Cisco IPS 4255 Sensor White Paper
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
value for this factor is between 0 and 35. (The watch list rating was introduced in Cisco IPS
Sensor Software Version 6.0.)
The formula to calculate risk rating in Cisco IPS Sensor Software Version 6.0 is:
Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each
event and helps you focus on high-risk events.
Threat Rating Calculation
Threat rating is a quantitative measure of your network’s threat level after IPS mitigation. The
formula for threat rating is:
Threat Rating = Risk Rating – Alert Rating
The values of the alert ratings are listed below.
● 45: deny-attacker-inline
● 40: deny-attacker-victim-pair-inline
● 40: deny-attacker-service-pair-inline
● 35: deny-connection-inline
● 35: deny-packet-inline
● 35: modify-packet-inline
● 20: request-block-host
● 20: request-block-connection
● 20: reset-tcp-connection
● 20: request-rate-limit
For example, if an alert had a risk rating of 100 and the IPS mitigated the event with a deny-attacker-inline action, the threat rating would be calculated as:
Threat Rating = Risk Rating – Alert Rating, or 100 – 45 = 55.
Threat rating brings the value of risk rating to a new level. By taking the IPS mitigation action into
account, threat rating helps you further focus on the most important threats that have not been
mitigated.
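The following added example (not part of the original white paper, and not Cisco code) applies the threat rating formula to a small set of constructed alerts and orders them by what remains after mitigation. It assumes a risk rating range of 0 to 100, that only the largest alert rating is deducted when several actions fire, and that the result is floored at 0; the alert records and the names threat_rating and triage are hypothetical.

```python
# Alert rating deducted for each mitigation action (values from the list above).
ALERT_RATING = {
    "deny-attacker-inline": 45,
    "deny-attacker-victim-pair-inline": 40,
    "deny-attacker-service-pair-inline": 40,
    "deny-connection-inline": 35,
    "deny-packet-inline": 35,
    "modify-packet-inline": 35,
    "request-block-host": 20,
    "request-block-connection": 20,
    "reset-tcp-connection": 20,
    "request-rate-limit": 20,
}


def threat_rating(risk_rating, actions):
    """Threat Rating = Risk Rating - Alert Rating.

    Assumptions (not stated on the page): risk rating lies in 0..100, only
    the largest alert rating among the actions is deducted, actions that are
    not in the table (for example alert-only actions) deduct nothing, and
    the result never drops below 0.
    """
    if not 0 <= risk_rating <= 100:
        raise ValueError("risk rating must be between 0 and 100")
    deduction = max((ALERT_RATING.get(a, 0) for a in actions), default=0)
    return max(risk_rating - deduction, 0)


def triage(alerts):
    """Return the alerts annotated with threat_rating, highest residual first."""
    rated = [dict(a, threat_rating=threat_rating(a["risk_rating"], a["actions"]))
             for a in alerts]
    return sorted(rated, key=lambda a: a["threat_rating"], reverse=True)


# Constructed sample alerts (hypothetical signature labels, not real sensor output).
SAMPLE_ALERTS = [
    {"sig": "sig-A", "risk_rating": 100, "actions": ["produce-alert", "deny-attacker-inline"]},
    {"sig": "sig-B", "risk_rating": 80, "actions": ["produce-verbose-alert"]},
    {"sig": "sig-C", "risk_rating": 95, "actions": ["deny-packet-inline", "reset-tcp-connection"]},
    {"sig": "sig-D", "risk_rating": 50, "actions": ["produce-alert"]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(alert["sig"], alert["risk_rating"], alert["threat_rating"])
```

The unmitigated alert with a risk rating of 80 sorts ahead of the risk rating 100 alert that was denied inline, which is the prioritization the threat rating is meant to give an analyst.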
Policy Definition Based on Risk Rating and Threat Rating
Risk rating and threat rating allow you to easily build powerful policies with Cisco IPS Device
Manager embedded in the IPS sensor, or Cisco Security Manager, an advanced multidevice policy
management application. With Cisco IPS Device Manager or Cisco Security Manager event action
override, you can apply policies based on risk rating. For example, you can build the following
policy:
90 < risk rating < 100, deny packet inline
70 < risk rating < 89, produce verbose alert
59 < risk rating < 60, produce alert
You can easily tune your IPS by changing the risk rating thresholds for each action. Furthermore,
you can create exceptions with the event action filters. For example, you can create an exception