Configuring Rules - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

9 CONFIGURING RULES

Rules match events or offenses by performing a series of tests. If all the conditions of a test are true, the rule generates a response. Building blocks are rules without a response. Responses to a rule include:

• Creation of an offense.
• Generation of a response to an external system (syslog, SNMP).
• Sending an e-mail.

The tests in each rule can also reference other building blocks and rules. You do not need to create rules in any specific order, since the system checks for dependencies each time a rule is added, edited, or deleted. If a rule that is referenced by another rule is deleted or disabled, a warning appears and the action is not taken.

Each rule may contain the following components:

• Functions - With functions, you can use building blocks and other rules to create a multi-event or multi-offense function. You can also OR rules together, using the "when we see an event match any of the following rules" function.
• Building blocks - A building block is a rule without a response. It is commonly used as a shared variable in multiple rules, or to build complex rules or logic that you wish to use in other rules. You can save a group of tests as a building block for use with other functions, which lets you re-use specific rule tests in other rules. For example, you can save a building block that includes the IP addresses of all mail servers in your network and then use that building block to exclude those hosts from another rule. The default building blocks are provided as guidelines and should be reviewed and edited based on the needs of your network.
• Tests - A property of an event or an offense, such as source IP address, severity of the event, or rate analysis.

A user with non-administrative access can create rules for the areas of the network to which they have access. You must have the appropriate role access to manage rules.
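The following is an added illustration, not STRM code and not a description of STRM's internal data model: a small Python model of the structure the chapter describes, with tests as predicates over event properties, building blocks as reusable groups of tests with no response, rules that reference building blocks (including the mail-server exclusion example and the "match any of the following rules" OR function), and the dependency check that refuses to delete a referenced building block. All rule names, IP addresses and sample events are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# Constructed sample events are plain dicts; a test is a predicate over one event.
Event = dict
Test = Callable[[Event], bool]


@dataclass
class Rule:
    name: str
    tests: List[Test] = field(default_factory=list)      # the rule's own tests (ANDed)
    references: List[str] = field(default_factory=list)  # names of building blocks / rules used
    match_any: bool = False      # True = "match any of the following rules" (OR); False = AND
    negate_refs: bool = False    # True = use the referenced block(s) as an exclusion
    responses: List[str] = field(default_factory=list)   # empty list = building block

    @property
    def is_building_block(self) -> bool:
        return not self.responses


class RuleSet:
    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}

    def add(self, rule: Rule) -> None:
        # Dependency check on add: everything the rule references must already exist.
        missing = [r for r in rule.references if r not in self.rules]
        if missing:
            raise ValueError(f"{rule.name}: unknown reference(s) {missing}")
        self.rules[rule.name] = rule

    def dependents(self, name: str) -> List[str]:
        return [r.name for r in self.rules.values() if name in r.references]

    def delete(self, name: str) -> bool:
        # Mirrors the manual: a referenced rule/block is not deleted; a warning is raised instead.
        deps = self.dependents(name)
        if deps:
            print(f"warning: {name} is referenced by {deps}; not deleted")
            return False
        del self.rules[name]
        return True

    def matches(self, name: str, event: Event) -> bool:
        rule = self.rules[name]
        own_ok = all(t(event) for t in rule.tests)
        if not rule.references:
            return own_ok
        ref_results = [self.matches(r, event) for r in rule.references]
        combined = any(ref_results) if rule.match_any else all(ref_results)
        ref_ok = (not combined) if rule.negate_refs else combined
        return own_ok and ref_ok

    def evaluate(self, event: Event) -> Dict[str, List[str]]:
        """Return {rule name: responses} for every rule (not building block) that fires."""
        fired: Dict[str, List[str]] = {}
        for rule in self.rules.values():
            if not rule.is_building_block and self.matches(rule.name, event):
                fired[rule.name] = list(rule.responses)
        return fired


# --- test factories: properties of an event, as the chapter lists them ---
def src_in(cidrs: List[str]) -> Test:
    nets = [ip_network(c) for c in cidrs]
    return lambda e: any(ip_address(e["src_ip"]) in n for n in nets)


def severity_at_least(n: int) -> Test:
    return lambda e: e["severity"] >= n


def build_example_ruleset() -> RuleSet:
    rs = RuleSet()
    # Building block holding the (constructed) mail-server addresses; no response.
    rs.add(Rule("BB:MailServers", tests=[src_in(["192.0.2.10/32", "192.0.2.11/32"])]))
    # Building block for high-severity events.
    rs.add(Rule("BB:HighSeverity", tests=[severity_at_least(7)]))
    # Rule: high-severity events that are NOT from a mail server -> offense + e-mail.
    rs.add(Rule("Suspicious non-mail host", tests=[severity_at_least(7)],
                references=["BB:MailServers"], negate_refs=True,
                responses=["create offense", "send e-mail"]))
    # Rule that ORs other rules together ("match any of the following rules") -> syslog.
    rs.add(Rule("Any alert", references=["BB:HighSeverity", "BB:MailServers"],
                match_any=True, responses=["syslog"]))
    return rs


if __name__ == "__main__":
    rs = build_example_ruleset()
    print(rs.evaluate({"src_ip": "198.51.100.5", "severity": 9}))
    rs.delete("BB:MailServers")   # refused: two rules reference it
```

Deleting "BB:MailServers" is refused because both rules reference it, which is the behaviour the chapter describes for referenced rules; deleting "Any alert", which nothing references, succeeds.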