How Do I Tune An Exploit Offenses - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual

Category offense investigation guide
How do I Tune Exploit Offenses?

If you determine that the exploit activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.

To tune exploit offenses using the false positive function:

Step 1: In the offense details interface, click Categories. The category details appear.

Step 2: In the List of Event Categories, double-click the related category to display the associated events. These categories should be low-level exploit categories, such as buffer overflow, FTP exploit, or worm active.

Step 3: Select the event that includes the known source IP address that is reported to produce suspicious activity.

Step 4: Click False Positive. The False Positive window appears with information derived from the selected event.

Step 5: If only a single offense of this type exists and the offense contains only a single target, select the first option in the Event Property options.

Step 6: If this offense includes multiple attackers generating similar offenses but all to the same destination (typically multiple hosts communicating with a single server), use the SRC to any option.

Note: If all the hosts associated with this offense are related, you can also create a building block using the Rules Wizard to include all the hosts and QIDs (events) that are creating the false positives. Then, add this new building block to the Default-Rule-FalsePositives: All false positive building blocks rule.

Step 7: If this event includes a single offense of this type but the same event (QID) has been used against many targets, select the second option in the Traffic Properties options.
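As an added illustration, not taken from the Juniper manual, the following Python models the three suppression scopes the procedure above chooses between (an exact source-to-target match, a source-to-any match, and a QID-only match) and checks what a broad scope would silence beyond the hosts you verified as benign. The event fields, scope names and sample events are constructed assumptions, not STRM's own schema or the exact semantics of its False Positive window options.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    qid: int   # STRM event identifier (QID); field layout is assumed
    src: str
    dst: str

@dataclass(frozen=True)
class FalsePositiveRule:
    qid: int
    src: Optional[str]  # None means any source
    dst: Optional[str]  # None means any destination

    def matches(self, ev: Event) -> bool:
        return (ev.qid == self.qid
                and (self.src is None or ev.src == self.src)
                and (self.dst is None or ev.dst == self.dst))

def rule_from_event(ev: Event, scope: str) -> FalsePositiveRule:
    """Derive a tuning rule from the selected event at one of three assumed
    scopes (the scope names are this example's, not STRM's option labels)."""
    if scope == "exact":        # one offense, one target: src -> dst, this QID
        return FalsePositiveRule(ev.qid, ev.src, ev.dst)
    if scope == "src_to_any":   # this source, this QID, any destination
        return FalsePositiveRule(ev.qid, ev.src, None)
    if scope == "qid_to_any":   # this QID regardless of hosts
        return FalsePositiveRule(ev.qid, None, None)
    raise ValueError(f"unknown scope {scope!r}")

def collateral(events, rule, known_benign_srcs):
    """Events the rule would silence whose source was NOT verified as benign:
    the check to run before applying a broad tune."""
    return [e for e in events
            if rule.matches(e) and e.src not in known_benign_srcs]

# Constructed sample: an internal scanner (10.0.0.5) tripping a buffer overflow
# QID against two servers, one unrelated external source, and one other QID.
EVENTS = [
    Event(1001, "10.0.0.5", "10.0.0.20"),
    Event(1001, "10.0.0.5", "10.0.0.21"),
    Event(1001, "203.0.113.9", "10.0.0.20"),
    Event(2002, "10.0.0.5", "10.0.0.20"),
]
BENIGN = {"10.0.0.5"}

if __name__ == "__main__":
    for scope in ("exact", "src_to_any", "qid_to_any"):
        rule = rule_from_event(EVENTS[0], scope)
        print(scope, "silences", sum(rule.matches(e) for e in EVENTS), "events;",
              "unverified sources hidden:", [e.src for e in collateral(EVENTS, rule, BENIGN)])
```

Running it shows that only the QID-only scope hides the 203.0.113.9 event, which is exactly the kind of unrelated source a tune should not suppress.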