Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 248

STRM Administration Guide
240 ENTERPRISE TEMPLATE DEFAULTS
Table B-1 Default Sentries (continued)
Sentry / Description

Policy - External - Hidden FTP Server
    Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - Internal - Clear Text Application Usage
    Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - Internal - Hidden FTP Server
    Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - External - IM/Chat
    Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - External - IRC Connections
    Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - Local P2P Server Detected
    Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Policy - External - Long Duration Flow Detected
    Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3600 seconds, which means that an event generates 3600 seconds after the first instance of the condition.

Policy - External - P2P Communications Detected
    Detects Peer-to-Peer (P2P) communications.

Policy - External - Remote Desktop Access from the Internet
    Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.

Policy - External - SMTP Mail Sender
    Detects an internal host sending a large number of SMTP flows from the same source to the Internet in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
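The sentries above fall into two patterns: per-flow matches (a protocol seen on the wrong port, a clear text application crossing the Internet boundary, a flow that has lived longer than 48 hours, RDP initiated from outside) and per-source counters that fire once a minimum number of matching flows is seen in one interval (IM/Chat 20, IRC 20, SMTP 10). The following is an added illustration of that logic run over constructed flow records; it is not STRM code and does not reproduce the STRM sentry engine. The local address ranges in LOCAL_NETS, the Flow record layout, and the application labels ("ftp", "rdp", "smtp", ...) are assumptions standing in for STRM's network hierarchy and its payload-based application identification.

```python
"""Flow-based policy sentries modelled on Table B-1 (constructed example, not STRM code)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed local address space; STRM takes this from its own network hierarchy.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Default thresholds from Table B-1: minimum matching flows per source in one interval.
THRESHOLDS = {"im_chat": 20, "irc": 20, "smtp": 10}
LONG_FLOW_SECONDS = 48 * 3600            # "sustained duration of more than 48 hours"
CLEAR_TEXT_APPS = {"telnet", "ftp", "pop3"}


def is_local(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


@dataclass
class Flow:
    src: str        # initiating (client) address
    dst: str        # responding (server) address
    dport: int      # server-side TCP port
    app: str        # application identified from payload, not from the port
    duration: int   # seconds the flow has been active


def per_flow_sentries(f):
    """Sentries that fire on a single flow. Returns (sentry name, offending host) pairs."""
    events = []
    internet_edge = is_local(f.src) != is_local(f.dst)
    if f.app == "ftp" and f.dport != 21:
        # FTP identified by payload on a port other than 21: possible backdoor server.
        scope = "Internal" if is_local(f.src) and is_local(f.dst) else "External"
        events.append((f"Policy - {scope} - Hidden FTP Server", f.dst))
    if f.app in CLEAR_TEXT_APPS and internet_edge:
        events.append(("Policy - Internal - Clear Text Application Usage", f.src))
    if internet_edge and f.duration > LONG_FLOW_SECONDS:
        events.append(("Policy - External - Long Duration Flow Detected", f.src))
    if f.app == "rdp" and not is_local(f.src) and is_local(f.dst):
        events.append(("Policy - External - Remote Desktop Access from the Internet", f.src))
    if f.app == "p2p":
        events.append(("Policy - External - P2P Communications Detected", f.src))
    return events


def threshold_sentries(flows):
    """Sentries that count local-to-Internet flows per source over one interval."""
    names = {"im_chat": "Policy - External - IM/Chat",
             "irc": "Policy - External - IRC Connections",
             "smtp": "Policy - External - SMTP Mail Sender"}
    counts = Counter()
    for f in flows:
        if not (is_local(f.src) and not is_local(f.dst)):
            continue
        if f.app in ("im", "chat"):
            counts[("im_chat", f.src)] += 1
        elif f.app == "irc":
            counts[("irc", f.src)] += 1
        elif f.app == "smtp":
            counts[("smtp", f.src)] += 1
    return [(names[k], src) for (k, src), n in counts.items() if n >= THRESHOLDS[k]]


def evaluate(flows):
    """Run every sentry over one interval's worth of flows."""
    events = []
    for f in flows:
        events.extend(per_flow_sentries(f))
    events.extend(threshold_sentries(flows))
    return events


# Constructed sample interval (addresses from RFC 5737 documentation ranges).
SAMPLE = (
    [Flow("10.1.1.5", "203.0.113.9", 2121, "ftp", 30)]              # hidden FTP + clear text
    + [Flow("203.0.113.7", "10.1.1.20", 3389, "rdp", 600)]          # RDP from the Internet
    + [Flow("10.1.1.8", "198.51.100.2", 443, "https", 50 * 3600)]   # longer than 48 hours
    + [Flow("10.1.1.9", "198.51.100.%d" % i, 25, "smtp", 2) for i in range(12)]  # 12 >= 10
    + [Flow("10.1.1.10", "198.51.100.50", 6667, "irc", 5) for _ in range(19)]     # 19 < 20
)

if __name__ == "__main__":
    for name, host in evaluate(SAMPLE):
        print(f"{name}: {host}")
```

The IRC source stays below its threshold of 20 and produces nothing, while the SMTP source with 12 flows in the interval crosses its threshold of 10; that difference is the whole point of the "minimum number of times, in flows" parameter, and tuning it is how a deployment separates a busy mail relay from a spam-relaying host.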