Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 251

Table B-1 Default Sentries (continued)

Sentry: Recon - Internal - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Sentry: Recon - Internal - Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should typically not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - Internal - Scanning Activity (Medium)
Description: Detects a host performing reconnaissance activity at a high rate (5000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Sentry: Suspicious - External - Anomalous ICMP Flows
Description: Detects an excessive number of ICMP flows from one source IP address, where the ICMP types and codes used are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event is generated is 15.

Sentry: Suspicious - External - Invalid TCP Flag usage
Description: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event is generated is 10.

Sentry: Suspicious - External - Port 0 Flows Detected
Description: Detects flows whose destination or source port is 0. This may be considered suspicious.

Sentry: Suspicious - External - Rejected Communication Attempts
Description: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event is generated is 15.

Sentry: Suspicious - External - Unidirectional ICMP Detected
Description: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event is generated is 15.

STRM Administration Guide
Default Sentries
243
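A worked example of the rate-based Recon - Internal sentries and the flow-count threshold of the Invalid TCP Flag usage sentry in Table B-1, added here and not part of the STRM product or this manual: it buckets constructed flow records per source and minute, reports the strictest recon sentry whose hosts-per-minute threshold a source crosses, and raises an Invalid TCP Flag event only once the documented minimum of 10 flows is reached. The flow record layout and the specific improper flag combinations (NULL, SYN+FIN, SYN+RST) are assumptions, since the manual does not list them.

```python
from collections import defaultdict

# Thresholds from Table B-1 (distinct hosts contacted per minute), strictest first.
RECON_SENTRIES = (
    ("Recon - Internal - Scanning Activity (High)", 100_000),
    ("Recon - Internal - Scanning Activity (Medium)", 5_000),
    ("Recon - Internal - Scanning Activity (Low)", 500),
)
INVALID_FLAG_MIN_FLOWS = 10  # documented minimum for "Invalid TCP Flag usage"
# Assumed improper flag combinations (NULL, SYN+FIN, SYN+RST); the manual lists none.
INVALID_FLAG_COMBOS = {frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"})}

def classify_recon(flows):
    """Map each src to the recon sentry matching its peak distinct-host rate.
    flows: dicts with keys src, dst, minute (integer minute bucket).
    Sources below the Low rate are not reported."""
    seen = defaultdict(set)   # (src, minute) -> distinct destination hosts
    for f in flows:
        seen[(f["src"], f["minute"])].add(f["dst"])
    peak = defaultdict(int)   # src -> most hosts contacted in any one minute
    for (src, _minute), hosts in seen.items():
        peak[src] = max(peak[src], len(hosts))
    result = {}
    for src, rate in peak.items():
        for name, threshold in RECON_SENTRIES:
            if rate >= threshold:
                result[src] = name
                break
    return result

def invalid_tcp_flag_events(flows, min_flows=INVALID_FLAG_MIN_FLOWS):
    """Return {src: count} for sources whose improper-flag TCP flows reach min_flows."""
    counts = defaultdict(int)
    for f in flows:
        if f.get("proto") == "tcp" and frozenset(f.get("flags", ())) in INVALID_FLAG_COMBOS:
            counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_flows}

def sample_flows():
    """Constructed flow records (not captured data): a Low-rate and a Medium-rate
    scanner, a quiet host, and two external sources sending SYN+FIN or NULL segments."""
    flows = []
    for src, n_hosts in (("10.0.0.5", 600), ("10.0.0.6", 6_000), ("10.0.0.7", 50)):
        flows += [{"src": src, "dst": f"10.1.{i // 256}.{i % 256}", "minute": 1,
                   "proto": "tcp", "flags": ("SYN",)} for i in range(n_hosts)]
    flows += [{"src": "203.0.113.9", "dst": "10.0.0.1", "minute": 2,
               "proto": "tcp", "flags": ("SYN", "FIN")}] * 12
    flows += [{"src": "203.0.113.10", "dst": "10.0.0.1", "minute": 2,
               "proto": "tcp", "flags": ()}] * 3
    return flows
```

The external source with only 3 NULL segments stays below the 10-flow minimum and produces no event, mirroring how the documented threshold suppresses noise from a handful of malformed packets.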