Global Correlation Risk Delta
Hi,
I'm currently working on tuning a pair of IPS modules in ASAs. We are currently in promiscuous mode and tuning/filtering to ensure we don't block any valid traffic when making the switch to inline.
We are using the new 7.0.1 code and getting the global correlation / reputation data - works great & rocks.
When viewing the events there is a parameter, "Global Correlation Risk Delta". Could someone explain to me what that is?
I understand how it adjusts the RR based on reputation & have the chart (including it for those who do not have it - got it from a networkers prezo). However I am having a hard time figuring out what Global Correlation Risk Delta is/means/does...anyone know?
Thanks,
Brad
Here is a basic description.
Without Global Correlation (versions prior to 7.0, or version 7.0 with the feature turned off) all alert triggerings will have a Risk Rating calculated.
How a Risk Rating is calculated is explained in the following White Paper on cisco.com:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html
Now with version 7.0 when Global Correlation is enabled there is now a new parameter added to the Risk Rating calculation ( + Global Correlation Risk Delta )
The Global Correlation Risk Delta is either 0 or a positive value and so can keep the Risk Rating the same, or raise the Risk Rating, but will not decrease the Risk Rating.
The Global Correlation Risk Delta is calculated based on both the Attacker IP address, and the Initial Risk Rating ( The Initial Risk Rating is the Risk Rating calculated without the Global Correlation Risk Delta).
When Global Correlation is enabled in version 7.0 the sensor will download a Reputation Database from the cisco servers. This reputation database contains lists of Public IP Addresses that have been known to be sources of attacks in the past. With that database a Negative Reputation Score is determined for each Address in the database. The Negative Reputation Score could range anywhere from a -0.5 to a -10. If only a few attacks have been seen from the address, the score may be only slightly negative in the -0.5 to -3 range. The worst offending Attacker IP Addresses could have negative scores in the -8 to -10 range.
That Reputation Database is only for Public IP Addresses. So Private IP Addresses (addresses used only with NAT/PAT and are not Internet routable) will not exist in the Reputation Database.
If the attacker IP Address is a Private IP Address, or is a Public IP Address that is NOT in the Reputation Database, then the sensor will automatically set the Global Correlation Risk Delta to 0.
When added into the Original Risk Rating, the Risk Rating winds up the same (no change).
So Global Correlation has no effect on Private IP Addresses, or Public IP Addresses that do NOT have Negative Reputation.
It is only when the Attacker is from a Public IP Address with Negative Reputation that the Global Correlation Risk Delta is calculated.
Internally the sensor has a formula to calculate what that Delta should be.
The inputs to that formula are the Negative Reputation Score for the Attacker IP, the Original Risk Rating, as well as some proprietary variables for fine tuning the formula.
All of these are inputs to the formula, and the one output is the Delta.
The Delta is then Added to the Initial Risk Rating and results in a Higher Risk Rating.
The chart from your first post is a result of plugging in the highest 20 possible Risk Ratings, and 20 possible negative Reputation scores, and uses the original proprietary variable settings, and shows you what the formula will output as the Global Correlation Risk Delta.
So this should be used as just an example.
The formula will still be used for Risk Ratings lower than 80 that are not shown on the chart, and will also be used for Negative Reputation Scores that are not neatly rounded to a 0.5 number.
The proprietary variables are also subject to change, as we continue to fine tune the formula.
So the chart you've posted is a good example of the type of Deltas that the formula can output.
Because of this calculated Delta being added to the Risk Rating, the same attack coming from a known Negative Reputation Public Address will wind up with a Higher Risk Rating than the same attack coming from a Private IP Address (or even the same Public Address when not using Global Correlation).
The sensor then has features for how it can then make use of the Risk Rating.
And I will talk about this in the next post. I am limited by the number of characters in a single post or I would have put it into this post.
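The combination described above (Initial Risk Rating plus a delta that is 0 for private or unlisted attackers and positive otherwise), as an added Python illustration that is not from the thread or from Cisco: the real delta formula is proprietary, so `illustrative_delta` is a hypothetical stand-in that only reproduces the stated properties, and `REPUTATION_DB` is a constructed sample using documentation addresses.

```python
import ipaddress

# Constructed sample of the downloaded reputation database: public attacker
# address -> Negative Reputation Score in the documented -0.5 .. -10 range.
# RFC 5737 documentation addresses are used; they are not real offenders.
REPUTATION_DB = {
    "203.0.113.7": -9.2,   # worst-offender band (-8 .. -10)
    "198.51.100.4": -1.5,  # only a few attacks seen (-0.5 .. -3)
}

# Private ranges used behind NAT/PAT; these never appear in the reputation DB.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MAX_RISK_RATING = 100


def negative_reputation(attacker_ip: str):
    """Negative Reputation Score for a public attacker address, else None."""
    addr = ipaddress.ip_address(attacker_ip)
    if any(addr in net for net in PRIVATE_NETS):
        return None
    return REPUTATION_DB.get(str(addr))


def illustrative_delta(score: float, initial_rr: int) -> int:
    """Hypothetical stand-in for Cisco's proprietary delta formula.

    It keeps only the properties stated in the thread: the delta is 0 or
    positive, it grows as the score gets more negative and as the initial
    rating rises, and the combined rating is capped at 100.
    """
    severity = -score / 10.0                      # 0.05 .. 1.0
    delta = int(round(severity * initial_rr * 0.75))
    return max(0, min(delta, MAX_RISK_RATING - initial_rr))


def global_correlation_risk_delta(attacker_ip: str, initial_rr: int) -> int:
    """0 for private or unlisted public attackers; otherwise the computed delta."""
    score = negative_reputation(attacker_ip)
    if score is None:
        return 0
    return illustrative_delta(score, initial_rr)


def final_risk_rating(attacker_ip: str, initial_rr: int) -> int:
    """Initial Risk Rating plus the delta: equal or higher, never lower."""
    return initial_rr + global_correlation_risk_delta(attacker_ip, initial_rr)
```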
Similar Messages
-
MARS 6.0.4 reporting for IPS 7.0 Global Correlation Reputation Filtering
Does anyone know if there is a report available in MARS to see what IP addresses were denied by Reputation Filtering on IPS 7.0?
I found a report that shows attacks that were prevented due to global correlation score, but not for packets denied by Reputation Filtering.
Replies are greatly appreciated.
Thanks,
Mark
Thanks for the reply, but what I am looking for is reporting on what packets were dropped with Reputation Filtering (which doesn't have a report in MARS), not the Global Correlation risk rating blocks (which does have a report available in MARS).
-
I have an ASA 5510 with an SSM-10 module. I have global correlation turned on and updating. When I look at the dashboard's "Global Correlation Report" I see packets that have been denied by global correlation. Can someone tell me how global correlation events are logged? I'd like to be able to see the raw data associated with the global correlation.
Thanks.
Hi,
Take a look at this:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1065809
As can be seen, whenever "global correlation" causes any kind of action to be taken by the IPS it produces an alert unless the packet is being denied by "reputation filtering" which does not produce any kind of alert. Also, "This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched".
I am not sure of all those fields in the alert but I have seen at least some of them. If you are not seeing any alerts with those fields, then global correlation may not be seeing any instances where it has had to modify the risk ratings and take appropriate actions for it, that is, you may not be receiving any kind of such packets from malicious hosts at all in the first place.
Also, if you have "reputation filtering" on, you might want to turn it OFF to ensure it is not causing this behavior.
Regards,
Prapanch
-
Global Correlation and Application Failed
Hi, People.
I have IPS4270-20-K9 with version 7.0(3)E4 and signature version 572.
In Sensor Health show me a problem critical, with:
- Application Failed
- Global Correlation
sensor#sh statistics global-correlation
Error: getGlobalCorrelationStatistics : ct-collaborationApp.459 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
How do I resolve these problems?
Tks.
That error message indicates that one of the software processes required for the Global Correlation feature (CollaborationApp) is not responding (stopped/crashed, hung, etc.). You will need to reboot ("reset") the sensor to restore the process to a "Running" status.
There are multiple defects present in the version of software you are running (7.0(3)E4) that are likely culprits/causes that were fixed in subsequent releases (7.0(4)E4 and 7.0(5a)E4). After you have rebooted the sensor and restored it to service, you can upgrade to a fixed release (7.0(5a)E4).
-
Global-correlation does not update.
Hi all,
I have a problem to update the global-correlation. I do get updates for the signatures in the IPS but see output below regarding the global-correlation;
==========================================
show statistics global-correlation
Network Participation:
Counters:
Total Connection Attempts = 0
Total Connection Failures = 0
Connection Failures Since Last Success = 0
Connection History:
Updates:
Status Of Last Update Attempt = Failed
Time Since Last Successful Update = never
Counters:
Update Failures Since Last Success = 8
Total Update Attempts = 8
Total Update Failures = 8
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 0
drop = 0
ip = 0
rule = 0
Warnings:
===========================================
Hardware used:
asa-ssm-10 (version 7.0(4)E4)
ASA-5520(version 8.4(1))
I see all traffic passing the firewall and ISP-routers.
I hope someone can help me with this issue or some pointers.
Thanks in advance,
Erik Verkerk.
Hi Jennifer,
Good to hear we do not have to buy an additional license and that global-correlation is included in version 7.0.
Thanks for your suggestion "access to internet", I did a re-re-recheck of my configuration and found out that I had a "little routing issue in one of my routers". I solved this and now it is working.
===========================================
sh statistics global-correlation
Network Participation:
Counters:
Total Connection Attempts = 0
Total Connection Failures = 0
Connection Failures Since Last Success = 0
Connection History:
Updates:
Status Of Last Update Attempt = Ok
Time Since Last Successful Update = 2 minutes
Counters:
Update Failures Since Last Success = 0
Total Update Attempts = 269
Total Update Failures = 268
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 1236210407
drop = 1300274962
ip = 1300276386
rule = 1300221126
Warnings:
=================================
Thanks for your time and help.
Thanks,
Erik Verkerk.
-
"Global Correlation" = Critical - Cisco AIP-SSM-20
We are getting this error on both IME and IDM. What causes this, and how does one resolve it?
We are also not getting new events in IME - could this be related to the problem?
Correct. The sensor must operate in Inline mode so that the Global Correlation features can increase efficacy by being able to use the inline deny actions.
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html
-
Global correlation / reputation filtering in monitoring mode
We use Cisco appliances primarily in monitoring mode. We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc). Is it even possible to use either of these features for this purpose? According to the following document it appears there may not be alerts for packets denied before signature analysis. Surely that can't be???
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1067283
"Note This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched. It does not apply to reputation filtering where the packet is denied before signature analysis, and no alerts are generated when packets are denied by reputation filtering. "
Just listened to the techtalk on global correlation. About 16 minutes in: "we do not send events just to keep the load quiet". Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still works this way? I'm sorry to sound like an arse, but I am so completely frustrated with the value we get out of these appliances. Apparently, the ASA botnet functionality can do what we want, but not the stand alone IPS appliance....come on Cisco.
-
Hello Everyone,
I'm trying to enable global correlation, but after applying the configuration I see the status below:
service global-correlation
network-participation off
global-correlation-inspection-influence aggressive
test-global-correlation off
exit
service aaa
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
IPS-SITE-BACKUP# show health
Overall Health Status Green
Health Status for Failed Applications Green
Health Status for Signature Updates Green
Health Status for License Key Expiration Green
Health Status for Running in Bypass Mode Green
Health Status for Interfaces Being Down Green
Health Status for the Inspection Load Green
Health Status for the Time Since Last Event Retrieval Green
Health Status for the Number of Missed Packets Green
Health Status for the Memory Usage Green
Health Status for Global Correlation Not Enabled
Health Status for Network Participation Green
Why is the status "not enabled"?
Obs: Downloads ok via proxy server.
Thanks.
Rafael
Hello Rafael,
Why is the status "not enabled"?
The status is not enabled because the participation of your IPS in the global correlation is off.
There are 3 states related to Global Correlation:
-Full
-Partial
-Off
Please change that and it should be working. You need to have a DNS server set up in your IPS; if not, Global Correlation will not work.
Julio
Rate the helpful posts
-
Hi,
Will the IPS go offline during a global correlation update? We are running sensor version 7.1(7)E4 and are noticing drops due to the IPS being unavailable. The timing of these matches global correlation updates on the IPS. We are receiving the following log entry when global correlation updates.
%ASA-3-420001: IPS card not up and fail-close mode used, dropping TCP packet from InterfaceA:x.x.x.x/xx to InterfaceB:y.y.y.y/yy
-
Global correlation can't be updated
Version is IPS 7.0, asa5520-aip-ssm.
Signature and IME can be successfully updated,
Global correlation can't be updated,
the Status of global correlation is Critical.
I saw the website
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html#wp1053280
and updated following the web page. But it doesn't work.
How could I update global correlation
or go back to the old SensorBase?
The output provided clearly indicates that the AIP-SSM is unable to resolve the update server address. The server name update-manifests.ironport.com is not user configurable.
Do you have more than one DNS server configured? If so, disable all but the primary DNS server.
If you only have one DNS server configured, please verify the AIP-SSM's management IP address has unrestricted access to the Internet. (At a minimum TCP ports 80 and 443 and UDP port 53).
Scott
-
Global Correlation update Failure error
Hello,
I have received following error in IPS regarding global correlation update
A global correlation update failed: ExecLoadCollabUpdate control transaction failed: Control transaction cannot be completed at this time
Is anyone aware of this error? Is it a major issue affecting the IPS? I think this is because of the correlation update failure. Please let me know if anyone has more information on this error.
Whenever a global correlation update fails, an evError event is generated. The error message is included in sensor statistics. The following conditions result in a status message with the severity of Error:
• The sensor is unlicensed
• No DNS or HTTP proxy server is configured
• The manifest exchange failed
• An update file download failed
• Applying or committing the update failed
For global correlation update failures, refer to
http://www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/50360-ids-faq.html
-
Global Correlation Update Failures
I've recently turned on Global Correlation but we've failed to update every 5 minutes.
PL-ASA-IPS# show stat global
Network Participation:
Counters:
Total Connection Attempts = 2
Total Connection Failures = 0
Connection Failures Since Last Success = 0
Connection History:
Connection Attempt on February 16 2010, at 14:28:38 UTC = Successful
Connection Attempt on February 16 2010, at 14:19:06 UTC = Successful
Updates:
Status Of Last Update Attempt = Failed
Time Since Last Successful Update = never
Counters:
Update Failures Since Last Success = 4
Total Update Attempts = 4
Total Update Failures = 4
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 0
drop = 0
ip = 0
rule = 0
Warnings:
I have a static NAT translation for the IPS, there are no proxy servers in our environment and it can ping outside as well as update-manifests.ironport.com (204.15.82.17). DNS is set up as well.
In the logs I see this entry:
16Feb2010 14:13:15.679 265.199 collaborationApp[491] rep/E A global correlation update failed: Failed download of ibrs/1.1/config/default/1236210407 : HTTP connection failed
I guess I'm at a loss for what else I can check. We have no problems sending the Network Participation data but we can't get any data. Any suggestions?
Cisco Intrusion Prevention System, Version 7.0(2)E3
Signature Definition:
Signature Update S469.0 2010-02-11
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
I have the same issue, I have no ASA or websense product between this device and the iNet.
Does anyone have a fix or workaround?
I have an AIM-IPS running 7.0(6)E4 with Signature version S599.0. All updates to date have been manually d/l to a local ftp server.
the auto update "seems" to run but never gets any updates
This is what i see
# sh stat global
Network Participation:
Counters:
Total Connection Attempts = 127
Total Connection Failures = 127
Connection Failures Since Last Success = 127
Connection History:
Connection Attempt on October 06 2011, at 10:46:32 UTC = Failed
Connection Attempt on October 06 2011, at 09:24:32 UTC = Failed
Connection Attempt on October 06 2011, at 08:03:04 UTC = Failed
Connection Attempt on October 06 2011, at 07:59:52 UTC = Failed
Connection Attempt on October 06 2011, at 06:36:57 UTC = Failed
Updates:
Status Of Last Update Attempt = Failed
Time Since Last Successful Update = never
Counters:
Update Failures Since Last Success = 2702
Total Update Attempts = 2702
Total Update Failures = 2702
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = Unknown
Current Versions:
config = 0
drop = 0
ip = 0
rule = 0
Warnings:
#sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(6)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S599.0 2011-09-29
OS Version: 2.6.14-Cavium-Octeon
Platform: AIM-IPS-K9
Serial Number: xxx
Licensed, expires: 31-Mar-2012 UTC
Sensor up-time is 9 days.
Using 54726656 out of 454148096 bytes of available memory (12% usage)
system is using 22.4M out of 80.0M bytes of available disk space (28% usage)
application-data is using 46.8M out of 213.0M bytes of available disk space (23% usage)
boot is using 54.4M out of 114.8M bytes of available disk space (50% usage)
application-log is using 61.8M out of 513.0M bytes of available disk space (12% usage)
MainApp B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500 Running
AnalysisEngine B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500 Running
CollaborationApp B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500 Running
CLI B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500
Upgrade History:
* IPS-AIM-K9-7.0-6-E4 17:39:07 UTC Sat Sep 10 2011
IPS-sig-S599-req-E4.pkg 07:59:08 UTC Wed Oct 05 2011
Recovery Partition Version 1.1 - 7.0(6)E4
Host Certificate Valid from: 25-Sep-2011 to 25-Sep-2013
As seen above there is no IP address listed for "update-manifests.ironport.com".
NS lookup is able to resolve,
why can't the IPS?
Can I hard-code the IP address?
>Non-authoritative answer:
>Name: update-manifests.ironport.com
>Address: 204.15.82.17
-
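The `show statistics global-correlation` outputs pasted in this thread separate cleanly into a DNS problem (server address Unknown), a download problem (participation connections succeed but updates fail) and a plain connectivity problem. The following parser and triage function are an added example, not code from the thread or from Cisco; the sample output is a trimmed transcription of the AIM-IPS post above, and the diagnosis labels are my own.

```python
SECTIONS = ("Network Participation", "Updates", "Current Versions")

# Trimmed transcription of the AIM-IPS output above: participation
# connections fail and the update server name never resolves.
SAMPLE_STATS = """\
Network Participation:
Counters:
Total Connection Attempts = 127
Total Connection Failures = 127
Connection Failures Since Last Success = 127
Connection History:
Connection Attempt on October 06 2011, at 10:46:32 UTC = Failed
Updates:
Status Of Last Update Attempt = Failed
Time Since Last Successful Update = never
Counters:
Update Failures Since Last Success = 2702
Total Update Attempts = 2702
Total Update Failures = 2702
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = Unknown
Current Versions:
config = 0
drop = 0
ip = 0
rule = 0
Warnings:
"""


def parse_gc_stats(text: str) -> dict:
    """Split the output into its three sections of 'key = value' pairs.

    'Counters:' appears under both Network Participation and Updates, so the
    enclosing section heading decides where a key belongs. Connection
    history entries are collected as (timestamp, result) tuples.
    """
    stats = {name: {} for name in SECTIONS}
    stats["Network Participation"]["history"] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if section is None or " = " not in line:
            continue                     # sub-headings such as 'Counters:'
        key, value = (part.strip() for part in line.split(" = ", 1))
        if key.startswith("Connection Attempt on "):
            stamp = key[len("Connection Attempt on "):]
            stats[section]["history"].append((stamp, value))
        else:
            stats[section][key] = value
    return stats


def never_updated(stats: dict) -> bool:
    """All four SensorBase version counters still 0: no update ever applied."""
    return all(stats["Current Versions"].get(k, "0") == "0"
               for k in ("config", "drop", "ip", "rule"))


def diagnose(stats: dict) -> str:
    """Map the counters to the causes worked through in this thread."""
    part, upd = stats["Network Participation"], stats["Updates"]
    if upd.get("Status Of Last Update Attempt") == "Ok":
        return "healthy"
    if upd.get("Update Server Address", "Unknown") == "Unknown":
        # name never resolved: check the sensor's DNS server setting (UDP 53)
        return "dns"
    attempts = int(part.get("Total Connection Attempts", 0))
    failing = int(part.get("Connection Failures Since Last Success", 0))
    if attempts > 0 and failing == 0:
        # manifest exchange on TCP 443 works but file downloads (TCP 80) fail
        return "download"
    # nothing ever reached the update servers: routing, NAT or ACL problem
    return "connectivity"
```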
Global Correlation and Anomaly detection drop messages?
We've implemented an SSP-40 and were wondering if there were event messages for Global Correlation or Anomaly detection drops. We seem to only have signature event messages.
Dennis
Sure. Here is an example:
evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco alarmTraits=32768
originator:
hostId: sensorName
appName: sensorApp
appInstanceId: 19247
time: 2012/03/27 15:12:41 2012/03/27 15:12:41 UTC
signature: description=ICMP Echo Request id=2004 created=20001127 type=other version=S592
subsigId: 0
interfaceGroup: vs0
vlan: 1104
participants:
attacker:
addr: locality=OUT A.B.C.3
target:
addr: locality=OUT A.B.C.2
os: idSource=unknown relevance=relevant type=unknown
actions:
deniedPacket: true
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
threatRatingValue: 60
interface: ge2_0
protocol: icmp
globalCorrelation:
globalCorrelationScore: -9.2
globalCorrelationRiskDelta: 60
globalCorrelationModifiedRiskRating: true
globalCorrelationDenyPacket: true
globalCorrelationDenyAttacker: false
globalCorrelationOtherOverrides: false
globalCorrelationAuditMode: false
Alternatively, you can see the stats using:
sensor# show statistics analysis-engine | be Malicious
MaliciousSiteDenyHitCounts
A.B.C.D/16 = 1
MaliciousSiteDenyHitCountsAUDIT
Regards,
Sawan Gupta
-
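A parser for the evIdsAlert shown above that pulls out the globalCorrelation block and recovers the pre-correlation rating (final rating minus delta, since the delta is purely additive), added here as an example and not part of the reply or of any Cisco tool. The sample is a trimmed transcription of the event above; the assumption that the ModifiedRiskRating flag tracks a non-zero delta is mine.

```python
import re

# Trimmed transcription of the event above (A.B.C.x are the masked addresses).
SAMPLE_ALERT = """\
evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco alarmTraits=32768
time: 2012/03/27 15:12:41 2012/03/27 15:12:41 UTC
signature: description=ICMP Echo Request id=2004 created=20001127 type=other version=S592
participants:
attacker:
addr: locality=OUT A.B.C.3
target:
addr: locality=OUT A.B.C.2
actions:
deniedPacket: true
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
threatRatingValue: 60
globalCorrelation:
globalCorrelationScore: -9.2
globalCorrelationRiskDelta: 60
globalCorrelationModifiedRiskRating: true
globalCorrelationDenyPacket: true
globalCorrelationDenyAttacker: false
globalCorrelationOtherOverrides: false
globalCorrelationAuditMode: false
"""

# attribute=value pairs; a value may contain spaces (description=ICMP Echo Request)
_ATTR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_alert(text: str) -> dict:
    """Flatten an evIdsAlert into {field: {"value": ..., attribute: ...}}.

    Lines without a value (attacker:, target:, ...) are section headers; the
    'addr' field is prefixed with its section so attacker and target differ.
    """
    fields, context = {"header": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if key == "evIdsAlert":
            fields["header"] = dict(_ATTR.findall(rest))
            continue
        if not rest:
            context = key
            continue
        tokens = rest.split()
        if any("=" in t for t in tokens):
            # trailing bare token (the rating number, the address) is the value
            value = tokens.pop() if "=" not in tokens[-1] else ""
            attrs = dict(_ATTR.findall(" ".join(tokens)))
        else:
            value, attrs = rest, {}
        name = f"{context}.{key}" if key == "addr" else key
        fields[name] = {"value": value, **attrs}
    return fields


def global_correlation_summary(fields: dict) -> dict:
    """Extract the GC block and sanity-check it against the thread's rules."""
    gc = {k: v["value"] for k, v in fields.items() if k.startswith("globalCorrelation")}
    final_rr = int(fields["riskRatingValue"]["value"])
    delta = int(gc["globalCorrelationRiskDelta"])
    score = float(gc["globalCorrelationScore"])
    modified = gc["globalCorrelationModifiedRiskRating"] == "true"
    return {
        "attacker": fields["attacker.addr"]["value"],
        "score": score,
        "delta": delta,
        "final_rr": final_rr,
        "initial_rr": final_rr - delta,          # delta is purely additive
        "denied_by_gc": gc["globalCorrelationDenyPacket"] == "true",
        "audit_mode": gc["globalCorrelationAuditMode"] == "true",
        # delta never negative, score within -0.5..-10, and (assumption)
        # the 'modified' flag agrees with a non-zero delta
        "consistent": delta >= 0 and -10 <= score <= -0.5 and modified == (delta > 0),
    }
```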
Cisco IPS (global correlation) is downloading lots of updates from the iron-port website
I have query on Global correlation.
Following is the observed behavior
Scenario 1:
Global Correlation Inspection: ON (Standard)
Reputation Filter: ON
Result: Global correlation downloads in bytes or KBs (observed on proxy)
Scenario 2:
Global Correlation Inspection: OFF
Reputation Filter: ON
Result: Global correlation downloads 4-5 MB every 5 Minutes (observed on proxy)
This behavior has been observed on both IPS devices, one by one. What we wanted clarity on is why global correlation downloads so much data when it is OFF, and only minimal data when ON. The equation does not seem to be right.
Request you for your prompt response.
Regards,
Neal
Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.
-
SSM-AIP 7.0(1) Global Correlation config nightmare!
Thanks, Cisco, for creating a Management nightmare with your "Global Correlation" option in version 7.0...
Let's start with the SSM-AIP-20 Management interface...
We have an OOB Management network, with a single POI into this through a separate PIX515E appliance. Both the ASA5540 AND the SSM-AIP-20 reside on this network.
The first issue was in Routing, since the ASA sees the Management network as "directly attached", and we ROUTE the traffic through the PIX for updates on the SSM module, we had to add translation entries in the PIX515E for the SSM module (10.x.x.x Management, 172.x.x.x translated).
This was not a big issue, but here is where the nightmare begins...
First a note: We have the Management network locked down TIGHT, only a couple of Network Management stations allowed into that network to access these devices.
I enabled Global Correlation in test mode, but it was "failed" every time it tried to update.. Reading other posts, I created ACL and Static NAT in the PIX515E for these IP's:
204.15.82.17 (IP listed in the IME Global Correlation update server)
97.65.135.170 and .137 (from another post in these forums)
207.15.82.17 (IP found in a trace)
Still no updates. Looking in the PIX logs, I found "no translation" entries for the following addresses:
198.133.219.25
209.107.213.40
208.90.57.73
I put these in, and it started updating! FIXED? NOT!
This morning, it was again failing... Looked in the PIX logs again, and found these:
77.67.85.33
77.67.85.9
Entered them, and the SSM is happy again. How long? Who knows?
So, now I have NINE holes in my "secure" network, and who knows when Cisco will change or add new IP addresses to this list.
Cisco, if you are listening - ALL access to/from the Global correlation through a single IP? PLEASE?
(use the one listed in the IME - 204.15.82.17, for the URL "update-manifests.ironport.com")
A few of the addresses belong to Cisco (originally ironport.com addresses from the IronPort acquisition) and are used as manifest servers to provide the sensor a list of files to download.
The sensor then downloads those files from Akamai servers. Akamai has a large number of servers across the world. Cisco sends the update to Akamai and they replicate it across their servers. When sensors try to connect to the Akamai server it does a DNS query and by controlling the DNS response it can direct sensors to an Akamai server located nearer to the sensor. This allows for better load balancing, response times, and download speeds.
However, Akamai has a large number of servers (in the thousands I think) world wide, and you can't predict which server your specific sensor will be directed to.
Sensor connections to the cisco servers for the manifest (file list) are on port 443, and usually to update-manifests.ironport.com URLs.
Sensor connections to the Akamai servers for the actual file downloads are on port 80 and usually to updates.ironport.com URLs.
The above is all based on my limited understanding of how the updates work. I may have gotten a few details wrong, but should at least give you a general idea.
I will be working with development to get this better documented in Release Notes and Readme with the next IPS software release.