Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 335

Table D-1 Default Sentries (continued)

Sentry: Invalid TCP Flag usage
Description: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or other forms of reconnaissance. By default, this activity must occur a minimum of 10 times, in flows, before an event is generated.

Sentry: Potential Network Scan
Description: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Sentry: Potential Unresponsive Service or Distributed DoS
Description: Detects a low number of hosts sending identical, non-responsive packets to a single target.

Sentry: Scanning Activity (High)
Description: Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Sentry: Scanning Activity (Low)
Description: Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network typically should not exhibit this behavior for long periods of time. If the behavior continues for long periods, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Sentry: Scanning Activity (Medium)
Description: Detects a host performing reconnaissance activity at a high rate (5000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Sentry: Suspicious Inbound Packets
Description: Detects when the rate of inbound suspicious packets exceeds 1000 pps.

Sentry: Suspicious Outbound Packets
Description: Detects when the rate of outbound suspicious packets exceeds 1000 pps.

Sentry: TCP DoS
Description: Detects flows that appear to be a TCP DoS attack attempt.

Sentry: Threat Traffic Packet Rate Behavior Change
Description: Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, this activity must occur a minimum of 5 times, in flows, before an event is generated.
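The scanning-rate tiers and the unanswered-target condition described in the table, as an added Python example that is not STRM's own code: it classifies constructed flow records against the 500 / 5000 / 100,000 hosts-per-minute thresholds and flags sources whose identical probes get no reply. The flow fields and the 20-host minimum for Potential Network Scan are assumptions, since the table states no number for that sentry.

```python
from collections import defaultdict
from dataclasses import dataclass

# Tiers from Table D-1: distinct hosts contacted per minute by one source.
# Checked from the highest tier down, so a source lands in exactly one tier.
SCAN_TIERS = (("Scanning Activity (High)", 100_000),
              ("Scanning Activity (Medium)", 5_000),
              ("Scanning Activity (Low)", 500))

@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds (constructed sample values)
    src: str
    dst: str
    dport: int
    dst_bytes: int   # bytes the destination sent back; 0 means it never answered

def scanning_activity(flows):
    """Map (src, minute) -> tier name for each source whose count of distinct
    destinations within one minute reaches a Table D-1 threshold."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, f.ts // 60)].add(f.dst)
    verdicts = {}
    for key, dsts in seen.items():
        for name, limit in SCAN_TIERS:
            if len(dsts) >= limit:
                verdicts[key] = name
                break
    return verdicts

def potential_network_scan(flows, min_hosts=20):
    """Sources sending the same kind of packet (same dport) to at least
    min_hosts distinct destinations that never answered. min_hosts is an
    assumed value: Table D-1 states no number for this sentry."""
    quiet = defaultdict(set)
    for f in flows:
        if f.dst_bytes == 0:
            quiet[(f.src, f.dport)].add(f.dst)
    return {src for (src, _), dsts in quiet.items() if len(dsts) >= min_hosts}

def sample_flows():
    """Constructed data: 10.0.0.5 probes 600 hosts on port 445 within one
    minute and gets no reply; 10.0.0.9 talks to 3 servers that answer."""
    flows = [Flow(1020 + i % 60, "10.0.0.5", f"10.1.{i // 256}.{i % 256}", 445, 0)
             for i in range(600)]
    flows += [Flow(1020 + i, "10.0.0.9", f"10.2.0.{i}", 443, 1500) for i in range(3)]
    return flows
```

Running scanning_activity(sample_flows()) places 10.0.0.5 in the Low tier only, while the three answered server connections from 10.0.0.9 trigger nothing.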