Table of Contents
Advertisement
Identifying Irrelevant Attacks
Copyright © 2010, Juniper Networks, Inc.
Your log entries are a valuable tool in helping you identify irrelevant attacks. Irrelevant
attacks are events that do not affect your network or that you do not consider important.
Typically, you want to identify irrelevant attacks to:
Reduce the number of log entries and increase system performance.
Isolate log entries for harmless attacks.
Focus on log entries for attacks to which you are actually vulnerable.
Select a log entry generated by a protocol anomaly or signature attack object, then view
the Summary panel to see the attack description. An example is shown in Figure 109 on
page 751.
Figure 109: Viewing Summary Panel
Look carefully at the information about affected systems, and compare it with what you
know about your network. Use the information in Table 103 on page 751 to determine if
the attack is relevant:
Table 103: Irrelevant Versus Relevant Attacks
Irrelevant Attacks
Attack target hardware you do not use.
Example: Attacks that exploit Cisco routers do
not affect Lucent routers.
Attack target software you do not use.
Example: Attacks that exploit Microsoft IIS Web
servers do not affect Apache Web servers.
Attack target software versions you do not use.
If the attack is irrelevant, you can remove the matching attack object group from the rule
that triggered the log entry, or monitor the attack object group using custom severity
setting.
Chapter 18: Logging
Relevant Attacks
Attack attempts to exploit vulnerabilities in the
hardware you use in your network.
Attack attempts to exploit vulnerabilities in the
software running on your network.
Attack attempts to exploit vulnerabilities in the
software versions running on your network.
751
Advertisement
Table of Contents
