Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - EVENT CATEGORY CORRELATION REFERENCE GUIDE REV 1, Security Threat Response Manager Reference Manual

Security Threat Response Manager
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000
www.juniper.net
Part Number: 530-025607-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Event Category Correlation Reference guide
Release 2008.2
Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA.
Revision History
June 2008, Beta Draft
The information in this document is current as of the date listed in the revision history.
CONTENTS
ABOUT THIS GUIDE
Conventions 1
Technical Documentation 1
Documentation Feedback 1
Requesting Support 2
EVENT CATEGORY CORRELATION
About Event Category Correlation 1
High-Level Event Categories 3
Event Correlation Processing 4
Additional Event Processing 14
Recon 14
DoS 16
Authentication 18
Access 23
Exploit 24
Malware 25
Suspicious Activity 26
System 30
Policy 33
CRE 34
Potential Exploit 34
SIM Audit 35
VIS Host Discovery 36
Application 36
ABOUT THIS GUIDE
The Event Category Correlation Reference Guide provides you with information on how to investigate various types of security threats using the Offense Manager, Event Viewer, or Flow Viewer. You can sort offenses by category (such as exploit, policy, or malware).
Conventions
Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Icon Type: Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning: Information that alerts you to potential personal injury.
Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
STRM Event Category Correlation Reference Guide
Requesting Support
Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
EVENT CATEGORY CORRELATION
This document describes the types of event categories and how events are processed. For example, the event category determines whether an offense is automatically created for an event, whether real-time flow analysis and rate analysis are performed, and which default correlation tests are run. This document provides information on event correlation including:
About Event Category Correlation
Recon
DoS
Authentication
Access
Exploit
Malware
Suspicious Activity
System
Policy
CRE
Potential Exploit
SIM Audit
VIS Host Discovery
Application
About Event Category Correlation
An Event Processor processes events collected from one or more Event Collectors. Once received, the Event Processor correlates the information from STRM and distributes it to the appropriate Correlation Group for processing.
The Correlation Groups perform tests on the events to determine factors such as vulnerability data, relevance of the targets, importance, or credibility of the events. The results of the Correlation Group tests appear as annotations in the Offense Manager and Event Viewer. Also, custom rules are applied to additional events for specific incident recognition. Once complete, the Event Processor stores the event in the Ariel database and, in some circumstances, performs real-time flow analysis to determine the appropriate routing of the event.
For example, Figure 2-1 provides a representation of the process within the Event Processor for processing events. Once the Event Processor receives an event, the Category Router determines the appropriate Correlation Group to apply tests to the event. Once complete, the event is passed through the Custom Rules Engine to determine the custom rules that apply to the event. The event is then passed through the Ariel database for storage and the Flow Context and Routing components to determine if real-time flow analysis should be performed and if the event should automatically generate a new offense or become part of an existing offense. If this is the case, the event is sent to the Magistrate. If real-time flow analysis is requested of the event, a request is sent to the Classification Engine to determine routing.
Figure 2-1 Event Category Correlation Process. (Diagram: events from the Event Collectors enter the Event Processor, where the Category Router distributes them to Correlation Groups 1 through 5; events then pass through the Custom Rules Engine, Ariel DB Storage, and Flow Context and Routing, which consults the Classification Engine and sends events to the Magistrate; external events are exported to e-mail, syslog, and SNMP.)
This section includes:
High-Level Event Categories
Event Correlation Processing
Additional Event Processing
High-Level Event Categories
The high-level event categories include:
Table 2-1 High-Level Event Categories
Category: Description
Recon: Events relating to scanning and other techniques used to identify network resources, for example, network or host port scans.
DoS: Events relating to Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks against services or hosts, for example, brute force network DoS attacks.
Authentication: Events relating to authentication controls, group, or privilege change, for example, log in or log out.
Access: Events resulting from an attempt to access network resources, for example, firewall accept or deny.
Exploit: Events relating to application exploits and buffer overflow attempts, for example, buffer overflow or web application exploits.
Malware: Events relating to viruses, trojans, back door attacks, or other forms of hostile software. This may include a virus, trojan, malicious software, or spyware.
Suspicious Activity: The nature of the threat is unknown but the behavior is suspicious, including protocol anomalies that potentially indicate evasive techniques, for example, packet fragmentation or known IDS evasion techniques.
System: Events related to system changes, software installation, or status messages.
Policy: Events regarding corporate policy violations or misuse.
CRE: Events generated from an offense or event rule. For more information on creating custom rules, see the STRM Administration Guide.
Potential Exploit: Events relating to potential application exploits and buffer overflow attempts.
SIM Audit: Events relating to user interaction with the Console and STRM Administration Console.
VIS Host Discovery: Events relating to the hosts, ports, or vulnerabilities that the VIS component discovers.
Application: Events relating to application activity.
Event Correlation Processing
For each event category, the Correlation Group determines the correlation rules (tests) that are performed on each event. Each test is performed and assigned a value between 0 and 10. Once all tests are complete, the test results are weighted and the resulting data for the event is provided in the Event Viewer. Table 2-2 provides a list of possible correlation rules (tests).
