Juniper Network and Security Manager 2010.4 Administration Guide, Rev 1 — Example: Using Screen Reports to Identify Attack Trends; Example: Using DI Reports to Detect Application Attacks; Using the Watch List

Copyright © 2010, Juniper Networks, Inc.

Example: Using Screen Reports to Identify Attack Trends

In this example, you are a security administrator in the network operations center responsible for tracking potential network attacks. You generate and track an "Attacks By Severity" report daily.

Over time, you notice that the number of critical attacks has increased 20 percent. To verify this, you generate an "Attacks over Time" report for the past 30 days.

The report indicates a recent increase in attacks detected by your firewall. You can generate "Top Attacks", "Top Attackers", and "Top Targets" reports to further investigate the nature of these attacks and assess their risk.

For details on generating and configuring these reports, refer to the Network and Security Manager Online Help.

Example: Using DI Reports to Detect Application Attacks

In this example, you are a security analyst responsible for tracking potential deep inspection attacks. You generate an "Attacks By Severity" report daily to track and identify potential attacks.

One day, you notice a significant increase in the number of critical attacks detected by the deep inspection rules you have implemented in your Security Policy. You then generate a "Top Attackers" report for the last day.

The report indicates an IP address as the top attacker for all the DI attacks that you have been tracking. You recognize the IP address as an external server that is running a service using a nonstandard protocol. Although the traffic is not malicious, it happens to match a malicious signature anomaly that you have configured in your DI policy. You can then revise your policy rules to reclassify this traffic.

For details on generating and configuring these reports, refer to the Network and Security Manager Online Help.

Using the Watch List

NSM lets you create and configure both a destination and a source watch list. The Destination Watch List contains key hosts within the network against which a proportionally large number of logs is recorded. The Source Watch List contains key hosts outside the network that are sending a large number of log records and are therefore suspected or known sources of attacks on your network.

The watch lists are convenient ways to create a list of source or destination hosts to use as a filter in:

Log Viewer—Includes logs with destination or source watch lists in a query filter.
Log Investigator—Investigates logs with destination or source watch lists as data point sources.
Report Manager—Includes custom reports for destination and source watch lists.
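As an added illustration (not NSM code, and not NSM's log export format) of the three workflows described in these sections, the script below runs the same analysis over constructed log records: the day-over-day change in critical attacks that prompted the "Attacks over Time" check, the "Top Attackers" ranking, and a Log Viewer style filter on a source or destination watch list.

```python
from collections import Counter

# Constructed sample records standing in for NSM log entries:
# (day, severity, source IP, destination IP). This is not NSM's export format.
LOGS = [
    ("2010-06-01", "critical", "203.0.113.7",  "192.0.2.10"),
    ("2010-06-01", "critical", "203.0.113.7",  "192.0.2.11"),
    ("2010-06-01", "major",    "198.51.100.4", "192.0.2.10"),
    ("2010-06-02", "critical", "203.0.113.7",  "192.0.2.10"),
    ("2010-06-02", "critical", "203.0.113.7",  "192.0.2.12"),
    ("2010-06-02", "critical", "198.51.100.4", "192.0.2.10"),
    ("2010-06-02", "minor",    "198.51.100.9", "192.0.2.13"),
]

def attacks_by_severity(logs, day):
    """'Attacks By Severity' for one day: severity -> count."""
    return Counter(sev for d, sev, _, _ in logs if d == day)

def critical_change_percent(logs, earlier, later):
    """Compare critical counts between two days, as an 'Attacks over Time'
    check would. Returns None when the earlier day has no baseline."""
    before = attacks_by_severity(logs, earlier)["critical"]
    after = attacks_by_severity(logs, later)["critical"]
    if before == 0:
        return None
    return 100.0 * (after - before) / before

def needs_investigation(logs, earlier, later, threshold_percent=20.0):
    """Flag the trend the first example describes: critical attacks up 20% or more."""
    change = critical_change_percent(logs, earlier, later)
    return change is not None and change >= threshold_percent

def top_attackers(logs, n=3, severity=None):
    """'Top Attackers': most frequent source IPs, optionally for one severity."""
    srcs = Counter(src for _, sev, src, _ in logs if severity in (None, sev))
    return srcs.most_common(n)

def filter_by_watch_list(logs, source_watch=frozenset(), destination_watch=frozenset()):
    """Keep records whose source is on the Source Watch List or whose
    destination is on the Destination Watch List (the Log Viewer filter)."""
    return [r for r in logs if r[2] in source_watch or r[3] in destination_watch]

if __name__ == "__main__":
    print(needs_investigation(LOGS, "2010-06-01", "2010-06-02"))   # True: 2 -> 3 critical
    print(top_attackers(LOGS, 1, "critical"))                      # [('203.0.113.7', 4)]
    print(len(filter_by_watch_list(LOGS, source_watch={"203.0.113.7"})))  # 4
```

The top attacker here is the same host on every day, which is the pattern the DI example resolves by recognizing a known external server and reclassifying its traffic rather than treating it as an attack.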
Chapter 20: Reporting
829