B
ENTERPRISE TEMPLATE DEFAULTS

The Enterprise template includes settings with emphasis on internal network
activities. This appendix provides the defaults for the Enterprise template
including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks

Default Sentries

The default sentries for the Enterprise template include:

Table B-1 Default Sentries

Sentry | Description
Behavior - Flow Count Behavior Change | Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.
Behavior - Host Count Behavior Change | Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.
Behavior - Threat Traffic Packet Rate Behavior Change | Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.
Behavior - P2P Policy Threshold | Detects more than 100 KB/s of Peer-to-Peer (P2P) traffic within 5 minutes.
Default - Suspicious-External - Outbound Unidirectional Flows Threshold | Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes. By default, this activity must occur 5 times before an alert generates.

STRM Administration Guide
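The two threshold sentries in Table B-1 (P2P Policy and Outbound Unidirectional Flows), as an added worked example that is not code from the STRM guide: a small Python detector over constructed flow records that buckets flows into 5-minute windows and applies the "more than 100 KB/s" and "must occur 5 times" defaults. The flow record schema, the per-window unidirectional-flow limit, 1 KB = 1024 bytes, and the reading of "N times" as N consecutive windows are assumptions, not STRM's implementation.

```python
from collections import namedtuple
from typing import Callable, Iterable, List
# Constructed flow record, not STRM's own schema: timestamp (s), application label,
# bytes the local host sent, bytes the remote host sent back (0 = no response).
Flow = namedtuple("Flow", "ts app out_bytes in_bytes")
WINDOW = 300  # the "within 5 minutes" interval both threshold sentries use

def window_stats(flows: Iterable[Flow], window: int = WINDOW) -> List[tuple]:
    """Per window, sorted by start: (start, unidirectional outbound flows, P2P bytes/s)."""
    buckets = {}
    for f in flows:
        w = f.ts - f.ts % window
        uni, p2p = buckets.get(w, (0, 0))
        uni += f.in_bytes == 0                              # remote host not responding
        p2p += (f.out_bytes + f.in_bytes) if f.app == "P2P" else 0
        buckets[w] = (uni, p2p)
    return [(w, uni, p2p / window) for w, (uni, p2p) in sorted(buckets.items())]

def threshold_sentry(stats, hit: Callable[[int, float], bool], times: int,
                     window: int = WINDOW) -> List[int]:
    """Window starts at which an alert generates: `hit` must hold in `times`
    consecutive windows (assumed reading of "must occur N times"). A window with
    no flows breaks the run, and a generated alert starts a fresh count."""
    alerts, streak, prev = [], 0, None
    for w, uni, p2p_rate in stats:
        if prev is not None and w != prev + window:
            streak = 0
        streak = streak + 1 if hit(uni, p2p_rate) else 0
        if streak >= times:
            alerts.append(w)
            streak = 0
        prev = w
    return alerts

def p2p_policy_alerts(flows, kbps_limit: int = 100) -> List[int]:
    """Behavior - P2P Policy Threshold: more than 100 KB/s of P2P traffic (1 KB = 1024 B assumed)."""
    return threshold_sentry(window_stats(flows), lambda uni, rate: rate > kbps_limit * 1024, 1)

def unidirectional_alerts(flows, max_per_window: int = 3, times: int = 5) -> List[int]:
    """Outbound Unidirectional Flows Threshold; max_per_window is an assumed limit,
    the page gives only the 5-minute window and the 5-times default."""
    return threshold_sentry(window_stats(flows), lambda uni, rate: uni > max_per_window, times)

# Constructed sample: five windows with 4 unanswered outbound flows each, one normal
# bidirectional flow in every window, and a 42 MB P2P transfer in the sixth window.
SAMPLE_FLOWS = (
    [Flow(w * 300 + i * 10, "HTTP", 120, 0) for w in range(5) for i in range(4)]
    + [Flow(w * 300 + 50, "HTTP", 800, 4000) for w in range(6)]
    + [Flow(1500, "P2P", 40_000_000, 2_000_000)]
)
```

On the sample, the unidirectional sentry alerts only once the fifth consecutive window (start 1200) exceeds the limit, while the P2P sentry alerts on the single window (start 1500) whose rate is about 137 KB/s.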