Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 273

Table B-9 Default Rules (continued)

| Rule | Rule Group | Type | Enabled | Description |
|---|---|---|---|---|
| Default-Rule-Recon: Single Merged Recon Events | Recon | Event | True | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block. |
| Default-Rule-System: Device Stopped Sending Events | System | Event | False | Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add devices you wish to monitor. |
| Default-Rule-Recon: Multiple System Errors | System | Event | False | Reports when a source has 10 system errors within 3 minutes. |
| Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner | Compliance | Event | False | Reports when a vulnerability is discovered on a local host. |
| Default-Rule-Worms Detection: Local Mass Mailing Host Detected | Worm | Event | True | Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm. |
| Default-Rule-Worms Detection: Possible Local Worm Detected | Worm | Event | True | Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan. |
| Default-Rule-Worms Detection: Worm Detected (Events) | Worm | Event | True | Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic. |
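The thresholded System and Worm rules in the table above (20 SMTP flows in 1 minute, 300 hosts in 20 minutes, 10 system errors in 3 minutes, a source silent for over 1 hour), reproduced as an added sliding-window check over constructed flow and event records. This is example code written for this page, not STRM's rule engine; the record layouts, the short rule names used as labels and the sample hosts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as stated in the Default Rules table on this page.
MASS_MAIL = (20, timedelta(minutes=1))    # more than 20 SMTP flows in 1 minute
WORM_SCAN = (300, timedelta(minutes=20))  # more than 300 hosts in 20 minutes
SYS_ERRORS = (10, timedelta(minutes=3))   # 10 system errors within 3 minutes
SILENT = timedelta(hours=1)               # no event from a source in over 1 hour

def max_in_window(records, window, distinct=False):
    """records: (timestamp, value) pairs; largest count (or distinct-value count) in any window starting at a record."""
    recs = sorted(records, key=lambda r: r[0])
    best = 0
    for i, (start, _) in enumerate(recs):
        vals = [v for t, v in recs[i:] if t - start <= window]
        best = max(best, len(set(vals)) if distinct else len(vals))
    return best

def evaluate(flows, events, now):
    """flows: (time, src, dst, app); events: (time, source, category, target). Returns {(rule, source)} that fire."""
    smtp, recon, errors, last = defaultdict(list), defaultdict(list), defaultdict(list), {}
    for t, src, dst, app in flows:
        if app == "smtp":
            smtp[src].append((t, dst))
    for t, src, cat, target in events:
        last[src] = max(last.get(src, t), t)          # most recent event per source
        if cat == "recon":
            recon[src].append((t, target))            # distinct targets are counted
        elif cat == "system_error":
            errors[src].append((t, None))
    fired = {("Local Mass Mailing Host Detected", h) for h, r in smtp.items()
             if max_in_window(r, MASS_MAIL[1]) > MASS_MAIL[0]}
    fired |= {("Possible Local Worm Detected", h) for h, r in recon.items()
              if max_in_window(r, WORM_SCAN[1], distinct=True) > WORM_SCAN[0]}
    fired |= {("Multiple System Errors", s) for s, r in errors.items()
              if max_in_window(r, SYS_ERRORS[1]) >= SYS_ERRORS[0]}
    fired |= {("Device Stopped Sending Events", s) for s, t in last.items() if now - t > SILENT}
    return fired

def sample_input():
    """Constructed sample data (not from a real deployment): mass mailer, slow SMTP sender, scanner, erroring and silent devices."""
    t0 = datetime(2008, 6, 1, 12, 0, 0)
    flows = [(t0 + timedelta(seconds=2 * i), "10.0.0.5", f"203.0.113.{i}", "smtp") for i in range(25)]
    flows += [(t0 + timedelta(minutes=i), "10.0.0.6", "203.0.113.9", "smtp") for i in range(30)]  # 1/min: below threshold
    events = [(t0 + timedelta(seconds=3 * i), "10.0.0.7", "recon", f"10.0.{i // 250}.{i % 250}") for i in range(301)]
    events += [(t0 + timedelta(seconds=10 * i), "fw-01", "system_error", None) for i in range(10)]
    events += [(t0 - timedelta(hours=2), "ids-02", "auth", None)]
    return flows, events, t0 + timedelta(minutes=30)
```

Boundary handling (whether a record exactly on the window edge counts) is an assumption of this example; the table does not state it.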