Event Category Correlation

Event Correlation Processing
For each event category, the Correlation Group determines the correlation rules
(tests) that are performed on each event. Each test is performed and assigned a
value between 0 and 10. Once all tests are complete, all test results are weighted
and the data for the event is provided in the event viewer. Table 2-2 provides a
list of possible correlation rules (tests).

Table 2-2 Correlation Rules (Tests)

Rule / Description

Relevance of the day of the week
    Determines the relevance of the day of the week for this event. For
    example, if the event occurs on the weekend, an attack may have a higher
    relevance.

Device credibility
    A credibility rating can be applied on a per-device basis, which allows
    users to associate a credibility with a device based on the level of trust
    for the device and the validity of the events it produces. For example, a
    highly tuned IDS in front of a key server may have a credibility of 7,
    while an IDS outside the corporate network may have a credibility of 3.

Event rate
    Determines if the event rate of this event type is greater than normal.
    This is determined on a category-by-category basis.

Attacker
    Determines if the attacker is one of the configured assets.

Target
    Determines if the target is one of the configured assets.

Source port
    Determines if the source port is less than 1024. If the port is less than
    1024, the attacker may be attempting to fool a stateless firewall.

Attacker age
    Determines the relative importance of how long the attacker has been known
    to the system. If the attacker is new, the relevance of this attacker
    increases.

Target age
    Determines the relative importance of how long the target has been known
    to the system.

Remote attacker
    Determines the relative importance of the attacker network.

Remote target
    Determines the relative importance of the target network.

Target port
    Determines if the target port is included in the list of most attacked
    ports provided by the incidents.org data.

Attacker risk
    Determines the overall risk assessment value for the attacker based on the
    asset profile data.

Target risk
    Determines the overall risk assessment value for the target.

Time of the attack
    Determines the time of the attack. For example, if the attack occurs in
    the middle of the night, which is deemed to be a low-traffic time, this
    indicates a higher relevance of the attack.

Vulnerable targeted port
    If the port is open, determines if the targeted port is vulnerable to the
    current exploit.

Vulnerable port
    Determines if the port is vulnerable to any type of attack or exploit.

Open target port
    Determines if the target port is open.
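To make the scoring flow concrete, the following is an added example (not code from the guide or from STRM) that models a subset of the tests in Table 2-2: each test returns a value from 0 to 10 and the results are combined with weights. The per-test thresholds, the weights, the combining formula, the asset list, the "most attacked ports" set and the two sample events are all assumptions constructed for this example; the guide does not publish the real ones.

```python
"""Toy model of per-category correlation scoring (assumed, not STRM's code).

Each test returns 0..10; results are weighted into one value for the event
viewer. Thresholds, weights and the formula are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Event:
    source_ip: str
    source_port: int
    target_ip: str
    target_port: int
    timestamp: datetime
    device_credibility: int                 # 0-10, configured per log source
    attacker_first_seen: Optional[datetime]  # None = never seen before
    target_open_ports: FrozenSet[int]        # from the target's asset profile


# Constructed stand-ins for the configured assets and the incidents.org list.
CONFIGURED_ASSETS = frozenset({"10.0.0.5", "10.0.0.6"})
MOST_ATTACKED_PORTS = frozenset({22, 80, 445, 3389})


def relevance_of_day(ev: Event) -> int:
    """Weekend events get a higher relevance (assumed values)."""
    return 8 if ev.timestamp.weekday() >= 5 else 3


def time_of_attack(ev: Event) -> int:
    """Low-traffic hours (assumed 22:00-06:00) raise the relevance."""
    return 8 if ev.timestamp.hour < 6 or ev.timestamp.hour >= 22 else 3


def device_credibility(ev: Event) -> int:
    """The per-device credibility is already a 0-10 value."""
    return ev.device_credibility


def attacker_is_asset(ev: Event) -> int:
    return 10 if ev.source_ip in CONFIGURED_ASSETS else 0


def target_is_asset(ev: Event) -> int:
    return 10 if ev.target_ip in CONFIGURED_ASSETS else 0


def source_port(ev: Event) -> int:
    """A source port below 1024 may be an attempt to fool a stateless firewall."""
    return 7 if ev.source_port < 1024 else 1


def attacker_age(ev: Event) -> int:
    """Unknown attackers score highest; relevance decays with time known."""
    if ev.attacker_first_seen is None:
        return 9
    days_known = (ev.timestamp - ev.attacker_first_seen).days
    return max(0, 9 - days_known // 30)


def target_port(ev: Event) -> int:
    return 8 if ev.target_port in MOST_ATTACKED_PORTS else 2


def open_target_port(ev: Event) -> int:
    return 10 if ev.target_port in ev.target_open_ports else 0


TESTS: Dict[str, Callable[[Event], int]] = {
    f.__name__: f for f in (relevance_of_day, time_of_attack, device_credibility,
                            attacker_is_asset, target_is_asset, source_port,
                            attacker_age, target_port, open_target_port)
}

# Assumed weights: device credibility, target asset and open port count double.
WEIGHTS: Dict[str, int] = {name: 1 for name in TESTS}
WEIGHTS.update({"device_credibility": 2, "target_is_asset": 2, "open_target_port": 2})


def score_event(ev: Event) -> Tuple[Dict[str, int], float]:
    """Run every test, enforce the 0-10 range, and return a weighted average."""
    results = {name: fn(ev) for name, fn in TESTS.items()}
    for name, value in results.items():
        if not 0 <= value <= 10:
            raise ValueError(f"{name} returned {value}, outside 0-10")
    weighted = sum(results[n] * WEIGHTS[n] for n in results) / sum(WEIGHTS.values())
    return results, round(weighted, 2)


# Constructed sample events (documentation IP ranges, not real hosts).
SUSPICIOUS_EVENT = Event(
    source_ip="203.0.113.7", source_port=80, target_ip="10.0.0.5", target_port=445,
    timestamp=datetime(2024, 6, 8, 2, 30),   # Saturday, 02:30
    device_credibility=7, attacker_first_seen=None,
    target_open_ports=frozenset({22, 445}),
)
BENIGN_EVENT = Event(
    source_ip="198.51.100.9", source_port=51234, target_ip="10.0.0.20",
    target_port=8080, timestamp=datetime(2024, 6, 11, 14, 0),  # Tuesday, 14:00
    device_credibility=3, attacker_first_seen=datetime(2024, 1, 1),
    target_open_ports=frozenset({443}),
)

if __name__ == "__main__":
    for label, ev in (("suspicious", SUSPICIOUS_EVENT), ("benign", BENIGN_EVENT)):
        results, score = score_event(ev)
        print(f"{label}: {score} {results}")
```

The range check in `score_event` is the part worth keeping in a real pipeline: a test that drifts outside 0-10 silently distorts the weighted result for every event in that category. Note also that raising the device credibility weight means a low-credibility sensor pulls the score of an otherwise alarming event down, which is the intended effect of the per-device rating described in the table.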