Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT REV 1 Manual page 100

94   DEFAULT RULES AND BUILDING BLOCKS

Table B-6 Default Rules (continued)

| Rule | Group | Rule Type | Enabled | Description |
|---|---|---|---|---|
| Default-Rule-Database: Remote Login Success | Database | Event | True | Reports when a successful authentication occurs to a database server from a remote network. |
| Default-Rule-Database: User Rights Changed from Remote Host | Database | Event | True | Reports when changes to user privileges occur on a database from a remote network. |
| Default-Rule-DDoS Attack Detected | D\DoS | Event | False | Reports network Distributed Denial of Service (DDoS) attacks on a system. |
| Default-Rule-DoS: Network DoS Attack Detected | D\DoS | Event | True | Reports network Denial of Service (DoS) attacks on a system. |
| Default-Rule-DoS: Service DoS Attack Detected | D\DoS | Event | True | Reports a DoS attack against a local target that is known to exist and whose target port is open. |
| Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity | Exploit | Event | False | Reports exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes. |
| Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets | Exploit | Event | True | Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device. |
| Default-Rule-Exploit: Multiple Exploit Types Against Single target | Exploit | Event | True | Reports a target that is being attacked using multiple types of exploits from one or more attackers. |
| Default-Rule-Exploit: Potential VoIP Toll Fraud | Exploit | Event | False | Reports multiple failed logins to your VoIP hardware followed by sessions being opened, with at least 3 events detected within 30 seconds. This activity could indicate that unauthorized users are executing VoIP sessions on your network. |
| Default-Rule-Exploit: Recon followed by Exploit | Exploit | Event | True | Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour. |
| Default-Rule-False Positive: False Positive Rules and Building Blocks | False Positive | Event | True | Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but are dropped. If you add any new building blocks or rules to prevent events from becoming offenses, you must add those new rules or building blocks to this rule. |
