Suspicious Activity Offenses; What Is A Suspicious Attack; What Is Suspicious Traffic; What Is A Suspicious Offense - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual

Suspicious Activity Offenses
This chapter provides information on suspicious attacks, including:

What is a Suspicious Attack?
How do I Investigate a Suspicious Offense?
How do I Tune Suspicious Offenses?

What is a Suspicious Attack?

This section provides information on suspicious attacks, including:

What is Suspicious Traffic?
What is a Suspicious Offense?

STRM detects suspicious activity: security events, patterns of security events, or network flows that have been classified as suspicious and may represent a potential threat to the network. A potential threat is traffic that may include a virus, a potential vulnerability, or potential unauthorized access. Many devices, such as IDSs, report events when suspicious packets are detected. For example, a SYN packet should not carry a data payload, so STRM treats data seen on a SYN packet as suspicious. STRM also monitors for patterns of events that may be considered suspicious, such as multiple login failures from the same source IP address followed by a successful login. When STRM detects these types of events, a suspicious offense is created.

STRM performs several tests on suspicious events and network flows before creating a suspicious offense, in order to rule out false positives. Suspicious events and flows are correlated into an offense based on the results of the STRM correlation rules.

For example, STRM considers the following questions when analyzing suspicious traffic and events:

What is the event rate?
Who is the attacker (source IP address)?
Who are the targets (destination IP addresses)?
Are the targets vulnerable?
Are there any patterns in the events or flows that may be suspicious?
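The login-failure pattern described above, as an added example that is not part of this manual and not STRM's own correlation engine: a small Python correlator runs over constructed log lines, groups events by source IP address, applies the "several failures followed by a success" test inside a time window, and records the answers to the questions listed above (event rate, attacker, targets). The failure threshold and window length are assumed tuning values, not STRM defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the manual):
# "<timestamp> <source IP> <destination IP> <outcome>"
SAMPLE_EVENTS = [
    "2008-06-01T10:00:01 10.0.0.5 192.168.1.10 login_failure",
    "2008-06-01T10:00:03 10.0.0.5 192.168.1.10 login_failure",
    "2008-06-01T10:00:05 10.0.0.5 192.168.1.10 login_failure",
    "2008-06-01T10:00:07 10.0.0.5 192.168.1.10 login_failure",
    "2008-06-01T10:00:09 10.0.0.5 192.168.1.10 login_success",
    # One stale failure followed by a success: not enough to be an offense.
    "2008-06-01T10:05:00 10.0.0.9 192.168.1.20 login_failure",
    "2008-06-01T10:09:00 10.0.0.9 192.168.1.20 login_success",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, src, dst, outcome)."""
    ts, src, dst, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, outcome


def correlate(lines, min_failures=3, window=timedelta(minutes=2)):
    """Return one offense per source IP that produced at least min_failures
    login failures followed by a login success, all inside `window`.
    min_failures and window are assumed tuning values, not STRM defaults."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, outcome = parse_event(line)
        by_src[src].append((ts, dst, outcome))

    offenses = []
    for src, events in by_src.items():
        events.sort()
        failures = []  # (ts, dst) of failures still inside the window
        for ts, dst, outcome in events:
            # Drop failures older than the window before testing the pattern.
            failures = [f for f in failures if ts - f[0] <= window]
            if outcome == "login_failure":
                failures.append((ts, dst))
            elif outcome == "login_success" and len(failures) >= min_failures:
                span = (ts - failures[0][0]).total_seconds() or 1.0
                offenses.append({
                    "source": src,                       # who is the attacker?
                    "targets": sorted({dst} | {f[1] for f in failures}),
                    "event_count": len(failures) + 1,
                    "events_per_sec": round((len(failures) + 1) / span, 3),
                })
                failures = []  # one offense per matched sequence
    return offenses
```

Whether a target is vulnerable (the fourth question above) would be answered by joining each offense's targets against asset or scanner data, which this example does not model.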