09-29-2010 09:48 AM - edited 03-10-2019 05:08 AM
I'm trying to understand the risk rating calculation on an IPS4240 sensor. From what I can tell, it looks like there are some additional parameters added to the equation that are not easy to determine. It looks like the ARR (Attack Relevancy Rating) and/or WLR (Watch List Rating) are making changes (i.e. being added to the RR), but I cannot find any values for these. Are there default values for ARR that the system uses? What about the WLR, can that be viewed anywhere?
Any help is appreciated.
Thanks,
Pat
09-30-2010 08:53 AM
Hi Pat,
I guess below is what you are looking for:
http://www.cisco.com/web/about/security/intelligence/ipsmit.html
It says the following:
"Attack Relevancy Rating: The Attack Relevancy Rating (ARR) is an IPS-generated value that indicates if the attack target may be vulnerable to an event-specific attack. This information is normally gathered through passive operating system identification but can also be defined by a user or gathered through integration with the Cisco Security Agent Management Console. If the operating system of the targeted device is unknown, there is no change to the risk rating. However, if the targeted device operating system is discovered to be relevant, the risk rating increases by 10 in both Inline and Promiscuous modes. If the targeted device operating system is found to be irrelevant, the risk rating in Promiscuous mode is reduced by 10, and no change occurs in Inline mode."
Let me know if this clears things up.
Thanks and Regards,
Prapanch
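The quoted ARR rule is a small decision table (unknown OS: no change; relevant OS: +10 in both modes; irrelevant OS: -10 in Promiscuous mode only), and the practical question in this thread is how to reconcile an observed risk rating with one computed by hand. The following Python is an added example, not Cisco's code or anything from the linked page. It assumes the rest of the risk rating (everything except the ARR term) has already been computed and is passed in as `base_rr`, and that the risk rating is clamped to the 0-100 range; the event inputs are constructed.

```python
"""Attack Relevancy Rating (ARR) adjustment as described in the quoted text.

Added example, not Cisco's implementation. Assumptions: base_rr is the risk
rating before the ARR term is applied, and the final risk rating is a value
in the 0-100 range.
"""
from enum import Enum


class Mode(Enum):
    INLINE = "inline"
    PROMISCUOUS = "promiscuous"


class Relevance(Enum):
    RELEVANT = "relevant"          # target OS is vulnerable to this attack
    UNKNOWN = "unknown"            # passive OS fingerprinting has no answer
    NOT_RELEVANT = "not_relevant"  # target OS is not affected


def arr_delta(relevance: Relevance, mode: Mode) -> int:
    """Return the ARR contribution to the risk rating per the quoted rule."""
    if relevance is Relevance.RELEVANT:
        return 10   # +10 in both Inline and Promiscuous modes
    if relevance is Relevance.NOT_RELEVANT and mode is Mode.PROMISCUOUS:
        return -10  # -10 only in Promiscuous mode
    return 0        # unknown OS, or irrelevant OS while Inline: no change


def apply_arr(base_rr: int, relevance: Relevance, mode: Mode) -> int:
    """Apply the ARR term and clamp to the assumed 0-100 risk rating range."""
    return max(0, min(100, base_rr + arr_delta(relevance, mode)))


def infer_relevance(base_rr: int, observed_rr: int, mode: Mode) -> list:
    """Which OS relevance values would explain the RR the sensor reported?

    Useful when a hand-computed base rating and the sensor's RR disagree by a
    multiple of 10: the result lists every relevance that closes the gap.
    """
    return [r for r in Relevance if apply_arr(base_rr, r, mode) == observed_rr]


if __name__ == "__main__":
    # Constructed example: hand-computed base of 60, sensor reports 70.
    print(arr_delta(Relevance.RELEVANT, Mode.INLINE))            # 10
    print(arr_delta(Relevance.NOT_RELEVANT, Mode.PROMISCUOUS))   # -10
    print(infer_relevance(60, 70, Mode.PROMISCUOUS))             # [RELEVANT]
    print(infer_relevance(60, 60, Mode.INLINE))                  # UNKNOWN or NOT_RELEVANT
```

Note that in Inline mode an unknown OS and an irrelevant OS produce the same rating, so the ARR alone cannot distinguish them; only in Promiscuous mode do the three cases map to three different values.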
09-29-2010 06:12 PM
Here's the config guide on how risk rating is calculated:
09-30-2010 08:19 AM
Thanks, I've seen that too, but it doesn't tell you the values that actually get added. It says that the ARR is a derived value (relevant, unknown, or not relevant), which is determined at alert time, however it doesn't tell you what the numeric value actually is. From events that I'm seeing, I can determine most of the other values, but I still can't come up with the same RR that the sensor does, so I'm guessing that there's some ARR value that's added. In other words, does a "relevant" o/s get 50 points, while an unknown only gets 20? It's those values that I'm looking for. Also, on the event in question, the signature lists the os type as "general" (I think), which also looks to have some internal ARR value.
Any help with those ARR values is appreciated.
Thanks,
Pat
09-30-2010 10:19 AM
Excellent, thanks. That's what I was looking for.
Pat