Download Print this page

Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

Strm administration guide

Hide thumbs Also See for SECURITY THREAT RESPONSE MANAGER 2008.2:

Manual (228 pages)

,

Getting started (14 pages)

,

Release note (11 pages)

Table Of Contents

page of 370

/ 370
Contents
Table of Contents
Bookmarks

Table of Contents

Advertisement

Quick Links

Download this manual See also: Manual

Enlarged version

Security Threat Response Manager

STRM Administration Guide

Release 2008.2

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089

USA

408-745-2000

www.juniper.net

Part Number: 530-025612-01, Revision 1

Table of Contents

Advertisement

Table of Contents

Need help?

Need help?

Do you have a question about the SECURITY THREAT RESPONSE MANAGER 2008.2 and is the answer not in the manual?

Questions and answers

Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2

Page 1 Security Threat Response Manager STRM Administration Guide Release 2008.2 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 530-025612-01, Revision 1...
Page 2 Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Page 3: Table Of Contents
ONTENTS BOUT UIDE Audience Conventions Technical Documentation Documentation Feedback Requesting Support VERVIEW About the Interface Accessing the Administration Console Using the Interface Deploying Changes Viewing STRM Audit Logs Logged Actions Viewing the Log File ANAGING SERS Managing Roles Creating a Role Editing a Role Managing User Accounts Creating a User Account...
Page 4 Configuring STRM Settings Configuring System Notifications Configuring the Console Settings Starting and Stopping STRM Resetting SIM Accessing the Embedded SNMP Agent Configuring Access Settings Configuring Firewall Access Updating Your Host Set-up Configuring Interface Roles Changing Passwords Updating System Time ANAGING ACKUP AND ECOVERY Managing Backup Archives...
Page 5 Configuring a Flow Collector Configuring a Flow Processor Configuring a Classification Engine Configuring an Update Daemon Configuring a Flow Writer Configuring an Event Collector Configuring an Event Processor Configuring the Magistrate ANAGING OURCES About Flow Sources NetFlow sFlow J-Flow Packeteer Flowlog File Managing Flow Sources Adding a Flow Source...
Page 6 Managing Application Views Default Application Views Adding an Applications Object Editing an Applications Object Managing Remote Networks View Default Remote Networks Views Adding a Remote Networks Object Editing a Remote Networks Object Managing Remote Services Views Default Remote Services Views Adding a Remote Services Object Editing a Remote Services Object Managing Collector Views...
Page 7 UNIPER ETWORKS NTERPRISE EMPLATE EFAULTS Default Sentries Default Custom Views IP Tracking Group Threats Group Attacker Target Analysis Group Target Analysis Group Policy Violations Group ASN Source Group ASN Destination Group IFIndexIn Group IFIndexOut Group QoS Group Flow Shape Group Default Rules Default Building Blocks NIVERSITY...
Page 8 IFIndexIn Group IFIndexIn Group QoS Group Flow Shape Group Default Rules Default Building Blocks NDEX...
Page 9: About This Guide
Information that alerts you to potential personal injury. Technical You can access technical documentation, technical notes, and release notes Documentation directly from the Juniper networks Support Web site at http:// www.juniper.net/support Documentation We encourage you to provide feedback, comments, and suggestions so that we Feedback can improve the documentation.
Page 10: Requesting Support
BOUT UIDE • Page number • Software release version Requesting • Open a support case using the Case Management link at Support http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere). STRM Administration Guide...
Page 11: Overview
VERVIEW This chapter provides an overview of the STRM Administration Console and STRM administrative functionality including: About the Interface • Accessing the Administration Console • • Using the Interface • Deploying Changes • Viewing STRM Audit Logs About the Interface You must have administrative privileges to access the Administration Console.
Page 12 VERVIEW Accessing the You can access the STRM Administration Console through the main STRM Administration interface. To access the Administration Console, click Config in the main STRM Console interface. The Administration Console appears. Using the Interface The Administration Console provides several tab and menu options that allow you to configure STRM including: •...
Page 13: Logged Actions
Deploying Changes Table 1-1 Administrative Console Menu Options (continued) Menu Option Sub-Menu Description STRM Restart Restarts the STRM application. Help Help and Support Opens user documentation. About STRM Displays version information. Administration Console The Administration Console provides several toolbar options including: Table 1-2 Administration Console Toolbar Options Icon Description...
Page 14 VERVIEW Table 1-3 Logged Actions Category Action User Authentication Log in to STRM User Authentication Log out of STRM Administrator Authentication Log in to the STRM Administration Console Administrator Authentication Log out of the STRM Administration Console Root Login Log in to STRM, as root Log out of STRM, as root Rules Adding a rule...
Page 15 Viewing STRM Audit Logs Table 1-3 Logged Actions Category Action Protocol Configuration Adding a protocol configuration Deleting a protocol configuration Editing a protocol configuration Flow Sources Adding a flow source Editing a flow source Deleting a flow source Offense Manager Hiding an offense Closing an offense Closing all offenses...
Page 16 VERVIEW Table 1-3 Logged Actions Category Action Scanner Adding a scanner Deleting a scanner Editing a scanner Scanner Schedule Adding a schedule Editing a schedule Deleting a schedule Asset Deleting all assets License Adding a license key. Editing a license key. Viewing the Log File To view the audit logs: Log in to STRM as root.
Page 17 Viewing STRM Audit Logs Nov 6 12:22:31 localhost.localdomain jsam@10.100.100.15 (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, email=sam@q1labs.com, userrole=Admin Nov 13 10:14:44 localhost.localdomain admin@10.100.45.61 (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1)) STRM Administration Guide...
Page 19: Managing Users
ANAGING SERS This chapter provides information on managing STRM users including: Managing Roles • Managing User Accounts • • Authenticating Users You can add or remove user accounts for all users that you wish to access STRM. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM.
Page 20 ANAGING SERS Enter values for the parameters. You must select at least one permission to Step 4 proceed. Table 2-1 Create Roles Parameters Parameter Description Role Name Specify the name of the role. The name can be up to 15 characters in length and must only contain integers and letters.
Page 21 Managing Roles Table 2-1 Create Roles Parameters (continued) Parameter Description Offense Management Select the check box if you wish to grant this user access to Offense Manager functionality. Within the Offense Manager functionality, you can grant additional access to the following: Assign Offenses to Users - Select the check box if you •...
Page 22: Editing A Role
ANAGING SERS Table 2-1 Create Roles Parameters (continued) Parameter Description Network Surveillance Select the check box if you wish to grant this user access to Network Surveillance functionality. Within the Network Surveillance functionality, you can grant additional access to the following: View Flows - Select the check box if you wish to allow •...
Page 23: Managing User Accounts
Managing User Accounts Click Return. Step 5 Click Save. Step 6 Close the Manage User Roles window. Step 7 The STRM Administration Console appears. From the menu, select Configurations > Deploy configuration changes. Step 8 Managing User You can create a STRM user account, which allows a user access to selected Accounts network components using the STRM interface.
Page 24 ANAGING SERS Table 2-2 User Details Parameters (continued) Parameter Description Password Specify a password for the user to gain access. The password must be at least 5 characters in length. Confirm Password Re-enter the password for confirmation. Email Address Specify the user’s e-mail address. Role Using the drop-down list box, select the role you wish this user to assume.
Page 25 Managing User Accounts Editing a User To edit a user account: Account In the Administration Console, click the System Configuration tab. Step 1 The System Configuration panel appears. Click the Users icon. Step 2 The Manage Users window appears. In the Manage Users area, click the user account you wish to edit. Step 3 The User Details window appears.
Page 26: Authenticating Users
ANAGING SERS Authenticating You can configure authentication to validate STRM users and passwords. STRM Users supports the following user authentication types: • System Authentication - Users are authenticated locally by STRM. This is the default authentication type. RADIUS Authentication - Users are authenticated by a Remote Authentication •...
Page 27 Authenticating Users From the Authentication Module drop-down list box, select the authentication type Step 3 you wish to configure. Configure the selected authentication type: Step 4 If you selected System Authentication, go to Step 5 If you selected RADIUS Authentication, enter values for the following parameters: Table 2-3 RADIUS Parameters Parameter...
Page 28 ANAGING SERS Table 2-4 TACACS Parameters (continued) Parameter Description Authentication Specify the type of authentication you wish to perform. The Type options are: PAP (Password Authentication Protocol) - Sends clear text • between the user and the server. CHAP (Challenge Handshake Authentication Protocol) - •...
Page 29: Setting U Pstrm
STRM ETTING This chapter provides information on setting up STRM including: Managing Your License Keys • Creating Your Network Hierarchy • • Scheduling Automatic Updates • Configuring STRM Settings Configuring System Notifications • Configuring the Console Settings • Starting and Stopping STRM •...
Page 30 • For a new or updated license key, please contact your local sales representative. For all other technical issues, please contact Juniper Networks Customer • Support. If you log in to STRM and your Console license key has expired, you are automatically directed to the System Management window.
Page 31 Managing Your License Keys Once you locate and select the license key, click Open. Step 5 The Current License Details window appears. Click Save. Step 6 A message appears indicating the license key was successfully updated. Note: If you wish to revert back to the previous license key, click Revert to Deployed.
Page 32: Considerations
STRM ETTING Click Export Licenses. Step 3 The export window appears. Select one of the following options: Step 4 • Open - Opens the license key data in an Excel spreadsheet. Save - Allows you to save the file to your desktop. •...
Page 33 Creating Your Network Hierarchy Group Description IP Address Marketing 10.10.5.0/24 Sales 10.10.8.0/21 Database Cluster 10.10.1.3/32 10.10.1.4/32 10.10.1.5/32 Note: that you do not configure a network group with more than 15 We recommend objects. This may cause you difficulty in viewing detailed information for each group.
Page 34 STRM ETTING Table 3-1 Add New Object Parameters (continued) Parameter Action Name Specify the name for the object. Weight Specify the weight of the object. The range is 1 to 100 and indicates the importance of the object in the system. IP/CIDR(s) Specify the CIDR range(s) for this object.
Page 35 Creating Your Network Hierarchy Table 3-2 Accepted CIDR Values (continued) CIDR Number of Length Mask Networks Hosts 255.252.0.0 262,136 255.254.0.0 131,068 255.255.0.0 65,534 255.255.128.0 128 C 32,512 255.255.192.0 64 C 16,256 255.255.224.0 32 C 8,128 255.255.240.0 16 C 4,064 255.255.248.0 2,032 255.255.252.0 1,016...
Page 36: Scheduling Automatic Updates
STRM ETTING Subnet Host Range 0 192.0.0.1 - 192.0.0.62 1 192.0.0.65 - 192.0.0.126 2 192.0.0.129 - 192.0.0.190 3 192.0.0.193 - 192.0.0.254 192.0.0.0 /27 • Subnet Host Range 0 192.0.0.1 - 192.0.0.30 1 192.0.0.33 - 192.0.0.62 2 192.0.0.65 - 192.0.0.94 3 192.0.0.97 - 192.0.0.126 4 192.0.0.129 - 192.0.0.158 5 192.0.0.161 - 192.0.0.190 6 192.0.0.193 - 192.0.0.222...
Page 37: Scheduling Automatic Updates
Scheduling Automatic Updates Scheduling To schedule automatic updates: Automatic Updates In the Administration Console, click the System Configuration tab. Step 1 The System Configuration panel appears. Click the Auto Update icon. Step 2 The Auto-Update Configuration window appears. In the Update Method list box, select the method you wish to use for updating your Step 3 files: Auto Integrate - Integrates the new configuration files with your existing files to...
Page 38: Updating Your Files On-Demand
STRM ETTING Daily - Updates are downloaded every day at 1 am. • • Weekly - Updates are downloaded every Sunday at 1 am. Monthly - Updates are downloaded on the first day of every month at 1 am. • Click Save.
Page 39: Configuring Strm Settings
Configuring STRM Settings Configuring STRM Using the Administration Console, you can configure the STRM system, database, Settings and sentry settings. To configure STRM system settings: In the Administration Console, click the System Configuration tab. Step 1 The System Configuration panel appears. Click the Secure Threat Reponse Manager icon.
Page 40 STRM ETTING Table 3-3 STRM Settings Parameters (continued) Parameter Description Coalescing Events Enables or disables the ability for a sensor device to coalesce (bundle) events. This value applies to all sensor devices. However, if you wish to alter this value for a specific sensor device, edit the Coalescing Event parameter in the sensor device configuration.
Page 41 Configuring STRM Settings Table 3-3 STRM Settings Parameters (continued) Parameter Description Offense Retention Period Using the drop-down list box, select the period of time you wish to retain offense information. The default is 3 days. Identity History Retention Using the drop-down list box, select the length of time you Period wish to store asset profile history records.
Page 42 STRM ETTING Table 3-3 STRM Settings Parameters (continued) Parameter Description Event Log Hashing Enables or disables the ability for STRM to store a hash file for every stored event log file. The default is No. Hashing Algorithm You can use a hashing algorithm for database storage and encryption.
