Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 293

Table C-1 Default Sentries (continued)

Sentry: Policy - External - Usenet Usage
Description: Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

Sentry: Policy - External - VNC Access From the Internet to a Local Host
Description: Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.

Sentry: Policy - P2P Policy Threshold
Description: Detects more than 100 KB/s of Peer-to-Peer (P2P) traffic within 5 minutes.

Sentry: Recon - External - ICMP Scan (High)
Description: Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Sentry: Recon - External - ICMP Scan (Low)
Description: Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network typically should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Recon - External - ICMP Scan (Medium)
Description: Detects a host scanning more than 5000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Sentry: Recon - External - Potential Network Scan
Description: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Sentry: Recon - External - Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
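As an added illustration (not STRM's own code or rule engine), the following Python evaluates the ICMP Scan (Low/Medium/High) thresholds and the Potential Network Scan heuristic from this table over per-minute flow records. The Flow record, the "icmp/8"-style packet signature and the min_hosts=10 default are assumptions; the sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds from Table C-1 (distinct hosts per minute over ICMP), most
# severe first so a source exceeding several tiers reports only one sentry.
ICMP_SCAN_TIERS = [
    (100_000, "Recon - External - ICMP Scan (High)"),
    (5_000, "Recon - External - ICMP Scan (Medium)"),
    (500, "Recon - External - ICMP Scan (Low)"),
]

@dataclass(frozen=True)
class Flow:  # assumed minimal flow record, not STRM's own schema
    src: str
    dst: str
    sig: str       # packet fingerprint such as "icmp/8" or "tcp/445"
    minute: int    # one-minute bucket the flow was observed in
    replied: bool  # True if the destination sent anything back

def icmp_scan_sentry(flows):
    """Map (src, minute) -> sentry name where the number of distinct ICMP
    destinations seen in that minute exceeds a tier threshold."""
    targets = defaultdict(set)
    for f in flows:
        if f.sig.startswith("icmp/"):
            targets[(f.src, f.minute)].add(f.dst)
    hits = {}
    for key, dsts in targets.items():
        for threshold, name in ICMP_SCAN_TIERS:
            if len(dsts) > threshold:
                hits[key] = name
                break
    return hits

def potential_network_scan_sentry(flows, min_hosts=10):
    """Return {(src, sig)} where one packet signature went to at least
    min_hosts distinct hosts that never replied. The table does not state
    the count behind 'a number of hosts'; min_hosts=10 is an assumed default."""
    unanswered = defaultdict(set)
    for f in flows:
        if not f.replied:
            unanswered[(f.src, f.sig)].add(f.dst)
    return {k for k, dsts in unanswered.items() if len(dsts) >= min_hosts}

def build_sample():
    """Constructed records: an ICMP sweep of 600 hosts (Low tier), one SMB probe
    sent unanswered to 25 hosts, and a monitor pinging 200 hosts that all reply."""
    flows = [Flow("10.0.0.5", f"10.1.{i // 256}.{i % 256}", "icmp/8", 0, False) for i in range(600)]
    flows += [Flow("10.0.0.9", f"10.2.0.{i}", "tcp/445", 0, False) for i in range(25)]
    flows += [Flow("10.0.0.1", f"10.3.0.{i}", "icmp/8", 0, True) for i in range(200)]
    return flows
```

Note that the unanswered ICMP sweep trips both sentries, while the monitor whose targets all reply trips neither; a source that is both fast and unanswered is the case worth checking for infection first.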
Default Sentries
285
