Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01 Manual page 35

Configuring intrusion detection and prevention devices guide

Chapter 3: Configuring Profiler Settings

Select the Database Limit Exceeded alert to indicate when you have reached the maximum limit of the database size. You can configure the maximum limit of the Profiler database using the dbLimit parameter in the General tab of the Profiler Configuration dialog box. The default is 500 MB; the minimum-maximum range is 0 to 500 MB. After a device reaches this limit, it begins purging the database.

For example, a network host performs the normal connections required for Internet connectivity (SMTP, POP3, HTTP, and so on). If the host is infected by a worm, it begins making outbound connections on an arbitrary port. The device logs the unique event and generates PROFILER_NEW_PROTO and PROFILER_NEW_PORT log records. The system immediately e-mails these log records to the security administrator, who can investigate the worm and take action to contain it.

Repeat the configuration process for each device in your network. When you have configured all devices on your network, you are ready to start the Profiler.

You configure Profiler alert options to determine whether you receive alerts when Profiler detects new hosts, protocols, or ports in use.

If you are configuring the Profiler for the first time, do not enable the new host, protocol, or port alerts. As the Profiler runs, the device views all network components as new, which can generate unnecessary log records. After the Profiler has learned about your network and has established a baseline of network activity, you should reconfigure the device to record new hosts, protocols, or ports discovered on your internal network.

To specify Profiler alert options:

1. From Device Manager, double-click a device and then click Profiler Settings.
2. Click the Alert tab.
3. Configure alert settings using Table 8 on page 19.
4. Click Apply.
5. Click OK.

Table 8: Profiler Alert Tab

| Setting | Description |
|---|---|
| New Host Detected | Sends an alert when Profiler detects a new host. |
| New Protocol Detected | Sends an alert when Profiler detects a new protocol. New Protocol detection alerts are used only for Layer 3 protocols. |
| New Port Detected | Sends an alert when Profiler detects a new port. |
| Database Limit Exceeded | Sends an alert to indicate the maximum database size has been reached. After a device reaches this limit, it begins purging the database. |

Copyright © 2010, Juniper Networks, Inc.
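The learn-then-alert behaviour and the worm scenario described above, modeled in Python as an added example; this is not Juniper code and does not reflect how the Profiler is implemented. Assumptions: the baseline is keyed per host, "protocol" is modeled as the IP protocol, NEW_HOST is a placeholder label (only PROFILER_NEW_PROTO and PROFILER_NEW_PORT appear in the guide), and the sample flows are constructed.

```python
# PROFILER_NEW_PROTO and PROFILER_NEW_PORT are the record names quoted in the
# guide; NEW_HOST is a placeholder label, not a documented record name.
# Assumptions: "protocol" is modeled as the IP protocol (tcp/udp/icmp) and the
# baseline is tracked per host. The real Profiler may key its tables differently.

class Baseline:
    def __init__(self):
        self.alerts_enabled = False      # off while learning, as the guide advises
        self.hosts = set()               # host
        self.protos = set()              # (host, protocol)
        self.ports = set()               # (host, protocol, port)

    def observe(self, host, proto, port):
        """Record one flow; return alert names for items missing from the baseline."""
        checks = (
            ("NEW_HOST", self.hosts, host),
            ("PROFILER_NEW_PROTO", self.protos, (host, proto)),
            ("PROFILER_NEW_PORT", self.ports, (host, proto, port)),
        )
        alerts = []
        for name, seen, key in checks:
            if key not in seen:
                seen.add(key)            # always learn, even when alerts are off
                if self.alerts_enabled:
                    alerts.append(name)
        return alerts


def replay(flows, learn_count):
    """Learn silently from the first learn_count flows, then alert on the rest."""
    base = Baseline()
    out = []
    for i, flow in enumerate(flows):
        base.alerts_enabled = i >= learn_count
        out.append((flow, base.observe(*flow)))
    return out


# Constructed sample traffic: normal mail/web use, then a worm-like outbound flow.
FLOWS = [
    ("10.0.0.5", "tcp", 25), ("10.0.0.5", "tcp", 110), ("10.0.0.5", "tcp", 80),
    ("10.0.0.5", "tcp", 80),       # already in the baseline: no alert
    ("10.0.0.5", "udp", 31337),    # new protocol and new port for this host
]

if __name__ == "__main__":
    for flow, alerts in replay(FLOWS, learn_count=3):
        print(flow, alerts)
```

Calling `replay(FLOWS, learn_count=0)` shows the noise the guide warns about: every first sighting during the learning period raises an alert.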