Page 43 Configuring STRM Settings Table 3-3 STRM Settings Parameters (continued) Parameter Description Sentry Database Location Specify the location of the sentry database. The default is /store/sentry/qc_persistentstorage. SNMP Settings Enable Enables or disables SNMP responses in the STRM custom rules engine. The default is No, which means you do not wish to accept events using SNMP.
Page 44: Configuring System Notifications
STRM ETTING Configuring You can configure system performance alerts for thresholds using the STRM System Administration Console. This section provides information for configuring your Notifications system thresholds. To configure system thresholds: In the Administration Console, click the System Configuration tab. Step 1 The System Configuration panel appears.
Page 45 Configuring System Notifications Table 3-4 System Thresholds Parameters (continued) Parameter Description Kilobytes of memory used Specify the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel. Percentage of memory Specify the threshold percentage of used memory. used Kilobytes of cache swap Specify the threshold amount of memory, in kilobytes,...
Page 46 STRM ETTING Table 3-4 System Thresholds Parameters (continued) Parameter Description Dropped Transmit Specify the threshold number of transmitted packets that packets are dropped per second due to a lack of space in the buffers. Transmit carrier errors Specify the threshold number of carrier errors that occur per second while transmitting packets.
Page 47: Configuring The Console Settings
Configuring the Console Settings Configuring the The STRM Console provides the interface for STRM. The Console provides real Console Settings time views, reports, alerts, and in-depth investigation of flows for network traffic and security threats. This Console is also used to manage distributed STRM deployments.
Page 48 STRM ETTING Table 3-5 STRM Console Management Parameters (continued) Parameter Description ARP - Safe Interfaces Specify the interface you wish to be excluded from ARP resolution activities. The default is eth0. Enable 3D graphs in the Using the drop-down list box, select one of the following: user interface Yes - Displays Dashboard graphics in 3-dimensional •...
Page 49: Starting And Stopping Strm
Starting and Stopping STRM Table 3-5 STRM Console Management Parameters (continued) Parameter Description Data Export Settings Include Header in CSV Specify whether you wish to include a header in a CSV Exports export file. Maximum Simultaneous Specify the maximum number of exports you wish to Exports occur at one time.
Page 50: Accessing The Embedded Snmp Agent
STRM ETTING Read the information in the window. Step 3 Select one of the following options: Step 4 - Closes all offenses in the database. • Soft Clean Hard Clean - Closes all active SIM data including offenses, targets and •...
Page 51: Configuring Access Settings
Configuring Access Settings The SNMP Agent appears. Configuring The System Configuration tab provides access to the web-based system Access Settings administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes: • Firewall access. See Configuring Firewall Access.
Page 52 STRM ETTING In the Device Access box, you must include any STRM systems you wish to have Step 6 access to this managed host. Only managed hosts listed will have access. For example, if you enter one IP address, only that one IP address will be granted access to the managed host.
Page 53 Configuring Access Settings Click Apply Access Controls. Step 8 Wait for the interface to refresh before continuing. Step 9 Updating Your Host You can use the web-based system administration interface to configure the mail Set-up server you wish STRM to use, the global password for STRM configuration, and the IP address for the STRM Console: To configure your host set-up: In the Administration Console, click the System Configuration tab.
Page 54 From the menu, select Managed Host Config > Network Interfaces. Step 5 The Network Interfaces window appears with a list of each interface on your managed host. Note: For assistance with determining the appropriate role for each interface, please contact Juniper Networks Customer Support. STRM Administration Guide...
Page 55 Configuring Access Settings For each interface listed, select the role you wish to assign to the interface using Step 6 the Role list box. Click Save Configuration. Step 7 Wait for the interface to refresh before continuing. Step 8 Changing Passwords To change the passwords: In the Administration Console, click the System Configuration tab.
Page 56 STRM ETTING Updating System You are able to change the time for the following options: Time • System time Hardware time • Time Zone • • Time Server Note: You must change the system time information on the host operating the Console only.
Page 57 Configuring Access Settings In the Time Zone box, select the time zone in which this managed host is located Step 6 using the Change timezone to list box. Click Save. In the Time Server box, you must specify the following options: Step 7 Timeserver hostnames or addresses - Specify the time server hostname or •...
Page 58 STRM ETTING Configuring Time Settings For Your System To update the time settings for your system: In the Administration Console, click the System Configuration tab. Step 1 The System Configuration panel appears. Click the System Management icon. Step 2 The System Management window appears. For the host on which you wish to configure time, click Manage System.
Page 59 Configuring Access Settings In the Time Zone box, select the time zone in which this managed host is located Step 6 using the Change timezone to list box. Click Save. In the System Time box, you must specify the current date and time you wish to Step 7 assign to the managed host.
Page 60 STRM ETTING STRM Administration Guide...
Page 61: Managing Backup And Recovery
ANAGING ACKUP AND ECOVERY Using the Administration Console, you can backup and recover configuration information and data for STRM. You can backup and recover the following information for your system: License key information • Sentry configuration • Rules configuration • •...
Page 62 ANAGING ACKUP AND ECOVERY The list of archives includes backup files that exist in the database. If a backup file is deleted, it is removed from the disk and from the database. Also, the entry is removed from this list and an audit event is generated to indicate the removal. If a backup is in progress, a status window appears to indicate the duration of the current backup, which user/process initiated the backup, and provides you with the option to cancel the backup.
Page 63 Managing Backup Archives In the Upload Archive field, click Browse. Step 3 The File Upload window appears. Select the archive file you wish to upload. Click Open. Step 4 Click Upload. Step 5 Deleting a Backup To delete a backup archive: Archive Note: To delete a backup archive file, the backup archive file and the Host Context component must reside on the same system.
Page 64: Scheduling Your Backup
ANAGING ACKUP AND ECOVERY Backing Up Your You can backup your configuration information and data using the Backup Information Recovery Configuration window. You can backup your configuration information using a manual process. Also, you can also backup your configuration information and data using a scheduled process.
Page 65 Backing Up Your Information Table 4-2 Backup Recovery Configuration Parameters (continued) Parameter Description Backup Specifies the location you wish to store your backup file. This Repository Path path must exist before the backup process is initiated. If this path does not exist, the backup process aborts. The default is /store/backup.
Page 66 ANAGING ACKUP AND ECOVERY From the Administration Console menu, select Configurations > Deploy All. Step 6 Initiating a Backup To manually initiate a backup: In the Administration Console, click the System Configuration tab. Step 1 The System Configuration panel appears. Click the Backup Recovery icon.
Page 67: Restoring Your Configuration Information
Restoring Your Configuration Information Restoring Your You can restore configuration information from existing backup archives using the Configuration Restore Backup window. Note the following requirements when you are restoring Information configuration information: You can only restore a backup archive created within the same release of •...
Page 68 ANAGING ACKUP AND ECOVERY From the Administration Console menu, select Configurations > Deploy All. Step 8 Note: The restore process only restores your configuration information. For assistance in restoring your data, contact Q1 Labs Customer Support. STRM Administration Guide...
Page 69: Using The Deployment Editor
SING THE EPLOYMENT DITOR The deployment editor allows you to manage the individual components of your STRM, and SIM deployment. Once you configure your Flow, Event, and System Views, you can access and configure the individual components of each managed host.
Page 70 SING THE EPLOYMENT DITOR About the You can access the deployment editor using the STRM Administration Console. Deployment Editor You can use the deployment editor to create your deployment, assign connections, and configure each component. The deployment editor provides the following views of your deployment: •...
Page 71: Accessing The Deployment Editor
About the Deployment Editor In the System View, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change.
Page 72 SING THE EPLOYMENT DITOR Table 5-1 Deployment Editor Menu Options (continued) Menu Option Sub Menu Option Description Manage NATed Opens the Manage NATed Networks Networks window, which allows you to manage the list of NATed networks in your deployment. Rename component Renames an existing component. This option is only available when a component is selected.
Page 73: Creating Your Deployment
About the Deployment Editor Table 5-2 Toolbar Options (continued) Icon Description Deletes selected item from the deployment view. This option is only available when the selected component has a managed host running a compatible version of STRM software. Opens the Add a Managed Host wizard, which allows you to add a managed host to your deployment.
Page 74: Editing Deployment Editor Preferences
SING THE EPLOYMENT DITOR Note: If you require assistance with the above, please contact Juniper Networks Customer Support. Editing Deployment To edit the deployment editor preferences: Editor Preferences From the deployment editor main menu, select File > Edit Preferences. Step 1 The Deployment Editor Setting window appears.
Page 75: Managing Your System View
Building Your Flow View Adding STRM You can add the following STRM components to your Flow View: Components Flow Collector - Collects data from devices and various live and recorded • feeds. Flow Processor - Collects and consolidates data from one or more Flow •...
Page 76 SING THE EPLOYMENT DITOR Enter a unique name for the component you wish to add. The name can be up to Step 3 15 characters in length and may include underscores or hyphens. Make sure you record the assigned name and Click Next. Note: If the message “There are no hosts to which you can assign this component.”...
Page 77 Building Your Flow View The component appears in your Flow View. Repeat for each component you wish to add to your view. Step 6 From the menu, select File > Save to staging. Step 7 Connecting Once you add all the necessary components in your Flow View, you must connect Components them together.
Page 78 SING THE EPLOYMENT DITOR Connecting You can connect deployments in your network to allow deployments to share flow Deployments data. To connect your deployments, you must configure an off-site Flow Processor (target) in your current deployment and the associated off-site Flow Processor in the receiving deployment (source).
Page 79 Building Your Flow View Figure 5-1 Example of Connecting Deployments To connect your deployments: In the deployment editor, click the Flow View tab. Step 1 The Flow View appears. In the Flow Components panel, select either or Add Off-site Add Off-site Source Step 2 Target.
Page 80 SING THE EPLOYMENT DITOR Specify a unique name for the source or target. The name can be up to 15 Step 3 characters in length and may include underscores or hyphens. Click Next. The flow source/target information window appears. Enter values for the parameters: Step 4 Enter a name for the off-site host - Specify the name of the off-site host.
Page 81 Building Your Event View Encrypt traffic from off-site source - Select the check box if you wish to • encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target. For more information regarding encryption, see Managing Your System View.
Page 82 SING THE EPLOYMENT DITOR from STRM and distributes to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events that allow the Event Processor to process according to the configured rules.
Page 83 Building Your Event View Figure 5-2 Example of SIM Components in your STRM Deployment To build your Event View, you must: Add SIM components to your view. See Adding Components. Step 1 Connect the components. See Connecting Components. Step 2 Forward normalized events.
Page 84 SING THE EPLOYMENT DITOR Enter a unique name for the component you wish to add. The name can be up to Step 3 15 characters in length and may include underscores or hyphens. Click Next. The Assign Component window appears. From the Select a host to assign to list box, select a managed host to which you Step 4 wish to assign the new component.
Page 85: Connecting Components
Building Your Event View Connecting Once you add all the necessary components in your Event View, you must connect Components them together. The Event View only allows you to connect appropriate components together. For example, you can connect an Event Collector to an Event Processor and not a Magistrate component.
Page 86 SING THE EPLOYMENT DITOR If you wish to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source. If you wish to enable encryption between deployments, you must enable encryption on both off-site source and target.
Page 87 Building Your Event View Specify a unique name for the source or target. The name can be up to 15 Step 3 characters in length and may include underscores or hyphens. Click Next. The event source/target information window appears. Enter values for the parameters: Step 4 •...
