05-15-2007 07:10 AM - edited 03-10-2019 03:36 AM
I'm curious what factor determines if something is "high risk" in regards to denying packets by default... Alert severity is the only thing that has a "high" rating. Risk Rating is the product of severity x fidelity (assuming default target value)... so what's "high"?
I see a lot of things that are high severity but low fidelity... For instance, I don't want this thing denying text posts that have the word "select" followed by the word "from" (SQL injection).
Thanks - Al
05-15-2007 08:38 AM
High Risk is a Risk Rating Range of 90-100.
By default there is an Event Action Override that will add a deny-packet-inline event action to any alert with a Risk Rating of 90-100.
This can be seen in the configuration:
qsensor-8095(config)# service event-action-rules rules0
qsensor-8095(config-eve)# show set
variables (min: 0, max: 256, current: 0)
-----------------------------------------------
-----------------------------------------------
overrides (min: 0, max: 15, current: 1)
-----------------------------------------------
action-to-add: deny-packet-inline
-----------------------------------------------
override-item-status: Disabled default: Enabled
risk-rating-range: 90-100
-----------------------------------------------
-----------------------------------------------
05-15-2007 09:30 AM
Excellent... I had my own override for RR=100 in 5.x (100% fidelity reqd), so this is along the same lines. Thanks!
05-15-2007 09:36 AM
Just so you are aware.
If you already have an event-action-override for deny-packet-inline configured in 5.x and upgrade to 6.0, then your 5.x configuration will carry forward into 6.0 and be used instead of the 6.0 default.
So if you set it to 100 in 5.x, then when you upgrade to 6.x it will still be 100 (the 100 will replace the default 90-100).
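To make the accepted answer and the upgrade note above concrete, here is an added Python model (not Cisco code, not from this thread) of how an event action override decides whether deny-packet-inline gets added: it uses the simplified risk rating from the thread (severity x fidelity, default target value) and compares the 6.0 default 90-100 range with a carried-forward 5.x override of 100. The severity-to-number mapping (informational 25, low 50, medium 75, high 100) and the rounding are assumptions.

```python
"""Model of Cisco IPS event action override evaluation, as described in this
thread: an override with an enabled status and a risk-rating range adds its
action to any alert whose RR falls in that range.  Constructed example."""

# Assumed numeric value of each alert severity (attack severity rating).
SEVERITY_VALUE = {"informational": 25, "low": 50, "medium": 75, "high": 100}


def risk_rating(severity: str, fidelity: int, target_value: int = 100) -> int:
    """Simplified RR = severity * fidelity * target_value / 10000.
    With the default target value (100) this is severity x fidelity / 100."""
    if not (0 <= fidelity <= 100 and 0 <= target_value <= 100):
        raise ValueError("fidelity and target value must be 0-100")
    return round(SEVERITY_VALUE[severity] * fidelity * target_value / 10000)


def actions_for_alert(base_actions, rr, overrides):
    """Apply every enabled override whose range contains rr; return the
    resulting action set (base actions plus any added by overrides)."""
    actions = set(base_actions)
    for ov in overrides:
        lo, hi = ov["range"]
        if ov["enabled"] and lo <= rr <= hi:
            actions.add(ov["action"])
    return actions


# 6.0 default override, as shown by "show set" in the accepted answer.
DEFAULT_OVERRIDES = [
    {"action": "deny-packet-inline", "enabled": True, "range": (90, 100)},
]
# A 5.x override set to RR=100 that is carried forward on upgrade and
# therefore replaces the 90-100 default (per the last reply).
CARRIED_FORWARD_OVERRIDES = [
    {"action": "deny-packet-inline", "enabled": True, "range": (100, 100)},
]


def would_deny(severity: str, fidelity: int, overrides=DEFAULT_OVERRIDES) -> bool:
    """True if the alert would pick up deny-packet-inline under these overrides."""
    rr = risk_rating(severity, fidelity)
    return "deny-packet-inline" in actions_for_alert({"produce-alert"}, rr, overrides)


if __name__ == "__main__":
    # High-severity but low-fidelity (e.g. a loose "select ... from" signature):
    # RR 50, so the default override never denies it.
    print("high/50 ->", risk_rating("high", 50), would_deny("high", 50))
    # Same severity, fidelity 90: denied by the default, not by the RR=100 override.
    print("high/90 default:", would_deny("high", 90))
    print("high/90 carried-forward:", would_deny("high", 90, CARRIED_FORWARD_OVERRIDES))
```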