Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT REV 1 Manual page 97

Default Rules and Building Blocks

This appendix provides the defaults for the rules and building blocks, including:
Default Rules
Default Building Blocks

Default Rules

Default rules include:

Table B-6 Default Rules

| Rule | Group | Type | Enabled | Description |
|---|---|---|---|---|
| Default-Rule-Anomaly: Devices with High Event Rates | Anomaly | Event | False | Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices will be monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block. |
| Default-Rule-Anomaly: Excessive Database Connections | Anomaly | Event | True | Reports an excessive number of successful database connections. |
| Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts | Anomaly | Event | True | Reports excessive firewall accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes. |
| Default-Rule-Anomaly: Excessive Firewall Denies from Single Source | Anomaly | Event | True | Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes. |
| Default-Rule-Anomaly: Potential Honeypot Access | Anomaly | Event | False | Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface. |
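The two firewall anomaly rules in Table B-6 are threshold counts over a 5-minute window. The script below is an added example, not STRM code, that replays constructed firewall events in time order through a sliding window and reports when each rule's stated condition (more than 100 accepts across at least 100 unique destinations; more than 400 denies from one source to one destination) is first met. The event line format and all addresses are constructed for the example.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
ACCEPT_RULE = "Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts"
DENY_RULE = "Default-Rule-Anomaly: Excessive Firewall Denies from Single Source"
ACCEPT_MIN_EVENTS, ACCEPT_MIN_UNIQUE_DST = 100, 100   # thresholds as stated in Table B-6
DENY_MIN_EVENTS = 400                                 # threshold as stated in Table B-6

def parse_event(line):
    """Constructed line format: '<ISO-8601 time> <accept|deny> <src-ip> <dst-ip>'."""
    ts, action, src, dst = line.split()
    return datetime.fromisoformat(ts), action, src, dst

def evaluate(lines):
    """Replay events in time order over a sliding 5-minute window and return
    {rule name: time at which the rule's condition was first met}."""
    fired, window = {}, deque()
    accepts = Counter()   # accept events per destination IP inside the window
    denies = Counter()    # deny events per (source, destination) pair inside the window
    for ev in sorted(parse_event(l) for l in lines):
        ts, action, src, dst = ev
        window.append(ev)
        if action == "accept":
            accepts[dst] += 1
        else:
            denies[(src, dst)] += 1
        while ts - window[0][0] > WINDOW:          # drop events older than 5 minutes
            _, o_action, o_src, o_dst = window.popleft()
            counter, key = (accepts, o_dst) if o_action == "accept" else (denies, (o_src, o_dst))
            counter[key] -= 1
            if counter[key] == 0:
                del counter[key]                   # so len(accepts) == distinct destinations
        if sum(accepts.values()) > ACCEPT_MIN_EVENTS and len(accepts) >= ACCEPT_MIN_UNIQUE_DST:
            fired.setdefault(ACCEPT_RULE, ts)
        if action == "deny" and denies[(src, dst)] > DENY_MIN_EVENTS:
            fired.setdefault(DENY_RULE, ts)
    return fired

def sample_lines():
    """Constructed events: an accept burst to many hosts, a fast deny burst from one
    source, and a slow deny trickle that never reaches 400 in any 5-minute window."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} accept 198.51.100.7 10.0.0.{i}"
             for i in range(101)]                                      # 101 accepts, 101 destinations
    lines += [f"{(base + timedelta(milliseconds=500 * i)).isoformat()} deny 192.0.2.10 10.0.1.1"
              for i in range(401)]                                     # 401 denies within 200 s
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} deny 192.0.2.20 10.0.1.2"
              for i in range(500)]                                     # 500 denies spread over 499 s
    return lines

if __name__ == "__main__":
    for rule, when in evaluate(sample_lines()).items():
        print(f"{when.isoformat()}  {rule}")
```

The slow deny series shows why the window matters: 500 denies from one source exceed the raw count, but at most 301 of them fall inside any 5-minute window, so that rule correctly stays quiet for it.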