Page 88: Setting Up Managed Hosts
SING THE EPLOYMENT DITOR Click Next. Step 5 Click Finish. Step 6 Repeat for all remaining off-site sources and targets. Step 7 From the main menu, select File > Save to staging. Step 8 Note: If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.
Page 89: Configuring Host Context
STRM software running on a managed host. You can only add a managed host to your deployment when the managed host is running a compatible version of STRM software. For more information, contact Juniper Networks Customer Support. You also can not assign or configure components on a non-Console managed host when the STRM software version is incompatible with the software version that the Console is running.
Page 90 SING THE EPLOYMENT DITOR within the deployment. When enabling encryption on a managed host, the encryption SSH tunnel is created on the client’s host. For example, if you enable encryption for the Event Collector in the below deployment, the connection between the Event Processor and Classification Engine as well as the connection between the Event Processor and Magistrate would be encrypted.
Page 91 Managing Your System View Click Next. Step 2 The Enter the host’s IP window appears. Enter values for the parameters: Step 3 Enter the IP of the server or appliance to add - Specify the IP address of the • host you wish to add to your System View.
Page 92 SING THE EPLOYMENT DITOR Note: If you wish to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM. • Enable Encryption - Select the check box if you wish to create an encryption tunnel for the host.
Page 93 Managing Your System View Click Next. Step 3 The attributes window appears. Edit the following values, as necessary: Step 4 Host is NATed - Select the check box if you wish to use existing Network • Address Translation (NAT) on this managed host. For more information on NAT, Using NAT with STRM.
Page 94 SING THE EPLOYMENT DITOR Enable Encryption - Select the check box if you wish to create an encryption • tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1. If you selected the Host is NATed check box, the Configure NAT settings window appears.
Page 95 Managing Your System View Using NAT with Network Address Translation (NAT) translates an IP address in one network to a STRM different IP address in another network. NAT provides increased security for your deployment since requests are managed through the translation process and essentially hides internal IP address.
Page 96 SING THE EPLOYMENT DITOR Adding a NATed Network to STRM To add a NATed network to your STRM deployment: In the deployment editor, click the NATed networks icon. Step 1 Note: You can also use the Actions > Managed NATed Networks menu option to access the Managed NATed Networks window.
Page 97 Managing Your System View Select the NATed network you wish to edit and click Edit. Step 2 The Edit NATed Network window appears. Update the name of the network you wish to use for NAT. Step 3 Click Ok. Step 4 The Manage NATed Networks window appears.
Page 98 SING THE EPLOYMENT DITOR Changing the NAT Status for a Managed Host To change your NAT status for a managed host, make sure you update the managed host configuration within STRM before you update the device. This prevents the host from becoming unreachable and allows you to deploy changes to that host.
Page 99 Managing Your System View Configuring a To configure a managed host: Managed Host From the System View, use the right mouse button (right-click) on the managed Step 1 host you wish to configure and select Configure. The Configure host window appears. Enter values for the parameters: Step 2 •...
Page 100 SING THE EPLOYMENT DITOR From the Select a host drop-down list box, select the host that you wish to assign Step 5 to this component. Click Next. Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM software.
Page 101 Managing Your System View Enter values for the parameters: Step 5 Table 5-5 Host Context Parameters Parameter Description Disk Usage Sentinal Settings Warning Threshold When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage.
Page 102 SING THE EPLOYMENT DITOR Table 5-5 Host Context Parameters (continued) Parameter Description Recovery Threshold Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM processes are restarted. The default is 0.90, therefore, processes will not be restarted until the disk usage is below 90%.
Page 103: Configuring Strm Components
Configuring STRM Components Configuring STRM This section provides information on configuring STRM components and includes: Components Configuring a Flow Collector • Configuring a Flow Processor • • Configuring a Classification Engine Configuring an Update Daemon • Configuring a Flow Writer •...
Page 104 SING THE EPLOYMENT DITOR Enter values for the parameters: Step 3 Table 5-6 Flow Collector Parameters Parameter Description Server Listen Port The Flow Collector passes data to the next component in the process. Once the link is established, all collected data is passed for further processing.
Page 105 The default is 15 minutes. Endace DAG Interface Specify the Endace Network Monitoring Interface card Card Configuration parameters. For more information, see the Qmmunity web site or contact Juniper Networks Customer Support. STRM Administration Guide...
Page 106 SING THE EPLOYMENT DITOR Table 5-7 Flow Collector Parameters (continued) Parameter Description Flow Buffer Size Specify the amount of memory, in MB, that you wish to reserve for flow storage. The default is 400 MB. Maximum Number of Specify the maximum number of flows you wish to send Flows from the Flow Collector to Flow Processors.
Page 107 Configuring STRM Components Some normally occurring network communications generate flows for which there are no responses, such as web requests to a failed web server or to a host that is down. One-sided flows are generally not a high risk threat and should not apply to superflows.
Page 108 SING THE EPLOYMENT DITOR Table 5-8 Flow Processor Parameters (continued) Parameter Description Flow Collectors When the Flow Processor starts, it attempts to establish a link with one or more Flow Collector(s). If the Flow Collector cannot be reached, the Flow Processor attempts to establish the link periodically, until it succeeds.
Page 109 Configuring STRM Components 101 Enter values for the parameters: Step 5 Table 5-9 Flow Processor Parameters Parameter Description Create Flow Bundles Specify one of the following options: Yes - Allows the Flow Processor to group flows that have • similar properties. No - Disables the bundling of flows •...
Page 110 SING THE EPLOYMENT DITOR Table 5-9 Flow Processor Parameters (continued) Parameter Description Type C Superflows Specify the threshold for type C superflows, which is one host sending data to another host. A unidirectional flow that is an aggregate of all non-ICMP flows that have the same protocol, source host, destination host, source bytes, destination bytes, source packets, and destination packets but different source or destination ports.
Page 111 Configuring STRM Components 103 Table 5-9 Flow Processor Parameters (continued) Parameter Description Branch Filtering By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine.
Page 112 SING THE EPLOYMENT DITOR The deployment editor appears. Repeat for all Flow Processors in your deployment you wish to configure. Step 7 Configuring a The Classification Engine receives inputs from one or more Flow Processor(s), Classification Engine classifies the flows into views and objects, and outputs the resulting database entries and flow logs to the Update Daemon to be stored on disk.
Page 113 Configuring STRM Components 105 Table 5-10 Classification Engine Parameters (continued) Parameter Description Update Daemon Specifies the hostname and port of the Update Daemon to Connections which the Classification Engine sends data for storage. This parameter is for information purposes only and is not amendable.
Page 114 Only the processing information. This requires each involved managed host to have a list of views to process. For assistance, contact Juniper Networks Customer Support. Branch Filtering By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine.
Page 115 Configuring STRM Components 107 For the Server listen port parameter, specify the Update Daemon listening port Step 3 values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.
Page 116 SING THE EPLOYMENT DITOR Configuring a Flow Once the Classification Engine has processed the flows for an interval, the Flow Writer Writer stores the flow and asset profile data. You can only have one Flow Writer per host, which must be connected to the Classification Engine. To configure a Flow Writer: In either the Flow or System View, select the Flow Writer you wish to configure.
Page 117 Configuring STRM Components 109 Click Save. Step 6 The deployment map appears. Configuring an Event The Event Collector collects security events from various types of security devices Collector in your network. To configure an Event Collector: From either the Event View or System View, select the Event Collector you wish to Step 1 configure.
Page 118 SING THE EPLOYMENT DITOR Enter values for the parameters: Step 5 Table 5-16 Event Collector Advanced Parameters Parameter Description Receives Flow Context Specifies the first Event Collector installed in your deployment. This parameter is for informational purposes only and is not amendable. Auto Detection Specify if you wish the Event Collector to auto analyze and Enabled...
Page 119 Configuring STRM Components 111 Enter values for the parameters: Step 3 Table 5-17 Event Processor Parameters Parameter Description Event Processor Server Specify the port that the Event Processor monitors for Listen Port incoming connections. The default range is from 32000 to 65535.
Page 120 SING THE EPLOYMENT DITOR Table 5-18 Event Processor Parameters Parameter Description Overflow Routing Specify the events per second threshold that the Event Threshold Processor can manage events. Events over this threshold are placed in the cache. Path to Ariel Events Specify the location you wish to store events.
Page 121 Configuring STRM Components 113 In the toolbar, click Advanced to display the advanced parameters. Step 4 The advanced configuration parameters appear. For the Overflow Routing Threshold, specify the events per second threshold Step 5 that the Magistrate can manage events. Events over this threshold are placed in the cache.
Page 123: Managing Flow Sources
ANAGING OURCES This chapter provides information on managing flows sources in your deployment including: About Flow Sources • Managing Flow Sources • • Managing Flow Source Aliases About Flow STRM allows you to integrate internal and external flow sources: Sources Internal flow sources - Includes any additional hardware installed on a •...
Page 124 ANAGING OURCES 5, 7, and 9. For more information on NetFlow, see www.cisco.com. While NetFlow expands the amount of the network that is monitored, the following details some NetFlow limitations including: • NetFlow classifies only application traffic from the TCP port (for example, HTTP on port 80).
Page 125: Packeteer
About Flow Sources reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows. Once you configure an external flow source for sFlow, you must: Make sure the appropriate firewall rules are configured. • • Make sure the appropriate ports are configured for your Flow Collector.
Page 126: Flowlog File
ANAGING OURCES Flowlog File A file generated from the STRM flow logs. Managing Flow For STRM appliances, STRM automatically adds default flow sources for the Sources physical ports on the appliance. Also, STRM also includes a default NetFlow v5 flow source. If you have installed STRM on your own hardware, STRM attempts to automatically detect and add default flow sources for any physical devices (such as a NIC card).
Page 127 Managing Flow Sources Enter values for the parameters: Step 4 Table 6-1 Add Flow Source Parameter Description Build from existing flow Select the check box if you wish to create this flow source source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.
Page 128 ANAGING OURCES If you selected Flowlog File as the Flow Source Type, configure the Source File Path, which is the source path location for the flow log file. If you selected JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source Type, configure the following: Table 6-2 External Flow parameters Parameter...
Page 129 Managing Flow Sources Click Edit. Step 3 The Edit Flow Source window appears. Edit values, as necessary. For more information on values for flow source types, Step 4 Adding a Flow Source. Click Save. Step 5 From the Administration Console menu, select Configurations > Deploy Step 6 configuration changes.
Page 130: Deleting A Flow Source
ANAGING OURCES Deleting a Flow To delete a flow source: Source In the Administration Console, click the Flow Configuration tab. Step 1 The Flow Configuration panel appears. Click the Manage Flow Source icon. Step 2 The Flow Source window appears. Select the flow source you wish to delete.
Page 131 Managing Flow Source Aliases The Flow Source Alias Management window appears. Enter values for the parameters: Step 4 IP - Specify the IP address of the flow source alias. • • Name - Specify the name of the flow source alias. Click Save.
Page 132 ANAGING OURCES Deleting a Flow To delete a flow source alias: Source Alias In the Administration Console, click the Flow Configuration tab. Step 1 The Flow Configuration panel appears. Click the Manage Flow Source Aliases icon. Step 2 The Flow Source Aliases window appears. Select the flow source alias you wish to delete.
Page 133: Managing Sentries
ANAGING ENTRIES Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. A non-administrative user can create sentries, however, only an administrative user can configure advanced sentries on a system-wide basis.
Page 134 ANAGING ENTRIES Sentry - Specifies which network location you wish the sentry to apply. The • network location component of the sentry can also specify any restrictions that you wish to enforce. The variables in the sentry component have priority over the Package and Logic Unit variables.
