Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual page 349


Table D-9 Default Rules (continued)

| Rule | Rule Type | Enabled | Description |
|---|---|---|---|
| Default-Rule-Recon: Aggressive Remote Scanner Detected | Event | True | Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. More than 50 targets received reconnaissance or suspicious events in less than 3 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system. |
| Default-Rule-Recon: Excessive Firewall Denies Across Multiple Hosts | Event | True | Reports excessive attempts, across multiple hosts, to access the firewall and access is denied. More than 200 attempts from a local source IP address are detected across at least 400 destination IP addresses in 5 minutes. |
| Default-Rule-Recon: Host Port Scan Detected by Local Host | Event | True | Reports a single source IP address scanning more than 100 ports in under 4 minutes. |
| Default-Rule-Recon: Host Port Scan Detected by Remote Host | Event | True | Reports more than 400 ports were scanned from a single source IP address in under 2 minutes. |
| Default-Rule-Recon: Increase Magnitude of High Rate Scans | Event | True | If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. |
| Default-Rule-Recon: Increase Magnitude of Medium Rate Scans | Event | True | If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. |
| Default-Rule-Recon: Local LDAP Server Scanner | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Database Scanner | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common local database ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Local DHCP Scanner | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. |
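The "more than N distinct targets from one source in under M minutes" pattern that the Recon rules above share, as an added Python example (not STRM's own rule engine): a sliding-window detector instantiated with three of the Table D-9 thresholds and run over constructed events. The local/remote distinction between the two port-scan rules is not modelled, and LDAP_PORTS is an assumed value because the table does not list the "common LDAP ports".

```python
from collections import defaultdict, deque
LDAP_PORTS = {389, 636}  # assumed "common LDAP ports"; Table D-9 does not list them

class Event:
    def __init__(self, ts, src, dst, dport):  # ts in seconds; events are fed in time order
        self.ts, self.src, self.dst, self.dport = ts, src, dst, dport

class DistinctTargetRule:
    """Fires once per source when it touches more than `threshold` distinct
    `key` values (ports, hosts, ...) within `window_s` seconds; `match`
    selects which events count."""
    def __init__(self, name, key, threshold, window_s, match=lambda e: True):
        self.name, self.key, self.threshold = name, key, threshold
        self.window_s, self.match = window_s, match
        self._hist = defaultdict(deque)  # src -> deque of (ts, key value)
        self._fired = set()

    def feed(self, ev):
        """Return (rule name, source, distinct count) when the rule fires, else None."""
        if not self.match(ev):
            return None
        q = self._hist[ev.src]
        q.append((ev.ts, self.key(ev)))
        while ev.ts - q[0][0] >= self.window_s:  # expire entries outside the window
            q.popleft()
        distinct = len({k for _, k in q})
        if distinct > self.threshold and ev.src not in self._fired:
            self._fired.add(ev.src)
            return (self.name, ev.src, distinct)
        return None

def run_rules(rules, events):
    """Feed every event to every rule and collect the offenses raised."""
    return [hit for ev in events for r in rules if (hit := r.feed(ev))]

def default_recon_rules():
    """Three Table D-9 thresholds, windows converted to seconds."""
    return [
        DistinctTargetRule("Host Port Scan Detected by Local Host", lambda e: e.dport, 100, 4 * 60),
        DistinctTargetRule("Host Port Scan Detected by Remote Host", lambda e: e.dport, 400, 2 * 60),
        DistinctTargetRule("Local LDAP Server Scanner", lambda e: e.dst, 60, 10 * 60,
                           lambda e: e.dport in LDAP_PORTS),
    ]

def sample_events():
    """Constructed traffic: fast scanner, slow scanner that stays under the window, LDAP sweep."""
    fast = [Event(1000 + i * 0.5, "10.0.0.5", "10.0.0.9", 1 + i) for i in range(120)]  # 120 ports / 60 s
    slow = [Event(2000 + i * 5, "10.0.0.6", "10.0.0.9", 1 + i) for i in range(120)]    # 120 ports / 600 s
    sweep = [Event(3000 + i * 4, "10.0.0.7", f"10.0.1.{i}", 389) for i in range(70)]   # 70 hosts / 280 s
    return sorted(fast + slow + sweep, key=lambda e: e.ts)
```

Only the fast scanner and the LDAP sweep raise offenses; the slow scanner never has more than 48 distinct ports inside any 4-minute window, which is exactly why the window length matters as much as the count.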
