Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1131
Views
0
Helpful
4
Replies

Help with Risk Rating calculation

Go to solution
pcoughlin01
Level 1
Level 1

‎09-29-2010 09:48 AM - edited ‎03-10-2019 05:08 AM

I'm trying to understand the risk rating calculation on an IPS4240 sensor.  From what I can tell, it looks like there are some additional parameters added to the equation that are not easy to determine.  It looks like the ARR (Attack Relevancy Rating) and/or WLR (Watch List Rating) are making changes (i.e. being added to the RR), but I cannot find any values for these.  Are there default values for ARR that the system uses?  What about the WLR, can that be viewed anywhere?

Any help is appreciated.

Thanks,

Pat

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
praprama
Cisco Employee
Cisco Employee
In response to pcoughlin01

‎09-30-2010 08:53 AM

Hi Pat,

I guess below is what you are looking for:

http://www.cisco.com/web/about/security/intelligence/ipsmit.html

It says the below:

"Attack Relevancy Rating: The Attack Relevancy Rating  (ARR) is an IPS-generated value that  indicates if the attack target may  be vulnerable to an event-specific attack.  This information is  normally gathered through passive operating system identification but  can also be defined by a  user or gathered through integration with the  Cisco Security Agent Management  Console. If the operating system of the  targeted device is  unknown, there is no change to the  risk rating.  However, if the  targeted device operating system is discovered to be  relevant, the risk rating  increases by 10 in both Inline and  Promiscuous modes. If the targeted device operating system is found  to  be irrelevant, the risk rating in Promiscuous mode is reduced by  10,  and no change occurs in Inline mode."

Let me know if this clears things up.

Thanks and Regards,

Prapanch

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jia Liu
Cisco Employee
Cisco Employee

‎09-29-2010 06:12 PM

Here's the config guide on how risk rating is calculated:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html#wp1067121

0 Helpful

Go to solution
pcoughlin01
Level 1
Level 1
In response to Jia Liu

‎09-30-2010 08:19 AM

Thanks, I've seen that too, but it doesn't tell you the values that actually get added.  It says that the ARR is a derived value (relevant, unknown, or not relevant), which is determined at alert time, however it doesn't tell you what the numeric value actually is.  From events that I'm seeing, I can determine most of the other values, but I still can't come up with the same RR that the sensor does, so I'm guessing that there's some ARR value that's added.  In other words, does a "relevant" o/s get 50 points, while an unknown only gets 20?  It's those values that I'm looking for.   Also, on the event in question, the signature lists the os type as "general" (I think), which also looks to have some internal ARR value.

Any help with those ARR values is appreciated.

Thanks,

Pat

0 Helpful

Go to solution
praprama
Cisco Employee
Cisco Employee
In response to pcoughlin01

‎09-30-2010 08:53 AM

Hi Pat,

I guess below is what you are looking for:

http://www.cisco.com/web/about/security/intelligence/ipsmit.html

It says the below:

"Attack Relevancy Rating: The Attack Relevancy Rating  (ARR) is an IPS-generated value that  indicates if the attack target may  be vulnerable to an event-specific attack.  This information is  normally gathered through passive operating system identification but  can also be defined by a  user or gathered through integration with the  Cisco Security Agent Management  Console. If the operating system of the  targeted device is  unknown, there is no change to the  risk rating.  However, if the  targeted device operating system is discovered to be  relevant, the risk rating  increases by 10 in both Inline and  Promiscuous modes. If the targeted device operating system is found  to  be irrelevant, the risk rating in Promiscuous mode is reduced by  10,  and no change occurs in Inline mode."

Let me know if this clears things up.

Thanks and Regards,

Prapanch

0 Helpful

Go to solution
pcoughlin01
Level 1
Level 1
In response to praprama

‎09-30-2010 10:19 AM

Excellent, thanks.  That's what I was looking for.

Pat

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card