Page 135 Editing Sentry Details Users - View the available sentries by the user who created the sentry. • Select the sentry you wish to view. Step 5 Table 7-1 provides the details of the Sentry List window: Table 7-1 Sentry List Parameter Description Name...
Page 136 ANAGING ENTRIES Update values for the parameters, as necessary: Step 6 If you are editing a Security/Policy sentry: Table 7-2 Edit Security/Policy Sentry Parameter Description Name Specify a name for this sentry. Description Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry results in an offense being generated.
Page 137 Editing Sentry Details Table 7-2 Edit Security/Policy Sentry (continued) Parameter Description Options Select the check box if you wish this event to be included with other events to create an offense. Use the Address to mark as the target drop-down list box to identify if you wish the destination or source IP address to be used as the target.
Page 138 ANAGING ENTRIES Table 7-3 Edit Behavior, Anomaly, or Threshold Sentry (continued) Parameter Description Restrictions Select the check box for one or more restrictions you wish to enforce for an active sentry including: Date is relevant - Select the check box to indicate that this •...
Page 139 Editing Sentry Details Table 7-4 Default Variables (continued) Parameter Description $$Trend Specify the current traffic trend weight that you wish to assign to current traffic trends against the calculated behavior. This variable is for behavioral sentries. The higher the value indicates more weight on traffic trends than the calculated behavior.
Page 140: Creating A Sentry Package
ANAGING ENTRIES Table 7-4 Default Variables (continued) Parameter Description $$LargeWindow Specify a period of time you wish to the system to monitor flows in your network. This allows the system a basis of comparison for traffic over an smaller period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert.
Page 141 Managing Packages The Package List appears. Click Create New Package. Step 5 The Create New Package panel appears. Enter values for the parameters: Step 6 Table 7-5 Create Sentry Package Parameters Parameter Description Name Specify the name of the sentry package. Description Specify a description for the sentry package.
Page 142 ANAGING ENTRIES Table 7-5 Create Sentry Package Parameters (continued) Parameter Description Components In the menu tree, select the components you wish this package to monitor. The added components appear under the Selected Components column. Permissions Specify the users you wish to be able to use this package. Categories For each event, you must select a high-level and low-level event category.
Page 143: Managing Logic Units
Managing Logic Units Update parameters (see Table 7-5), as necessary. Step 6 Click Save. Step 7 Managing Logic A Logic Unit determines if a violation has occurred and if an alert needs to be Units generated. A Logic Unit contains the algorithm that a sentry uses to monitor your network for suspicious behavior.
Page 144 ANAGING ENTRIES Enter values for the parameters: Step 6 Table 7-6 Create new Logic Unit Parameters Parameter Action Name Specify a name for this Logic Unit. Description Specify a description for this Logic Unit, Create your own equation in the Equation field using JavaScript code. The entry Step 7 must include the following format: var testObj = new CustomFunction( $$Counter,...
Page 145 Managing Logic Units Table 7-7 JavaScript Functions Function Description thresholdCheck Monitors policy and threshold objects. By default, this value monitors each object separately. If you wish to test objects as group, you must add the value set. This function includes: components - String of component names from one or more •...
Page 146: Editing A Logic Unit
ANAGING ENTRIES Editing a Logic Unit To edit a Logic Unit: In the Administration Console, click the System Configuration tab. Step 1 The System Configuration panel appears. Click the Sentries icon. Step 2 The Sentries window appears. From the View By drop-down list box, select Object. Step 3 The Sentry Objects menu tree appears.
Page 147: Managing Views
ANAGING IEWS You can display network traffic with many different views. A view represents traffic activity on your network for a specific profile. The Local Network View has n-levels of depth that is specific to your network hierarchy. All views, with the exception of the Network View, have group levels and leaf object levels.
Page 148 ANAGING IEWS Each view is assigned a weight. Configured for traffic alerting purposes, weight is the numeric value assigned to a flow property. STRM adds the weight value to the sentry flow property weight value and assigns a sequence of ranking events. An alert may be signalled when STRM interprets the combination of the numerical weight values.
Page 149: Defining Unique Objects
Using STRM Views 141 Remote Services View - Displays traffic originating from user defined network • ranges or, if desired, the Juniper Networks automatic update server. Collector View - Displays traffic seen by each Flow Collector • Protocol - Displays traffic originating from protocol usage.
Page 150: Managing Ports View
ANAGING IEWS Managing Ports Ports Views display traffic originating from identified destination ports. Using the View Ports View, you can view traffic by port. This section provides information on managing the Ports View including: Default Ports Views • Adding a Ports Object •...
Page 151 Managing Ports View 143 Enter values for the following parameters: Step 4 Table 8-2 Ports - Add New Object Parameters Parameter Description Group Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group. Name Specify object name.
Page 152 ANAGING IEWS Editing a Ports To edit an existing object: Object In the Administration Console, click the Views Configuration tab. Step 1 The Views Configuration panel appears. Click the Ports icon. Step 2 The Manage Group window appears. Table 8-3 Manage Group Parameter Description Name...
Page 153 Managing Ports View 145 Edit values as necessary. See Table 8-2. Step 5 Click Save. Step 6 Click Return. Step 7 Close the Ports View window. Step 8 From the Administration Console menu, select Configuration > Deploy Step 9 Configuration Changes. All changes are deployed.
Page 154: Managing Application Views
ANAGING IEWS Managing Application Views display traffic originating from the application server by the client Application Views connection and the server connection. Using the Application Views, you can view traffic by application identification. This section provides information on managing Application Views including: Default Application Views •...
Page 155 Managing Application Views 147 Table 8-5 Application Views (continued) Sub-Component Description Misc Specifies identified miscellaneous application traffic, such as, Appletalk-IP, Authentication, DHCP, DNS, DNS-Port, ManagementService, Misc-Ports, MiscApp, Network-Config-Ports, RPC, SNMP-Ports, Syslog, and Time. Multimedia Specifies traffic originating from multimedia application traffic, such as, WebEx, video frames, or Intellex.
Page 156 ANAGING IEWS Enter values for the following parameters: Step 4 Table 8-6 Applications - Add New Object Parameters Parameter Description Group Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group. Name Specify the name for the object.
Page 157 Managing Application Views 149 From the Administration Console menu, select Configuration > Deploy Step 8 Configuration Changes. All changes are deployed. Editing an To edit an applications object: Applications Object In the Administration Console, click the Views Configuration tab. Step 1 The Views Configuration panel appears.
Page 158 ANAGING IEWS Edit values as necessary, see Table 8-6. Step 5 Click Save. Step 6 Click Return. Step 7 Close the Applications View window. Step 8 From the Administration Console menu, select Configuration > Deploy Step 9 Configuration Changes. All changes are deployed. STRM Administration Guide...
Page 159: Managing Remote Networks View
Managing Remote Networks View 151 Managing Remote Remote Networks View displays user traffic originating from named remote Networks View networks. Using the Remote Networks View, you can view traffic by known remote networks. This section provides information on managing the Remote Networks View including: Default Remote Networks Views •...
Page 160 ANAGING IEWS Enter values for the following parameters: Step 4 Table 8-10 Remote Networks - Add New Object Parameters Parameter Description Group Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group. Name Specify the name for the object.
Page 161 Managing Remote Networks View 153 Editing a Remote To edit an existing Remote Networks object: Networks Object From the Administration Console, click the Views Configuration tab. Step 1 The Views Configuration panel appears. Click the Remote Networks icon. Step 2 The Manage Group window appears.
Page 162: Managing Remote Services Views
ANAGING IEWS Edit values as necessary. See Table 8-10. Step 5 Click Save. Step 6 Click Return. Step 7 Close the Remote Networks View window. Step 8 From the Administration Console menu, select Configuration > Deploy Step 9 Configuration Changes. All changes are deployed.
Page 163 Managing Remote Services Views 155 Table 8-13 Remote Services - Manage Group Parameters (continued) Parameter Description Reserved_IP_ Specifies traffic originating from reserved IP address ranges. Ranges Spam Specifies traffic originating from addresses commonly known to produce SPAM or unwanted e-mail. Spy_Adware Specifies traffic originating from addresses commonly known to contain spyware or adware.
Page 164 ANAGING IEWS Table 8-14 Remote Services - Add New Object Parameters Parameter Description Group Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group. Name Specify the name for the object. Weight Specify the object weight or use the arrows to change the existing numeric value.
Page 165 Managing Remote Services Views 157 The Manage Group window appears. Table 8-16 Manage Group Parameter Description Name Specifies the name assigned to the object. Value Specifies ports assigned to this object. Weight Specifies the weight assigned to the object. Color Specifies the color displayed when viewed on the Network Surveillance graphs.
Page 166: Managing Collector Views
ANAGING IEWS From the Administration Console menu, select Configuration > Deploy Step 9 Configuration Changes. All changes are deployed. Managing Collector The Collector Views display traffic seen from the Flow Collector and provides the Views AllCollectors group. This group specifies the traffic originating from all Flow Collectors that reside on your network.
Page 167 Managing Collector Views 159 Table 8-17 Flow Collector - Add New Object Parameters (continued) Parameter Description Collector ID Using the drop-down list box, select the Flow Collector you wish to use as the source. Color Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Page 168 ANAGING IEWS Table 8-19 Manage Group Parameter Description Name Specifies the name assigned to the object. Value Specifies ports assigned to this object. Weight Specifies the weight assigned to the object. Color Specifies the color displayed when viewed on the Network Surveillance graphs.
Page 169: Managing Custom Views
Managing Custom Views 161 Managing Custom Custom Views uniquely identify specific traffic flows, such as SSH traffic on a Views non-standard port, or traffic originating from another country. Each Custom View object must be configured with an equation, which creates a set of properties that applies a filter for each network flow.
Page 170 ANAGING IEWS IFIndex Out • • FlowShape • The objects for the IP Tracking, Threats, Attacker Target Analysis, Target Analysis, and Policy Violations groups depend on the template chosen during the installation process. For more information on the defaults, see: •...
Page 171 Managing Custom Views 163 Enter values for the following parameters: Step 4 Table 8-20 Custom View - Properties for New View: Staging/Globalconfig Parameter Description Name Specify a name for the new view. Description Specify a description for the new view. Click Save.
Page 172 ANAGING IEWS Enter values for the following parameters: Step 8 Table 8-21 Properties Views Parameter Description Group Using the drop-down list box, select the group you wish to add the object. Click Add Group. Name Specify the name for the object. Weight Specify the object weight or use the arrows to change the existing numeric value.
Page 173 Managing Custom Views 165 From the Elements panel, select an element and enter the parameter values to Step 11 configure the element. See Table 8-22. The element is assigned to the selected object. This creates the first instance on the Equation Editor. Select another object from the Objects box and assign an associated element.
Page 174 ANAGING IEWS Table 8-22 Element Options (continued) Parameter Description Name Specify the element name. Protocol Specify the protocol identification number. You must enter the protocol number and not the name. Click Add. Note: For a list of default protocol identification numbers, see STRM Default Application Configuration Guide.
Page 175 Managing Custom Views 167 Table 8-22 Element Options (continued) Parameter Description Value Enter the character that represents the TCP/IP flags element type you wish to add. STRM accepts the following: A, ACK - (Acknowledge) - Receiver sends an acknowledgement that equals the senders sequence.
Page 176 ANAGING IEWS Table 8-22 Element Options (continued) Parameter Description Property Using the drop-down list box, select the flow property. Options include: ClassL2L - Traffic between two local objects on your network. • ClassL2R - Traffic between one local object and one remote object. •...
Page 177 Managing Custom Views 169 Table 8-22 Element Options (continued) Parameter Description Value Specify the application identification number. Click Add. Collector Element Type Name Specify the element name. Property Using the drop-down list box, select the element property. Options include: CollectorID and CollectorInterface. Value Specify the user-defined Flow Collector Identification or Collector Interface name.
Page 178 ANAGING IEWS Table 8-22 Element Options (continued) Parameter Description Flow Context Property Name Specify the element name. Property Using the drop-down list box, select the flow text property. Options include: PortIsNew, TargetIsSrc, AttackerIsSrc, TargetIsDst, AttackerIsDst, TargetIsKnownLocal, AttackerIsKnownLocal, TargetIsLocal, AttackerIsLocal, TargetPort, AttackerPort, BeforeEvent, and AfterEvent.
