Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 296


288    UNIVERSITY TEMPLATE DEFAULTS
Table C-1 Default Sentries (continued)

Sentry / Description

Suspicious - External - Unidirectional TCP Flows
    Detects flows that indicate a host is sending an excessive quantity (at least 40)
    of unidirectional flows. Such flows can be normal, but client workstations and
    other devices should not be seen emitting them in large quantities, so they are
    considered suspicious.

Suspicious - Internal - Anomalous ICMP Flows
    Detects an excessive number of ICMP flows from one source IP address whose ICMP
    types and codes are considered abnormal when seen entering or leaving the network.
    By default, this activity must occur in at least 40 flows before an event is
    generated.

Suspicious - Internal - Invalid TCP Flag usage
    Detects flows with improper TCP flag combinations. This may indicate OS
    fingerprinting, DoS attacks, or other forms of reconnaissance. By default, this
    activity must occur in at least 10 flows before an event is generated.

Suspicious - External - Outbound Unidirectional Flows Threshold
    Detects an excessive rate of outbound unidirectional flows (remote host not
    responding) within 5 minutes.

Suspicious - Internal - Port 0 Flows Detected
    Detects flows whose source or destination port is 0. Such flows may be considered
    suspicious.

Suspicious - Internal - Rejected Communication Attempts
    Detects flows that indicate a host is attempting to establish connections to other
    hosts but is being refused or is answered only with packets containing no payload.
    By default, this activity must occur in at least 40 flows before an event is
    generated.

Suspicious - Internal - Unidirectional ICMP Detected
    Detects excessive unidirectional ICMP traffic from a single source. This may
    indicate an attempt to enumerate hosts on the network or other serious network
    issues. By default, this activity must occur in at least 40 flows before an event
    is generated.

Suspicious - Internal - Unidirectional ICMP Responses Detected
    Detects excessive unidirectional ICMP responses from a single source. This may
    indicate an attempt to enumerate hosts on the network or be an indicator of other
    serious network issues. By default, this activity must occur in at least 40 flows
    before an event is generated.

Suspicious - Internal - Unidirectional TCP Flows
    Detects flows that indicate a host is sending an excessive quantity (at least 40)
    of unidirectional flows. Such flows can be normal, but client workstations and
    other devices should not be seen emitting them in large quantities, so they are
    considered suspicious.
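As an added example (not STRM code and not part of the original manual), the following Python reimplements the per-source counting and thresholds that the Table C-1 descriptions give, run over a batch of constructed flow records. The Flow record layout, the set of "abnormal" ICMP types, the invalid TCP flag combinations, the "response with no payload" test and the threshold of 40 for the 5-minute outbound rule (the manual states no number for it) are all assumptions made here for illustration.

```python
"""Toy re-implementation of the Table C-1 flow sentries (assumed logic, not STRM's)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Flow:
    ts: int                              # seconds since start of the batch
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()       # TCP flags seen from the source
    resp_flags: frozenset = frozenset()  # TCP flags seen from the destination
    resp_bytes: int = 0                  # payload bytes returned by the destination
    icmp_type: int = -1
    internal_src: bool = True            # which side of the boundary the source sits on

    @property
    def unidirectional(self) -> bool:
        """No traffic at all came back from the destination."""
        return self.resp_bytes == 0 and not self.resp_flags


# Assumed sets; the manual does not enumerate which ICMP types it treats as abnormal.
ABNORMAL_ICMP = {13, 14, 15, 16, 17, 18}   # timestamp, info and address-mask requests/replies
ICMP_RESPONSES = {0, 14, 16, 18}           # echo, timestamp, info and address-mask replies


def invalid_tcp_flags(f: Flow) -> bool:
    """Flag combinations a legitimate TCP stack never emits (assumed set)."""
    fl = f.flags
    return f.proto == "tcp" and (
        not fl                              # NULL scan: no flags at all
        or {"SYN", "FIN"} <= fl             # SYN+FIN
        or {"FIN", "PSH", "URG"} <= fl      # XMAS
        or fl == {"FIN"}                    # FIN without ACK
    )


def rejected(f: Flow) -> bool:
    """Connection refused (RST) or answered only by payload-less packets (assumed test)."""
    return f.proto == "tcp" and ("RST" in f.resp_flags or (bool(f.resp_flags) and f.resp_bytes == 0))


@dataclass
class Sentry:
    name: str
    match: Callable[[Flow], bool]
    threshold: int          # minimum number of matching flows before an event is generated
    internal_src: bool      # True: watches internal sources; False: external sources
    window: int = 0         # seconds; 0 means count over the whole batch


SENTRIES = [
    Sentry("Suspicious - External - Unidirectional TCP Flows",
           lambda f: f.proto == "tcp" and f.unidirectional, 40, False),
    Sentry("Suspicious - Internal - Anomalous ICMP Flows",
           lambda f: f.proto == "icmp" and f.icmp_type in ABNORMAL_ICMP, 40, True),
    Sentry("Suspicious - Internal - Invalid TCP Flag usage", invalid_tcp_flags, 10, True),
    Sentry("Suspicious - External - Outbound Unidirectional Flows Threshold",
           lambda f: f.unidirectional, 40, True, window=300),   # threshold of 40 is assumed
    Sentry("Suspicious - Internal - Port 0 Flows Detected",
           lambda f: f.proto != "icmp" and (f.sport == 0 or f.dport == 0), 1, True),
    Sentry("Suspicious - Internal - Rejected Communication Attempts", rejected, 40, True),
    Sentry("Suspicious - Internal - Unidirectional ICMP Detected",
           lambda f: f.proto == "icmp" and f.icmp_type == 8 and f.unidirectional, 40, True),
    Sentry("Suspicious - Internal - Unidirectional ICMP Responses Detected",
           lambda f: f.proto == "icmp" and f.icmp_type in ICMP_RESPONSES and f.unidirectional, 40, True),
    Sentry("Suspicious - Internal - Unidirectional TCP Flows",
           lambda f: f.proto == "tcp" and f.unidirectional, 40, True),
]


def evaluate(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Return {(sentry name, source IP): matching flow count} for every source over its threshold."""
    hits: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for f in flows:
        for s in SENTRIES:
            if f.internal_src == s.internal_src and s.match(f):
                hits[(s.name, f.src)].append(f.ts)
    events = {}
    for (name, src), stamps in hits.items():
        s = next(x for x in SENTRIES if x.name == name)
        stamps.sort()
        count = len(stamps)
        if s.window:
            # rate rule: the largest number of flows falling inside any `window`-second span
            count, lo = 0, 0
            for hi, t in enumerate(stamps):
                while t - stamps[lo] >= s.window:
                    lo += 1
                count = max(count, hi - lo + 1)
        if count >= s.threshold:
            events[(name, src)] = count
    return events


def sample_flows() -> List[Flow]:
    """Constructed flow records for demonstration, not captured data."""
    flows: List[Flow] = []
    # internal 10.0.0.5: 45 unanswered SYNs spread 20 s apart (below the 5-minute rate, above the batch count)
    flows += [Flow(i * 20, "10.0.0.5", f"203.0.113.{i}", "tcp", 40000 + i, 445, frozenset({"SYN"}))
              for i in range(45)]
    # internal 10.0.0.12: 50 unanswered UDP probes in under two minutes (trips the 5-minute rate rule)
    flows += [Flow(i * 2, "10.0.0.12", "198.51.100.77", "udp", 5000 + i, 1000 + i) for i in range(50)]
    # internal 10.0.0.9: 12 NULL-flag TCP segments (invalid flags, too few for the unidirectional rule)
    flows += [Flow(i, "10.0.0.9", "10.0.0.1", "tcp", 50000 + i, 20 + i, frozenset()) for i in range(12)]
    # internal 10.0.0.7: a single UDP flow to port 0
    flows.append(Flow(5, "10.0.0.7", "10.0.0.1", "udp", 1234, 0))
    # external 198.51.100.20: exactly 40 unanswered SYNs, right at the threshold
    flows += [Flow(i * 3, "198.51.100.20", "10.0.0.1", "tcp", 60000 + i, 22, frozenset({"SYN"}),
                   internal_src=False) for i in range(40)]
    return flows


if __name__ == "__main__":
    for (name, src), n in sorted(evaluate(sample_flows()).items()):
        print(f"{name}: {src} ({n} flows)")
```

The constructed batch is chosen so that one host (10.0.0.5) crosses the whole-batch count of 40 unidirectional TCP flows without ever exceeding 40 within a 5-minute window, while another (10.0.0.12) does the opposite; this is the distinction between the "Unidirectional TCP Flows" sentry and the "Outbound Unidirectional Flows Threshold" rate sentry that the table's wording leaves implicit.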