Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 300

STRM Administration Guide
292 University Template Defaults
Table B-3 Custom Views - Threats View (continued)

Group: Suspicious_IP_Protocol_Usage
Objects: This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
• Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
• TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.
• Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate application failures to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
• Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.
• Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.
• Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP (or other flows not including TCP or ICMP) flows. This may be expected network behavior; however, an excessive quantity should be considered suspicious.
• Zero_Payload_Bidirectional_Flows - Detects flows that contain small amounts (if any) of payload. This may be the result of scans where the target responds with reset packets.
• Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
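As an added illustration of the flow checks this group bundles (example code, not part of STRM or this guide): a small Python classifier that applies the table's rules to constructed flow records and then counts unidirectional flows per source, which is the "excessive quantity from a single source" condition the table keeps pointing to. The flow field names, the set of TCP flag combinations treated as illegal, and the ICMP types counted as replies are this example's own assumptions; the guide does not enumerate them.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed flow record for this example; field names are not STRM's schema.
@dataclass
class Flow:
    src_ip: str
    proto: str                       # "tcp", "udp", "icmp" or another IP protocol
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()   # TCP flags seen from the source side
    src_bytes: int = 0               # payload bytes, source -> destination
    dst_bytes: int = 0               # payload bytes, destination -> source
    dst_packets: int = 0             # packets from the destination; 0 = unidirectional
    icmp_type: int = -1              # ICMP type of the source's packets, -1 if not ICMP
    duration_s: int = 0              # flow duration in seconds
    internet: bool = False           # remote side is outside the local network

# Assumed rule set: the guide does not list which combinations it treats as illegal.
def illegal_tcp_flags(f):
    s = f.flags
    return f.proto == "tcp" and (not s or {"SYN", "FIN"} <= s or {"SYN", "RST"} <= s
                                 or ({"FIN", "PSH", "URG"} <= s and "ACK" not in s))

def port_zero(f):
    return f.proto in ("tcp", "udp") and 0 in (f.src_port, f.dst_port)
def zero_payload_bidirectional(f, limit=0):
    return f.dst_packets > 0 and f.src_bytes <= limit and f.dst_bytes <= limit
def long_duration(f, hours=48):
    return f.internet and f.duration_s > hours * 3600

def classify(f):
    """Return the Table B-3 object names in Suspicious_IP_Protocol_Usage that f matches."""
    hits = []
    if illegal_tcp_flags(f): hits.append("Illegal_TCP_Flag_Combination")
    if port_zero(f): hits.append("TCP_UDP_Port_0")
    if f.dst_packets == 0:                      # unidirectional: nothing came back
        if f.proto == "tcp": hits.append("Unidirectional_TCP_Flows")
        elif f.proto == "icmp" and f.icmp_type in (0, 3):   # echo reply / unreachable
            hits.append("Unidirectional_ICMP_Reply")
        elif f.proto == "icmp": hits.append("Unidirectional_ICMP_Flows")
        else: hits.append("Unidirectional_UDP_And_Misc_Flows")
    if zero_payload_bidirectional(f): hits.append("Zero_Payload_Bidirectional_Flows")
    if long_duration(f): hits.append("Long_Duration_Flow")
    return hits

def noisy_sources(flows, threshold):
    """Sources with more than `threshold` unidirectional flows: the table's enumeration signal."""
    c = Counter(f.src_ip for f in flows if f.dst_packets == 0)
    return {ip: n for ip, n in c.items() if n > threshold}
```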