Page 179 Managing Custom Views 171 Edit the necessary parameters, see Table 8-22. Step 5 Click Save. Step 6 Click Return. Step 7 Close the Custom View window. Step 8 From the Administration Console menu, select Configuration > Deploy Step 9 Configuration Changes. All changes are deployed.
Page 180: Enabling And Disabling Views
ANAGING IEWS Editing the Operators You can edit the operators as they appear in the Drop Area of the Equation Editor. You can access the following using the right mouse button (right-click) on each operator: • And Operator - To change the default AND operator to OR, use the right mouse button (right-click) on the operator and select OR from the menu.
Page 181 Enabling and Disabling Views 173 Using the drop-down list box, select one of the following for each view: Step 3 Table 8-23 View Management Parameter Description Enabled Using the drop-down list box, select Enabled to enable this view. This enables the Classification Engine, data collection, data storage, graphing capabilities, and enables access from the interface.
Page 182: Using Best Practices
ANAGING IEWS Table 8-23 View Management (continued) Parameter Description Disabled Using the drop-down list box, select Disabled to disable the view. This disables the Classification Engine, data collection, data storage, graphing capabilities, and removes the view from the interface. To enable access from the interface, select Enabled. Note: Selecting the Disabled mode can save processing power on your system.
Page 183: Configuring Rules
ONFIGURING ULES Rules match events or offenses by performing a series of tests. If all the conditions of a test are true, the rule generate a response. Building blocks are rules without a response. Responses to a rule include: Creation of an offense. •...
Page 184: Viewing Rules
ONFIGURING ULES You can configure the following rule types: • Event Rule - An event rule performs tests on events as they are processed in real-time by the Event Processor. You can create an event rule to detect a single event (within certain properties) or event sequences. For example, if you wish to monitor your network for invalid login attempts, access multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule.
Page 185 Enabling/Disabling Rules The list of deployed rules appear. Select the rule you wish to view. Step 4 In the Rule and Notes fields, descriptive information appears. The default rules that appear depends on the template chosen during the installation process. For more information on the defaults, see: Enterprise Template - See Appendix B Enterprise Template Defaults.
Page 186 ONFIGURING ULES Choose one of the following options: Step 3 From the Actions drop-down list box, select New Event Rule to configure a rule for events. From the Actions drop-down list box, click New Offense Rule to configure a rule for offenses. The Custom Rule wizard appears.
Page 187: Event Rule Tests
Creating a Rule The Rules Test Stack Editor window appears. To add a test to a rule: Step 5 In the Test Group drop-down list box, select the type of test you wish to apply to this rule. The resulting list of tests appear. For information on tests, see Event Rule Tests Offense Rule Tests.
Page 188 ONFIGURING ULES Enter the name you wish to assign to this building block. Click Save. To assign multi-event or multi-offense functions to the rule, select Functions from Step 8 the Test Group drop-down list box and configure the function: The functions include: Table 9-1 Functions Group Test Description...
Page 189 Creating a Rule Table 9-1 Functions Group (continued) Test Description Default Test Name Parameters Multi-Rule Allows you to use saved when all of these Configure the following parameters: Event Function building blocks or other rules to rules, in order, from these rules - Specify the rules you •...
Page 190 ONFIGURING ULES Table 9-1 Functions Group (continued) Test Description Default Test Name Parameters Multi-Rule Allows you to use saved when at least this Configure the following parameters: Event Function building blocks or other rules to number of these this number - Specify the number •...
Page 191 Creating a Rule Table 9-1 Functions Group (continued) Test Description Default Test Name Parameters Multi-Event Allows you to test the number of when a(n) IP address/ Configure the following parameters: Counter events from configured Port/QID/Event/ IP address/ Port/QID/Event/ • Function conditions, such as, source IP Device/Category Device/Category - Specify the...
Page 192 ONFIGURING ULES Table 9-1 Functions Group (continued) Test Description Default Test Name Parameters Multi-Rule You can also use building when all of these Configure the following parameters: Function blocks or existing rules to rules, in order, with rules - Specify the rules you wish •...
Page 193 Creating a Rule Table 9-1 Functions Group (continued) Test Description Default Test Name Parameters Multi-Rule You can also use building when at least this Configure the following parameters: Function blocks or existing rules to number of these this number - Specify the number •...
Page 194 ONFIGURING ULES Table 9-1 Functions Group (continued) Test Description Default Test Name Parameters Multi-Rule You can also use building when any of these Configure the following parameters: Function blocks or existing rules to rules with the same IP rules - Specify the rules you wish •...
Page 195 Creating a Rule In the groups area, select the check box(es) of the groups to which you wish to Step 9 assign this rule. For more information on grouping rules, see Grouping Rules. In the Notes field, enter any notes you wish to include for this rule. Click Next. Step 10 The Rule Responses window appears, which allows you to configure the action STRM takes when the event sequence is detected.
Page 196 ONFIGURING ULES Table 9-3 Event Rule Response Parameters (continued) Parameter Description Dispatch New Event Select the check box to dispatch a new event in addition to the original event, which will be processed like all other events in the system. The Dispatch New Event parameters appear when you select the check box.
Page 197 Creating a Rule Table 9-3 Event Rule Response Parameters (continued) Parameter Description Ensure the Select the check box if you wish, as a result of this dispatched event is rule, the event is forwarded to the Magistrate part of an offense component.
Page 198 Select the check box to send an SNMP trap. For an event rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB For example, the SNMP notification may resemble: "Wed Sep 28 12:20:57 GMT 2005, QRADAR...
Page 199 Creating a Rule Table 9-4 Offense Rule Response Parameters (continued) Parameter Description Offense Name Select one of the following options: This information should contribute to the • name of the associated offense(s) - Select this option if you wish the Event Name information to contribute to the name of the offense(s).
Page 200 Select the check box to send an SNMP trap. For an offense rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix Juniper Networks MIB For example, the SNMP notification may resemble: "Wed Sep 28 12:20:57 GMT 2005, QRADAR...
Page 201 Creating a Rule Review the configured rule. Click Finish. Step 13 STRM Administration Guide...
Page 202 ONFIGURING ULES Event Rule Tests This section provides information on the tests you can apply to the rules including: • Network Property Tests Event Property Tests • IP/Port Tests • Host Profile Tests • Date/Time Tests • • Device Tests Network Property Tests The network property test group includes: Table 9-5 Network Property Tests...
Page 203 Creating a Rule Table 9-6 Event Property Tests Test Description Default Test Name Parameters Local Network Valid when the event occurs when the local network is one of the following - Specify the Object in the specified network. one of the following areas of the network you wish this test networks to apply.
Page 204 ONFIGURING ULES Table 9-6 Event Property Tests (continued) Test Description Default Test Name Parameters Credibility Valid when the event when the event credibility Configure the following parameters: credibility is greater than, is greater than 5 greater than - Specify whether the •...
Page 205 Creating a Rule Table 9-6 Event Property Tests (continued) Test Description Default Test Name Parameters False Positive When you tune false when the false positive signatures - Specify the false positive Tuning positive events in the Event signature matches one of signature you wish this test to Viewer, the resulting tuning the following signatures...
Page 206 ONFIGURING ULES Table 9-7 IP / Port Test Group (continued) Test Description Default Test Name Parameters Remote Port Valid when the remote port when the remote port is one ports - Specify the ports you wish of the event is one of the of the following ports this test to consider.
Page 207 Creating a Rule Table 9-8 Host Profile Tests (continued) Test Description Default Test Name Parameters Host Existence Valid when the local source or when the local source Configure the following parameters: destination host is known to exist host exists either source - Specify if you wish this •...
Page 208 ONFIGURING ULES Table 9-8 Host Profile Tests (continued) Test Description Default Test Name Parameters Host Valid when the local source or when the local Configure the following parameters: Vulnerability destination host vulnerability risk destination host destination - Specify if you wish •...
Page 209 Creating a Rule Table 9-8 Host Profile Tests (continued) Test Description Default Test Name Parameters Target Threat Threat under is the value applied when the amount of Configure the following parameters: to the threat a network is under the threat the target is greater than - Specify if you wish •...
Page 210 ONFIGURING ULES Date/Time Tests The date and time tests include: Table 9-9 Date/Time Tests Test Description Default Test Name Parameters Event Day Valid when the event occurs when the event(s) Configure the following parameters: on the configured day of the occur on the selected on - Specify if you wish this test •...
Page 211: Offense Rule Tests
Creating a Rule Offense Rule Tests This section provides information on the tests you can apply to the rules including: IP/Port Tests • Host Profile Tests • • Date/Time Tests Device Tests • Offense Property Tests • IP/Port Tests The IP/Port tests include: Table 9-11 IP / Port Test Group Test Description...
Page 212 ONFIGURING ULES Host Profile Tests The host profile tests include: Table 9-12 Host Profile Tests Test Description Default Test Name Parameters Attacker Threat Threat Posing is the when the amount of Configure the following parameters: Level calculated value for this threat the attacker is greater than - Specify if you wish •...
Page 213 Creating a Rule Date/Time Tests The date and time tests include: Table 9-13 Date/Time Tests Test Description Default Test Name Parameters Event Day Valid when the offense when the offense(s) Configure the following parameters: occurs on the configured day occur on the selected on - Specify if you wish this rule •...
Page 214 ONFIGURING ULES Offense Property Tests The offense property tests include: Table 9-15 Offense Property Tests Test Description Default Test Name Parameters Network Object Valid when the network is when the networks Configure the following parameters: affected are any or all of the affected are any of one of any - Specify if you wish this test •...
Page 215 Creating a Rule Table 9-15 Offense Property Tests (continued) Test Description Default Test Name Parameters Attack Context Attack Context is the when the attack context is this context - Specify the context relationship between the this context you wish this test to consider. The attacker and target.
Page 216: Copying A Rule
ONFIGURING ULES Table 9-15 Offense Property Tests (continued) Test Description Default Test Name Parameters Target Count in Valid when the number of when the number of Configure the following parameters: an Offense targets for an offense greater targets under attack is greater than - Specify if you wish •...
Page 217: Grouping Rules
Grouping Rules Grouping Rules You can now group and view your rules and building blocks based on your chosen criteria. Categorizing your rules or building blocks into groups allows you to efficiently view and track your rules. For example, you can view all rules related to compliance.
Page 218 ONFIGURING ULES From the menu tree, select the group under which you wish to create a new group. Step 4 Note: Once you create the group, you can drag and drop menu tree items to change the organization of the tree items. Click New Group.
Page 219 Grouping Rules Editing a Group To edit a group: Click the Offense Manager tab. Step 1 The Offense Manager interface appears. In the navigation menu, click Rules. Step 2 Click Groups. Step 3 The Group window appears. From the menu tree, select the group you wish to edit. Step 4 Click Edit.
Page 220 ONFIGURING ULES Click Groups. Step 3 The Group window appears. From the menu tree, select the rule or building block you wish to copy to another Step 4 group. Click Copy. Step 5 The Choose Group window appears. Select the check box for the group(s) to which you wish to copy the rule or building Step 6 block.
Page 221: Editing Building Blocks
Editing Building Blocks Deleting an Item from To delete a rule or building block from a group: a Group Note: Deleting a group removes this rule or building block from the Rules interface. Deleting an item from a group does not delete the rule or building block from the Rules interface.
Page 222 ONFIGURING ULES To edit a building block: Select the Offense Manager tab. Step 1 The Offense Manager window appears. In the navigation menu, click Rules. Step 2 The rules window appears. In the Display drop-down list box, select Building Blocks. Step 3 The Building Blocks appear.
Page 223 Editing Building Blocks Click Finish. Step 7 STRM Administration Guide...
Page 225: Discovering Servers
ISCOVERING ERVERS The Server Discovery function uses STRM’s Asset Profile database to discover different server types based on port definitions, then allows you to select which servers should be added to a server-type building block. This feature makes the discovery and tuning process simpler and faster by allowing a quick mechanism to insert servers into building blocks.
