Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 264
Strm administration guide
Hide thumbs
Also See for SECURITY THREAT RESPONSE MANAGER 2008.2:
- Manual (228 pages) ,
- Getting started (14 pages) ,
- Release note (11 pages)
Table of Contents
Advertisement
256
E
T
NTERPRISE
EMPLATE
Table B-9 Default Rules (continued)
Rule
Default-Rule-Botnet:
Potential Botnet
Connection (DNS)
Default-Rule-Botnet:
Potential Botnet
Connection (IRC)
Default-Rule-Botnet:
Potential Botnet Events
Become Offenses
Default-Rule-
Compliance:
Compliance Events
Become Offenses
Default-Rule-
Compliance: Excessive
Failed Logins to
Compliance IS
Default-Rule-Database:
Attempted Configuration
Modification by a remote
host
Default-Rule-Database:
Concurrent Logins from
Multiple Locations
Default-Rule-Database:
Failures Followed by
User Changes
Default-Rule-Database:
Groups changed from
Remote Host
D
EFAULTS
Rule
Group
Type
Botnet,Exploit
Event
Botnet
Event
Botnet
Event
Compliance
Event
Compliance
Event
Compliance,
Event
Database
Compliance,
Event
Database
Compliance,
Event
Database
Compliance,
Event
Database
STRM Administration Guide
Enabled Description
False
Reports a host connecting or attempting to
connect to a DNS server on the Internet. This
may indicate a host connecting to a Botnet. The
host should be investigated for malicious code.
Do not enable this rule until you have tuned the
Default-BB-HostDefinition: DNS Servers building
block.
Note: Laptops that include wireless adapters
may cause this rule to generate alerts since the
laptops may attempt to communicate with
another IDPs DNS server. If this occurs, define
the ISPs DNS server in the
Default-BB-HostDefinition: DNS Servers building
block.
True
Reports a host connecting or attempting to
connect to an IRC server on the Internet. This
may indicate a host connecting to a Botnet. The
host should be investigated for malicious code.
True
Reports exploit attacks on events. Enable this
rule if you wish all events categorized as exploits
to create an offense.
False
Reports compliance-based events, such as,
clear text passwords.
False
Reports excessive authentication failures to a
compliance server within 10 minutes.
True
Reports when a configuration modification is
attempted to a database server from a remote
network.
True
Reports when several authentications to a
database server occur across many remote IP
addresses.
True
Reports when there are failures followed by the
addition or change of a user account.
True
Monitors changes to groups on a database
when the change is initiated from a remote
network.
Advertisement
Table of Contents
Related Manuals for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2
Related Products for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - AQL EVENT AND FLOW QUERY CLI GUIDE
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - EVENT CATEGORY CORRELATION REV 1
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - SNMP AGENT GUIDE REV 1
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1
- Juniper STRM LOG MANAGEMENT 2008.2 - S 6-2008
- Juniper MEDIA FLOW CONTROLLER 2.0.4 -
- Juniper MEDIA FLOW MANAGER 2.0.2 - ADMINISTRATOR S GUIDE AND CLI
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - M-SERIES AND MX-SERIES DEVICES GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - NSMXPRESS SERIES II REV 1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - REV1
- Juniper MEDIA FLOW CONTROLLER 2.0.5
- Juniper NETWORK AND SECURITY MANAGER 2010.3
- Juniper 200 Series