How Cisco's SensorBase works

Understanding exactly how SensorBase will affect an event’s Risk Rating when Global Correlation Inspection is turned on is somewhat complicated. You have to pick a system-wide level, ranging from “permissive” to “standard” to “aggressive.” Then, every time an event occurs where the IP address involved has a bad reputation, the Risk Rating will be bumped up by some amount.

Cisco engineers showed us an "internal use only" table that spells out how each reputation score (on a scale from 0 to -10, with -10 being the worst possible reputation) and each selected level affect the Risk Rating, but told us that they don't plan to put this into the documentation quite yet. Their reason is that they want the ability to adjust the way the table operates as they gain more experience with combining reputation services and IPS signatures, and as they figure out the "right" increase in Risk Rating for each scenario.