Page 226 ISCOVERING ERVERS In the Matching Servers table, select the check box(es) of all servers you wish to Step 7 assign to the server role. Note: If you wish to modify the search criteria, click either Edit Port or Edit Definition. The Rules Wizard appears. For more information on the rules wizard, Chapter 9 Configuring Rules.
Page 227: Forwarding Syslog Data
ORWARDING YSLOG STRM allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM normalized event data. You can forward data on a per Event Collector/ Event Processor basis and you can configure multiple forwarding destinations.
Page 228 ORWARDING YSLOG Enter values for the parameters: Step 4 Forwarding Event Collector - Using the drop-down list box, select the • deployed Event Collector from which you wish to forward log data. IP - Enter the IP address of the system to which you wish to forward log data. •...
Page 229 Delete a Syslog Destination Delete a Syslog To delete a syslog forwarding destination: Destination In the Administration Console, click the SIM Configuration tab. Step 1 The SIM Configuration panel appears. Click the Syslog Forwarding Destinations icon. Step 2 The Syslog Forwarding Destinations window appears. Select the entry you wish to delete.
Page 231: Juniper Networks Mib
UNIPER ETWORKS This appendix provides information on the Juniper Networks Management Information Base (MIB). The Juniper Networks MIB allows you to send SNMP traps to other network management systems. The Juniper Networks OID is 1.3.6.1.4.1.20212. Note: STRM does not support outbound SNMP traps.
Page 232 UNIPER ETWORKS CONTACT-INFO " Juniper Technical Assistance Center Juniper Networks, Inc. 1194 N. Mathilda Avenue Sunnyvale, CA 94089 E-mail: support@juniper.net" DESCRIPTION "Security Threat Response Manger trap definitions for STRM" ::= { jnxStrm 1 } strmTrap OBJECT IDENTIFIER ::= { jnxStrm 0 } --- Variables within the STRM Trap Info --- .2636.7.1.*...
Page 233 ::= { strmTrapInfo 3 } --- Offense Properties strmOffenseID OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense ID" ::= { strmTrapInfo 4 } strmOffenseDescription OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Description of the Offense" ::= { strmTrapInfo 6 } strmOffenseLink OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify...
Page 234 UNIPER ETWORKS ::= { strmTrapInfo 9 } strmCreditibility OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense creditibility" ::= { strmTrapInfo 10 } strmRelevance OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Offense relevance" ::= { strmTrapInfo 11 } --- Attacker Properties strmAttackerIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify...
Page 235 ::= { strmTrapInfo 14 } strmTop5AttackerIPs OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)" ::= { strmTrapInfo 15 } strmTopAttackerIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Attacker IPs" ::= { strmTrapInfo 16 } strmTop5AttackerUsernames OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify...
Page 236 UNIPER ETWORKS --- Target Properties strmTargetIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Target IP" ::= { strmTrapInfo 18 } strmTargetUserName OBJECT-TYPE SYNTAX DisplayString (SIZE(0..64)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Target's User Name" ::= { strmTrapInfo 19 } strmTargetCount OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS accessible-for-notify STATUS current...
Page 237 strmTop5TargetUsernames OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top 5 Target Usernames by Magnitude" ::= { strmTrapInfo 50 } strmTopTargetUsername OBJECT-TYPE SYNTAX DisplayString (SIZE(0..32)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Target" ::= { strmTrapInfo 51 } strmTargetNetworks OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current...
Page 238 UNIPER ETWORKS strmTopCategory OBJECT-TYPE SYNTAX DisplayString (SIZE(0..64)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Top Category" ::= { strmTrapInfo 26 } strmCategoryID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Category ID of Event that triggered the Event CRE Rule" ::= { strmTrapInfo 27 } strmCategory OBJECT-TYPE SYNTAX DisplayString (SIZE(0..64)) MAX-ACCESS accessible-for-notify...
Page 239 ::= { strmTrapInfo 30 } --- Rule Properties strmRuleCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Total Number of Rules contained in the Offense" ::= { strmTrapInfo 31 } strmRuleNames OBJECT-TYPE SYNTAX DisplayString (SIZE(0..1024)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Names of the Rules that contributed to the Offense(comma separated)"...
Page 240 UNIPER ETWORKS DESCRIPTION "Description/Notes of the Rules that was triggered in the CRE" ::= { strmTrapInfo 35 } --- Event Properties strmEventCount OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Total Number of Events contained in the Offense" ::= { strmTrapInfo 36 } strmEventID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify...
Page 241 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Description/Notes of the Event that triggered the Event CRE Rule" ::= { strmTrapInfo 40 } --- IP Properties strmSourceIP OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Source IP of the Event that triggered the Event CRE Rule"...
Page 242 ::= { strmTrapInfo 44 } strmProtocol OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Protocol of the Event that triggered the Event CRE Rule" ::= { strmTrapInfo 45 } strmAttackerPort OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"...
Page 243 strmTargetUserName, strmTargetNetworks, strmProtocol, strmQid, strmEventName, strmEventDescription, strmCategory STATUS current DESCRIPTION "Event CRE Notification" ::= { strmTrap 1 } strmOffenseCRENotification NOTIFICATION-TYPE OBJECTS { strmLocalHostAddress, strmTimeString, strmRuleName, strmRuleDescription, strmOffenseID, strmOffenseDescription, strmOffenseLink, strmMagnitude, strmSeverity, strmCreditibility, strmRelevance, strmEventCount, strmCategoryCount, strmTop5Categories, strmAttackerIP, strmAttackerUserName, strmAttackerNetworks, strmAttackerCount, strmTop5AttackerIPs, strmTargetIP, strmTargetUserName,...
Page 244 UNIPER ETWORKS strmRuleCount, strmRuleNames, strmAnnotationCount, strmTopAnnotation.1, strmTopAnnotation.2, strmTopAnnotation.3, strmTopAnnotation.4, strmTopAnnotation.5, STATUS current DESCRIPTION "Offense CRE Notification" ::= { strmTrap 2 } STRM Administration Guide...
Page 245: Default Sentries
NTERPRISE EMPLATE EFAULTS The Enterprise template includes settings with emphasis on internal network activities. This appendix provides the defaults for the Enterprise template including: Default Sentries • Default Custom Views • Default Rules • • Default Building Blocks Default Sentries The default sentries for the Enterprise template include: Table B-1 Default Sentries Sentry...
Page 246: Enterprise Template Defaults
NTERPRISE EMPLATE EFAULTS Table B-1 Default Sentries (continued) Sentry Description Default - Suspicious - Internal Detects an excessive rate (more than 1000) of - Inbound Unidirectional inbound unidirectional (local host not responding) Flows Threshold flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration.
Page 247 Default Sentries Table B-1 Default Sentries (continued) Sentry Description DoS - Internal - Distributed Detects a low number of hosts (500) sending identical, DoS Attack (Low Number of non-responsive packets to a single target. In this Hosts) case, the target is treated as the attacker in the Offense Manager.
Page 248 NTERPRISE EMPLATE EFAULTS Table B-1 Default Sentries (continued) Sentry Description Policy - External - Hidden Detects an FTP server on a non-standard port. The FTP Server default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Page 249 Default Sentries Table B-1 Default Sentries (continued) Sentry Description Policy - External - SSH or Detects an SSH or Telnet server on a non-standard Telnet Detected on port. The default port for SSH and Telnet servers is Non-Standard Ports TCP port 22 and 23. Detecting SSH/Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Page 250 NTERPRISE EMPLATE EFAULTS Table B-1 Default Sentries (continued) Sentry Description Recon - External - Scanning Detects a host performing reconnaissance activity at Activity (High) an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Page 251 Default Sentries Table B-1 Default Sentries (continued) Sentry Description Recon - Internal - Scanning Detects a host performing reconnaissance activity at Activity (High) an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Page 252 NTERPRISE EMPLATE EFAULTS Table B-1 Default Sentries (continued) Sentry Description Suspicious - External - Detects excessive unidirectional ICMP responses Unidirectional ICMP from a single source. This may indicate an attempt to Responses Detected enumerate hosts on the network, or can be an indicator of other serious network issues.
Page 253: Default Custom Views
Default Custom Views Table B-1 Default Sentries (continued) Sentry Description Suspicious - Internal - Detects flows that indicate a host is sending an Unidirectional TCP Flows excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal, however, client workstations and other devices, should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.
Page 254: Threats Group
NTERPRISE EMPLATE EFAULTS Threats Group Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including: Table B-3 Custom Views - Threats View Group Objects Exceptions This group includes: Network_Management_Hosts - Defines network management servers or other system responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attacks, such as, traffic on your network such as vulnerability assessment (VA) scanners.
Page 255 Default Custom Views Table B-3 Custom Views - Threats View (continued) Group Objects Scanning This scanning group includes: • ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts more minute. • ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts more minute.
Page 256 NTERPRISE EMPLATE EFAULTS Table B-3 Custom Views - Threats View (continued) Group Objects Suspicious_IP_ This group includes: Protocol_Usage • Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection. •...
Page 257: Attacker Target Analysis Group
Default Custom Views Table B-3 Custom Views - Threats View (continued) Group Objects Remote_Access_ This group includes: Violation • Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application.
Page 258: Target Analysis Group
NTERPRISE EMPLATE EFAULTS Table B-4 Custom Views - AttackerTargetAnalysis (continued) Group Objects PeripheralComms This group includes: Analysis • Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host.
Page 259: Policy Violations Group
Default Custom Views Table B-5 Custom Views - TargetAnalysis (continued) Group Objects PeripheralComms This group includes: Analysis • Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently crashed the service running on this host.
Page 260: Asn Source Group
NTERPRISE EMPLATE EFAULTS Table B-6 Custom Views - PolicyViolations (continued) Group Objects Remote_Access_ Remote_Access_Shell - Detects bidirectional flows, where Policy_Violation remote hosts were connecting to local remote access servers. Detection of any of the following access technologies include: Citrix, PCAnywhere, SSH, Telnet, or VNC. P2P_ This group includes: Policy_Violation...
Page 261: Flow Shape Group
Default Custom Views Table B-7 Custom Views - QoS View QoS Group Group Objects NetworkControl Specifies QoS values related to link layer and routing Object protocols. IPRoutingControl Specifies QoS values used by IP routing protocols. Expedited Specifies values related to expedited forwarding, such as, a virtual leased line or premium service.
Page 262: Default Rules
NTERPRISE EMPLATE EFAULTS Default Rules Default rules for the Enterprise template include: Table B-9 Default Rules Rule Rule Group Type Enabled Description Default-Response- Response Offense False Reports any offense matching the severity, E-mail: Offense E-mail credibility, and relevance minimums to e-mail. Sender You must configure the e-mail address.
Page 263 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule- Anomaly Event False Reports a host emitting events at a rate greater Anomaly: Rate Analysis than normal. This may be normal, but in some Marked Events cases can be an early warning sign that the host has changed behavior.
Page 264 NTERPRISE EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Botnet: Botnet,Exploit Event False Reports a host connecting or attempting to Potential Botnet connect to a DNS server on the Internet. This Connection (DNS) may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
Page 265 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Database: Compliance, Event True Reports when there are multiple database Multiple Database Database failures followed by a success within a short Failures Followed by period of time. Success Default-Rule-Database: Compliance,...
Page 266 NTERPRISE EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Exploit: Exploit Event False Reports an attack from a local host where the Attacker Vulnerable to attacker is vulnerable to the attack being used. It this Exploit is possible that the attacker was a target in an earlier offense.
Page 267 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-False False Positive Event True Reports events that include false positive rules Positive: False Positive and building blocks, such as, Rules and Building Default-BB-FalsePositive: Windows Server Blocks False Positive Events.
Page 268 NTERPRISE EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Policy: Authentication, Event False Reports when a new host has been discovered New Host Discovered in Compliance in the DMZ. Default-Rule-Policy: Policy Event False Reports when an existing host has a newly New Service discovered service.
Page 269 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a source IP address attempting Local LDAP Server reconnaissance or suspicious connections on Scanner common LDAP ports to more than 60 hosts in 10 minutes.
Page 270 NTERPRISE EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a source IP address attempting Local Proxy Server reconnaissance or suspicious connections on Scanner common proxy server ports to more than 60 hosts in 10 minutes.
