I'm trying to understand the risk rating calculation on an IPS4240 sensor. From what I can tell, it looks like there are some additional parameters added to the equation that are not easy to determine. It looks like the ARR (Attack Relevancy Rating) and/or WLR (Watch List Rating) are making changes (i.e. being added to the RR), but I cannot find any values for these. Are there default values for ARR that the system uses? What about the WLR, can that be viewed anywhere?
Any help is appreciated.
I guess below is what you are looking for:
It says the below:
"Attack Relevancy Rating: The Attack Relevancy Rating (ARR) is an IPS-generated value that indicates if the attack target may be vulnerable to an event-specific attack. This information is normally gathered through passive operating system identification but can also be defined by a user or gathered through integration with the Cisco Security Agent Management Console. If the operating system of the targeted device is unknown, there is no change to the risk rating. However, if the targeted device operating system is discovered to be relevant, the risk rating increases by 10 in both Inline and Promiscuous modes. If the targeted device operating system is found to be irrelevant, the risk rating in Promiscuous mode is reduced by 10, and no change occurs in Inline mode."
Let me know if this clears things up.
Thanks and Regards,
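The ARR adjustments quoted in the answer above, as an added example that is not part of the original posts and is not Cisco code: it checks whether the gap between a signature's pre-ARR risk rating and the RR seen in an alert can be explained by ARR alone. The names `base_rr`, `apply_arr` and `explain_observed` are hypothetical, and the example assumes the risk rating is bounded to 0-100.

```python
# Added example: ARR adjustments exactly as stated in the quoted text.
# "base_rr" (the risk rating before ARR is applied) is an assumed input,
# and the 0-100 bound on the risk rating is an assumption of this example.

ARR_ADJUSTMENT = {
    "unknown":      {"inline": 0,  "promiscuous": 0},
    "relevant":     {"inline": 10, "promiscuous": 10},
    "not_relevant": {"inline": 0,  "promiscuous": -10},
}


def apply_arr(base_rr, relevance, mode):
    """Risk rating after the ARR adjustment, kept within 0-100."""
    adjusted = base_rr + ARR_ADJUSTMENT[relevance][mode]
    return max(0, min(100, adjusted))


def explain_observed(base_rr, observed_rr, mode):
    """Relevance states whose ARR adjustment alone yields observed_rr.

    An empty list means ARR cannot account for the difference, so another
    term (for example the watch list rating) must be contributing.
    """
    return [
        relevance
        for relevance in ARR_ADJUSTMENT
        if apply_arr(base_rr, relevance, mode) == observed_rr
    ]


if __name__ == "__main__":
    # Constructed sample alerts: (base RR, RR seen in the alert, sensor mode)
    samples = [
        (65, 75, "inline"),
        (65, 55, "promiscuous"),
        (65, 65, "inline"),        # ambiguous: unknown or not relevant
        (95, 100, "promiscuous"),  # +10 hits the upper bound
        (65, 90, "inline"),        # ARR alone cannot explain +25
    ]
    for base, observed, mode in samples:
        matches = explain_observed(base, observed, mode)
        print(f"base={base} observed={observed} mode={mode}: "
              f"{matches or 'not explained by ARR alone'}")
```

In Inline mode an unchanged rating is ambiguous, because both an unknown and an irrelevant target operating system leave the RR untouched.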