Detecting Other Scans; Example: Traffic Anomalies Rule; Session Limiting; Example: Session Limiting - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual



Copyright © 2010, Juniper Networks, Inc.

Detecting Other Scans

In addition to port scans, attacks can occur over multiple connections and sessions:
Distributed Port Scans. Use multiple Source IP addresses to scan ports.
ICMP Sweeps. Use a single Source IP to ping multiple IP addresses.
Network Scans. Use a single Source IP to scan multiple IP addresses.
To detect these attacks, set the IP Count (the number of scan or ping attempts against
your network that must occur) and the Time (the period, in seconds, over which IP
addresses are counted).

Example: Traffic Anomalies Rule

To create a Traffic Anomalies rule that looks for distributed port scans on your internal
network, set the IP Count to 50 and the Time to 120 seconds. If 50 IP addresses attempt
to scan ports on your internal network within 120 seconds, the rule is matched.

Example: Traffic Anomalies Rule

You want to create a Traffic Anomalies rule that looks for network scans and ICMP
sweeps on your internal network. You set the IP Count to 50 and the Time to 120 seconds
for ICMP sweeps and network scans. The rule is matched if:
The same Source IP attempts to scan 50 IP addresses on your internal network within 120 seconds
The same Source IP attempts to ping 50 IP addresses on your internal network within 120 seconds

Session Limiting

You can set a session limit threshold that defines the maximum number of sessions
allowed from a single host within a second. For each source IP specified in the rule, the
Sensor tracks the sessions per second; if the session rate exceeds the user-defined
maximum, the Sensor generates a SCAN_SESSION_RATE_EXCEEDED event log record,
which appears in the Log Viewer. To take action when this event is triggered, configure
an IP action in the rule.

Example: Session Limiting

Your internal network typically has a low volume of traffic. To detect a sudden increase in
traffic from a specific host (which might indicate a worm), set the source IP to your
Internal Network and configure the session count as 200 sessions/sec. To block traffic
that exceeds the session limit, set an IP action of IDP Block and choose Source, Protocol
from the Blocking Options menu.
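The thresholds in the Traffic Anomalies and Session Limiting examples above can be modelled as window counters. The following is an added illustration, not NSM or Juniper code: it assumes a sliding-window reading of IP Count / Time, represents each session as a (timestamp, source, destination, protocol) tuple, and runs the three scan detectors plus the 200 sessions/sec limit over constructed sample traffic.

```python
from collections import defaultdict

def distinct_in_window(events, key, value, ip_count, window):
    """Flag each key that sees >= ip_count distinct values inside any
    window-second span (assumed sliding-window reading of IP Count / Time)."""
    matched, hist = set(), defaultdict(list)     # key -> [(ts, value)]
    for ev in sorted(events, key=lambda e: e[0]):
        k, v = key(ev), value(ev)
        if k is None:
            continue
        h = hist[k]
        h.append((ev[0], v))
        while h and ev[0] - h[0][0] > window:    # expire entries older than Time
            h.pop(0)
        if len({x for _, x in h}) >= ip_count:
            matched.add(k)
    return matched

# Events are (timestamp_seconds, source_ip, dest_ip, protocol) tuples.
def distributed_port_scan(events, ip_count=50, window=120):
    # Many distinct sources against the monitored network: the key is the network itself.
    return distinct_in_window(events, lambda e: "internal", lambda e: e[1], ip_count, window)

def network_scan(events, ip_count=50, window=120):
    # One non-ICMP source touching many destination addresses.
    return distinct_in_window(events, lambda e: e[1] if e[3] != "icmp" else None,
                              lambda e: e[2], ip_count, window)

def icmp_sweep(events, ip_count=50, window=120):
    return distinct_in_window(events, lambda e: e[1] if e[3] == "icmp" else None,
                              lambda e: e[2], ip_count, window)

def session_rate_exceeded(events, limit=200):
    """Sessions per source per second; one record for each second over the limit."""
    per_sec = defaultdict(int)
    for ts, src, _, _ in events:
        per_sec[(src, int(ts))] += 1
    return [{"event": "SCAN_SESSION_RATE_EXCEEDED", "src": s, "second": sec, "sessions": n}
            for (s, sec), n in sorted(per_sec.items()) if n > limit]

def sample_events():
    """Constructed traffic for the demo, not a real sensor capture."""
    ev = [(t, "10.0.0.5", f"10.1.0.{t + 1}", "tcp") for t in range(60)]         # 60 hosts in 60 s
    ev += [(5 * i, "10.0.0.6", f"10.1.1.{i + 1}", "tcp") for i in range(60)]    # 60 hosts over 300 s
    ev += [(2 * i, f"192.0.2.{i + 1}", "10.1.0.1", "tcp") for i in range(50)]   # 50 sources in 100 s
    ev += [(i / 5, "10.0.0.9", f"10.1.2.{i + 1}", "icmp") for i in range(50)]   # 50 pings in 10 s
    ev += [(500 + i / 250, "10.0.0.7", "10.1.0.2", "tcp") for i in range(250)]  # 250 sessions in 1 s
    return ev

if __name__ == "__main__":
    ev = sample_events()
    print(network_scan(ev), icmp_sweep(ev), distributed_port_scan(ev), session_rate_exceeded(ev))
```

Note that 10.0.0.6 touches 60 hosts but never 50 inside any 120-second window, so it is only reported once the Time is raised to 300 seconds.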
Adding the Traffic Anomalies Rulebase

Before you can configure a rule in the Traffic Anomalies rulebase, you need to add the
Traffic Anomalies rulebase to a security policy.
Chapter 9: Configuring Security Policies
503
