Target Analysis Group - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

STRM Administration Guide
UNIVERSITY TEMPLATE DEFAULTS

Table B-4 Custom Views - AttackerTargetAnalysis (continued)

Group: PeripheralCommsAnalysis
Objects: This group includes:
• Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host. Many typical attacks fire an exploit at the target with little or no prior host investigation.
• Activity_After_Event - The network flow analysis indicates a target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker/target were also seen communicating before the event, and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate a successful attack has occurred.
• Target_Initiating_Comms_To_Attacker - The network flow analysis indicates a target was seen initiating connections back to the attacker before or after the event. This can sometimes indicate the attacker has been able to force the target to communicate back to him, therefore bypassing some firewall rules.

Target Analysis Group

Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relay, including:

Table B-5 Custom Views - TargetAnalysis

Group: BotNetAnalysis
Objects: BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC Bot on the target and instructed the target to connect to an IRC Channel that is under his control and await instructions. Large numbers of such exploited machines form a BotNet and can be used by the attacker to coordinate large scale Distributed Denial of Service attacks (DDoS).

Group: MalwareAnalysis
Objects: Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is being seen in the presence of security events aimed at this host, and it is therefore possible the attacker has infected the target with a worm, or other hostile malware, and it is attempting to spread from this host.
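The five flow-analysis objects in Tables B-4 and B-5 are all simple correlations between an offense event (attacker, target, time) and the flow records around it. The following is an added illustration, not STRM's own code or its real custom-view logic: it re-implements each check over a constructed set of flow records so the reasoning behind "before", "after", "target-initiated", "IRC on the Internet" and "many failed connects" is visible. The Flow/Event types, the 10.0.0.0/8 internal network, the IRC ports, the five-minute window and the 20-peer threshold are all assumptions chosen for the example.

```python
"""Toy re-implementation of the STRM Table B-4/B-5 flow-analysis checks.
Added example only: not STRM code. Window, ports, thresholds are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed values below)
    src: str         # host that initiated the connection
    dst: str         # host that was contacted
    dport: int       # destination port
    completed: bool  # True if the connection was established, False if it failed


@dataclass(frozen=True)
class Event:
    ts: int
    attacker: str
    target: str


INTERNAL = ip_network("10.0.0.0/8")  # assumed local address space
IRC_PORTS = {6667, 6697}             # assumed IRC server ports
WINDOW = 300                         # assumed +/- 5 minute correlation window
FAILED_PEERS = 20                    # assumed meaning of "many other hosts"


def peripheral_comms(event, flows):
    """PeripheralCommsAnalysis objects from Table B-4."""
    before = after = target_initiated = False
    pair = {event.attacker, event.target}
    for f in flows:
        if {f.src, f.dst} != pair:
            continue  # not attacker<->target traffic
        if event.ts - WINDOW <= f.ts < event.ts:
            before = True
        elif event.ts < f.ts <= event.ts + WINDOW:
            after = True
        else:
            continue  # outside the window, ignore
        if f.src == event.target:
            target_initiated = True  # target called back to the attacker
    return {
        "Activity_Before_Event": before,
        "Activity_After_Event": after,
        "Target_Initiating_Comms_To_Attacker": target_initiated,
    }


def botnet_connect(target, flows):
    """BotNet_Connect: target established a session to an IRC port outside INTERNAL."""
    return any(
        f.src == target and f.completed and f.dport in IRC_PORTS
        and ip_address(f.dst) not in INTERNAL
        for f in flows
    )


def malware_server_connection(target, flows):
    """Malware_Server_Connection: target failed to reach many distinct hosts."""
    failed_peers = {f.dst for f in flows if f.src == target and not f.completed}
    return len(failed_peers) >= FAILED_PEERS


def analyze(event, flows):
    """Evaluate every object for one event; True means the view would flag it."""
    result = peripheral_comms(event, flows)
    result["BotNet_Connect"] = botnet_connect(event.target, flows)
    result["Malware_Server_Connection"] = malware_server_connection(event.target, flows)
    return result


# Constructed sample data: one IDS event plus the flows seen around it.
SAMPLE_EVENT = Event(ts=1000, attacker="203.0.113.5", target="10.0.0.7")
SAMPLE_FLOWS = [
    Flow(900, "203.0.113.5", "10.0.0.7", 445, True),    # attacker touches target before event
    Flow(1100, "10.0.0.7", "203.0.113.5", 4444, True),  # target connects back after event
    Flow(1200, "10.0.0.7", "192.0.2.10", 6667, True),   # target joins an external IRC server
] + [
    Flow(1300 + i, "10.0.0.7", f"10.0.1.{i}", 445, False)  # 25 failed internal connects
    for i in range(25)
]

if __name__ == "__main__":
    for name, hit in analyze(SAMPLE_EVENT, SAMPLE_FLOWS).items():
        print(f"{name:40} {'HIT' if hit else '-'}")
```

Because the Activity_After_Event note says the same pattern can mean either a noisy sensor or a successful compromise, the dictionary only reports what the flows show; the credibility of the emitting device has to be weighed separately when the view fires.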
