Tuning Using Sentries; Tuning Using Custom Rules Wizard - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual

How do I Tune a DoS Offense?

Step 4 In the Event Properties option, select the first option.

Step 5 In the Traffic Direction option, choose one of the following options:

a For a DoS attack, select the <IP address> to Any Destination option.

b For a DDoS attack, select the <IP address> to DoS target option, which is listed as the Attacker source and Any Destination option.

For example, the window above shows the source IP address and the event high-level category that is creating the false positive suspicious offense. For additional information on using the False Positive tuning function, see the STRM Users Guide.

Step 6 Click Tune.

STRM will no longer create additional offenses for this source IP address when this type of activity occurs.

Tuning Using Sentries

If the attacker is local and events are being received from the Classification Engine, you can assume that the events are being created as a result of a STRM sentry. You can enable or disable DoS sentries for internal and external networks. For more information on sentries, see the STRM Administration Guide.

Tuning Using Custom Rules Wizard

You can use the Custom Rules wizard to edit a building block that contains the IP address(es) of the attackers and the DoS category. For more information on creating or editing a building block, see the STRM Administration Guide.
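As an added illustration (not STRM's own code or data), the following Python models what the false-positive tuning in Steps 4 to 6 does: an entry pairs an event high-level category with a traffic direction, and events matched by an entry no longer raise an offense while other sources and categories still do. The event fields, the rule class and the mapping of the DDoS option to "any source to the DoS target" are assumptions made for this model.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample events (not from the manual). "category" is the event's
# high-level category, as shown in the STRM false-positive tuning window.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "src": "10.0.0.5", "dst": "192.0.2.10", "category": "DoS"},
    {"id": 2, "src": "10.0.0.5", "dst": "192.0.2.11", "category": "Recon"},
    {"id": 3, "src": "10.0.0.9", "dst": "192.0.2.10", "category": "DoS"},
    {"id": 4, "src": "10.0.0.9", "dst": "192.0.2.12", "category": "DoS"},
]


@dataclass(frozen=True)
class TuningRule:
    """Hypothetical model of one false-positive tuning entry: a high-level
    category plus a traffic direction. None means "Any" for that side."""
    category: str
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, event: Dict[str, Any]) -> bool:
        # All three conditions must hold for the event to be tuned out.
        if event["category"] != self.category:
            return False
        if self.src is not None and event["src"] != self.src:
            return False
        if self.dst is not None and event["dst"] != self.dst:
            return False
        return True


def dos_rule(attacker_ip: str, category: str = "DoS") -> TuningRule:
    """Step 5a: '<IP address> to Any Destination' for a single attacker."""
    return TuningRule(category=category, src=attacker_ip)


def ddos_rule(target_ip: str, category: str = "DoS") -> TuningRule:
    """Step 5b as modelled here (assumption): any source to the DoS target."""
    return TuningRule(category=category, dst=target_ip)


def offenses_after_tuning(events: List[Dict[str, Any]],
                          rules: List[TuningRule]) -> List[int]:
    """Return the ids of events that would still create an offense after
    tuning, i.e. the events matched by none of the tuning entries."""
    return [e["id"] for e in events if not any(r.matches(e) for r in rules)]


if __name__ == "__main__":
    print(offenses_after_tuning(SAMPLE_EVENTS, [dos_rule("10.0.0.5")]))
```

Event 2 survives the DoS entry because its category differs, which is the behaviour to verify after tuning: only the tuned category for that source is silenced, not every event from it.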