Default Sentries - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

Appendix C: University Template Defaults

The University template includes settings with emphasis on internal network activities. This appendix provides the defaults for the University template, including:

Default Sentries
Default Custom Views
Default Rules
Default Building Blocks

Default Sentries

The default sentries for the University template include:

Table C-1 Default Sentries

Sentry: Behavior - Flow Count Behavior Change
Description: Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.

Sentry: Behavior - Host Count Behavior Change
Description: Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.

Sentry: Behavior - Threat Traffic Packet Rate Behavior Change
Description: Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.

Sentry: Default - Suspicious - Internal - Inbound Unidirectional Flows Threshold
Description: Detects an excessive rate (more than 1000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worm activity, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Sentry: DoS - External - Distributed DoS Attack (High Number of Hosts)
Description: Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
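As an added illustration, not STRM's own code, of how a threshold sentry such as Default - Suspicious - Internal - Inbound Unidirectional Flows Threshold can be evaluated: the Python below counts inbound flows whose local destination never responded in fixed 5-minute buckets, treats any bucket with more than 1000 such flows as one occurrence, and reports the sentry as fired after 5 occurrences. The flow record fields, the fixed (non-sliding) buckets and the sample traffic are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical flow record; the field names are assumptions, not STRM's schema.
@dataclass(frozen=True)
class Flow:
    ts: int             # epoch seconds when the flow was seen
    src: str
    dst: str
    dst_is_local: bool  # destination is in the local (internal) network
    resp_bytes: int     # bytes the destination sent back; 0 = unidirectional

WINDOW = 300          # "within the last 5 minutes"
RATE_LIMIT = 1000     # "more than 1000" inbound unidirectional flows
MIN_OCCURRENCES = 5   # "must occur 5 times before an alert generates"

def is_inbound_unidirectional(flow: Flow) -> bool:
    """Inbound flow whose local destination never answered."""
    return flow.dst_is_local and flow.resp_bytes == 0

def windows_over_threshold(flows, window=WINDOW, limit=RATE_LIMIT):
    """Start times of the 5-minute buckets in which inbound unidirectional
    flows exceed `limit`. Fixed buckets are an assumption; the guide does
    not say whether STRM's window slides."""
    per_window = Counter()
    for flow in flows:
        if is_inbound_unidirectional(flow):
            per_window[flow.ts - flow.ts % window] += 1
    return sorted(start for start, n in per_window.items() if n > limit)

def sentry_fires(flows, min_occurrences=MIN_OCCURRENCES) -> bool:
    """The sentry alerts once the threshold has been exceeded enough times."""
    return len(windows_over_threshold(flows)) >= min_occurrences

START = 1_700_000_100  # multiple of WINDOW, so each sample bucket is one window

def sample_flows(busy_windows: int, per_window: int):
    """Constructed sample traffic: `busy_windows` consecutive buckets, each
    with `per_window` unanswered inbound flows to 10.0.0.5 from many sources,
    plus answered traffic in both directions that must not be counted."""
    flows = []
    for w in range(busy_windows):
        base = START + w * WINDOW
        for i in range(per_window):
            flows.append(Flow(base + i % WINDOW, f"203.0.113.{i % 250}", "10.0.0.5", True, 0))
        flows.append(Flow(base + 1, "10.0.0.9", "198.51.100.1", False, 512))  # outbound, answered
        flows.append(Flow(base + 2, "198.51.100.7", "10.0.0.9", True, 1200))  # inbound, answered
    return flows
```

Five busy buckets of 1001 unanswered flows fire the sentry; four buckets, or buckets of exactly 1000 flows, do not.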