Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2442
Views
0
Helpful
0
Comments

How to create custom risk rating on the IPS

TCC_2
Level 10
Level 10

‎06-22-2009 06:08 PM - edited ‎03-08-2019 06:27 PM

Resolution

 

An Risk Rating (RR) is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network. The calculation takes into account the value of the network asset being attacked (for example, a particular server) so it is configured on a per-signature basis (ASR and SFR) and on a per-server basis (TVR).

 

RRs let you prioritize alerts that need your attention. These RR factors take into consideration the severity of the attack if it succeeds, the fidelity of the signature, and the overall value of the target host to you. The RR is reported in the evIdsAlert.

 

These values are used in order to calculate the RR for a particular event:

 

  • Attack Severity Rating (ASR)—A weight associated with the severity of a successful exploit of the vulnerability. The ASR is derived from the alert severity parameter of the signature.

     

  • Signature Fidelity Rating (SFR)—A weight associated with how well this signature can perform in the absence of specific knowledge of the target. SFR is calculated by the signature author on a per-signature basis. The signature author defines a baseline confidence ranking for the accuracy of the signature in the absence of qualifying intelligence on the target.

     

  • Target Value Rating (TVR)—A weight associated with the perceived value of the target. TVR is a user-configurable value that identifies the importance of a network asset through its IP address. You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources.

 

Note: RR is a product of ASR, SFR, and TVR with an optional promiscuous delta (PD) subtracted in promiscuous mode only.

 

To create custom risk rating (RR) you can configure the values in TVR, which as a result affects the RR. Following commands configure TVR for host 10.89.130.108:

 

sensor# configure terminal
sensor(config)# service event-action-rules rules0 

 

sensor(config-rul)# target-value target-value-setting mission-critical target-address

10.89.130.108

Scenario 2:

Problem:

User have a 5510 and am going to install the AIP10SP-K9 SSM module and am wondering what the gigabit port that comes on this is used for? Is it just for remote management?

Solution:

Yes, you are right with your assumption. This is the Command & Control-Port where you assign an IP-address and where you access your IPS with SSH and IDM. SDEE events are communicated through this interface. So this port has to be connected for example to your management-VLAN.

 

Refer to these documents for more information:

 

Problem Type

Troubleshoot software feature

How to (General Information)

 

Product Family

IDS/IPS - 4200 series sensor

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents