How Do I Tune A Potential Exploit Offense - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual

How do I Tune a Potential Exploit Offense?
remote source IP address to make sure that your firewalls are properly
configured to block any threatening traffic. If firewall logs are being sent to
STRM, use the Event Viewer to investigate firewall logs to make sure the firewall is
properly configured. For more information on the Event Viewer, see the
STRM Users Guide.
User - If the attacker is local or a VPN user and STRM is receiving user identity
logs, this field indicates user identity information. This allows you to identify the
user who is the source of the suspicious traffic. To obtain further information
about the user, right-click on the IP address in the Description field to access
additional menu options. From the menu, select Information >
Asset Profile. The Asset Profile window allows you to determine additional
information regarding the identity of the source user.
View the Annotations box and locate any CRE Event annotation, which means that
this offense is the result of a custom rule created for STRM. The annotations for an
offense describe the offense details and the reasons for investigating this offense.
For example, an annotation may indicate that a system, which is not known to be a
DNS server, communicates with a DNS server outside the customer networks. The
annotations for this offense explain that many bots that get installed on client
hosts have a built-in DNS client to avoid DNS-based remediation techniques and
that you should investigate this communication.
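The rule behind that example annotation, reproduced as an added example over constructed flow records (this is not STRM's rule engine or its custom rule syntax; the customer networks, the approved DNS server and the flow field names are assumptions):

```python
# Added example (not STRM's rule engine): reproduces the logic of the CRE
# annotation described above, that is, flag any host that is not a known DNS
# server talking to a DNS server outside the customer networks.
import ipaddress
from typing import Iterable

# Assumed values: in a real deployment the customer networks and the approved
# DNS servers would come from the STRM network hierarchy and asset profiles.
CUSTOMER_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
KNOWN_DNS_SERVERS = {ipaddress.ip_address("10.0.0.53")}
DNS_PORTS = {53}

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_NETWORKS)

def is_rogue_dns_flow(flow: dict) -> bool:
    """True when a host that is not an approved DNS server sends DNS
    traffic to a destination outside the customer networks."""
    if flow["dst_port"] not in DNS_PORTS or flow["proto"] not in ("udp", "tcp"):
        return False
    if ipaddress.ip_address(flow["src_ip"]) in KNOWN_DNS_SERVERS:
        return False  # approved forwarders are expected to resolve externally
    return is_internal(flow["src_ip"]) and not is_internal(flow["dst_ip"])

def annotate(flows: Iterable[dict]) -> list:
    """Return (flow, annotation) pairs for every flow that matches the rule."""
    note = ("CRE Event: host not known to be a DNS server communicating with "
            "a DNS server outside the customer networks")
    return [(f, note) for f in flows if is_rogue_dns_flow(f)]

# Constructed sample flows, not real data.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.3", "dst_ip": "10.0.0.53", "dst_port": 53, "proto": "udp"},    # internal resolver
    {"src_ip": "10.0.0.53", "dst_ip": "198.51.100.1", "dst_port": 53, "proto": "udp"}, # approved forwarder
    {"src_ip": "10.1.2.7", "dst_ip": "203.0.113.9", "dst_port": 53, "proto": "udp"},  # client resolving externally
    {"src_ip": "10.1.2.7", "dst_ip": "203.0.113.9", "dst_port": 443, "proto": "tcp"}, # not DNS
]

if __name__ == "__main__":
    for flow, note in annotate(SAMPLE_FLOWS):
        print(f"{flow['src_ip']} -> {flow['dst_ip']}:{flow['dst_port']}  {note}")
```

Only the third sample flow is annotated; a known forwarder and non-DNS traffic pass through.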
View the Annotations box and locate any real-time flow analysis annotation, which
describes the behavior of the host or other exploit attempts from the same
attacker. This type of annotation occurs when the offense is generated by IDS or
IPS products.
Once you have determined the impact of the offense, you must either block the
source of the scan or patch or shut down services on the affected systems, and then
take the desired action against the offense.
Once you have resolved the offense, close or hide the offense.
For more information on closing or hiding an offense, see the STRM Users Guide.
If you determine that the potential exploit activity is normal and STRM is creating
false positive offenses, you can tune STRM to make sure no more offenses are
created due to this activity.
To tune potential exploit activity using the false positive function:
Step 1 In the offense details interface, click Events.
The List of Events appears for the selected offense.