Default Rules - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

STRM Administration Guide
Default Rules

Default rules for the ISP template include:

Table D-9 Default Rules

Rule: Default-Response-E-mail: Offense E-mail Sender
Type: Offense
Enabled: False
Description: Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.

Rule: Default-Response-Syslog: Offense SYSLOG Sender
Type: Offense
Enabled: False
Description: Reports any offense matching the severity, credibility, or relevance minimum to syslog.

Rule: Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts
Type: Event
Enabled: False
Description: Reports excessive accepted firewall access attempts across multiple hosts: more than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.

Rule: Default-Rule-Anomaly: Excessive Firewall Denies from Single Source
Type: Event
Enabled: True
Description: Reports excessive denied firewall access attempts from a single local host: firewall or ACL denies from the same local source IP address were detected more than 400 times within 5 minutes.

Rule: Default-Rule-Anomaly: Long Duration Flow
Type: Event
Enabled: True
Description: Reports a flow to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

Rule: Default-Rule-Anomaly: Potential Honeypot Access
Type: Event
Enabled: False
Description: Reports an event targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like Addresses building block and create the appropriate sentry from the Network Surveillance interface.
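As an added example (not STRM's own code), the three anomaly thresholds from Table D-9 written as detection logic that runs over constructed firewall events and flow records. The event and flow record layout, the list of networks used to decide which hosts count as "local", and the fixed evaluation time are assumptions made for this illustration.

```python
"""Threshold checks mirroring the three anomaly rules in Table D-9.

Added example, not STRM code. Assumptions: events are dicts with
time/action/src/dst, flows are dicts with src/dst/start/end, and a host is
'local' when it falls inside LOCAL_NETS.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=5)      # both firewall rules use a 5-minute window
LONG_FLOW = timedelta(hours=48)    # Long Duration Flow threshold

# Assumption: the local network hierarchy is just these two ranges.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_local(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def in_window(events, now):
    """Keep only events whose timestamp lies within the last WINDOW."""
    start = now - WINDOW
    return [e for e in events if start < e["time"] <= now]


def excessive_accepts_across_hosts(events, now):
    """More than 100 accepts hitting at least 100 unique destination IPs in
    5 minutes. Returns (fires, accept_count, unique_destinations)."""
    accepts = [e for e in in_window(events, now) if e["action"] == "accept"]
    unique_dsts = len({e["dst"] for e in accepts})
    return len(accepts) > 100 and unique_dsts >= 100, len(accepts), unique_dsts


def excessive_denies_single_source(events, now):
    """More than 400 firewall/ACL denies from the same local source IP in
    5 minutes. Returns {source_ip: deny_count} for offending sources only."""
    denies = [e for e in in_window(events, now) if e["action"] == "deny"]
    per_src = Counter(e["src"] for e in denies)
    return {src: n for src, n in per_src.items() if n > 400 and is_local(src)}


def long_duration_flows(flows):
    """Flows with exactly one local end (i.e. talking to the Internet) that
    have lasted more than 48 hours."""
    return [f for f in flows
            if is_local(f["src"]) != is_local(f["dst"])
            and f["end"] - f["start"] > LONG_FLOW]


# Constructed sample data, not real traffic.
NOW = datetime(2008, 6, 1, 12, 5, 0)


def sample_events():
    events = []
    # 150 accepts inside the window, spread over 120 distinct destinations
    for i in range(150):
        events.append({"time": NOW - timedelta(seconds=2 * i), "action": "accept",
                       "src": "10.0.0.7", "dst": f"203.0.113.{i % 120}"})
    # 450 denies from one internal host, all within the last 5 minutes
    for i in range(450):
        events.append({"time": NOW - timedelta(seconds=i // 2), "action": "deny",
                       "src": "10.0.0.5", "dst": "198.51.100.9"})
    # an older deny burst that must be ignored because it is outside the window
    for _ in range(500):
        events.append({"time": NOW - timedelta(minutes=30), "action": "deny",
                       "src": "10.0.0.9", "dst": "198.51.100.9"})
    return events


def sample_flows():
    return [
        {"src": "10.0.0.12", "dst": "192.0.2.40",   # 50 h to the Internet: fires
         "start": NOW - timedelta(hours=50), "end": NOW},
        {"src": "10.0.0.12", "dst": "10.0.0.13",    # long but purely internal
         "start": NOW - timedelta(hours=72), "end": NOW},
        {"src": "10.0.0.14", "dst": "192.0.2.41",   # external but too short
         "start": NOW - timedelta(hours=3), "end": NOW},
    ]


if __name__ == "__main__":
    ev = sample_events()
    print("accepts rule:", excessive_accepts_across_hosts(ev, NOW))
    print("denies rule:", excessive_denies_single_source(ev, NOW))
    print("long flows:", [f["dst"] for f in long_duration_flows(sample_flows())])
```

The window check deliberately excludes the 30-minute-old deny burst: a naive count over the whole event list would report 10.0.0.9 as well, which is exactly the kind of false positive the "within 5 minutes" qualifier in the rule text is there to prevent.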
