IPS - Risk Rating

 

 

RR = (SFR * ASR * TVR) / 10000 + ARR - PD + WLR

The Risk Rating ranges from 0 to 100.


Signature Fidelity Rating (SFR) - 0-100

It tells how accurately the signature detects the network situation it describes.

Signature Fidelity Rating is configured per signature. The more generic the signature, the lower the rating.

SFR does not describe how dangerous the event is, only how accurately the described event is detected.


Attack Severity Rating (ASR) - 25, 50, 75 or 100

It tells us how dangerous the attack is. Attack Severity Rating is configured per signature and comes from the alert severity (informational, low, medium or high).

ASR does not indicate how accurately the event is detected.

 

Target Value Rating (TVR) - 75, 100, 150 or 200

It tells us how important the target is. The following values are distinguished:

  • zero - 0
  • low - 75
  • medium - 100
  • high - 150
  • mission critical - 200

 

Attack Relevancy Rating (ARR) - relevant, unknown, not relevant

A weight associated with the relevancy of the targeted operating system. Attack relevancy rating is a derived value (relevant, unknown, or not relevant), which is determined at alert time. The relevant operating systems are configured per signature.

 

Promiscuous Delta (PD) - 0-30

A weight associated with the promiscuous delta, which can be subtracted from the overall risk rating in promiscuous mode. Promiscuous delta is configured per signature.

 

Watch List Rating (WLR) - 0-100

A weight associated with the CSA MC watch list in the range of 0 to 100 (CSA MC only uses the range 0 to 35). If the attacker for the alert is found on the watch list, the watch list rating for that attacker is added to the rating.
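
The formula above applied to a few alerts, as an added example that is not part of the original page. It shows how the same signature lands on very different ratings depending on target value, sensor mode and watch list. Assumptions: the numeric ARR weights (+10 / 0 / -10) and the integer division are not given on the page, and the sample alerts are constructed.

```python
# Added example (not from the original page):
# RR = (SFR * ASR * TVR) / 10000 + ARR - PD + WLR, bounded to 0..100
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 0, "low": 75, "medium": 100, "high": 150, "mission critical": 200}
# Assumption: the page lists ARR only as categories; these weights are assumed.
ARR = {"relevant": 10, "unknown": 0, "not relevant": -10}


def risk_rating(sfr, severity, target, relevancy="unknown",
                pd=0, wlr=0, promiscuous=False):
    """Return the risk rating (0-100) for one alert."""
    for name, value, top in (("SFR", sfr, 100), ("PD", pd, 30), ("WLR", wlr, 100)):
        if not 0 <= value <= top:
            raise ValueError(f"{name} must be in 0..{top}, got {value}")
    # Assumption: integer division; the page does not state a rounding rule.
    rr = sfr * ASR[severity] * TVR[target] // 10000
    rr += ARR[relevancy] + wlr
    if promiscuous:  # PD is subtracted only when the sensor is in promiscuous mode
        rr -= pd
    return max(0, min(100, rr))  # keep the result inside the 0..100 range


# Constructed sample alerts: (label, parameters of the alert)
SAMPLE_ALERTS = [
    ("generic signature, low-value host",
     dict(sfr=60, severity="medium", target="low")),
    ("accurate high-severity signature, medium host",
     dict(sfr=85, severity="high", target="medium")),
    ("same signature, mission critical host (saturates)",
     dict(sfr=85, severity="high", target="mission critical")),
    ("relevant OS, promiscuous sensor with PD=10",
     dict(sfr=60, severity="medium", target="high",
          relevancy="relevant", pd=10, promiscuous=True)),
    ("attacker on watch list (WLR=35), low-value host",
     dict(sfr=85, severity="high", target="low", wlr=35)),
    ("zero-value target, OS not relevant (floors at 0)",
     dict(sfr=90, severity="high", target="zero", relevancy="not relevant")),
]


def rate_all(alerts=SAMPLE_ALERTS):
    """Map each alert label to its computed risk rating."""
    return {label: risk_rating(**params) for label, params in alerts}


if __name__ == "__main__":
    for label, rr in rate_all().items():
        print(f"{rr:3d}  {label}")
```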

 

 

 dzbanek 2013-03-04
