IPS 6.x "high risk events" denied by default

Answered Question
May 15th, 2007

I'm curious what factor determines if something is "high risk" in regards to denying packets by default... Alert severity is the only thing that has a "high" rating. Risk Rating is the product of severity x fidelity (assuming default target value)... so what's "high"?


I see a lot of things that are high severity but low fidelity... For instance, I don't want this thing denying text posts that have the word "select" followed by the word "from" (SQL injection).


Thanks - Al

Correct Answer by marcabal, Tue, 05/15/2007 - 08:38


High Risk is a Risk Rating Range of 90-100.


By default there is an Event Action Override that will add a deny-packet-inline event action to any alert with a Risk Rating of 90-100.


This can be seen in the configuration:

    qsensor-8095(config)# service event-action-rules rules0
    qsensor-8095(config-eve)# show set
    variables (min: 0, max: 256, current: 0)
    -----------------------------------------------
    -----------------------------------------------
    overrides (min: 0, max: 15, current: 1)
    -----------------------------------------------
    action-to-add: deny-packet-inline
    -----------------------------------------------
    override-item-status: Disabled default: Enabled
    risk-rating-range: 90-100
    -----------------------------------------------
    -----------------------------------------------


ALAN HARKRADER Tue, 05/15/2007 - 09:30

Excellent... I had my own override for RR=100 in 5.x (100% fidelity reqd), so this is along the same lines. Thanks!

marcabal Tue, 05/15/2007 - 09:36

Just so you are aware.


If you already have an event-action-override for deny-packet-inline configured in 5.x and upgrade to 6.0, then your 5.x configuration will carry forward into 6.0 and be used instead of the 6.0 default.


So if you set it to 100 in 5.x, then when you upgrade to 6.x it will still be 100 (the 100 will replace the default 90-100).
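To make the Risk Rating arithmetic and the override behaviour from this thread concrete, here is an added example (not from the thread or from Cisco): it computes RR as severity x target value x fidelity, applies the default 90-100 deny-packet-inline override from marcabal's answer, and contrasts it with a carried-forward 5.x override pinned to 100. The numeric scales for severity and target value are assumptions based on Cisco's documented ratings, and the 6.x relevancy, promiscuous-delta and watch-list adjustments are left out.

```python
# Added example modelling Cisco IPS 6.x risk-rating math and event-action
# overrides. Scale values below are assumptions, not taken from the thread.

# Attack Severity Rating (ASR), assumed scale for the alert severity.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating (TVR), assumed scale; "medium" is the default.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# The 6.x default override from the "show set" output: RR 90-100 adds deny-packet-inline.
DEFAULT_OVERRIDES = [("deny-packet-inline", (90, 100))]
# What a 5.x override pinned to RR=100 looks like after carrying forward on upgrade.
LEGACY_OVERRIDES = [("deny-packet-inline", (100, 100))]


def risk_rating(severity, fidelity, target_value="medium"):
    """RR = ASR * TVR * SFR / 10000, capped at 100 (integer math assumed)."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0-100")
    rr = ASR[severity] * TVR[target_value] * fidelity // 10000
    return min(rr, 100)


def actions_for(severity, fidelity, target_value="medium",
                overrides=DEFAULT_OVERRIDES, sig_actions=("produce-alert",)):
    """Return (RR, sorted actions): the signature's own actions plus any
    action-to-add whose risk-rating-range contains the computed RR."""
    rr = risk_rating(severity, fidelity, target_value)
    actions = set(sig_actions)
    for action, (lo, hi) in overrides:
        if lo <= rr <= hi:
            actions.add(action)
    return rr, sorted(actions)


if __name__ == "__main__":
    # High-severity but low-fidelity alert (the "select ... from" case): RR 40, no deny.
    print(actions_for("high", 40))
    # High severity and high fidelity: RR 95, default override adds deny-packet-inline.
    print(actions_for("high", 95))
    # Same event under a carried-forward 5.x override (100 only): alert only.
    print(actions_for("high", 95, overrides=LEGACY_OVERRIDES))
    # A high-value target pushes a fidelity-70 alert past the cap and into the deny range.
    print(actions_for("high", 70, "high"))
```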