Page 271 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports on events that are detected by the Local Windows Server system and when the attack context is Scanner Local-to-Local (L2L). Default-Rule-Recon: Recon Event False Adds an additional event into the event stream...
Page 272 NTERPRISE EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a remote host attempting Remote P2P Server reconnaissance or suspicious connections on Scanner common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. Default-Rule-Recon: Recon Event...
Page 273 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports merged reconnaissance events Single Merged Recon generated by some devices. This rule causes all Events these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.
Page 274: Default Building Blocks
NTERPRISE EMPLATE EFAULTS Default Building Default building blocks for the Enterprise template include: Blocks Table B-10 Default Building Blocks Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event Edit this BB to include all events Definition: Authentication Definitions, that indicate an unsuccessful...
Page 275 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event Edit this BB to include all events Definition: Firewall Definitions that may indicate a firewall system System Errors error.
Page 276 NTERPRISE EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event STRM monitors event rates of all Definition: Rate Analysis Definitions source IP addresses/QIDs and Marked Events destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior.
Page 277 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event Edit this BB to include all event Definition: Windows Definitions, categories that indicate Compliance Events Compliance compliance events. Default-BB-Category Category Event Edit this BB to define worm events.
Page 278 NTERPRISE EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all the false Default-BB-HostDefinition: Database Server False Positive positive categories that occur to or Database Servers Positive Categories from database servers that are...
Page 279 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all the false Default-BB-HostDefinition: FTP False Positive Events Positive positive QIDs that occur to or from FTP Servers FTP-based servers that are defined in the...
Page 280 Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all the false Default-BB-HostDefinition: Proxy Server False Positive positive categories that occur to or Proxy Servers Positive Categories from proxy servers that are defined in the Default-BB-HostDefinition:...
Page 281 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all false Default-BB-HostDefinition: Syslog Sender False Positive positive events that occur to or Syslog Servers and Positive Events from syslog sources or...
Page 282 NTERPRISE EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Host Host Event Edit this BB to define typical DNS Default-BB-False Positive: Definition: DNS Servers Definitions servers. DNS Server False Positives Categories Default-BB-FalsePositve: DNS Server False...
Page 283 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Host Host Event Edit this BB to define SNMP Default-BB-PortDefinition: Definition: SNMP Sender Definitions senders or receivers. SNMP Ports or Receiver Default-BB-Host Host Event Edit this BB to define typical SSH...
Page 284 Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Network Network Event Edit this BB to include all networks Definition: Client Definition that include client hosts. Networks Default-BB-Network Network Event Edit this BB by replacing the other Definition: Honeypot like Definition network with network objects...
Page 285 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-PortDefinition: Compliance, Event Edit this BB to include all common IM Ports Port\ IM ports. Protocol Definition Default-BB-PortDefinition: Port\ Event Edit this BB to include all common IRC Ports Protocol IRC ports.
Page 286 Group Type Description Blocks, if applicable Default-BB-Recon Recon Event Define all Juniper Networks default Detected: All Recon Rules reconnaissance tests. This BB is used to detect a host that has performed reconnaissance such that other follow on tests can be performed.
Page 287 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable User-BB-FalsePositive: User Tuning Event Edit this BB to include any User-BB-HostDefinition: User Defined Server Type categories you wish to consider User Defined Server Type 2 False Positive false positives for hosts defined in...
Page 288 NTERPRISE EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable User-BB-Host User Tuning Event Edit this BB to include the IP User-BB-FalsePositives: Definition: User Defined address of your custom server User Defined Server Type Server Type 2 type.
Page 289: Default Sentries
NIVERSITY EMPLATE EFAULTS The University template includes settings with emphasis on internal network activities. This appendix provides the defaults for the University template including: Default Sentries • Default Custom Views • • Default Rules • Default Building Blocks Default Sentries The default sentries for the University template include: Table C-1 Default Sentries Sentry...
Page 290: University Template Defaults
NIVERSITY EMPLATE EFAULTS Table C-1 Default Sentries (continued) Sentry Description DoS - External - Distributed Detects a low number of hosts (500) sending identical, DoS Attack (Low Number of non-responsive packets to a single target. In this Hosts) case, the target is treated as the attacker in the Offense Manager.
Page 291 Default Sentries Table C-1 Default Sentries (continued) Sentry Description DoS - Internal - Flood Attack Detects flood attacks above 5000 packets per second. (Medium) This activity typically indicates a serious attack. DoS - Internal - Flood Attack Detects flood attacks above 500 packets per second. (Low) This activity may indicate an attack.
Page 292 NIVERSITY EMPLATE EFAULTS Table C-1 Default Sentries (continued) Sentry Description Policy - External - IM/Chat Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Page 293 Default Sentries Table C-1 Default Sentries (continued) Sentry Description Policy - External - Usenet Detects flows to or from a Usenet server. It is Usage uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy. Policy - External - VNC Detects VNC (a remote desktop access application) Access From the Internet to a...
Page 294 NIVERSITY EMPLATE EFAULTS Table C-1 Default Sentries (continued) Sentry Description Recon - External - Scanning Detects a host performing reconnaissance activity at a Activity (Low) rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network.
Page 295 Default Sentries Table C-1 Default Sentries (continued) Sentry Description Recon - Internal - Scanning Detects a host performing reconnaissance activity at a Activity (Low) rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network.
Page 296 NIVERSITY EMPLATE EFAULTS Table C-1 Default Sentries (continued) Sentry Description Suspicious - External - Detects flows that indicate a host is sending an Unidirectional TCP Flows excessive quantity (at least 40) of unidirectional flows. These types of flows may be considered normal, however, client workstations and other devices, should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.
Page 297: Default Custom Views
Default Custom Views Table C-1 Default Sentries (continued) Sentry Description Excessive Unidirectional Detects an excessive number of UDP, non-TCP, or UDP or Misc Flows ICMP from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 80.
Page 298: Threats Group
NIVERSITY EMPLATE EFAULTS Threats Group Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including: Table B-3 Custom Views - Threats View Group Objects Exceptions This group includes: Network_Management_Hosts - Defines network management servers or other system responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attacks, such as, traffic on your network such as vulnerability assessment (VA) scanners.
Page 299 Default Custom Views Table B-3 Custom Views - Threats View (continued) Group Objects Scanning This scanning group includes: • ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts more minute. • ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts more minute.
Page 300 NIVERSITY EMPLATE EFAULTS Table B-3 Custom Views - Threats View (continued) Group Objects Suspicious_IP_ This group includes: Protocol_Usage • Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection. •...
Page 301: Attacker Target Analysis Group
Default Custom Views Table B-3 Custom Views - Threats View (continued) Group Objects Remote_Access_ This group includes: Violation • Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application.
Page 302: Target Analysis Group
NIVERSITY EMPLATE EFAULTS Table B-4 Custom Views - AttackerTargetAnalysis (continued) Group Objects PeripheralComms This group includes: Analysis • Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host.
Page 303: Policy Violations Group
Default Custom Views Table B-5 Custom Views - TargetAnalysis (continued) Group Objects PeripheralComms This group includes: Analysis • Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently crashed the service running on this host.
Page 304: Asn Destination Group
NIVERSITY EMPLATE EFAULTS Table B-6 Custom Views - PolicyViolations (continued) Group Objects Remote_Access_ Remote_Access_Shell - Detects bidirectional flows, where Policy_Violation remote hosts were connecting to local remote access servers. Detection of any of the following access technologies include: Citrix, PCAnywhere, SSH, Telnet, or VNC. P2P_ This group includes: Policy_Violation...
Page 305: Flow Shape Group
Default Custom Views Table B-7 Custom Views - QoS View QoS Group Group Objects NetworkControl Specifies QoS values related to link layer and routing Object protocols. IPRoutingControl Specifies QoS values used by IP routing protocols. Expedited Specifies values related to expedited forwarding, such as, a virtual leased line or premium service.
Page 306: Default Rules
NIVERSITY EMPLATE EFAULTS Default Rules Default rules for the University template include: Table B-9 Default Rules Rule Rule Group Type Enabled Description Default-Response- Response Offense False Reports any offense matching the severity, E-mail: Offense E-mail credibility, and relevance minimums to e-mail. Sender You must configure the e-mail address.
Page 307 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule- Anomaly Event False Reports a host emitting events at a rate greater Anomaly: Rate Analysis than normal. This may be normal, but in some Marked Events cases can be an early warning sign that the host has changed behavior.
Page 308 NIVERSITY EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Botnet: Botnet,Exploit Event False Reports a host connecting or attempting to Potential Botnet connect to a DNS server on the Internet. This Connection (DNS) may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
Page 309 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Database: Database, Event True Reports when there are multiple database Multiple Database Compliance failures followed by a success within a short Failures Followed by period of time. Success Default-Rule-Database: Database,...
Page 310 NIVERSITY EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Exploit: Exploit Event False Reports an attack from a local host where the Attacker Vulnerable to attacker is vulnerable to the attack being used. It this Exploit is possible that the attacker was a target in an earlier offense.
Page 311 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-False False Positive Event True Reports events that include false positive rules Positive: False Positive and building blocks, such as, Rules and Building Default-BB-FalsePositive: Windows Server Blocks False Positive Events.
Page 312 NIVERSITY EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Policy: Authentication, Event False Reports when a new host has been discovered New Host Discovered in Compliance in the DMZ. Default-Rule-Policy: Policy Event False Reports when an existing host has a newly New Service discovered service.
Page 313 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a source IP address attempting Local LDAP Server reconnaissance or suspicious connections on Scanner common LDAP ports to more than 60 hosts in 10 minutes.
Page 314 NIVERSITY EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a source IP address attempting Local Proxy Server reconnaissance or suspicious connections on Scanner common proxy server ports to more than 60 hosts in 10 minutes.
Page 315 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a source IP address attempting Local Windows Server reconnaissance or suspicious connections on Scanner common Windows server ports with the same source IP address more than 5 times, across more than 200 destination IP address(es) within 20 minutes.
Page 316 NIVERSITY EMPLATE EFAULTS Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a remote host attempting Remote Mail Server reconnaissance or suspicious connections on Scanner common mail server ports to more than 30 hosts in 10 minutes.
Page 317 Default Rules Table B-9 Default Rules (continued) Rule Rule Group Type Enabled Description Default-Rule-Recon: Recon Event True Reports a remote host attempting Remote Windows reconnaissance or suspicious connections on Server Scanner common Windows server ports to more than 60 hosts in 10 minutes. Default-Rule-Recon: Recon Event...
Page 318: Default Building Blocks
NIVERSITY EMPLATE EFAULTS Default Building Default building blocks for the University template include: Blocks Table B-10 Default Building Blocks Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event Edit this BB to include all events Definition: Authentication Definitions, that indicate an unsuccessful...
Page 319 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event Edit this BB to include all events Definition: Firewall Definitions that may indicate a firewall system System Errors error.
Page 320 NIVERSITY EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event STRM monitors event rates of all Definition: Rate Analysis Definitions source IP addresses/QIDs and Marked Events destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior.
Page 321 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Category Category Event Edit this BB to include all event Definition: Windows Definitions, categories that indicate Compliance Events Compliance compliance events. Default-BB-Category Category Event Edit this BB to define worm events.
