How Cisco's SensorBase works

Understanding exactly how SensorBase will affect an event’s Risk Rating when Global Correlation Inspection is turned on is somewhat complicated. You have to pick a system-wide level, ranging from “permissive” to “standard” to “aggressive.” Then, every time an event occurs where the IP address involved has a bad reputation, the Risk Rating will be bumped up by some amount.

Cisco engineers showed us an "internal use only" table that spells out how different reputations (which are on a scale from 0 to -10, with -10 being the worst possible reputation) and different levels selected will affect the Risk Rating, but told us that they don't plan to put this into the documentation quite yet. Their reason is that they wanted the ability to adjust the way the table operates as they gain more experience with combining reputation services and IPS signatures, and as they figure out the "right" increase in Risk Rating for each scenario.
