IPS - Risk Rating
RR = (SFR * ASR * TVR) / 10000 + ARR - PD + WLR
The Risk Rating ranges from 0 to 100.
Signature Fidelity Rating (SFR) - 0-100
It tells us how accurately the signature detects the described network situation.
Signature Fidelity Rating is configured per signature. The more generic the signature, the lower the rating.
SFR does not describe how dangerous the event is, only how accurately the described event is detected.
Attack Severity Rating (ASR) - 25, 50, 75 or 100
It tells us how dangerous the attack is. Attack Severity Rating is configured per signature and comes from the alert severity (informational, low, medium or high).
ASR does not indicate how accurately the event is detected.
Target Value Rating (TVR) - 75, 100, 150 or 200
It tells us how important the target is. We can distinguish the following values:
- zero - 0
- low - 75
- medium - 100
- high - 150
- mission critical - 200
Attack Relevancy Rating (ARR) - relevant, unknown, not relevant
A weight associated with the relevancy of the targeted operating system. Attack relevancy rating is a derived value (relevant, unknown, or not relevant), which is determined at alert time. The relevant operating systems are configured per signature.
Promiscuous Delta (PD) - 0-30
A weight associated with the promiscuous delta, which can be subtracted from the overall risk rating in promiscuous mode. Promiscuous delta is configured per signature.
Watch List Rating (WLR) - 0-100
A weight associated with the CSA MC watch list in the range of 0 to 100 (CSA MC only uses the range 0 to 35). If the attacker for the alert is found on the watch list, the watch list rating for that attacker is added to the rating.
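The formula above worked through in code, as an added example that is not taken from the original notes or from the product. The function name, the numeric ARR weights (+10 / 0 / -10), the rounding and the clamping to 0-100 are assumptions; the ASR and TVR values are the ones listed above.

```python
# Added example: a calculator for RR = (SFR * ASR * TVR) / 10000 + ARR - PD + WLR.
# ASR and TVR values are the ones listed in the notes.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 0, "low": 75, "medium": 100, "high": 150, "mission critical": 200}
# Assumption: the notes give no numbers for ARR; these weights are illustrative.
ARR = {"relevant": 10, "unknown": 0, "not relevant": -10}


def risk_rating(sfr, severity, target_value, relevancy="unknown",
                pd=0, wlr=0, promiscuous=False):
    """Return the risk rating for one alert, clamped to the 0-100 range."""
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be in 0-100")
    if not 0 <= pd <= 30:
        raise ValueError("PD must be in 0-30")
    if not 0 <= wlr <= 100:
        raise ValueError("WLR must be in 0-100")

    # Accuracy, severity and target value multiply, so any weak factor
    # (generic signature, informational alert, low-value target) drags RR down.
    rr = sfr * ASR[severity] * TVR[target_value] / 10000

    rr += ARR[relevancy]      # targeted OS relevant / unknown / not relevant
    rr += wlr                 # attacker found on the watch list
    if promiscuous:
        rr -= pd              # PD is only subtracted in promiscuous mode

    # Assumption: round to an integer and clamp, since RR is stated as 0-100.
    return max(0, min(100, round(rr)))


if __name__ == "__main__":
    # Constructed sample alerts: (description, keyword arguments).
    samples = [
        ("accurate sig, high severity, medium target",
         dict(sfr=85, severity="high", target_value="medium")),
        ("same alert, mission critical target (clamped)",
         dict(sfr=85, severity="high", target_value="mission critical")),
        ("relevant OS, promiscuous sensor, PD=10",
         dict(sfr=80, severity="medium", target_value="high",
              relevancy="relevant", pd=10, promiscuous=True)),
        ("generic sig, low target, OS not relevant",
         dict(sfr=40, severity="low", target_value="low",
              relevancy="not relevant")),
    ]
    for label, kwargs in samples:
        print(f"{risk_rating(**kwargs):3d}  {label}")
```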