Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - EVENT CATEGORY CORRELATION REFERENCE GUIDE REV 1 Reference Manual
Event category correlation reference guide

Security Threat Response Manager
Event Category Correlation Reference Guide
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-025607-01, Revision 1

Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - EVENT CATEGORY CORRELATION REFERENCE GUIDE REV 1

  • Page 1: Security Threat Response Manager, Event Category Correlation Reference Guide, Release 2008.2. Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089, 408-745-2000, www.juniper.net. Part Number: 530-025607-01, Revision 1...
  • Page 2: ...Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table of Contents. About This Guide: Conventions; Technical Documentation; Documentation Feedback; Requesting Support. Event Category Correlation: About Event Category Correlation; High-Level Event Categories; Event Correlation Processing; Additional Event Processing; Recon; Authentication; Access; Exploit; Malware; Suspicious Activity; System; Policy; Potential Exploit; SIM Audit; VIS Host Discovery; Application...
  • Page 5: About This Guide. ...Information that alerts you to potential personal injury. Technical Documentation: You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support. Documentation Feedback: We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
  • Page 6: Requesting Support. Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere)...
  • Page 7: Event Category Correlation. This document provides information on the types of event categories and the processing of events. For example, the event category determines whether an offense is automatically created for the event, whether real-time flow analysis and rate analysis are performed, and which default correlation tests are applied. This document provides information on event correlation including: About Event Category Correlation...
  • Page 8: High-Level Event Categories. ...in the Ariel database and, in some circumstances, performs real-time flow analysis to determine the appropriate routing of the event. Figure 2-1 provides a representation of the process within the Event Processor for processing events. Once the Event Processor receives an event, the Category Router determines the appropriate Correlation Group to apply tests to the event.
  • Page 9: High-Level Event Categories. The high-level event categories include (Table 2-1, High-Level Event Categories): Recon: events relating to scanning and other techniques used to identify network resources, for example, network or host port scans. DoS: events relating to Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks against services or hosts, for example, brute force network DoS attacks.
  • Page 10: Event Correlation Processing. For each event category, the Correlation Group determines the correlation rules (tests) that are performed on each event. Each test is performed and assigned a value between 0 and 10. Once all tests are complete, all test results are weighted and the data for the event is provided in the event viewer.
  • Page 11: Table 2-2, Correlation Rules (Tests) (continued). Remote Target: determines if the target network is defined as a remote network in STRM views. Geographic Location: determines the relative importance of the geographic location of the target. Remote Attacker: determines if the attacker network is defined as a remote network in STRM views.
  • Page 12: Correlation Group 1. The Correlation Group 1 correlation model provides tests for the following traffic types (Table 2-3, Correlation Group 1 Tests). Local-to-Local: Correlation Group 1 performs the following tests for Local-to-Local traffic: Relevance of the day of the week...
  • Page 13: Table 2-3, Correlation Group 1 Tests (continued). Local-to-Remote: Correlation Group 1 performs the following tests for Local-to-Remote traffic: Relevance of the day of the week; Device credibility; Event rate...
  • Page 14: Correlation Group 2. The Correlation Group 2 correlation model provides tests for the following traffic types (Table 2-4, Correlation Group 2 Tests). Local-to-Local: Correlation Group 2 performs the following tests for Local-to-Local traffic: Relevance of the day of the week...
  • Page 15: Table 2-4, Correlation Group 2 Tests (continued). Remote-to-Local: Correlation Group 2 performs the following tests for Remote-to-Local traffic: Relevance of the day of the week; Device credibility; Event rate...
  • Page 16: Correlation Group 3. The Correlation Group 3 correlation model provides tests for the following traffic types (Table 2-5, Correlation Group 3 Tests). Local-to-Local: Correlation Group 3 performs the following tests for Local-to-Local traffic: Relevance of the day of the week...
  • Page 17: Table 2-5, Correlation Group 3 Tests (continued). Remote-to-Local: Correlation Group 3 performs the following tests for Remote-to-Local traffic: Relevance of the day of the week; Device credibility; Event rate...
