Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 264

ENTERPRISE TEMPLATE DEFAULTS (page 256)

Table B-9 Default Rules (continued)

Columns: Rule; Rule Group; Type; Enabled (default state); Description.

Rule: Default-Rule-Botnet: Potential Botnet Connection (DNS)
  Rule Group: Botnet, Exploit
  Type: Event
  Enabled: False
  Description: Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet; the host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block.
  Note: Laptops that include wireless adapters may cause this rule to generate alerts, because the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.

Rule: Default-Rule-Botnet: Potential Botnet Connection (IRC)
  Rule Group: Botnet
  Type: Event
  Enabled: True
  Description: Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a Botnet; the host should be investigated for malicious code.

Rule: Default-Rule-Botnet: Potential Botnet Events Become Offenses
  Rule Group: Botnet
  Type: Event
  Enabled: True
  Description: Reports exploit attacks seen in events. Enable this rule if you want every event categorized as an exploit to create an offense.

Rule: Default-Rule-Compliance: Compliance Events Become Offenses
  Rule Group: Compliance
  Type: Event
  Enabled: False
  Description: Reports compliance-based events, such as clear-text passwords.

Rule: Default-Rule-Compliance: Excessive Failed Logins to Compliance IS
  Rule Group: Compliance
  Type: Event
  Enabled: False
  Description: Reports excessive authentication failures to a compliance server within 10 minutes.

Rule: Default-Rule-Database: Attempted Configuration Modification by a remote host
  Rule Group: Compliance, Database
  Type: Event
  Enabled: True
  Description: Reports when a configuration modification is attempted on a database server from a remote network.

Rule: Default-Rule-Database: Concurrent Logins from Multiple Locations
  Rule Group: Compliance, Database
  Type: Event
  Enabled: True
  Description: Reports when several authentications to a database server occur across many remote IP addresses.

Rule: Default-Rule-Database: Failures Followed by User Changes
  Rule Group: Compliance, Database
  Type: Event
  Enabled: True
  Description: Reports when authentication failures are followed by the addition or change of a user account.

Rule: Default-Rule-Database: Groups changed from Remote Host
  Rule Group: Compliance, Database
  Type: Event
  Enabled: True
  Description: Monitors changes to groups on a database when the change is initiated from a remote network.

STRM Administration Guide
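The compliance and database rules above are time-window correlations: a burst of authentication failures within 10 minutes, failures followed by a user-account change, and logins to one database server from many remote addresses. The Python below, added here as an illustration and not STRM's own rule engine or rule syntax, runs that kind of logic over a constructed event list so the three conditions can be seen firing (and not firing) on concrete data. The event field names and category strings, the failure threshold of five and the three-source threshold are assumptions; only the 10-minute window comes from the table. Building-block tuning (for example which hosts count as database or compliance servers) is modelled simply by which destination IPs appear in the sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the 10-minute window stated in the table
FAILURE_THRESHOLD = 5            # assumed: the manual only says "excessive"
MIN_SOURCES = 3                  # assumed: the manual only says "many remote IP addresses"

# Constructed sample events (not STRM data). Fields: timestamp, category,
# source IP, destination IP, user. Category names are assumptions.
SAMPLE_EVENTS = [
    # Five failures against a compliance server inside ten minutes.
    ("2008-06-01 10:00:00", "Auth.Failure", "10.1.1.5", "10.2.2.10", "admin"),
    ("2008-06-01 10:01:00", "Auth.Failure", "10.1.1.5", "10.2.2.10", "admin"),
    ("2008-06-01 10:02:00", "Auth.Failure", "10.1.1.5", "10.2.2.10", "admin"),
    ("2008-06-01 10:03:00", "Auth.Failure", "10.1.1.5", "10.2.2.10", "admin"),
    ("2008-06-01 10:04:00", "Auth.Failure", "10.1.1.5", "10.2.2.10", "admin"),
    # Two failures half an hour apart: never five in one window, no offense.
    ("2008-06-01 09:00:00", "Auth.Failure", "10.1.1.6", "10.2.2.10", "audit"),
    ("2008-06-01 09:30:00", "Auth.Failure", "10.1.1.6", "10.2.2.10", "audit"),
    # Failure against a database server, then a new account from the same source.
    ("2008-06-01 11:00:00", "Auth.Failure", "10.1.1.7", "10.2.2.20", "sa"),
    ("2008-06-01 11:03:00", "User.Account.Added", "10.1.1.7", "10.2.2.20", "backup2"),
    # Account change with no preceding failure from that source: no offense.
    ("2008-06-01 12:00:00", "User.Account.Changed", "10.1.1.8", "10.2.2.20", "report"),
    # One database account used from three remote addresses within ten minutes.
    ("2008-06-01 13:00:00", "Auth.Success", "10.1.1.20", "10.2.2.20", "dba"),
    ("2008-06-01 13:02:00", "Auth.Success", "10.1.1.21", "10.2.2.20", "dba"),
    ("2008-06-01 13:05:00", "Auth.Success", "10.1.1.22", "10.2.2.20", "dba"),
]


def parse(events):
    """Convert timestamps to datetime and return the events in time order."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cat, src, dst, user)
        for ts, cat, src, dst, user in events
    )


def excessive_failed_logins(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag (src, dst) pairs that reach `threshold` failures inside a sliding window."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps of failures still in window
    offenses = []
    for ts, cat, src, dst, _user in parse(events):
        if cat != "Auth.Failure":
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            offenses.append((src, dst, ts))
            q.clear()                      # one burst produces one offense
    return offenses


def failures_followed_by_user_change(events, window=WINDOW):
    """Flag a user add/change on a host that saw an auth failure from the same source within the window."""
    last_failure = {}                      # (src, dst) -> time of most recent failure
    offenses = []
    for ts, cat, src, dst, user in parse(events):
        if cat == "Auth.Failure":
            last_failure[(src, dst)] = ts
        elif cat in ("User.Account.Added", "User.Account.Changed"):
            prior = last_failure.get((src, dst))
            if prior is not None and ts - prior <= window:
                offenses.append((src, dst, user, ts))
    return offenses


def concurrent_logins_multiple_locations(events, min_sources=MIN_SOURCES, window=WINDOW):
    """Flag a destination that accepts logins from `min_sources` distinct source IPs within the window."""
    recent = defaultdict(deque)   # dst -> (timestamp, src) of successes still in window
    offenses = []
    for ts, cat, src, dst, _user in parse(events):
        if cat != "Auth.Success":
            continue
        q = recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()
        sources = {s for _, s in q}
        if len(sources) >= min_sources:
            offenses.append((dst, tuple(sorted(sources)), ts))
            q.clear()
    return offenses


if __name__ == "__main__":
    for name, rule in (("Excessive failed logins", excessive_failed_logins),
                       ("Failures followed by user change", failures_followed_by_user_change),
                       ("Concurrent logins from multiple locations", concurrent_logins_multiple_locations)):
        print(name, rule(SAMPLE_EVENTS))
```

On the sample data each rule fires exactly once: the five-failure burst from 10.1.1.5, the account added from 10.1.1.7 three minutes after its failed login, and the `dba` account used from three addresses against 10.2.2.20. The two spread-out failures and the account change with no prior failure stay silent, which is the behaviour the thresholds and window are there to enforce; in a real deployment those thresholds, like the building blocks the table refers to, are what you tune before enabling a rule.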