8-14
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 8 Configuring Event Action Rules
Configuring Target Value Ratings
• Target value rating (TVR)—A weight associated with the perceived value of the target. Target value rating is a user-configurable value (zero, low, medium, high, or mission critical) that identifies the importance of a network asset (through its IP address). You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources. For example, you could assign a target value rating to the company web server that is higher than the target value rating you assign to a desktop node. In this example, attacks against the company web server have a higher risk rating than attacks against the desktop node. Target value rating is configured in the event action rules policy.
• Attack relevance rating (ARR)—A weight associated with the relevancy of the targeted operating system. Attack relevancy rating is a derived value (relevant, unknown, or not relevant), which is determined at alert time. The relevant operating systems are configured per signature.
• Promiscuous delta (PD)—A weight associated with the promiscuous delta, which can be subtracted from the overall risk rating in promiscuous mode. Promiscuous delta is in the range of 0 to 30 and is configured per signature.
Note: If the trigger packet is not inline, the promiscuous delta is subtracted from the rating.
• Watch list rating (WLR)—A weight associated with the CSA MC watch list in the range of 0 to 100 (CSA MC only uses the range 0 to 35). If the attacker for the alert is found on the watch list, the watch list rating for that attacker is added to the rating.
Figure 8-2 illustrates the risk rating formula:
Figure 8-2 Risk Rating Formula
Understanding Threat Rating
Threat rating is the risk rating lowered by the event actions that have been taken. Nonlogging event actions have a threat rating adjustment; the largest adjustment among all the event actions taken is subtracted from the risk rating. The event actions have the following threat ratings:
• deny-attacker-inline—45
• deny-attacker-victim-pair-inline—40
• deny-attacker-service-pair-inline—40
• deny-connection-inline—35
• deny-packet-inline—35
• modify-packet-inline—35
• request-block-host—20
• request-block-connection—20
• reset-tcp-connection—20
• request-rate-limit—20
Figure 8-2 Risk Rating Formula:
RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR
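The risk rating formula and the threat rating derivation above, worked through as an added example (not Cisco code): the numeric weights passed in for ASR, TVR, SFR, ARR, PD and WLR are constructed inputs, not values from this page, and the function applies PD only when the trigger packet is not inline.

```python
"""Risk rating (RR) and threat rating (TR) arithmetic as described in the
Cisco IPS 7.2 guide. Added example, not Cisco code. The sample weights in
sample_ratings() are constructed; the real numeric TVR/ARR weights come
from the sensor's event action rules policy and signature configuration."""

# Threat rating adjustment for each nonlogging event action (values from the
# guide). Logging-only actions carry no adjustment and are absent here.
THREAT_RATING_ADJUSTMENT = {
    "deny-attacker-inline": 45,
    "deny-attacker-victim-pair-inline": 40,
    "deny-attacker-service-pair-inline": 40,
    "deny-connection-inline": 35,
    "deny-packet-inline": 35,
    "modify-packet-inline": 35,
    "request-block-host": 20,
    "request-block-connection": 20,
    "reset-tcp-connection": 20,
    "request-rate-limit": 20,
}


def risk_rating(asr, tvr, sfr, arr, pd, wlr, inline):
    """RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR.

    PD is subtracted only when the trigger packet is not inline
    (promiscuous mode), as the Note in the guide states."""
    rr = (asr * tvr * sfr) / 10000 + arr + wlr
    if not inline:
        rr -= pd
    return rr


def threat_rating(rr, actions_taken):
    """Subtract the largest threat rating adjustment among the event actions
    actually taken; unknown or logging-only actions contribute 0."""
    adjustments = [THREAT_RATING_ADJUSTMENT.get(a, 0) for a in actions_taken]
    return rr - max(adjustments, default=0)


def sample_ratings():
    """Constructed scenario: ASR 75, TVR 100, SFR 80, OS relevant (ARR 10),
    PD 30, attacker not on the watch list (WLR 0)."""
    inline_rr = risk_rating(75, 100, 80, 10, 30, 0, inline=True)
    promisc_rr = risk_rating(75, 100, 80, 10, 30, 0, inline=False)
    tr = threat_rating(inline_rr, ["produce-alert", "deny-packet-inline"])
    return inline_rr, promisc_rr, tr


if __name__ == "__main__":
    print(sample_ratings())
```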