About Sentries; Types Of Sentries - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1 Manual

40

Managing Sentries
About Sentries

Types of Sentries

You can create sentries that perform actions when certain specified conditions are met. These actions can include sending an e-mail notification or storing sentry event information. You can also add sentry alerts for a specific traffic type.

You can save Packages for use with other sentries. For example, if you create a DDoS Package, you can create sentries at different locations in your network using the DDoS Package.

Note: For more information on the Offense Manager, see Offenses.
Sentries contain the following components:

Logic Unit - Includes the specific algorithms used to test objects. The Logic Unit contains the default variables for the sentry.

Package - Contains the view objects (default variables) that are forwarded to the Logic Unit, and the default variables to be used by the sentry. All variables in the Package configuration have priority over the Logic Unit variables. The objects are created from any defined view, with the exception of the main network view. For example, a Package may contain all applications that you wish to monitor for inappropriate use.

Sentry - Specifies the network location to which you wish the sentry to apply. The network location component of the sentry can also specify any restrictions that you wish to enforce. The variables in the sentry component have priority over the Package and Logic Unit variables. For example, you can configure a sentry to monitor the accounting department network location between 8 am and 5 pm. However, you can also specify that you only wish to be notified of any misuse if the activity continues for more than 10 minutes.
You can create the following types of sentries:

- Behavior
- Anomaly
- Security/Policy
- Threshold
- Custom
Behavior

A Behavior sentry monitors your deployment for volume changes in behavior that occur in regular seasonal patterns. STRM learns how a particular object typically behaves over a period of time and then records the number of hosts communicating with your network at different points of the day. This allows STRM to develop an accurate profile of seasonal behavior. For example, if a mail server typically communicates with 100 hosts per second in the middle of the night and then suddenly starts communicating with 1000 hosts a second, STRM generates an alert.
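The following is an added example and not code from the STRM manual or from Juniper. It models the two ideas described above in plain Python: the three-layer variable precedence (Sentry overrides Package, which overrides Logic Unit) and a Behavior-style check that learns a per-hour-of-day baseline of hosts per second and alerts only when the deviation persists for the sentry's minimum duration inside its time window. All variable names (deviation_factor, min_duration_minutes, window_start_hour, window_end_hour, location), the sample history and the one-minute samples are constructed assumptions, not STRM configuration keys.

```python
"""Toy model of STRM-style sentry layering and a Behavior baseline check.
Added example: the variable names and data below are constructed, not STRM's."""
from collections import defaultdict
from statistics import mean

# Layer 1: Logic Unit defaults (hypothetical variable names).
LOGIC_UNIT_DEFAULTS = {
    "deviation_factor": 5.0,     # alert when rate >= factor * learned baseline
    "min_duration_minutes": 1,   # deviation must persist this many samples
    "window_start_hour": 0,      # monitoring window [start, end) in hours
    "window_end_hour": 24,
    "location": None,            # network location the sentry applies to
}

# Layer 2: a reusable Package (the manual's "DDoS Package" idea), constructed.
DDOS_PACKAGE = {"deviation_factor": 4.0}

# Layer 3: sentries bound to a network location, constructed.
ACCOUNTING_SENTRY = {
    "location": "accounting",
    "window_start_hour": 8,      # 8 am to 5 pm, as in the manual's example
    "window_end_hour": 17,
    "min_duration_minutes": 10,  # only notify if misuse continues > 10 minutes
}
MAIL_SENTRY = {"location": "mail-dmz"}  # everything else stays at defaults

# Constructed learning history: (hour_of_day, hosts_per_second) observations.
HISTORY = [(2, 100), (2, 110), (2, 90), (14, 800), (14, 820), (14, 780)]

# Constructed one-minute samples: (hour, minute, hosts_per_second).
# Night-time burst from ~100 to 1000 hosts/s lasting 12 minutes (minutes 3..14).
NIGHT_SAMPLES = [(2, m, 100 if m < 3 else 1000) for m in range(15)]
# Business-hour burst that lasts only 5 minutes (minutes 20..24 of hour 14).
DAY_SAMPLES = [(14, m, 5000 if 20 <= m < 25 else 800) for m in range(30)]


def resolve_variables(logic_unit, package=None, sentry=None):
    """Sentry variables override Package variables, which override the Logic Unit."""
    resolved = dict(logic_unit)
    resolved.update(package or {})
    resolved.update(sentry or {})
    return resolved


def learn_baseline(history):
    """Seasonal profile: mean hosts/second for each hour of the day seen in history."""
    buckets = defaultdict(list)
    for hour, rate in history:
        buckets[hour].append(rate)
    return {hour: mean(rates) for hour, rates in buckets.items()}


def evaluate_behavior_sentry(baseline, samples, variables):
    """Return one alert per sustained deviation.

    A deviation is a sample inside the window whose rate is at least
    deviation_factor times the learned baseline for that hour; an alert fires
    when min_duration_minutes consecutive samples deviate."""
    factor = variables["deviation_factor"]
    min_duration = variables["min_duration_minutes"]
    start, end = variables["window_start_hour"], variables["window_end_hour"]
    alerts, streak, streak_start = [], 0, None
    for hour, minute, rate in samples:
        expected = baseline.get(hour)
        deviates = (start <= hour < end and expected is not None
                    and rate >= factor * expected)
        if not deviates:
            streak, streak_start = 0, None
            continue
        if streak == 0:
            streak_start = (hour, minute)
        streak += 1
        if streak == min_duration:  # fires once per sustained burst
            alerts.append({"location": variables["location"], "start": streak_start,
                           "observed": rate, "baseline": expected})
    return alerts


def run_sentry(sentry, package, history, samples, logic_unit=LOGIC_UNIT_DEFAULTS):
    """Resolve the three layers, learn the baseline, then evaluate the samples."""
    variables = resolve_variables(logic_unit, package, sentry)
    return evaluate_behavior_sentry(learn_baseline(history), samples, variables)


if __name__ == "__main__":
    print("mail sentry, night burst:", run_sentry(MAIL_SENTRY, None, HISTORY, NIGHT_SAMPLES))
    print("accounting sentry, night burst (outside window):",
          run_sentry(ACCOUNTING_SENTRY, DDOS_PACKAGE, HISTORY, NIGHT_SAMPLES))
    print("accounting sentry, 5-minute day burst (too short):",
          run_sentry(ACCOUNTING_SENTRY, DDOS_PACKAGE, HISTORY, DAY_SAMPLES))
```

Running it shows the mail sentry alerting at the first night-time sample over 500 hosts/s (five times its learned baseline of 100), while the accounting sentry stays quiet on the same burst because 2 am is outside its 8 am to 5 pm window, and also stays quiet on a 5-minute daytime burst because its 10-minute minimum duration is not met. The `resolve_variables` merge order is what gives the Sentry layer the last word, matching the precedence the manual describes.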
STRM Users Guide, Chapter 5: Investigating