Controlling Which Actions the Sensors Should Take

Many years ago, as the number of signatures kept increasing, it became very laborious to track and manage the individual actions for each and every signature on a sensor. The solution is to have the IPS/IDS sensor, after it generates an alert, consider how significant the risk related to that alert is and, if the risk is high enough, take the appropriate countermeasure actions on its own.

This is implemented using a calculated result called a risk rating. The maximum value for the risk rating is 100. As the administrator, you can choose which countermeasure to take based on the risk rating of the alert that was triggered. There are three primary factors, or influencers, of the final risk rating value.

The first is the accuracy of the signature, meaning how likely it is to not trigger false positive alerts. This accuracy rating is known as the signature fidelity rating (SFR), and it is configured as a property of a signature.

The second major component that goes into calculating the risk rating is the attack severity rating (ASR) of the signature that triggered the alert. This property is also configured as part of the signature.

The third major component is determined subjectively by the administrator of the sensor. It is called the target value rating (TVR). To set the TVR, you provide the sensor with the destination IP addresses or subnets that are the most critical. When attacks are seen going to these IP addresses, the final risk rating ends up higher than if the same attack were going to a less important device (that is, to an IP address or subnet that the administrator does not consider critical). The TVR is not a property of any specific signature; it is a general parameter configured in the IPS.

Some additional minor factors go into the risk rating, and Table 17-5 provides a summary of the most relevant factors that influence it.
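The following sketch is an added example, not taken from the book or from any sensor's code. It shows how the same signature (fixed SFR and ASR) produces a different risk rating, and therefore a different countermeasure, depending on the TVR configured for the destination. The scaling `ASR * TVR * SFR / 10000`, the TVR weights, the subnets, the action thresholds and all function names are assumptions made for illustration, and the minor factors are left out.

```python
import ipaddress

# Assumed TVR weights per target category (illustrative values).
TVR_WEIGHTS = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# Constructed target-value configuration: destination subnet -> category.
TARGET_VALUES = {
    "10.1.0.0/16": "medium",
    "10.1.50.0/24": "mission-critical",   # e.g. a critical server segment
    "192.168.100.0/24": "low",            # e.g. a lab segment
}
DEFAULT_CATEGORY = "medium"  # used when no configured subnet matches

# Hypothetical policy: (minimum risk rating, countermeasure), highest first.
ACTION_THRESHOLDS = [(90, "deny packet"),
                     (70, "alert and log packets"),
                     (0, "alert only")]

def target_value(dst_ip):
    """Return the TVR weight of the most specific subnet containing dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    best = None  # (prefix length, category) of the longest match so far
    for cidr, category in TARGET_VALUES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, category)
    return TVR_WEIGHTS[best[1] if best else DEFAULT_CATEGORY]

def risk_rating(sfr, asr, dst_ip):
    """Combine SFR and ASR (signature properties, 0-100) with the target's TVR."""
    for name, value in (("SFR", sfr), ("ASR", asr)):
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be between 0 and 100")
    # Assumed scaling; the result is capped at the maximum risk rating of 100.
    return min(asr * target_value(dst_ip) * sfr // 10000, 100)

def countermeasure(rr):
    """Pick the first action whose threshold the risk rating meets."""
    for floor, action in ACTION_THRESHOLDS:
        if rr >= floor:
            return action

if __name__ == "__main__":
    # Same signature (SFR 85, ASR 75) seen going to three destinations.
    for dst in ("10.1.50.10", "10.1.7.7", "192.168.100.5"):
        rr = risk_rating(85, 75, dst)
        print(f"{dst:15} RR={rr:3} -> {countermeasure(rr)}")
```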


Table 17-5 Risk Rating (RR) Calculation Factors
