BODY><P>Thanks, I've seen that too, but it doesn't tell you the values that actually get added.&nbsp; It says that the ARR is a derived value (relevant, unknown, or not relevant), which is determined at alert time, however it doesn't tell you what the numeric value actually is.&nbsp; From events that I'm seeing, I can determine most of the other values, but I still can't come up with the same RR that the sensor does, so I'm guessing that there's some ARR value that's added.&nbsp; In other words, does a "relevant" o/s get 50 points, while an unknown only gets 20?&nbsp; It's those values that I'm looking for.&nbsp;&nbsp; Also, on the event in question, the signature lists the os type as "general" (I think), which also looks to have some internal ARR value.</P><P></P><P>Any help with those ARR values is appreciated.</P><P></P><P>Thanks,</P><P>Pat</P></BODY></HTML> Thu, 30 Sep 2010 15:19:45 GMT https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560175#M66396 pcoughlin01 2010-09-30T15:19:45Z https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560176#M66399 <HTML><HEAD></HEAD><BODY><P>Hi Pat,</P><P></P><P>I guess below is what you are looking for:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/web/about/security/intelligence/ipsmit.html">http://www.cisco.com/web/about/security/intelligence/ipsmit.html</A></P><P></P><P>It says the below:</P><P></P><P>"<STRONG>Attack Relevancy Rating: </STRONG>The Attack Relevancy Rating&nbsp; (ARR) is an IPS-generated value that&nbsp; indicates if the attack target may&nbsp; be vulnerable to an event-specific attack.&nbsp; This information is&nbsp; normally gathered through passive operating system identification but&nbsp; can also be defined by a&nbsp; user or gathered through integration with the&nbsp; Cisco Security Agent Management&nbsp; Console. If the operating system of the&nbsp; targeted device is&nbsp; unknown, there is no change to the&nbsp; risk rating.&nbsp; However, if the&nbsp; targeted device operating system is discovered to be&nbsp; relevant, the risk rating&nbsp; increases by 10 in both Inline and&nbsp; Promiscuous modes. If the targeted device operating system is found&nbsp; to&nbsp; be irrelevant, the risk rating in Promiscuous mode is reduced by&nbsp; 10,&nbsp; and no change occurs in Inline mode."</P><P></P><P>Let me know if this clears things up.</P><P></P><P>Thanks and Regards,</P><P>Prapanch</P></BODY></HTML> Thu, 30 Sep 2010 15:53:41 GMT https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560176#M66399 praprama 2010-09-30T15:53:41Z https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560177#M66405 <HTML><HEAD></HEAD><BODY><P>Excellent, thanks.&nbsp; That's what I was looking for.</P><P></P><P>Pat</P></BODY></HTML> Thu, 30 Sep 2010 17:19:52 GMT https://community.cisco.com/t5/network-security/help-with-risk-rating-calculation/m-p/1560177#M66405 pcoughlin01 2010-09-30T17:19:52Z