IPS 6.x "high risk events" denied by default

ALAN HARKRADER
Level 4

I'm curious what factor determines if something is "high risk" with regard to denying packets by default... Alert severity is the only thing that has a "high" rating. Risk Rating is the product of severity x fidelity (assuming default target value)... so what's "high"?

I see a lot of things that are high severity but low fidelity... For instance, I don't want this thing denying text posts that have the word "select" followed by the word "from" (SQL injection).

Thanks - Al

Accepted Solution

marcabal
Cisco Employee

High Risk is a Risk Rating Range of 90-100.

By default there is an Event Action Override that will add a deny-packet-inline event action to any alert with a Risk Rating of 90-100.

This can be seen in the configuration:

qsensor-8095(config)# service event-action-rules rules0
qsensor-8095(config-eve)# show set
variables (min: 0, max: 256, current: 0)
-----------------------------------------------
-----------------------------------------------
overrides (min: 0, max: 15, current: 1)
-----------------------------------------------
action-to-add: deny-packet-inline
-----------------------------------------------
override-item-status: Disabled default: Enabled
risk-rating-range: 90-100
-----------------------------------------------
-----------------------------------------------


Excellent... I had my own override for RR=100 in 5.x (100% fidelity required), so this is along the same lines. Thanks!

Just so you are aware.

If you already have an event-action-override for deny-packet-inline configured in 5.x and upgrade to 6.0, then your 5.x configuration will carry forward into 6.0 and be used instead of the 6.0 default.

So if you set it to 100 in 5.x, then when you upgrade to 6.x it will still be 100 (the 100 will replace the default 90-100).
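As an added example (not code from the thread or from Cisco), a small Python model of the behaviour discussed above: Risk Rating computed as severity x fidelity at the default target value, an Event Action Override that adds deny-packet-inline over a risk-rating-range, and a comparison of the 6.0 default range 90-100 against a carried-forward 5.x range of 100. The numeric severity scale and the sample alerts are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Assumption: alert severity levels mapped onto a 0-100 scale (constructed values).
SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}

@dataclass
class Alert:
    sig_id: int
    name: str
    severity: str   # key into SEVERITY
    fidelity: int   # Signature Fidelity Rating, 0-100

def risk_rating(alert: Alert) -> int:
    """Risk Rating as the thread describes it: severity x fidelity at the
    default target value, normalised back to the 0-100 scale."""
    return SEVERITY[alert.severity] * alert.fidelity // 100

def parse_range(spec: str) -> tuple[int, int]:
    """Parse a risk-rating-range such as '90-100' or a single value such as '100'."""
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi) if hi else int(lo))

def override_actions(alert: Alert, rr_range: str, enabled: bool = True) -> set[str]:
    """Actions an Event Action Override adds to this alert (empty if it is disabled)."""
    if not enabled:
        return set()
    lo, hi = parse_range(rr_range)
    return {"deny-packet-inline"} if lo <= risk_rating(alert) <= hi else set()

# Constructed alerts: a high-severity/high-fidelity one and a high-severity/low-fidelity
# one (the "select ... from" keyword match the question is worried about).
ALERTS = [
    Alert(1, "constructed high-fidelity exploit", "high", 95),
    Alert(2, "constructed SQL keyword match", "high", 70),
    Alert(3, "constructed informational probe", "informational", 100),
]

def summarise(rr_range: str) -> dict[int, tuple[int, bool]]:
    """Per alert: (Risk Rating, whether deny-packet-inline gets added)."""
    return {a.sig_id: (risk_rating(a), "deny-packet-inline" in override_actions(a, rr_range))
            for a in ALERTS}

if __name__ == "__main__":
    print("6.0 default 90-100:     ", summarise("90-100"))
    print("carried-forward 5.x 100:", summarise("100"))
```

With the 6.0 default only the 95-rated alert is denied; the low-fidelity keyword match scores 70 and is left alone, while a carried-forward range of 100 denies nothing in this sample.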
