Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 43

Category offense investigation guide

Step 6 Determine if the offense is a result of a remote host attempting to exploit one or more local hosts.

Typically the target of the attacker is located inside the Demilitarized Zone (DMZ) or in the public facing Network Address Translation (NAT) range. However, if you have assigned public addresses to internal hosts, this behavior could be occurring on any host in the network. To determine if the offense is a result of a remote host attempting to exploit one or more local hosts:

a. View the Attacker/Src field to determine if the attacker associated with this offense is local or remote. If local, go to step

b. View the Target(s)/Dest field to determine if the target for this offense is local or remote. If remote, go to

c. View the Description field to determine the behavior associated with this offense. If the exploit was followed by suspicious behavior, you can determine the validity of the event if a Flow Context Response event appears. If the offense does not include any Flow Context Response events, this indicates that no flow context was detected, which is desired.

Note: For you to view Flow Context Response events, your network must include a flow source monitoring the same location as the IDS product.

d. View the Annotations box to view the details of the offense. If the annotation indicates that this offense includes chaining, this indicates that the target of the attack is now attacking other hosts. If the chained offense started after the exploit, this may indicate that the host was successfully exploited.
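The decision sequence in sub-steps a through d, written as an added triage helper (example code, not part of the Juniper guide or the STRM product). The Offense record, the local address ranges and the field names carried into it are assumptions; the 203.0.113.0/24 DMZ block and all sample offenses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed local address space: RFC 1918 plus a constructed DMZ / public NAT block.
# Replace with the ranges STRM treats as local; as the guide notes, internal hosts
# that carry public addresses must be listed here or 6a/6b will misclassify them.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]

def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)

@dataclass
class Offense:                      # hypothetical record built from the offense screen
    attacker: str                   # Attacker/Src field
    targets: List[str]              # Target(s)/Dest field
    event_categories: List[str]     # event categories shown for the offense
    exploit_time: int               # epoch seconds of the exploit event
    chain_start: Optional[int]      # epoch seconds the chained offense began, if annotated
    flow_source_covers_ids: bool    # prerequisite from the Note: a flow source at the IDS location

def triage(o: Offense) -> dict:
    """Walk step 6 a-d and return the deciding sub-step plus a verdict string."""
    if is_local(o.attacker):                                           # 6a
        return {"step": "a", "verdict": "local attacker: not a remote exploit"}
    if not any(is_local(t) for t in o.targets):                        # 6b
        return {"step": "b", "verdict": "remote target: not a local-host exploit"}
    has_flow_ctx = "Flow Context Response" in o.event_categories        # 6c
    if not o.flow_source_covers_ids and not has_flow_ctx:
        # Absence of flow context proves nothing if no flow source watches the IDS segment.
        return {"step": "c", "verdict": "inconclusive: no flow source covers the IDS"}
    if not has_flow_ctx:
        return {"step": "c", "verdict": "no flow context detected: exploit not confirmed"}
    if o.chain_start is not None and o.chain_start > o.exploit_time:   # 6d
        return {"step": "d", "verdict": "chaining after exploit: host likely compromised"}
    return {"step": "c", "verdict": "flow context present: review follow-on behaviour"}
```

The helper stops at the first sub-step that settles the question, which mirrors the "go to" branches in a and b.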
Category Offense Investigation Guide
How do I Investigate an Exploit Offense