  • Page 18: Correlation Group 4. The Correlation Group 4 correlation model provides tests for the following traffic types (Table 2-6, Correlation Group 4 Tests). Local-to-Local: Correlation Group 4 performs the following tests for Local-to-Local traffic: Relevance of the day of the week...
  • Page 19: Table 2-6, Correlation Group 4 Tests (continued). Remote-to-Local: Correlation Group 4 performs the following tests for Remote-to-Local traffic: Relevance of the day of the week; Device credibility; Event rate...
  • Page 20: Table 2-7, Correlation Group 5 Tests (continued). Local-to-Remote: Correlation Group 5 performs the following tests for Local-to-Remote traffic: Relevance of the day of the week; Device credibility; Event rate; Attacker network...
  • Page 21: Recon. Table 2-8, Recon Categories (continued); columns are Low Level Event Category, Description, Severity Level (0 to 10), Event Correlation/Processing, and Additional Event Processing. Host Query: indicates reconnaissance to a host in your network; Correlation Group 2; Scenario 2. Network Sweep: indicates reconnaissance on your network; Correlation Group 2; Scenario 2.
  • Page 22: DoS. The DoS category indicates events relating to Denial of Service (DoS) attacks against services or hosts. The associated low-level event categories include (Table 2-9, DoS Categories; same columns as Table 2-8)...
  • Page 23: Table 2-9, DoS Categories (continued). Medium Rate DoS: indicates a medium rate DoS attack; Correlation Group 2; Scenario 2. Medium Rate DoS: indicates a medium rate DoS attack; Correlation Group 2; Scenario 2.
  • Page 24: Table 2-9, DoS Categories (continued). High Rate Scan: indicates a high rate scan; Correlation Group 2; Scenario 2. Medium Rate TCP Scan: indicates a medium rate TCP...; Correlation Group 2; Scenario 2.
  • Page 25: Authentication. Table 2-10, Authentication Categories (continued). Mail Service Login Failed: indicates that the mail service login failed; Correlation Group 3; Scenario 2. Auth Server Login Failed: indicates that the authentication...; Correlation Group 3; Scenario 2.
  • Page 26: Table 2-10, Authentication Categories (continued). System Security Access Granted: indicates that system security access was successfully granted; Correlation Group 3; Scenario 2. System Security...: indicates that system security...; Correlation Group 3; Scenario 2.
  • Page 27: Table 2-10, Authentication Categories (continued). General Authentication Successful: indicates that the authentication process was successful; Correlation Group 3; Scenario 2. General Authentication...: indicates that the authenticating process failed; Correlation Group 3; Scenario 2.
  • Page 28: Table 2-10, Authentication Categories (continued). Remote Access Logout: indicates that the process to log out using remote access was successful; Correlation Group 3; Scenario 2.
  • Page 29: Access. The access category indicates events relating to authentication and access controls. The associated low-level event categories include (Table 2-11, Access Categories): Unknown Network Communication: indicates an unknown network...; Correlation Group 3; Scenario 2.
  • Page 30: Table 2-11, Access Categories (continued). Session Reset: indicates that a session was reset; Correlation Group 3; Scenario 2. Session Terminated: indicates that a session was terminated; Correlation Group 3; Scenario 2.
  • Page 31: Table 2-12, Exploit Categories (continued). Session Hijack: indicates a session in your network has been intercepted; Correlation Group 2; Scenario 2. Worm Active: indicates an active worm.
  • Page 32: Table 2-13, Malware Categories (continued). Hostile Software Download: indicates a hostile software download to your network; Correlation Group 2; Scenario 2. Virus Detected: indicates a virus has been...; Correlation Group 2; Scenario 2.
  • Page 33: Suspicious Activity. Table 2-14, Suspicious Categories (continued). Suspicious File Name: indicates a suspicious file name; Correlation Group 2; Scenario 2. Suspicious Port Activity: indicates suspicious port activity; severity 3; Correlation Group 2; Scenario 2. Suspicious Routing: indicates suspicious routing.