Table 2-2 Correlation Rules (Tests)
Rule: Description
Relevance of the day of the week: Determines the relevance of the day of the week for this event. For example, if the event occurs on the weekend, an attack may have a higher relevance.
Device credibility: A credibility rating can be applied on a per-device basis, which allows users to associate a credibility with a device based on the level of trust for the device and the validity of the events it produces. For example, a highly tuned IDS in front of a key server may have a credibility of 7, while an IDS outside the corporate network may have a credibility of 3.
Event rate: Determines if the event rate of this event type is greater than normal. This is determined on a category-by-category basis.
Attacker: Determines if the attacker is one of the configured assets.
Target: Determines if the target is one of the configured assets.
Source port: Determines if the source port is less than 1024. If the port is less than 1024, the attacker may be attempting to fool a stateless firewall.
Attacker age: Determines the relative importance of how long the attacker has been known to the system. If the attacker is new, the relevance of this attacker increases.
Target age: Determines the relative importance of how long the target has been known to the system.
Remote attacker: Determines the relative importance of the attacker network.
Remote target: Determines the relative importance of the target network.
Target port: Determines if the target port is included in the list of most attacked ports provided by the incidents.org data.
Attacker risk: Determines the overall risk assessment value for the attacker based on the asset profile data.
Target risk: Determines the overall risk assessment value for the target.
Time of the attack: Determines the time of attack. For example, if the attack occurs in the middle of the night, which is deemed to be a low-traffic time, this indicates a higher relevance of the attack.
Vulnerable targeted port: If the port is open, determines if the targeted port is vulnerable to the current exploit.
Vulnerable port: Determines if the port is vulnerable to any type of attack or exploit.
Open target port: Determines if the target port is open.
Remote Target: Determines if the target network is defined as a remote network in STRM views.
Geographic Location: Determines the relative importance of the geographic location of the target.
Remote attacker: Determines if the attacker network is defined as a remote network in STRM views.
Attacker IP address: Determines if the attacker IP address is included in the list of IP addresses that are highlighted as suspicious in the Remote Services View.
Attacker port: Determines if the attacker port is included in the list of ports from which attacks originate as provided by the incidents.org data.
Each low-level event category is processed by one of five event Correlation Groups. This section provides information on the Correlation Groups including:
Correlation Group 1
Correlation Group 2
Correlation Group 3
Correlation Group 4
Correlation Group 5
Correlation Group 1
The Correlation Group 1 correlation model provides tests for the following traffic types:
Table 2-3 Correlation Group 1 Tests
Traffic Type: Correlation Rules (Tests)
Local-to-Local: Correlation Group 1 performs the following tests for Local-to-Local traffic:
  Relevance of the day of the week
  Device credibility
  Event rate
  Attacker
  Target
  Source port
  Target port
  Cross host
  Attacker age
  Target age
  Attacker network
  Target network
  Vulnerable targeted port
  Attacker risk
  Target risk
  Time of the attack
  Open target port
  Vulnerable port
  Note: For test details, see Table 2-2.
Local-to-Remote: Correlation Group 1 performs the following tests for Local-to-Remote traffic:
  Relevance of the day of the week
  Device credibility
  Event rate
  Attacker
  Source port
  Target port
  Attacker age
  Attacker network
  Attacker risk
  Remote Target
  Geographic Location
  Time of the attack
  Note: For test details, see Table 2-2.
Remote-to-Local: Correlation Group 1 performs the following tests for Remote-to-Local traffic:
  Relevance of the day of the week
  Device credibility
  Event rate
  Target
  Source port
  Target age
  Attacker port
  Remote attacker
  Attacker IP address
  Geographic location
  Time of the attack
  Target network
  Target risk
  Open target port
  Vulnerable targeted port
  Vulnerable port
  Note: For test details, see Table 2-2.
Correlation Group 2
The Correlation Group 2 correlation model provides tests for the following traffic types:
Table 2-4 Correlation Group 2 Tests
Traffic Type: Correlation Rules (Tests)
Local-to-Local: Correlation Group 2 performs the following tests for Local-to-Local traffic:
  Relevance of the day of the week
  Device credibility
  Event rate
  Attacker
  Target
  Source port
  Attacker age
  Target age
  Attacker network
  Target port
  Attacker risk
  Target risk
  Time of the attack
  Open target port
  Note: For test details, see Table 2-2.
Local-to-Remote: Correlation Group 2 performs the following tests for Local-to-Remote traffic:
  Relevance of the day of the week
  Device credibility
  Event rate
  Attacker
  Source port
  Target port
  Attacker age
  Attacker network
  Attacker risk
  Remote target
  Target
  Geographic location
  Time of the attack
  Note: For test details, see Table 2-2.
Remote-to-Local: Correlation Group 2 performs the following tests for Remote-to-Local traffic:
  Relevance of the day of the week
  Device credibility
  Event rate
  Target
  Source port
  Target age
  Attacker port
  Target port
  Remote Attacker
  Attacker IP address
  Geographic location
  Time of the attack
  Target network
  Target risk
  Open target port
  Note: For test details, see Table 2-2.