Help with Risk Rating calculation

Answered Question
Sep 29th, 2010

I'm trying to understand the risk rating calculation on an IPS4240 sensor.  From what I can tell, it looks like there are some additional parameters added to the equation that are not easy to determine.  It looks like the ARR (Attack Relevancy Rating) and/or WLR (Watch List Rating) are making changes (i.e. being added to the RR), but I cannot find any values for these.  Are there default values for ARR that the system uses?  What about the WLR, can that be viewed anywhere?


Any help is appreciated.


Thanks,

Pat

pcoughlin01 Thu, 09/30/2010 - 08:19

Thanks, I've seen that too, but it doesn't tell you the values that actually get added.  It says that the ARR is a derived value (relevant, unknown, or not relevant), which is determined at alert time, however it doesn't tell you what the numeric value actually is.  From events that I'm seeing, I can determine most of the other values, but I still can't come up with the same RR that the sensor does, so I'm guessing that there's some ARR value that's added.  In other words, does a "relevant" o/s get 50 points, while an unknown only gets 20?  It's those values that I'm looking for.   Also, on the event in question, the signature lists the os type as "general" (I think), which also looks to have some internal ARR value.


Any help with those ARR values is appreciated.


Thanks,

Pat

Correct Answer by praprama (Cisco Employee), Thu, 09/30/2010 - 08:53

Hi Pat,


I guess below is what you are looking for:


http://www.cisco.com/web/about/security/intelligence/ipsmit.html


It says the below:


"Attack Relevancy Rating: The Attack Relevancy Rating (ARR) is an IPS-generated value that indicates if the attack target may be vulnerable to an event-specific attack. This information is normally gathered through passive operating system identification but can also be defined by a user or gathered through integration with the Cisco Security Agent Management Console. If the operating system of the targeted device is unknown, there is no change to the risk rating. However, if the targeted device operating system is discovered to be relevant, the risk rating increases by 10 in both Inline and Promiscuous modes. If the targeted device operating system is found to be irrelevant, the risk rating in Promiscuous mode is reduced by 10, and no change occurs in Inline mode."


Let me know if this clears things up.


Thanks and Regards,

Prapanch
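As an added example (not code from this thread or from Cisco), the script below applies the ARR rules quoted above together with the rest of the risk-rating formula, so an observed RR can be reconciled field by field and the ARR the sensor must have applied can be inferred. The base formula RR = ASR * TVR * SFR / 10000 + ARR + PD + WLR, its clamp to 0..100, integer truncation of the division, and PD being subtracted only in promiscuous mode are assumptions taken from Cisco's IPS 6.x risk-rating documentation, not from this page.

```python
# Added example: reconstruct a Cisco IPS risk rating (RR) and infer the ARR.
# Assumptions beyond the quoted text (from Cisco IPS 6.x docs, not this thread):
#   RR = (ASR * TVR * SFR) / 10000 + ARR + PD + WLR, clamped to 0..100,
#   the division truncates to an integer, and PD applies in promiscuous mode only.
# The ARR values themselves are exactly those in the quoted Cisco text.

ARR_TABLE = {
    # (OS relevance verdict, sensor mode) -> ARR contribution to the RR
    ("relevant", "inline"): 10,
    ("relevant", "promiscuous"): 10,
    ("unknown", "inline"): 0,
    ("unknown", "promiscuous"): 0,
    ("irrelevant", "inline"): 0,         # no change in inline mode
    ("irrelevant", "promiscuous"): -10,  # reduced by 10 in promiscuous mode
}


def attack_relevancy_rating(relevance: str, mode: str) -> int:
    """ARR contribution for an OS-relevance verdict and a sensor mode."""
    key = (relevance.lower(), mode.lower())
    if key not in ARR_TABLE:
        raise ValueError(f"unsupported relevance/mode: {key}")
    return ARR_TABLE[key]


def risk_rating(asr: int, tvr: int, sfr: int, relevance: str = "unknown",
                mode: str = "inline", pd: int = 0, wlr: int = 0) -> int:
    """Compute RR. ASR/TVR/SFR are 0-100, PD 0-30, WLR 0-100 (assumed ranges)."""
    base = (asr * tvr * sfr) // 10000          # assumed integer truncation
    delta = pd if mode.lower() == "promiscuous" else 0
    rr = base + attack_relevancy_rating(relevance, mode) - delta + wlr
    return max(0, min(100, rr))               # sensor reports RR in 0..100


def infer_relevance(observed_rr: int, asr: int, tvr: int, sfr: int,
                    mode: str = "inline", pd: int = 0, wlr: int = 0) -> list:
    """Return the OS-relevance verdict(s) whose ARR reproduces observed_rr,
    i.e. the reconciliation Pat was doing by hand against sensor events."""
    return sorted({rel for (rel, m) in ARR_TABLE if m == mode.lower()
                   and risk_rating(asr, tvr, sfr, rel, mode, pd, wlr) == observed_rr})


if __name__ == "__main__":
    # Constructed event: ASR 75, TVR 100, SFR 85, inline mode, no PD or WLR.
    for rel in ("relevant", "unknown", "irrelevant"):
        print(rel, risk_rating(75, 100, 85, rel, "inline"))
    print(infer_relevance(73, 75, 100, 85, "inline"))  # ['relevant']
```

Note that in inline mode "unknown" and "irrelevant" both contribute 0, so an observed RR alone cannot tell those two verdicts apart; only promiscuous mode separates them.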

pcoughlin01 Thu, 09/30/2010 - 10:19

Excellent, thanks.  That's what I was looking for.


Pat
