Policy Violations Group - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

Table B-5 Custom Views - TargetAnalysis (continued)

Group: (continued)
Objects:
Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally or inadvertently crashed the service running on this host.

Group: PeripheralComms Analysis
Objects: This group includes:
• Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Because this activity is occurring in the presence of security events targeting this host, it is possible that the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
• Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Because this activity is occurring in the presence of a security event targeting this host, it is possible that the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.

Policy Violations Group

Pre-configured groups that identify traffic flows that violate your internal and external policies, such as mail policies, web policies, P2P, games, applications and compliance policies, including:

Table B-6 Custom Views - PolicyViolations

Group: Mail_Policy_Violation
Objects: This group includes:
• Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation so that it excludes your network mail servers.
• Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Such a server may also be an infected host that is unknowingly running a spam relay. We recommend updating this equation so that it excludes your network mail servers.

Group: IRC_IM_Policy_Violation
Objects: This group includes:
• IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on common IRC ports or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or it can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
• IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.
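The four PolicyViolations objects above are described purely in terms of flow direction, destination port and application signature, plus the recommended exclusion of your own mail servers. The classifier below is an added example, not STRM code and not the product's equation syntax: it applies those descriptions to constructed flow records so the matching rules (and the exclusion and the bidirectional requirement) can be checked against concrete input. The local address ranges, the known mail server list, the IRC port set and the application signature names are assumptions.

```python
"""Flow classifier for the PolicyViolations custom view objects in Table B-6.

Added example, not STRM code: it applies the direction / port / application
signature descriptions to constructed flow records.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed local address space; STRM would take this from the network hierarchy.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed list of sanctioned mail servers. The guide recommends excluding these
# from Outbound_Mail_Sender and Remote_Connection_to_Internal_Mail_Server.
KNOWN_MAIL_SERVERS = {"10.0.0.25"}
# Assumed "common IRC ports" and application signature names.
IRC_PORTS = {6667, 6697, 7000}
IM_APPS = {"MSN", "AIM", "YahooMessenger"}

GROUP_OF = {
    "Outbound_Mail_Sender": "Mail_Policy_Violation",
    "Remote_Connection_to_Internal_Mail_Server": "Mail_Policy_Violation",
    "IRC_Connection_to_Internet": "IRC_IM_Policy_Violation",
    "IM_Communications": "IRC_IM_Policy_Violation",
}


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed; fields modelled on a bidirectional flow)."""
    src: str
    sport: int
    dst: str
    dport: int
    app: str             # application signature, e.g. "SMTP", "IRC", "MSN"
    bidirectional: bool  # False for one-way traffic such as an unanswered SYN


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def classify(flow: Flow) -> list[str]:
    """Return the custom view objects the flow matches, in table order."""
    hits = []
    src_local, dst_local = is_local(flow.src), is_local(flow.dst)
    outbound = src_local and not dst_local
    inbound = dst_local and not src_local

    # Outbound_Mail_Sender: local host -> Internet on port 25 or carrying the
    # SMTP signature, excluding the sanctioned mail servers.
    if outbound and (flow.dport == 25 or flow.app == "SMTP") \
            and flow.src not in KNOWN_MAIL_SERVERS:
        hits.append("Outbound_Mail_Sender")

    # Remote_Connection_to_Internal_Mail_Server: bidirectional inbound flow on
    # port 25 to a local host that is not a sanctioned mail server.
    if flow.bidirectional and inbound and flow.dport == 25 \
            and flow.dst not in KNOWN_MAIL_SERVERS:
        hits.append("Remote_Connection_to_Internal_Mail_Server")

    # IRC_Connection_to_Internet: bidirectional local client -> Internet on a
    # common IRC port or carrying the IRC signature.
    if flow.bidirectional and outbound \
            and (flow.dport in IRC_PORTS or flow.app == "IRC"):
        hits.append("IRC_Connection_to_Internet")

    # IM_Communications: bidirectional flow from a local client with an IM signature.
    if flow.bidirectional and src_local and flow.app in IM_APPS:
        hits.append("IM_Communications")
    return hits


def summarize(flows) -> dict[str, list[Flow]]:
    """Group matching flows by the custom view group they fall under."""
    out: dict[str, list[Flow]] = {}
    for flow in flows:
        for obj in classify(flow):
            out.setdefault(GROUP_OF[obj], []).append(flow)
    return out


# Constructed sample flows (RFC 5737 documentation addresses on the Internet side).
SAMPLE_FLOWS = [
    Flow("10.0.0.25", 41000, "203.0.113.10", 25, "SMTP", True),   # sanctioned mail server
    Flow("10.0.5.7", 52000, "203.0.113.10", 25, "SMTP", True),    # workstation sending mail
    Flow("10.0.5.7", 52001, "203.0.113.11", 2525, "SMTP", True),  # SMTP on a non-standard port
    Flow("198.51.100.4", 33000, "10.0.9.9", 25, "SMTP", True),    # Internet -> unexpected local SMTP
    Flow("198.51.100.4", 33001, "10.0.0.25", 25, "SMTP", True),   # Internet -> sanctioned mail server
    Flow("10.0.5.7", 52002, "203.0.113.20", 6667, "IRC", True),   # IRC session
    Flow("10.0.5.7", 52003, "203.0.113.22", 6667, "IRC", False),  # one-way: no session established
    Flow("10.0.5.7", 52004, "203.0.113.21", 1863, "MSN", True),   # IM session
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"{flow.app:5} {classify(flow)}")
```

Two points the sample set is built to show: the SMTP signature catches mail sent on a port other than 25, which a port-only rule would miss, and the one-way IRC flow is not reported because the object as described requires a bidirectional flow (an unanswered connection attempt is not an active IRC connection).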
Default Custom Views