Page 322 NIVERSITY EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all the false Default-BB-HostDefinition: Database Server False Positive positive categories that occur to or Database Servers Positive Categories from database servers that are...
Page 323 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all the false Default-BB-HostDefinition: FTP False Positive Events Positive positive QIDs that occur to or from FTP Servers FTP-based servers that are defined in the...
Page 324 Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all the false Default-BB-HostDefinition: Proxy Server False Positive positive categories that occur to or Proxy Servers Positive Categories from proxy servers that are defined in the Default-BB-HostDefinition:...
Page 325 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-FalsePositive: False Event Edit this BB to define all false Default-BB-HostDefinition: Syslog Sender False Positive positive events that occur to or Syslog Servers and Positive Events from syslog sources or...
Page 326 NIVERSITY EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Host Host Event Edit this BB to define typical DNS Default-BB-False Positive: Definition: DNS Servers Definitions servers. DNS Server False Positives Categories Default-BB-FalsePositve: DNS Server False...
Page 327 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Host Host Event Edit this BB to define SNMP Default-BB-PortDefinition: Definition: SNMP Sender Definitions senders or receivers. SNMP Ports or Receiver Default-BB-Host Host Event Edit this BB to define typical SSH...
Page 328 Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-Network Network Event Edit this BB to include all networks Definition: Client Definition that include client hosts. Networks Default-BB-Network Network Event Edit this BB by replacing the other Definition: Honeypot like Definition network with network objects...
Page 329 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable Default-BB-PortDefinition: Compliance, Event Edit this BB to include all common IM Ports Port\ IM ports. Protocol Definition Default-BB-PortDefinition: Port\ Event Edit this BB to include all common IRC Ports Protocol IRC ports.
Page 330 Group Type Description Blocks, if applicable Default-BB-Recon Recon Event Define all Juniper Networks default Detected: All Recon Rules reconnaissance tests. This BB is used to detect a host that has performed reconnaissance such that other follow on tests can be performed.
Page 331 Default Building Blocks Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable User-BB-FalsePositive: User Tuning Event Edit this BB to include any User-BB-HostDefinition: User Defined Server Type categories you wish to consider User Defined Server Type 2 False Positive false positives for hosts defined in...
Page 332 NIVERSITY EMPLATE EFAULTS Table B-10 Default Building Blocks (continued) Block Associated Building Building Block Group Type Description Blocks, if applicable User-BB-Host User Tuning Event Edit this BB to include the IP User-BB-FalsePositives: Definition: User Defined address of your custom server User Defined Server Type Server Type 2 type.
Page 333: Default Sentries
ISP T EMPLATE EFAULTS The ISP template includes settings with emphasis on internal network activities. This appendix provides the defaults for the ISP template including: Default Sentries • Default Custom Views • • Default Rules • Default Building Blocks Default Sentries The default sentries for the ISP template include: Table D-1 Default Sentries Sentry...
Page 334: Isp Template Defaults
ISP T EMPLATE EFAULTS Table D-1 Default Sentries (continued) Sentry Description Excessive Inbound Detects an excessive rate (more than 1000) of Unidirectional Flows inbound unidirectional (local host not responding) Threshold flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration.
Page 335 Default Sentries Table D-1 Default Sentries (continued) Sentry Description Invalid TCP Flag usage Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Page 336: Default Custom Views
ISP T EMPLATE EFAULTS Table D-1 Default Sentries (continued) Sentry Description UDP DoS Detects flows that appear to be a UDP DoS attack attempt. Default Custom This section provides the default custom views for the Enterprise template Views including: • IP Tracking Group Threats Group •...
Page 337: Threats Group
Default Custom Views Threats Group Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including: Table D-3 Custom Views - Threats View Group Objects Exceptions This group includes: Network_Management_Hosts - Defines network management servers or other system responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attacks, such as, traffic on your network such as vulnerability assessment (VA) scanners.
Page 338 ISP T EMPLATE EFAULTS Table D-3 Custom Views - Threats View (continued) Group Objects Scanning This scanning group includes: • ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts more minute. • ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts more minute.
Page 339 Default Custom Views Table D-3 Custom Views - Threats View (continued) Group Objects Suspicious_IP_ This group includes: Protocol_Usage • Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection. •...
Page 340: Attacker Target Analysis Group
ISP T EMPLATE EFAULTS Table D-3 Custom Views - Threats View (continued) Group Objects Remote_Access_ This group includes: Violation • Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application.
Page 341: Target Analysis Group
Default Custom Views Table B-4 Custom Views - AttackerTargetAnalysis (continued) Group Objects PeripheralComms This group includes: Analysis • Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host.
Page 342: Policy Violations Group
ISP T EMPLATE EFAULTS Table B-5 Custom Views - TargetAnalysis (continued) Group Objects PeripheralComms This group includes: Analysis • Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently crashed the service running on this host.
Page 343: Ifindexin Group
Default Custom Views Table B-6 Custom Views - PolicyViolations (continued) Group Objects Remote_Access_ Remote_Access_Shell - Detects bidirectional flows, where Policy_Violation remote hosts were connecting to local remote access servers. Detection of any of the following access technologies include: Citrix, PCAnywhere, SSH, Telnet, or VNC. P2P_ This group includes: Policy_Violation...
Page 344: Flow Shape Group
ISP T EMPLATE EFAULTS Table B-7 Custom Views - QoS View (continued) QoS Group Group Objects IP Routing Control Specifies QoS values used by IP routing protocols. Expedited Specifies values related to expedited forwarding, such as, a virtual leased line or premium service. Class 4 Specifies values related to Class 4 traffic.
Page 345: Default Rules
Default Rules Default Rules Default rules for the ISP template include: Table D-9 Default Rules Rule Rule Type Enabled Description Default-Response-E- Offense False Reports any offense matching the mail: Offense E-mail severity, credibility, and relevance Sender minimums to e-mail. You must configure the e-mail address.
Page 346 ISP T EMPLATE EFAULTS Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule- Event False Detects a host emitting events at a rate Anomaly: Rate greater than normal. This may be Analysis Marked normal, but in some cases can be an Events early warning sign that the host has changed behavior.
Page 347 Default Rules Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Botnet: Event False Reports a host connecting or attempting Potential Botnet to connect to an IRC server on the Connection (IRC) Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
Page 348 ISP T EMPLATE EFAULTS Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Exploit: Event True Reports an IP address generating Target Vulnerable to multiple (at least 5) exploits or malicious Detected Exploit software (malware) events in the last 5 minutes.
Page 349 Default Rules Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Recon: Event True Reports an aggressive scan from a Aggressive Remote remote source IP address, scanning Scanner Detected other local or remote IP addresses. More than 50 targets received reconnaissance or suspicious events in less than 3 minutes.
Page 350 ISP T EMPLATE EFAULTS Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Recon: Event True Reports a source IP address attempting Local DNS Scanner reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. Default-Rule-Recon: Event True...
Page 351 Default Rules Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Recon: Event True Reports a scan from a local host against Local Scanner other hosts or remote targets. At least Detected 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP.
Page 352 ISP T EMPLATE EFAULTS Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Recon: Event True Reports a scan from a remote host Remote Database against other local or remote targets. At Scanner least 30 hosts were scanned in 10 minutes.
Page 353 Default Rules Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Recon: Event True Reports a remote host attempting Remote Proxy Server reconnaissance or suspicious Scanner connections on common proxy server ports to more than 30 hosts in 10 minutes.
Page 354: Default Building Blocks
ISP T EMPLATE EFAULTS Table D-9 Default Rules (continued) Rule Rule Type Enabled Description Default-Rule-Recon: Event True Reports a remote host attempting Remote Windows reconnaissance or suspicious Server Scanner connections on common Windows server ports to more than 60 hosts in 10 minutes.
Page 355 Default Building Blocks Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-Category Event Edit this BB to include any geographic Definition: Countries with location that typically would not be allowed no Remote Access remote access to the enterprise.
Page 356 ISP T EMPLATE EFAULTS Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-Category Event STRM monitors event rates of all source IP Definition: Rate Analysis addresses/QIDs and destination IP Marked Events addresses/QIDs and marks events that exhibit abnormal rate behavior.
Page 357 Default Building Blocks Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-FalsePositive: Event Edit this BB to include all false positive All Default-BB-FalsePositive All Default False Positive building blocks. building blocks Building Blocks Default-BB-FalsePositive: Event Edit this BB to define all the false positive Default-BB-HostDefinition:...
Page 358 ISP T EMPLATE EFAULTS Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-FalsePositive: Event Edit this BB to include any event QIDs that Global False Positive you wish to ignore. Events Default-BB-FalsePositive: Event Edit this BB to define all the false positive Internal Attacker to QIDs that occur to or from Local-to-Local...
Page 359 Default Building Blocks Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-FalsePositive: Event Edit this BB to define all the false positive Remote Attacker to QIDs that occur to or from Remote-to-Local Internal Target False (R2L) based servers.
Page 360 ISP T EMPLATE EFAULTS Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-FalsePositive: Event Edit this BB to define all the false positive Default-BB-HostDefinition: Virus Definition Update QIDs that occur to or from virus definition or Virus Definition Categories other automatic update hosts that are...
Page 361 Default Building Blocks Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-Host Event Edit this BB to define typical FTP servers. Default-BB-False Positive: FTP Definition: FTP Servers Server False Positives Categories Default-BB-FalsePositve: FTP Server False Positive Events Default-BB-Host Event Edit this BB by replace the other network...
Page 362 ISP T EMPLATE EFAULTS Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-Host Event Edit this BB to include the networks where Definition: Server your servers are located. Networks Default-BB-Host Event Edit this BB to define generic servers. Definition: Servers Default-BB-Host Event Edit this BB to define SNMP senders or...
Page 363 Default Building Blocks Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable Default-BB-Policy: IRC/IM Event Edit this BB to define all policy IRC/IM Connection Violations connection violations. Default-BB-Policy: Policy Event Edit this BB to include all events that indicate Peer-to-Peer (P2P) events.
Page 364 Building Block Type Description if applicable Default-BB-Recon Event Define all Juniper Networks default Detected: All Recon Rules reconnaissance tests. This BB is used to detect a host that has performed reconnaissance such that other follow on tests can be performed. For example, reconnaissance followed by firewall accept.
Page 365 Default Building Blocks Table D-10 Default Building Blocks (continued) Block Associated Building Blocks, Building Block Type Description if applicable User-BB-Host Event Edit this BB to include the IP address of User-BB-FalsePositives: User Definition: User Defined your custom server type. Once you have Defined Server Type 1 False Server Type 1 added the servers, add any events or...
Page 367 NDEX content filter 102 conventions 1 administration console Custom Views about 3 about 161 accessing 4 Attacker Target Analysis Group 249 using 4 creating 162 administrative e-mail address 31 editing 170 administrator role 12 equation aeriel database settings 33 editing 171 alert directory 34 equation editor 164 alert e-mail from address 31...
Page 368 NDEX element type 165 equations editing 171 global IPtables access 32 elements 140 objects 140 Event Collector about 73 hashing configuring 109 alogrithm 34 Event Processor event log 34 about 73 flow log 33 configuring 110 hlocal 131 event rule 176 host about 176 adding 82...
Page 369 NDEX flow data 33 enabling 86 identity history 33 removing 89 offense 33 using with QRadar 87 views NetFlow 95 group 32 Network Address Translation. See NAT object 32 network hierarchy unused database 32 creating 24 role 11 network surveillance role 14 administrator 12 network taps 95 asset management 13...
Page 370 NDEX user reset 41 authentication 18 SNMP creating account 15 embedded SNMP agent settings 35 editing account 17 SNMP agent managing 11 accessing 42 roles 11 SNMP settings 35 user accounts source managing 15 off-site 70 user data files 32 starting QRadar 41 stopping QRadar 41 storage 107...