Threats Group - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses,
protocols, server ports, and network sweeps, including:

Table D-3 Custom Views - Threats View

Group: Exceptions
Objects: This group includes:
• Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.

Group: DoS
Objects: The Denial of Service (DoS) group includes:
• Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
• Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
• Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
• Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
• Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
• Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.
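To make the thresholds in Table D-3 concrete, the following added example (not STRM code; the Flow record fields and function names are assumptions, and STRM evaluates these as custom-view objects rather than through any such API) classifies constructed flow summaries into the flood, DoS and multihost objects listed above, including the no-response and minimum-duration conditions that distinguish them.

```python
"""Classify constructed flow summaries against the Threats-view thresholds
from Table D-3.  Illustrative only: the Flow fields below are assumed, not
the product's own data model."""
from dataclasses import dataclass
from typing import Optional

# Rate ladder, highest first.  Assumption: the same ladder is used for both
# directions (the table lists 500 pps for Outbound_Flood_NoResponse_Medium,
# identical to Low, which would make Low unreachable).
FLOOD_LEVELS = (("High", 100_000), ("Medium", 5_000), ("Low", 500))
# Potential_*_DoS objects: protocol -> (min packets/sec, min duration in s)
DOS_RATES = {"tcp_syn": (300, 5), "udp": (750, 3), "icmp": (300, 2)}

@dataclass
class Flow:
    src_is_local: bool   # sender sits on the local network?
    protocol: str        # "tcp_syn", "udp", "icmp" or "tcp"
    pkts_per_sec: float  # packets observed from the source per second
    duration_s: float    # how long the flow has lasted
    response_pkts: int   # packets seen from the destination back to the source

def flood_object(flow: Flow) -> Optional[str]:
    """Inbound/Outbound_Flood_NoResponse_* fire only when nothing comes back."""
    if flow.response_pkts > 0:
        return None
    direction = "Outbound" if flow.src_is_local else "Inbound"
    for level, threshold in FLOOD_LEVELS:
        if flow.pkts_per_sec > threshold:
            return f"{direction}_Flood_NoResponse_{level}"
    return None

def dos_object(flow: Flow) -> Optional[str]:
    """Potential_TCP/UDP/ICMP_DoS require both a rate and a minimum duration."""
    spec = DOS_RATES.get(flow.protocol)
    if spec is None:
        return None
    rate, min_duration = spec
    if flow.pkts_per_sec > rate and flow.duration_s >= min_duration:
        return f"Potential_{flow.protocol.split('_')[0].upper()}_DoS"
    return None

def multihost_object(hosts_per_minute: int) -> Optional[str]:
    """Multihost_Attack_* reuse the High/Medium/Low ladder, in hosts per minute."""
    for level, threshold in FLOOD_LEVELS:
        if hosts_per_minute > threshold:
            return f"Multihost_Attack_{level}"
    return None
```

A short burst above 300 pps that dies before 5 seconds therefore never reaches Potential_TCP_DoS, while a flow that does get answered is excluded from the NoResponse objects regardless of rate.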