Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT REV 1 Manual page 99

Table B-6 Default Rules (continued)

| Rule | Rule Group | Type | Enabled | Description |
|---|---|---|---|---|
| Default-Rule-Botnet: Potential Botnet Connection (DNS) | Botnet, Exploit | Event | False | Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block. |
| Default-Rule-Botnet: Potential Botnet Connection (IRC) | Botnet | Event | True | Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code. |
| Default-Rule-Compliance: Compliance Events Become Offenses | Compliance | Event | False | Reports compliance-based events, such as clear text passwords. |
| Default-Rule-Compliance: Excessive Failed Logins to Compliance IS | Compliance | Event | False | Reports excessive authentication failures to a compliance server within 10 minutes. |
| Default-Rule-Database: Attempted Configuration Modification by a remote host | Database | Event | True | Reports when a configuration modification is attempted on a database server from a remote network. |
| Default-Rule-Database: Concurrent Logins from Multiple Locations | Database | Event | True | Reports when several authentications to a database server occur across many remote IP addresses. |
| Default-Rule-Database: Failures Followed by User Changes | Database | Event | True | Reports when there are failures followed by the addition or change of a user account. |
| Default-Rule-Database: Groups changed from Remote Host | Database | Event | True | Monitors changes to groups on a database when the change is initiated from a remote network. |
| Default-Rule-Database: Multiple Database Failures Followed by Success | Database | Event | True | Reports when there are multiple database failures followed by a success within a short period of time. |
| Default-Rule-Database: Remote Login Failure | Database | Event | True | Increases the severity of a failed login attempt to a database from a remote network. |
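The two sequence rules in the Database group ("Multiple Database Failures Followed by Success" and "Failures Followed by User Changes") describe stateful, per-source correlation rather than a single-event match. The following is an added illustration of that logic, not STRM's own rule engine: the event names, the failure threshold and the window length are assumed values, and the sample events are constructed.

```python
# Added illustration (not STRM code): a minimal stateful detector for the
# sequence semantics of two default rules in Table B-6, run over constructed
# database audit events. Threshold and window are assumed values.
from collections import defaultdict

FAIL_THRESHOLD = 3      # assumed: failures needed before a success is suspicious
WINDOW_SECONDS = 300    # assumed: the "short period of time" in the rule text

# Constructed sample events: (timestamp, source_ip, event_type)
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "db_login_failure"),
    (130, "10.0.0.5", "db_login_failure"),
    (160, "10.0.0.5", "db_login_failure"),
    (190, "10.0.0.5", "db_login_success"),   # 3 failures then success -> alert
    (200, "10.0.0.9", "db_login_failure"),
    (220, "10.0.0.9", "db_user_modified"),   # failure then user change -> alert
    (900, "10.0.0.5", "db_login_success"),   # earlier failures expired -> no alert
]

def evaluate(events):
    """Return a list of (rule_name, source_ip, timestamp) alerts.

    Keeps recent login failures per source address and fires when the
    follow-on event (success or user-account change) arrives inside the
    window, mirroring the rule descriptions in the table above.
    """
    recent_failures = defaultdict(list)   # source_ip -> failure timestamps
    alerts = []
    for ts, src, kind in sorted(events):
        # Expire failures that fell out of the window before evaluating.
        recent_failures[src] = [t for t in recent_failures[src]
                                if ts - t <= WINDOW_SECONDS]
        if kind == "db_login_failure":
            recent_failures[src].append(ts)
        elif kind == "db_login_success":
            if len(recent_failures[src]) >= FAIL_THRESHOLD:
                alerts.append(("Multiple Database Failures Followed by Success", src, ts))
            recent_failures[src].clear()   # the sequence completed; reset state
        elif kind == "db_user_modified":
            if recent_failures[src]:
                alerts.append(("Failures Followed by User Changes", src, ts))
            recent_failures[src].clear()
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the window and threshold are what tuning adjusts; the 900-second event shows why expiring old failures matters for false-positive control.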
Default Rules
93