Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2
Security Threat Response Manager STRM Administration Guide Release 2008.2 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 530-025612-01, Revision 1...
Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
CONTENTS
ABOUT THIS GUIDE: Audience; Conventions; Technical Documentation; Documentation Feedback; Requesting Support
OVERVIEW: About the Interface; Accessing the Administration Console; Using the Interface; Deploying Changes; Viewing STRM Audit Logs; Logged Actions; Viewing the Log File
MANAGING USERS: Managing Roles; Creating a Role; Editing a Role; Managing User Accounts; Creating a User Account...
Configuring STRM Settings; Configuring System Notifications; Configuring the Console Settings; Starting and Stopping STRM; Resetting SIM; Accessing the Embedded SNMP Agent; Configuring Access Settings; Configuring Firewall Access; Updating Your Host Set-up; Configuring Interface Roles; Changing Passwords; Updating System Time
MANAGING BACKUP AND RECOVERY: Managing Backup Archives...
Configuring a Flow Collector; Configuring a Flow Processor; Configuring a Classification Engine; Configuring an Update Daemon; Configuring a Flow Writer; Configuring an Event Collector; Configuring an Event Processor; Configuring the Magistrate
MANAGING SOURCES: About Flow Sources; NetFlow; sFlow; J-Flow; Packeteer; Flowlog File; Managing Flow Sources; Adding a Flow Source...
Managing Application Views; Default Application Views; Adding an Applications Object; Editing an Applications Object; Managing Remote Networks View; Default Remote Networks Views; Adding a Remote Networks Object; Editing a Remote Networks Object; Managing Remote Services Views; Default Remote Services Views; Adding a Remote Services Object; Editing a Remote Services Object; Managing Collector Views...
JUNIPER NETWORKS ENTERPRISE TEMPLATE DEFAULTS: Default Sentries; Default Custom Views; IP Tracking Group; Threats Group; Attacker Target Analysis Group; Target Analysis Group; Policy Violations Group; ASN Source Group; ASN Destination Group; IFIndexIn Group; IFIndexOut Group; QoS Group; Flow Shape Group; Default Rules; Default Building Blocks
UNIVERSITY...
IFIndexIn Group; IFIndexOut Group; QoS Group; Flow Shape Group; Default Rules; Default Building Blocks
INDEX...
Warning: Information that alerts you to potential personal injury.
Technical Documentation: You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support
Documentation Feedback: We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
• Page number
• Software release version
Requesting Support: Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
STRM Administration Guide...
OVERVIEW
This chapter provides an overview of the STRM Administration Console and STRM administrative functionality, including:
• About the Interface
• Accessing the Administration Console
• Using the Interface
• Deploying Changes
• Viewing STRM Audit Logs
About the Interface: You must have administrative privileges to access the Administration Console.
Accessing the Administration Console: You can access the STRM Administration Console through the main STRM interface. To access the Administration Console, click Config in the main STRM interface. The Administration Console appears.
Using the Interface: The Administration Console provides several tab and menu options that allow you to configure STRM, including: ...
Table 1-1 Administrative Console Menu Options (continued)
Menu Option | Sub-Menu | Description
STRM | Restart | Restarts the STRM application.
Help | Help and Support | Opens user documentation.
Help | About STRM | Displays version information.
The Administration Console also provides several toolbar options:
Table 1-2 Administration Console Toolbar Options
Icon | Description ...
Table 1-3 Logged Actions
Category | Action
User Authentication | Log in to STRM; Log out of STRM
Administrator Authentication | Log in to the STRM Administration Console; Log out of the STRM Administration Console
Root Login | Log in to STRM as root; Log out of STRM as root
Rules | Adding a rule...
Protocol Configuration | Adding a protocol configuration; Deleting a protocol configuration; Editing a protocol configuration
Flow Sources | Adding a flow source; Editing a flow source; Deleting a flow source
Offense Manager | Hiding an offense; Closing an offense; Closing all offenses...
Scanner | Adding a scanner; Deleting a scanner; Editing a scanner
Scanner Schedule | Adding a schedule; Editing a schedule; Deleting a schedule
Asset | Deleting all assets
License | Adding a license key; Editing a license key
Viewing the Log File: To view the audit logs, log in to STRM as root. (Note that the root login itself is recorded under the Root Login category above.)
MANAGING USERS
This chapter provides information on managing STRM users, including:
• Managing Roles
• Managing User Accounts
• Authenticating Users
You can add or remove user accounts for all users that you wish to have access to STRM. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM.
Step 4 Enter values for the parameters. You must select at least one permission to proceed.
Table 2-1 Create Roles Parameters
Role Name: Specify the name of the role. The name can be up to 15 characters in length and must contain only letters and integers.
Table 2-1 Create Roles Parameters (continued)
Offense Management: Select the check box if you wish to grant this user access to Offense Manager functionality. Within the Offense Manager functionality, you can grant additional access to the following:
• Assign Offenses to Users - Select the check box if you...
Network Surveillance: Select the check box if you wish to grant this user access to Network Surveillance functionality. Within the Network Surveillance functionality, you can grant additional access to the following:
• View Flows - Select the check box if you wish to allow...
Step 5 Click Return.
Step 6 Click Save.
Step 7 Close the Manage User Roles window. The STRM Administration Console appears.
Step 8 From the menu, select Configurations > Deploy configuration changes.
Managing User Accounts: You can create a STRM user account, which allows a user access to selected network components using the STRM interface.
Table 2-2 User Details Parameters (continued)
Password: Specify a password for the user to gain access. The password must be at least 5 characters in length. This is only the minimum the interface enforces, not a recommendation; use considerably longer passwords, or have STRM authenticate against RADIUS or TACACS (see Authenticating Users) so that your organization's password policy applies.
Confirm Password: Re-enter the password for confirmation.
Email Address: Specify the user's e-mail address.
Role: Using the drop-down list box, select the role you wish this user to assume.
Editing a User Account: To edit a user account:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Users icon. The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you wish to edit. The User Details window appears.
Authenticating Users: You can configure authentication to validate STRM users and passwords. STRM supports the following user authentication types:
• System Authentication - Users are authenticated locally by STRM. This is the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication...
Step 3 From the Authentication Module drop-down list box, select the authentication type you wish to configure.
Step 4 Configure the selected authentication type:
If you selected System Authentication, go to Step 5.
If you selected RADIUS Authentication, enter values for the following parameters:
Table 2-3 RADIUS Parameters
Parameter...
Table 2-4 TACACS Parameters (continued)
Authentication Type: Specify the type of authentication you wish to perform. The options are:
• PAP (Password Authentication Protocol) - Sends the password in clear text between the user and the server. Anyone able to observe the path between STRM and the TACACS server can read it, so use PAP only where that path is trusted.
• CHAP (Challenge Handshake Authentication Protocol) - ...
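The difference between the two options is easiest to see on the wire. The following simulation is an added example, not code from the STRM guide or product: it builds a PAP Authenticate-Request and runs one CHAP challenge/response round (RFC 1994: the response is MD5 over the identifier, the shared secret and the challenge), then checks whether a passive observer between STRM and the AAA server would see the secret. The user name, secret and challenge are constructed for the example.

```python
"""PAP versus CHAP on the wire (added example; not STRM code).

PAP carries the password itself. CHAP carries MD5(Identifier || secret ||
Challenge), so the secret never leaves either side. Both exchanges are
simulated in-process with constructed messages.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example: a hypothetical STRM-side user and TACACS secret.
USER = b"strmadmin"
SECRET = b"s3cret-pw"


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """Body of a PAP Authenticate-Request (RFC 1334 layout, simplified):
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. The password is
    carried verbatim, so a capture of this message yields it directly."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_challenge(size: int = 16) -> bytes:
    """Authenticator side: a fresh random challenge. Reusing a challenge
    would let an observer replay a previously captured response."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994 section 4): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute over the stored secret and compare in
    constant time. Note that CHAP requires the server to keep the secret
    in recoverable form; that is the trade-off for keeping it off the wire."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> dict:
    """One Challenge -> Response -> Success/Failure round. The peer uses
    peer_secret; the authenticator checks against its own copy, SECRET."""
    challenge = chap_challenge() if challenge is None else challenge
    response = chap_response(identifier, peer_secret, challenge)
    ok = chap_verify(identifier, SECRET, challenge, response)
    return {"challenge": challenge, "response": response, "success": ok}


def secret_visible_on_wire(wire_bytes: bytes, secret: bytes) -> bool:
    """What a passive observer of the exchange learns."""
    return secret in wire_bytes


if __name__ == "__main__":
    pap = pap_authenticate_request(USER, SECRET)
    print("PAP: password readable in capture:", secret_visible_on_wire(pap, SECRET))
    chap = chap_exchange(SECRET)
    wire = chap["challenge"] + chap["response"]
    print("CHAP: success =", chap["success"],
          "| secret readable in capture:", secret_visible_on_wire(wire, SECRET))
    print("CHAP with wrong secret: success =", chap_exchange(b"wrong")["success"])
```

CHAP protects the password in transit but does not authenticate the server or protect the rest of the session; if the TACACS traffic crosses an untrusted network, also restrict which hosts may reach the TACACS server (see Configuring Firewall Access).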
SETTING UP STRM
This chapter provides information on setting up STRM, including:
• Managing Your License Keys
• Creating Your Network Hierarchy
• Scheduling Automatic Updates
• Configuring STRM Settings
• Configuring System Notifications
• Configuring the Console Settings
• Starting and Stopping STRM
• ...
• For a new or updated license key, please contact your local sales representative.
• For all other technical issues, please contact Juniper Networks Customer Support.
If you log in to STRM and your Console license key has expired, you are automatically directed to the System Management window.
Step 5 Once you locate and select the license key, click Open. The Current License Details window appears.
Step 6 Click Save. A message appears indicating the license key was successfully updated.
Note: If you wish to revert to the previous license key, click Revert to Deployed.
Step 3 Click Export Licenses. The export window appears.
Step 4 Select one of the following options:
• Open - Opens the license key data in an Excel spreadsheet.
• Save - Allows you to save the file to your desktop.
• ...
Group | Description | IP Address
Marketing | - | 10.10.5.0/24
Sales | - | 10.10.8.0/21
Database Cluster | - | 10.10.1.3/32, 10.10.1.4/32, 10.10.1.5/32
Note: We recommend that you do not configure a network group with more than 15 objects. A larger group may make it difficult to view detailed information for each group.
Table 3-1 Add New Object Parameters (continued)
Name: Specify the name for the object.
Weight: Specify the weight of the object. The range is 1 to 100 and indicates the importance of the object in the system.
IP/CIDR(s): Specify the CIDR range(s) for this object.
Table 3-2 Accepted CIDR Values (continued)
CIDR Length | Mask | Number of Networks | Hosts
/14 | 255.252.0.0 | 4 B | 262,136
/15 | 255.254.0.0 | 2 B | 131,068
/16 | 255.255.0.0 | 1 B | 65,534
/17 | 255.255.128.0 | 128 C | 32,512
/18 | 255.255.192.0 | 64 C | 16,256
/19 | 255.255.224.0 | 32 C | 8,128
/20 | 255.255.240.0 | 16 C | 4,064
/21 | 255.255.248.0 | 8 C | 2,032
/22 | 255.255.252.0 | 4 C | 1,016
...
The Hosts column counts usable hosts per classful network (65,534 per class B, 254 per class C) multiplied by the number of networks; for example, /17 is 128 × 254 = 32,512. It is not 2^(32 − length) − 2 for the whole block.
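Before deploying a hierarchy it is worth checking it the way STRM itself cannot tell you about: objects whose CIDRs overlap across groups (flows then land in whichever object wins, not the one you expect), CIDRs with host bits set, and groups over the recommended 15 objects. The following checker is an added example and is not part of STRM; it parses the objects with Python's ipaddress module, reproduces the Mask, Number of Networks and Hosts columns of Table 3-2 using the classful counting convention the table uses (class A for /8 and shorter, class B for /9 to /16, class C for /17 to /24, and a plain block minus network and broadcast addresses beyond /24, which is an assumption for rows this page does not show), and reports the problems above. The sample hierarchy is the one from the table above.

```python
"""Network hierarchy sanity checks (added example; not part of STRM).

Reproduces Table 3-2's Mask / Number of Networks / Hosts columns and flags
overlapping objects, malformed CIDRs and oversized groups.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed hierarchy, taken from the example groups above.
HIERARCHY: Dict[str, List[str]] = {
    "Marketing": ["10.10.5.0/24"],
    "Sales": ["10.10.8.0/21"],
    "Database Cluster": ["10.10.1.3/32", "10.10.1.4/32", "10.10.1.5/32"],
}

MAX_OBJECTS_PER_GROUP = 15  # the guide's recommendation


def table_3_2_row(prefix_len: int) -> Tuple[str, str, int]:
    """Return (mask, number-of-networks, hosts) as Table 3-2 presents them.
    Classful convention: /0-/8 -> class A, /9-/16 -> class B, /17-/24 -> class C.
    Assumption: beyond /24 the block is counted once, minus network and
    broadcast addresses (except /31 and /32, which have none to remove)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    if prefix_len <= 8:
        count, per_net, cls = 2 ** (8 - prefix_len), 2 ** 24 - 2, "A"
    elif prefix_len <= 16:
        count, per_net, cls = 2 ** (16 - prefix_len), 2 ** 16 - 2, "B"
    elif prefix_len <= 24:
        count, per_net, cls = 2 ** (24 - prefix_len), 2 ** 8 - 2, "C"
    else:
        size = 2 ** (32 - prefix_len)
        return mask, "1", size if size <= 2 else size - 2
    return mask, f"{count} {cls}", count * per_net


def parse_hierarchy(hierarchy: Dict[str, List[str]]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """strict=True raises ValueError for host bits set (e.g. 10.10.5.1/24)."""
    return {g: [ipaddress.IPv4Network(c, strict=True) for c in cidrs]
            for g, cidrs in hierarchy.items()}


def find_overlaps(parsed: Dict[str, List[ipaddress.IPv4Network]]) -> List[Tuple[str, str, str, str]]:
    """Objects in different groups that overlap; each pair reported once."""
    flat = [(g, n) for g, nets in parsed.items() for n in nets]
    hits = []
    for i, (g1, n1) in enumerate(flat):
        for g2, n2 in flat[i + 1:]:
            if g1 != g2 and n1.overlaps(n2):
                hits.append((g1, str(n1), g2, str(n2)))
    return hits


def oversized_groups(parsed: Dict[str, List[ipaddress.IPv4Network]],
                     limit: int = MAX_OBJECTS_PER_GROUP) -> List[str]:
    return [g for g, nets in parsed.items() if len(nets) > limit]


def check_hierarchy(hierarchy: Dict[str, List[str]]) -> dict:
    parsed = parse_hierarchy(hierarchy)
    return {
        "overlaps": find_overlaps(parsed),
        "oversized": oversized_groups(parsed),
        "hosts": {g: sum(table_3_2_row(n.prefixlen)[2] for n in nets)
                  for g, nets in parsed.items()},
    }


if __name__ == "__main__":
    for p in (14, 16, 17, 22, 24, 32):
        print(f"/{p}", *table_3_2_row(p))
    print(check_hierarchy(HIERARCHY))
    # A Guest object inside the Sales block is the kind of mistake to catch.
    print(check_hierarchy(dict(HIERARCHY, Guest=["10.10.8.0/24"]))["overlaps"])
```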
Scheduling Automatic Updates: To schedule automatic updates:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Auto Update icon. The Auto-Update Configuration window appears.
Step 3 In the Update Method list box, select the method you wish to use for updating your files:
Auto Integrate - Integrates the new configuration files with your existing files to...
• Daily - Updates are downloaded every day at 1 am.
• Weekly - Updates are downloaded every Sunday at 1 am.
• Monthly - Updates are downloaded on the first day of every month at 1 am.
Click Save.
Configuring STRM Settings: Using the Administration Console, you can configure the STRM system, database, and sentry settings. To configure STRM system settings:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Security Threat Response Manager icon.
Table 3-3 STRM Settings Parameters (continued)
Coalescing Events: Enables or disables the ability for a sensor device to coalesce (bundle) events. This value applies to all sensor devices. If you wish to alter this value for a specific sensor device, edit the Coalescing Event parameter in that sensor device's configuration.
Table 3-3 STRM Settings Parameters (continued)
Offense Retention Period: Using the drop-down list box, select the period of time you wish to retain offense information. The default is 3 days.
Identity History Retention Period: Using the drop-down list box, select the length of time you wish to store asset profile history records.
Table 3-3 STRM Settings Parameters (continued)
Event Log Hashing: Enables or disables the ability for STRM to store a hash file for every stored event log file. The default is No. Enable it when you may later need to show that stored event logs have not been altered; the hash file is only useful as evidence if whoever can rewrite the log cannot also rewrite the hash.
Hashing Algorithm: You can use a hashing algorithm for database storage and encryption...
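What a per-file hash buys you, and what it does not, is clearer with a small working version. The following is an added example and not STRM's implementation of Event Log Hashing: it writes a sidecar file (in sha256sum format) next to each stored log, streams large files rather than loading them, verifies the log later, and shows that a one-word change to a constructed event log is detected while a missing sidecar is reported as a failure rather than silently passing. The log lines and file names are constructed for the example.

```python
"""Hash sidecars for stored event log files (added example; not STRM code)."""
import hashlib
import hmac
import tempfile
from pathlib import Path

DEFAULT_ALGO = "sha256"  # prefer a collision-resistant algorithm for evidence


def digest_file(path: Path, algo: str = DEFAULT_ALGO) -> str:
    """Stream the file in 1 MiB chunks so large logs need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_bytes(data: bytes, algo: str = DEFAULT_ALGO) -> str:
    return hashlib.new(algo, data).hexdigest()


def sidecar_path(path: Path, algo: str = DEFAULT_ALGO) -> Path:
    return path.with_name(f"{path.name}.{algo}")


def write_sidecar(path: Path, algo: str = DEFAULT_ALGO) -> Path:
    """Record '<hex>  <filename>' beside the log (sha256sum -c compatible)."""
    sidecar = sidecar_path(path, algo)
    sidecar.write_text(f"{digest_file(path, algo)}  {path.name}\n")
    return sidecar


def verify_sidecar(path: Path, algo: str = DEFAULT_ALGO) -> bool:
    """False when the sidecar is missing, malformed, names another file,
    or the recorded digest differs from the file's current digest."""
    sidecar = sidecar_path(path, algo)
    if not sidecar.is_file():
        return False
    fields = sidecar.read_text().split()
    if len(fields) != 2 or fields[1] != path.name:
        return False
    return hmac.compare_digest(fields[0], digest_file(path, algo))


def demo(algo: str = DEFAULT_ALGO) -> dict:
    """Hash a constructed log, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "events.log"
        log.write_bytes(
            b"2008-07-01T10:00:00 src=10.10.5.7 dst=10.10.1.3 action=accept\n"
            b"2008-07-01T10:00:01 src=10.10.5.7 dst=10.10.1.3 action=deny\n"
        )
        write_sidecar(log, algo)
        intact = verify_sidecar(log, algo)
        # An attacker who can edit the stored log rewrites the deny to an accept.
        log.write_bytes(log.read_bytes().replace(b"action=deny", b"action=accept"))
        tampered = verify_sidecar(log, algo)
        missing = verify_sidecar(Path(tmp) / "other.log", algo)
    return {"intact": intact, "tampered_detected": not tampered, "missing_sidecar": missing}


if __name__ == "__main__":
    print(demo())
    print(digest_bytes(b"abc"))
```

Keep the sidecars (or a signed manifest of them) somewhere the account that writes event logs cannot modify, otherwise an attacker who can alter the log simply regenerates the hash. If the Hashing Algorithm setting offers MD5 or SHA-1, bear in mind that neither is collision-resistant any longer; SHA-256 is the safer choice where the hash may be relied on as evidence.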
Table 3-3 STRM Settings Parameters (continued)
Sentry Database Location: Specify the location of the sentry database. The default is /store/sentry/qc_persistentstorage.
SNMP Settings
Enable: Enables or disables SNMP responses in the STRM custom rules engine. The default is No, which means you do not wish to accept events using SNMP.
Configuring System Notifications: You can configure system performance alerts for thresholds using the STRM Administration Console. This section provides information for configuring your system thresholds. To configure system thresholds:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Table 3-4 System Thresholds Parameters (continued)
Kilobytes of memory used: Specify the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel.
Percentage of memory used: Specify the threshold percentage of used memory.
Kilobytes of cache swap: Specify the threshold amount of memory, in kilobytes,...
Table 3-4 System Thresholds Parameters (continued)
Dropped Transmit packets: Specify the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers.
Transmit carrier errors: Specify the threshold number of carrier errors that occur per second while transmitting packets.
Configuring the Console Settings: The STRM Console provides the interface for STRM. The Console provides real-time views, reports, alerts, and in-depth investigation of flows for network traffic and security threats. The Console is also used to manage distributed STRM deployments.
Table 3-5 STRM Console Management Parameters (continued)
ARP - Safe Interfaces: Specify the interface you wish to be excluded from ARP resolution activities. The default is eth0.
Enable 3D graphs in the user interface: Using the drop-down list box, select one of the following:
• Yes - Displays Dashboard graphics in 3-dimensional...
Table 3-5 STRM Console Management Parameters (continued)
Data Export Settings
Include Header in CSV Exports: Specify whether you wish to include a header in a CSV export file.
Maximum Simultaneous Exports: Specify the maximum number of exports you wish to occur at one time.
Step 3 Read the information in the window.
Step 4 Select one of the following options:
• Soft Clean - Closes all offenses in the database.
• Hard Clean - Closes all active SIM data including offenses, targets and...
The SNMP Agent appears.
Configuring Access Settings: The System Configuration tab provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:
• Firewall access. See Configuring Firewall Access.
Step 6 In the Device Access box, you must include every STRM system that needs access to this managed host. The list is an allowlist: only the managed hosts listed will have access, and any Console or managed host you omit is blocked. For example, if you enter one IP address, only that one IP address is granted access to the managed host.
Step 8 Click Apply Access Controls.
Step 9 Wait for the interface to refresh before continuing.
Updating Your Host Set-up: You can use the web-based system administration interface to configure the mail server you wish STRM to use, the global password for STRM configuration, and the IP address for the STRM Console. To configure your host set-up:
Step 1 In the Administration Console, click the System Configuration tab.
Step 5 From the menu, select Managed Host Config > Network Interfaces. The Network Interfaces window appears with a list of each interface on your managed host.
Note: For assistance with determining the appropriate role for each interface, please contact Juniper Networks Customer Support.
Step 6 For each interface listed, select the role you wish to assign to the interface using the Role list box.
Step 7 Click Save Configuration.
Step 8 Wait for the interface to refresh before continuing.
Changing Passwords: To change the passwords:
Step 1 In the Administration Console, click the System Configuration tab.
Updating System Time: You can change the time for the following options:
• System time
• Hardware time
• Time Zone
• Time Server
Note: You must change the system time information on the host operating the Console only.
Step 6 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.
Step 7 In the Time Server box, you must specify the following options:
• Timeserver hostnames or addresses - Specify the time server hostname or...
Configuring Time Settings For Your System: To update the time settings for your system:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears. For the host on which you wish to configure time, click Manage System.
Step 6 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.
Step 7 In the System Time box, you must specify the current date and time you wish to assign to the managed host.
MANAGING BACKUP AND RECOVERY
Using the Administration Console, you can back up and recover configuration information and data for STRM. You can back up and recover the following information for your system:
• License key information
• Sentry configuration
• Rules configuration
• ...
ANAGING ACKUP AND ECOVERY The list of archives includes backup files that exist in the database. If a backup file is deleted, it is removed from the disk and from the database. Also, the entry is removed from this list and an audit event is generated to indicate the removal. If a backup is in progress, a status window appears to indicate the duration of the current backup, which user/process initiated the backup, and provides you with the option to cancel the backup.
Step 3 In the Upload Archive field, click Browse. The File Upload window appears.
Step 4 Select the archive file you wish to upload. Click Open.
Step 5 Click Upload.
Deleting a Backup Archive: To delete a backup archive:
Note: To delete a backup archive file, the backup archive file and the Host Context component must reside on the same system.
Backing Up Your Information: You can back up your configuration information and data using the Backup Recovery Configuration window. You can back up your configuration information manually, and you can back up both your configuration information and your data on a schedule.
Table 4-2 Backup Recovery Configuration Parameters (continued)
Backup Repository Path: Specifies the location where you wish to store your backup file. This path must exist before the backup process is initiated; if it does not exist, the backup process aborts. The default is /store/backup.
Step 6 From the Administration Console menu, select Configurations > Deploy All.
Initiating a Backup: To manually initiate a backup:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
Restoring Your Configuration Information: You can restore configuration information from existing backup archives using the Restore Backup window. Note the following requirements when you are restoring configuration information:
• You can only restore a backup archive created within the same release of...
Step 8 From the Administration Console menu, select Configurations > Deploy All.
Note: The restore process only restores your configuration information. For assistance in restoring your data, contact Q1 Labs Customer Support.
USING THE DEPLOYMENT EDITOR
The deployment editor allows you to manage the individual components of your STRM and SIM deployment. Once you configure your Flow, Event, and System Views, you can access and configure the individual components of each managed host.
About the Deployment Editor: You can access the deployment editor using the STRM Administration Console. You can use the deployment editor to create your deployment, assign connections, and configure each component. The deployment editor provides the following views of your deployment:
• ...
About the Deployment Editor In the System View, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change.
Table 5-1 Deployment Editor Menu Options (continued)
Manage NATed Networks: Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.
Rename component: Renames an existing component. This option is only available when a component is selected.
Table 5-2 Toolbar Options (continued)
Delete: Deletes the selected item from the deployment view. This option is only available when the selected component has a managed host running a compatible version of STRM software.
Add a Managed Host: Opens the Add a Managed Host wizard, which allows you to add a managed host to your deployment.
Note: If you require assistance with the above, please contact Juniper Networks Customer Support.
Editing Deployment Editor Preferences: To edit the deployment editor preferences:
Step 1 From the deployment editor main menu, select File > Edit Preferences. The Deployment Editor Setting window appears.
Adding STRM Components: You can add the following STRM components to your Flow View:
• Flow Collector - Collects data from devices and various live and recorded feeds.
• Flow Processor - Collects and consolidates data from one or more Flow...
Step 3 Enter a unique name for the component you wish to add. The name can be up to 15 characters in length and may include underscores or hyphens. Make sure you record the assigned name, then click Next.
Note: If the message "There are no hosts to which you can assign this component."...
The component appears in your Flow View.
Step 6 Repeat for each component you wish to add to your view.
Step 7 From the menu, select File > Save to staging.
Connecting Components: Once you add all the necessary components to your Flow View, you must connect them together.
Connecting Deployments: You can connect deployments in your network to allow deployments to share flow data. To connect your deployments, you must configure an off-site Flow Processor (target) in your current deployment and the associated off-site Flow Processor in the receiving deployment (source).
Figure 5-1 Example of Connecting Deployments
To connect your deployments:
Step 1 In the deployment editor, click the Flow View tab. The Flow View appears.
Step 2 In the Flow Components panel, select either Add Off-site Source or Add Off-site Target.
Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The flow source/target information window appears.
Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host.
• Encrypt traffic from off-site source - Select the check box if you wish to encrypt traffic from an off-site source. Encryption only takes effect when this check box is selected on both the off-site source and its associated off-site target. For more information regarding encryption, see Managing Your System View.
from STRM and distributes them to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events, and the Event Processor processes them according to the configured rules.
Figure 5-2 Example of SIM Components in your STRM Deployment
To build your Event View, you must:
Step 1 Add SIM components to your view. See Adding Components.
Step 2 Connect the components. See Connecting Components.
Forward normalized events...
Step 3 Enter a unique name for the component you wish to add. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The Assign Component window appears.
Step 4 From the Select a host to assign to list box, select a managed host to which you wish to assign the new component.
Connecting Components: Once you add all the necessary components to your Event View, you must connect them together. The Event View only allows you to connect appropriate components together. For example, you can connect an Event Collector to an Event Processor, but not directly to a Magistrate component.
If you wish to disconnect the off-site source, you must remove the connections from both deployments: from deployment A, remove the off-site target, and in deployment B, remove the off-site source. If you wish to enable encryption between deployments, you must enable encryption on both the off-site source and the off-site target.
Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The event source/target information window appears.
Step 4 Enter values for the parameters:
• ...
Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.
Note: If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.
STRM software running on a managed host. You can only add a managed host to your deployment when the managed host is running a compatible version of STRM software. For more information, contact Juniper Networks Customer Support. You also cannot assign or configure components on a non-Console managed host when its STRM software version is incompatible with the software version the Console is running.
within the deployment. When you enable encryption on a managed host, the SSH tunnel that carries the encrypted traffic is created on the client's host, that is, the host that initiates the connection. For example, if you enable encryption for the Event Collector in the deployment below, the connection between the Event Processor and Classification Engine, as well as the connection between the Event Processor and Magistrate, would be encrypted.
Step 2 Click Next. The Enter the host's IP window appears.
Step 3 Enter values for the parameters:
• Enter the IP of the server or appliance to add - Specify the IP address of the host you wish to add to your System View.
Note: If you wish to enable NAT for a managed host, the NATed network must use static NAT translation. For more information on using NAT, see Using NAT with STRM.
• Enable Encryption - Select the check box if you wish to create an encryption tunnel for the host.
Step 3 Click Next. The attributes window appears.
Step 4 Edit the following values, as necessary:
• Host is NATed - Select the check box if you wish to use existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.
• Enable Encryption - Select the check box if you wish to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window appears.
Using NAT with STRM: Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. Because requests pass through the translation process, NAT hides the internal IP addresses of your deployment from the remote network. It is an addressing mechanism rather than an access control, so it does not replace the firewall rules described in Configuring Firewall Access.
Adding a NATed Network to STRM: To add a NATed network to your STRM deployment:
Step 1 In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.
Step 2 Select the NATed network you wish to edit and click Edit. The Edit NATed Network window appears.
Step 3 Update the name of the network you wish to use for NAT.
Step 4 Click Ok. The Manage NATed Networks window appears.
Changing the NAT Status for a Managed Host: To change the NAT status for a managed host, update the managed host configuration within STRM before you update the device. Doing it in this order prevents the host from becoming unreachable and allows you to deploy changes to that host.
Configuring a Managed Host: To configure a managed host:
Step 1 From the System View, right-click the managed host you wish to configure and select Configure. The Configure host window appears.
Step 2 Enter values for the parameters:
• ...
Step 5 From the Select a host drop-down list box, select the host that you wish to assign to this component. Click Next.
Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM software.
Managing Your System View Enter values for the parameters: Step 5 Table 5-5 Host Context Parameters Parameter Description Disk Usage Sentinal Settings Warning Threshold When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage.
Page 102
Table 5-5 Host Context Parameters (continued)
Recovery Threshold: Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM processes are restarted. The default is 0.90; therefore, processes are not restarted until disk usage is below 90%.
Configuring STRM Components
This section provides information on configuring STRM components and includes:
• Configuring a Flow Collector
• Configuring a Flow Processor
• Configuring a Classification Engine
• Configuring an Update Daemon
• Configuring a Flow Writer
•...
Page 104
Step 3: Enter values for the parameters:
Table 5-6 Flow Collector Parameters
Server Listen Port: The Flow Collector passes data to the next component in the process. Once the link is established, all collected data is passed for further processing.
Page 105
The default is 15 minutes.
Endace DAG Interface Card Configuration: Specify the Endace Network Monitoring Interface card parameters. For more information, see the Qmmunity web site or contact Juniper Networks Customer Support.
STRM Administration Guide
Page 106
Table 5-7 Flow Collector Parameters (continued)
Flow Buffer Size: Specify the amount of memory, in MB, that you wish to reserve for flow storage. The default is 400 MB.
Maximum Number of Flows: Specify the maximum number of flows you wish to send from the Flow Collector to Flow Processors.
Page 107
Some normally occurring network communications generate flows for which there are no responses, such as web requests to a failed web server or to a host that is down. One-sided flows are generally not a high-risk threat and should not apply to superflows.
Page 108
Table 5-8 Flow Processor Parameters (continued)
Flow Collectors: When the Flow Processor starts, it attempts to establish a link with one or more Flow Collectors. If a Flow Collector cannot be reached, the Flow Processor attempts to establish the link periodically until it succeeds.
Page 109
Step 5: Enter values for the parameters:
Table 5-9 Flow Processor Parameters
Create Flow Bundles: Specify one of the following options:
• Yes - Allows the Flow Processor to group flows that have similar properties.
• No - Disables the bundling of flows
•...
Page 110
Table 5-9 Flow Processor Parameters (continued)
Type C Superflows: Specify the threshold for type C superflows, in which one host sends data to another host. A type C superflow is a unidirectional flow that is an aggregate of all non-ICMP flows that have the same protocol, source host, destination host, source bytes, destination bytes, source packets, and destination packets but different source or destination ports.
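The type C aggregation described above, as an added example that is not code from the STRM product or from this guide: it groups constructed, non-ICMP flow records by the seven stated fields and reports a superflow when the number of distinct port pairs in a group reaches a threshold. The Flow record layout, the find_type_c_superflows function, the sample threshold values and the rule that a flow with no reply bytes and no reply packets counts as one-sided (following the guide's note that one-sided flows should not apply to superflows) are assumptions of the example, not STRM settings.

```python
from collections import defaultdict
from dataclasses import dataclass

ICMP = 1  # IP protocol number; type C superflows are built from non-ICMP flows only


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed layout, not STRM's own)."""
    protocol: int
    src_host: str
    dst_host: str
    src_port: int
    dst_port: int
    src_bytes: int
    dst_bytes: int
    src_packets: int
    dst_packets: int


def type_c_key(flow):
    """The fields that must match for flows to aggregate into one type C superflow."""
    return (flow.protocol, flow.src_host, flow.dst_host,
            flow.src_bytes, flow.dst_bytes, flow.src_packets, flow.dst_packets)


def is_one_sided(flow):
    """Assumption: a flow with no reply bytes and no reply packets is one-sided."""
    return flow.dst_bytes == 0 and flow.dst_packets == 0


def find_type_c_superflows(flows, threshold, ignore_one_sided=True):
    """Return {key: summary} for every aggregate reaching `threshold` distinct port pairs.

    The summary records how many flows were folded in and which destination
    ports they touched; many identical-size flows from one host to another,
    each to a different port, is the classic shape of a port scan.
    """
    groups = defaultdict(list)
    for flow in flows:
        if flow.protocol == ICMP:
            continue
        if ignore_one_sided and is_one_sided(flow):
            continue
        groups[type_c_key(flow)].append(flow)

    superflows = {}
    for key, members in groups.items():
        port_pairs = {(f.src_port, f.dst_port) for f in members}
        if len(port_pairs) >= threshold:
            superflows[key] = {
                "flow_count": len(members),
                "dst_ports": sorted({f.dst_port for f in members}),
            }
    return superflows


def build_sample_flows():
    """Constructed sample: eight identical-size probes, two web sessions, one ICMP echo, three probes to a dead host."""
    flows = []
    # Identical-size probes from 10.0.0.5 to 10.0.0.9, each to a different port.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 443, 3389]):
        flows.append(Flow(6, "10.0.0.5", "10.0.0.9", 40000 + i, port, 60, 60, 1, 1))
    # Ordinary web sessions: byte and packet counts differ, so they never aggregate.
    flows.append(Flow(6, "10.0.0.5", "10.0.0.9", 50001, 80, 1200, 5400, 8, 6))
    flows.append(Flow(6, "10.0.0.5", "10.0.0.9", 50002, 80, 900, 15000, 7, 12))
    # ICMP echo: excluded from type C aggregation by definition.
    flows.append(Flow(ICMP, "10.0.0.5", "10.0.0.9", 0, 0, 84, 84, 1, 1))
    # Requests to a host that is down: no reply bytes or packets, so one-sided.
    for i, port in enumerate([80, 443, 8080]):
        flows.append(Flow(6, "10.0.0.5", "10.0.0.77", 41000 + i, port, 180, 0, 3, 0))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for key, summary in find_type_c_superflows(SAMPLE_FLOWS, threshold=5).items():
        proto, src, dst = key[:3]
        print(f"type C superflow: proto {proto} {src} -> {dst}, "
              f"{summary['flow_count']} flows, ports {summary['dst_ports']}")
```

With the sample data and a threshold of 5, only the eight probes to 10.0.0.9 aggregate; the two web sessions differ in size and stay separate, the ICMP echo is skipped, and the three requests to the dead host are dropped as one-sided unless ignore_one_sided is turned off.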
Page 111
Table 5-9 Flow Processor Parameters (continued)
Branch Filtering: By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine.
Page 112
The deployment editor appears.
Step 7: Repeat for all Flow Processors in your deployment you wish to configure.
Configuring a Classification Engine
The Classification Engine receives inputs from one or more Flow Processors, classifies the flows into views and objects, and outputs the resulting database entries and flow logs to the Update Daemon to be stored on disk.
Page 113
Table 5-10 Classification Engine Parameters (continued)
Update Daemon Connections: Specifies the hostname and port of the Update Daemon to which the Classification Engine sends data for storage. This parameter is for information purposes only and cannot be edited.
Page 114
Only the processing information. This requires each involved managed host to have a list of views to process. For assistance, contact Juniper Networks Customer Support.
Branch Filtering: By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine.
Page 115
Step 3: For the Server listen port parameter, specify the Update Daemon listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.
Page 116
Configuring a Flow Writer
Once the Classification Engine has processed the flows for an interval, the Flow Writer stores the flow and asset profile data. You can only have one Flow Writer per host, which must be connected to the Classification Engine.
To configure a Flow Writer:
In either the Flow or System View, select the Flow Writer you wish to configure.
Page 117
Step 6: Click Save. The deployment map appears.
Configuring an Event Collector
The Event Collector collects security events from various types of security devices in your network.
To configure an Event Collector:
Step 1: From either the Event View or System View, select the Event Collector you wish to configure.
Page 118
Step 5: Enter values for the parameters:
Table 5-16 Event Collector Advanced Parameters
Receives Flow Context: Specifies the first Event Collector installed in your deployment. This parameter is for informational purposes only and cannot be edited.
Auto Detection Enabled: Specify if you wish the Event Collector to auto analyze and...
Page 119
Step 3: Enter values for the parameters:
Table 5-17 Event Processor Parameters
Event Processor Server Listen Port: Specify the port that the Event Processor monitors for incoming connections. The default range is from 32000 to 65535.
Page 120
Table 5-18 Event Processor Parameters
Overflow Routing Threshold: Specify the events-per-second threshold that the Event Processor can manage. Events over this threshold are placed in the cache.
Path to Ariel Events: Specify the location where you wish to store events.
Page 121
Step 4: In the toolbar, click Advanced to display the advanced parameters. The advanced configuration parameters appear.
Step 5: For the Overflow Routing Threshold, specify the events-per-second threshold that the Magistrate can manage. Events over this threshold are placed in the cache.
MANAGING FLOW SOURCES
This chapter provides information on managing flow sources in your deployment, including:
• About Flow Sources
• Managing Flow Sources
• Managing Flow Source Aliases
About Flow Sources
STRM allows you to integrate internal and external flow sources:
• Internal flow sources - Includes any additional hardware installed on a...
Page 124
5, 7, and 9. For more information on NetFlow, see www.cisco.com. While NetFlow expands the amount of the network that is monitored, NetFlow has the following limitations:
• NetFlow classifies only application traffic from the TCP port (for example, HTTP on port 80).
reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.
Once you configure an external flow source for sFlow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.
Flowlog File: A file generated from the STRM flow logs.
Managing Flow Sources
For STRM appliances, STRM automatically adds default flow sources for the physical ports on the appliance. STRM also includes a default NetFlow v5 flow source. If you have installed STRM on your own hardware, STRM attempts to automatically detect and add default flow sources for any physical devices (such as a NIC card).
Page 127
Step 4: Enter values for the parameters:
Table 6-1 Add Flow Source
Build from existing flow source: Select the check box if you wish to create this flow source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.
Page 128
If you selected Flowlog File as the Flow Source Type, configure the Source File Path, which is the source path location for the flow log file.
If you selected JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source Type, configure the following:
Table 6-2 External Flow parameters
Parameter...
Page 129
Step 3: Click Edit. The Edit Flow Source window appears.
Step 4: Edit values, as necessary. For more information on values for flow source types, see Adding a Flow Source.
Step 5: Click Save.
Step 6: From the Administration Console menu, select Configurations > Deploy configuration changes.
Deleting a Flow Source
To delete a flow source:
Step 1: In the Administration Console, click the Flow Configuration tab. The Flow Configuration panel appears.
Step 2: Click the Manage Flow Source icon. The Flow Source window appears.
Select the flow source you wish to delete.
Page 131
Managing Flow Source Aliases
The Flow Source Alias Management window appears.
Step 4: Enter values for the parameters:
• IP - Specify the IP address of the flow source alias.
• Name - Specify the name of the flow source alias.
Click Save.
Page 132
Deleting a Flow Source Alias
To delete a flow source alias:
Step 1: In the Administration Console, click the Flow Configuration tab. The Flow Configuration panel appears.
Step 2: Click the Manage Flow Source Aliases icon. The Flow Source Aliases window appears.
Select the flow source alias you wish to delete.
MANAGING SENTRIES
Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. A non-administrative user can create sentries; however, only an administrative user can configure advanced sentries on a system-wide basis.
Page 134
• Sentry - Specifies the network location to which you wish the sentry to apply. The network location component of the sentry can also specify any restrictions that you wish to enforce. The variables in the sentry component have priority over the Package and Logic Unit variables.
Page 135
Editing Sentry Details
• Users - View the available sentries by the user who created the sentry.
Step 5: Select the sentry you wish to view. Table 7-1 provides the details of the Sentry List window:
Table 7-1 Sentry List
Name...
Page 136
Step 6: Update values for the parameters, as necessary:
If you are editing a Security/Policy sentry:
Table 7-2 Edit Security/Policy Sentry
Name: Specify a name for this sentry.
Description: Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry results in an offense being generated.
Page 137
Table 7-2 Edit Security/Policy Sentry (continued)
Options: Select the check box if you wish this event to be included with other events to create an offense. Use the Address to mark as the target drop-down list box to identify whether you wish the destination or source IP address to be used as the target.
Page 138
Table 7-3 Edit Behavior, Anomaly, or Threshold Sentry (continued)
Restrictions: Select the check box for one or more restrictions you wish to enforce for an active sentry, including:
• Date is relevant - Select the check box to indicate that this...
Page 139
Table 7-4 Default Variables (continued)
$$Trend: Specify the weight that you wish to assign to current traffic trends against the calculated behavior. This variable is for behavioral sentries. A higher value places more weight on traffic trends than on the calculated behavior.
Table 7-4 Default Variables (continued)
$$LargeWindow: Specify the period of time over which you wish the system to monitor flows in your network. This gives the system a basis of comparison for traffic over a smaller period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert.
Page 141
Managing Packages
The Package List appears.
Step 5: Click Create New Package. The Create New Package panel appears.
Step 6: Enter values for the parameters:
Table 7-5 Create Sentry Package Parameters
Name: Specify the name of the sentry package.
Description: Specify a description for the sentry package.
Page 142
Table 7-5 Create Sentry Package Parameters (continued)
Components: In the menu tree, select the components you wish this package to monitor. The added components appear under the Selected Components column.
Permissions: Specify the users you wish to be able to use this package.
Categories: For each event, you must select a high-level and low-level event category.
Step 6: Update parameters (see Table 7-5), as necessary.
Step 7: Click Save.
Managing Logic Units
A Logic Unit determines if a violation has occurred and if an alert needs to be generated. A Logic Unit contains the algorithm that a sentry uses to monitor your network for suspicious behavior.
Page 144
Step 6: Enter values for the parameters:
Table 7-6 Create new Logic Unit Parameters
Name: Specify a name for this Logic Unit.
Description: Specify a description for this Logic Unit.
Step 7: Create your own equation in the Equation field using JavaScript code. The entry must include the following format:
var testObj = new CustomFunction( $$Counter,...
Page 145
Table 7-7 JavaScript Functions
thresholdCheck: Monitors policy and threshold objects. By default, this function monitors each object separately. If you wish to test objects as a group, you must add the value set. This function includes:
• components - String of component names from one or more...
Editing a Logic Unit
To edit a Logic Unit:
Step 1: In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2: Click the Sentries icon. The Sentries window appears.
Step 3: From the View By drop-down list box, select Object. The Sentry Objects menu tree appears.
MANAGING VIEWS
You can display network traffic with many different views. A view represents traffic activity on your network for a specific profile. The Local Network View has n levels of depth, specific to your network hierarchy. All views, with the exception of the Network View, have group levels and leaf object levels.
Page 148
Each view is assigned a weight. Configured for traffic alerting purposes, the weight is the numeric value assigned to a flow property. STRM adds the weight value to the sentry flow property weight value and assigns a sequence of ranking events. An alert may be signalled when STRM interprets the combination of the numerical weight values.
Using STRM Views
• Remote Services View - Displays traffic originating from user-defined network ranges or, if desired, the Juniper Networks automatic update server.
• Collector View - Displays traffic seen by each Flow Collector.
• Protocol - Displays traffic originating from protocol usage.
Managing Ports View
Ports Views display traffic originating from identified destination ports. Using the Ports View, you can view traffic by port. This section provides information on managing the Ports View, including:
• Default Ports Views
• Adding a Ports Object
•...
Page 151
Step 4: Enter values for the following parameters:
Table 8-2 Ports - Add New Object Parameters
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the object name.
Page 152
Editing a Ports Object
To edit an existing object:
Step 1: In the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.
Step 2: Click the Ports icon. The Manage Group window appears.
Table 8-3 Manage Group
Name...
Page 153
Step 5: Edit values as necessary. See Table 8-2.
Step 6: Click Save.
Step 7: Click Return.
Step 8: Close the Ports View window.
Step 9: From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Managing Application Views
Application Views display traffic originating from the application server by the client connection and the server connection. Using the Application Views, you can view traffic by application identification. This section provides information on managing Application Views, including:
• Default Application Views
•...
Page 155
Table 8-5 Application Views (continued)
Misc: Specifies identified miscellaneous application traffic, such as Appletalk-IP, Authentication, DHCP, DNS, DNS-Port, ManagementService, Misc-Ports, MiscApp, Network-Config-Ports, RPC, SNMP-Ports, Syslog, and Time.
Multimedia: Specifies traffic originating from multimedia applications, such as WebEx, video frames, or Intellex.
Page 156
Step 4: Enter values for the following parameters:
Table 8-6 Applications - Add New Object Parameters
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Page 157
Step 8: From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Editing an Applications Object
To edit an applications object:
Step 1: In the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.
Page 158
Step 5: Edit values as necessary. See Table 8-6.
Step 6: Click Save.
Step 7: Click Return.
Step 8: Close the Applications View window.
Step 9: From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Managing Remote Networks View
Remote Networks View displays user traffic originating from named remote networks. Using the Remote Networks View, you can view traffic by known remote networks. This section provides information on managing the Remote Networks View, including:
• Default Remote Networks Views
•...
Page 160
Step 4: Enter values for the following parameters:
Table 8-10 Remote Networks - Add New Object Parameters
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Page 161
Editing a Remote Networks Object
To edit an existing Remote Networks object:
Step 1: From the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.
Step 2: Click the Remote Networks icon. The Manage Group window appears.
Step 5: Edit values as necessary. See Table 8-10.
Step 6: Click Save.
Step 7: Click Return.
Step 8: Close the Remote Networks View window.
Step 9: From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Page 163
Managing Remote Services Views
Table 8-13 Remote Services - Manage Group Parameters (continued)
Reserved_IP_Ranges: Specifies traffic originating from reserved IP address ranges.
Spam: Specifies traffic originating from addresses commonly known to produce SPAM or unwanted e-mail.
Spy_Adware: Specifies traffic originating from addresses commonly known to contain spyware or adware.
Page 164
Table 8-14 Remote Services - Add New Object Parameters
Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value.
Page 165
The Manage Group window appears.
Table 8-16 Manage Group
Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Step 9: From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Managing Collector Views
The Collector Views display traffic seen from the Flow Collector and provide the AllCollectors group. This group specifies the traffic originating from all Flow Collectors that reside on your network.
Page 167
Table 8-17 Flow Collector - Add New Object Parameters (continued)
Collector ID: Using the drop-down list box, select the Flow Collector you wish to use as the source.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Page 168
Table 8-19 Manage Group
Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Managing Custom Views
Custom Views uniquely identify specific traffic flows, such as SSH traffic on a non-standard port, or traffic originating from another country. Each Custom View object must be configured with an equation, which creates a set of properties that applies a filter for each network flow.
Page 170
• IFIndex Out
• FlowShape
The objects for the IP Tracking, Threats, Attacker Target Analysis, Target Analysis, and Policy Violations groups depend on the template chosen during the installation process. For more information on the defaults, see:
•...
Page 171
Step 4: Enter values for the following parameters:
Table 8-20 Custom View - Properties for New View: Staging/Globalconfig
Name: Specify a name for the new view.
Description: Specify a description for the new view.
Click Save.
Page 172
Step 8: Enter values for the following parameters:
Table 8-21 Properties Views
Group: Using the drop-down list box, select the group to which you wish to add the object. Click Add Group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value.
Page 173
Step 11: From the Elements panel, select an element and enter the parameter values to configure the element. See Table 8-22. The element is assigned to the selected object. This creates the first instance in the Equation Editor. Select another object from the Objects box and assign an associated element.
Page 174
Table 8-22 Element Options (continued)
Name: Specify the element name.
Protocol: Specify the protocol identification number. You must enter the protocol number and not the name. Click Add.
Note: For a list of default protocol identification numbers, see the STRM Default Application Configuration Guide.
Page 175
Table 8-22 Element Options (continued)
Value: Enter the character that represents the TCP/IP flags element type you wish to add. STRM accepts the following:
A, ACK - (Acknowledge) - The receiver sends an acknowledgement that equals the sender's sequence.
Page 176
Table 8-22 Element Options (continued)
Property: Using the drop-down list box, select the flow property. Options include:
• ClassL2L - Traffic between two local objects on your network.
• ClassL2R - Traffic between one local object and one remote object.
•...
Page 177
Table 8-22 Element Options (continued)
Value: Specify the application identification number. Click Add.
Collector Element Type
Name: Specify the element name.
Property: Using the drop-down list box, select the element property. Options include: CollectorID and CollectorInterface.
Value: Specify the user-defined Flow Collector Identification or Collector Interface name.
Page 178
Table 8-22 Element Options (continued)
Flow Context Property
Name: Specify the element name.
Property: Using the drop-down list box, select the flow context property. Options include: PortIsNew, TargetIsSrc, AttackerIsSrc, TargetIsDst, AttackerIsDst, TargetIsKnownLocal, AttackerIsKnownLocal, TargetIsLocal, AttackerIsLocal, TargetPort, AttackerPort, BeforeEvent, and AfterEvent.
Page 179
Step 5: Edit the necessary parameters. See Table 8-22.
Step 6: Click Save.
Step 7: Click Return.
Step 8: Close the Custom View window.
Step 9: From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Editing the Operators
You can edit the operators as they appear in the Drop Area of the Equation Editor. You can access the following using the right mouse button (right-click) on each operator:
• And Operator - To change the default AND operator to OR, use the right mouse button (right-click) on the operator and select OR from the menu.
Page 181
Enabling and Disabling Views
Step 3: Using the drop-down list box, select one of the following for each view:
Table 8-23 View Management
Enabled: Using the drop-down list box, select Enabled to enable this view. This enables the Classification Engine, data collection, data storage, and graphing capabilities, and enables access from the interface.
Table 8-23 View Management (continued)
Disabled: Using the drop-down list box, select Disabled to disable the view. This disables the Classification Engine, data collection, data storage, and graphing capabilities, and removes the view from the interface. To enable access from the interface, select Enabled.
Note: Selecting the Disabled mode can save processing power on your system.
CONFIGURING RULES
Rules match events or offenses by performing a series of tests. If all the conditions of a test are true, the rule generates a response. Building blocks are rules without a response. Responses to a rule include:
• Creation of an offense.
•...
You can configure the following rule types:
• Event Rule - An event rule performs tests on events as they are processed in real time by the Event Processor. You can create an event rule to detect a single event (within certain properties) or event sequences. For example, if you wish to monitor your network for invalid login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule.
Page 185
Enabling/Disabling Rules
The list of deployed rules appears.
Step 4: Select the rule you wish to view. In the Rule and Notes fields, descriptive information appears.
The default rules that appear depend on the template chosen during the installation process. For more information on the defaults, see:
Enterprise Template - See Appendix B Enterprise Template Defaults.
Page 186
Step 3: Choose one of the following options:
From the Actions drop-down list box, select New Event Rule to configure a rule for events.
From the Actions drop-down list box, click New Offense Rule to configure a rule for offenses.
The Custom Rule wizard appears.
Creating a Rule
The Rules Test Stack Editor window appears.
Step 5: To add a test to a rule: In the Test Group drop-down list box, select the type of test you wish to apply to this rule. The resulting list of tests appears. For information on tests, see Event Rule Tests or Offense Rule Tests.
Page 188
Enter the name you wish to assign to this building block. Click Save.
Step 8: To assign multi-event or multi-offense functions to the rule, select Functions from the Test Group drop-down list box and configure the function. The functions include:
Table 9-1 Functions Group
Test, Description...
Page 189
Table 9-1 Functions Group (continued)
Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to...
Default Test Name: when all of these rules, in order, from these...
Parameters: Configure the following parameters:
• rules - Specify the rules you...
Page 190
Table 9-1 Functions Group (continued)
Test: Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to...
Default Test Name: when at least this number of these...
Parameters: Configure the following parameters:
• this number - Specify the number...
Page 191
Table 9-1 Functions Group (continued)
Test: Multi-Event Counter Function
Description: Allows you to test the number of events from configured conditions, such as, source IP...
Default Test Name: when a(n) IP address/Port/QID/Event/Device/Category...
Parameters: Configure the following parameters:
• IP address/Port/QID/Event/Device/Category - Specify the...
Page 192
Table 9-1 Functions Group (continued)
Test: Multi-Rule Function
Description: You can also use building blocks or existing rules to...
Default Test Name: when all of these rules, in order, with...
Parameters: Configure the following parameters:
• rules - Specify the rules you wish...
Page 193
Table 9-1 Functions Group (continued)
Test: Multi-Rule Function
Description: You can also use building blocks or existing rules to...
Default Test Name: when at least this number of these...
Parameters: Configure the following parameters:
• this number - Specify the number...
Page 194
Table 9-1 Functions Group (continued)
Test: Multi-Rule Function
Description: You can also use building blocks or existing rules to...
Default Test Name: when any of these rules with the same IP...
Parameters: Configure the following parameters:
• rules - Specify the rules you wish...
Page 195
Step 9: In the groups area, select the check box(es) of the groups to which you wish to assign this rule. For more information on grouping rules, see Grouping Rules. In the Notes field, enter any notes you wish to include for this rule.
Step 10: Click Next. The Rule Responses window appears, which allows you to configure the action STRM takes when the event sequence is detected.
Page 196
Table 9-3 Event Rule Response Parameters (continued)
Dispatch New Event: Select the check box to dispatch a new event in addition to the original event; the new event is processed like all other events in the system. The Dispatch New Event parameters appear when you select the check box.
Page 197
Table 9-3 Event Rule Response Parameters (continued)
Ensure the dispatched event is part of an offense: Select the check box if you wish, as a result of this rule, the event to be forwarded to the Magistrate component.
Page 198
Select the check box to send an SNMP trap. For an event rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, QRADAR...
Page 199
Table 9-4 Offense Rule Response Parameters (continued)
Parameter: Offense Name
Description: Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you wish the Event Name information to contribute to the name of the offense(s).
Page 200
Select the check box to send an SNMP trap. For an offense rule, the SNMP trap output includes the system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble: "Wed Sep 28 12:20:57 GMT 2005, QRADAR...
Page 201
Step 13: Review the configured rule. Click Finish.
Page 202
Event Rule Tests
This section provides information on the tests you can apply to the rules, including:
• Network Property Tests
• Event Property Tests
• IP/Port Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
Network Property Tests
The network property test group includes:
Table 9-5 Network Property Tests ...
Page 203
Table 9-6 Event Property Tests
Test: Local Network Object
Description: Valid when the event occurs in the specified network.
Default Test Name: when the local network is one of the following networks
Parameters:
• one of the following - Specify the areas of the network to which you wish this test to apply.
Page 204
Table 9-6 Event Property Tests (continued)
Test: Credibility
Description: Valid when the event credibility is greater than, ...
Default Test Name: when the event credibility is greater than 5
Parameters: Configure the following parameters:
• greater than - Specify whether the ...
Page 205
Table 9-6 Event Property Tests (continued)
Test: False Positive Tuning
Description: When you tune false positive events in the Event Viewer, the resulting tuning ...
Default Test Name: when the false positive signature matches one of the following signatures
Parameters:
• signatures - Specify the false positive signature you wish this test to ...
Page 206
Table 9-7 IP / Port Test Group (continued)
Test: Remote Port
Description: Valid when the remote port of the event is one of the ...
Default Test Name: when the remote port is one of the following ports
Parameters:
• ports - Specify the ports you wish this test to consider.
Page 207
Table 9-8 Host Profile Tests (continued)
Test: Host Existence
Description: Valid when the local source or destination host is known to exist ...
Default Test Name: when the local source host exists
Parameters: Configure the following parameters:
• either source - Specify if you wish this ...
Page 208
Table 9-8 Host Profile Tests (continued)
Test: Host Vulnerability
Description: Valid when the local source or destination host vulnerability risk ...
Default Test Name: when the local destination host ...
Parameters: Configure the following parameters:
• destination - Specify if you wish ...
Page 209
Table 9-8 Host Profile Tests (continued)
Test: Target Threat
Description: Threat under is the value applied to the threat a network is under ...
Default Test Name: when the amount of threat the target is ...
Parameters: Configure the following parameters:
• greater than - Specify if you wish ...
Page 210
Date/Time Tests
The date and time tests include:
Table 9-9 Date/Time Tests
Test: Event Day
Description: Valid when the event occurs on the configured day of the ...
Default Test Name: when the event(s) occur on the selected ...
Parameters: Configure the following parameters:
• on - Specify if you wish this test ...
Offense Rule Tests
This section provides information on the tests you can apply to the rules, including:
• IP/Port Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
• Offense Property Tests
IP/Port Tests
The IP/Port tests include:
Table 9-11 IP / Port Test Group
Test Description ...
Page 212
Host Profile Tests
The host profile tests include:
Table 9-12 Host Profile Tests
Test: Attacker Threat Level
Description: Threat Posing is the calculated value for this ...
Default Test Name: when the amount of threat the attacker is ...
Parameters: Configure the following parameters:
• greater than - Specify if you wish ...
Page 213
Date/Time Tests
The date and time tests include:
Table 9-13 Date/Time Tests
Test: Event Day
Description: Valid when the offense occurs on the configured day ...
Default Test Name: when the offense(s) occur on the selected ...
Parameters: Configure the following parameters:
• on - Specify if you wish this rule ...
Page 214
Offense Property Tests
The offense property tests include:
Table 9-15 Offense Property Tests
Test: Network Object
Description: Valid when the networks affected are any or all of the ...
Default Test Name: when the networks affected are any of one of ...
Parameters: Configure the following parameters:
• any - Specify if you wish this test ...
Page 215
Table 9-15 Offense Property Tests (continued)
Test: Attack Context
Description: Attack Context is the relationship between the attacker and target.
Default Test Name: when the attack context is this context
Parameters:
• this context - Specify the context you wish this test to consider.
Table 9-15 Offense Property Tests (continued)
Test: Target Count in an Offense
Description: Valid when the number of targets for an offense is greater ...
Default Test Name: when the number of targets under attack is greater than ...
Parameters: Configure the following parameters:
• greater than - Specify if you wish ...
Grouping Rules
You can group and view your rules and building blocks based on your chosen criteria. Categorizing rules or building blocks into groups allows you to view and track them efficiently; for example, you can view all rules related to compliance.
Page 218
Step 4: From the menu tree, select the group under which you wish to create a new group.
Note: Once you create the group, you can drag and drop menu tree items to change the organization of the tree items.
Click New Group.
Page 219
Editing a Group
To edit a group:
Step 1: Click the Offense Manager tab. The Offense Manager interface appears.
Step 2: In the navigation menu, click Rules.
Step 3: Click Groups. The Group window appears.
Step 4: From the menu tree, select the group you wish to edit.
Step 5: Click Edit.
Page 220
Step 3: Click Groups. The Group window appears.
Step 4: From the menu tree, select the rule or building block you wish to copy to another group.
Step 5: Click Copy. The Choose Group window appears.
Step 6: Select the check box for the group(s) to which you wish to copy the rule or building block.
Editing Building Blocks
Deleting an Item from a Group
To delete a rule or building block from a group:
Note: Deleting a group removes this rule or building block from the Rules interface. Deleting an item from a group does not delete the rule or building block from the Rules interface.
Page 222
To edit a building block:
Step 1: Select the Offense Manager tab. The Offense Manager window appears.
Step 2: In the navigation menu, click Rules. The rules window appears.
Step 3: In the Display drop-down list box, select Building Blocks. The Building Blocks appear.
DISCOVERING SERVERS
The Server Discovery function uses STRM's Asset Profile database to discover different server types based on port definitions, then allows you to select which servers should be added to a server-type building block. This feature makes the discovery and tuning process simpler and faster by providing a quick mechanism to insert servers into building blocks.
Page 226
Step 7: In the Matching Servers table, select the check box(es) of all servers you wish to assign to the server role.
Note: If you wish to modify the search criteria, click either Edit Port or Edit Definition. The Rules Wizard appears. For more information on the Rules Wizard, see Chapter 9 Configuring Rules.
FORWARDING SYSLOG
STRM allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM normalized event data. You can forward data on a per Event Collector/Event Processor basis, and you can configure multiple forwarding destinations.
Page 228
Step 4: Enter values for the parameters:
• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you wish to forward log data.
• IP - Enter the IP address of the system to which you wish to forward log data.
...
Page 229
Delete a Syslog Destination
To delete a syslog forwarding destination:
Step 1: In the Administration Console, click the SIM Configuration tab. The SIM Configuration panel appears.
Step 2: Click the Syslog Forwarding Destinations icon. The Syslog Forwarding Destinations window appears.
Step 3: Select the entry you wish to delete.
JUNIPER NETWORKS MIB
This appendix provides information on the Juniper Networks Management Information Base (MIB). The Juniper Networks MIB allows you to send SNMP traps to other network management systems. The Juniper Networks OID is 1.3.6.1.4.1.20212.
Note: STRM does not support outbound SNMP traps.
Page 232
    CONTACT-INFO
        "Juniper Technical Assistance Center
         Juniper Networks, Inc.
         1194 N. Mathilda Avenue
         Sunnyvale, CA 94089
         E-mail: support@juniper.net"
    DESCRIPTION
        "Security Threat Response Manager trap definitions for STRM"
    ::= { jnxStrm 1 }

strmTrap OBJECT IDENTIFIER ::= { jnxStrm 0 }

--- Variables within the STRM Trap Info --- .2636.7.1.*
...
Page 233
    ::= { strmTrapInfo 3 }

--- Offense Properties
strmOffenseID OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Offense ID"
    ::= { strmTrapInfo 4 }

strmOffenseDescription OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..1024))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Description of the Offense"
    ::= { strmTrapInfo 6 }

strmOffenseLink OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..1024))
    MAX-ACCESS  accessible-for-notify
...
Page 236
--- Target Properties
strmTargetIP OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Target IP"
    ::= { strmTrapInfo 18 }

strmTargetUserName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..64))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Target's User Name"
    ::= { strmTrapInfo 19 }

strmTargetCount OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  accessible-for-notify
    STATUS      current
...
Page 237
strmTop5TargetUsernames OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..1024))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Top 5 Target Usernames by Magnitude"
    ::= { strmTrapInfo 50 }

strmTopTargetUsername OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..32))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Top Target"
    ::= { strmTrapInfo 51 }

strmTargetNetworks OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..1024))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
...
Page 238
strmTopCategory OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..64))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Top Category"
    ::= { strmTrapInfo 26 }

strmCategoryID OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Category ID of Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 27 }

strmCategory OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..64))
    MAX-ACCESS  accessible-for-notify
...
Page 239
    ::= { strmTrapInfo 30 }

--- Rule Properties
strmRuleCount OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Total Number of Rules contained in the Offense"
    ::= { strmTrapInfo 31 }

strmRuleNames OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..1024))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Names of the Rules that contributed to the Offense (comma separated)"
...
Page 240
    DESCRIPTION "Description/Notes of the Rule that was triggered in the CRE"
    ::= { strmTrapInfo 35 }

--- Event Properties
strmEventCount OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Total Number of Events contained in the Offense"
    ::= { strmTrapInfo 36 }

strmEventID OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  accessible-for-notify
...
Page 241
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Description/Notes of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 40 }

--- IP Properties
strmSourceIP OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Source IP of the Event that triggered the Event CRE Rule"
...
Page 242
    ::= { strmTrapInfo 44 }

strmProtocol OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Protocol of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 45 }

strmAttackerPort OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"
...
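The receiving side of the traps defined above, as an added example that is not part of the guide or of the MIB: a decoder that names the strmTrapInfo varbinds whose definitions are visible on this page and enforces their declared SYNTAX (Counter64 and Integer32 ranges, a 4-octet IpAddress, the DisplayString SIZE limits). The OID prefix is an assumption taken from the ".2636.7.1.*" comment in the MIB excerpt and must be replaced with whatever your STRM actually emits; the varbind list is constructed. Traps typically arrive over unauthenticated UDP, so a receiver that acts on fields such as strmOffenseID or strmOffenseLink should validate them against the MIB rather than trust them.

```python
import ipaddress
from typing import Any, Dict, Iterable, Optional, Tuple

# Objects under strmTrapInfo whose ::= clause is visible in the MIB excerpt above:
# sub-identifier -> (name, SYNTAX, DisplayString SIZE limit or None).
STRM_TRAP_INFO: Dict[int, Tuple[str, str, Optional[int]]] = {
    4: ("strmOffenseID", "Counter64", None),
    6: ("strmOffenseDescription", "DisplayString", 1024),
    18: ("strmTargetIP", "IpAddress", None),
    19: ("strmTargetUserName", "DisplayString", 64),
    26: ("strmTopCategory", "DisplayString", 64),
    27: ("strmCategoryID", "Integer32", None),
    31: ("strmRuleCount", "Integer32", None),
    36: ("strmEventCount", "Counter64", None),
    45: ("strmProtocol", "Integer32", None),
    50: ("strmTop5TargetUsernames", "DisplayString", 1024),
    51: ("strmTopTargetUsername", "DisplayString", 32),
}

# ASSUMPTION: the excerpt only shows ".2636.7.1.*" for the trap-info subtree, so the
# full prefix is a guess; pass the prefix your STRM emits.
DEFAULT_PREFIX = "1.3.6.1.4.1.2636.7.1"


def coerce(value: Any, syntax: str, max_len: Optional[int]) -> Any:
    """Convert one varbind value to a Python type, enforcing the MIB's range or SIZE."""
    if syntax in ("Counter64", "Integer32"):
        n = int(value)
        lo, hi = (0, 2 ** 64 - 1) if syntax == "Counter64" else (-2 ** 31, 2 ** 31 - 1)
        if not lo <= n <= hi:
            raise ValueError(f"{syntax} value out of range: {n}")
        return n
    if syntax == "IpAddress":
        # SNMP IpAddress is 4 raw octets; dotted text is accepted for convenience.
        if isinstance(value, (bytes, bytearray)):
            if len(value) != 4:
                raise ValueError("IpAddress must be exactly 4 octets")
            return str(ipaddress.IPv4Address(bytes(value)))
        return str(ipaddress.IPv4Address(value))
    # DisplayString: NVT ASCII, bounded by SIZE(0..n) in the MIB.
    text = value.decode("ascii", "replace") if isinstance(value, (bytes, bytearray)) else str(value)
    if max_len is not None and len(text) > max_len:
        raise ValueError(f"DisplayString exceeds SIZE({max_len})")
    return text


def decode_strm_trap(varbinds: Iterable[Tuple[str, Any]],
                     prefix: str = DEFAULT_PREFIX) -> Dict[str, Any]:
    """Name and type-check the varbinds of one STRM trap.

    Varbinds outside `prefix` (sysUpTime, snmpTrapOID, ...) are skipped; sub-identifiers
    the excerpt does not define are kept as 'strmTrapInfo.<n>' with their raw value.
    """
    fields: Dict[str, Any] = {}
    for oid, value in varbinds:
        if not oid.startswith(prefix + "."):
            continue
        sub = int(oid[len(prefix) + 1:].split(".")[0])  # drops the trailing .0 instance
        if sub in STRM_TRAP_INFO:
            name, syntax, max_len = STRM_TRAP_INFO[sub]
            fields[name] = coerce(value, syntax, max_len)
        else:
            fields[f"strmTrapInfo.{sub}"] = value
    return fields


def is_well_formed(varbinds: Iterable[Tuple[str, Any]], prefix: str = DEFAULT_PREFIX) -> bool:
    """True when every known varbind satisfies its declared syntax; reject rather than guess."""
    try:
        decode_strm_trap(varbinds, prefix)
        return True
    except ValueError:  # ipaddress.AddressValueError is a ValueError
        return False


# Constructed varbind list (not a real STRM capture), as a trap receiver would see it.
SAMPLE_VARBINDS = [
    ("1.3.6.1.2.1.1.3.0", 123456),                              # sysUpTime, ignored
    (DEFAULT_PREFIX + ".4.0", 300),                              # strmOffenseID
    (DEFAULT_PREFIX + ".6.0", b"Local LDAP Server Scanner"),     # strmOffenseDescription
    (DEFAULT_PREFIX + ".18.0", b"\xc0\xa8\x01\x0a"),             # strmTargetIP = 192.168.1.10
    (DEFAULT_PREFIX + ".27.0", 1001),                            # strmCategoryID
    (DEFAULT_PREFIX + ".31.0", 2),                               # strmRuleCount
    (DEFAULT_PREFIX + ".45.0", 6),                               # strmProtocol (TCP)
    (DEFAULT_PREFIX + ".99.0", b"unknown"),                      # not defined in the excerpt
]

if __name__ == "__main__":
    for name, value in decode_strm_trap(SAMPLE_VARBINDS).items():
        print(f"{name:24} {value!r}")
```

With a real trap library the varbinds arrive as typed objects; the conversion step stays the same, and is_well_formed is the gate before any automation (ticketing, blocking) consumes the offense fields.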
ENTERPRISE TEMPLATE DEFAULTS
The Enterprise template includes settings with emphasis on internal network activities. This appendix provides the defaults for the Enterprise template, including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks
Default Sentries
The default sentries for the Enterprise template include:
Table B-1 Default Sentries
Sentry ...
Table B-1 Default Sentries (continued)
Sentry: Suspicious - Internal - Inbound Unidirectional Flows Threshold
Description: Detects an excessive rate (more than 1000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration.
Page 247
Table B-1 Default Sentries (continued)
Sentry: DoS - Internal - Distributed DoS Attack (Low Number of Hosts)
Description: Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
Page 248
Table B-1 Default Sentries (continued)
Sentry: Policy - External - Hidden FTP Server
Description: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Page 249
Table B-1 Default Sentries (continued)
Sentry: Policy - External - SSH or Telnet Detected on Non-Standard Ports
Description: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23, respectively. Detecting SSH/Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Page 250
Table B-1 Default Sentries (continued)
Sentry: Recon - External - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Page 251
Table B-1 Default Sentries (continued)
Sentry: Recon - Internal - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Page 252
Table B-1 Default Sentries (continued)
Sentry: Suspicious - External - Unidirectional ICMP Responses Detected
Description: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues.
Default Custom Views
Table B-1 Default Sentries (continued)
Sentry: Suspicious - Internal - Unidirectional TCP Flows
Description: Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. Such flows may be normal for some hosts; however, client workstations and other devices should not be seen emitting large quantities of them, so they should be considered suspicious.
Threats Group
Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps, including:
Table B-3 Custom Views - Threats View
Group: Exceptions
Objects: This group includes:
• Network_Management_Hosts - Defines network management servers or other systems responsible for traffic on your network that would otherwise look like reconnaissance or attacks, such as SNMP, large numbers of ICMP requests, or vulnerability assessment (VA) scanners.
Page 255
Table B-3 Custom Views - Threats View (continued)
Group: Scanning
Objects: This scanning group includes:
• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
...
Page 256
Table B-3 Custom Views - Threats View (continued)
Group: Suspicious_IP_Protocol_Usage
Objects: This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
• ...
Table B-3 Custom Views - Threats View (continued)
Group: Remote_Access_Violation
Objects: This group includes:
• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application.
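The default sentries in Table B-1 and the Threats view objects above are threshold detections over flow records. As an added example (not STRM's sentry engine or any code from the guide), the following Python applies three of them to constructed flows: FTP, SSH or Telnet classified by application but seen on a port other than 21, 22 or 23 (the Hidden FTP Server and SSH or Telnet on Non-Standard Ports sentries, and the Hidden_Telnet_SSH object); the Scanning Activity thresholds of 100,000, 5,000 and 500 distinct hosts per minute; and the Unidirectional TCP Flows count (at least 15 for internal hosts in this template). The flow field names, the one-minute bucketing and the sample flows are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    time: datetime
    src: str
    dst: str
    dst_port: int
    app: str              # application label assigned by the flow classifier, e.g. "SSH"
    unidirectional: bool  # True when the destination never responded


# Well-known server ports named in the sentry descriptions: FTP 21, SSH 22, Telnet 23.
STANDARD_PORTS: Dict[str, Set[int]] = {"FTP": {21}, "SSH": {22}, "Telnet": {23}}

# Hosts-per-minute thresholds from the Scanning Activity sentries / ICMPScan objects.
SCAN_THRESHOLDS = [("High", 100_000), ("Medium", 5_000), ("Low", 500)]


def hidden_services(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Hidden FTP Server / SSH or Telnet on Non-Standard Ports: the classifier says
    FTP, SSH or Telnet but the destination port is not the default for that service."""
    return [(f.src, f.dst, f.dst_port, f.app) for f in flows
            if f.app in STANDARD_PORTS and f.dst_port not in STANDARD_PORTS[f.app]]


def peak_hosts_per_minute(flows: List[Flow]) -> Dict[str, int]:
    """For each source, the largest number of distinct destinations in any one-minute bucket."""
    buckets: Dict[Tuple[str, datetime], Set[str]] = defaultdict(set)
    for f in flows:
        buckets[(f.src, f.time.replace(second=0, microsecond=0))].add(f.dst)
    peak: Dict[str, int] = {}
    for (src, _), dsts in buckets.items():
        peak[src] = max(peak.get(src, 0), len(dsts))
    return peak


def scan_level(hosts_per_minute: int) -> Optional[str]:
    """Scanning Activity (High/Medium/Low) classification; None below the Low threshold."""
    for level, threshold in SCAN_THRESHOLDS:
        if hosts_per_minute >= threshold:
            return level
    return None


def scanners(flows: List[Flow]) -> Dict[str, str]:
    """Sources whose peak rate reaches at least the Low scanning threshold, with the level."""
    result: Dict[str, str] = {}
    for src, rate in peak_hosts_per_minute(flows).items():
        level = scan_level(rate)
        if level:
            result[src] = level
    return result


def unidirectional_offenders(flows: List[Flow], threshold: int) -> Set[str]:
    """Unidirectional TCP Flows: sources emitting at least `threshold` unanswered flows."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.unidirectional:
            counts[f.src] += 1
    return {src for src, n in counts.items() if n >= threshold}


# Constructed flows (not a real capture).
T0 = datetime(2008, 9, 28, 12, 20, 0)
SAMPLE: List[Flow] = [
    Flow(T0, "10.0.0.5", "203.0.113.7", 2222, "SSH", False),  # SSH on a non-standard port
    Flow(T0, "10.0.0.5", "203.0.113.7", 22, "SSH", False),    # ordinary SSH
    Flow(T0, "10.0.0.8", "10.0.0.20", 21, "FTP", False),      # ordinary FTP
    Flow(T0, "10.0.0.8", "10.0.0.21", 2121, "FTP", False),    # hidden FTP server
]
# One host probing 600 distinct addresses within a single minute, none of which answer.
SAMPLE += [
    Flow(T0 + timedelta(seconds=i % 60), "10.0.0.77", f"10.1.{i // 256}.{i % 256}", 0, "ICMP", True)
    for i in range(600)
]

if __name__ == "__main__":
    print("hidden services:", hidden_services(SAMPLE))
    print("scanners:", scanners(SAMPLE))
    print("unidirectional offenders (>=15):", unidirectional_offenders(SAMPLE, 15))
```

The Exceptions group in Table B-3 exists precisely because the scanning and unidirectional checks fire on legitimate network-management and VA-scanner hosts; in practice the source sets for those two checks are filtered by that object before an offense is raised.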
Table B-4 Custom Views - AttackerTargetAnalysis (continued)
Group: PeripheralCommsAnalysis
Objects: This group includes:
• Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host.
Table B-5 Custom Views - TargetAnalysis (continued)
Group: PeripheralCommsAnalysis
Objects: This group includes:
• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has, intentionally or inadvertently, crashed the service running on this host.
Table B-6 Custom Views - PolicyViolations (continued)
Group: Remote_Access_Policy_Violation
Objects: Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers using any of the following access technologies: Citrix, PCAnywhere, SSH, Telnet, or VNC.
Group: P2P_Policy_Violation
Objects: This group includes: ...
Table B-7 Custom Views - QoS View
QoS Group | Group Objects
NetworkControl | Specifies QoS values related to link layer and routing protocols.
IPRoutingControl | Specifies QoS values used by IP routing protocols.
Expedited | Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Default Rules
Default rules for the Enterprise template include:
Table B-9 Default Rules
Rule | Rule Group | Type | Enabled | Description
Default-Response-E-mail: Offense E-mail Sender | Response | Offense | False | Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address.
Page 263
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Anomaly: Rate Analysis Marked Events | Anomaly | Event | False | Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior.
Page 264
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Botnet: Potential Botnet Connection (DNS) | Botnet, Exploit | Event | False | Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
Page 265
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Database: Multiple Database Failures Followed by Success | Compliance, Database | Event | True | Reports when there are multiple database failures followed by a success within a short period of time.
Default-Rule-Database: ... | Compliance, ...
Page 266
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Exploit: Attacker Vulnerable to this Exploit | Exploit | Event | False | Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.
Page 267
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-False Positive: False Positive Rules and Building Blocks | False Positive | Event | True | Reports events that include false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events.
Page 268
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Policy: New Host Discovered in DMZ | Authentication, Compliance | Event | False | Reports when a new host has been discovered in the DMZ.
Default-Rule-Policy: New Service Discovered | Policy | Event | False | Reports when an existing host has a newly discovered service.
Page 269
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Recon: Local LDAP Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Page 270
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Recon: Local Proxy Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Page 271
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Recon: Local Windows Server Scanner | Recon | Event | True | Reports on events that are detected by the system and when the attack context is Local-to-Local (L2L).
Default-Rule-Recon: ... | Recon | Event | False | Adds an additional event into the event stream ...
Page 272
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Recon: Remote P2P Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: ... | Recon | Event | ...
Page 273
Table B-9 Default Rules (continued)
Rule | Rule Group | Type | Enabled | Description
Default-Rule-Recon: Single Merged Recon Events | Recon | Event | True | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.
Default Building Blocks
Default building blocks for the Enterprise template include:
Table B-10 Default Building Blocks
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-CategoryDefinition: Authentication ... | Category Definitions, ... | Event | Edit this BB to include all events that indicate an unsuccessful ... |
Page 275
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-CategoryDefinition: Firewall System Errors | Category Definitions | Event | Edit this BB to include all events that may indicate a firewall system error. |
Page 276
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-CategoryDefinition: Rate Analysis Marked Events | Category Definitions | Event | STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. |
Page 277
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-CategoryDefinition: Windows Compliance Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that indicate compliance events. |
Default-BB-CategoryDefinition: ... | Category Definitions | Event | Edit this BB to define worm events. |
Page 278
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-FalsePositive: Database Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from database servers that are ... | Default-BB-HostDefinition: Database Servers
Page 279
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-FalsePositive: FTP False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the ... | Default-BB-HostDefinition: FTP Servers
Page 280
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-FalsePositive: Proxy Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: ... | Default-BB-HostDefinition: Proxy Servers
Page 281
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-FalsePositive: Syslog Sender False Positive Events | False Positive | Event | Edit this BB to define all false positive events that occur to or from syslog sources or ... | Default-BB-HostDefinition: Syslog Servers and ...
Page 282
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-HostDefinition: DNS Servers | Host Definitions | Event | Edit this BB to define typical DNS servers. | Default-BB-FalsePositive: DNS Server False Positive Categories; Default-BB-FalsePositive: DNS Server False ...
Page 283
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-HostDefinition: SNMP Sender or Receiver | Host Definitions | Event | Edit this BB to define SNMP senders or receivers. | Default-BB-PortDefinition: SNMP Ports
Default-BB-HostDefinition: ... | Host Definitions | Event | Edit this BB to define typical SSH ... |
Page 284
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-NetworkDefinition: Client Networks | Network Definition | Event | Edit this BB to include all networks that include client hosts. |
Default-BB-NetworkDefinition: Honeypot like ... | Network Definition | Event | Edit this BB by replacing the other network with network objects ... |
Page 285
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-PortDefinition: IM Ports | Compliance, Port\Protocol Definition | Event | Edit this BB to include all common IM ports. |
Default-BB-PortDefinition: IRC Ports | Port\Protocol Definition | Event | Edit this BB to include all common IRC ports. |
Page 286
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-ReconDetected: All Recon Rules | Recon | Event | Defines all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed. |
Page 287
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
User-BB-FalsePositive: User Defined Server Type ... False Positive ... | User Tuning | Event | Edit this BB to include any categories you wish to consider false positives for hosts defined in ... | User-BB-HostDefinition: User Defined Server Type 2
Page 288
Table B-10 Default Building Blocks (continued)
Building Block | Block Group | Type | Description | Associated Building Blocks, if applicable
User-BB-HostDefinition: User Defined Server Type 2 | User Tuning | Event | Edit this BB to include the IP address of your custom server type. | User-BB-FalsePositives: User Defined Server Type ...
UNIVERSITY TEMPLATE DEFAULTS
The University template includes settings with emphasis on internal network activities. This appendix provides the defaults for the University template, including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks
Default Sentries
The default sentries for the University template include:
Table C-1 Default Sentries
Sentry ...
Table C-1 Default Sentries (continued)
Sentry: DoS - External - Distributed DoS Attack (Low Number of Hosts)
Description: Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
Page 291
Table C-1 Default Sentries (continued)
Sentry: DoS - Internal - Flood Attack (Medium)
Description: Detects flood attacks above 5000 packets per second. This activity typically indicates a serious attack.
Sentry: DoS - Internal - Flood Attack (Low)
Description: Detects flood attacks above 500 packets per second. This activity may indicate an attack.
Page 292
Table C-1 Default Sentries (continued)
Sentry: Policy - External - IM/Chat
Description: Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of flows in which this activity must occur before an event is generated is 20.
Page 293
Table C-1 Default Sentries (continued)
Sentry: Policy - External - Usenet Usage
Description: Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.
Sentry: Policy - External - VNC Access From the Internet to a ...
Description: Detects VNC (a remote desktop access application) ...
Page 294
Table C-1 Default Sentries (continued)
Sentry: Recon - External - Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network.
Page 295
Table C-1 Default Sentries (continued)
Sentry: Recon - Internal - Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network.
Page 296
Table C-1 Default Sentries (continued)
Sentry: Suspicious - External - Unidirectional TCP Flows
Description: Detects flows that indicate a host is sending an excessive quantity (at least 40) of unidirectional flows. Such flows may be normal for some hosts; however, client workstations and other devices should not be seen emitting large quantities of them, so they should be considered suspicious.
Default Custom Views Table C-1 Default Sentries (continued) Sentry Description Excessive Unidirectional Detects an excessive number of UDP, non-TCP, or UDP or Misc Flows ICMP from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 80.
Default Custom Views

Threats Group
Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps, including:

Table B-3 Custom Views - Threats View
Exceptions - This group includes:
• Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance-like traffic on your network, such as SNMP polling, large numbers of ICMP requests, or vulnerability assessment (VA) scanners.
Scanning - This scanning group includes:
• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
Suspicious_IP_Protocol_Usage - This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
• ...
Remote_Access_Violation - This group includes:
• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application.

Table B-4 Custom Views - AttackerTargetAnalysis (continued)
PeripheralCommsAnalysis - This group includes:
• Activity_Before_Event - The network flow analysis indicates that the target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host.

Table B-5 Custom Views - TargetAnalysis (continued)
PeripheralCommsAnalysis - This group includes:
• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has, intentionally or inadvertently, crashed the service running on this host.

Table B-6 Custom Views - PolicyViolations (continued)
Remote_Access_Policy_Violation - This group includes:
• Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. Any of the following access technologies is detected: Citrix, PCAnywhere, SSH, Telnet, or VNC.
P2P_Policy_Violation - This group includes: ...

Table B-7 Custom Views - QoS View
NetworkControl - Specifies QoS values related to link layer and routing protocols.
IPRoutingControl - Specifies QoS values used by IP routing protocols.
Expedited - Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Default Rules
Default rules for the University template include:

Table B-9 Default Rules
Default-Response-E-mail: Offense E-mail Sender (Rule Group: Response; Type: Offense; Enabled: False). Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address.
Default-Rule-Anomaly: Rate Analysis Marked Events (Rule Group: Anomaly; Type: Event; Enabled: False). Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases it can be an early warning sign that the host has changed behavior.
Default-Rule-Botnet: Potential Botnet Connection (DNS) (Rule Group: Botnet, Exploit; Type: Event; Enabled: False). Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code.
Default-Rule-Database: Multiple Database Failures Followed by Success (Rule Group: Database, Compliance; Type: Event; Enabled: True). Reports when there are multiple database failures followed by a success within a short period of time.
Default-Rule-Database: ... (Rule Group: Database, ...)
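The "Multiple Database Failures Followed by Success" rule above is a sequence test rather than a simple threshold: a burst of failures from one source, then a success from the same source inside a short window, is what distinguishes a guessed password from an ordinary typo. The Python below is an added example written for this page, not STRM code or a Juniper rule export. The event category strings, the five-failure minimum, the ten-minute window and the sample events are all assumptions (the page says only "multiple" and "a short period of time"); in STRM the categories would come from the building blocks the rule references.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    src: str
    category: str


# Assumed category names; STRM would take these from a category-definition building block.
FAILURE = "Database Login Failed"
SUCCESS = "Database Login Succeeded"


def failures_then_success(events: Iterable[Event], min_failures: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, datetime, int]]:
    """Return (source, time of success, failures still in the window) for every source
    that logged at least `min_failures` failures inside `window` and then a success."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    hits = []
    for e in sorted(events, key=lambda e: e.ts):      # the rule is order-sensitive
        q = recent[e.src]
        while q and e.ts - q[0] > window:               # forget failures older than the window
            q.popleft()
        if e.category == FAILURE:
            q.append(e.ts)
        elif e.category == SUCCESS and len(q) >= min_failures:
            hits.append((e.src, e.ts, len(q)))
            q.clear()                                   # one offense per burst, not one per later success
    return hits


def constructed_sample() -> List[Event]:
    """Constructed events for the demonstration, not STRM output."""
    t0 = datetime(2008, 6, 1, 12, 0, 0)
    ev = []
    # 10.0.0.5: six failures inside a minute, then a success: the guess worked
    ev += [Event(t0 + timedelta(seconds=10 * i), "10.0.0.5", FAILURE) for i in range(6)]
    ev.append(Event(t0 + timedelta(seconds=60), "10.0.0.5", SUCCESS))
    # 10.0.0.9: two typos, then a success: an ordinary user
    ev += [Event(t0 + timedelta(seconds=5 * i), "10.0.0.9", FAILURE) for i in range(2)]
    ev.append(Event(t0 + timedelta(seconds=30), "10.0.0.9", SUCCESS))
    # 10.0.0.7: six failures spread over five minutes, success thirteen minutes in;
    # only the last three failures are still inside the ten-minute window
    ev += [Event(t0 + timedelta(minutes=i), "10.0.0.7", FAILURE) for i in range(6)]
    ev.append(Event(t0 + timedelta(minutes=13), "10.0.0.7", SUCCESS))
    return ev


if __name__ == "__main__":
    for src, when, n in failures_then_success(constructed_sample()):
        print(f"{src}: {n} failures then success at {when:%H:%M:%S}")
```

Lowering min_failures to 2 makes all three sources fire, which is the tuning trade-off the rule's "multiple" leaves to the administrator: too low and every mistyped password is an offense, too high and a slow, patient guesser stays under it. The window matters as much as the count; the third source shows how failures age out before the success arrives.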
Table B-9 Default Rules (continued)
Default-Rule-Exploit: Attacker Vulnerable to this Exploit (Rule Group: Exploit; Type: Event; Enabled: False). Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.
Default-Rule-False Positive: False Positive Rules and Building Blocks (Rule Group: False Positive; Type: Event; Enabled: True). Reports events that include false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events.
Default-Rule-Policy: New Host Discovered in DMZ (Rule Group: Authentication, Compliance; Type: Event; Enabled: False). Reports when a new host has been discovered in the DMZ.
Default-Rule-Policy: New Service (Rule Group: Policy; Type: Event; Enabled: False). Reports when an existing host has a newly discovered service.
Default-Rule-Recon: Local LDAP Server Scanner (Rule Group: Recon; Type: Event; Enabled: True). Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Proxy Server Scanner (Rule Group: Recon; Type: Event; Enabled: True). Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Server Scanner (Rule Group: Recon; Type: Event; Enabled: True). Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports more than 5 times from the same source IP address, across more than 200 destination IP addresses, within 20 minutes.
Default-Rule-Recon: Remote Mail Server Scanner (Rule Group: Recon; Type: Event; Enabled: True). Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Windows Server Scanner (Rule Group: Recon; Type: Event; Enabled: True). Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: ... (Rule Group: Recon; Type: Event) ...
Default Building Blocks
Default building blocks for the University template include:

Table B-10 Default Building Blocks
Default-BB-CategoryDefinition: Authentication ... (Group: Category Definitions, ...; Type: Event). Edit this BB to include all events that indicate an unsuccessful...
Default-BB-CategoryDefinition: Firewall System Errors (Group: Category Definitions; Type: Event). Edit this BB to include all events that may indicate a firewall system error.
Default-BB-CategoryDefinition: Rate Analysis Marked Events (Group: Category Definitions; Type: Event). STRM monitors the event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior.
Default-BB-CategoryDefinition: Windows Compliance Events (Group: Category Definitions, Compliance; Type: Event). Edit this BB to include all event categories that indicate compliance events.
Default-BB-CategoryDefinition: ... (Group: Category Definitions; Type: Event). Edit this BB to define worm events.
Default-BB-FalsePositive: Database Server False Positive Categories (Group: False Positive; Type: Event). Edit this BB to define all the false positive categories that occur to or from database servers that are... Associated building blocks: Default-BB-HostDefinition: Database Servers.
Default-BB-FalsePositive: FTP False Positive Events (Group: False Positive; Type: Event). Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the... Associated building blocks: Default-BB-HostDefinition: FTP Servers.
Default-BB-FalsePositive: Proxy Server False Positive Categories (Group: False Positive; Type: Event). Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition:... Associated building blocks: Default-BB-HostDefinition: Proxy Servers.
Default-BB-FalsePositive: Syslog Sender False Positive Events (Group: False Positive; Type: Event). Edit this BB to define all false positive events that occur to or from syslog sources or... Associated building blocks: Default-BB-HostDefinition: Syslog Servers and...
Table B-10 Default Building Blocks (continued)
Default-BB-HostDefinition: DNS Servers (Group: Host Definitions; Type: Event). Edit this BB to define typical DNS servers. Associated building blocks: Default-BB-FalsePositive: DNS Server False Positives Categories; Default-BB-FalsePositive: DNS Server False...
Default-BB-HostDefinition: SNMP Sender or Receiver (Group: Host Definitions; Type: Event). Edit this BB to define SNMP senders or receivers. Associated building blocks: Default-BB-PortDefinition: SNMP Ports.
Default-BB-HostDefinition: ... (Group: Host Definitions; Type: Event). Edit this BB to define typical SSH...
Default-BB-NetworkDefinition: Client Networks (Group: Network Definition; Type: Event). Edit this BB to include all networks that include client hosts.
Default-BB-NetworkDefinition: Honeypot like ... (Group: Network Definition; Type: Event). Edit this BB by replacing the other network with network objects...
Default-BB-PortDefinition: IM Ports (Group: Compliance, Port\Protocol Definition; Type: Event). Edit this BB to include all common IM ports.
Default-BB-PortDefinition: IRC Ports (Group: Port\Protocol Definition; Type: Event). Edit this BB to include all common IRC ports.
Default-BB-ReconDetected: All Recon Rules (Group: Recon; Type: Event). Defines all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed.
User-BB-FalsePositive: User Defined Server Type 2 False Positive... (Group: User Tuning; Type: Event). Edit this BB to include any categories you wish to consider false positives for hosts defined in... Associated building blocks: User-BB-HostDefinition: User Defined Server Type 2.
User-BB-HostDefinition: User Defined Server Type 2 (Group: User Tuning; Type: Event). Edit this BB to include the IP address of your custom server type. Associated building blocks: User-BB-FalsePositives: User Defined Server Type...
ISP Template Defaults
The ISP template includes settings with emphasis on internal network activities. This appendix provides the defaults for the ISP template, including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks

Default Sentries
The default sentries for the ISP template include:

Table D-1 Default Sentries
...
Excessive Inbound Unidirectional Flows Threshold: Detects an excessive rate (more than 1000) of inbound unidirectional flows (local host not responding) within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration.
Invalid TCP Flag usage: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or other forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
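The unidirectional-flow sentries (Suspicious - External - Unidirectional TCP Flows, Excessive Unidirectional UDP or Misc Flows, Excessive Inbound Unidirectional Flows Threshold) and the flag-combination sentries (Invalid TCP Flag usage, and the Illegal_TCP_Flag_Combination custom view object) all reduce to the same mechanics: classify each flow record, then count matching flows per source inside a sliding window and compare against a threshold. The Python below is an added example, not STRM code. The flow record layout, the local address ranges, the five-minute window for the University sentries and the list of flag combinations treated as illegal are assumptions; the thresholds (at least 40, at least 80, at least 10, more than 1000) are the defaults quoted in Tables C-1 and D-1, and the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    """One flow record (assumed layout; an STRM flow carries more fields than this)."""
    start: datetime
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int
    pkts_out: int       # packets seen from src to dst
    pkts_in: int        # packets seen from dst back to src; 0 means dst never answered
    flags: frozenset    # TCP flags on the first packet src sent; empty for non-TCP


# Assumed local address space, standing in for the STRM network hierarchy.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_unidirectional(flow: Flow) -> bool:
    """Unidirectional: the destination never sent a packet back."""
    return flow.pkts_in == 0


def is_illegal_tcp_flags(flags: Iterable[str]) -> bool:
    """Flag combinations a conforming TCP stack never puts on one segment (assumed list;
    the page does not enumerate STRM's). Covers NULL, Xmas, SYN/FIN, SYN/RST and FIN-only."""
    f = set(flags)
    if not f:                                      # NULL scan: no flags at all
        return True
    if "SYN" in f and f & {"FIN", "RST"}:          # SYN never travels with FIN or RST
        return True
    if "RST" in f and f & {"FIN", "PSH", "URG"}:   # RST carries at most ACK
        return True
    if not f & {"ACK", "SYN"} and f & {"FIN", "PSH", "URG"}:
        return True                                # FIN/PSH/URG only appear after the handshake, i.e. with ACK
    return False


def peak_count(flows: Iterable[Flow], match: Callable[[Flow], bool],
               window: timedelta) -> Dict[str, int]:
    """Per source, the largest number of matching flows that start inside any sliding window."""
    starts: Dict[str, List[datetime]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.start):
        if match(f):
            starts[f.src].append(f.start)
    peaks = {}
    for src, times in starts.items():
        lo = best = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:          # slide the left edge of the window forward
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def run_sentries(flows: Iterable[Flow],
                 window: timedelta = timedelta(minutes=5)) -> Dict[str, Dict[str, int]]:
    """Apply the four sentries. Thresholds are the page's defaults; the window is an
    assumption except for the ISP inbound sentry, which the page states as 5 minutes."""
    flows = list(flows)
    sentries = {
        "unidirectional_tcp":     (lambda f: f.proto == "tcp" and is_unidirectional(f), 40),
        "unidirectional_other":   (lambda f: f.proto != "tcp" and is_unidirectional(f), 80),
        "invalid_tcp_flags":      (lambda f: f.proto == "tcp" and is_illegal_tcp_flags(f.flags), 10),
        "inbound_unidirectional": (lambda f: is_unidirectional(f) and is_local(f.dst)
                                   and not is_local(f.src), 1001),       # "more than 1000"
    }
    return {name: {src: n for src, n in peak_count(flows, match, window).items() if n >= threshold}
            for name, (match, threshold) in sentries.items()}


def constructed_sample() -> List[Flow]:
    """Constructed traffic for the demonstration, not captured data."""
    t0 = datetime(2008, 6, 1, 9, 0, 0)
    flows = []
    # 192.0.2.10 SYN-scans 45 distinct internal hosts in 90 seconds; nobody answers.
    flows += [Flow(t0 + timedelta(seconds=2 * i), "192.0.2.10", f"10.10.0.{i + 1}",
                   "tcp", 22, 1, 0, frozenset({"SYN"})) for i in range(45)]
    # 198.51.100.7 FIN-scans 12 ports on one server: FIN without ACK, no replies.
    flows += [Flow(t0 + timedelta(seconds=5 * i), "198.51.100.7", "10.10.0.80",
                   "tcp", 1000 + i, 1, 0, frozenset({"FIN"})) for i in range(12)]
    # 10.10.1.20 is an ordinary workstation: answered web and DNS traffic.
    for i in range(30):
        flows.append(Flow(t0 + timedelta(seconds=3 * i), "10.10.1.20", "192.0.2.80",
                          "tcp", 80, 12, 9, frozenset({"SYN"})))
        flows.append(Flow(t0 + timedelta(seconds=3 * i), "10.10.1.20", "10.10.0.53",
                          "udp", 53, 1, 1, frozenset()))
    return flows


if __name__ == "__main__":
    for sentry, offenders in run_sentries(constructed_sample()).items():
        print(f"{sentry}: {offenders or 'no hits'}")
```

Two caveats a practitioner should carry over to the real sentries. First, the 12-flow FIN scan trips the flag sentry but stays under the 40-flow unidirectional threshold, so the two sentries are complementary rather than redundant. Second, the flag check assumes per-packet flags. NetFlow and J-Flow exporters commonly report the OR of every flag seen in a flow, and a normal connection's union legitimately contains SYN, ACK, PSH and FIN; against such records only combinations that cannot arise as a union, such as no flags at all or FIN/PSH/URG with neither SYN nor ACK, are safe to alert on.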
UDP DoS: Detects flows that appear to be a UDP DoS attack attempt.

Default Custom Views
This section provides the default custom views for the ISP template, including:
• IP Tracking Group
• Threats Group
• ...

Threats Group
Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps, including:

Table D-3 Custom Views - Threats View
Exceptions - This group includes:
• Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance-like traffic on your network, such as SNMP polling, large numbers of ICMP requests, or vulnerability assessment (VA) scanners.
Scanning - This scanning group includes:
• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
Suspicious_IP_Protocol_Usage - This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
• ...
Remote_Access_Violation - This group includes:
• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application.

Table B-4 Custom Views - AttackerTargetAnalysis (continued)
PeripheralCommsAnalysis - This group includes:
• Activity_Before_Event - The network flow analysis indicates that the target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host.

Table B-5 Custom Views - TargetAnalysis (continued)
PeripheralCommsAnalysis - This group includes:
• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has, intentionally or inadvertently, crashed the service running on this host.

Table B-6 Custom Views - PolicyViolations (continued)
Remote_Access_Policy_Violation - This group includes:
• Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. Any of the following access technologies is detected: Citrix, PCAnywhere, SSH, Telnet, or VNC.
P2P_Policy_Violation - This group includes: ...

Table B-7 Custom Views - QoS View (continued)
IP Routing Control - Specifies QoS values used by IP routing protocols.
Expedited - Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Class 4 - Specifies values related to Class 4 traffic.
Default Rules
Default rules for the ISP template include:

Table D-9 Default Rules
Default-Response-E-mail: Offense E-mail Sender (Type: Offense; Enabled: False). Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address.
Default-Rule-Anomaly: Rate Analysis Marked Events (Type: Event; Enabled: False). Detects a host emitting events at a rate greater than normal. This may be normal, but in some cases it can be an early warning sign that the host has changed behavior.
Default-Rule-Botnet: Potential Botnet Connection (IRC) (Type: Event; Enabled: False). Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit (Type: Event; Enabled: True). Reports an IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes.
Default-Rule-Recon: Aggressive Remote Scanner Detected (Type: Event; Enabled: True). Reports an aggressive scan from a remote source IP address against other local or remote IP addresses: more than 50 targets received reconnaissance or suspicious events in less than 3 minutes.
Default-Rule-Recon: Local DNS Scanner (Type: Event; Enabled: True). Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: ... (Type: Event; Enabled: True) ...
Default-Rule-Recon: Local Scanner Detected (Type: Event; Enabled: True). Reports a scan from a local host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes, using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Remote Database Scanner (Type: Event; Enabled: True). Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote Proxy Server Scanner (Type: Event; Enabled: True). Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Windows Server Scanner (Type: Event; Enabled: True). Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
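The Recon rules in Tables B-9 and D-9 share one shape: a source touches more than N distinct hosts on a given port group inside a window, with N, the port group and the local/remote qualifier varying per rule. Counting distinct targets rather than raw events is what separates a sweep from a busy client hammering one server. The Python below is an added example, not STRM code: the port groups and local address ranges are assumptions standing in for the port-definition building blocks and the network hierarchy, and the sample events are constructed; the thresholds and the ten-minute window are the ones quoted above for the Local LDAP, Remote Mail and Remote Windows rules. It does not model the Local Windows Server Scanner rule, which additionally counts repeated events per source.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, FrozenSet, Iterable, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


class ScanRule(NamedTuple):
    name: str
    local_source: bool        # True: the scanner is a local host; False: a remote one
    ports: FrozenSet[int]
    more_than: int            # fire when distinct targets exceed this ("more than N hosts")
    window: timedelta


# Assumptions standing in for STRM's network hierarchy and port-definition building blocks.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
LDAP_PORTS = frozenset({389, 636, 3268, 3269})
MAIL_PORTS = frozenset({25, 110, 143, 465, 587, 993, 995})
WINDOWS_PORTS = frozenset({135, 137, 138, 139, 445})
TEN_MIN = timedelta(minutes=10)

# Thresholds as quoted in Tables B-9 and D-9.
RULES = [
    ScanRule("Default-Rule-Recon: Local LDAP Server Scanner", True, LDAP_PORTS, 60, TEN_MIN),
    ScanRule("Default-Rule-Recon: Remote Mail Server Scanner", False, MAIL_PORTS, 30, TEN_MIN),
    ScanRule("Default-Rule-Recon: Remote Windows Server Scanner", False, WINDOWS_PORTS, 60, TEN_MIN),
]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def peak_distinct_targets(hits: Iterable[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct destinations one source touched inside any sliding window."""
    q: Deque[Tuple[datetime, str]] = deque()
    live: Counter = Counter()          # destination -> number of hits still inside the window
    best = 0
    for ts, dst in sorted(hits):
        q.append((ts, dst))
        live[dst] += 1
        while ts - q[0][0] > window:   # expire hits that fell out of the window
            _, old = q.popleft()
            live[old] -= 1
            if live[old] == 0:
                del live[old]
        best = max(best, len(live))
    return best


def evaluate(events: Iterable[Event], rules: List[ScanRule] = RULES) -> List[Tuple[str, str, int]]:
    """Return (rule name, source, peak distinct targets) for every rule a source trips."""
    events = list(events)
    offenses = []
    for rule in rules:
        per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
        for e in events:
            if e.dport in rule.ports and is_local(e.src) == rule.local_source:
                per_src[e.src].append((e.ts, e.dst))
        for src, hits in per_src.items():
            n = peak_distinct_targets(hits, rule.window)
            if n > rule.more_than:
                offenses.append((rule.name, src, n))
    return offenses


def constructed_sample() -> List[Event]:
    """Constructed events for the demonstration, not STRM output."""
    t0 = datetime(2008, 6, 1, 3, 0, 0)
    ev = []
    # local host sweeps LDAP on 70 distinct servers in three and a half minutes
    ev += [Event(t0 + timedelta(seconds=3 * i), "10.0.5.25", f"10.1.0.{i + 1}", 389) for i in range(70)]
    # remote host probes SMTP on 35 distinct hosts over about eight minutes
    ev += [Event(t0 + timedelta(seconds=13 * i), "203.0.113.9", f"10.2.0.{i + 1}", 25) for i in range(35)]
    # remote host probes SMB on 40 hosts: real, but under the 60-host threshold
    ev += [Event(t0 + timedelta(seconds=15 * i), "203.0.113.50", f"10.3.0.{i + 1}", 445) for i in range(40)]
    # local application server talks to the same LDAP server 200 times: one target, no offense
    ev += [Event(t0 + timedelta(seconds=i), "10.0.7.7", "10.1.0.5", 389) for i in range(200)]
    return ev


if __name__ == "__main__":
    for rule, src, n in evaluate(constructed_sample()):
        print(f"{rule}: {src} reached {n} distinct hosts")
```

The SMB probe of 40 hosts is the case worth noticing: it is a genuine scan that the default Remote Windows Server Scanner threshold ignores, while the same 40 hosts would have tripped the Remote Mail rule. When tuning these rules, the port group and the threshold have to be judged together, and the Exceptions view's Network_Management_Hosts object exists precisely so that vulnerability scanners and SNMP pollers can be carved out of the source set before these counts are taken.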
Default Building Blocks

Table D-10 Default Building Blocks (continued)
Default-BB-CategoryDefinition: Countries with no Remote Access (Type: Event). Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise.
Default-BB-CategoryDefinition: Rate Analysis Marked Events (Type: Event). STRM monitors the event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior.
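The Rate Analysis Marked Events building block, and the Default-Rule-Anomaly rule built on it, describe a baseline comparison: STRM marks events whose source (or source/QID pair) is emitting at a rate out of line with its own history, and the rule then reports the host. The page does not state the algorithm, so the Python below is an added example, not STRM's implementation. It learns, per key, the mean and standard deviation of per-minute event counts over a training period and marks later minutes that exceed mean plus k standard deviations, with an absolute floor so that a host that normally logs one or two events a minute is not marked for logging five. The k, the floor, the one-minute bucket and the sample events are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    key: str      # what the baseline is kept for: a source IP here, or "ip/qid" for per-type baselines


def per_minute_counts(events: Iterable[Event]) -> Dict[str, Dict[datetime, int]]:
    """Count events per key per wall-clock minute."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        counts[e.key][e.ts.replace(second=0, microsecond=0)] += 1
    return counts


def mark_abnormal(events: Iterable[Event], train_end: datetime, k: float = 3.0,
                  min_count: int = 10) -> Dict[str, List[Tuple[datetime, int, float]]]:
    """Learn each key's baseline (mean and population std dev of its per-minute counts before
    train_end) and mark later minutes whose count exceeds max(min_count, mean + k * std).

    Assumptions: minutes with no events are absent from the baseline, so the mean is over
    active minutes; min_count is the floor that keeps quiet hosts from being marked on tiny
    absolute changes. Returns key -> [(minute, count, threshold), ...]."""
    marked = {}
    for key, per_minute in per_minute_counts(events).items():
        history = [n for minute, n in per_minute.items() if minute < train_end]
        if len(history) < 2:
            continue                                   # no usable history: nothing can be called abnormal
        threshold = max(min_count, mean(history) + k * pstdev(history))
        flagged = [(minute, n, threshold) for minute, n in sorted(per_minute.items())
                   if minute >= train_end and n > threshold]
        if flagged:
            marked[key] = flagged
    return marked


def constructed_sample() -> Tuple[List[Event], datetime]:
    """Constructed events, not STRM output: two hosts log 4 to 6 events a minute for 30 minutes;
    afterwards one bursts to 40 events in a minute, the other creeps up to 7."""
    t0 = datetime(2008, 6, 1, 0, 0, 0)
    pattern = [4, 5, 6, 5]
    ev = []
    for minute in range(30):
        for key in ("10.0.0.8", "10.0.0.9"):
            ev += [Event(t0 + timedelta(minutes=minute, seconds=s), key)
                   for s in range(pattern[minute % 4])]
    ev += [Event(t0 + timedelta(minutes=31, seconds=s), "10.0.0.8") for s in range(40)]
    ev += [Event(t0 + timedelta(minutes=31, seconds=s), "10.0.0.9") for s in range(7)]
    return ev, t0 + timedelta(minutes=30)


if __name__ == "__main__":
    events, train_end = constructed_sample()
    for key, hits in mark_abnormal(events, train_end).items():
        for minute, n, threshold in hits:
            print(f"{key} {minute:%H:%M}: {n} events, threshold {threshold:.1f}")
```

With the defaults only the 40-event burst is marked; the creep to 7 events sits under the floor of 10 even though it is almost three standard deviations above the host's mean. Dropping k to 1 and the floor to 0 marks both hosts, which illustrates why the corresponding Default-Rule-Anomaly rule ships disabled: a statistical marker is only as useful as the baseline and sensitivity chosen for the environment, and the building block's note that the marking may be "normal" is the page's own warning about that.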
Table D-10 Default Building Blocks (continued)
Default-BB-FalsePositive: All Default False Positive Building Blocks (Type: Event). Edit this BB to include all false positive building blocks. Associated building blocks: all Default-BB-FalsePositive building blocks.
Default-BB-FalsePositive: ... (Type: Event). Edit this BB to define all the false positive... Associated building blocks: Default-BB-HostDefinition:...
Default-BB-FalsePositive: Global False Positive Events (Type: Event). Edit this BB to include any event QIDs that you wish to ignore.
Default-BB-FalsePositive: Internal Attacker to ... (Type: Event). Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local...
Default-BB-FalsePositive: Remote Attacker to Internal Target False ... (Type: Event). Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers.
Default-BB-FalsePositive: Virus Definition Update Categories (Type: Event). Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are... Associated building blocks: Default-BB-HostDefinition: Virus Definition...
Default-BB-HostDefinition: FTP Servers (Type: Event). Edit this BB to define typical FTP servers. Associated building blocks: Default-BB-FalsePositive: FTP Server False Positives Categories; Default-BB-FalsePositive: FTP Server False Positive Events.
Default-BB-HostDefinition: ... (Type: Event). Edit this BB by replacing the other network...
Default-BB-HostDefinition: Server Networks (Type: Event). Edit this BB to include the networks where your servers are located.
Default-BB-HostDefinition: Servers (Type: Event). Edit this BB to define generic servers.
Default-BB-HostDefinition: ... (Type: Event). Edit this BB to define SNMP senders or...
Default-BB-Policy: IRC/IM Connection Violations (Type: Event). Edit this BB to define all policy IRC/IM connection violations.
Default-BB-Policy: Policy ... (Type: Event). Edit this BB to include all events that indicate Peer-to-Peer (P2P) events.
Default-BB-ReconDetected: All Recon Rules (Type: Event). Defines all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed, for example reconnaissance followed by a firewall accept.
User-BB-HostDefinition: User Defined Server Type 1 (Type: Event). Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or... Associated building blocks: User-BB-FalsePositives: User Defined Server Type 1 False...