Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT REV 1 Manual page 119

STRM Log Management Users Guide

Table B-7 Default Building Blocks (continued)

| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
|---|---|---|---|---|
| Default-BB-Recon Detected: All Recon Rules | Recon | Event | Define all Juniper default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance such that other follow on tests can be performed. For example, reconnaissance followed by firewall accept. | |
| Default-BB-Recon Detected: Devices That Merge Recon into Single Event | Recon | Event | Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses. | |
| Default-BB-Recon Detected: Host Portscan | Recon | Event | Edit this BB to define reconnaissance scans on hosts in your deployment. | |
| Default-BB-Recon Detected: Port Scan Detected Across Multiple Hosts | Recon | Event | Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If internal, this may indicate an exploited machine or a worm scanning for targets. | |
| User-BB-FalsePositive: User Defined False Positives Tunings | User Tuning | Event | This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide. | |