  • Page 34: Table 2-14, Suspicious Categories (continued). Potential SMB Vulnerability: indicates a potential SMB (Samba) vulnerability; Correlation Group 2; Scenario 2. Potential Database Vulnerability: indicates a potential vulnerability...; Correlation Group 2; Scenario 2.
  • Page 35: Table 2-14, Suspicious Categories (continued). Suspicious ICMP Type: indicates a potentially invalid ICMP type has been detected; Correlation Group 2; Scenario 2. Suspicious ICMP...: indicates a potentially invalid...; Correlation Group 2; Scenario 2.
  • Page 36: System. The system category indicates that the nature of the threat is unknown but the behavior is suspicious, including protocol anomalies that potentially indicate evasive techniques. The associated low-level event categories include (Table 2-15, System Categories)...
  • Page 37: Table 2-15, System Categories (continued). Failed Host-Policy Modification: indicates that a modification to the host policy has failed; Correlation Group 5; Scenario 2. Failed File...: indicates that a modification to a...; Correlation Group 5; Scenario 2.
  • Page 38: Table 2-15, System Categories (continued). Cron Status: indicates a crontab status message; Correlation Group 5; Scenario 2. Cron Failed: indicates a crontab failure message; Correlation Group 5; Scenario 2.
  • Page 39: Policy. The policy category indicates events relating to system changes, software installation, or status messages. The associated low-level event categories include (Table 2-16, Policy Categories): Unknown Policy...
  • Page 40: CRE. The CRE category indicates events generated from a custom offense or event rule. The associated low-level event categories include (Table 2-17, CRE Category): Unknown CRE Event...
  • Page 41: Table 2-18, Potential Exploit Category (continued). Potential Mail Exploit: indicates a potentially exploitative attack through mail has been detected; Correlation Group 1; Scenario 2. Potential Infrastructure...: indicates a potential...; Correlation Group 1; Scenario 2.
  • Page 42: VIS Host Discovery. When the VIS component discovers and stores new hosts, ports, or vulnerabilities detected on the network, it generates events. These events are sent to the Event Collector to be correlated with other security events. The associated low-level event categories include (Table 2-20, VIS Host Discovery Category)...
  • Page 43: Application. Table 2-21, Application Category (continued). Mail in Progress: indicates that an e-mail connection is being attempted; Correlation Group 3; Scenario 2. Mail Delayed: indicates that an e-mail connection was delayed; Correlation Group 3; Scenario 2.
  • Page 44: Table 2-21, Application Category (continued). HTTP Redirected: indicates that an HTTP connection was redirected; Correlation Group 3; Scenario 2. HTTP Proxy: indicates that an HTTP connection is being proxied; Correlation Group 3; Scenario 2.
  • Page 45: Table 2-21, Application Category (continued). RemoteAccess Closed: indicates that a remote access connection was closed; Correlation Group 3; Scenario 2. RemoteAccess Reset: indicates that a remote access connection was reset; Correlation Group 3; Scenario 2.
  • Page 46: Table 2-21, Application Category (continued). RDP Reset: indicates that an RDP connection was reset; Correlation Group 3; Scenario 2. RDP Terminated: indicates that an RDP connection was terminated; Correlation Group 3; Scenario 2.
  • Page 47: Table 2-21, Application Category (continued). DNS In Progress: indicates that a DNS connection is currently in progress; Correlation Group 3; Scenario 2. DNS Delayed: indicates that a DNS connection was delayed; Correlation Group 3; Scenario 2.
  • Page 48: Table 2-21, Application Category (continued). SMTP Reset: indicates that an SMTP connection was reset; Correlation Group 3; Scenario 2. SMTP Terminated: indicates that an SMTP connection was terminated; Correlation Group 3; Scenario 2.
  • Page 49: Table 2-21, Application Category (continued). P2P Closed: indicates that a P2P connection was closed; Correlation Group 3; Scenario 2. P2P Reset: indicates that a P2P connection was reset; Correlation Group 3; Scenario 2.
  • Page 50: Table 2-21, Application Category (continued). VoIP Denied: indicates that a VoIP connection was denied; Correlation Group 3; Scenario 2. VoIP In Progress: indicates that a VoIP connection is currently in...
