Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 50
Malware Offenses

Step 8    has become chained to another offense. Chaining means that a target of this offense has become the attacker in another offense, which indicates self-propagating malware.

          Note: Any remote targets associated with a malware offense may be foreign or unknown servers that the source IP address is communicating with to receive instructions or to upload data.

Step 9    View the Top 5 Categories box, which displays the various types of activity associated with the attacker during the time of the offense.

Step 10   View the Top 10 Events box, which displays the top events for this offense, organized by severity.

Step 11   View the Top 5 Annotations box, which displays the most significant correlation tests that contributed to the overall magnitude of the offense. Annotations provide important information, such as which devices contributed events to the offense.

Step 12   Double-click any event that you wish to investigate in further detail and view the Source Port field. Port 6667 is commonly used by bots as an IRC-based control channel. Spyware commonly uses ports 80 and 443, which also carry ordinary web browsing, so a port number alone is not conclusive.

Step 13   In the offense details window, click Flows to view network flows from the attacker IP address. When investigating flows, select the port or application in question. If the traffic volume and the number of conversation pairs seem too high for the user, this may indicate malware.

Step 14   In the offense details window, click Targets, which are organized by vulnerability risk and business value.

Step 15   Right-click a target's IP address and select Information > Asset Profile, which displays the services the target is responding to.

Step 16   Once you have determined the impact of the offense, block the source of the malicious traffic, patch or shut down services on the affected systems, and then take the desired action against the offense.

          Once you have resolved the offense, close or hide it. For more information on closing or hiding an offense, see the STRM Users Guide.
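The three judgement calls in the steps above, whether an offense is chained (Step 8), whether a source is talking on an IRC control port (Step 12), and whether its conversation-pair count or traffic volume is too high for the user (Step 13), can be expressed as simple checks over offense and flow records. The following is an added Python example written for this page; it is not STRM's own logic, and the thresholds, field names and sample data (RFC 5737 documentation addresses) are constructed assumptions for illustration. It also applies the caveat from Step 12: ports 80 and 443 are only reported alongside another anomaly, because on their own they look like ordinary browsing.

```python
from collections import defaultdict
from dataclasses import dataclass

# Port heuristics from Step 12. A port number on its own is weak evidence:
# 80 and 443 carry ordinary browsing as well as spyware traffic, so this code
# reports them only alongside a fan-out or volume anomaly (Step 13).
IRC_CONTROL_PORTS = {6667}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str      # source (attacker) IP address
    dst: str      # remote target
    dport: int    # destination port
    nbytes: int   # bytes sent from src to dst


@dataclass(frozen=True)
class Offense:
    offense_id: int
    attacker: str
    targets: frozenset


def chained_offenses(offenses):
    """Step 8: an offense is chained when one of its targets is the attacker of a
    later offense. Returns (earlier_id, later_id, pivot_host) triples."""
    ordered = sorted(offenses, key=lambda o: o.offense_id)
    chains = []
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.attacker in earlier.targets:
                chains.append((earlier.offense_id, later.offense_id, later.attacker))
    return chains


def summarize_flows(flows):
    """Step 13: per source IP, the distinct (dst, dport) conversation pairs and
    the total bytes sent."""
    pairs = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        pairs[f.src].add((f.dst, f.dport))
        volume[f.src] += f.nbytes
    return pairs, volume


def flag_source(src, flows, max_pairs=10, max_bytes=5_000_000):
    """Reasons a source looks like malware; an empty list means nothing stood out.
    The thresholds are illustrative assumptions, not STRM defaults: tune them to
    what is normal for the user or subnet under investigation."""
    pairs, volume = summarize_flows(flows)
    own = [f for f in flows if f.src == src]
    reasons = []
    if any(f.dport in IRC_CONTROL_PORTS for f in own):
        reasons.append("irc-control-port")
    if len(pairs[src]) > max_pairs:
        reasons.append(f"conversation-pairs:{len(pairs[src])}")
    if volume[src] > max_bytes:
        reasons.append(f"bytes-out:{volume[src]}")
    # Web ports are only worth mentioning once something else is anomalous.
    if reasons and any(f.dport in WEB_PORTS for f in own):
        reasons.append("also-uses-web-ports")
    return reasons


# Constructed sample data using RFC 5737 documentation addresses.
SAMPLE_OFFENSES = [
    Offense(101, "192.0.2.5", frozenset({"192.0.2.20", "192.0.2.21"})),
    Offense(102, "192.0.2.20", frozenset({"192.0.2.30"})),  # a target of 101 now attacks
    Offense(103, "192.0.2.9", frozenset({"198.51.100.7"})),
]

SAMPLE_FLOWS = (
    # 192.0.2.5: IRC control channel plus one SMB flow to each of 12 internal hosts
    [Flow("192.0.2.5", "198.51.100.7", 6667, 1_200)]
    + [Flow("192.0.2.5", f"192.0.2.{h}", 445, 300) for h in range(40, 52)]
    # 192.0.2.9: ordinary browsing, two conversation pairs
    + [Flow("192.0.2.9", "203.0.113.10", 443, 40_000),
       Flow("192.0.2.9", "203.0.113.11", 80, 8_000)]
    # 192.0.2.12: a single 9 MB upload over 443, low fan-out but anomalous volume
    + [Flow("192.0.2.12", "203.0.113.50", 443, 9_000_000)]
)


if __name__ == "__main__":
    print("chained:", chained_offenses(SAMPLE_OFFENSES))
    for host in ("192.0.2.5", "192.0.2.9", "192.0.2.12"):
        print(host, flag_source(host, SAMPLE_FLOWS) or "nothing unusual")
```

Run as a script, it reports offense 101 chained to 102 through 192.0.2.20 (the host that was a target and is now an attacker), flags 192.0.2.5 for the IRC port and its 13 conversation pairs, flags 192.0.2.12 for volume with a note that it also uses 443, and reports nothing unusual for the ordinary browser at 192.0.2.9. The chaining check is the part worth keeping in mind during Step 8: the pivot host is the one to isolate first, because it is where the malware has already spread.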