Release 2008.3
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has
been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These
specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV
technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Configuring DSMs
Release 2008.3
Revision History
January 2009—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
1 MANAGING USERS
Managing Roles 3
Viewing Roles 3
Creating a Role 4
Editing a Role 8
Deleting a Role 9
Managing User Accounts 10
Creating a User Account 10
Editing a User Account 11
Disabling a User Account 12
Authenticating Users 12
3 SETTING UP STRM
Creating Your Network Hierarchy 29
Considerations 29
Defining Your Network Hierarchy 30
Scheduling Automatic Updates 34
Scheduling Automatic Updates 34
Updating Your Files On-Demand 36
Configuring System Settings 37
Configuring System Notifications 42
Configuring the Console Settings 45
Starting and Stopping STRM 48
Resetting SIM 48
8 OVERVIEW
About the Interface 127
Accessing the Administration Console 128
Using the Interface 128
Deploying Changes 129
9 MANAGING SENTRIES
About Sentries 131
Viewing Sentries 132
Editing Sentry Details 133
Managing Packages 138
Creating a Sentry Package 138
Editing a Sentry Package 140
Managing Logic Units 141
Creating a Logic Unit 141
Editing a Logic Unit 144
10 MANAGING VIEWS
Using STRM Views 145
About Views 145
About Global Views 146
Defining Unique Objects 147
Managing Ports View 148
Default Ports Views 148
Adding a Ports Object 148
Editing a Ports Object 150
Managing Application Views 152
Default Application Views 152
Adding an Applications Object 153
Editing an Applications Object 155
Managing Remote Networks View 157
Default Remote Networks Views 157
Adding a Remote Networks Object 157
Editing a Remote Networks Object 159
Managing Remote Services Views 160
Default Remote Services Views 160
Adding a Remote Services Object 161
Editing a Remote Services Object 162
Managing Collector Views 164
Adding a Flow Collector Object 164
Editing a Flow Collector Object 165
Managing Custom Views 167
About Custom Views 167
Editing Custom Views 176
Editing the Equation 177
Enabling and Disabling Views 178
Using Best Practices 180
11 CONFIGURING RULES
Viewing Rules 182
Enabling/Disabling Rules 183
Creating a Rule 183
Event Rule Tests 193
Offense Rule Tests 209
Copying a Rule 215
Deleting a Rule 215
Grouping Rules 216
Viewing Groups 216
Creating a Group 216
Editing a Group 218
Copying an Item to Another Group(s) 218
Deleting an Item from a Group 220
Assigning an Item to a Group 220
Editing Building Blocks 220
12 DISCOVERING SERVERS
The STRM Administration Guide provides you with information for managing
STRM functionality requiring administrative access.
Audience
This guide is intended for the system administrator responsible for setting up
STRM in your network. This guide assumes that you have STRM administrative
access and a knowledge of your corporate network and networking technologies.
Conventions
Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Technical Documentation
You can access technical documentation, technical notes, and release notes
directly from the Juniper Customer Support web site at
https://www.juniper.net/support. Once you access the Technical Support web site,
locate the product and software release for which you require documentation.
Your comments are important to us. Please send your e-mail comments about this
guide or any of the Juniper Networks documentation to:
techpubs-comments@juniper.net.
Contacting Customer Support
To help you resolve any issues that you may encounter when installing or
maintaining STRM, you can contact Customer Support as follows:
• Open a support case using the Case Management link at
http://www.juniper.net/support.
• Call 1-888-314-JTAC (from the United States, Canada, or Mexico)
or 1-408-745-9500 (from elsewhere).
Managing Users
You can add or remove user accounts for all users that you want to access STRM.
Each user is associated with a role, which determines the privileges the user has
to functionality and information within STRM. You can also restrict or allow access
to areas of the network.
Managing Roles
You must create a role before you can create user accounts. STRM ships with a
default administrative role, which provides access to all areas of STRM.
A user that is assigned administrative privileges (including the default
administrative role) cannot edit their own account. Another administrative user
must make any desired changes.
Parameter Description
Role Specifies the defined user role.
Devices Specifies the devices you want this role to access. This
allows you to restrict or grant access for users assigned to
the role to view logs, events, and offense data received from
assigned security and network devices or device groups.
For non-administrative users, this column indicates a link
that allows an administrative user to edit the permissions for
the role. For more information on editing a user role, see
Editing a Role.
To view the list of devices that have been assigned to this
role, move your mouse over the text in the Devices column.
Associated Users Specifies the users associated with this role.
Action Allows you to edit or delete the user role.
Step 4 Enter values for the parameters. You must select at least one permission to
proceed.
Table 2-2 Create Roles Parameters
Parameter Description
Role Name Specify the name of the role. The name can be up to 15
characters in length and may contain only letters and digits.
Administrator Select the check box if you want to grant this user
administrative access to the STRM interface. Within the
administrator role, you can grant additional access to the
following:
• System Administrator - Select this check box if you
want to allow users access to all areas of STRM except
Views. Users with this access are not able to edit other
administrator accounts.
• Administrator Manager - Select this check box if you
want to allow users the ability to create and edit other
administrative user accounts. If you select this check box,
the System Administrator check box is automatically
selected.
• Views Administrator - Select this check box if you want
to allow users the ability to create, edit, or delete Views.
For example, the Application View and the Ports View.
Parameter Description
Offense Management Select the check box if you want to grant this user access to
Offense Manager functionality. Within the Offense Manager
functionality, you can grant additional access to the
following:
• Assign Offenses to Users - Select the check box if you
want to allow users to assign offenses to other users.
• Customized Rule Creation - Select the check box if you
want to allow users to create custom rules.
For more information on the Offense Manager, see the
STRM Users Guide.
Event Viewer Select the check box if you want this user to have access to
the Event Viewer. Within the Event Viewer, you can also
grant users additional access to the following:
• User Defined Event Properties - Select the check box if
you want to allow users the ability to create user-defined
event properties.
• Event Search Restrictions Override - Select the check
box if you want to allow users the ability to override event
search restrictions.
• Customized Rule Creation functionality - Select the
check box if you want to allow users to create rules using
the Event Viewer.
For more information on the Event Viewer, see the STRM
Users Guide.
Asset Management Select the check box if you want to grant this user access to
Asset Management functionality. Within the Asset
Management functionality, you can grant additional access
to the following:
• Server Discovery - Select the check box if you want to
allow users the ability to discover servers.
• View VA Data - Select the check box if you want to allow
users access to vulnerability assessment data.
• Perform VA Scans - Select the check box if you want to
allow users to perform vulnerability assessment scans.
Parameter Description
Network Surveillance Select the check box if you want to grant this user access to
Network Surveillance functionality. Within the Network
Surveillance functionality, you can grant additional access to
the following:
• View Flows - Select the check box if you want to allow
users access to content captured using the View Flows
function.
• View Flow Content - Select the check box if you want to
allow users access to data accessed through the View
Flow box.
• View Flows Restrictions Override - Select the check
box if you want to allow users the ability to override sentry
restrictions.
• Sentry Modification - Select the check box if you want to
allow users to modify existing sentries.
For more information, see the STRM Users Guide.
Reporting Select the check box if you want to grant this user access to
Reporting functionality. Within the Reporting functionality,
you can grant users additional access to the following:
• Distribute Reports via Email - Select the check box if
you want to allow users to distribute reports through
e-mail.
• Maintain Templates - Select the check box if you want to
allow users to maintain reporting templates.
For more information, see the STRM Users Guide.
Step 7 From the left panel, click a device or device group that you want users assigned to
this role to have access.
The selected device moves to the Selected Device Objects field.
Step 8 Repeat for all devices.
Step 9 Click Next.
Step 10 Click Return.
Step 11 Close the Manage Roles window.
The STRM Administration Console appears.
Step 12 From the menu, select Configurations > Deploy Configuration Changes.
Managing User Accounts
You can create a STRM user account, which allows a user access to selected
network components using the STRM interface. You can also create multiple
accounts for your system that include administrative privileges. Only the main
administrative account can create accounts that have administrative privileges.
You can create and edit user accounts to access STRM including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account
Parameter Description
Username Specify a username for the new user. The username must not
include spaces or special characters.
Password Specify a password for the user to gain access. The password
must be at least five characters in length.
Confirm Password Re-enter the password for confirmation.
Email Address Specify the user’s e-mail address.
Role Using the drop-down list box, select the role you want this user to
assume. For information on roles, see Managing Roles. If you
select Admin, this process is complete.
Step 7 From the menu tree, select the network objects you want this user to be able to
monitor.
The selected network objects appear in the Selected Network Object panel.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 9 Close the Manage Users window.
The STRM Administration Console appears.
Authenticating Users
You can configure authentication to validate STRM users and passwords. STRM
supports the following user authentication types:
• System Authentication - Users are authenticated locally by STRM. This is the
default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication
Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM
forwards the username and password to the RADIUS server for authentication.
Only the password is hidden on the wire (using the shared secret, as RADIUS
specifies); the username is sent in clear text.
• TACACS Authentication - Users are authenticated by a TACACS server.
• LDAP/Active Directory Authentication - Users are authenticated against an
LDAP directory or Active Directory.
To configure authentication:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authentication icon.
The Authentication window appears.
Step 3 From the Authentication Module drop-down list box, select the authentication type
you want to configure.
Step 4 Configure the selected authentication type:
a If you selected System Authentication, go to Step 5.
b If you selected RADIUS Authentication, enter values for the following
parameters:
Parameter Description
RADIUS Server Specify the hostname or IP address of the RADIUS server.
RADIUS Port Specify the port of the RADIUS server.
Authentication Type Specify the type of authentication you want to perform. The
options are:
• CHAP (Challenge Handshake Authentication Protocol) - Challenge-response
authentication; the client returns an MD5 hash of the challenge and the
password, so the password itself is not transmitted.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) -
Microsoft's CHAP variant, used to authenticate Windows workstations.
• ARAP (Apple Remote Access Protocol) - Authentication for AppleTalk remote
access clients.
• PAP (Password Authentication Protocol) - The password is sent as clear
text between the user and the server; on the RADIUS leg it is protected
only by the shared-secret hiding that RADIUS applies to the User-Password
attribute.
Shared Secret Specify the shared secret that STRM uses to hide user passwords
in requests to the RADIUS server. It must match the secret configured on the
RADIUS server.
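The RADIUS option above says that only the password is hidden on its way to the RADIUS server. The following is an added example, not code from this guide or from STRM, that shows what that means on the wire: it builds an Access-Request as RFC 2865 specifies, once with PAP (User-Password hidden with the shared secret) and once with CHAP (the RFC 1994 challenge-response), then parses the packet back the way a sniffer between STRM and the server would. The username, password and shared secret are constructed values; the packet builder and parser are minimal implementations written for this example, not a RADIUS library.

```python
"""Added example (not STRM code): what a RADIUS Access-Request carries for PAP
versus CHAP, per RFC 2865 (User-Password hiding) and RFC 1994 (CHAP).
All names, passwords and the shared secret used with it are constructed values."""
import hashlib
import hmac
import secrets
from typing import Optional

ACCESS_REQUEST = 1                                                    # RADIUS packet code
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60  # attribute types


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed on the Request
    Authenticator. This hides the password from an observer who does not know
    the shared secret; it is not encryption in the modern sense."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1 to 128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side of the same chain; anyone holding the shared secret can do this."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier + password + Challenge).
    The password never leaves the client, which is CHAP's advantage over PAP."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored clear-text password, compare in constant time."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: Type (1 byte), Length (1 byte, counts itself and Type), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(username: bytes, password: bytes, secret: bytes, method: str,
                         identifier: int = 0,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with User-Name in the clear and either a hidden
    User-Password (PAP) or a CHAP-Password/CHAP-Challenge pair (CHAP)."""
    ra = request_authenticator or secrets.token_bytes(16)
    attrs = _attr(USER_NAME, username)            # the username is always clear text
    if method == "pap":
        attrs += _attr(USER_PASSWORD, hide_user_password(password, secret, ra))
    elif method == "chap":
        ident = identifier & 0xFF
        attrs += _attr(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, ra))
        attrs += _attr(CHAP_CHALLENGE, ra)        # the Request Authenticator doubles as the challenge here
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    length = 20 + len(attrs)                      # 20-byte header: Code, Identifier, Length, Authenticator
    return bytes([ACCESS_REQUEST, identifier & 0xFF]) + length.to_bytes(2, "big") + ra + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the header: what a sniffer on the path sees."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs
```

With PAP, anyone who learns the shared secret can recover every password that was sent through it, so the secret deserves the same handling as the passwords it protects. With CHAP the password never leaves the client, but a captured challenge and response still allow an offline dictionary attack, so the path between STRM and the RADIUS server deserves protection in either case.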
c If you selected TACACS Authentication, enter values for the following
parameters:
Parameter Description
TACACS Server Specify the hostname or IP address of the TACACS server.
TACACS Port Specify the port of the TACACS server.
Authentication Type Specify the type of authentication you want to perform. The
options are:
• ASCII - Plain username and password login exchange.
• PAP (Password Authentication Protocol) - The password is sent as clear
text between the user and the server.
• CHAP (Challenge Handshake Authentication Protocol) - Challenge-response
authentication; the password itself is not transmitted.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) -
Microsoft's CHAP variant, used to authenticate Windows workstations.
• MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol
version 2) - Authenticates Windows workstations using mutual
authentication.
• EAPMD5 (Extensible Authentication Protocol, MD5-Challenge method) -
Carries a CHAP-style MD5 challenge-response inside EAP.
Shared Secret Specify the shared secret that STRM uses to protect TACACS
credentials in transit. It must match the secret configured on the TACACS
server.
d If you selected LDAP/ Active Directory, enter values for the following
parameters:
Table 2-6 LDAP/ Active Directory Parameters
Parameter Description
Server URL Specify the URL used to connect to the LDAP server. For
example, ldap://<host>:<port>
LDAP Context Specify the LDAP context you want to use, for example,
DC=Q1LABS,DC=INC.
LDAP Domain Specify the domain you want to use, for example q1labs.inc
Managing Your License Keys
For your STRM Console, a default license key provides you access to the interface
for 5 weeks. You must manage your license key using the System Management
window in the STRM Administration Console. This interface provides the status of
the license key for each system (host) in your deployment including:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see
Updating your License Key.
• Override Console License - This host is using the Console license key. You
can use the Console key or apply a license key for this system. If you want to
use the Console license for any system in your deployment, click Default
License in the Manage License window. The license for that system will default
to the Console license key.
Updating your License Key
For your STRM Console, a default license key provides you access to the interface
for 5 weeks. Choose one of the following options for assistance with your license
key:
• For a new or updated license key, please contact your local sales
representative.
• For all other technical issues, please contact Juniper Networks Customer
Support.
If you log in to STRM and your Console license key has expired, you are
automatically directed to the System Management window. You must update the
license key before you can continue. However, if one of your non-Console systems
includes an expired license key, a message appears when you log in indicating a
system requires a new license key. You must navigate to the System Management
window to update that license key.
Step 5 Once you locate and select the license key, click Open.
The Current License Details window appears.
Step 6 Click Save.
A message appears indicating the license key was successfully updated.
Note: If you want to revert back to the previous license key, click Revert to
Deployed. If you revert to the license key used by the STRM Console system,
click Revert to Console.
Step 7 Close the license key window.
The Administration Console appears.
Step 8 From the menu, select Configurations > Deploy All.
The license key information is updated in your deployment.
Exporting Your License Key Information
To export your license key information for all systems in your deployment:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears providing a list of all hosts in your
deployment.
Step 3 In the View Agent column, click View Agent for the SNMP agent you want to
access.
The SNMP Agent appears.
Configuring Access Settings
The System Configuration tab provides access to the web-based system
administration interface, which allows you to configure firewall rules, interface
roles, passwords, and system time. This section includes:
• Firewall access. See Configuring Firewall Access.
• Update your host set-up. See Updating Your Host Set-up.
• Configure the interface roles for a host. See Configuring Interface Roles.
• Change the password of a host. See Changing Passwords.
• Update the system time. See Updating System Time.
Configuring Firewall Access
You can configure local firewall access to enable communications between
devices and STRM. Also, you can define access to the web-based system
administration interface.
Step 6 In the Device Access box, list every STRM system that must be able to reach
this managed host. Access is denied by default: only the managed hosts listed
have access. For example, if you enter one IP address, only that address is
granted access to the managed host and all other managed hosts are blocked.
To configure access:
a In the IP Address field, enter the IP address of the managed host you want to
have access.
b From the Protocol list box, select the protocol you want to enable access for the
specified IP address and port:
- UDP - Allows UDP traffic.
- TCP - Allows TCP traffic.
- Any - Allows any traffic.
c In the Port field, enter the port on which you want to enable communications.
Note: If you change your External Flow Source Monitoring Port parameter in the
QFlow Configuration, you must also update your firewall access configuration.
d Click Allow.
Step 7 In the System Administration Web Control box, in the IP Address field, enter
the IP addresses of the hosts that you want to allow to reach the web-based system
administration interface. Only the addresses listed have access to the interface.
If you leave the field blank, every IP address has access. Click Allow.
Note: Make sure you include the IP address of the client desktop from which you
access the interface. If you omit it, that desktop loses access to the interface.
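The two boxes in Step 6 and Step 7 default in opposite directions: Device Access denies anything not listed, while a blank System Administration Web Control list allows everyone. The following is an added example, not STRM's own code and not from this guide, that models both lists so a planned configuration can be checked, including the lock-out case in the Note, before you click Allow. The addresses and ports are constructed, and the iptables rendering assumes (our assumption, not the guide's) a Linux managed host that enforces the lists with iptables and serves the administration interface on TCP 443.

```python
"""Added example (not STRM code): a model of the two allow-lists on a managed
host as the guide describes them, with the different default behaviours of the
Device Access box and the Web Control box. Addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class DeviceRule:
    ip: str            # IP Address field: one managed host
    protocol: str      # Protocol list box, normalised to "UDP", "TCP" or "ANY"
    port: int          # Port field


@dataclass
class HostFirewall:
    # Device Access box: deny by default, only listed managed hosts get through.
    device_access: List[DeviceRule] = field(default_factory=list)
    # System Administration Web Control box: blank means every address is allowed.
    web_control: List[str] = field(default_factory=list)

    def allow_device(self, ip: str, protocol: str, port: int) -> None:
        protocol = protocol.upper()
        if protocol not in ("UDP", "TCP", "ANY"):
            raise ValueError("protocol must be UDP, TCP or Any")
        ipaddress.ip_address(ip)                      # reject typos before they become rules
        self.device_access.append(DeviceRule(ip, protocol, port))

    def allow_web(self, ip: str) -> None:
        ipaddress.ip_address(ip)
        self.web_control.append(ip)

    def device_traffic_allowed(self, src_ip: str, protocol: str, port: int) -> bool:
        """Managed-host traffic: no matching entry means no access (deny by default)."""
        src = ipaddress.ip_address(src_ip)
        return any(ipaddress.ip_address(r.ip) == src and r.port == port
                   and r.protocol in ("ANY", protocol.upper())
                   for r in self.device_access)

    def web_admin_allowed(self, src_ip: str) -> bool:
        """Web administration interface: an empty list is allow-all, not deny-all."""
        if not self.web_control:
            return True
        src = ipaddress.ip_address(src_ip)
        return any(ipaddress.ip_address(w) == src for w in self.web_control)

    def locks_out(self, admin_desktop_ip: str) -> bool:
        """The Note in code: a non-empty list that omits your own desktop
        cuts that desktop off from the interface."""
        return bool(self.web_control) and not self.web_admin_allowed(admin_desktop_ip)

    def to_iptables(self, web_port: int = 443) -> List[str]:
        """Equivalent Linux iptables rules, assuming (our assumption, not the
        guide's) that the managed host enforces these lists with iptables and
        serves the administration interface on web_port."""
        rules = []
        for r in self.device_access:
            protos = ("udp", "tcp") if r.protocol == "ANY" else (r.protocol.lower(),)
            for proto in protos:
                rules.append(f"iptables -A INPUT -s {r.ip}/32 -p {proto} --dport {r.port} -j ACCEPT")
        if self.web_control:                          # blank list: no web rules at all, everyone gets in
            for w in self.web_control:
                rules.append(f"iptables -A INPUT -s {w}/32 -p tcp --dport {web_port} -j ACCEPT")
            rules.append(f"iptables -A INPUT -p tcp --dport {web_port} -j DROP")
        return rules
```

Run locks_out with the address of the desktop you administer from before applying a Web Control list; the model returns True exactly in the case the Note warns about.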
Updating Your Host Set-up
You can use the web-based system administration interface to configure the mail
server you want STRM to use, the global password for STRM configuration, and
the IP address for the STRM Console:
Step 6 You must enable communications between the STRM Console and the current
host. In the Enter the IP address of the STRM console field, enter the IP address
of the managed host operating the STRM Console.
Step 7 In the Mail Server field, specify the address for the mail server you want STRM to
use. STRM uses this mail server to distribute alerts and event messages. To use
the mail server provided with STRM, enter localhost.
Step 8 In the Enter the global configuration password field, enter the password you
want to use to access the host. Confirm the entered password.
Note: The global configuration password must be the same throughout your
deployment. If you edit this password, you must also edit the global configuration
password on all systems in your deployment.
Step 9 In the Enter the web address of the console field, enter the IP address of the
managed host operating the STRM Console.
Step 10 Click Apply Configuration.
Configuring Interface Roles
You can assign specific roles to the network interfaces on each managed host.
To assign roles:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host you want to configure interface roles, click Manage System.
Step 4 Log-in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > Network Interfaces.
The Network Interfaces window appears with a list of each interface on your
managed host.
Note: For assistance with determining the appropriate role for each interface,
please contact Juniper Networks Customer Support.
Step 6 For each interface listed, select the role you want to assign to the interface using
the Role list box.
Step 7 Click Save Configuration.
Step 8 Wait for the interface to refresh before continuing.
Updating System Time
You are able to change the time for the following options:
• System time
• Hardware time
• Time Zone
• Time Server
Note: All system time changes must be made within the System Time window. You
must change the system time information on the host operating the Console only.
The change is then distributed to all managed hosts in your deployment.
You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Configuring Time Settings For Your System
Caution: The time settings window is divided into four sections. You must save
each setting before continuing. For example, when you configure System Time,
you must click Apply within the System Time section before continuing.
Step 6 In the Time Zone box, select the time zone in which this managed host is located
using the Change timezone to list box. Click Save.
Step 7 In the Time Server box, you must specify the following options:
• Timeserver hostnames or addresses - Specify the time server hostname or
IP address.
• Set hardware time too - Select the check box if you want to set the hardware
time as well.
• Synchronize on schedule? - Select one of the following options:
- No - Select this option if you do not want scheduled synchronization. Go to
Step 8.
- Yes - Select this option to synchronize on a schedule, using the options
below.
• Simple Schedule - Select this option if you want the update to run at a simple,
predefined time. Otherwise, select the Run at times selected below option.
• Times and dates are selected below - Specify the times at which you want the
update to run.
Step 8 Click Sync and Apply.
Caution: The time settings window is divided into four sections. You must save
each setting before continuing. For example, when you configure System Time,
you must click Apply within the System Time section before continuing.
Step 6 In the Time Zone box, select the time zone in which this managed host is located
using the Change timezone to list box. Click Save.
Step 7 In the System Time box, you must specify the current date and time you want to
assign to the managed host. Click Apply.
If you want to set the System Time to the same as the Hardware time, click Set
system time to hardware time.
Step 8 In the Hardware Time box, you must specify the current date and time you want to
assign to the managed host. Click Save.
If you want to set the System Time to the same as the Hardware time, click Set
hardware time to system time.
Creating Your Network Hierarchy
STRM uses the network hierarchy to understand your network traffic and provide
you with the ability to view network activity for your entire deployment.
Considerations
When you develop your network hierarchy, you should consider the most effective
method for viewing network activity. Note that the network you configure in STRM
does not have to resemble the physical deployment of your network. STRM
supports any network hierarchy that can be defined by a range of IP addresses.
You can create your network based on many different variables, including
geographical or business units.
• Within a group, place servers with high volumes of traffic, such as mail servers,
at the top of the group. This provides you a clear visual representation when a
discrepancy occurs. We recommend that you extend this practice to all views.
• Combine multiple CIDR ranges or subnets into a single network/group to
conserve disk space. For example:
Note: We recommend that you do not configure a network group with more than 15
objects. This may cause you difficulty in viewing detailed information for each
group.
You may also want to define an all-encompassing group so that when you define new
networks, the appropriate policies and behavioral monitors are applied. For
example:
If you add a new network to the above example, such as 10.10.50.0/24, which is
an HR department, the traffic appears as Cleveland-based and any policies or
sentries applied to the Cleveland group are applied by default.
Step 3 From the menu tree, select the areas of the network you want to add a network
component.
The Manage Group window appears for the selected network component.
Step 4 Click Add.
The Add Network Object window appears.
Parameter Action
Group Specify the group for the new network object. Click Add Group
to specify the group.
Name Specify the name for the object.
Weight Specify the weight of the object. The range is 0 to 100 and
indicates the importance of the object in the system.
IP/CIDR(s) Specify the CIDR range(s) for this object. For more information
on CIDR values, see Accepted CIDR Values.
Description Specify a description for this network object.
Color Specify a color for this object.
Database Length Specify the database length.
Note: We recommend adding key servers as individual objects and grouping other
major but related servers into multi-CIDR objects.
Accepted CIDR Values
CIDR Length  Mask             Number of Networks  Hosts
/1           128.0.0.0        128 A               2,147,483,392
/2           192.0.0.0        64 A                1,073,741,696
/3           224.0.0.0        32 A                536,870,848
/4           240.0.0.0        16 A                268,435,424
/5           248.0.0.0        8 A                 134,217,712
/6           252.0.0.0        4 A                 67,108,856
/7           254.0.0.0        2 A                 33,554,428
/8           255.0.0.0        1 A                 16,777,214
/9           255.128.0.0      128 B               8,388,352
/10          255.192.0.0      64 B                4,194,176
/11          255.224.0.0      32 B                2,097,088
/12          255.240.0.0      16 B                1,048,544
/13          255.248.0.0      8 B                 524,272
/14          255.252.0.0      4 B                 262,136
/15          255.254.0.0      2 B                 131,068
/16          255.255.0.0      1 B                 65,534
/17          255.255.128.0    128 C               32,512
/18          255.255.192.0    64 C                16,256
/19          255.255.224.0    32 C                8,128
/20          255.255.240.0    16 C                4,064
/21          255.255.248.0    8 C                 2,032
/22          255.255.252.0    4 C                 1,016
/23          255.255.254.0    2 C                 508
/24          255.255.255.0    1 C                 254
/25          255.255.255.128  2 subnets           126
/26          255.255.255.192  4 subnets           62
/27          255.255.255.224  8 subnets           30
/28          255.255.255.240  16 subnets          14
/29          255.255.255.248  32 subnets          6
/30          255.255.255.252  64 subnets          2
/31          255.255.255.254  none                none
/32          255.255.255.255  1/256 C             1
Hosts are usable addresses (network and broadcast addresses excluded). For
prefixes shorter than a classful boundary, the figure is summed over the classful
networks listed (for example, /17 is 128 class C networks of 254 hosts each); for
/25 to /30 it is the usable hosts in each subnet. The table does not reflect
RFC 3021 point-to-point use of /31.
A network is called a supernet when the prefix boundary contains fewer bits than
the network's natural (that is, classful) mask, and a subnet when the prefix
boundary contains more bits than the natural mask. For example:
• 209.60.128.0 is a class C network address with a natural mask of /24.
• 209.60.128.0 /22 is a supernet that yields:
209.60.128.0 /24
209.60.129.0 /24
209.60.130.0 /24
209.60.131.0 /24
• 192.0.0.0 /25
Subnet Host Range
0 192.0.0.1-192.0.0.126
1 192.0.0.129-192.0.0.254
• 192.0.0.0 /26
Subnet Host Range
0 192.0.0.1 - 192.0.0.62
1 192.0.0.65 - 192.0.0.126
2 192.0.0.129 - 192.0.0.190
3 192.0.0.193 - 192.0.0.254
• 192.0.0.0 /27
Subnet Host Range
0 192.0.0.1 - 192.0.0.30
1 192.0.0.33 - 192.0.0.62
2 192.0.0.65 - 192.0.0.94
3 192.0.0.97 - 192.0.0.126
4 192.0.0.129 - 192.0.0.158
5 192.0.0.161 - 192.0.0.190
6 192.0.0.193 - 192.0.0.222
7 192.0.0.225 - 192.0.0.254
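The all-encompassing group described earlier and the CIDR tables above rest on two pieces of arithmetic: longest-prefix matching of an address into the hierarchy, and splitting or collapsing prefixes. The following is an added example, not from this guide or from STRM, that does both with Python's ipaddress module. The Cleveland hierarchy is constructed (the guide names only 10.10.50.0/24 as a new HR network that falls under Cleveland); the host counts follow the Accepted CIDR Values table, and the subnet and supernet functions reproduce the 192.0.0.0 and 209.60.128.0 listings above.

```python
"""Added example (not STRM code): longest-prefix classification into a network
hierarchy, plus the subnet and supernet arithmetic behind the CIDR tables.
The hierarchy below is constructed; only 10.10.50.0/24 comes from the guide."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed hierarchy (assumption). Cleveland's /16 is the all-encompassing
# group; the mail servers are a multi-CIDR object and DC1 a key server on its own.
HIERARCHY: Dict[str, List[str]] = {
    "Cleveland": ["10.10.0.0/16"],
    "Cleveland/MailServers": ["10.10.1.0/24", "10.10.2.0/24"],
    "Cleveland/DC1": ["10.10.3.10/32"],
}


def classify(addr: str, hierarchy: Dict[str, List[str]] = HIERARCHY) -> Optional[str]:
    """Most specific (longest prefix) object containing addr, or None when the
    traffic falls outside the hierarchy. A new subnet inside the catch-all
    inherits its policies and sentries until it gets an object of its own."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[int, str]] = None
    for name, cidrs in hierarchy.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1] if best else None


def usable_hosts(prefixlen: int) -> int:
    """Usable host addresses in one IPv4 prefix, counted as the Accepted CIDR
    Values table does: network and broadcast excluded, /32 is one host and
    /31 has none (RFC 3021 point-to-point use is not reflected there)."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 0
    return 2 ** (32 - prefixlen) - 2


def subnets(network: str, new_prefix: int) -> List[Tuple[int, str, str]]:
    """Split a network into equal subnets and list each host range, the way the
    /25, /26 and /27 listings above do."""
    out = []
    for index, sub in enumerate(ipaddress.ip_network(network).subnets(new_prefix=new_prefix)):
        edge = 0 if sub.prefixlen >= 31 else 1       # no network/broadcast to skip on /31 and /32
        first = sub.network_address + edge
        last = sub.broadcast_address - edge
        out.append((index, str(first), str(last)))
    return out


def supernet(cidrs: List[str]) -> List[str]:
    """Collapse adjacent networks into the fewest covering prefixes (the
    supernet example: four /24s become one /22). Non-adjacent input stays split."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

classify answers the question in the HR example directly: an address in 10.10.50.0/24 resolves to Cleveland until an HR object is added, after which the longer prefix wins. supernet is the check to run before combining several CIDRs into one object, since only contiguous, aligned ranges collapse into a single prefix.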
STRM allows you to either replace your existing configuration files or integrate the
updates with your existing files to maintain the integrity of your current
configuration and information.
You can also update the configuration files for all systems in your STRM
deployment. However, the views must already be created in your deployment
editor. For more information, see Chapter 6 Using the Deployment Editor.
Caution: Failing to build your deployment map before you configure automatic or
manual updates results in your remote systems not being updated.
Step 3 In the Update Method list box, select the method you want to use for updating your
files:
• Auto Integrate - Integrates the new configuration files with your existing files to
maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new
configuration files.
Step 4 By default, all views are updated. To prevent views from being updated, select the
check box(es) in the Protected Views section for the views you do not want to
update with the new configuration files. The configuration files for the selected
views are not updated.
Step 5 Schedule automatic updates:
a Select the Schedule Autoupdates check box to enable automatic updates
based on the frequency configured in the next step.
b In the Frequency list boxes, select the frequency of the automatic updates. You
must select the frequency (Monthly, Daily, Weekly), date, and time. You must
select the Schedule Autoupdates check box to save the configured frequency.
Otherwise, the frequency defaults to weekly.
Step 6 Click Save.
Step 7 From the menu, select Configurations > Deploy Configuration Changes.
The updates are enforced through your deployment.
Note: STRM automatic updates are not enforced through your deployment
automatically. After each automatic update, you must log in to STRM and from the
Updating Your Files On-Demand
You can update your files, whenever necessary, using the Auto-Update window.
To update your files:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Auto Update icon.
The Auto-Update Configuration window appears.
Step 3 In the Update Method list box, select the method you want to use for updating your
files:
• Auto Integrate - Integrates the new configuration files with your existing files to
maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new
configuration files.
Step 4 In the Protected Views section, select the check box(es) for the views you do not
want to update with the new configuration files. The configuration files for the
selected views are not updated.
Step 5 Click Save and Update Now.
Your views are updated.
Step 6 From the menu, select Configurations > Deploy Configuration Changes.
The updates are enforced through your deployment.
Configuring System Settings
Using the Administration Console, you can configure the system, database, and
sentry settings.
Parameter Description
Settings
Administrative Email Address: Specify the e-mail address of the designated system administrator. The default is root@localhost.
Alert Email From Address: Specify the e-mail address from which you want to receive e-mail alerts.
Resolution Interval Length: Specify the interval length, in minutes. The default is 1 minute.
Delete Root Mail: Root mail is the default location for host context messages. Specify one of the following:
• Yes - Delete the local administrator e-mail. This is the default.
• No - Do not delete local administrator e-mail.
Temporary Files Retention Period: Specify the time period the system stores temporary files. The default is 6 hours.
Asset Profile Reporting Interval: Specify the interval, in seconds, that the database stores new asset profile information. The default is 900 seconds.
Asset Profile Views: Specify the views you want the system to use when accumulating asset profile data.
VIS Passive Asset Profile Interval: Specify the interval, in seconds, that the database stores all passive asset profile information. The default is 86,400 seconds.
Audit Log Enable: Enables or disables the ability to collect audit logs. You can view audit log information using the Event Viewer. The default is Yes.
TNC Recommendation Enable: Trusted Network Computing (TNC) recommendations enable you to restrict or deny access to the network based on user name or other credentials. Specify one of the following:
• Yes - Enables the TNC recommendation functionality.
• No - Disables the TNC recommendation functionality.
Coalescing Events: Enables or disables the ability for a sensor device to coalesce (bundle) events. This value applies to all sensor devices. However, if you want to alter this value for a specific sensor device, edit the Coalescing Event parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.
Store Event Payload: Enables or disables the ability for a sensor device to store event payload information. This value applies to all sensor devices. However, if you want to alter this value for a specific sensor device, edit the Event Payload parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.
Global Iptables Access: Specify the IP address of a non-Console system that does not have an iptables configuration and to which you want to enable direct access. To enter multiple systems, enter a comma-separated list of IP addresses.
Dynamic Custom View Deploy Interval: Specify the interval, in seconds, at which changes to any dynamic custom view, such as ASN or ifIndex views, are deployed. When the Classification Engine collects dynamic view information and reports it to configuration services, this is the interval at which the configuration services component deploys the changes. The default is 15 seconds.
Database Settings
User Data Files: Specify the location of the user profiles. The default is /store/users.
Database Storage Location: Specify the location of the database files. The default location is /store/db.
Sentry Database Location: Specify the location of the sentry database. The default is /store/sentry/db.
Network View Graph Retention Period: Using the drop-down list box, select the period of time you want to store the network view graph information. The default is 4 weeks.
All Views - Group Database Retention Period: Using the drop-down list box, select the period of time you want to store the group views information. The default is 1 week.
All Views - Object Database Retention Period: Using the drop-down list box, select the period of time you want to store the object views information. The default is 1 week.
Offense Retention Period: Using the drop-down list box, select the period of time you want to retain offense information. The default is 3 days.
Identity History Retention Period: Using the drop-down list box, select the length of time you want to store asset profile history records. The default is 1 week.
Attacker History Retention Period: Specify the amount of time that you want to store the attacker history. The default is 6 months.
Ariel Database Settings
Flow Data Storage Location: Specify the location where you want to store the flow log information. The default location is /store/ariel/flows.
Flow Data Retention Period: Specify the period of time you want to store flow data. The default is 1 week.
Asset Profile Storage Location: Specify the location where you want to store the asset profile information. The default location is /store/ariel/hprof.
Asset Profile Retention Period: Specify the period of time, in days, that you want to store the asset profile information. The default is 30 days.
Device Log Storage Location: Specify the location where you want to store the device log information. The default location is /store/ariel/events.
Device Log Data Retention Period: Specify the amount of time that you want to store the device log data. The default is 30 days.
Custom View Retention Period: Specify the amount of time, in seconds, that you want to store custom view information. The default is 2,592,000 seconds.
Maximum Real Time Results: Specify the maximum number of results you want to view in the Event Viewer and Flow Viewer. The default is 10,000.
Reporting Max Matched Results: Specify the maximum number of results you want a report to return. This value applies to the search results in the Event Viewer and Flow Viewer. The default is 1,000,000.
Command Line Max Matched Results: Specify the maximum number of results you want the command line to return. The default is 0.
Web Execution Time Limit: Specify the maximum amount of time, in seconds, you want a query in the interface to process before a time-out occurs. This value applies to the search results in the Event Viewer and Flow Viewer. The default is 600 seconds.
Reporting Execution Time Limit: Specify the maximum amount of time, in seconds, you want a reporting query to process before a time-out occurs. The default is 57,600 seconds.
Command Line Execution Time Limit: Specify the maximum amount of time, in seconds, you want a query in the command line to process before a time-out occurs. The default is 0 seconds.
Flow Log Hashing: Enables or disables the ability for STRM to store a hash file for every stored flow log file. The default is No.
Event Log Hashing: Enables or disables the ability for STRM to store a hash file for every stored event log file. The default is No.
Hashing Algorithm: You can use a hashing algorithm for database storage and encryption. You can use one of the following families of hashing algorithms:
• Message-Digest Hash Algorithm - Transforms digital signatures into shorter values called Message-Digests (MD).
• Secure Hash Algorithm (SHA) Hash Algorithm - Standard algorithm that creates a larger (160-bit) MD.
Specify the log hashing algorithm you want to use for your deployment. The options are:
• MD2 - Algorithm defined by RFC 1319.
• MD5 - Algorithm defined by RFC 1321.
• SHA-1 - Default. Algorithm defined by the Secure Hash Standard (SHS), NIST FIPS 180-1.
• SHA-256 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-256 is a 256-bit hash algorithm intended to provide 128 bits of security against attacks.
• SHA-384 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-384 is a 384-bit hash algorithm produced by truncating the SHA-512 output.
• SHA-512 - Algorithm defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-512 is a 512-bit hash algorithm intended to provide 256 bits of security.
Sentry Settings
Alert Directory: Specify the location where you want to store active alerts for each user. The default is /store/sentry/alerts.
Default Sentry Scripts: Specify the default sentry scripts you want to execute. The default is /opt/STRM/triggerbin/system.js.
List of Sentry Scripts: Specify the sentry scripts you want to execute, in order of execution. Separate each entry with a comma. The default is system.js,activity_anomaly.js,learn_policy.js,threshold.js,behavioral.js.
Sentry Properties: Specify the sentry properties location. The default is /store/sentry/persistent_properties.xml.
Sentry Response Queue: Specify the sentry response queue file. The default is /store/sentry/response_queue.xml.
Sentry Database Location: Specify the location of the sentry database. The default is /store/sentry/qc_persistentstorage.
Transaction Sentry Settings
Transaction Max Time Limit: A transaction sentry detects unresponsive applications using transaction analysis. If an unresponsive application is detected, the transaction sentry attempts to return the application to a functional state. Using the drop-down list box, select the length of time you want the system to check for transactional issues in the database. The default is 10 minutes.
Resolve Transaction on Non-Encrypted Host: Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the Console or non-encrypted managed hosts. If you select No, the conditions are detected and logged, but you must manually intervene and correct the error. The default is Yes.
Resolve Transaction on Encrypted Host: Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the encrypted managed host. If you select No, the conditions are detected and logged, but you must manually intervene and correct the error. The default is Yes.
SNMP Settings
Enable: Enables or disables Simple Network Management Protocol (SNMP) responses in the STRM custom rules engine. The default is No, which means you do not want to accept events using SNMP.
Destination Host: Specify the IP address to which you want to send SNMP notifications.
Destination Port: Specify the port to which you want to send SNMP notifications. The default is 162.
Community (V2): Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2.
User Name: Specify the name of the user you want to access SNMP related properties.
Security Level: Specify the security level for SNMP. The options are:
• NOAUTH_NOPRIV - Indicates no authentication and no privacy. This is the default.
• AUTH_NOPRIV - Indicates authentication is performed but no privacy.
• AUTH_PRIV - Allows authentication and privacy.
Authentication Protocol: Specify the algorithm you want to use to authenticate SNMP traps.
Authentication Password: Specify the password you want to use to authenticate SNMP.
Privacy Protocol: Specify the protocol you want to use to decrypt SNMP traps.
Privacy Password: Specify the password used to decrypt SNMP traps.
Embedded SNMP Agent Settings
Enabled: Enables or disables access to data from the SNMP Agent using SNMP requests. The default is No.
Community String: Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2 and SNMPv3.
IP Access List: Specify the systems that can access data from the SNMP agent using SNMP requests. If the Enabled option is set to Yes, this option is enforced.
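The Flow Log Hashing, Event Log Hashing and Hashing Algorithm settings above store one hash file per stored log file so that later tampering of an archived log can be detected. The following script is an added example, not STRM's own code: it assumes the hash file sits beside the log as <log>.<algorithm> holding "hexdigest  filename", maps the setting's algorithm names onto Python's hashlib (MD2 is not available there), and shows verification failing once a line is appended to a hashed log.

```python
"""Per-file log hashing and verification, in the style of the Flow/Event Log Hashing
options. Added example; not STRM code. Sidecar naming and format are assumptions."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Algorithm names as listed in the Hashing Algorithm setting, mapped to hashlib names.
# MD2 (RFC 1319) is not provided by Python's hashlib, so it is deliberately left out.
ALGORITHMS = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}


def digest_bits(algorithm):
    """Digest length in bits, e.g. SHA-1 -> 160, SHA-256 -> 256."""
    return hashlib.new(ALGORITHMS[algorithm]).digest_size * 8


def hash_file(path, algorithm="SHA-1", chunk_size=1 << 20):
    """Stream the file through the chosen hash and return its hex digest."""
    h = hashlib.new(ALGORITHMS[algorithm])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_path(path, algorithm):
    """Assumed naming: the hash file sits next to the log as <log>.<algorithm>."""
    return Path(str(path) + "." + ALGORITHMS[algorithm])


def write_hash_file(path, algorithm="SHA-1"):
    """Store one hash file per stored log file, as the log hashing options do."""
    sidecar = sidecar_path(path, algorithm)
    sidecar.write_text(f"{hash_file(path, algorithm)}  {Path(path).name}\n")
    return sidecar


def verify_log_file(path, algorithm="SHA-1"):
    """Recompute the digest and compare it with the stored one in constant time.
    Returns False when the hash file is missing or the digests differ."""
    sidecar = sidecar_path(path, algorithm)
    if not sidecar.exists():
        return False
    stored = sidecar.read_text().split()[0]
    return hmac.compare_digest(stored, hash_file(path, algorithm))


def demo():
    """Constructed sample: hash an event log, verify it, append a line, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "events.log"
        # Constructed log line; not output from STRM.
        log.write_bytes(b"2008-10-01T00:00:01 src=10.0.0.5 dst=10.0.0.9 action=accept\n")
        write_hash_file(log, "SHA-256")
        intact = verify_log_file(log, "SHA-256")
        # Appending to the stored log after hashing must be detected.
        with open(log, "ab") as f:
            f.write(b"2008-10-01T00:00:02 src=10.0.0.5 dst=10.0.0.9 action=deny\n")
        tampered = verify_log_file(log, "SHA-256")
        return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'tampered': False}
```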
Configuring System Notifications
You can configure system performance alerts for thresholds using the STRM
Administration Console. This section provides information for configuring your
system thresholds.
Parameter Description
User CPU usage: Specify the threshold percentage of user CPU usage.
Nice CPU usage: Specify the threshold percentage of user CPU usage at the nice priority.
System CPU usage: Specify the threshold percentage of CPU usage while operating at the system level.
Idle CPU usage: Specify the threshold percentage of idle CPU time.
Percent idle time: Specify the threshold percentage of idle time.
Run queue length: Specify the threshold number of processes waiting for run time.
Number of processes in the process list: Specify the threshold number of processes in the process list.
System load over 1 minute: Specify the threshold system load average over the last minute.
System load over 5 minutes: Specify the threshold system load average over the last 5 minutes.
System load over 15 minutes: Specify the threshold system load average over the last 15 minutes.
Kilobytes of memory free: Specify the threshold amount, in kilobytes, of free memory.
Kilobytes of memory used: Specify the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel.
Percentage of memory used: Specify the threshold percentage of used memory.
Kilobytes of cached swap memory: Specify the threshold amount of memory, in kilobytes, shared by the system.
Kilobytes of buffered memory: Specify the threshold amount of memory, in kilobytes, used as a buffer by the kernel.
Kilobytes of memory used for disc cache: Specify the threshold amount of memory, in kilobytes, used to cache data by the kernel.
Kilobytes of swap memory free: Specify the threshold amount of free swap memory, in kilobytes.
Kilobytes of swap memory used: Specify the threshold amount, in kilobytes, of used swap memory.
Percentage of swap used: Specify the threshold percentage of used swap space.
Number of interrupts per second: Specify the threshold number of received interrupts per second.
Received packets per second: Specify the threshold number of packets received per second.
Transmitted packets per second: Specify the threshold number of packets transmitted per second.
Received bytes per second: Specify the threshold number of bytes received per second.
Transmitted bytes per second: Specify the threshold number of bytes transmitted per second.
Received compressed packets: Specify the threshold number of compressed packets received per second.
Transmitted compressed packets: Specify the threshold number of compressed packets transmitted per second.
Received multicast packets: Specify the threshold number of received multicast packets per second.
Receive errors: Specify the threshold number of corrupt packets received per second.
Transmit errors: Specify the threshold number of corrupt packets transmitted per second.
Packet collisions: Specify the threshold number of collisions that occur per second while transmitting packets.
Dropped receive packets: Specify the threshold number of received packets that are dropped per second due to a lack of space in the buffers.
Dropped transmit packets: Specify the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers.
Transmit carrier errors: Specify the threshold number of carrier errors that occur per second while transmitting packets.
Receive frame errors: Specify the threshold number of frame alignment errors that occur per second on received packets.
Receive fifo overruns: Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.
Transmit fifo overruns: Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.
Transactions per second: Specify the threshold number of transfers per second sent to the system.
Sectors written per second: Specify the threshold number of sectors transferred to or from the system.
Configuring the Console Settings
The STRM Console provides the interface for STRM. The Console provides real-time
views, reports, alerts, and in-depth investigation of flows for network traffic
and security threats. You can also use the Console to manage distributed
STRM deployments.
You can access the Console from a standard web browser. When you access the
system, a prompt appears for a user name and password, which must be
configured in advance by the STRM administrator. STRM supports the following
web browsers:
• Internet Explorer 6.0 or 7.0
• Mozilla Firefox 3.0
Parameter Description
Console Settings
ARP - Safe Interfaces: Specify the interface you want to exclude from ARP resolution activities.
Enable 3D graphs in the user interface: Using the drop-down list box, select one of the following:
• Yes - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 3-dimensional format.
• No - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 2-dimensional format.
Authentication Settings
Persistent Session Timeout (in days): Specify the length of time, in days, that a user session is persisted. The default is 0, which disables this feature and the Remember Me option on login.
Maximum Login Failures: Specify the number of times a login attempt may fail. The default is 5.
Login Failure Attempt Window (in minutes): Specify the length of time during which the maximum login failures may occur before the system is locked. The default is 10 minutes.
Login Failure Block Time (in minutes): Specify the length of time that the system is locked if the maximum login failures value is exceeded. The default is 30 minutes.
Login Host Whitelist: Specify a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-separated list.
Inactivity Timeout (in minutes): Specify the amount of time after which a user is automatically logged out of the system if no activity occurs.
Login Message File: Specify the location and name of a file that includes content you want to appear on the STRM login window. This file may be in text or HTML format, and the contents of the file appear below the current login window.
Event Permission Precedence: Using the drop-down list box, specify the level of network permissions you want to assign users. This affects the events that appear in the Event Viewer. The options include:
• Network Only - A user must have access to either the source network or the destination network of the event to have the event appear in the Event Viewer.
• Devices Only - A user must have access to either the device or device group that created the event to have the event appear in the Event Viewer.
• Networks and Devices - A user must have access to both the source or the destination network and the device or device group to have an event appear in the Event Viewer.
• None - All events appear in the Event Viewer. Any user with Event Viewer role permissions is able to view all events.
Note: For more information on managing users, see Chapter 1 Managing Users.
DNS Settings
Enable DNS Lookups for Asset Profiles: Enable or disable the ability for STRM to search for DNS information in asset profiles. When enabled, this information is available using the right-mouse button (right-click) on the IP address or host name located in the Host Name (DNS Name) field in the asset profile. The default is False.
Enable DNS Lookups for Host Identity: Enable or disable the ability for STRM to search for host identity information. When enabled, this information is available using the right-mouse button (right-click) on any IP address or asset name in the interface. The default is True.
WINS Settings
WINS Server: Specify the location of the Windows Internet Naming Server (WINS) server.
Reporting Settings
Report Retention Period: Specify the period of time, in days, that you want the system to maintain reports. The default is 30 days.
Data Export Settings
Include Header in CSV Exports: Specify whether you want to include a header in a CSV export file.
Maximum Simultaneous Exports: Specify the maximum number of exports you want to occur at one time.
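The Authentication Settings above (Maximum Login Failures, Login Failure Attempt Window, Login Failure Block Time and Login Host Whitelist) describe a sliding-window lockout. The class below is an added example of that logic using the documented defaults, not STRM's implementation; it assumes failures are counted per source host and that the lock is released automatically once the block time has elapsed.

```python
"""Sliding-window login lockout built from the Authentication Settings parameters.
Added example, not STRM code. Per-host bookkeeping is an assumption; times are
epoch seconds passed in by the caller so the logic can be exercised offline."""
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures=5, window_minutes=10, block_minutes=30, whitelist=()):
        self.max_failures = max_failures          # Maximum Login Failures
        self.window = window_minutes * 60         # Login Failure Attempt Window
        self.block = block_minutes * 60           # Login Failure Block Time
        self.whitelist = set(whitelist)           # Login Host Whitelist
        self.failures = defaultdict(deque)        # host -> timestamps of recent failures
        self.blocked_until = {}                   # host -> time the lock expires

    def is_blocked(self, host, now):
        """True while the host is inside its block time; expired locks are cleared."""
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[host]
            return False
        return True

    def record_failure(self, host, now):
        """Record a failed login. Returns True when this failure triggers a lock."""
        if host in self.whitelist:
            return False
        q = self.failures[host]
        q.append(now)
        # Keep only the failures that fall inside the sliding attempt window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[host] = now + self.block
            q.clear()
            return True
        return False

    def record_success(self, host):
        """A successful login clears the failure history for that host."""
        self.failures.pop(host, None)


def demo():
    """Constructed scenario with the defaults: 5 failures, 10-minute window, 30-minute block."""
    g = LoginGuard(whitelist=["10.0.0.2"])
    t0 = 1_000_000
    # Five failures from one host within two minutes: the fifth one locks it.
    locked_on = [g.record_failure("192.0.2.10", t0 + 30 * i) for i in range(5)]
    still_blocked = g.is_blocked("192.0.2.10", t0 + 120 + 29 * 60)
    released = g.is_blocked("192.0.2.10", t0 + 120 + 30 * 60)
    # Five failures spaced 11 minutes apart never put five inside one 10-minute window.
    slow = [g.record_failure("192.0.2.11", t0 + 11 * 60 * i) for i in range(5)]
    # A whitelisted host is never locked, however many failures it produces.
    exempt = [g.record_failure("10.0.0.2", t0 + i) for i in range(10)]
    return {
        "locked_on": locked_on,
        "still_blocked": still_blocked,
        "released": released,
        "slow_locked": any(slow),
        "exempt_locked": any(exempt),
    }


if __name__ == "__main__":
    print(demo())
```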
Step 5 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.
Resetting SIM
Using the Administration Console, you can reset the SIM module, which allows you
to remove all offense, attacker, and target information from the database and the
disk. This option is useful after tuning your deployment, to avoid receiving any
additional false positive information.
• Hard Clean - Closes all active SIM data including offenses, targets and
attackers.
Step 5 If you want to continue, select the Are you sure you want to reset the data
model? check box.
Step 6 Click Proceed.
A message appears indicating that the SIM reset process has started. This
process may take several minutes, depending on the amount of data in your
system.
Step 7 Once the SIM reset process is complete, reset your browser.
Note: If you attempt to navigate to other areas of the user interface during the SIM
reset process, an error message appears.
Note: To access the authorized services functionality, a user role must exist with
only the Offense Management check box selected. The Assign Offenses to Users
and the Customized Rule Creation check boxes must be clear. For more
information on creating user roles, see Chapter 4 Managing Users.
Parameter Description
Service Name: Specifies the name of the authorized service.
Authorized By: Specifies the name of the user or administrator that authorized the addition of the service.
Authentication Token: Specifies the token associated with this authorized service.
User Role: Specifies the user role associated with this authorized service.
Created: Specifies the date that this authorized service was created.
Expired: Specifies the date and time that the authorized service will expire. This field also indicates when a service has expired.
Step 3 To select a token from an authorized service, select the appropriate authorized
service. The token appears in the Selected Token field in the top bar. This allows
you to copy the desired token into your third-party application to authenticate with
STRM.
Parameter Description
Service Name: Specify a name for this authorized service. The name can be up to 255 characters in length.
User Role: Using the drop-down list box, select the user role you want to assign to this authorized service. The user role assigned to an authorized service determines the functionality in the STRM interface this service can access.
Expiry Date: Specify a date you want this service to expire, or select the No Expiry check box if you do not want this service to expire. By default, the authorized service is valid for 30 days.
Using the Administration Console, you can back up and recover configuration
information and data for STRM. You can back up and recover the following
information for your system:
• License key information
• Sentry configuration
• Rules configuration
• Configuration database information
• User profile information
• Views configuration
The list of archives includes backup files that exist in the database. If a backup file
is deleted, it is removed from the disk and from the database. Also, the entry is
removed from this list and an audit event is generated to indicate the removal.
If a backup is in progress, a status window appears to indicate the duration of the
current backup, which user/process initiated the backup, and provides you with the
option to cancel the backup.
Each archive file includes the data from the previous day.
The Backup Archives window provides the following information for each backup
archive.
Table 6-1 Backup Archive Window Parameters
Parameter Description
Host: Specifies the host that initiated the backup process.
Name: Specifies the name of the backup archive. To download the backup file, click the name of the backup.
Type: Specifies the type of backup. The options are:
• db (database)
• config (configuration data)
• data (events, flows, and asset profile information)
Size: Specifies the size of the archive file.
Time Initiated: Specifies the time that the backup file was created.
Duration: Specifies the time taken to complete the backup process.
Initialized By: Specifies whether the backup file was created by a user or through a scheduled process.
Backing Up Your Information
You can back up your configuration information and data using the Backup
Recovery Configuration window. You can back up your configuration information
using a manual process. You can also back up your configuration information
and data using a scheduled process. By default, STRM creates a backup archive
of your configuration information every night at midnight, and the backup includes
configuration and/or data from the previous day. This section provides information on
both methods of backing up your data, including:
• Scheduling Your Backup
• Initiating a Backup
Parameter Description
General Backup Configuration
Backup Repository Path: Specifies the location where you want to store your backup file. This path must exist before the backup process is initiated. If this path does not exist, the backup process aborts. The default is /store/backup.
Note: If you modify this path, make sure the new path is valid on every system in your deployment.
Backup Retention Period: Specify the length of time, in days, that you want to maintain backup files. The default is 2 days.
Note: This period of time only affects backup files generated as a result of a scheduled process. Manually initiated backup processes are not affected by this value.
Nightly Backup Schedule: Select one of the following options:
• No Nightly Backups - Disables the creation of a backup archive on a daily basis.
• Configuration Backup Only - Enables the creation of a daily backup at midnight that includes configuration information only.
• Configuration and Data Backups - Enables the creation of a daily backup at midnight that includes configuration information and data. If you select the Configuration and Data Backups option, you can select the hosts you want to back up. This option backs up all database table information including:
- Offenses (including targets and attacker information)
- Asset data
- Categories
- Vulnerability data
Once you select the host, you can select one of the following options: Event Data, Flow Data, and Asset Profile Data.
Configuration Only Backup
Backup Time Limit: Specify the length of time, in minutes, that you want to allow the backup to process.
Backup Priority: Specify the level of importance (low, medium, high) you want the system to place on the configuration information backup process compared to other processes.
Data Backup
Backup Time Limit (min): Specify the length of time, in minutes, that you want to allow the backup to process.
Backup Priority: Specify the level of importance (low, medium, high) you want the system to place on the data backup process compared to other processes.
Step 6 From the Administration Console menu, select Configurations > Deploy All.
Restoring Your Configuration Information
You can restore configuration information from existing backup archives using the
Restore Backup window. Note the following requirements when you are restoring
configuration information:
• You can only restore a backup archive created within the same release of
software. For example, if you are running STRM 6.1.2, the backup archive must
have been created in STRM 6.1.2. You cannot restore configuration information
archived in a previous release.
• Each backup archive includes the IP address information of the system from which
the backup archive was created. The IP address of the system on which you
want to restore the information must match the IP address in the backup
archive. If the IP addresses do not match, the restore process fails.
Note: The restore process only restores your configuration information. For
assistance in restoring your data, contact Juniper Networks Customer Support.
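The Backup Retention Period note earlier (scheduled archives expire, manually initiated ones do not), the audit event generated when an archive is removed, and the two restore requirements just listed can all be checked before the backup repository is touched. The script below is an added example, not STRM's own code; the archive records, their 'release' and 'ip' fields, and the audit message wording are constructed for illustration.

```python
"""Retention pruning and restore preflight for backup archives, following the
Backup Retention Period note and the restore requirements above. Added example,
not STRM code; records and field names are constructed."""
from datetime import datetime, timedelta

# Constructed archive records with the Table 6-1 fields plus the release and
# IP address information the text says each archive carries.
ARCHIVES = [
    {"name": "backup.20081001.config", "type": "config", "initialized_by": "scheduled",
     "time_initiated": datetime(2008, 10, 1, 0, 0), "release": "6.1.2", "ip": "10.10.1.5"},
    {"name": "backup.20081005.db", "type": "db", "initialized_by": "scheduled",
     "time_initiated": datetime(2008, 10, 5, 0, 0), "release": "6.1.2", "ip": "10.10.1.5"},
    {"name": "pre-upgrade.config", "type": "config", "initialized_by": "admin",
     "time_initiated": datetime(2008, 9, 20, 9, 30), "release": "6.1.1", "ip": "10.10.1.5"},
]
NOW = datetime(2008, 10, 6, 0, 0)  # constructed "today" for the examples below


def expired_scheduled_archives(archives, retention_days, now):
    """Names of scheduled archives older than the retention period.
    Manually initiated archives are never returned, matching the note above."""
    cutoff = now - timedelta(days=retention_days)
    return [a["name"] for a in archives
            if a["initialized_by"] == "scheduled" and a["time_initiated"] < cutoff]


def prune_scheduled_archives(archives, retention_days, now):
    """Apply the retention period and emit one audit record per removal,
    as the Backup Archives list does. Returns (kept_archives, audit_events)."""
    expired = set(expired_scheduled_archives(archives, retention_days, now))
    kept = [a for a in archives if a["name"] not in expired]
    audit = [f"backup archive removed: {name}" for name in sorted(expired)]
    return kept, audit


def restore_preflight(archive, host_release, host_ip):
    """Return the reasons a restore would fail; an empty list means it may proceed."""
    problems = []
    if archive["release"] != host_release:
        problems.append(f"archive created in STRM {archive['release']}, host runs {host_release}")
    if archive["ip"] != host_ip:
        problems.append(f"archive IP {archive['ip']} does not match host IP {host_ip}")
    return problems


if __name__ == "__main__":
    kept, audit = prune_scheduled_archives(ARCHIVES, 2, NOW)
    print([a["name"] for a in kept], audit)
    print(restore_preflight(ARCHIVES[2], "6.1.2", "10.10.1.6"))
```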
The deployment editor allows you to manage the individual components of your
STRM and SIM deployment. Once you configure your Flow, Event, and System
Views, you can access and configure the individual components of each managed
host.
Caution: Many third-party web browsers that use the Internet Explorer engine,
such as Maxthon or MyIE, install components that may be incompatible with the
STRM Administration Console. You must disable any third-party web browsers
installed on your system. For further assistance, please contact customer support.
If you want to access the STRM Administration Console from behind a proxy
server or firewall, you must configure the appropriate proxy settings on your
desktop. This allows the software to automatically detect the proxy settings from
your browser. To configure the proxy settings, open the Java configuration located
in your Control Panel and configure the IP address of your proxy server. For more
information on configuring proxy settings, see your Microsoft documentation.
About the Deployment Editor
You can access the deployment editor using the STRM Administration Console.
You can use the deployment editor to create your deployment, assign connections,
and configure each component.
In the Flow View, the left panel provides a list of components that you can add to
your view and the right panel provides the existing view of your deployment.
In the Event View, the left panel provides a list of SIM components you can add to
the view and the right panel provides an existing view of your SIM deployment.
In the System View, the left panel provides a list of managed hosts, which you can
view and configure. The deployment editor polls your deployment for updates to
Accessing the Deployment Editor
In the Administration Console, click the deployment editor icon. The
deployment editor appears. Once you update your configuration settings using the
deployment editor, you must save those changes to the staging area. You must
either manually deploy all changes using the Administration Console Deploy menu
option or, upon exiting the Administration Console, a window appears prompting
you to deploy changes before you exit. All deployed changes are then enforced
throughout your deployment.
Using the Editor
The deployment editor provides you with several menu and toolbar options when
configuring your views, including:
• Menu Options
• Toolbar Options
Menu Options
The menu options that appear depend on the selected component in your view.
Table 7-1 provides a list of the menu options and the component for which they
appear.
Table 7-1 Deployment Editor Menu Options
Toolbar Options
The toolbar options include:
Table 7-2 Toolbar Options
Icon Description
Saves deployment to the staging area and closes the deployment editor.
Deletes selected item from the deployment view.
This option is only available when the selected component has a managed
host running a compatible version of STRM software.
Opens the Add a Managed Host wizard, which allows you to add a
managed host to your deployment.
Opens the Manage NATed Networks window, which allows you to manage
the list of NATed networks in your deployment.
Zoom in.
Zoom out.
Note: If you require assistance with the above, please contact Juniper Networks
Customer Support.
Building Your Flow View
The Flow View allows you to create and manage the flow-based software
components of your STRM deployment, for example, a Flow Collector or Flow
Processor. If you are using a STRM appliance, a default Flow View appears with
the appropriate components. You can edit or update the view, as necessary.
Once you have completed building your Flow View, you can use the Event View to
manage your SIM components. See Building Your Event View.
Adding STRM Components
You can add the following STRM components to your Flow View:
• Flow Collector - Collects data from devices and various live and recorded
feeds.
• Flow Processor - Collects and consolidates data from one or more Flow
Collector(s).
• Classification Engine - Receives input from one or more Flow Processor(s) as
well as classifies and accumulates statistical data on flows.
• Update Daemon - Stores TopN and database data once the Classification
Engine has processed the flows for an interval.
• Flow Writer - Stores the flow and asset profile data once the Classification
Engine has processed the flows for an interval.
Step 2 In the Flow Components panel, select a component you want to add to your
deployment.
The Adding a New Component Wizard appears.
Step 3 Enter a unique name for the component you want to add. The name can be up to
15 characters in length and may include underscores or hyphens. Make sure you
record the assigned name and Click Next.
Note: If the message “There are no hosts to which you can assign this
component.” appears, your deployment does not include hosts with the capabilities
to support the selected component, or the host already has a full complement of
components installed.
The Assign Component window appears.
Step 4 From the Select a host drop-down list box, select the managed host to which you
want to assign the new component. Click Next.
The component ready to be added window appears.
Step 5 Click Finish.
Connecting Components
Once you add all the necessary components in your Flow View, you must connect
them together. The Flow View only allows you to connect appropriate components
together. For example, you can connect a Flow Processor to a Flow Collector and
not an Update Daemon.
To connect components:
Step 1 In the Flow View, select the component for which you want to establish a
connection.
Step 2 From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Actions
menu item.
An arrow appears in your map.
Step 3 Drag the end of the arrow to the component on which you want to establish a
connection. You can only connect appropriate components, for example, you can
connect a Classification Engine to an Update Daemon. Table 7-3 provides a list of
components you are able to connect.
Table 7-3 Component Connections
Connecting Deployments
You can connect deployments in your network to allow deployments to share flow
data. To connect your deployments, you must configure an off-site Flow Processor
(target) in your current deployment and the associated off-site Flow Processor in
the receiving deployment (source). You can add the following components to your
Flow View:
• Off-site Source - Indicates an off-site Flow Processor from which you want to
receive data. The source must be configured with appropriate permissions to
send flows to the off-site target.
• Off-site Target - Indicates an off-site Flow Processor to which you want to send
data.
Note: The procedures in the section provide information on adding flow sources
using the Flow View. You can also add sources using the System View. For
information on the System View, see Managing Your System View.
If you want to disconnect the off-site source, you must remove the connections
from both deployments. From deployment A, you must remove the off-site target
and in deployment B, you must remove the off-site source.
Note: To enable encryption between two managed hosts, each managed host
must be running at least STRM 5.1.
Step 2 In the Flow Components panel, select either Add Off-site Source or Add Off-site
Target.
The Adding a New Component Wizard appears.
Step 3 Specify a unique name for the source or target. The name can be up to 15
characters in length and may include underscores or hyphens. Click Next.
The flow source/target information window appears.
• Encrypt traffic from off-site source - Select the check box if you want to
encrypt traffic from an off-site source. To enable encryption, you must select
this check box on the associated off-site source and target. For more
information regarding encryption, see Managing Your System View.
Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.
Note: If you update your Flow Processor configuration or the monitoring ports, you
must manually update your source and target configurations to maintain the
connection between deployments.
Renaming Components
You may want to rename a component in your view to uniquely identify
components throughout your deployment.
To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename component.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Rename component window appears.
Step 3 Enter a new name for the component. The name must be alphanumeric with no
special characters.
Step 4 Click Ok.
Building Your Event View
The Event View allows you to create and manage the SIM components for your
deployment including:
• Event Collector - Collects security events from various types of security
devices in your network. The Event Collector gathers events from local, remote,
and device sources. The Event Collector then normalizes the events and sends
the information to the Event Processor. The Event Collector also bundles all
virtually identical events to conserve system usage.
• Event Processor - An Event Processor processes flows collected from one or
more Event Collector(s). The events are bundled once again to conserve
network usage. Once received, the Event Processor correlates the information
from STRM and distributes to the appropriate area, depending on the type of
event. The Event Processor also includes information gathered by STRM to
indicate any behavioral changes or policy violations for that event. Rules are
then applied to the events that allow the Event Processor to process according
to the configured rules. Once complete, the Event Processor sends the events
to the Magistrate.
You must connect the Event Processor to a Classification Engine or another
Event Processor in your deployment. The Classification Engine is responsible
for sending the latest event information to the Event Processor. See Figure 7-2
for an example.
• Magistrate - The Magistrate component provides the core processing
components of SIM. You can add one Magistrate component for each
deployment. The Magistrate provides views, reports, alerts, and analysis of
network traffic and security events. The Magistrate processes the event against
the defined custom rules to create an offense. If no custom rules exist, the
Magistrate uses the default rules to process the event. An offense is an event
that has been processed through STRM using multiple inputs, individual
events, and events combined with analyzed behavior and vulnerabilities.
Magistrate prioritizes the offenses and assigns a magnitude value based on
several factors, including number of events, severity, relevance, and credibility.
Once processed, Magistrate also produces a list for each attacker, which
provides you with a list of attackers for each event. Once the Magistrate
establishes the magnitude for an event, the Magistrate provides multiple
options for resolution.
By default, the Event View includes a Magistrate component. Figure 7-2 shows an
example of STRM deployment that includes the SIM components. The example
shows that the Event Processor is connected to the Classification Engine, which
allows for the exchange of flow information.
Step 3 Enter a unique name for the component you want to add. The name can be up to
15 characters in length and may include underscores or hyphens. Click Next.
The Assign Component window appears.
Step 4 From the Select a host to assign to list box, select a managed host to which you
want to assign the new component. Click Next.
Step 5 Click Finish.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the main menu, select File > Save to staging.
Connecting Components
Once you add all the necessary components in your Event View, you must connect
them together. The Event View only allows you to connect appropriate components
together. For example, you can connect an Event Collector to an Event Processor
and not a Magistrate component.
To connect components:
Step 1 In the Event View, select the component for which you want to establish a
connection.
Step 2 From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Action
menu item.
An arrow appears in your map.
Step 3 Drag the end of the arrow to the component on which you want to establish a
connection. You can only connect appropriate components, for example, you can
connect an Event Collector to an Event Processor. Table 7-4 provides a list of
components you are able to connect.
Table 7-4 Component Connections
Forwarding Normalized Events
To forward normalized events, you must configure an off-site Event Collector
(target) in your current deployment and the associated off-site Event Collector in
the receiving deployment (source).
For example, if you want to forward normalized events between two deployments
(A and B), where deployment B wants to receive events from deployment A, you
must configure deployment A with an off-site target to provide the IP address of the
managed host that includes Event Collector B. You must then connect Event
Collector A to the off-site target. In deployment B, you must configure an off-site
source with the IP address of the managed host that includes Event Collector A
and the port that Event Collector A monitors.
If you want to disconnect the off-site source, you must remove the connections
from both deployments. From deployment A, you must remove the off-site target
and in deployment B, you must remove the off-site source.
Figure (not reproduced): the surviving component labels are an Off-site Target and
two Magistrate components, one per deployment.
Step 3 Specify a unique name for the source or target. The name can be up to 15
characters in length and may include underscores or hyphens. Click Next.
The event source/target information window appears.
Note: If you update your Event Collector configuration or the monitoring ports, you
must manually update your source and target configurations to maintain the
connection between deployments.
Renaming Components
You may want to rename a component in your view to uniquely identify
components throughout your deployment.
To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename Component.
Note: You can also use the right mouse button (right-click) to access the Action
menu items.
The Rename component window appears.
Step 3 Enter a new name for the component. The name must be alphanumeric with no
special characters.
Step 4 Click Ok.
Managing Your System View
The System View allows you to manage all managed hosts in your network. A
managed host is a component in your network that includes STRM software. If you
are using a STRM appliance, the components for that appliance model appear. If
your STRM software is installed on your own hardware, the System View includes
a Host Context component. The System View allows you to select which
component(s) you want to run on each managed host.
Setting Up Managed Hosts
Using the deployment editor you can manage all hosts in your deployment
including:
• Add a managed host to your deployment. See Adding a Managed Host.
• Edit an existing managed host. See Editing a Managed Host.
• Remove a managed host. See Removing a Managed Host.
When adding a managed host, you can also enable encryption between managed
hosts running at least STRM 5.1. The deployment editor determines the version of
STRM software running on a managed host. You can only add a managed host to
your deployment when the managed host is running a compatible version of STRM
software. For more information, contact Juniper Networks Customer Support.
You also cannot assign or configure components on a non-Console managed host
when the STRM software version is incompatible with the software version that the
Console is running. If a managed host has previously assigned components and is
running an incompatible software version, you can still view the components;
however, you are not able to update or delete them.
Note: To enable encryption between two managed hosts, each managed host
must be running at least STRM 5.1.
Encryption provides greater security for all STRM traffic between managed hosts.
To provide enhanced security, STRM also provides integrated support for
OpenSSH and attachmateWRQ® Reflection SSH software. Reflection SSH
software provides a FIPS 140-2 certified encryption solution. When integrated with
STRM, Reflection SSH provides secure communication between STRM
components. For information on Reflection SSH, see the following web site:
www.wrq.com/products/reflection/ssh
Note: You must have Reflection SSH installed on each managed host you want to
encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other
SSH software, such as OpenSSH.
Figure 7-4 shows the flow of traffic within a STRM deployment including flows, flow
context, and event traffic. The figure also displays the client/server relationships
Note: If you want to enable NAT for a managed host, the NATed network must be
using static NAT translation. For more information on using NAT, see Using NAT
with STRM.
• Enable Encryption - Select the check box if you want to create an encryption
tunnel for the host. To enable encryption between two managed hosts, each
managed host must be running at least STRM 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window
appears. Go to Step 4. Otherwise, go to Step 5.
Step 4 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP
address of the managed host. The managed host uses this IP address to
communicate with another managed host that belongs to a different network
using NAT.
• Select NATed network - Using the drop-down list box, select the network you
want this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with
STRM.
Step 5 Click Next.
Step 6 Click Finish.
Note: If your deployment included undeployed changes, a window appears
enabling you to deploy all changes.
The System View appears with the host in the Managed Hosts panel.
• Enable Encryption - Select the check box if you want to create an encryption
tunnel for the host. To enable encryption between two managed hosts, each
managed host must be running at least STRM 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window
appears. Go to Step 5. Otherwise, go to Step 6.
Step 5 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP
address of the managed host. The managed host uses this IP address to
communicate with another managed host that belongs to a different network
using NAT.
• Select NATed network - Using the drop-down list box, select the network you
want this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with
STRM.
Step 6 Click Next.
Step 7 Click Finish.
The System View appears with the updated host in the Managed Hosts panel.
Using NAT with STRM
Network Address Translation (NAT) translates an IP address in one network to a
different IP address in another network. NAT provides increased security for your
deployment since requests are managed through the translation process, which
essentially hides internal IP addresses.
Before you enable NAT for a STRM managed host, you must set up your NATed
networks using static NAT translation. This ensures communication between
managed hosts that exist within different NATed networks. For example, in
Figure 7-5 the QFlow 1101 in Network 1 has an internal IP address of
10.100.100.0. When the QFlow 1101 wants to communicate with the Event
Collector in Network 2, the NAT router translates the IP address to 192.15.2.1.
Figure 7-5 (not reproduced): a NAT Router between Network 1 and Network 2; the
component labels are QFlow 1101, Event Collector, Classification Engine, and
Event Collector.
Note: Your static NATed networks must be set up and configured on your network
before you enable NAT using STRM. For more information, see your network
administrator.
You can add a non-NATed managed host that uses inbound NAT for the public IP
address and dynamic NAT for outbound traffic, provided it is located on the same
switch as the Console or managed host. However, you must configure the
managed host to use the same IP address for its public and private IP addresses.
When adding or editing a managed host, you can enable NAT for that managed
host. You can also use the deployment editor to manage your NATed networks
including:
• Adding a NATed Network to STRM
• Editing a NATed Network
• Deleting a NATed Network From STRM
• Changing the NAT Status for a Managed Host
Step 2 Select the NATed network you want to edit and click Edit.
The Edit NATed Network window appears.
Step 3 Update the name of the network you want to use for NAT.
Step 4 Click Ok.
The Manage NATed Networks window appears.
Step 5 Click Ok.
A confirmation window appears.
Step 6 Click Yes.
To change the status of NAT (enable or disable) for an existing managed host:
Step 1 In the deployment editor, click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and
select Edit Managed Host.
The Edit a managed host wizard appears.
Step 3 Click Next.
The networking and tunneling attributes window appears.
Step 4 Choose one of the following:
a If you want to enable NAT for the managed host, select the check box. Go to
Step 5
Note: If you want to enable NAT for a managed host, the NATed network must be
using static NAT translation.
b If you want to disable NAT for the managed host, clear the check box. Go to
Step 6
Step 5 To select a NATed network, enter values for the following parameters:
• Change public IP of the server or appliance to add - Specify the public IP
address of the managed host. The managed host uses this IP address to
communicate with another managed host that belongs to a different network
using NAT.
• Select NATed network - Using the drop-down list box, select the network you
want this managed host to use.
• Manage NATs List - Update the NATed network configuration. For more
information, see Using NAT with STRM.
Step 6 Click Next.
Step 7 Click Finish.
The System View appears with the updated host in the Managed Hosts panel.
Note: Once you change the NAT status for an existing managed host, error
messages may appear. Ignore all error messages.
Step 8 Update the configuration for the device (firewall) to which the managed host is
communicating.
Step 9 From the STRM Administration Console menu, select Configurations > Deploy
All.
Assigning a Component to a Host
You can assign the STRM components added in the Flow or Event Views to the
managed hosts in your deployment. This section provides information on assigning
a component to a host using the System View, however, you can also assign
components to a host in the Flow or Event Views.
To assign a host:
Step 1 Click the System View tab.
Step 2 From the Managed Host list, select the managed host to which you want to assign
a STRM component.
The System View of the host appears.
Step 3 Select the component you want to assign to a managed host.
Step 4 From the menu, select Actions > Assign.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Assign Component wizard appears.
Step 5 From the Select a host drop-down list box, select the host that you want to assign
to this component. Click Next.
Note: The drop-down list box only displays managed hosts that are running a
compatible version of STRM software.
Step 6 Click Finish.
Configuring Host Context
The Host Context component monitors all STRM components to make sure that
each component is operating as expected.
Parameter Description
Disk Usage Sentinel Settings
• Warning Threshold - When the configured threshold of disk usage is exceeded,
an e-mail is sent to the administrator indicating the current state of disk usage.
The default is 0.75, therefore, when disk usage exceeds 75%, an e-mail is sent
indicating that disk usage is exceeding 75%. If disk usage continues to increase
above the configured threshold, a new e-mail is sent after every 5% increase in
usage. By default, Host Context monitors the following partitions for disk usage:
/, /store, and /store/tmp. Specify the desired warning threshold for disk usage.
Note: Notification e-mails are sent to the Administrative Email Address and are
sent from the Alert Email From Address, which is configured in the System
Settings. For more information, see Chapter 3 Setting Up STRM.
• Shutdown Threshold - When the system exceeds the shutdown threshold, all
STRM processes are stopped. An e-mail is sent to the administrator indicating the
current state of the system. The default is 0.95, therefore, when disk usage
exceeds 95%, all STRM processes stop. Specify the shutdown threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are
sent from the Alert Email From Address, which is configured in the System
Settings. For more information, see Chapter 3 Setting Up STRM.
• Recovery Threshold - Once the system has exceeded the shutdown threshold,
disk usage must fall below the recovery threshold before STRM processes are
restarted. The default is 0.90, therefore, processes will not be restarted until the
disk usage is below 90%. Specify the recovery threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are
sent from the Alert Email From Address, which is configured in the System
Settings. For more information, see Chapter 3 Setting Up STRM.
• Inspection Interval - Specify the frequency, in milliseconds, that you want to
determine disk usage.
SAR Sentinel Settings
• Inspection Interval - Specify the frequency, in milliseconds, that you want to
inspect SAR output. The default is 300,000 ms.
• Alert Interval - Specify the frequency, in milliseconds, that you want to be
notified that the thresholds have been exceeded. The default is 7,200,000 ms.
• Time Resolution - Specify the time, in seconds, that you want the SAR
inspection to be engaged. The default is 60 seconds.
Log Monitor Settings
• Inspection Interval - Specify the frequency, in milliseconds, that you want to
monitor the log files. The default is 60,000 ms.
• Monitored SYSLOG File Name - Specify a filename for the SYSLOG file. The
default is /var/log/STRM.error.
• Alert Size - Specify the maximum number of lines you want to monitor from the
log file. The default is 1000.
Configuring STRM Components
This section provides information on configuring STRM components and includes:
• Configuring a Flow Collector
• Configuring a Flow Processor
• Configuring a Classification Engine
• Configuring an Update Daemon
• Configuring a Flow Writer
• Configuring an Event Collector
• Configuring an Event Processor
• Configuring the Magistrate
Configuring a Flow Collector
The Flow Collector collects data from devices and various live and recorded feeds,
such as network taps, span/mirror ports, NetFlow, and STRM flow logs. The Flow
Collector then groups related individual packets into a flow. A flow starts when the
Flow Collector detects the first packet with a unique source IP address, destination
IP address, source port, and destination port as well as other specific protocol
options, which may determine the start of a communication. Each additional packet
is evaluated and counts of bytes and packets are added to the statistical counters
in the flow record. At the end of an interval a status record of the flow is sent to a
Flow Processor and statistical counters for the flow are reset. A flow ends when no
activity for the flow is seen within the configured period of time.
Flow reporting generates records of all the active or expired flows during a
specified period of time. STRM defines these flows as a communication session
between two pairs of unique IP address/ports that use the same protocol. If the
protocol does not support port-based connections, STRM combines all packets
between the two hosts into a single flow record. However, a Flow Collector does
not record flows until a connection is made to another STRM component and data
is retrieved.
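The flow-building behaviour described above, as an added Python illustration (not STRM code): packets are grouped on the full 5-tuple for port-based protocols and on the host pair otherwise, both directions of a conversation land in one flow, each interval emits a status record and resets the counters, flows end after a configurable idle period, and only the first Maximum Content Capture bytes are kept. The packet fields, the constructed sample traffic, and counting payload bytes rather than wire bytes are assumptions.

```python
"""Toy Flow Collector modelled on the description above (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds (constructed values below)
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    sport: int     # 0 when the protocol has no ports
    dport: int
    payload: bytes


@dataclass
class Flow:
    initiator: Endpoint          # endpoint that sent the first packet
    responder: Endpoint
    first_seen: float
    last_seen: float
    packet_count: int = 0        # counters for the current interval only
    byte_count: int = 0
    content: bytes = b""         # first max_content payload bytes of the flow
    directions: Set[str] = field(default_factory=set)


def endpoints(pkt: Packet) -> Tuple[Endpoint, Endpoint]:
    """Port-based protocols are keyed on the 5-tuple; for protocols without
    ports every packet between the two hosts joins a single flow."""
    if pkt.proto in ("tcp", "udp"):
        return (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.src, 0), (pkt.dst, 0)


class FlowCollector:
    def __init__(self, idle_timeout: float = 120.0, max_content: int = 64):
        self.idle_timeout = idle_timeout   # seconds of silence before a flow ends
        self.max_content = max_content     # 0 disables content capture
        self.flows: Dict[tuple, Flow] = {}

    def process(self, pkt: Packet) -> None:
        a, b = endpoints(pkt)
        key = (pkt.proto,) + tuple(sorted((a, b)))   # direction-independent
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(initiator=a, responder=b, first_seen=pkt.ts, last_seen=pkt.ts)
            self.flows[key] = flow
        flow.last_seen = pkt.ts
        flow.packet_count += 1
        flow.byte_count += len(pkt.payload)
        flow.directions.add("fwd" if a == flow.initiator else "rev")
        room = self.max_content - len(flow.content)
        if room > 0:
            flow.content += pkt.payload[:room]

    def end_interval(self, now: float) -> List[dict]:
        """Emit a status record for each flow active this interval, reset its
        counters, and drop flows idle for longer than the timeout."""
        records = []
        for key, flow in list(self.flows.items()):
            if flow.packet_count:
                records.append({
                    "proto": key[0],
                    "initiator": flow.initiator,
                    "responder": flow.responder,
                    "packets": flow.packet_count,
                    "bytes": flow.byte_count,
                    "one_sided": len(flow.directions) == 1,
                    "content_len": len(flow.content),
                })
                flow.packet_count = 0
                flow.byte_count = 0
            if now - flow.last_seen > self.idle_timeout:
                del self.flows[key]
        return records


def sample_packets() -> List[Packet]:
    """Constructed traffic: a short HTTP exchange, an ICMP echo pair and an
    unanswered DNS query (sample data, not a real capture)."""
    return [
        Packet(0.0, "10.0.0.5", "192.0.2.10", "tcp", 40000, 80, b"GET / HTTP/1.1\r\n"),
        Packet(0.1, "192.0.2.10", "10.0.0.5", "tcp", 80, 40000, b"HTTP/1.1 200 OK\r\n"),
        Packet(0.2, "192.0.2.10", "10.0.0.5", "tcp", 80, 40000, b"<html>hello</html>"),
        Packet(0.3, "10.0.0.5", "192.0.2.10", "icmp", 0, 0, b"\x08\x00" * 4),
        Packet(0.4, "192.0.2.10", "10.0.0.5", "icmp", 0, 0, b"\x00\x00" * 4),
        Packet(0.5, "10.0.0.5", "203.0.113.7", "udp", 5353, 53, b"\x00" * 30),
    ]


def run_sample(max_content: int = 64):
    collector = FlowCollector(idle_timeout=120.0, max_content=max_content)
    for pkt in sample_packets():
        collector.process(pkt)
    first = collector.end_interval(60.0)    # three flows active, reported
    second = collector.end_interval(200.0)  # nothing active; all flows expired
    return collector, first, second


if __name__ == "__main__":
    _, first, second = run_sample()
    for rec in first:
        print(rec)
    print("records in second interval:", len(second))
```

The unanswered DNS query comes out as a one-sided flow, which is the case the Flow Carry-over Window parameter later in this section is designed to hold back until the reverse direction has had a chance to arrive.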
Parameter Description
• Server Listen Port - The Flow Collector passes data to the next component in
the process. Once the link is established, all collected data is passed for further
processing. Specify the port that the Flow Collector monitors for incoming Flow
Processor connections. The default range is from 32000 to 65535.
• Flow Collector ID - In larger installations, several Flow Collectors can be
installed throughout the deployment. As several Flow Collectors can function
simultaneously, you must provide each Flow Collector a unique name. You can use
that name to determine where data is originating from in the Collector View, if
configured. Specify the Flow Collector ID.
• Maximum Content Capture - Flow Collectors capture a configurable number of
bytes at the start of each flow. Transferring large amounts of content across the
network may affect network and STRM performance. On managed hosts where the
Flow Collectors are located on close high-speed links, you can increase the
content capture length. Specify the capture length, in bytes, to attach to a flow. A
value of 0 disables content capture. The default is 64 bytes.
Note: Increasing the content capture length increases disk storage requirements
beyond the recommended disk allotment.
• Alias Autodetection - Specify one of the following options:
  • Yes - Allows the Flow Collector to detect external flow source aliases. When
a Flow Collector receives traffic from a device with an IP address but no current
alias, the Flow Collector attempts a reverse DNS lookup to determine the
hostname of the device. If the lookup is successful, the Flow Collector adds this
information to the database and reports this information to all Flow Collectors in
your deployment.
  • No - Disables the Flow Collector from detecting external flow source aliases.
For more information on flow sources, see Chapter 7 Managing Flow Sources.
• Maximum Data Capture/Packet - Specify the number of bytes/packets you want
the Flow Collector to capture.
• Time Synchronization Server IP Address - Specify the IP address or hostname
of the time server.
• Time Synchronization Timeout Period - Specify the length of time you want the
managed host to continue attempting to synchronize the time before timing out.
The default is 15 minutes.
• Endace DAG Interface Card Configuration - Specify the Endace Network
Monitoring Interface card parameters. For more information, see the Technical
support web site or contact Juniper Networks Customer Support.
• Flow Buffer Size - Specify the amount of memory, in MB, that you want to
reserve for flow storage. The default is 400 MB.
• Maximum Number of Flows - Specify the maximum number of flows you want to
send from the Flow Collector to Flow Processors.
• Remove duplicate flows - Enables or disables the ability to remove duplicate
flows.
• External Flow De-duplication method - Specify the method you want to use to
remove duplicate external flow sources (de-duplication). Options include:
  • Source - Compares originating flow sources. This method of removing
duplicate external flows compares the IP address of the device that exported the
current external flow record to the IP address of the device that exported the first
external record of the particular flow. If the IP addresses do not match, the current
external flow record is discarded.
  • Record - Compares individual external flow records. This method of
removing duplicate external flows logs a list of every external flow record detected
by a particular device and compares each subsequent record to that list. If the
current record is found in the list, that record is discarded.
• External flow record comparison mask - This parameter is only valid if you
configure the External Flow De-duplication method parameter to Record. Specify
the external flow record fields you want to use to remove duplicate flows. Valid
options include: D (Direction), B (ByteCount), or P (PacketCount). Possible
combinations of the options include:
  • DBP - Uses direction, byte count, and packet count when comparing flow
records.
  • XBP - Uses byte count and packet count when comparing flow records.
  • DXP - Uses direction and packet count when comparing flow records.
  • DBX - Uses direction and byte count when comparing flow records.
  • DXX - Uses direction when comparing flow records.
  • XBX - Uses byte count when comparing records.
  • XXP - Uses packet count when comparing records.
• Flow Carry-over Window - Specify the number of seconds before the end of an
interval during which one-sided flows are held over until the next interval. This
allows time for the inverse side of the flow to arrive before the flow is reported.
• Minimum Buffer Data - Specify the minimum amount of data, in bytes, that you
want the Endace DAG Interface Card to receive before the captured data is
returned to the Flow Collector process. For example, if this parameter is 0 and no
data is available, the Endace DAG Interface Card allows non-blocking behavior.
• Maximum Wait Time - Specify the maximum amount of time, in microseconds,
that you want the Endace DAG Interface Card to wait for the minimum amount of
data, as specified in the Minimum Buffer Data parameter.
• Polling Interval - Specify the interval, in microseconds, that you want the
Endace DAG Interface Card to wait before checking for additional data. A polling
interval avoids excessive polling traffic to the card and therefore conserves
bandwidth and processing time.
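The External Flow De-duplication method and comparison mask parameters above describe two different ways of deciding that a record exported by a second router is a duplicate. The Python below is an added illustration of both, not STRM code. It assumes that the Record method compares a record's flow 5-tuple plus the masked fields against everything already accepted, whichever exporter sent it, that direction is a plain string field, and it uses constructed NetFlow-style records.

```python
"""External flow de-duplication: Source vs. Record method with a D/B/P
comparison mask (added illustration, not STRM code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Mask letters map to record fields; an X in that position ignores the field.
MASK_FIELDS = {"D": "direction", "B": "byte_count", "P": "packet_count"}


def parse_mask(mask: str) -> Tuple[str, ...]:
    """Turn a mask such as 'DXP' into the tuple of fields to compare.
    Accepts exactly the seven combinations listed in the table; 'XXX'
    is rejected because it would compare nothing."""
    if len(mask) != 3:
        raise ValueError(f"mask must be three characters: {mask!r}")
    fields = []
    for expected, letter in zip("DBP", mask.upper()):
        if letter == expected:
            fields.append(MASK_FIELDS[letter])
        elif letter != "X":
            raise ValueError(f"invalid mask {mask!r}")
    if not fields:
        raise ValueError("mask must compare at least one field")
    return tuple(fields)


@dataclass(frozen=True)
class ExternalRecord:
    exporter: str       # IP of the device that exported the record
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    direction: str      # "fwd" or "rev" relative to the initiator (assumption)
    byte_count: int
    packet_count: int

    def flow_id(self) -> tuple:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


class ExternalFlowDeduplicator:
    def __init__(self, method: str = "source", mask: str = "DBP"):
        if method not in ("source", "record"):
            raise ValueError(f"unknown method {method!r}")
        self.method = method
        self.fields = parse_mask(mask)
        self.first_exporter: dict = {}   # flow_id -> exporter that reported it first
        self.seen: set = set()           # signatures of records already accepted

    def accept(self, rec: ExternalRecord) -> bool:
        """Return True to keep the record, False if it is a duplicate."""
        if self.method == "source":
            # Only the device that exported the first record of a flow may
            # report it; every other exporter's copy is discarded.
            owner = self.first_exporter.setdefault(rec.flow_id(), rec.exporter)
            return owner == rec.exporter
        # Record method: the flow plus the masked fields must be new.
        signature = rec.flow_id() + tuple(getattr(rec, f) for f in self.fields)
        if signature in self.seen:
            return False
        self.seen.add(signature)
        return True


def sample_records() -> List[ExternalRecord]:
    """Constructed NetFlow-style records: two routers (10.1.1.1 and 10.1.1.2)
    both export the same two flows (sample data)."""
    a = ("10.0.0.5", "192.0.2.10", 40000, 443, "tcp")
    b = ("10.0.0.6", "198.51.100.20", 40001, 22, "tcp")
    return [
        ExternalRecord("10.1.1.1", *a, "fwd", 1200, 10),
        ExternalRecord("10.1.1.2", *a, "fwd", 1200, 10),   # same flow via 2nd router
        ExternalRecord("10.1.1.2", *a, "fwd", 1500, 12),   # later export, counters grew
        ExternalRecord("10.1.1.1", *b, "fwd", 800, 6),
        ExternalRecord("10.1.1.2", *b, "fwd", 800, 6),
    ]


def run(method: str, mask: str = "DBP") -> List[bool]:
    """Accept/discard decision for each sample record under one configuration."""
    dedup = ExternalFlowDeduplicator(method, mask)
    return [dedup.accept(r) for r in sample_records()]


if __name__ == "__main__":
    for cfg in (("source", "DBP"), ("record", "DBP"), ("record", "DXX")):
        print(cfg, run(*cfg))
```

The third record shows the practical difference: with the Source method it is dropped simply because it came from the second router, while the Record method with mask DBP keeps it because its counters differ, and with mask DXX drops it again because direction alone no longer distinguishes it.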
Configuring a Flow Processor
A Flow Processor collects and consolidates data from one or more Flow
Collector(s). Flow Processors are located between the Classification Engine, Flow
Collectors, and other Flow Processors. You can connect multiple Flow Processors
in a series.
Superflows can last long periods of time, just like normal flows. STRM manages
superflows in the same manner as regular flows. Superflows are logged every
interval and detail the state of the flow during that time period. You can also
investigate flows using the Network Surveillance interface to further expand
superflows into more traditional flows, which allows for flexible analysis.
Some normally occurring network communications generate flows for which there
are no responses, such as web requests to a failed web server or to a host that is
down. One-sided flows are generally not a high risk threat and should not apply to
superflows. For this reason, there is a configurable threshold for superflow
generation, which a host has to breach before the flows are bundled into
superflows.
You can also configure branch filtering in the Flow Processor, which allows you to
distribute network processing across multiple Classification Engines. A branch
filter consists of a branch and a flow class definition. The branch filter configuration
controls which flows a component receives. When configuring branch filtering, you
must use groups located at the top of your network hierarchy. For the Flow
Processor, the branch filter specifies which flows the Flow Processor receives from
flow sources.
Parameter Description
Flow Processor Listen Port: The Classification Engine connects to the Flow Processor to accept flows through a TCP/IP link. Specify the port that the Flow Processor monitors for incoming connections. The default range is from 32000 to 65535.
Flow Collectors: When the Flow Processor starts, it attempts to establish a link with one or more Flow Collector(s). If the Flow Collector cannot be reached, the Flow Processor attempts to establish the link periodically, until it succeeds. You can have multiple Flow Collectors in your deployment and each Flow Collector can be connected to a different time server. This parameter also indicates whether the Flow Collector is local or remote.
Specifies the list of default Flow Collectors to which the Flow Processor will connect. The information is entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Collector.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Collector is local (L) or remote (R).
Each Flow Collector is separated with a comma. The default is localhost:32000.
Flow Processors: Specifies the list of Flow Processors attached to this Flow Processor. You can have multiple Flow Processors in your deployment and each Flow Processor can be connected to a different time server. This parameter also indicates whether the Flow Processor is local or remote. If a component is identified as remote, any flows sent to the local Flow Processor are tagged with the local interval time. This parameter is for information purposes only and is not amendable. The values are entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Processor.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Processor is local (L) or remote (R).
Each Flow Processor is separated with a comma.
Create Flow Bundles: Specify one of the following options:
• Yes - Allows the Flow Processor to group flows that have similar properties.
• No - Disables the bundling of flows.
Maximum Number of Flows: Specify the maximum number of flows you want to send from the Flow Processor to the Classification Engines. If set to 0, the number of flows is unlimited.
Time Difference for Duplicate Flows: Specify the time difference threshold, in microseconds, that determines whether duplicate flows are present. The default is 500000.
Type A Superflows: Specify the threshold for type A superflows, in which one host sends data to many hosts. A type A superflow is a unidirectional flow that aggregates all flows that have the same protocol, source bytes, source host, destination network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), and ICMP type and code (ICMP flows only) but different destination hosts.
Type B Superflows: Specify the threshold for type B superflows, in which many hosts send data to one host. A type B superflow is a unidirectional flow that aggregates all flows that have the same protocol, source bytes, source packets, destination host, source network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), and ICMP type and code (ICMP flows only), but different source hosts.
Type C Superflows: Specify the threshold for type C superflows, in which one host sends data to another host. A type C superflow is a unidirectional flow that aggregates all non-ICMP flows that have the same protocol, source host, destination host, source bytes, destination bytes, source packets, and destination packets but different source or destination ports.
IP Address(es) Range Conversion: Specify an IP address or CIDR range to convert to another IP address or CIDR range from the Flow Processor. This allows STRM to identify data sources on networks with similar IP addresses when a single Flow Processor is used to process many data sources.
Enter the information in the following format:
<IP address>:<convert>
Where:
<IP address> specifies the IP address or CIDR range to be converted.
<convert> specifies the desired conversion range.
This option is also available in the Flow Collector.
Maximum Content for Destination STRM Components: A content filter controls where content is denied or allowed. Apply filters in the following format:
<CIDR>:<bytes of content>
Where:
<CIDR> specifies a CIDR range.
<bytes of content> specifies how much content is allowed, for example, 64 bytes of content or 128 bytes of content.
The filter is case sensitive. You must use either all uppercase or all lowercase characters.
For example:
If CIDR=10.100.100.0/24 and you want to allow 64 bytes of content, enter:
10.100.100.0/24:64
If CIDR=10.100.100.0/24 and you want to deny the content, enter:
10.100.100.0/24:0
If CIDR=10.100.100.0/24 and you want to allow content only to this CIDR, enter:
default:0, 10.100.100.0/24:64
Branch Filtering: By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine.
Specify the branch filter using the following syntax:
brc-1,brc-2,...,brc-N
Where:
brc-1,brc-2,...,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored.
For example:
ComputingServices,Manufacturing_facilites
Corporate_HQ,other
Recombine Asymmetric Flows: In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. You can combine flows received from either a single or multiple Flow Collectors. However, if you want to combine flows from multiple Flow Collectors, you must configure flow sources in the Asymmetric Flow Source Interface(s) parameters in the Flow Collector configuration. For more information, see Configuring a Flow Collector.
Choose one of the following options:
• Yes - Asymmetric flows are combined.
• No - Asymmetric flows are not combined.
Ignore Asymmetric Superflows: Specify whether you want to enable the creation of superflows while asymmetric flows are enabled. The default is Yes, which means superflows are created.
Enable Application Mapping: Choose one of the following:
• Yes - Application mapping is applied, as defined in your mapping file. For more information, see the STRM Default Application Configuration Guide. This is the default.
• No - Application mapping is not applied.
User Application Mapping: Specify the name of the file that contains your custom application mappings. For more information, see the STRM Default Application Configuration Guide.
Block Content: Choose one of the following options:
• Yes - All content captured in the flows is removed from the Flow Processor.
• No - Captured content is not removed from flows.
Payload Modification: Specify a string to which you want all content to be changed.
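The following is an added example (not STRM's own code) that parses the <CIDR>:<bytes of content> list from the Maximum Content for Destination STRM Components parameter and applies it to a captured payload, using the manual's own example values. It assumes that the most specific matching CIDR wins, that the default entry covers everything else, and that with no default and no match the content passes unchanged; the function names are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# A parsed filter: the optional byte limit for "default" plus (network, limit) entries.
ContentFilter = Tuple[Optional[int], List[Tuple[ipaddress.IPv4Network, int]]]


def parse_content_filter(spec: str) -> ContentFilter:
    """Parse a comma-separated list of <CIDR>:<bytes of content> entries.

    Example input: "default:0, 10.100.100.0/24:64"
    """
    default_limit: Optional[int] = None
    entries: List[Tuple[ipaddress.IPv4Network, int]] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        target, sep, limit_text = item.rpartition(":")
        if not sep or not target:
            raise ValueError(f"expected <CIDR>:<bytes of content>, got {item!r}")
        if not limit_text.isdigit():
            raise ValueError(f"byte count must be a non-negative integer in {item!r}")
        limit = int(limit_text)
        # The keyword is case sensitive: all-lowercase or all-uppercase only, so a
        # mixed-case "Default" falls through and is rejected as a malformed CIDR.
        if target in ("default", "DEFAULT"):
            default_limit = limit
            continue
        try:
            network = ipaddress.IPv4Network(target, strict=False)
        except ValueError as exc:
            raise ValueError(f"not a CIDR range or the default keyword: {target!r}") from exc
        entries.append((network, limit))
    return default_limit, entries


def allowed_content_bytes(flt: ContentFilter, dst_ip: str) -> Optional[int]:
    """Byte limit for a destination address; None means no limit is configured.

    Assumption: the longest matching prefix wins over shorter ones and over default.
    """
    default_limit, entries = flt
    addr = ipaddress.IPv4Address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
    for network, limit in entries:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, limit)
    if best is not None:
        return best[1]
    return default_limit


def apply_content_filter(flt: ContentFilter, dst_ip: str, payload: bytes) -> bytes:
    """Truncate a captured payload to what the filter allows for its destination."""
    limit = allowed_content_bytes(flt, dst_ip)
    return payload if limit is None else payload[:limit]


if __name__ == "__main__":
    # Constructed sample: the manual's third example, allowing content only to one CIDR.
    flt = parse_content_filter("default:0, 10.100.100.0/24:64")
    captured = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n" + b"X" * 100
    for dst in ("10.100.100.7", "192.0.2.1"):
        kept = apply_content_filter(flt, dst, captured)
        print(f"{dst}: {len(kept)} of {len(captured)} bytes retained")
```

With the third example filter, a payload bound for 10.100.100.7 is cut to 64 bytes and a payload bound for any other address is dropped entirely, which is the "allow content only to this CIDR" behaviour the table describes.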
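The following is an added example (not STRM's own code) that bundles constructed flow records into type A, B and C superflows using the field sets given above for each type, with one threshold per type as the table describes. The Flow record layout, the Superflow summary, the constructed network hierarchy and the sample traffic are all assumptions made for the example; how STRM itself stores and keys its flows is not described on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Sequence, Set, Tuple

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed field set for this example)."""
    protocol: int
    src_host: str
    dst_host: str
    src_port: int
    dst_port: int
    src_bytes: int
    dst_bytes: int
    src_packets: int
    dst_packets: int
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class Superflow:
    kind: str      # "A", "B" or "C"
    src: str       # source host (A, C) or source network (B)
    dst: str       # destination network (A) or destination host (B, C)
    members: int   # distinct destination hosts (A), source hosts (B) or port pairs (C)


def network_of(host: str, hierarchy: Sequence[Tuple[str, IPv4Network]]) -> str:
    """Map a host to the first matching branch of a (constructed) network hierarchy."""
    addr = IPv4Address(host)
    for name, cidr in hierarchy:
        if addr in cidr:
            return name
    return "other"


def _protocol_key(f: Flow) -> Tuple:
    # Protocol-specific fields only take part in the key for the protocols they belong to.
    port = f.dst_port if f.protocol in (TCP, UDP) else None
    flags = f.tcp_flags if f.protocol == TCP else None
    icmp = (f.icmp_type, f.icmp_code) if f.protocol == ICMP else None
    return port, flags, icmp


def bundle_superflows(flows, hierarchy, threshold_a, threshold_b, threshold_c) -> List[Superflow]:
    """Group flows by the type A, B and C field sets and bundle groups that reach their threshold."""
    type_a: Dict[Tuple, Set[str]] = defaultdict(set)
    type_b: Dict[Tuple, Set[str]] = defaultdict(set)
    type_c: Dict[Tuple, Set[Tuple[int, int]]] = defaultdict(set)
    for f in flows:
        # Type A: one host to many hosts in the same destination network.
        key_a = (f.protocol, f.src_bytes, f.src_host, network_of(f.dst_host, hierarchy)) + _protocol_key(f)
        type_a[key_a].add(f.dst_host)
        # Type B: many hosts in the same source network to one host.
        key_b = (f.protocol, f.src_bytes, f.src_packets, f.dst_host, network_of(f.src_host, hierarchy)) + _protocol_key(f)
        type_b[key_b].add(f.src_host)
        # Type C: one host to one host over many port pairs (non-ICMP flows only).
        if f.protocol != ICMP:
            key_c = (f.protocol, f.src_host, f.dst_host, f.src_bytes, f.dst_bytes, f.src_packets, f.dst_packets)
            type_c[key_c].add((f.src_port, f.dst_port))
    bundles: List[Superflow] = []
    for key, hosts in type_a.items():
        if len(hosts) >= threshold_a:
            bundles.append(Superflow("A", key[2], key[3], len(hosts)))
    for key, hosts in type_b.items():
        if len(hosts) >= threshold_b:
            bundles.append(Superflow("B", key[4], key[3], len(hosts)))
    for key, ports in type_c.items():
        if len(ports) >= threshold_c:
            bundles.append(Superflow("C", key[1], key[2], len(ports)))
    return bundles


def sample_flows() -> List[Flow]:
    """Constructed flows: a one-sided host sweep, a fan-in to one resolver, and a port sweep."""
    flows = []
    # One host sending a SYN to ten hosts on 192.168.1.0/24 port 445 with no reply (type A).
    for i in range(1, 11):
        flows.append(Flow(TCP, "10.0.0.5", f"192.168.1.{i}", 40000 + i, 445, 60, 0, 1, 0, tcp_flags=0x02))
    # Five hosts in 10.0.0.0/24 each sending the same DNS query to one resolver (type B).
    for i in range(20, 25):
        flows.append(Flow(UDP, f"10.0.0.{i}", "192.168.1.1", 50000 + i, 53, 70, 120, 1, 1))
    # One host reaching one host on six different ports with identical sizes (type C).
    for port in range(8000, 8006):
        flows.append(Flow(TCP, "10.0.0.9", "192.168.1.2", 41000, port, 74, 0, 1, 0, tcp_flags=0x02))
    return flows


SAMPLE_HIERARCHY = [("Corporate_HQ", IPv4Network("10.0.0.0/24")), ("ComputingServices", IPv4Network("192.168.1.0/24"))]

if __name__ == "__main__":
    for sf in bundle_superflows(sample_flows(), SAMPLE_HIERARCHY, 8, 4, 5):
        print(sf)
```

Because each group is counted separately, one-sided traffic only becomes a superflow once its distinct-host or distinct-port count reaches the threshold for its type; below that, as the text above notes, the flows stay individual flows.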
Configuring a Classification Engine
The Classification Engine receives inputs from one or more Flow Processor(s), classifies the flows into views and objects, and outputs the resulting database entries and flow logs to the Update Daemon to be stored on disk. Using the deployment map, you can either enable or disable views and configure a Classification Engine.
To configure a Classification Engine:
Step 1 In either the Flow or System View, select the Classification Engine you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Classification Engine window appears.
Parameter Description
Classification Engine Server Listen Port: Specify the port that the Classification Engine monitors for incoming connections. The default range is from 32000 to 65535.
Flow Processor Connections: When the Classification Engine starts, it attempts to establish a TCP/IP communications link with one or more Flow Processor(s) to retrieve flows. If the Flow Processors cannot be reached, the Classification Engine attempts to establish the link periodically until it succeeds. This parameter is for information purposes only and is not amendable.
Specifies the list of Flow Processor connections using the following format:
<hostname>:<port>
The default is localhost:32001.
Each entry is separated with a comma.
Update Daemon Connections: Specifies the hostname and port of the Update Daemon to which the Classification Engine sends data for storage. This parameter is for information purposes only and is not amendable. The information appears in the following format:
<hostname>:<port>
The default is localhost:32002.
Flow Writer Connection: Specifies the hostname and port of the Flow Writer that sends the Classification Engine data for storage. This parameter is for information purposes only and is not amendable.
The information appears in the following format:
<hostname>:<port>
The default is localhost:32010.
Event Collector Connections: Specifies the hostname and port of the Event Collector that sends the Classification Engine data. This parameter is for information purposes only and is not amendable.
Forward Flow Data: Specify one of the following options:
• Yes - Processes view data only and does not forward flows. This is the default.
• No - Processes and forwards all data.
Process Defined Views Only: If you are using a distributed processing Console, specify the processing information. This requires each involved managed host to have a list of views to process. For assistance, contact Juniper Networks Customer Support.
Branch Filtering: By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine.
Specify the branch filter using the following syntax:
brc-1,brc-2,...,brc-N
Where:
brc-1,brc-2,...,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored.
For example:
ComputingServices,Manufacturing_facilites
Corporate_HQ,other
Network Object Limit: Specify the maximum number of network objects you want to allow.
Asset Profile Threshold: Specify the maximum number of asset profiles you want to monitor. The default is 25,000.
Remote Host Cache Clear Interval: Specify the period of time, in seconds, that you want to retain the log files, which are the stored result of a remote view lookup.
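The following is an added example (not STRM's own code) that parses and checks the two connection-list formats shown on this page: the Flow Processor's <hostname>:<port>:[L|R] list (Flow Collectors and Flow Processors parameters) and the Classification Engine's <hostname>:<port> list. It assumes that an entry without the L|R suffix, such as the default localhost:32000, means local; the function and type names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Listen ports on this page default to the 32000-65535 range.
DEFAULT_LISTEN_RANGE = (32000, 65535)

# RFC 1123 style hostname labels: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    port: int
    local: Optional[bool]  # None when the format carries no L|R flag


def parse_endpoint(entry: str, with_locality: bool) -> Endpoint:
    """Parse one entry; with_locality selects <hostname>:<port>:[L|R] over <hostname>:<port>."""
    parts = entry.strip().split(":")
    expected = (2, 3) if with_locality else (2,)
    if len(parts) not in expected:
        raise ValueError(f"wrong number of fields in {entry!r}")
    hostname, port_text = parts[0], parts[1]
    if not _HOST_RE.match(hostname):
        raise ValueError(f"invalid hostname in {entry!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port must be 1-65535 in {entry!r}")
    local: Optional[bool] = None
    if with_locality:
        # Assumption: an entry without the suffix (the default localhost:32000) is local.
        flag = parts[2] if len(parts) == 3 else "L"
        if flag not in ("L", "R"):
            raise ValueError(f"locality flag must be L or R in {entry!r}")
        local = flag == "L"
    return Endpoint(hostname, int(port_text), local)


def parse_endpoint_list(spec: str, with_locality: bool = False) -> List[Endpoint]:
    """Parse a comma-separated list, ignoring empty items."""
    return [parse_endpoint(item, with_locality) for item in spec.split(",") if item.strip()]


def outside_default_listen_range(endpoints: List[Endpoint]) -> List[Endpoint]:
    """Entries whose port falls outside the 32000-65535 default range, worth a second look."""
    low, high = DEFAULT_LISTEN_RANGE
    return [e for e in endpoints if not low <= e.port <= high]


if __name__ == "__main__":
    # Constructed values: one local and one remote Flow Collector, plus the CE default.
    collectors = parse_endpoint_list("localhost:32000:L, fc-remote.example.net:32000:R", with_locality=True)
    processors = parse_endpoint_list("localhost:32001")
    for endpoint in collectors + processors:
        print(endpoint)
    print("outside default range:", outside_default_listen_range(collectors + processors))
```

A rejected entry raises ValueError with the offending item, so a malformed list is caught before it is saved to the staging area; the range check only flags ports, it does not reject them, because the page calls 32000 to 65535 a default rather than a hard limit.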
Configuring an Update Daemon
Once the Classification Engine has processed the flows for an interval, the Update Daemon stores the database and TopN data. Depending on the size of your deployment, you may have multiple Update Daemons.
Step 3 For the Server listen port parameter, specify the Update Daemon listening port
values. Separate each entry with a comma. This port monitors requests from the
Classification Engine. The entered values must match the values configured for
the Classification Engine.
Step 4 In the toolbar, click Advanced to display advanced parameters.
The configuration parameters appear.
Parameter Description
Database Storage Location: Specify the directory in which you want to store the database information. The default is /store/db.
TopN Database Storage Location: Specify the directory in which you want to store the TopN database. The default is /store/STRM-tmp/topn.
Configuring a Flow Writer
Once the Classification Engine has processed the flows for an interval, the Flow Writer stores the flow and asset profile data. You can only have one Flow Writer per host, which must be connected to the Classification Engine.
Parameter Description
Server listen port: Specify the Flow Writer listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.
Maximum Hosts Count Before a Reset: Specify the maximum number of hosts you want the system to store before all counters are reset. The lower the reset threshold, the more efficiently your system uses disk space; however, the query time may be extended.
Configuring an Event Collector
The Event Collector collects security events from various types of security devices in your network.
Parameter Description
Event Collector Server Listen Port: The Event Collector monitors at least one device per instance of the component.
Destination Event Processor: Specify the destination Event Processor for communications.
Listen Port: Specifies the listening port for event forwarding.
Event Targets: If the Event Collector includes an off-site target, this parameter specifies the normalized event forwarding devices, separated by commas, using the following format:
<device>:<type>
This parameter is for informational purposes only and is not amendable.
Receives Flow Context: Specifies the first Event Collector installed in your deployment. This parameter is for informational purposes only and is not amendable.
Auto Detection Enabled: Specify whether you want the Event Collector to automatically analyze and accept traffic from previously unknown sensor devices. The default is true, which means that the Event Collector detects sensor devices in your network. Also, when set to true, the appropriate firewall ports are opened to enable auto detection to receive events. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
Configuring an Event Processor
The Event Processor processes flows collected from one or more Event Collector(s).
Parameter Description
Event Processor Server Listen Port: Specify the port that the Event Processor monitors for incoming connections. The default range is from 32000 to 65535.
Destination Magistrate: Specifies the Magistrate to which events are sent. This parameter is for informational purposes only and is not amendable.
Classification Engines: All Event Processors are connected to all Classification Engines in your deployment. Specifies all Classification Engines in your deployment. This parameter is for informational purposes only and is not amendable.
ESA Server: Specifies the Event Statistical Aggregation (ESA) server to which the Event Processor is connected. This parameter is for informational purposes only and is not amendable.
Overflow Routing Threshold: Specify the threshold, in events per second, that the Event Processor can manage. Events over this threshold are placed in the cache.
Path to Ariel Events Database: Specify the location in which you want to store events. The default is /store/ariel/events.
Path to Ariel Payloads Database: Specify the location in which you want to store payload information. The default is /store/ariel/payloads.
Configuring the Magistrate
The Magistrate component provides the core processing components of the SIM option.
Parameter Description
Magistrate Server Listen Port: Specify the port that the Magistrate monitors for incoming connections. The default range is 32000 to 65535.
ESA Server: Specifies the Event Statistical Aggregation (ESA) server to which the Magistrate is connected. This parameter is for informational purposes only and is not amendable.
Step 5 For the Overflow Routing Threshold, specify the threshold, in events per second, that the Magistrate can manage. Events over this threshold are placed in the cache. The default is 20000.
Step 6 Click Save.
The deployment editor appears.
About Flow Sources
STRM allows you to integrate internal and external flow sources:
• Internal flow sources - Includes any additional hardware installed on a managed host, such as a Network Interface Card (NIC). Depending on the hardware configuration of your managed host, the options may include:
- Network interface card
- Endace Network Monitoring Interface Card
• External flow sources - Configures an external flow source for the Flow Collector. If your Flow Collector receives multiple flow sources, you can assign each source a distinct name, providing the ability to distinguish one source of external flow data from another when received on the same Flow Collector. To assign names to multiple flow sources, you must configure the External Flow Source Interface Name parameter in the Flow Collector component. External flow sources may include:
- NetFlow
- sFlow
- J-Flow
- Packeteer
- Flowlog File
Once you configure an external flow source for NetFlow, you must:
• Make sure the appropriate firewall rules are configured. Note that if you change
your External Flow Source Monitoring Port parameter in the Flow Collector
configuration, you must also update your firewall access configuration.
• Make sure the appropriate ports are configured for your Flow Collector.
If you are using NetFlow version 9, make sure the NetFlow template from the
NetFlow source includes the following fields:
• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT
• IN_BYTES and/or OUT_BYTES
• IN_PKTS and/or OUT_PKTS
• TCP_FLAGS (TCP flows only)
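The following is an added example (not STRM's own code) that reads the Template FlowSet from a NetFlow v9 export packet and reports which of the fields listed above are absent, so a template can be checked before the source is pointed at a Flow Collector. The field type numbers are those of RFC 3954; the packet builder and the two sample templates are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers (RFC 3954, section 8) for the fields listed above.
FIELD_TYPES = {
    "IN_BYTES": 1, "IN_PKTS": 2, "PROTOCOL": 4, "TCP_FLAGS": 6,
    "L4_SRC_PORT": 7, "IPV4_SRC_ADDR": 8, "L4_DST_PORT": 11, "IPV4_DST_ADDR": 12,
    "LAST_SWITCHED": 21, "FIRST_SWITCHED": 22, "OUT_BYTES": 23, "OUT_PKTS": 24,
}
# Each tuple is an "any of" group; the and/or pairs from the list become two-member groups.
REQUIRED = [
    ("FIRST_SWITCHED",), ("LAST_SWITCHED",), ("PROTOCOL",),
    ("IPV4_SRC_ADDR",), ("IPV4_DST_ADDR",), ("L4_SRC_PORT",), ("L4_DST_PORT",),
    ("IN_BYTES", "OUT_BYTES"), ("IN_PKTS", "OUT_PKTS"),
]

Template = List[Tuple[int, int]]  # (field type, field length) pairs


def parse_v9_templates(packet: bytes) -> Dict[int, Template]:
    """Extract every template from the Template FlowSets (ID 0) of one v9 export packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates: Dict[int, Template] = {}
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("FlowSet length runs past the end of the packet")
        if flowset_id == 0:
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack("!HH", packet[pos:pos + 4])
                if template_id < 256:  # template IDs start at 256; anything lower is padding
                    break
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError(f"template {template_id} is truncated")
                fields = [struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4]) for i in range(field_count)]
                templates[template_id] = fields
                pos += 4 * field_count
        offset += length  # data and options FlowSets are skipped
    return templates


def missing_template_fields(template: Template) -> List[str]:
    """Names of required fields (or and/or groups) the template does not carry."""
    present = {field_type for field_type, _length in template}
    return ["/".join(group) for group in REQUIRED
            if not any(FIELD_TYPES[name] in present for name in group)]


def build_template_packet(template_id: int, template: Template) -> bytes:
    """Constructed v9 packet holding a single Template FlowSet, for offline testing."""
    body = struct.pack("!HH", template_id, len(template))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in template)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + struct.pack("!HH", 0, 4 + len(body)) + body


# Constructed templates: one complete, one missing LAST_SWITCHED and any packet counter.
COMPLETE_TEMPLATE = [(22, 4), (21, 4), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4), (6, 1)]
INCOMPLETE_TEMPLATE = [(22, 4), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (23, 4)]

if __name__ == "__main__":
    for name, tmpl in (("complete", COMPLETE_TEMPLATE), ("incomplete", INCOMPLETE_TEMPLATE)):
        parsed = parse_v9_templates(build_template_packet(256, tmpl))
        print(name, "missing:", missing_template_fields(parsed[256]) or "nothing")
```

TCP_FLAGS is deliberately not in the required groups, since the list marks it as needed for TCP flows only; a template without it will still parse, but TCP flag based analysis on the collected flows will have nothing to work with.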
sFlow
A multi-vendor and end-user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously. sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. STRM supports sFlow versions 2, 4, and 5. Note that sFlow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on sFlow, see www.sflow.org.
sFlow uses a connection-less protocol (UDP). Once data is sent from a switch or
router, the sFlow record is purged. As UDP is used to send this information and
does not guarantee the delivery of data, sFlow records inaccurate recording and
Once you configure an external flow source for sFlow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.
J-Flow
A proprietary accounting technology used by Juniper® Networks that allows you to collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or interface to collect network statistics for specific locations on your network. Note that J-Flow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on J-Flow, see www.juniper.net.
J-Flow uses a connectionless protocol (UDP). Once data is sent from a switch or router, the J-Flow record is purged. Because UDP does not guarantee delivery of data, J-Flow records may be inaccurate and alerting capabilities reduced. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.
Once you configure an external flow source for J-Flow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.
Packeteer
Packeteer devices collect, aggregate, and store network performance data. Once you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to STRM.
Packeteer uses a connectionless protocol (UDP). Once data is sent from a switch or router, the Packeteer record is purged. Because UDP does not guarantee delivery of data, Packeteer records may be inaccurate and alerting capabilities reduced. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.
Managing Flow Sources
For STRM appliances, STRM automatically adds default flow sources for the physical ports on the appliance. STRM also includes a default NetFlow v5 flow source. If you have installed STRM on your own hardware, STRM attempts to automatically detect and add default flow sources for any physical devices (such as a NIC card). Also, once you assign a Flow Collector, STRM includes a default NetFlow flow source.
Parameter Description
Build from existing flow source: Select the check box if you want to create this flow source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.
Flow Source Name: Specify the name of the flow source. For an external flow source that is also a physical device, we recommend that you use the device name as the flow source name. If the flow source is not a physical device, make sure you use a meaningful name. For example, if you want to use NetFlow traffic, enter nf1.
Target Flow Collector: Using the drop-down list box, select the Flow Collector you want to use for this flow source.
Flow Source Type: Using the drop-down list box, select the flow source type for this flow source. The options are:
• Flowlog File
• JFlow
• Netflow v.1, v5, v7, or v9
• Network Interface
• Packeteer FDR
• SFlow v.2, v.4, or v5
Enable Asymmetric Flows: In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. Select the check box if you want to enable asymmetric flows for this flow source.
a If you selected Flowlog File as the Flow Source Type, configure the Source File
Path, which is the source path location for the flow log file.
b If you selected JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source
Type, configure the following:
Table 8-2 External Flow parameters
Parameter Description
Monitoring Interface: Using the drop-down list box, select the monitoring interface you want to use for this flow source.
Monitoring Port: Specify the port you want this flow source to use.
Enable Flow Forwarding: Select the check box to enable flow forwarding for this flow source. Once the check box is selected, the following options appear:
• Forwarding Port - Specify the port to which you want to forward flows. The default is 1025.
• Forwarding Destinations - Specify the destinations to which you want to forward flows. You can add or remove addresses from the list using the Add and Remove buttons.
c If you selected Network Interface as the Flow Source Type, configure the
following:
Table 8-3 Network Interface Parameters
Parameter Description
Device: Using the drop-down list box, select the device interface you want to assign to this flow source.
Note: You can only configure one device per Ethernet Interface. Also, you cannot send different flow types to the same port.
Filter String: Specify the filter string for this flow source.
Step 4 Edit values, as necessary. For more information on values for flow source types,
see Adding a Flow Source.
Step 5 Click Save.
Step 6 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.
Managing Flow Source Aliases
You can configure a virtual name (or alias) for flow sources. You can identify multiple sources being sent to the same Flow Collector, using the sources’ IP address and virtual name. An alias allows a Flow Collector to uniquely identify and process data sources being sent to the same port.
When a Flow Collector receives traffic from a device with an IP address but no current alias, the Flow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the Flow Collector adds this information to the database, and the information is reported to all Flow Collectors in your deployment.
Note: Using the deployment editor, you can configure the Flow Collector to
automatically detect flow source aliases. For more information, see Chapter 6
Managing Flow Sources.
About the Interface
You must have administrative privileges to access the Administration Console. The STRM Administration Console provides access to the following administrative functionality:
• Manage users. See Chapter 1 Managing Users.
• Manage your network settings. See Chapter 2 Managing the System.
• Manage STRM settings. See Chapter 3 Setting Up STRM.
• Manage authorized services. See Chapter 4 Managing Authorized Services.
• Backup and recover your data. See Chapter 5 Managing Backup and Recovery.
• Manage your deployment views. See Chapter 6 Using the Deployment Editor.
• Manage flow sources. See Chapter 7 Managing Flow Sources.
• Configure sentries. See Chapter 9 Managing Sentries.
• Configure views. See Chapter 10 Managing Views.
• Configure syslog forwarding. See Chapter 13 Forwarding Syslog Data.
All configuration updates using the Administration Console are saved to a staging
area. Once all changes are complete, you can deploy the configuration changes or
all configuration settings to the remainder of your deployment.
Accessing the Administration Console
You can access the STRM Administration Console through the main STRM interface. To access the Administration Console, click Config in the main STRM interface. The Administration Console appears.
Using the Interface
The Administration Console provides several tab and menu options that allow you to configure STRM, including:
• System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, sentries, system settings, system notifications, authorized services, backup and recovery, and Console configuration.
• Views Configuration - Provides access to STRM views.
• SIM Configuration - Provides access to scanners, sensor device management, syslog forwarding, and resetting the SIM model.
• Flow Configuration - Provides access to flow source configuration, such as NetFlow.
Icon Description
Deployment editor icon: Opens the deployment editor interface.
Deploying Changes
Once you update your configuration settings using the Administration Console, you must save those changes to the staging area. You must either manually deploy all changes using the Deploy menu option or, upon exit, a window appears prompting you to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.
Using the Administration Console menu, you can deploy changes as follows:
• Deploy All - Deploys all configuration settings to your deployment.
• Deploy Configuration Changes - Deploys any configuration changes from the current session to your deployment.
Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. A non-administrative user can create sentries; however, only an administrative user can configure advanced sentries on a system-wide basis.
About Sentries
You can create sentries that perform actions when certain specified conditions are met. These actions may include sending an e-mail notification or storing sentry event information. You can also add sentry alerts for a specific traffic type.
You can save Packages and Logic Units for use with other sentries. For example, if you create a DDoS package, you can create sentries at different locations in your network using the DDoS package. Similarly, an administration user can create a package for other non-administration users to use.
• Sentry - Specifies the network location to which you want the sentry to apply. The network location component of the sentry can also specify any restrictions that you want to enforce. The variables in the sentry component have priority over the Package and Logic Unit variables. For example, you can configure a sentry to monitor the accounting department network location between 8 am and 5 pm. However, you can also specify that you only want to be notified of any misuse if the activity continues for more than 10 minutes.
If this is not the first time you have accessed the Sentries window, go to Step 4.
Step 3 Choose one of the following options:
a If you want to include default sentries in your sentry list, click Create Sentries.
If you want to use the default sentries, you must tune these sentries for your
system.
The default sentries that appear depend on the template chosen during the
installation process. For more information on the defaults, see:
- Enterprise Template - See Appendix B Enterprise Template Defaults.
- University Template - See Appendix C University Template Defaults
b If you do not want to include pre-configured sentries in your list, click Cancel.
The Sentries window appears.
Step 4 From the View By drop-down list box, select the desired view. The options are:
• Objects - View the available sentries or sentry components including:
- Sentry
- Package
- Logical Units
• Users - View the available sentries by the user who created the sentry.
Step 5 Select the sentry you want to view.
Parameter Description
Name: Specifies the name of the configured item.
Owner: Specifies the name of the user who created the sentry.
Action: Provides one of the following options:
• Edit - Allows you to edit the details. You can only edit sentries that you have created.
• Delete - Allows you to delete the selected item. You can only delete sentries that you have created.
Enabled: Allows you to enable or disable the sentry. To enable the sentry, select the check box. To disable the sentry, clear the check box.
Parameter Description
Name: Specify a name for this sentry.
Description: Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry results in an offense being generated.
Minimum number of flows before emitting events: Specify the minimum number of times, in flows, this activity must occur before an event generates.
Delay between emitting events: Specify the number of seconds, after the first occurrence of this event, before the next occurrence of this event. For example, if you set the value to 3, an event generates after three seconds of the first instance of the event.
Maximum emitted events per IP: Specify the maximum number of times you want this event to generate per IP address. For example, if you set the maximum alerts to 2, only two alerts generate per event.
Is Enabled: Select the check box to enable this sentry. Clear the check box to disable the sentry.
Options: Select the check box if you want this event to be included with other events to create an offense. Use the Address to mark as the target drop-down list box to identify whether you want the destination or source IP address to be used as the target.
Note: This option only appears for a Security/Policy sentry.
Permissions: Specify the users you want to allow access to edit this sentry.
Package: Using the drop-down list box, select the sentry package you want to apply to this sentry. To edit an existing package, click Edit, or to create a new package, click Create New. For more information on sentry packages, see Managing Packages.
QRL: Specifies the details of the current view for this sentry.
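The following is an added example (not STRM's own code) that applies the three emission thresholds from this table (minimum flows, delay between events, maximum events per IP) to a constructed sequence of matching flows, to show which occurrences would produce an event. The class and function names and the sample timestamps are constructed, and the example assumes the per-address flow count keeps accumulating rather than resetting after an event; the manual does not say which.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SentryEmitter:
    """Gate events the way the three threshold parameters above describe.

    Assumption (the manual does not say): the flow count for an address keeps
    accumulating across emitted events rather than resetting after each one.
    """
    min_flows: int            # Minimum number of flows before emitting events
    delay_seconds: float      # Delay between emitting events
    max_events_per_ip: int    # Maximum emitted events per IP
    _flows: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    _emitted: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    _last_emit: Dict[str, float] = field(default_factory=dict)

    def observe(self, ip: str, timestamp: float) -> bool:
        """Record one matching flow for ip; return True if an event should be emitted now."""
        self._flows[ip] += 1
        if self._flows[ip] < self.min_flows:
            return False                       # activity has not occurred often enough yet
        if self._emitted[ip] >= self.max_events_per_ip:
            return False                       # per-address cap already reached
        last = self._last_emit.get(ip)
        if last is not None and timestamp - last < self.delay_seconds:
            return False                       # still inside the delay after the last event
        self._last_emit[ip] = timestamp
        self._emitted[ip] += 1
        return True


def run_sentry(flows, min_flows, delay_seconds, max_events_per_ip) -> List[Tuple[float, str]]:
    """Replay (timestamp, ip) flows in time order and return the events that would be emitted."""
    emitter = SentryEmitter(min_flows, delay_seconds, max_events_per_ip)
    return [(ts, ip) for ts, ip in sorted(flows) if emitter.observe(ip, ts)]


# Constructed sample: one address matching once a second for nine seconds, another only twice.
SAMPLE_FLOWS = [(float(t), "10.0.0.5") for t in range(9)] + [(0.5, "10.0.0.6"), (1.5, "10.0.0.6")]

if __name__ == "__main__":
    for ts, ip in run_sentry(SAMPLE_FLOWS, min_flows=3, delay_seconds=3, max_events_per_ip=2):
        print(f"t={ts:>4}: event for {ip}")
```

With minimum flows 3, delay 3 and maximum 2, the busy address produces its first event on the third flow (t=2), its second three seconds later (t=5), and nothing after that; the address with only two flows never reaches the minimum and produces no event.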
Parameter Description
Name Specify a name for this sentry.
Description Specify a description for this sentry. This description appears as
an annotation in the Offense Manager if this sentry results in an
offense being generated.
Minimum Specify the minimum number intervals this activity must occur
activations before before an alert generates.
alert
Delay between Specify the number of intervals after the first occurrence of this
alerts event, before the next occurrence of this event.
Maximum Specify the maximum number of times you want this event to
responses per generate a response.
events
Is Enabled Select the check box to enable this sentry. Clear the check box to
disable the sentry.
Weight Specify the weight of the object. The range is 1 to 100 and
indicates the importance of the object in the system.
Test as group Select the check box if you want all objects to add together to be
tested. Clear the check box if you want each object to be
evaluated separately.
Parameter Description
Restrictions Select the check box for one or more restrictions you want to
enforce for an active sentry including:
• Date is relevant - Select the check box to indicate that this
sentry must consider the date. When selected, date fields
appear. Enter the relevant dates you want this sentry to
monitor.
• Day of week is relevant - Select the check box to indicate
that this sentry must consider the day of the week. When
selected, day of the week fields appear. Using the drop-down
list boxes, select the relevant days you want this sentry to
consider.
• Time of day is relevant - Select the check box to indicate that
this sentry must consider time of day. When selected, time of
day fields appear. Using the drop-down list box, select the
time of day you want this sentry to consider.
Permissions Specify the users you want to allow access to edit this sentry.
Package Using the drop-down list box, select the sentry package you want
to apply to this sentry. To edit an existing package, click Edit or
to create a new package, click Create New. For more information
on sentry packages, see Managing Packages.
Responses Specify how you want to be notified if this sentry generates an event. The
options are:
• Email
• Log - Sends event information to standard syslog on STRM
Console.
QRL Specifies the details of the current view for this sentry.
Step 7 Edit the variables, as necessary. The list of variables includes all configured values
for this sentry. Only the variables that apply to this sentry appear. When creating a
custom sentry, you can create your own variable.
Table 2-4 Default Variables
Parameter Description
$$Base Specify the weight you want to assign to the current traffic level against
the learned behaviors and the current trend. This variable is for behavioral
sentries. A higher value places more weight on the previously recorded value.
When you configure a sentry, you must enter a value between 0 and 100; however,
when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Trend Specify the weight you want to assign to current traffic trends against
the calculated behavior. This variable is for behavioral sentries. A higher value
places more weight on traffic trends than on the calculated behavior. When you
configure a sentry, you must enter a value between 1 and 100; however, when you
view a sentry, this value appears in decimal format as 0.01 to 1.
$$Season Specify the weight applied to the seasonal component of the behavioral
sentry. This variable is for behavioral sentries. When you configure a sentry,
you must enter a value between 1 and 100; however, when you view a sentry, this
value appears in decimal format as 0.01 to 1.
$$SeasonTime Specify the length of time, in seconds, you want this sentry to
consider a season. A season indicates the cycle of data, which
STRM uses to determine future data flow. This variable is for
behavioral sentries.
$$Scale Specify the alert sensitivity level for this alert. This level indicates
how far outside the predicted value the measured value can be before a violation
generates. A value of zero indicates the measured value cannot be outside the
predicted value; a value of 100 indicates the traffic is more than four times
larger than the predicted value. When you configure a sentry, you must enter a
value between 1 and 100; however, when you view a sentry, this value appears in
decimal format as 0.01 to 1.
$$Counter Specify the layers you want this sentry to consider. This variable
is for all sentry types. The options include: in (bytes in), out (bytes
out), pin (packet in), pount (packet count), hlocal (host local),
hremote (host remote), plocal (packet local), premote (packet
remote), and count. Separate each entry with a colon.
$$AsSet Specify 0 if you want all objects to add together to be tested.
Specify 1 if you want each object to be evaluated separately.
This variable is for all sentry types.
$$Value For each threshold, specify the number that must be exceeded
for this sentry to generate an alert. This variable is for all sentry
types.
$$Percent Specify the percentage change in behavior this view must
experience before the sentry generates an alert. This variable is
for anomaly sentries.
$$SmallWindow Specify an extended period of time you want the system to
monitor flows in your network. This gives the system a basis of comparison
for traffic over an extended period of time. If the large window and small
window values exceed a certain threshold, the sentry generates an alert. This
variable is for anomaly sentries.
$$LargeWindow Specify a period of time you want the system to monitor flows
in your network. This gives the system a basis of comparison for traffic over
a smaller period of time. If the large window and small window values exceed
a certain threshold, the sentry generates an alert. This variable is for
anomaly sentries.
$$Upperbound/Lowerbound For each threshold, specify the number that must be exceeded
for this sentry to generate an alert. This variable is for threshold sentries.
$$AutoLearnTime Specify the time stamp of the time when you want the system to
stop learning. This variable is for threshold sentries.
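As an added example, not code from the guide or from STRM, the following JavaScript models how an anomaly sentry could apply $$LargeWindow, $$SmallWindow and $$Percent to a series of per-interval flow counters. The 60 second interval size, the sample counters and the reading of the two windows as a percent change between their averages are assumptions made for illustration.

```javascript
// Added example, not STRM code. Models an anomaly-sentry check that compares the
// average activity of a recent small window against a longer large window and
// flags a violation when the change is at least $$Percent. Window lengths are in
// seconds, as in the guide; the 60 s interval size is an assumption.
const INTERVAL_SECONDS = 60;

// Average of the last `n` samples (samples are oldest first); 0 when empty.
function windowAverage(samples, n) {
  if (n <= 0 || samples.length === 0) return 0;
  const slice = samples.slice(-n);
  return slice.reduce((sum, v) => sum + v, 0) / slice.length;
}

// vars mirrors the sentry variables: { LargeWindow, SmallWindow, Percent }.
// Returns { violation, changePercent, largeAvg, smallAvg } for one object.
function activityAnomalyTest(samples, vars) {
  const large = Math.max(1, Math.floor(vars.LargeWindow / INTERVAL_SECONDS));
  const small = Math.max(1, Math.floor(vars.SmallWindow / INTERVAL_SECONDS));
  if (small > large) throw new Error('SmallWindow must not exceed LargeWindow');
  if (samples.length < large) {
    // Not enough history to fill the large window: no basis for comparison.
    return { violation: false, changePercent: 0, largeAvg: 0, smallAvg: 0 };
  }
  const largeAvg = windowAverage(samples, large);
  const smallAvg = windowAverage(samples, small);
  if (largeAvg === 0) {
    // No baseline at all: any activity in the small window is a change.
    const violation = smallAvg > 0;
    return { violation, changePercent: violation ? Infinity : 0, largeAvg, smallAvg };
  }
  const changePercent = (Math.abs(smallAvg - largeAvg) / largeAvg) * 100;
  return { violation: changePercent >= vars.Percent, changePercent, largeAvg, smallAvg };
}

// Evaluate every monitored object and return the names that violate.
function anomalyViolations(objects, vars) {
  return Object.keys(objects).filter(
    name => activityAnomalyTest(objects[name], vars).violation
  );
}

// Constructed sample: flows per minute for two objects over the last 10 minutes.
// LargeWindow 600 s = 10 samples, SmallWindow 180 s = 3 samples.
const anomalyVars = { LargeWindow: 600, SmallWindow: 180, Percent: 50 };
const anomalySamples = {
  mailServers: [100, 100, 100, 100, 100, 100, 100, 300, 300, 300], // jumps to 3x
  printers:    [10, 10, 12, 9, 11, 10, 10, 10, 11, 9],             // steady
};
```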
Managing Packages
Sentries contain packages. You can create packages to reuse with multiple
sentries. Using a saved package allows you to apply the same objects to multiple
areas of your network. For example, you can create a package to monitor for
network misuse. You can use the saved package to apply the same objects to all
areas of your network.
You must apply a package to a sentry through the sentry panel. For more
information, see Editing Sentry Details. By default, STRM does apply these
packages. You must apply these packages to the appropriate area of your network.
Parameter Description
Name Specify the name of the sentry package.
Description Specify a description for the sentry package.
Weight Specify the relative importance of this package. This determines
the ranking of the offense that appears in the Offense Manager.
Components In the menu tree, select the components you want this package
to monitor. The added components appear under the Selected
Components column.
Permissions Specify the users you want to be able to use this package.
Categories For each event, you must select a high-level and low-level event
category. From the High-Level Category drop-down list box,
specify the high-level event category. Once you select the
high-level event category, the appropriate low-level event
categories appear.
Using the Low-Level Category, select the low-level event
category you want to apply to this event.
Note: For detailed information on high-level and low-level event
categories, see the Event Category Correlation Reference Guide.
Logic Unit Using the drop-down list box, select the Logic Unit you want to
apply to this sentry. To edit an existing Logic Unit, click Edit or to
create a new Logic Unit, click Create New. For more information
on Logic Units, see Managing Logic Units.
Variable Defaults Specifies the variable default values for this sentry package.
These values are overwritten by variables of the same name in
the sentry.
Managing Logic Units
A Logic Unit determines if a violation has occurred and if an alert needs to be
generated. A Logic Unit contains the algorithm that a sentry uses to monitor your
network for suspicious behavior. You can use Logic Units to create custom
sentries. You must apply a Logic Unit to a package through the package panel. For
more information, see Managing Packages.
Parameter Action
Name Specify a name for this Logic Unit.
Description Specify a description for this Logic Unit.
Step 7 Create your own equation in the Equation field using JavaScript code. The entry
must include the following format:
var testObj = new CustomFunction($$Counter, other_custom_vars);
function test()
{
    return testObj.test();
}
You can use all the functions available with JavaScript functionality as well as
the following functions:
Function Description
thresholdCheck Monitors policy and threshold objects. By default, this function
monitors each object separately. If you want to test objects as a
group, you must add the value set. This function includes:
• components - String of component names from one or more
layers, separated by colons. For example, in:out.
• funcT - Instance of comparison object including above,
greatThanEq, below, lessThanEq, Eq, notEq, and range.
• isTotal - Set this parameter to 0 if you want to test objects
separately. Set this parameter to 1 if you want to test all objects
as a group.
• time - Indicates the time at which to make the comparison. If no time is
supplied, the current time is used.
learnPolicy During the learning period, this function selects only objects that
did not carry traffic. The sentry then generates an alert on
those objects. This function includes:
• components - String of component names from one or more
layers, separated by colons. For example, in:out.
• lockTime - Indicates the time in which you want to stop the
learning process.
activityAnomaly Detects changes in the activity level for selected databases. This
function includes:
• largewindowsize - Specifies the time range for the large
observation window.
• smallwindowsize - Specifies the time range for the small
observation window.
• percentrequired - Specifies the percentage change required
before the sentry generates an alert.
• layer - Specifies the layer you want to monitor.
• type - Specifies whether to test the objects as a group.
• intervalsize - Specifies the interval size, in seconds.
Step 8 Click Share Logic to access the Select Users window. This window allows you to
specify the users with whom you want to share this logic.
Step 9 Click Save.
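As an added example, not code from the guide or from STRM, the following JavaScript models the thresholdCheck behaviour that a custom Logic Unit's test() function calls: comparison objects named after the funcT options above, a colon-separated components string summed per object, and isTotal choosing between testing each object separately and testing the group total. ThresholdCheck, the counter names and the sample objects are assumptions; isTotal follows the thresholdCheck description (1 = test as a group), whereas Table 2-4 describes $$AsSet the other way round, so check which convention your installation applies.

```javascript
// Added example, not STRM code: a stand-in for the thresholdCheck logic that a
// custom Logic Unit's test() entry point would call. The class, the counter
// names and the sample data are assumptions for illustration.

// Comparison objects, named after the funcT options listed in the guide.
// `range` takes [low, high] and is inclusive at both ends.
const comparisons = {
  above:       (v, t) => v > t,
  greatThanEq: (v, t) => v >= t,
  below:       (v, t) => v < t,
  lessThanEq:  (v, t) => v <= t,
  Eq:          (v, t) => v === t,
  notEq:       (v, t) => v !== t,
  range:       (v, t) => v >= t[0] && v <= t[1],
};

// Sum the named counters of one object for a components string such as "in:out".
function componentValue(counters, components) {
  return components.split(':').reduce((sum, name) => {
    if (!(name in counters)) throw new Error('unknown component: ' + name);
    return sum + counters[name];
  }, 0);
}

class ThresholdCheck {
  // components: colon-separated layer names, e.g. "in:out"
  // funcT:      one of the comparison names above
  // threshold:  the $$Value (or [low, high] for range) to compare against
  // isTotal:    0 = test each object separately, 1 = test all objects as a group
  constructor(components, funcT, threshold, isTotal) {
    if (!(funcT in comparisons)) throw new Error('unknown comparison: ' + funcT);
    this.components = components;
    this.compare = comparisons[funcT];
    this.threshold = threshold;
    this.isTotal = isTotal;
  }

  // objects: { objectName: { in: bytes, out: bytes, ... } }
  // Returns the names of the objects that violate the threshold.
  test(objects) {
    const names = Object.keys(objects);
    if (this.isTotal === 1) {
      // Group test: one combined value; every object is reported on violation.
      const total = names.reduce(
        (sum, n) => sum + componentValue(objects[n], this.components), 0);
      return this.compare(total, this.threshold) ? names : [];
    }
    // Separate test: each object is compared on its own.
    return names.filter(
      n => this.compare(componentValue(objects[n], this.components), this.threshold));
  }
}

// Constructed sample: bytes seen for three network objects in one interval.
const sampleCounters = {
  webServers: { in: 4000, out: 9000 },
  dbServers:  { in: 1500, out: 500 },
  printers:   { in: 100,  out: 50 },
};

// The entry point the guide's template expects, wired to the stand-in:
// alert on any object whose in+out bytes exceed 10000 in the interval.
var testObj = new ThresholdCheck('in:out', 'above', 10000, 0);
function test() {
  return testObj.test(sampleCounters);
}
```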
You can display network traffic with many different views. A view represents traffic
activity on your network for a specific profile. The Local Network View has n levels
of depth, specific to your network hierarchy. All views, with the exception of
the Network View, have group levels and leaf object levels. You can also create
Custom Views to display the types of traffic you want to identify, monitor, and be
alerted to when specific flows appear across your network.
Using STRM Views
This section provides information regarding views including:
• About Views
• About Global Views
• Defining Unique Objects
About Views
STRM includes default views that capture and display your network activity.
Each view filters traffic and displays the data from many perspectives. You can use
these default views to display your network activity from various perspectives.
You can configure views with an identifiable color scheme. Each color appearing
on your graph represents the activity taking place on your network. Each color is
also displayed in the dynamic legend beside the graph. You can point your mouse
to the color on the legend to identify the traffic type.
Each view is assigned a weight. Configured for traffic alerting purposes, weight is
the numeric value assigned to a flow property. STRM adds the weight value to the
sentry flow property weight value and assigns a sequence of ranking events. An
alert may be signalled when STRM interprets the combination of the numerical
weight values. For more information on weights, see Chapter 9 Managing
Sentries.
You can create a Custom View to identify more complex traffic patterns. You must
configure Custom Views with equations that identify your network activity and
match the properties built into an equation. You can create Custom Views to:
• Identify protocol misuse from any geographic location.
• Identify traffic from partner sites using applications you have deemed
out-of-policy.
• Create an alternate network hierarchy.
You can also use equations to identify network traffic flows. When traffic flows
match the assigned property-set, STRM identifies and displays the traffic on the
graphs, enabling you to monitor and investigate the activity. An equation is
constructed from the following:
• Objects - Network objects that are currently present on your network. When
choosing an object, you can select the network object, or any one of the leaf
nodes that is associated with the object. The selected object (or leaf node)
becomes part of an equation.
• Elements - Tests of specific flow properties, such as an IP address, protocol,
or byte count. These specify the criteria a traffic flow must match. Traffic
flows matching the assigned criteria are displayed when viewing the Custom View
on the STRM graphs.
About Global Views
You can access Global Views using the Global Views menu option in the Network
Surveillance interface. Configurable Global Views include:
• Local Networks View - Displays traffic by network objects.
• Ports View - Displays traffic originating from identified destination ports.
• Applications View - Displays traffic originating from the application layer by the
client connection and the server connection.
• Remote Networks View - Displays user defined traffic originating from named
remote networks.
• Remote Services View - Displays traffic originating from user defined network
ranges or, if desired, the Juniper Networks automatic update server.
• Collector View - Displays traffic seen by each Flow Collector.
• Protocol - Displays traffic originating from protocol usage.
Note: For more information on default groups and objects, see the STRM Default
Application Configuration Guide.
You can edit several Global Views by adding objects to existing groups or
changing pre-existing properties to suit your environment. STRM does not allow
you to configure Geographic or Protocol Views. Contact Juniper Networks
Customer Support for assistance.
Caution: Do not move an existing object to another group (select a new group
and click Add Group). Although the object name moves from the existing group to
the newly selected group, when the configuration changes are deployed, the object
data stored in the database is lost and the object ceases to function. You must
create a new view and recreate the object in the other group.
Defining Unique Objects
Some groups within views include objects that are unique to specific views. For
example, InverseIsknown is unique to the Ports View. This group captures the
server traffic when displaying the client view, and displays client traffic when
displaying the server view.
Some groups within views, such as superflows, are for informational purposes only
and cannot be edited. However, you can create a Custom View based on an
existing view and configure the Custom View properties to resemble the groups
that cannot be edited. For more information, see Managing Custom Views.
Managing Ports View
Ports Views display traffic originating from identified destination ports. Using the
Ports View, you can view traffic by port. This section provides information on
managing the Ports View including:
• Default Ports Views
• Adding a Ports Object
• Editing a Ports Object
Default Ports Views
Ports View includes the following default groups:
Table 3-1 Ports Views
Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify object name.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
Ports Specify the port number for the object or use the arrows to
change the existing numeric value. Click Add.
Description Specify a description for this object.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.
Parameter Description
Name Specifies the name assigned to the object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the graphs.
Actions Specifies the action available for each group including:
Open object properties window.
Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.
Delete object.
Step 4 From the Manage Group table, or from the tree menu, click the name of the object
you want to edit.
The Properties window appears.
Managing Application Views
Application Views display traffic originating from the application server by the client
connection and the server connection. Using the Application Views, you can view
traffic by application identification. This section provides information on managing
Application Views including:
• Default Application Views
• Adding an Applications Object
• Editing an Applications Object
Sub-Component Description
Chat Specifies traffic originating from chat sources, such as AOL, ICQ, IRC, MISN, and MSN.
ClientServer Specifies traffic originating from a client server such as Meeting Maker, NetIQ, FIX, MATIP, or CVSup.
ContentDelivery Specifies traffic originating from content delivery applications, such as EntryPoint, BackWeb, or Webshots.
DataTransfer Specifies traffic originating from common file/data transfer protocols, such as FTP, Misc-Transfer-Ports, NFS, NNTPNews, TFTP, WindowsFileSharing, WindowsNetworkPorts, and XFER.
DataWarehousing Specifies traffic originating from database applications.
DirectoryServices Specifies traffic originating from directory services, such as WINS, CRS, or RRP.
FilePrint Specifies traffic originating from file print applications, such as a printer or IPP.
Games Specifies traffic originating from game applications, such as Doom, Quake, Half-Life, or Kali.
Healthcare Specifies traffic originating from health care related applications, such as DICOM or HL7.
InnerSystem Specifies traffic originating from the STRM application, such as Common Ports, Flowgen, and UpdateDaemon.
InternetProtocol Specifies traffic originating from Internet protocol related applications, such as ActiveX or SOAP-HTTP.
Known_to_client_or_server When viewing client data, this group captures the server data. When viewing server data, this group captures the client data.
Legacy Specifies traffic originating from legacy applications, such as SNA, LAT, FNA, or SLP.
Mail Specifies all traffic originating from e-mail applications, such as ESMTP, IMAP, MISC-MAIL-Port, POP, POP-Port, SMTP, and SMTP-Port.
Misc Specifies identified miscellaneous application traffic, such as Appletalk-IP, Authentication, DHCP, DNS, DNS-Port, ManagementService, Misc-Ports, MiscApp, Network-Config-Ports, RPC, SNMP-Ports, Syslog, and Time.
Multimedia Specifies traffic originating from multimedia applications, such as WebEx, video frames, or Intellex.
NetworkManagement Specifies traffic originating from network management applications, such as ICMP, SMS, NetFlow, or flow records.
No_Detect_Attempt Specifies traffic that is void of content within a packet.
P2P Specifies traffic originating from Peer-to-Peer (P2P) applications, such as BitTorrent, Blubster, Common P2P Port, DirectConnect, Gnutella, Kazaa, LimeWire, OpenNap, Peerenabler, Piolet, and eDonkey.
Remote Access Specifies traffic originating from applications accessed remotely, such as CitrixICA, PCAnywhere, SSH, SSH Ports, Telnet, Telnet-Port, and VNC.
RoutingProtocols Specifies traffic originating from routing protocols, such as RIP, ICMP, ICP, or AURP.
SecurityProtocol Specifies traffic originating from security protocols, such as SOCKS, L2TP, SWIPE, or DPA.
Streaming Specifies traffic originating from streaming applications, such as MicrosoftMediaServer, StreamingAudio, and WindowsMediaPlayer.
Unknown_apps Specifies pre-defined flows classed as Unknown traffic.
VoIP Specifies traffic originating from Voice over IP (VoIP) applications, such as Skype, I-Phone, SIP, or Clarent-CC.
Web Specifies traffic originating from web applications, such as HTTP, JAVA, SecureWeb, WebFile, WebMedia, and Web Port.
Note: The default views are automatically updated with the Automatic Update
function. For more information regarding automatic updates, see Scheduling
Automatic Updates.
Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
AppsIDs Specify the application ID for the object or use the arrows to
change the existing numeric value. Click Add.
Note: The application ID must be defined in the mapping file before
you add it to this object. For more information on the mapping file,
see the STRM Default Application Configuration Guide.
Description Specify a description for this object.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.
Step 8 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.
Parameter Description
Name Specifies the name assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.
Parameter Description
Name Specifies the group name.
Value Specifies application IDs assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.
Delete object.
Managing Remote Networks View
Remote Networks View displays user traffic originating from named remote
networks. Using the Remote Networks View, you can view traffic by known remote
networks. This section provides information on managing the Remote Networks
View including:
• Default Remote Networks Views
• Adding a Remote Networks Object
• Editing a Remote Networks Object
Parameter Description
BOT Specifies traffic originating from BOT applications.
Bogon Specifies traffic originating from un-assigned IP addresses.
Note: Bogon reference: http://completewhois.com/bogons/
HostileNets Specifies the traffic originating from known hostile networks.
HostileNets has a set of 20 (Rank 1 to 20 inclusive) configurable
CIDR ranges.
Neighbours This group is blank by default. You must configure this group to
classify traffic originating from neighboring networks.
Superflows This group is non-configurable. A superflow is a flow that is an
aggregate of a number of flows that have a similar
pre-determined set of elements.
TrustedNetworks This group is blank by default. You must configure this group to
classify traffic originating from trusted networks.
Note: Groups and objects that include superflows are for informational purposes
only and cannot be edited. Groups and objects that include bogons are configured
by the Automatic Update function.
Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the
existing numeric value. The range is 1 to 100.
IP/CIDR(s) Specify the IP address or CIDR range for the object. Click Add.
Description Specify a description for the object.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.
Parameter Description
Name Specifies the name assigned to the view.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.
Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.
Delete object.
Managing Remote Services Views
Remote Services Views display traffic originating from user defined network
ranges or, if desired, the Juniper Networks automatic update server. Using the
Remote Services Views, you can view remote service providers. This section
provides information on managing the Remote Services Views including:
• Default Remote Services Views
• Adding a Remote Services Object
• Editing a Remote Services Object
Default Remote Services Views
Remote Services view includes the following default groups:
Table 3-13 Remote Services - Manage Group Parameters
Parameter Description
IRC_Servers Specifies traffic originating from addresses commonly known to
produce superflows.
Porn Specifies traffic originating from addresses commonly known to
contain explicit pornographic material.
Proxies Specifies traffic originating from commonly known open proxy
servers.
Reserved_IP_Ranges Specifies traffic originating from reserved IP address ranges.
Spam Specifies traffic originating from addresses commonly known to
produce SPAM or unwanted e-mail.
Spy_Adware Specifies traffic originating from addresses commonly known to
contain spyware or adware.
Superflows Specifies traffic originating from addresses commonly known to
produce superflows.
Warez Specifies traffic originating from addresses commonly known to
contain pirated software.
Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
IP/CIDR(s) Specify the IP address/CIDR range for the object. Click Add.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.
Parameter Description
Name Specifies the name assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.
Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.
Delete object.
Step 9 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.
Managing Collector Views
The Collector Views display traffic seen from the Flow Collector and provide the
AllCollectors group. This group specifies the traffic originating from all Flow
Collectors that reside on your network.
This section provides information on configuring the Flow Collector view including:
• Adding a Flow Collector Object
• Editing a Flow Collector Object
Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
Collector ID Using the drop-down list box, select the Flow Collector you want
to use as the source.
Color Specify a color for this object. Enter the RGB alpha-numeric value
or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.
Parameter Description
Name Specifies the name assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.
Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.
Delete object.
Managing Custom Views
Custom Views uniquely identify specific traffic flows, such as SSH traffic on a
non-standard port, or traffic originating from another country. Each Custom View
object must be configured with an equation, which creates a set of properties that
applies a filter for each network flow.
Custom Views provide you with several advantages. For example, you can use
Custom Views for the following scenarios:
• Define a view to isolate and display traffic relevant to your enterprise.
• Rebuild any default view and configure to suit your enterprise.
• Use a view to remap data in different ways.
• Use a view for an alternate network hierarchy.
• Apply Other traffic in a view for reporting purposes.
• Apply the Boolean Logic to the Equation Editor when creating a view.
• Classification Engine can interpret the view information as RPN.
• Build a Custom View object to detect the following sequence:
- Src (source) sends a Syn (synchronize) packet to a Dst
- Dst (destination) sends back an Ack (acknowledge) packet
- Src (source) sends a Syn-Ack (synchronize-acknowledge) or a Syn-Rst
(synchronize-reset) packet to the Dst (destination)
- The initial packet cannot have an empty payload
About Custom Views
Custom Views include the following default groups:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source
• ASN Destination
• IFIndex In
• IFIndex Out
• QoS
• FlowShape
The objects for the IP Tracking, Threats, Attacker Target Analysis, Target Analysis,
and Policy Violations groups depend on the template chosen during the installation
process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.
STRM detects the ASN and IFIndex values from network flows. When STRM
detects ASN or IFIndex values in a flow, STRM creates a new object in the
respective group. For example, if STRM detects an ASN 238 flow within the source
traffic, the object ASN238 is created in the ASNSource group. However, for STRM
to detect and create objects for ASN and IFIndex values in a flow, you must enable
the respective views. For more information on enabling views, see Enabling and
Disabling Views.
STRM also detects Quality of Service (QoS) values from your network flows. QoS
provides priority for traffic enabling your network to provide various levels of
service for flows. QoS provides the following basic levels of service:
• Best Effort - This level of service does not guarantee delivery. The delivery of
the flow is considered best effort.
• Differentiated Service - Certain flows are granted priority over other flows.
This priority is granted by classification of traffic.
• Guaranteed Service - This level of service guarantees the reservation of
network resources for certain flows.
Parameter Description
Name Specify a name for the new view.
Description Specify a description for the new view.
Step 7 From the Manage Group Window, select the view and click Add Equation.
The Properties window appears.
Parameter Description
Group Using the drop-down list box, select the group to which you want to add
the object. Click Add Group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.
Equation Click Equation Editor to specify your equation for this object.
Step 10 From the Objects box, select the object to which you want to assign an element.
Step 11 From the Elements panel, select an element and enter the parameter values to
configure the element. See Table 3-22.
The element is assigned to the selected object. This creates the first instance on
the Equation Editor.
Step 12 Select another object from the Objects box and assign an associated element.
By default, the objects are joined with the AND operator.
Step 13 Continue selecting the objects and assigning elements until you have completed
your equation. Click Save.
Note: If you want to calculate two values before STRM adds the next consecutive
object, insert brackets around the values. For more information on operators, see
Editing the Operators.
Your equation should resemble the example shown in the Equation Editor window.
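The element types and the bracket rule in the steps above are easier to see in code. The following is an added example, not STRM's own code or equation syntax: it models a few element types (Count with a byte-size unit, Port, Protocol, CIDR) as predicates over a constructed flow record, joins them with AND and OR, and shows that the same elements entered with and without brackets match different flows. The flow field names, the binary K/M/G/T multipliers, and left-to-right evaluation of an unbracketed equation are assumptions.

```python
# Added example, not STRM code: a few Custom View element types modelled as
# predicates over a flow stats record, joined with AND/OR, to show how the
# bracket rule changes what an equation matches. Field names, the binary
# K/M/G/T multipliers and left-to-right evaluation are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Byte-size units offered for the Count element (binary multipliers assumed)
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


@dataclass(frozen=True)
class Flow:
    """One flow stats record for a single interval (constructed sample)."""
    name: str
    src_ip: str
    dst_ip: str
    protocol: int      # IP protocol number, e.g. 6 = TCP
    src_port: int
    dst_port: int
    src_bytes: int
    dst_bytes: int


Predicate = Callable[[Flow], bool]


def compare(actual: int, test: str, value: int) -> bool:
    """The Above / Below / Equals tests offered by the numeric elements."""
    return {"Above": actual > value,
            "Below": actual < value,
            "Equals": actual == value}[test]


def count(obj: str, test: str, value: int, unit: str = "") -> Predicate:
    """Count element, Parameter=Bytes: bytes on the Src, Dst or Total side
    of the record in this interval, compared against value * unit."""
    threshold = value * UNITS[unit]

    def pred(f: Flow) -> bool:
        actual = {"Src": f.src_bytes, "Dst": f.dst_bytes,
                  "Total": f.src_bytes + f.dst_bytes}[obj]
        return compare(actual, test, threshold)
    return pred


def port(obj: str, number: int) -> Predicate:
    """Port element on the Src or Dst side."""
    return lambda f: {"Src": f.src_port, "Dst": f.dst_port}[obj] == number


def protocol(number: int) -> Predicate:
    """Protocol element: takes the protocol number, never its name."""
    return lambda f: f.protocol == number


def cidr(obj: str, network: str) -> Predicate:
    """CIDR element: is the Src or Dst address inside the range?"""
    net = ipaddress.ip_network(network, strict=False)
    return lambda f: ipaddress.ip_address(
        {"Src": f.src_ip, "Dst": f.dst_ip}[obj]) in net


def AND(*preds: Predicate) -> Predicate:
    return lambda f: all(p(f) for p in preds)


def OR(*preds: Predicate) -> Predicate:
    return lambda f: any(p(f) for p in preds)


def matching(equation: Predicate, flows: List[Flow]) -> List[str]:
    """Names of the flows that satisfy the equation."""
    return [f.name for f in flows if equation(f)]


# Constructed sample flows: RFC 1918 inside, documentation ranges outside
FLOWS = [
    Flow("irc-from-inside", "10.1.2.3", "203.0.113.9", 6, 51234, 6667, 40 * 1024, 2048),
    Flow("irc-from-outside", "198.51.100.7", "10.1.2.3", 6, 40000, 6667, 512, 512),
    Flow("web-from-inside", "10.1.2.3", "203.0.113.9", 6, 51235, 443, 30 * 1024 ** 2, 4096),
]

inside = cidr("Src", "10.0.0.0/8")
irc = OR(port("Dst", 6666), port("Dst", 6667))

# CIDR Src 10.0.0.0/8 AND (Port Dst 6666 OR Port Dst 6667) AND Protocol 6
bracketed = AND(inside, irc, protocol(6))

# The same elements without brackets, consumed left to right:
# ((CIDR AND Port Dst 6666) OR Port Dst 6667) AND Protocol 6
unbracketed = AND(OR(AND(inside, port("Dst", 6666)), port("Dst", 6667)), protocol(6))

# Count element with a unit: a local source sending more than 10 M bytes
bulk_upload = AND(inside, count("Src", "Above", 10, "M"))

if __name__ == "__main__":
    for label, eq in [("bracketed", bracketed), ("unbracketed", unbracketed),
                      ("bulk_upload", bulk_upload)]:
        print(label, matching(eq, FLOWS))
```

The unbracketed form lets the flow from the outside address through because the OR absorbs everything to its left; that is the situation the bracket note above is warning about.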
Parameter Description
Count Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (source), Dst (destination), Local, Remote, and Total.
Note: When ports are counted, the number of unique destination ports
is returned.
Parameter Using the drop-down list box, select the parameter you are testing.
Options include: Bytes, Packets, and ContentLength.
Test Using the drop-down list box, select how to test the numeric value.
Options include: Above, Below, and Equals.
Value Enter the numeric value for the parameter you selected: the number of
bytes, the number of packets, or the content length. The value is compared
against a single flow stats record reported in one interval.
For Bytes, using the drop-down list box, select the byte size unit of
measurement. Options include: K (kilobyte), M (megabyte), G (gigabyte), and T
(terabyte). Click Add.
Protocol Element Type
Name Specify the element name.
Protocol Specify the protocol identification number. You must enter the protocol
number and not the name. Click Add.
Note: For a list of default protocol identification numbers, see STRM
Default Application Configuration Guide.
Super Flow Count Element Type
Name Specify the element name.
Unit Using the drop-down list box, select the element unit. Options include:
Hosts and Ports.
Test Using the drop-down list box, select how to test the numeric Super
Flow Count value. Options include: Above, Below, and Equals.
Value Enter the number of hosts or ports. Click Add.
Flow Stat Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Unit Using the drop-down list box, select the element unit. The unit is
specific to the stats record in one interval. Options include:
BytesPacketRatio, PacketArrivalRate, ByteArrivalRate, ByteRatio, and
PacketRatio.
Test Using the drop-down list box, select how to test the numeric Flow Stat
value. Options include: Above, Below, and Equals.
Value Specify the numeric value of unit measurements. Click Add.
Content Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Note: Only the content that is captured is counted.
Value Enter the content string. Click Add.
Flags Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value Enter the character that represents the TCP flag you want to add. STRM
accepts the following:
A, ACK - (Acknowledge) - The acknowledgement number is valid; it carries the
next sequence number the receiver expects from the sender.
S, SYN - (Synchronize) - Agreement on sequence numbers during session setup.
Initial sequence numbers are chosen randomly.
F, FIN - (Finish) - Sender has no more data to send.
R, RST - (Reset) - Instantaneous abort in both directions. This is an
abnormal session disconnection.
P, PSH - (Push) - Forces data delivery without waiting for buffers to fill.
The data is also delivered to the application on the receiving end without
buffering.
U, URG - (Urgent) - The Urgent Pointer field is significant; the flagged data
should be processed as soon as possible.
7 - The seventh bit of the TCP flag field. STRM treats it as an illegal flag
because it plays no part in classic session setup and may be set by crafted
packets. Note that RFC 3168 assigns this bit to ECE (ECN-Echo), so
ECN-capable hosts set it legitimately, for example together with bit 8 on a
SYN.
8 - The eighth bit of the TCP flag field. STRM treats it as an illegal flag
for the same reason. RFC 3168 assigns this bit to CWR (Congestion Window
Reduced).
Click Add.
Note: The order in which you enter the TCP flags is not important; however,
when viewing content capture, STRM displays the flags in the following order:
FSRPAU78
Flow Properties Element Type
Name Specify the element name.
Property Using the drop-down list box, select the flow property. Options include:
• ClassL2L - Traffic between two local objects on your network.
• ClassL2R - Traffic between one local object and one remote object.
• ClassOther - Traffic between hosts not defined in your network.
• SuperFlow - Flow of traffic that is an aggregate of the number of
flows that have a similar predetermined set of elements, such as
protocol, source bytes, source packets, source host, or destination
network. In some cases, other properties may be similar, such as
destination ports, TCP/IP flags, ICMP types, and code; however, the
destination hosts can differ.
• SuperFlowTypeA - SuperFlow identified as one host destined to many
hosts.
• SuperFlowTypeB - SuperFlow identified as many hosts destined to
one host.
• SuperFlowTypeC - SuperFlow identified as one host to one host.
• StealthPorts - Traffic located outside the normal application ports.
• SrcLocal - Traffic originating from a local source.
• DstLocal - Traffic originating from a remote network destined for
your network.
• NoAppDetect - Traffic for which no application was detected, for example
because the payload was too small, or traffic consisting of ICMP
messages.
• UnknownApp - Non-defined application traffic.
• FlowShapeInOnly - Traffic or flows destined in the network (from
the Flowtype View).
• FlowShapeOutOnly - Traffic or flows destined out from the network
(from the Flowtype View).
Click Add.
Port Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value Specify the port number. Click Add.
CIDR Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value Enter the IP address or CIDR range. Click Add.
Application ID Element Type
Name Specify the element name.
Value Specify the application identification number. Click Add.
Collector Element Type
Name Specify the element name.
Property Using the drop-down list box, select the element property. Options
include: CollectorID and CollectorInterface.
Value Specify the user-defined Flow Collector Identification or Collector
Interface name. Click Add.
Date Element Type
Name Specify the element name.
Test Using the drop-down list box, select when to test the value. Options
include: After and Before.
Value Click the Calendar icon and select a date. Click Add. The value default
is the current date.
Time Element Type
Name Specify the element name.
Test Using the drop-down list box, select when to test the value. Options
include: After and Before.
Value Using the drop-down list box, select the hour and minutes. Click Add.
Day Element Type
Name Specify the element name.
Type Using the drop-down list box, select the period. Options include: Week
and Month.
Value Specify the day of the week or the day of the month. Click Add.
Flow Length Element Type
Name Specify the element name.
Test Using the drop-down list box, select how to test the numeric Flow
Length value based on a single flow stat record. Options include:
Above, Below, and Equals.
Value Specify the numeric value for the precise flow length. Click Add.
ICMP Element Type
Name Specify the element name.
Property Using the drop-down list box, select the ICMP Type property. Options
include: Type and Code.
Value Specify the numeric value for the ICMP Type or Code. Click Add.
Note: For a list of STRM default ICMP Types or Codes, see the STRM
Default Application Configuration Guide; or, for a reference on the
current RFC Standards, go to:
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html
Flow Context Property
Name Specify the element name.
Property Using the drop-down list box, select the flow context property.
Options include: PortIsNew, TargetIsSrc, AttackerIsSrc, TargetIsDst,
AttackerIsDst, TargetIsKnownLocal, AttackerIsKnownLocal,
TargetIsLocal, AttackerIsLocal, TargetPort, AttackerPort, BeforeEvent,
and AfterEvent.
Click Add.
Flow Context Target Port
Name Specify the element name.
Port Specify the port number. Click Add.
Interface Index (ifIndex)
Name Specify the element name.
Direction Specifies the direction of the traffic. The options are Input or Output.
Value Specify the numeric value for the ifIndex. Click Add.
Quality of Service
Name Specify the element name.
Side Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, or Remote.
Field Using the drop-down list box, select the Quality of Service (QoS) field
you want to test. Options include: IP_Precedence, Type of Service
(TOS), Differentiated Service Code Point (DSCP), or Explicit
Congestion Notification (ECN).
Test Using the drop-down list box, select how to test the QoS value. Options
include: Above, Below, and Equals.
Value Specify the numeric value for the QoS. Click Add.
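For the Flags element above, the following added example (not STRM code) decodes the flag byte of a raw TCP header, renders it in STRM's display order FSRPAU78, normalises a user-entered flag list so that entry order does not matter, and labels the combinations worth alerting on. The header layout is RFC 793; the combination labels, the helper that builds sample headers, and the sample values are my own.

```python
# Added example, not STRM code: the TCP flag byte as the Flags element sees
# it, in STRM's display order FSRPAU78 (bit 1 = FIN ... bit 8 = CWR).
import struct

STRM_ORDER = "FSRPAU78"
BIT = {ch: 1 << i for i, ch in enumerate(STRM_ORDER)}   # F=0x01, S=0x02, ... 8=0x80
NAMES = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P",
         "ACK": "A", "URG": "U", "ECE": "7", "CWR": "8"}


def flags_from_byte(value: int) -> str:
    """Render the eight flag bits in STRM order, e.g. 0x12 -> 'SA'."""
    return "".join(ch for ch in STRM_ORDER if value & BIT[ch])


def flags_from_tcp_header(header: bytes) -> str:
    """Flags of a raw TCP header (RFC 793): byte 13 holds the flag bits."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return flags_from_byte(header[13])


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with no options (sample input only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def normalize(entered: str) -> str:
    """Accept flags in any order as letters ('SF') or names ('SYN, FIN')
    and return them in STRM order, so 'SF' and 'FS' compare equal."""
    wanted = set()
    for token in entered.replace(",", " ").split():
        token = token.upper()
        if token in NAMES:
            wanted.add(NAMES[token])
            continue
        for ch in token:
            if ch not in BIT:
                raise ValueError(f"unknown TCP flag {ch!r}")
            wanted.add(ch)
    return "".join(ch for ch in STRM_ORDER if ch in wanted)


def contains(flow_flags: str, element_value: str) -> bool:
    """Flags element test: every configured flag is set on the flow."""
    return set(normalize(element_value)) <= set(flow_flags)


def classify(flags: str) -> str:
    """Label the combinations a detection engineer cares about."""
    s = set(flags)
    if not s:
        return "null-scan"       # a segment with no flags is never legitimate
    if {"S", "F"} <= s:
        return "syn-fin"         # SYN and FIN together: the SCAN SYN FIN case
    if {"F", "P", "U"} <= s and not ({"S", "A"} & s):
        return "xmas"            # FIN+PSH+URG without SYN/ACK
    if s == {"S", "7", "8"}:
        return "ecn-syn"         # RFC 3168 ECN negotiation, not a crafted packet
    if {"7", "8"} & s:
        return "ecn"             # ECE/CWR mid-flow: normal for ECN-capable hosts
    return "normal"


if __name__ == "__main__":
    for sample in (0x03, 0x12, 0xC2, 0x29, 0x00):
        f = flags_from_tcp_header(tcp_header(40000, 80, sample))
        print(f"0x{sample:02x} -> {f or '(none)'} : {classify(f)}")
```

The point of the "ecn-syn" and "ecn" labels is the caveat from the Flags table: a Flags element that tests only for bit 7 or bit 8 will also match every ECN-capable host on the network, so pair those bits with the SYN/ACK state you actually consider anomalous.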
Editing the Equation You can change how an equation is calculated in the Drop
Area of the Equation Editor, which lets you drag and drop the elements and
operators of the equation.
Enabling and Disabling Views You can enable or disable views using the
Administration Console. Disabling views saves processing power on large
structured networks. Depending on your current network activity or the type of
traffic you are monitoring, some views may be of more value than others at
specific times.
Step 3 Using the drop-down list box, select one of the following for each view:
Parameter Description
Enabled Using the drop-down list box, select Enabled to enable this view.
This enables the Classification Engine, data collection, data
storage, graphing capabilities, and enables access from the
interface.
Virtual Using the drop-down list box, select Virtual. The
Classification Engine still classifies each flow, but data
collection, data storage, and graphing are disabled and the
view is removed from the interface. Objects in a virtual view
can still be referenced in a Custom View equation, and a
Security/Policy sentry applied to a virtual view still
generates events as necessary.
To enable access from the interface, select Enabled.
Note: Selecting the Virtual mode can save processing power on
your system.
Disabled Using the drop-down list box, select Disabled to disable the view.
This disables the Classification Engine, data collection, data
storage, graphing capabilities, and removes the view from the
interface. To enable access from the interface, select Enabled.
Note: Selecting the Disabled mode can save processing power
on your system.
Step 4 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.
Using Best Practices Given the complexities and network resources required for
STRM in large structured networks, we recommend the following best practices:
• Disable views you do not need to access or display. A disabled view
consumes no Classification Engine cycles, which matters in large structured
networks.
• Bundle objects and use the Network Surveillance interface to analyze your
network data. Fewer objects create less I/O to your disk.
- Bundled flows include bi-directional traffic with single source and destination
hosts and multiple source and destination ports.
- All original flows are sent but marked as a bundle.
- One Flow Bundle record is sent every interval.
- The Classification Engine processes only the bundle, not the individual flows.
• Keep to no more than 200 objects per view on a system that meets the
standard requirements. More objects increase the processing load when you
investigate your traffic.
Rules match events or offenses by performing a series of tests. If all the tests
in a rule are true, the rule generates a response. Using the Offense Manager, you
can configure rules or building blocks. Building blocks are rules without a
response. Possible responses to a rule include:
• Create an offense.
• Generate a response to an external system (syslog or SNMP).
• Send an e-mail.
• Block the incident.
• Raise a system notification on the Dashboard.
The tests in each rule can also reference other building blocks and rules. You do
not need to create rules in any specific order, because the system checks for
dependencies each time a rule is added, edited, or deleted. If you attempt to
delete or disable a rule that is referenced by another rule, a warning appears and
the action is not taken.
A user with non-administrative access can create rules for the areas of the
network to which they have access. You must have the appropriate role access to
manage rules.
The default rules that appear depend on the template chosen during the
installation process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.
Note: If you do not want to view the Welcome to the Custom Rules Wizard window
again, select the Skip this page when running the rules wizard check box.
Parameter Description
Severity Select the check box if you want this rule to set or
adjust severity to the configured level. Once
selected, you can configure the desired level.
Credibility Select the check box if you want this rule to set or
adjust credibility to the configured level. Once
selected, you can configure the desired level.
Relevance Select the check box if you want this rule to set or
adjust relevance to the configured level. Once
selected, you can configure the desired level.
Ensure the detected event is part of an offense Select the check box if you
want the event to be forwarded to the Magistrate component. If no
offense has been created in the Offense Manager, a new offense is
created. If an offense exists, this event is added to it.
If you select the check box, the following options
appear:
• Include detected events from this attacker
from this point forward, for second(s), in the
offense - Select the check box and configure the
number of seconds you want to include detected
events from the attacker in the Offense Manager.
• Perform realtime flow analysis on flows
between the attacker and target for
seconds(s) - Select the check box and configure
the number of seconds you want to perform
realtime flow analysis on flows between the
attacker and this target.
Drop the detected event Select the check box to send an event that would
normally go to the Magistrate component to the Aerial
database instead, for reporting or searching. The event
does not appear in the Offense Manager.
Dispatch New Event Select the check box to dispatch a new event in
addition to the original event, which will be
processed like all other events in the system.
The Dispatch New Event parameters appear when
you select the check box. By default, the check box
is clear.
Event Name Specify the name of the event you want to display in
the Offense Manager.
Event Description Specify a description for the event. The description
appears in the Annotations of the event details.
Offense Naming Select one of the following options:
• This information should contribute to the
name of the associated offense(s) - Select this
option if you want the Event Name information to
contribute to the name of the offense(s).
• This information should set or replace the
name of the associated offense(s) - Select this
option if you want the configured Event Name to
be the name of the offense(s).
• This information should not contribute to the
naming of the associated offense(s) - Select
this option if you do not want the Event Name
information to contribute to the name of the
offense(s).
Severity Specify the severity for the event. The range is 1
(lowest) to 10 (highest) and the default is 1. The
Severity appears in the Annotation of the event
details.
Credibility Specify the credibility of the event. The range is 1
(lowest) to 10 (highest) and the default is 10.
Credibility appears in the Annotation of the event
details.
Relevance Specify the relevance of the event. The range is 1
(lowest) to 10 (highest) and the default is 1.
Relevance appears in the Annotation of the event
details.
High-Level Category Specify the high-level event category you want this
rule to use when processing events.
For more information on event categories, see the
Event Category Correlation Reference Guide.
Low-Level Category Specify the low-level event category you want this
rule to use when processing events.
For more information on event categories, see the
Event Category Correlation Reference Guide.
Ensure the dispatched event is part of an offense Select the check box if you
want the event that this rule dispatches to be forwarded to the
Magistrate component. If no offense has been created in the
Offense Manager, a new offense is created. If an offense
exists, this event is added to it.
If you select the check box, the following option
appears:
Include detected events from this attacker from
this point forward, for second(s), in the offense -
Select the check box and configure the number of
seconds you want to include detected events from
the attacker in the Offense Manager.
Action Name Specify the name of the Resolver Action you want to
deploy for the event.
Action Duration Specify the days, hours, and minutes you want the
Resolver Action to be active. Select the Indefinite
check box if you want the action to remain active
indefinitely.
Allowed Resolution Methods Select the All Resolver Types check box if you
want the event to be resolved by any available Resolver
Type. You can also select the check box(es) of the
individual Resolver Types you want to resolve events.
Blocking Rule Specify the blocking rules you want to apply to this
event. The list contains all blocking options available
for the selected Resolver Type. The possible options
include:
• Source to all
• Source to destination
• Source to destination on detected port
• Destination to all
• Destination to source
• Destination to all on detected port
• All source and destination traffic
Email Select the check box to display the email options. By
default, the check box is clear.
Enter e-mail address to notify Specify the e-mail address(es) to notify when
the event generates. Separate multiple e-mail addresses
using a comma.
SNMP Trap This parameter only appears when the SNMP
Settings parameters are configured in the STRM
System Management window. For more information,
see Chapter 3 Setting Up STRM.
Select the check box to send an SNMP trap.
For an event rule, the SNMP trap output includes
system time, the trap OID, and the notification data,
as defined by the Juniper Networks MIB. For more
information on the Juniper Networks MIB, see
Appendix A Juniper Networks MIB.
For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog Select the check box if you want to log the event. By
default, the check box is clear.
For example, the syslog output may resemble:
Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description
The fields after the rule name are the source IP:port, the
destination IP:port, the IP protocol number (1 for ICMP, 6 for
TCP), the event name, its QID, its category, and the rule's
notes.
Notify Select the check box if you want events that
generate as a result of this rule to appear in the
System Notifications item in the Dashboard.
For more information on the Event Viewer and the
Dashboard, see the STRM Users Guide.
Response Limiter Specify how often you want this rule to respond.
Enable Rule Select the check box to enable this rule. By default,
the check box is selected.
Parameter Description
Name Select the check box to display Name options.
New Offense Name Specify the name you want to assign to the offense.
Offense Annotation Specify the offense annotation you want to appear in
the Offense Manager.
Offense Name Select one of the following options:
• This information should contribute to the
name of the associated offense(s) - Select this
option if you want the Event Name information to
contribute to the name of the offense(s).
• This information should set or replace the
name of the associated offense(s) - Select this
option if you want the configured Event Name to
be the name of the offense(s).
Action Name Specify the name of the Resolver Action you want to
deploy for the event.
Action Duration Specify the days, hours, and minutes you want the
Resolver Action to be active. Select the Indefinite
check box if you want the action to remain active
indefinitely.
Allowed Resolution Methods Select the All Resolver Types check box if you
want the event to be resolved by any available Resolver
Type. You can also select the check box(es) of the
individual Resolver Types you want to resolve events.
Blocking Rule Specify the blocking rules you want to apply to this
event. The list contains all blocking options available
for the selected Resolver Type. The possible options
include:
• Source to all
• Source to destination
• Source to destination on detected port
• Destination to all
• Destination to source
• Destination to all on detected port
• All source and destination traffic
Email Select the check box to display the email options. By
default, the check box is clear.
Enter e-mail address to notify Specify the e-mail address(es) to notify when
the event generates. Separate multiple e-mail addresses
using a comma.
SNMP Trap This parameter only appears when the SNMP
Enabled parameter is enabled in the STRM System
Management window. For more information, see
Chapter 3 Setting Up STRM.
Select the check box to send an SNMP trap.
For an offense rule, the SNMP trap output includes
system time, the trap OID, and the notification data,
as defined by the Juniper Networks MIB. For more
information on the Juniper Networks MIB, see
Appendix A Juniper Networks MIB.
For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog Select the check box if you want to log the offense.
By default, the check box is clear.
For example, the syslog output may resemble:
Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59
Notify Select the check box if you want offenses that
generate as a result of this rule to appear in the
System Notifications item in the Dashboard.
For more information on the Offense Manager and
the Dashboard, see the STRM Users Guide.
Response Limiter Specify how often you want this rule to respond for each
offense that it matches.
Enable Rule Select the check box to enable this rule. By default,
the check box is selected.
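The syslog and SNMP notification strings shown in the two response tables above share one layout for event rules and a shorter one for offense rules. The following added example (not STRM code) parses those strings into typed fields for a downstream collector. The sample lines are the ones quoted in this chapter, joined onto one line each; the field names in the result are my own choice.

```python
# Added example, not STRM code: parsing the rule-response notification
# strings into typed fields. SAMPLES are the lines quoted in this chapter;
# the output field names are my own choice.
import re
from typing import Dict, List, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Event rule. Syslog ends the prefix with "Fired:", the SNMP text with
# "Fired."; everything after that is identical. Notes is free text taken
# from the rule, so it is matched last and greedily.
EVENT_RE = re.compile(
    r"Rule '(?P<rule>.*?)' Fired[:.] "
    rf"(?P<src_ip>{IPV4}):(?P<src_port>\d+) -> "
    rf"(?P<dst_ip>{IPV4}):(?P<dst_port>\d+) (?P<protocol>\d+), "
    r"Event Name: (?P<event_name>.*?), QID: (?P<qid>\d+), "
    r"Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)
# Offense rule: "Offense CRE Rule <name> fired on offense #<id>"
OFFENSE_RE = re.compile(
    r"Offense CRE Rule (?P<rule>.+) fired on offense #(?P<offense_id>\d+)$"
)


def parse_notification(text: str) -> Optional[Dict[str, object]]:
    """Typed fields of one notification, or None if the text is not one."""
    m = EVENT_RE.search(text)
    if m:
        return {
            "kind": "event",
            "rule": m["rule"],
            "src": (m["src_ip"], int(m["src_port"])),
            "dst": (m["dst_ip"], int(m["dst_port"])),
            "protocol": int(m["protocol"]),   # IP protocol number: 1 ICMP, 6 TCP
            "event_name": m["event_name"],
            "qid": int(m["qid"]),
            "category": int(m["category"]),
            "notes": m["notes"],              # free text configured in the rule
        }
    m = OFFENSE_RE.search(text)
    if m:
        return {"kind": "offense", "rule": m["rule"],
                "offense_id": int(m["offense_id"])}
    return None


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of lines, silently skipping anything that is not a
    rule notification (a collector would count those instead)."""
    parsed = (parse_notification(line) for line in lines)
    return [p for p in parsed if p is not None]


# The three notification strings quoted in this chapter, one per line.
SAMPLES = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest "
    "fired on offense #59",
    "Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule "
    "'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP "
    "Destination Unreachable Communication with Destination Host is "
    "Administratively Prohibited, QID: 1000156, Category: 1014, "
    "Notes: Offense description",
]

if __name__ == "__main__":
    for record in parse_all(SAMPLES):
        print(record)
```

Because the rule name, event name and notes are copied verbatim from the rule configuration, treat them as untrusted text in whatever consumes these messages: anchor on the fixed fields (the addresses, protocol number, QID and category) and never build further queries or commands from the free-text fields without escaping them.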
Event Rule Tests This section provides information on the tests you can apply to the rules including:
• Network Property Tests
• Event Property Tests
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
IP/Port Tests
The IP/Port tests include:
Table 4-5 IP / Port Test Group
Function Tests
The function tests include:
Table 4-6 Functions Group
Date/Time Tests
The date and time tests include:
Table 4-8 Date/Time Tests
Device Tests
The device tests include:
Table 4-9 Device Tests
Offense Rule Tests This section provides information on the tests you can apply to the rules including:
• IP/Port Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
• Offense Property Tests
IP/Port Tests
The IP/Port tests include:
Table 4-10 IP/Port Test Group
Function Tests
The function tests include:
Table 4-11 Offense Function Group
Date/Time Tests
The date and time tests include:
Table 4-13 Date/Time Tests
Device Tests
The device tests include:
Table 4-14 Device Tests
Grouping Rules You can group and view your rules and building blocks based on
criteria you choose. Categorizing your rules or building blocks into groups
allows you to view and track them efficiently. For example, you can view all
rules related to compliance. By default, the Rules interface displays all rules
and building blocks.
As you create new rules, you can choose whether to assign the rule to an
existing group. For information on assigning a rule to a group using the Rules
Wizard, see Creating a Rule.
Note: You must have administrative access to create, edit, or delete groups. For
more information on user roles, see Chapter 1 Managing Users.
This section provides information on grouping rules and building blocks including:
• Viewing Groups
• Creating a Group
• Editing a Group
• Copying an Item to Another Group(s)
• Deleting an Item from a Group
• Assigning an Item to a Group
Step 4 From the menu tree, select the group under which you want to create a new group.
Note: Once you create the group, you can drag and drop menu tree items to
change the organization of the tree items.
Step 5 Click New Group.
The Group Properties window appears.
Step 4 From the menu tree, select the group you want to edit.
Step 5 Click Edit.
The Group Properties window appears.
Step 6 Update values for the parameters, as necessary:
• Name - Specify the name you want to assign to the new group. The name may
be up to 255 characters in length.
• Description - Specify a description you want to assign to this group. The
description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the group, click the new group and drag the
folder to the desired location in your menu tree.
Step 9 Close the Groups window.
Copying an Item to Another Group(s) Using the groups functionality, you can copy
a rule or building block to one or many groups. To copy a rule or building block:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 4 From the menu tree, select the rule or building block you want to copy to another
group.
Step 5 Click Copy.
The Choose Group window appears.
Step 6 Select the check box for the group(s) to which you want to copy the rule or building
block.
Step 7 Click Copy.
Step 8 Close the Groups window.
Editing Building Blocks Building blocks allow you to re-use specific rule tests
in other rules. For example, you can save a building block that excludes the IP
addresses of all mail servers in your deployment from the rule.
The default building blocks depend on the template chosen during the installation
process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.
The Server Discovery function uses STRM's Asset Profile database to discover
different server types based on port definitions, then allows you to select which
servers should be added to a server-type building block. This makes the
discovery and tuning process simpler and faster by providing a quick way to
insert servers into building blocks.
The Server Discovery function is based on server-type building blocks. Ports are
used to define the server type so that the server-type building block essentially
functions as a port-based filter when searching the Asset Profile database.
To discover servers:
Step 1 Click the Assets tab.
The Assets window appears.
Step 2 In the navigation menu, click Server Discovery.
The Server Discovery panel appears.
Step 3 From the Server Type drop-down list box, select the server type you want to
discover.
Step 4 Select the option to determine the servers you want to discover including:
• All - Search all servers in your deployment with the currently selected Server
Type.
• Assigned - Search servers in your deployment that have been previously
assigned to the currently selected Server Type.
• Unassigned - Search servers in your deployment that have not been
previously assigned.
Step 5 From the Network drop-down list box, select the network you want to search.
Step 6 Click Discover Servers.
The discovered servers appear.
Step 7 In the Matching Servers table, select the check box(es) of all servers you want to
assign to the server role.
Note: If you want to modify the search criteria, click either Edit Port or Edit
Definition. The Rules Wizard appears. For more information on the rules wizard,
see Chapter 11 Configuring Rules.
Step 8 Click Approve Selected Servers.
STRM allows you to forward received log data to other products. You can forward
syslog data (raw log data) received from devices as well as STRM normalized
event data. You can forward data on a per Event Collector/ Event Processor basis
and you can configure multiple forwarding destinations. Also, STRM ensures that
all data that is forwarded is unaltered.
Note: For assistance with the Juniper Networks MIB, please contact Juniper
Networks Customer Support.
strmLocalHostAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "IP address of the local machine where the
notification originated"
::= { strmTrapInfo 1 }
strmTimeString OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Time offense was created or time the event rule
fired. Example 'Mon Apr 28 10:14:49 GMT 2008'"
::= { strmTrapInfo 2 }
strmTimeInMillis OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Time offense was created or time the event rule
fired in milliseconds"
::= { strmTrapInfo 3 }
---
--- Offense Properties
---
strmOffenseID OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Offense ID"
::= { strmTrapInfo 4 }
strmOffenseDescription OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Description of the Offense"
::= { strmTrapInfo 6 }
strmOffenseLink OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "HTTP link to the offense"
::= { strmTrapInfo 7 }
strmMagnitude OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
::= { strmTrapInfo 15 }
strmTopAttackerIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Attacker IPs"
::= { strmTrapInfo 16 }
strmTop5AttackerUsernames OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
::= { strmTrapInfo 48 }
strmTopAttackerUsername OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..32))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Attacker IPs"
::= { strmTrapInfo 49 }
strmAttackerNetworks OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Attacker Networks(comma separated)"
::= { strmTrapInfo 17 }
---
--- Target Properties
---
strmTargetIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Target IP"
::= { strmTrapInfo 18 }
strmTargetUserName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Target's User Name"
::= { strmTrapInfo 19 }
strmTargetCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Targets"
::= { strmTrapInfo 20 }
strmTop5TargetIPs OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Target IPs by Magnitude"
::= { strmTrapInfo 21 }
strmTopTargetIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Target"
::= { strmTrapInfo 22 }
strmTop5TargetUsernames OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Target Usernames by Magnitude"
::= { strmTrapInfo 50 }
strmTopTargetUsername OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..32))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Target"
::= { strmTrapInfo 51 }
strmTargetNetworks OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Target Networks(comma separated)"
::= { strmTrapInfo 23 }
---
--- Category properties
---
strmCategoryCount OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Categories"
::= { strmTrapInfo 24 }
strmTop5Categories OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Categories(comma separated)"
::= { strmTrapInfo 25 }
strmTopCategory OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Category"
::= { strmTrapInfo 26 }
strmCategoryID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Category ID of Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 27 }
strmCategory OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Category of the Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 28 }
---
--- Annotation Properties
---
strmAnnotationCount OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Annotations"
::= { strmTrapInfo 29 }
strmTopAnnotation OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Annotation"
::= { strmTrapInfo 30 }
---
--- Rule Properties
---
strmRuleCount OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Rules contained in the Offense"
::= { strmTrapInfo 31 }
strmRuleNames OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Names of the Rules that contributed to the
Offense(comma separated)"
::= { strmTrapInfo 32 }
strmRuleID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "ID of the Rule that was triggered in the CRE"
::= { strmTrapInfo 33 }
strmRuleName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..256))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Name of the Rules that was triggered in the CRE"
::= { strmTrapInfo 34 }
strmRuleDescription OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Description/Notes of the Rules that was triggered
in the CRE"
::= { strmTrapInfo 35 }
---
--- Event Properties
---
strmEventCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Events contained in the Offense"
::= { strmTrapInfo 36 }
strmEventID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "ID of the Event that triggered the Event CRE Rule"
::= { strmTrapInfo 37 }
strmQid OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "QID of the Event that triggered the Event CRE Rule"
::= { strmTrapInfo 38 }
strmEventName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..256))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Name of the Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 39 }
strmEventDescription OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Description/Notes of the Event that triggered the
Event CRE Rule"
::= { strmTrapInfo 40 }
---
--- IP Properties
---
strmSourceIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Source IP of the Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 41 }
strmSourcePort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Source Port of the Event that triggered the Event
CRE Rule"
::= { strmTrapInfo 42 }
strmDestinationIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Destination IP of the Event that triggered the
Event CRE Rule"
::= { strmTrapInfo 43 }
strmDestinationPort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Destination Port of the Event that triggered the
Event CRE Rule"
::= { strmTrapInfo 44 }
strmProtocol OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Protocol of the Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 45 }
strmAttackerPort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Source Port of the Event that triggered the Event
CRE Rule"
::= { strmTrapInfo 46 }
strmTargetPort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Destination Port of the Event that triggered the
Event CRE Rule"
::= { strmTrapInfo 47 }
---
--- STRM Trap Notifications
--- .2636.7.0.*
---
strmEventCRENotification NOTIFICATION-TYPE
OBJECTS {
strmLocalHostAddress,
strmTimeString,
strmRuleName,
strmRuleDescription,
strmAttackerIP,
strmAttackerPort,
strmAttackerUserName,
strmAttackerNetworks,
strmTargetIP,
strmTargetPort,
strmTargetUserName,
strmTargetNetworks,
strmProtocol,
strmQid,
strmEventName,
strmEventDescription,
strmCategory
}
STATUS current
DESCRIPTION "Event CRE Notification"
::= { strmTrap 1 }
strmOffenseCRENotification NOTIFICATION-TYPE
OBJECTS {
strmLocalHostAddress,
strmTimeString,
strmRuleName,
strmRuleDescription,
strmOffenseID,
strmOffenseDescription,
strmOffenseLink,
strmMagnitude,
strmSeverity,
strmCreditibility,
strmRelevance,
strmEventCount,
strmCategoryCount,
strmTop5Categories,
strmAttackerIP,
strmAttackerUserName,
strmAttackerNetworks,
strmAttackerCount,
strmTop5AttackerIPs,
strmTargetIP,
strmTargetUserName,
strmTargetNetworks,
strmTargetCount,
strmTop5TargetIPs,
strmRuleCount,
strmRuleNames,
strmAnnotationCount,
strmTopAnnotation.1,
strmTopAnnotation.2,
strmTopAnnotation.3,
strmTopAnnotation.4,
strmTopAnnotation.5
}
STATUS current
DESCRIPTION "Offense CRE Notification"
::= { strmTrap 2 }
END
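As an added example (not part of the guide or of the Juniper MIB), the following Python turns the varbinds of one received STRM trap into a record keyed by the object names defined above, so a SOC pipeline can index on strmRuleName, strmOffenseID and the comma-separated "Top 5" fields. The varbinds are assumed to arrive as (oid, value) pairs from a trap receiver such as an snmptrapd handler; STRM_TRAP_INFO_BASE is a placeholder, because this excerpt gives only the per-object indices and not the base OID of strmTrapInfo. The strmTimeString parser assumes the layout of the MIB's own example ('Mon Apr 28 10:14:49 GMT 2008'). Since SNMPv1/v2c traps carry no authentication, strmOffenseLink is treated as untrusted input and checked against the expected console host before anything renders or follows it.

```python
# Added example: decode the varbinds of a received STRM trap into a record keyed
# by the object names defined above. Not part of the guide or the Juniper MIB.
from __future__ import annotations

from datetime import datetime
from typing import Any
from urllib.parse import urlparse

# PLACEHOLDER: this excerpt gives only the "{ strmTrapInfo N }" indices, not the
# base OID of strmTrapInfo. Take the real prefix from the full Juniper MIB file.
STRM_TRAP_INFO_BASE = "1.3.6.1.4.1.2636.999.1"

# Index -> object name, transcribed from the "::= { strmTrapInfo N }" clauses.
TRAP_INFO_NAMES = {
    1: "strmLocalHostAddress", 2: "strmTimeString", 3: "strmTimeInMillis",
    4: "strmOffenseID", 6: "strmOffenseDescription", 7: "strmOffenseLink",
    16: "strmTopAttackerIP", 17: "strmAttackerNetworks", 18: "strmTargetIP",
    19: "strmTargetUserName", 20: "strmTargetCount", 21: "strmTop5TargetIPs",
    22: "strmTopTargetIP", 23: "strmTargetNetworks", 24: "strmCategoryCount",
    25: "strmTop5Categories", 26: "strmTopCategory", 27: "strmCategoryID",
    28: "strmCategory", 29: "strmAnnotationCount", 30: "strmTopAnnotation",
    31: "strmRuleCount", 32: "strmRuleNames", 33: "strmRuleID",
    34: "strmRuleName", 35: "strmRuleDescription", 36: "strmEventCount",
    37: "strmEventID", 38: "strmQid", 39: "strmEventName",
    40: "strmEventDescription", 41: "strmSourceIP", 42: "strmSourcePort",
    43: "strmDestinationIP", 44: "strmDestinationPort", 45: "strmProtocol",
    46: "strmAttackerPort", 47: "strmTargetPort",
    48: "strmTop5AttackerUsernames", 49: "strmTopAttackerUsername",
    50: "strmTop5TargetUsernames", 51: "strmTopTargetUsername",
}

# Objects whose DESCRIPTION says "(comma separated)" or "Top 5 ..." carry lists.
LIST_VALUED = {
    "strmAttackerNetworks", "strmTargetNetworks", "strmTop5TargetIPs",
    "strmTop5Categories", "strmRuleNames", "strmTop5AttackerUsernames",
    "strmTop5TargetUsernames",
}
# strmOffenseCRENotification sends strmTopAnnotation as instances .1 .. .5.
MULTI_INSTANCE = {"strmTopAnnotation"}


def decode_varbinds(varbinds: list[tuple[str, Any]],
                    base_oid: str = STRM_TRAP_INFO_BASE) -> dict[str, Any]:
    """Map the (oid, value) pairs of one trap to a dict keyed by MIB object name."""
    out: dict[str, Any] = {"unknown": {}}
    prefix = base_oid + "."
    for oid, value in varbinds:
        if not oid.startswith(prefix):
            out["unknown"][oid] = value          # e.g. sysUpTime, snmpTrapOID
            continue
        index = int(oid[len(prefix):].split(".")[0])
        name = TRAP_INFO_NAMES.get(index)
        if name is None:
            out["unknown"][oid] = value          # index not in this excerpt
        elif name in MULTI_INSTANCE:
            out.setdefault(name, []).append(str(value))
        elif name in LIST_VALUED:
            out[name] = [v.strip() for v in str(value).split(",") if v.strip()]
        else:
            out[name] = value
    return out


def parse_time_string(ts: str) -> datetime:
    """Parse strmTimeString in the layout the MIB shows ('Mon Apr 28 10:14:49 GMT 2008').
    Assumption: the zone is always the literal 'GMT', as in that example."""
    return datetime.strptime(ts, "%a %b %d %H:%M:%S GMT %Y")


def offense_link_is_trusted(link: str, console_host: str) -> bool:
    """Accept strmOffenseLink only if it is an http(s) URL on the expected console.
    SNMPv1/v2c traps are unauthenticated, so the link is untrusted until checked."""
    u = urlparse(link)
    return u.scheme in ("http", "https") and u.hostname == console_host


# Constructed sample varbinds (not a real capture), as a trap handler would pass them.
SAMPLE_VARBINDS = [
    (STRM_TRAP_INFO_BASE + ".1", "10.0.0.5"),
    (STRM_TRAP_INFO_BASE + ".2", "Mon Apr 28 10:14:49 GMT 2008"),
    (STRM_TRAP_INFO_BASE + ".4", 1234),
    (STRM_TRAP_INFO_BASE + ".7", "https://strm.example.internal/console/offense/1234"),
    (STRM_TRAP_INFO_BASE + ".32", "Rule A, Rule B"),
    (STRM_TRAP_INFO_BASE + ".30.1", "first annotation"),
    (STRM_TRAP_INFO_BASE + ".30.2", "second annotation"),
    ("1.3.6.1.2.1.1.3.0", 12345),  # sysUpTime, outside strmTrapInfo
]


def decode_sample() -> dict[str, Any]:
    return decode_varbinds(SAMPLE_VARBINDS)


if __name__ == "__main__":
    rec = decode_sample()
    print(rec["strmRuleNames"], parse_time_string(rec["strmTimeString"]).isoformat(),
          offense_link_is_trusted(rec["strmOffenseLink"], "strm.example.internal"))
```

Anything the receiver cannot name lands under "unknown" instead of being dropped, which keeps the decoder honest when a MIB revision adds indices; and note that the DisplayString SIZE limits above (for example 1024 for strmRuleNames) mean long lists can arrive truncated, so a missing trailing name is not proof the rule did not fire.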
Default Sentries

The default sentries for the Enterprise template include:

Table B-1 Default Sentries (Sentry: Description)

Behavior - Flow Count Behavior Change: Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.

Behavior - Host Count Behavior Change: Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.

Behavior - Threat Traffic Packet Rate Behavior Change: Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.

DoS - External - Distributed DoS Attack (High Number of Hosts): Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Distributed DoS Attack (Low Number of Hosts): Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Distributed DoS Attack (Medium Number of Hosts): Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Flood Attack (High): Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.

DoS - External - Flood Attack (Medium): Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - External - Flood Attack (Low): Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - External - Potential ICMP DoS: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - External - Potential TCP DoS: Detects flows that appear to be a TCP DoS attack attempt.

DoS - External - Potential UDP DoS: Detects flows that appear to be a UDP DoS attack attempt.

DoS - External - Potential Unresponsive Service or Distributed DoS: Detects a low number of hosts sending identical, non-responsive packets to a single target.

DoS - Internal - Distributed DoS Attack (High Number of Hosts): Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Low Number of Hosts): Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Medium Number of Hosts): Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Flood Attack (Medium): Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - Internal - Flood Attack (High): Detects flood attacks above 100,000 packets per second. This activity typically indicates a serious attack.

DoS - Internal - Flood Attack (Low): Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - Internal - Potential ICMP DoS: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - Internal - Potential TCP DoS: Detects flows that appear to be a TCP DoS attack attempt.
DoS - Internal - Potential UDP DoS: Detects flows that appear to be a UDP DoS attack attempt.

DoS - Internal - Potential Unresponsive Service or Distributed DoS: Detects a low number of hosts sending identical, non-responsive packets to a single target.

Policy - External - Large Outbound File Transfer: Detects a possible information leak.

Local Host Count Change: Detects scanning activity or a worm infection.

Malware - External - Client Based DNS Activity to the Internet: Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a botnet connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.

Malware - External Communication with BOT Control Channel: Detects communication with an IP address that was a control channel for a BOTNET. The local machine may be infected with a bot and should be investigated.

Policy - External - Clear Text Application Usage: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - External - Hidden FTP Server: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - Internal - Clear Text Application Usage: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - Internal - Hidden FTP Server: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - External - IM/Chat: Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - External - IRC Connections: Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - Local P2P Server Detected: Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Policy - External - Long Duration Flow Detected: Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3,600 seconds, which means that an event generates 3,600 seconds after the first instance of the event.

Policy - External - P2P Communications Detected: Detects Peer-to-Peer (P2P) communications.

Policy - External - Possible Tunneling: Detects possible tunneling, which can indicate a bypass of policy or an infected system.

Policy - External - Remote Desktop Access from the Internet: Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.

Policy - External - SMTP Mail Sender: Detects an internal host sending a large number of SMTP flows from the same source to the Internet in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Policy - External - SSH or Telnet Detected on Non-Standard Ports: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Policy - Internal - SSH or Telnet Detected on Non-Standard Ports: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Policy - External - Usenet Usage: Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

Policy - External - VNC Access From the Internet to a Local Host: Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.
Recon - External - ICMP Scan (High): Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - External - ICMP Scan (Low): Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - ICMP Scan (Medium): Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Recon - External - Potential Network Scan: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Recon - External - Scanning Activity (High): Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Recon - External - Scanning Activity (Low): Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - Scanning Activity (Medium): Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Recon - Internal - ICMP Scan (High): Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - Internal - ICMP Scan (Low): Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - ICMP Scan (Medium): Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Recon - Internal - Potential Network Scan: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Recon - Internal - Scanning Activity (High): Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Recon - Internal - Scanning Activity (Low): Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - Scanning Activity (Medium): Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Suspicious - Internal - Outbound Unidirectional Flows Threshold: Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Suspicious - External - Outbound Unidirectional Flows Threshold: Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes. By default, this activity must occur 5 times before an alert generates.

Suspicious - External - Inbound Unidirectional Flows Threshold: Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Suspicious - External - Anomalous ICMP Flows: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - External - Invalid TCP Flag usage: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - External - Port 0 Flows Detected: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - External - Rejected Communication Attempts: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - External - Unidirectional ICMP Detected: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - External - Unidirectional ICMP Responses Detected: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Unidirectional TCP Flows: Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.

Suspicious - External - Unidirectional UDP or Misc Flows: Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Suspicious - External - Suspicious IRC Traffic: Detects suspicious IRC traffic.

Suspicious - Internal - Anomalous ICMP Flows: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - Internal - Invalid TCP Flag usage: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - Internal - Port 0 Flows Detected: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - Internal - Rejected Communication Attempts: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - Internal - Unidirectional ICMP Detected: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - Internal - Unidirectional ICMP Responses Detected: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Unidirectional TCP Flows: Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.

Suspicious - Internal - Unidirectional UDP or Misc Flows: Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
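As an added example (not STRM code and not from the guide), the following Python expresses the logic of four of the sentries in Table B-1 over constructed flow records: the Flood Attack tiers (100,000 / 5,000 / 500 packets per second on unanswered traffic, the same tiers the Threats view's Inbound_Flood_NoResponse objects use), the Hidden FTP Server and SSH or Telnet on Non-Standard Ports checks (default ports 21, 22 and 23), Port 0 Flows Detected, and Rejected Communication Attempts with its default minimum of 15 flows. The Flow fields (app, responded, payload_bytes) are assumed names for illustration, not STRM's flow schema, and the sample flows are constructed, not captured.

```python
# Added example: the logic of several Table B-1 sentries over constructed flow
# records. Not STRM code; the Flow fields are assumed names, not STRM's schema.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Thresholds transcribed from Table B-1: packets per second for the Flood Attack
# (High/Medium/Low) sentries, and the default minimum flow count for
# Rejected Communication Attempts.
FLOOD_TIERS = [(100_000, "High"), (5_000, "Medium"), (500, "Low")]
REJECTED_MIN_FLOWS = 15
# Default server ports named by the Hidden FTP Server and SSH/Telnet sentries.
EXPECTED_PORTS = {"FTP": {21}, "SSH": {22}, "Telnet": {23}}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    app: str            # application label from the flow source (assumed field)
    packets: int        # packets sent by src
    duration_s: float
    responded: bool     # did dst send anything back?
    payload_bytes: int  # payload carried in dst's replies


def flood_tier(flow: Flow) -> str | None:
    """Flood Attack (High/Medium/Low): unanswered traffic above a pps threshold."""
    if flow.responded or flow.duration_s <= 0:
        return None
    pps = flow.packets / flow.duration_s
    for threshold, tier in FLOOD_TIERS:   # highest tier first
        if pps > threshold:
            return tier
    return None


def hidden_service(flow: Flow) -> str | None:
    """Hidden FTP Server / SSH or Telnet Detected on Non-Standard Ports."""
    expected = EXPECTED_PORTS.get(flow.app)
    if expected is not None and flow.dst_port not in expected:
        return f"{flow.app} on non-standard port {flow.dst_port}"
    return None


def port_zero(flow: Flow) -> bool:
    """Port 0 Flows Detected."""
    return flow.src_port == 0 or flow.dst_port == 0


def rejected_attempt(flow: Flow) -> bool:
    """One Rejected Communication Attempt: the peer answered with no payload
    (a refusal or an empty reply)."""
    return flow.responded and flow.payload_bytes == 0


def evaluate(flows: list[Flow]) -> dict[str, list[str]]:
    """Run the sentries over a batch of flows; returns sentry name -> details."""
    alerts: dict[str, list[str]] = {}
    rejected_by_src: Counter[str] = Counter()
    for f in flows:
        tier = flood_tier(f)
        if tier:
            alerts.setdefault(f"Flood Attack ({tier})", []).append(f"{f.src} -> {f.dst}")
        svc = hidden_service(f)
        if svc:
            alerts.setdefault("Hidden service on non-standard port", []).append(f"{f.dst}: {svc}")
        if port_zero(f):
            alerts.setdefault("Port 0 Flows Detected", []).append(f"{f.src} -> {f.dst}")
        if rejected_attempt(f):
            rejected_by_src[f.src] += 1
    # The per-source count only becomes an event at the default minimum of 15 flows.
    for src, n in sorted(rejected_by_src.items()):
        if n >= REJECTED_MIN_FLOWS:
            alerts.setdefault("Rejected Communication Attempts", []).append(f"{src} ({n} flows)")
    return alerts


# Constructed sample flows (not a capture).
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "10.0.0.20", 40000, 80, "HTTP", 600_000, 5.0, False, 0),   # 120,000 pps
    Flow("203.0.113.10", "10.0.0.20", 40001, 80, "HTTP", 30_000, 5.0, False, 0),   # 6,000 pps
    Flow("10.0.0.7", "10.0.0.33", 51000, 2121, "FTP", 40, 10.0, True, 1200),
    Flow("10.0.0.9", "10.0.0.40", 52000, 22, "SSH", 500, 60.0, True, 90_000),       # benign
    Flow("10.0.0.8", "10.0.0.34", 0, 53, "DNS", 2, 1.0, True, 100),
] + [
    Flow("10.0.0.50", f"10.0.0.{100 + i}", 45000 + i, 445, "SMB", 3, 1.0, True, 0)
    for i in range(REJECTED_MIN_FLOWS)
]


if __name__ == "__main__":
    for name, details in evaluate(SAMPLE_FLOWS).items():
        print(name, details)
```

The hidden-service check keys on the application label rather than the port, which is the whole point of those sentries: a flow classified as FTP by its content but bound for port 2121 is what the table calls an exploited host, while FTP on 21 stays silent. The rejected-attempt counter shows why the "minimum number of times" defaults matter: a single refused connection is noise, and only the fifteenth from the same source crosses the sentry's line.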
Default Custom Views

This section provides the default custom views for the Enterprise template, including:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group
IP Tracking Group

Pre-configured groups that specify traffic flows from your local and remote IP addresses, including:

Table B-2 Custom Views - IP Tracking View (IP Tracking Group: Group Objects)

Locals: Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.

Remotes: Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.
Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps, including:

Table B-3 Custom Views - Threats View (Group: Objects)

Exceptions: This group includes:
• Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.
DoS: The Denial of Service (DoS) group includes:
• Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
• Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
• Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
• Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
• Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
• Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.
Scanning: This scanning group includes:
• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
• ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
• Scan_High - Defines a scan of more than 100,000 hosts per minute.
• Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
• Scan_Low - Defines a scan of more than 500 hosts per minute.
• Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.

PortScans: This PortScans group includes:
• Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
• UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.
Suspicious_IP_Protocol_Usage This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal
TCP flag combinations. This may indicate malicious activity,
such as port scanning or operating system detection.
• Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet that use ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
• TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. Port 0 is reserved by the Internet RFCs and does not appear in legitimate traffic, so such flows should be considered malicious.
• Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate applications failing to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
• Unidirectional_ICMP_Reply - Detects unidirectional ICMP
replies or unreachable flows. This may be expected network
behavior, however, an excessive quantity may indicate that a
host is scanning the network attempting to enumerate hosts.
• Unidirectional_ICMP_Flows - Detects unidirectional ICMP
flows. This may be expected network behavior, however, an
excessive quantity of these flows from a single source may
indicate a host scanning the network attempting to enumerate
hosts.
• Unidirectional_UDP_And_Misc_Flows - Detects
unidirectional UDP (or other flows not including TCP or ICMP)
flows. This may be expected network behavior, however, an
excessive quantity should be considered suspicious.
• Zero_Payload_Bidirectional_Flows - Detects flows that contain little, if any, payload. This may be the result of scans where the target responds with reset packets.
• Long_Duration_Flow - Detects a flow communicating to or
from the Internet with a sustained duration of more than 48
hours. This is not typical behavior for most applications. We
recommend that you investigate the host for potential malware
infections.
• Large_DNS_Packets - Detects UDP DNS packets that are
larger than 1K in size.
• Large_ICMP_Packets - Detects ICMP packets that are larger
than 1K in size.
Remote_Access_Violation This group includes:
• Hidden_Telnet_SSH - Detects flows where the application
type is Telnet or SSH but the destination server port is not one
of the common ports for this application. This may indicate that
a system has been altered to provide a backdoor for
unauthorized access.
• Hidden_FTP - Detects flows to a local host where the
application type is FTP but the destination server port is not
one of the common ports of this application. This may indicate
that the server is hosting illegal data, such as pirated
applications or other media.
• Remote_Desktop_Access_From_Internet - Detects Remote
Desktop Protocol (RDP) access to the local network from the
Internet. If you want to allow this activity on your network,
delete this view. Otherwise, you should consider this activity
suspicious and we recommend investigating the accessed
server.
• VNC_Activity_From_Internet - Detects Virtual Network
Computing (VNC) access to the local network from the
Internet. If you want to allow this activity on your network,
delete this view. Otherwise, you should consider this activity
suspicious and we recommend investigating the accessed
server.
Suspicious_IRC Detects suspicious IRC activity.
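The views above reduce to a small set of per-flow and per-source checks: port 0, illegal TCP flag combinations, unidirectional flows, long-lived flows crossing the Internet boundary, oversized DNS, no-response floods rated in packets per second, and hosts-contacted-per-minute sweeps. The following Python is an added example, not STRM code and not an STRM export format: it runs those checks over constructed flow records so the thresholds can be seen firing. Everything not stated on the page is an assumption and is marked as such in the code: the Flow field names, the "10.0." prefix standing in for the local network, the particular flag combinations treated as illegal (the page does not enumerate them), the same 100,000 / 5,000 / 500 tiers applied to both flood directions and to hosts per minute, and "packets larger than 1K" approximated from a flow's average bytes per packet.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow record for this example; field names are assumptions, not an STRM export format.
@dataclass(frozen=True)
class Flow:
    start: float      # epoch seconds when the flow was first seen
    duration: float   # seconds
    src: str
    dst: str
    proto: str        # "tcp" | "udp" | "icmp"
    sport: int
    dport: int
    pkts_out: int     # packets src -> dst
    pkts_in: int      # packets dst -> src; 0 means the flow is unidirectional
    bytes_out: int
    flags: str = ""   # TCP flags seen from src, e.g. "S", "SA", "SF"

LOCAL_PREFIX = "10.0."   # assumption: what "local" means for this example
# High / Medium / Low tiers as used by the Flood_NoResponse_* and Multihost_Attack_* views
RATE_TIERS = (("High", 100_000), ("Medium", 5_000), ("Low", 500))
# Assumption: SYN+FIN, SYN+RST, NULL (no flags) and XMAS (FIN+PSH+URG) count as illegal combinations
ILLEGAL_FLAG_SETS = (set("SF"), set("SR"), set(), set("FPU"))

def is_local(ip):
    return ip.startswith(LOCAL_PREFIX)

def tier(value):
    """Return the highest tier whose threshold the value exceeds, or None."""
    for name, threshold in RATE_TIERS:
        if value > threshold:
            return name
    return None

def per_flow_findings(f):
    """Single-flow checks from the Suspicious_IP_Protocol_Usage group."""
    found = []
    if f.sport == 0 or f.dport == 0:
        found.append("TCP_UDP_Port_0")
    if f.proto == "tcp" and set(f.flags) in ILLEGAL_FLAG_SETS:
        found.append("Illegal_TCP_Flag_Combination")
    if f.pkts_in == 0:
        found.append({"tcp": "Unidirectional_TCP_Flows",
                      "icmp": "Unidirectional_ICMP_Flows"}.get(f.proto, "Unidirectional_UDP_And_Misc_Flows"))
    if f.duration > 48 * 3600 and is_local(f.src) != is_local(f.dst):
        found.append("Long_Duration_Flow")
    # Flow records carry totals, so "packets larger than 1K" is approximated by average bytes per packet
    if f.proto == "udp" and 53 in (f.sport, f.dport) and f.bytes_out / max(f.pkts_out, 1) > 1024:
        found.append("Large_DNS_Packets")
    return found

def flood_findings(flows):
    """Per-source packet rate of flows that never got a reply (Inbound/Outbound_Flood_NoResponse_*)."""
    stats = defaultdict(lambda: [0, float("inf"), 0.0])   # src -> [packets, first start, last end]
    for f in flows:
        if f.pkts_in == 0:
            s = stats[f.src]
            s[0] += f.pkts_out
            s[1] = min(s[1], f.start)
            s[2] = max(s[2], f.start + f.duration)
    out = {}
    for src, (pkts, first, last) in stats.items():
        t = tier(pkts / max(last - first, 1.0))   # packets per second over the observed span
        if t:
            out[src] = f"{'Outbound' if is_local(src) else 'Inbound'}_Flood_NoResponse_{t}"
    return out

def scan_findings(flows):
    """Unique destinations per source per minute (Multihost_Attack_* / Scan_*)."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src, int(f.start // 60))].add(f.dst)
    out = {}
    for (src, _minute), dsts in targets.items():
        t = tier(len(dsts))
        if t:
            out[src] = f"Multihost_Attack_{t}"
    return out

# Constructed sample: one benign SSH session, a port-0 probe, a SYN+FIN probe, a 50-hour session,
# oversized DNS, a 12,000-packet SYN flood over about 1.2 s and a 600-host sweep inside one minute.
SAMPLE = [
    Flow(0.0, 1.0, "10.0.0.5", "198.51.100.7", "tcp", 40000, 22, 12, 10, 3000, "SA"),
    Flow(0.0, 0.1, "203.0.113.9", "10.0.0.8", "tcp", 0, 80, 1, 0, 60, "S"),
    Flow(0.0, 0.1, "203.0.113.9", "10.0.0.8", "tcp", 4444, 80, 1, 0, 60, "SF"),
    Flow(0.0, 50 * 3600, "10.0.0.21", "192.0.2.44", "tcp", 50000, 443, 9000, 9000, 1_000_000, "SA"),
    Flow(0.0, 0.5, "10.0.0.22", "192.0.2.53", "udp", 33000, 53, 2, 2, 3000),
]
SAMPLE += [Flow(i * 0.0001, 0.0001, "203.0.113.50", "10.0.0.8", "tcp", 1024 + i, 80, 1, 0, 60, "S")
           for i in range(12_000)]
SAMPLE += [Flow(10 + i * 0.05, 0.01, "10.0.0.30", f"10.0.{1 + i // 250}.{1 + i % 250}", "tcp", 50000, 445, 1, 0, 60, "S")
           for i in range(600)]

if __name__ == "__main__":
    for f in SAMPLE[:5]:
        print(f.src, "->", f.dst, per_flow_findings(f))
    print(flood_findings(SAMPLE))   # {'203.0.113.50': 'Inbound_Flood_NoResponse_Medium'}
    print(scan_findings(SAMPLE))    # {'10.0.0.30': 'Multihost_Attack_Low'}
```

The flood and sweep checks deliberately key on different things: the flood counts packets that drew no reply, so a single busy target still rates the source, while the sweep counts distinct destinations regardless of reply, which is why the 600-host sweep is reported as a scan but not as a flood.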
Attacker Target Analysis Group Pre-configured groups that specify traffic flows from attackers, responses, and events including:
Table B-4 Custom Views - AttackerTargetAnalysis
Group Objects
AttackResponseAnalysis This group includes:
• Target_Did_Not_Respond - The network flow that appears to
have carried the attack event that triggered this analysis
indicates that the target host did not respond to the attack.
• Target_Responded - The network flow analysis indicates a
target responded to the event from the attacker, and therefore
increases the likelihood the attacker was successful.
PeripheralCommsAnalysis This group includes:
• Activity_Before_Event - The network flow analysis indicates
a target and attacker were communicating prior to the event
that generated this analysis. This can indicate a false positive,
or that this attacker is concentrating on breaking this host.
Many typical attacks fire an exploit at the target with little or no
prior host investigation.
• Activity_After_Event - The network flow analysis indicates a
target and attacker were communicating after the event that
triggered this analysis. This can indicate a false positive if the
attacker/target were also seen communicating before the
event, and the device emitting these events has a high false
positive rate. Conversely, if this is a serious event and the
device is credible, it can indicate a successful attack has
occurred.
• Target_Initiating_Comms_To_Attacker - The network flow
analysis indicates a target was seen initiating connections
back to the attacker before or after the event. This may
indicate that the attacker has successfully forced the target to
communicate with the attacker, bypassing firewall rules.
Target Analysis Group Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays including:
Table B-5 Custom Views - TargetAnalysis
Group Objects
BotNetAnalysis BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC bot on the target that connects to an IRC channel controlled by the attacker and waits there for further instructions. Large numbers of such exploited machines form a botnet and can be used by the attacker to coordinate large-scale Distributed Denial of Service (DDoS) attacks.
MalwareAnalysis Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). Because this behavior is seen in the presence of security events aimed at this host, it is possible the attacker has infected the target with a worm or other hostile malware that is attempting to spread from this host.
PeripheralCommsAnalysis This group includes:
• Service_Unresponsive_After_Attack - The network flow
analysis indicates that the service on the target that was
attacked is unresponsive to other hosts on the network. This
may indicate that the attack has intentionally, or inadvertently
stopped the service running on this host.
• Spam_Relay_Possible - The network flow analysis indicates
that a target is accepting and servicing SMTP mail server
connections. Given this activity is occurring in the presence of
security events targeting this host, it is possible the attacker
has installed an SMTP server to operate as a spam relay. If
this target is a mail server, this behavior is to be expected.
• Outbound_Mail_Relay_Possible - The network flow analysis
indicates that a target is sending mail to SMTP servers on the
Internet. Given this activity is occurring in the presence of a
security event targeting this host, it is possible the attacker has
installed mass mailing malware on the target. This behavior is
also to be expected if the target is a known mail server.
Policy Violations Group Pre-configured groups that specify traffic flows covered by your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies including:
Table B-6 Custom Views - PolicyViolations
Group Objects
Mail_Policy_Violation This group includes:
• Outbound_Mail_Sender - Detects flows sent from local hosts
to the Internet on port 25 (SMTP) or detected with the SMTP
application signature. This may indicate hosts violating
network mail policy, or that a host is infected with a mass
mailing agent. We recommend updating this equation to not
include network mail servers.
• Remote_Connection_to_Internal_Mail_Server - Detects
bidirectional flows inbound into the local network on port 25
(SMTP). This indicates communication with a local SMTP
server. Additionally, such servers may be the result of an
infected host, which is inadvertently running a SPAM relay.
We recommend updating this equation to not include network
mail servers.
IRC_IM_Policy_Violation This group includes:
• IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on common IRC ports or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
• IM_Communications - Detects bidirectional flows from client
hosts on the network indicating the use of common Instant
Messaging clients (IM), such as MSN.
Remote_Access_Policy_Violation Remote_Access_Shell - Detects bidirectional flows where remote hosts connect to local remote access servers. Any of the following access technologies is detected: Citrix, PCAnywhere, SSH, Telnet, or VNC.
P2P_Policy_Violation This group includes:
• Local_P2P__Server - Detects flows indicating a P2P server is
operating on the local network. This can be in violation of local
network policy.
• Local_P2P_Client - Detects flows indicating a P2P client is
operating on the local network. This can be in violation of local
network policy.
Application_Policy_Violation This group includes:
• NNTP_to_Internet - Detects flows indicating an NNTP news
client is operating on the local network. This may be in
violation of local network policy.
• Unknown_Local_Service - Detects an active service on a
local host.
Compliance_Policy_Violations This group includes:
• Clear_Text_Application_Usage - Detects flows where the application type is one that sends passwords in clear text. The applications included in this view are Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.
• Large_Outbound_Transfer - Detects large outbound file
transfers.
ASN Source Group STRM detects the ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.
ASN Destination Group STRM detects the ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.
IFIndexIn Group STRM detects the IFIndex values from network flows. When STRM detects
IFIndex values in a flow, STRM creates a new object in the respective group.
IFIndexOut Group STRM detects the IFIndex values from network flows. When STRM detects
IFIndex values in a flow, STRM creates a new object in the respective group.
Rule | Rule Group | Type | Enabled | Description
Default-Response-E-mail: Offense E-mail Sender | Response | Offense | False | Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.
Default-Response-Syslog: Offense SYSLOG Sender | Response | Offense | False | Reports any offense matching the severity, credibility, or relevance minimum to syslog.
Default-Rule-Anomaly: Devices with High Event Rates | Anomaly | Event | False | Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices will be monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.
Default-Rule-Anomaly: DMZ Jumping | Anomaly | Event | False | Reports when connections are bridged across your network's Demilitarized Zone (DMZ).
Default-Rule-Anomaly: DMZ Reverse Tunnel | Anomaly | Event | False | Reports when connections are bridged across your network's DMZ through a reverse tunnel.
Default-Rule-Anomaly: Excessive Database Connections | Anomaly | Event | True | Reports an excessive number of successful database connections.
Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts | Anomaly | Event | False | Reports excessive firewall accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.
Default-Rule-Anomaly: Excessive Firewall Denies from Single Source | Anomaly | Event | True | Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.
Default-Rule-Anomaly: Long Duration Flow | Anomaly | Event | True | Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
Default-Rule-Anomaly: Potential Honeypot Access | Anomaly | Event | False | Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.
Default-Rule-Anomaly: Rate Analysis Marked Events | Anomaly | Event | False | Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.
Default-Rule-Anomaly: Remote Access from Foreign Country | Anomaly | Event | False | Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.
Default-Rule-Anomaly: Single IP with Multiple MAC Addresses | Anomaly | Event | False | Reports when the MAC address of a single IP address changes multiple times over a period of time.
Default-Rule-Authentication: Login Failure to Disabled Account | Authentication | Event | True | Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.
Default-Rule-Authentication: Login Failure to Expired Account | Authentication | Event | True | Reports a host login failure message from a known expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.
Default-Rule-Authentication: Login Failures Across Multiple Hosts | Authentication | Event | True | Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.
Default-Rule-Authentication: Login Failures Followed By Success | Authentication | Event | True | Reports multiple login failures to a single host, followed by a successful login to the host.
Default-Rule-Authentication: Login Successful After Scan Attempt | Authentication, Compliance | Event | True | Reports a successful login to a host after reconnaissance has been performed against this network.
Default-Rule-Authentication: Multiple VoIP Login Failures | Authentication | Event | True | Reports multiple login failures to a VoIP PBX.
Default-Rule-Authentication: Repeated Login Failures, Single Host | Authentication | Event | True | Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.
Default-Rule-Botnet: Potential Botnet Connection (DNS) | Botnet, Exploit | Event | False | Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.
Default-Rule-Botnet: Potential Botnet Connection (IRC) | Botnet | Event | True | Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code.
Default-Rule-Botnet: Potential Botnet Events Become Offenses | Botnet | Event | True | Reports exploit events. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Category Definitions: Access Denied | Category Definition | Event | True | Reports events in the different Access Denied categories.
Default-Rule-Category Definitions: Session Closed | Category Definition, Malware | Event | True | Reports all Session Closed events by category.
Default-Rule-Category Definitions: Session Opened | Category Definition, Malware | Event | True | Reports all Session Opened events by category.
Default-Rule-Category Definitions: Virus Detected | Category Definition, Malware | Event | True | Reports all virus detection events.
Default-Rule-Category Definitions: VPN Access Denied | Category Definition | Event | True | Reports VPN events that are considered Denied Access events.
Default-Rule-Category Definitions: Database Access Denied | Category Definition | Event | True | Reports database events that indicate denied access activities.
Default-Rule-Category Definitions: Database Access Permitted | Category Definition | Event | True | Reports database events that indicate permitted access.
Default-Rule-Category Definitions: System Errors and Failures | Category Definition | Event | True | Detects events that may indicate a system error or failure.
Default-Rule-Category Definitions: VPN Access Accepted | Category Definition | Event | True | Reports VPN events that indicate permitted access.
Default-Rule-Compliance: Compliance Events Become Offenses | Compliance | Event | False | Reports compliance-based events, such as clear text passwords.
Default-Rule-Compliance: Excessive Failed Logins to Compliance IS | Compliance | Event | False | Reports excessive authentication failures to a compliance server within 10 minutes.
Default-Rule-Database: Attempted Configuration Modification by a remote host | Compliance, Database | Event | True | Reports when a configuration modification is attempted on a database server from a remote network.
Default-Rule-Database: Concurrent Logins from Multiple Locations | Compliance, Database | Event | True | Reports when several authentications to a database server occur across many remote IP addresses.
Default-Rule-Database: Failures Followed by User Changes | Compliance, Database | Event | True | Reports when there are failures followed by the addition or change of a user account.
Default-Rule-Database: Groups changed from Remote Host | Compliance, Database | Event | True | Monitors changes to groups on a database when the change is initiated from a remote network.
Default-Rule-Database: Multiple Database Failures Followed by Success | Compliance, Database | Event | True | Reports when there are multiple database failures followed by a success within a short period of time.
Default-Rule-Database: Remote Login Failure | Compliance, Database | Event | True | Increases the severity of a failed login attempt to a database from a remote network.
Default-Rule-Database: Remote Login Success | Compliance, Database | Event | True | Reports when a successful authentication occurs to a database server from a remote network.
Default-Rule-Database: User Rights Changed from Remote Host | Compliance, Database | Event | True | Reports when changes to user privileges occur on a database from a remote network.
Default-Rule-DDoS Attack Detected | D/DoS | Event | True | Reports network Distributed Denial of Service (DDoS) attacks on a system.
Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses | D/DoS | Event | True | Reports when offenses are created for DoS-based events with high magnitude.
Default-Rule-Device Definition: Access/Authentication/Audit | Device Definition | Event | True | Reports all access, authentication, and audit devices.
Default-Rule-Device Definition: AntiVirus | Device Definition | Event | True | Reports all antivirus services on the system.
Default-Rule-Device Definition: Application | Device Definition | Event | True | Reports all application and OS devices on the network.
Default-Rule-Device Definition: FW/Router/Switch | Device Definition | Event | True | Reports all firewall (FW), router, and switch devices on the network.
Default-Rule-Device Definition: IDS/IPS | Device Definition | Event | True | Reports all IDS and IPS devices on the network.
Default-Rule-Device Definition: VPN | Device Definition | Event | True | Reports all VPNs on the network.
Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks | D/DoS | Event | True | If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.
Default-Rule-DoS: DoS Events from Darknet | D/DoS | Event | False | Reports when DoS attack events are identified on Darknet network ranges.
Default-Rule-DoS: DoS Events with High Magnitude Become Offenses | D/DoS | Event | True | Forces the creation of an offense for DoS-based events with a high magnitude.
Default-Rule-DoS: Increase Magnitude of High Rate Attacks | D/DoS | Event | True | If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.
Default-Rule-DoS: Network DoS Attack Detected | D/DoS | Event | True | Reports network Denial of Service (DoS) attacks on a system.
Default-Rule-DoS: Service DoS Attack Detected | D/DoS | Event | True | Reports a DoS attack against a local target that is known to exist and whose target port is open.
Default-Rule-Exploit: All Exploits Become Offenses | Exploit | Event | False | Reports exploit events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Exploit: Attack followed by Attack Response | Exploit | Event | False | Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.
Default-Rule-Exploit: Attacker Vulnerable to any Exploit | Exploit | Event | False | Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.
Default-Rule-Exploit: Attacker Vulnerable to this Exploit | Exploit | Event | False | Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.
Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity | Exploit | Event | False | Reports exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.
Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets | Exploit | Event | True | Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.
Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses | Exploit | Event | True | Forces the creation of offenses for exploit-based events with a high magnitude.
Default-Rule-Exploit: Exploits Followed by Firewall Accepts | Exploit | Event | False | Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.
Default-Rule-Exploit: Multiple Exploit Types Against Single Target | Exploit | Event | True | Reports a target being attacked with multiple types of attacks from one or more attackers.
Default-Rule-Exploit: Multiple Vector Attacker | Exploit | Event | False | Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.
Default-Rule-Exploit: Potential VoIP Toll Fraud | Exploit | Event | False | Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This may indicate that unauthorized users are establishing VoIP sessions on your network.
Default-Rule-Exploit: Recon followed by Exploit | Exploit | Event | True | Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit | Exploit | Event | True | Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port | Exploit | Event | True | Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack on a different port.
Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port | Exploit | Event | False | Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to some attack, but not the one being attempted.
Default-Rule-False Positive: False Positive Rules and Building Blocks | False Positive | Event | True | Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but dropped from offense creation. If you add any new building blocks or rules to stop events from becoming offenses, you must add those new rules or building blocks to this rule.
Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses | Malware | Event | False | Enable this rule if you want all events categorized as backdoor, virus, or trojan to create an offense.
Default-Rule-Malware: Treat Key Loggers as Offenses | Malware | Event | False | Enable this rule if you want all events categorized as key loggers to create offenses.
Default-Rule-Malware: Treat Non-Spyware Malware as Offenses | Malware | Event | False | Reports non-spyware malware events. Enable this rule if you want all events categorized as malware to create an offense.
Default-Rule-Malware: Treat Spyware and Virus as Offenses | Malware | Event | False | Reports spyware and/or virus events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.
Default-Rule-Malware: Local Host Sending Malware | Malware, Policy | Event | False | Reports malware being sent from local hosts.
Default-Rule-Network Definition: Local to Local | Network Definition | Event | True | Reports events that are considered Local-to-Local (L2L).
Default-Rule-Network Definition: Local to Remote | Network Definition | Event | True | Reports events that are considered Local-to-Remote (L2R).
Default-Rule-Network Definition: Remote to Local | Network Definition | Event | True | Reports events that are considered Remote-to-Local (R2L).
Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic | Policy | Event | False | Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.
Default-Rule-Policy: Create Offenses for All P2P Usage | Policy | Event | False | Reports P2P traffic or any event categorized as P2P.
Default-Rule-Policy: Create Offenses for All Policy Events | Policy | Event | False | Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.
Default-Rule-Policy: Create Offenses for All Porn Usage | Policy | Event | False | Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.
Default-Rule-Policy: Host has SANS Top 20 Vulnerability | Policy | Event | False | Acts as a warning that the asset identified in an event is vulnerable to a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/).
Default-Rule-Policy: Local P2P Server Detected | Policy | Event | True | Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.
Default-Rule-Policy: New Host Discovered | Policy | Event | False | Reports when a new host has been discovered on the network.
Default-Rule-Policy: New Service Discovered | Policy | Event | False | Reports when an existing host has a newly discovered service.
Default-Rule-Policy: Potential Tunneling | Policy | Event | False | Identifies potential tunneling that can be used to bypass policy or security controls.
Default-Rule-Policy: Upload to Local WebServer | Policy | Event | False | Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block.
Default-Rule-Recon: Aggressive Local Scanner Detected | Recon | Event | True | Reports an aggressive scan from a local source IP address, scanning other local or remote IP addresses. More than 400 targets received reconnaissance or suspicious events in less than 2 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system.
Rule
Rule Group Type Enabled Description
Default-Rule-Recon: Aggressive Remote Scanner Detected | Recon | Event | True | Reports an aggressive scan from a remote source IP address scanning other local or remote IP addresses. More than 50 targets received reconnaissance or suspicious events in less than 3 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system.
Default-Rule-Recon: Excessive Firewall Denies From Local Hosts | Recon | Event | True | Reports excessive denied attempts from local hosts to access the firewall. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Excessive Firewall Denies From Remote Hosts | Recon | Event | True | Reports excessive denied attempts from remote hosts to access the firewall. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Host Port Scan Detected by Local Host | Recon | Event | True | Reports a single source IP address scanning more than 50 ports in under 3 minutes.
Default-Rule-Recon: Host Port Scan Detected by Remote Host | Recon | Event | True | Reports when more than 400 ports were scanned from a single source IP address in under 2 minutes.
Default-Rule-Recon: Increase Magnitude of High Rate Scans | Recon | Event | True | If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Increase Magnitude of Medium Rate Scans | Recon | Event | True | If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Local LDAP Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Database Scanner | Recon | Event | True | Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Local DHCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local FTP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Game Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local ICMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Local Mail Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local P2P Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Proxy Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local RPC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Scanner Detected | Recon | Event | True | Reports a scan from a local host against other local hosts or remote targets. At least 60 hosts were scanned within 20 minutes using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Local SNMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local SSH Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Suspicious Probe Events Detected | Recon | Event | False | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.
Default-Rule-Recon: Local TCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local UDP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Web Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Server Scanner to Internet | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Server Scanner | Recon | Event | True | Reports on events that are detected by the system when the attack context is Local-to-Local (L2L).
Default-Rule-Recon: Recon Followed by Accept | Recon | Event | False | Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.
Default-Rule-Recon: Remote Database Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote DHCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote FTP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Game Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote ICMP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote IM Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote IRC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Remote LDAP Server Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote Mail Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote P2P Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Proxy Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote RPC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Scanner Detected | Recon | Event | True | Reports a scan from a remote host against other local hosts or remote targets. At least 60 hosts were scanned within 20 minutes using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Remote SNMP Scanner | Recon | Event | True | Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote SSH Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Suspicious Probe Events Detected | Recon | Event | False | Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating system of the targets.
Default-Rule-Recon: Remote TCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote UDP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Web Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Windows Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Single Merged Recon Events | Recon | Event | True | Reports merged reconnaissance events generated by some devices. This rule causes all of these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.
Default-Rule-Suspicious Activity: Common Non-Local to Remote Ports | | Event | False | Identifies events on common internal-only ports that are communicating outside of the local network.
Default-Rule-Suspicious Activity: Communication with Known Hostile Networks | Anomaly | Event | False | Reports events that involve known hostile networks.
Default-Rule-Suspicious Activity: Communication with Known Online Services | Anomaly | Event | False | Reports events that involve networks identified as possible sites of data loss.
Default-Rule-Suspicious Activity: Communication with Known Watched Networks | Anomaly | Event | False | Reports events that involve networks you have defined as networks to monitor.
Default-Rule-Suspicious Activity: Consumer Grade Equipment | Compliance | Event | False | Reports assets that appear to be consumer grade equipment.
Default-Rule-System-Notification | | Event | True | Ensures that notification events are sent to the notification framework.
Default-Rule-System: 100% Accurate Events | System | Event | True | Creates an offense when an event matches a 100% accurate signature for a successful compromise.
Default-Rule-System: Critical System Events | System | Event | False | Reports when STRM detects a critical event.
Default-Rule-System: Device Stopped Sending Events | System | Event | False | Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add the devices you want to monitor.
Default-Rule-System: Host Based Failures | System | Event | False | Reports when STRM detects events that indicate failures within services or hardware.
Default-Rule-System: Load Building Blocks | System | Event | True | Loads building blocks that need to run to assist with reporting. This rule has no actions or responses.
Default-Rule-System: Multiple System Errors | System | Event | False | Reports when a source has 10 system errors within 3 minutes.
Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner | Compliance | Event | False | Reports when a vulnerability is discovered on a local host.
Default-Rule-Worms Detection: Local Mass Mailing Host Detected | Worm | Event | True | Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a mass mailing worm.
Default-Rule-Worms Detection: Possible Local Worm Detected | Worm | Event | True | Reports a local host generating reconnaissance or suspicious events across a large number of hosts (more than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan.
Default-Rule-Worms Detection: Worm Detected (Events) | Worm | Event | True | Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic.
Default Building Blocks
Default building blocks for the Enterprise template include:
Table B-10 Default Building Blocks
Default Sentries
The default sentries for the University template include:
Table C-1 Default Sentries
Sentry | Description
Behavior - Flow Count Behavior Change | Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.
Behavior - Host Count Behavior Change | Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.
Behavior - Threat Traffic Packet Rate Behavior Change | Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.
Suspicious - Internal - Inbound Unidirectional Flows Threshold | Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.
DoS - External - Distributed DoS Attack (High Number of Hosts) | Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Distributed DoS Attack (Low Number of Hosts) | Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Distributed DoS Attack (Medium Number of Hosts) | Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Flood Attack (High) | Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.
DoS - External - Flood Attack (Medium) | Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - External - Flood Attack (Low) | Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - External - Potential ICMP DoS | Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - External - Potential TCP DoS | Detects flows that appear to be a TCP DoS attack attempt.
DoS - External - Potential UDP DoS | Detects flows that appear to be a UDP DoS attack attempt.
DoS - External - Potential Unresponsive Service or Distributed DoS | Detects a low number of hosts sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (High Number of Hosts) | Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Low Number of Hosts) | Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Medium Number of Hosts) | Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Flood Attack (High) | Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.
DoS - Internal - Flood Attack (Medium) | Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - Internal - Flood Attack (Low) | Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - Internal - Potential ICMP DoS | Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - Internal - Potential TCP DoS | Detects flows that appear to be a TCP DoS attack attempt.
DoS - Internal - Potential UDP DoS | Detects flows that appear to be a UDP DoS attack attempt.
DoS - Internal - Potential Unresponsive Service or Distributed DoS | Detects a low number of hosts sending identical, non-responsive packets to a single target.
Malware - External - Client Based DNS Activity to the Internet | Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a botnet connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.
Malware - External - Communication with BOT Control Channel | Detects communication with an IP address that is a known control channel for a botnet. The local machine may be infected with a bot and should be investigated.
Policy - External - Clear Text Application Usage | Detects flows to or from the Internet where the application uses clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - External - Hidden FTP Server | Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - Internal - Clear Text Application Usage | Detects flows to or from the Internet where the application uses clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - Internal - Hidden FTP Server | Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - External - IM/Chat | Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - External - IRC Connections | Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - Local P2P Server Detected | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities such as copyright infringement.
Policy - External - Long Duration Flow Detected | Detects a flow to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3600 seconds, which means that an event generates 3600 seconds after the first instance of the event.
Policy - External - P2P Communications Detected | Detects Peer-to-Peer (P2P) communications.
Policy - External - Possible Tunneling | Detects possible tunneling, which can indicate a bypass of policy or an infected system.
Policy - External - Remote Desktop Access from the Internet | Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, remove this sentry.
Policy - External - SMTP Mail Sender | Detects an internal host sending a large number of SMTP flows from the same source to the Internet in one interval. This may indicate a mass mailing, a worm, or a spam relay. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Policy - External - SSH or Telnet Detected on Non-Standard Ports | Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - Internal - SSH or Telnet Detected on Non-Standard Ports | Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - External - Usenet Usage | Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.
Policy - External - VNC Access From the Internet to a Local Host | Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.
Policy - P2P Policy Threshold | Detects more than 100 KB/s of Peer-to-Peer (P2P) traffic within 5 minutes.
Recon - External - ICMP Scan (High) | Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate, which is typical of a worm infection or a standard scanning application.
Recon - External - ICMP Scan (Low) | Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If it continues, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - ICMP Scan (Medium) | Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate, which is typical of a worm infection or a host configured for network management purposes.
Recon - External - Potential Network Scan | Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.
Recon - External - Scanning Activity (High) | Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - External - Scanning Activity (Low) | Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If it continues, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - Scanning Activity (Medium) | Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Recon - Internal - ICMP Scan (High) | Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate, which is typical of a worm infection or a standard scanning application.
Recon - Internal - ICMP Scan (Low) | Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If it continues, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - ICMP Scan (Medium) | Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate, which is typical of a worm infection or a host configured for network management purposes.
Recon - Internal - Potential Network Scan | Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.
Recon - Internal - Scanning Activity (High) | Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - Internal - Scanning Activity (Low) | Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If it continues, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - Scanning Activity (Medium) | Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Suspicious - External - Anomalous ICMP Flows | Detects an excessive number of ICMP flows from one source IP address, where the ICMP types and codes used are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Invalid TCP Flag usage | Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or other forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - External - Port 0 Flows Detected | Detects flows whose destination or source port is 0. This may be considered suspicious.
Suspicious - External - Rejected Communication Attempts | Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is receiving packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Unidirectional ICMP Detected | Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Unidirectional ICMP Responses Detected | Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Unidirectional TCP Flows | Detects a host sending an excessive quantity (at least 40) of unidirectional flows. Such flows can be normal, but client workstations and other devices should not be seen emitting large quantities of them, so this should be considered suspicious.
Suspicious - Internal - Anomalous ICMP Flows | Detects an excessive number of ICMP flows from one source IP address, where the ICMP types and codes used are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Invalid TCP Flag usage | Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or other forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - External - Outbound Unidirectional Flows Threshold | Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes.
Suspicious - Internal - Port 0 Flows Detected | Detects flows whose destination or source port is 0. This may be considered suspicious.
Suspicious - Internal - Rejected Communication Attempts | Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is receiving packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Unidirectional ICMP Detected | Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Unidirectional ICMP Responses Detected | Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Unidirectional TCP Flows | Detects a host sending an excessive quantity (at least 40) of unidirectional flows. Such flows can be normal, but client workstations and other devices should not be seen emitting large quantities of them, so this should be considered suspicious.
Sentry Description
Excessive Unidirectional Detects an excessive number of UDP, non-TCP, or
UDP or Misc Flows ICMP from a single source. By default, the minimum
number of times, in flows, this activity must occur
before an event generates is 80.
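The sentries above all work the same way: each flow is tested against a condition, matches are counted per source address, and an event is generated only once the count reaches the sentry's default minimum. As an added illustration (not STRM code), the following Python models that logic for five of the sentries over constructed flow records; the flow record layout, the set of "improper" TCP flag combinations and the sample traffic are assumptions made for the example, while the thresholds (40, 40, 40, 10) are the defaults quoted in the table.

```python
"""Per-source flow-sentry checks modelled on the Suspicious-* sentries.
Added example, not STRM code: the Flow layout, the illegal-flag set and the
sample traffic are constructed here; the thresholds are the guide's defaults."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    src_flags: str    # TCP flags seen from src, e.g. "S", "SA"; "" for non-TCP
    dst_flags: str    # TCP flags seen from dst, e.g. "RA"
    src_pkts: int
    dst_pkts: int
    dst_payload: int  # payload bytes carried in the dst->src direction


# Minimum number of matching flows per source before an event is generated.
THRESHOLDS = {
    "unidirectional_tcp": 40,      # Suspicious - Internal - Unidirectional TCP Flows
    "unidirectional_icmp": 40,     # Suspicious - Internal - Unidirectional ICMP Detected
    "rejected_communication": 40,  # Suspicious - Internal - Rejected Communication Attempts
    "invalid_tcp_flags": 10,       # Suspicious - Internal - Invalid TCP Flag usage
    "port_0": 1,                   # Port 0 Flows Detected (assumption: any flow counts)
}

# Flag combinations treated as improper. The guide does not enumerate them, so
# this set is an assumption: no flags, SYN+FIN, SYN+RST, and FIN+PSH+URG.
ILLEGAL_FLAG_SETS = (frozenset(), frozenset("SF"), frozenset("SR"), frozenset("FPU"))


def invalid_tcp_flags(flow: Flow) -> bool:
    if flow.proto != "tcp":
        return False
    return frozenset(flow.src_flags.upper()) in ILLEGAL_FLAG_SETS


def unidirectional(flow: Flow, proto: str) -> bool:
    # Source sent packets, remote host never answered.
    return flow.proto == proto and flow.src_pkts > 0 and flow.dst_pkts == 0


def rejected_communication(flow: Flow) -> bool:
    # Refused (RST from the target) or answered only with payload-less packets.
    if flow.proto != "tcp" or flow.dst_pkts == 0:
        return False
    return "R" in flow.dst_flags.upper() or flow.dst_payload == 0


def port_zero(flow: Flow) -> bool:
    return flow.proto in ("tcp", "udp") and (flow.sport == 0 or flow.dport == 0)


CHECKS = {
    "unidirectional_tcp": lambda f: unidirectional(f, "tcp"),
    "unidirectional_icmp": lambda f: unidirectional(f, "icmp"),
    "rejected_communication": rejected_communication,
    "invalid_tcp_flags": invalid_tcp_flags,
    "port_0": port_zero,
}


def evaluate(flows):
    """Count matching flows per (check, source); return only the pairs whose
    count reached the check's threshold, as {(check, src): count}."""
    counts = Counter()
    for flow in flows:
        for name, check in CHECKS.items():
            if check(flow):
                counts[(name, flow.src)] += 1
    return {key: n for key, n in counts.items() if n >= THRESHOLDS[key[0]]}


def sample_flows():
    """Constructed traffic: a sweeping host, a pinging host, a refused host,
    an ordinary workstation below threshold, and one port-0 flow."""
    flows = []
    # 10.0.0.5: 45 unanswered SYNs (unidirectional TCP) plus 12 SYN+FIN probes
    # (invalid flags); the probes are also unanswered, so they count twice.
    for i in range(45):
        flows.append(Flow("10.0.0.5", f"10.0.1.{i}", "tcp", 40000 + i, 445, "S", "", 1, 0, 0))
    for i in range(12):
        flows.append(Flow("10.0.0.5", f"10.0.2.{i}", "tcp", 41000 + i, 22, "SF", "", 1, 0, 0))
    # 10.0.0.7: echo requests to 41 hosts, no replies (unidirectional ICMP).
    for i in range(41):
        flows.append(Flow("10.0.0.7", f"10.0.3.{i}", "icmp", 0, 0, "", "", 2, 0, 0))
    # 10.0.0.8: SYN answered with RST by 40 hosts (rejected communication).
    for i in range(40):
        flows.append(Flow("10.0.0.8", f"10.0.4.{i}", "tcp", 42000 + i, 3389, "S", "RA", 1, 1, 0))
    # 10.0.0.20: an ordinary workstation with 3 unanswered SYNs, well under 40.
    for i in range(3):
        flows.append(Flow("10.0.0.20", "10.0.5.1", "tcp", 43000 + i, 80, "S", "", 1, 0, 0))
    # 10.0.0.9: one UDP flow with destination port 0.
    flows.append(Flow("10.0.0.9", "10.0.6.1", "udp", 5000, 0, "", "", 1, 0, 0))
    return flows


if __name__ == "__main__":
    for (check, src), n in sorted(evaluate(sample_flows()).items()):
        print(f"{check:24s} {src:12s} {n} flows")
```

Note that the workstation's three unanswered SYNs never surface, which is exactly the behaviour the "may be considered normal" wording in the table describes: the per-source minimum is what separates ordinary connection failures from a sweep.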
Default Custom Views: This section provides the default custom views for the Enterprise template, including:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group
IP Tracking Group: Pre-configured groups that specify traffic flows from your local and remote IP addresses, including:

Table C-2 Custom Views - IP Tracking View (columns: IP Tracking Group, Group Objects)

Locals: Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.

Remotes: Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.
Threats Group: Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps, including:

Table C-3 Custom Views - Threats View (columns: Group, Group Objects)

Exceptions: This group includes:
Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.

DoS: The Denial of Service (DoS) group includes:
• Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
• Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
• Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
• Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
• Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
• Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.

Scanning: This scanning group includes:
• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
• ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
• Scan_High - Defines a scan of more than 100,000 hosts per minute.
• Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
• Scan_Low - Defines a scan of more than 500 hosts per minute.
• Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.

PortScans: This PortScans group includes:
• Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
• UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.

Suspicious_IP_Protocol_Usage: This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
• Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
• TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.
• Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate application failures to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
• Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.
• Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.
• Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (or other flows not including TCP or ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.
• Zero_Payload_Bidirectional_Flows - Detects flows that contain small amounts of payload (if any). This may be the result of scans where the target responds with reset packets.
• Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
• Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.
• Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.

Remote_Access_Violation: This group includes:
• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.
• Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports of this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.
• Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
• VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.

Suspicious_IRC: Detects suspicious IRC activity.
Attacker Target Analysis Group: Pre-configured groups that specify traffic flows from attackers, responses, and events, including:

Table C-4 Custom Views - AttackerTargetAnalysis (columns: Group, Group Objects)

AttackResponseAnalysis: This group includes:
• Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.
• Target_Responded - The network flow analysis indicates a target responded to the event from the attacker, and therefore increases the likelihood the attacker was successful.

PeripheralCommsAnalysis: This group includes:
• Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host. Many typical attacks fire an exploit at the target with little or no prior host investigation.
• Activity_After_Event - The network flow analysis indicates a target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker/target were also seen communicating before the event, and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate a successful attack has occurred.
• Target_Initiating_Comms_To_Attacker - The network flow analysis indicates a target was seen initiating connections back to the attacker before or after the event. This can sometimes indicate the attacker has been able to force the target to communicate back to the attacker, therefore bypassing some firewall rules.
Target Analysis Group: Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relay, including:

Table C-5 Custom Views - TargetAnalysis (columns: Group, Group Objects)

BotNetAnalysis: BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC Bot on the target and instructed the target to connect to an IRC Channel that is under the attacker's control and await instructions. Large numbers of such exploited machines form a BotNet and can be used by the attacker to coordinate large scale Distributed Denial of Service attacks (DDoS).

MalwareAnalysis: Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is being seen in the presence of security events aimed at this host, and therefore it is possible the attacker has infected the target with a worm, or other hostile malware, and it is attempting to spread from this host.

PeripheralCommsAnalysis: This group includes:
• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently, crashed the service running on this host.
• Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given this activity is occurring in the presence of security events targeting this host, it is possible the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
• Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given this activity is occurring in the presence of a security event targeting this host, it is possible the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.
Policy Violations Group: Pre-configured groups that specify traffic flows from your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies, including:

Table C-6 Custom Views - PolicyViolations (columns: Group, Group Objects)

Mail_Policy_Violation: This group includes:
• Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to not include network mail servers.
• Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Additionally, such servers may be the result of an infected host which is inadvertently running a SPAM relay. We recommend updating this equation to not include network mail servers.

IRC_IM_Policy_Violation: This group includes:
• IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on a common IRC port or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
• IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.

Remote_Access_Policy_Violation: Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. Detection covers any of the following access technologies: Citrix, PCAnywhere, SSH, Telnet, or VNC.

P2P_Policy_Violation: This group includes:
• Local_P2P__Server - Detects flows indicating a P2P server is operating on the local network. This can be in violation of local network policy.
• Local_P2P_Client - Detects flows indicating a P2P client is operating on the local network. This can be in violation of local network policy.

Application_Policy_Violation: This group includes:
• NNTP_to_Internet - Detects flows indicating an NNTP news client is operating on the local network. This may be in violation of local network policy.
• Unknown_Local_Service - Detects an active service on a local host.

Compliance_Policy_Violations: This group includes:
• Clear_Text_Application_Usage - Detects flows where the application types use clear text passwords. Applications covered by this view include Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.
• Large_Outbound_Transfer - Detects large outbound file transfers.
ASN Source Group: STRM detects the ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.

ASN Destination Group: STRM detects the ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.

IFIndexIn Group: STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.

IFIndexOut Group: STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.
Columns: Rule, Rule Group, Type, Enabled, Description. Each entry below gives the rule name with its rule group, type and enabled state in brackets, followed by its description.
Default-Response-E-mail: Offense E-mail Sender [Rule Group: Response; Type: Offense; Enabled: False]
Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.

Default-Response-Sylog: Offense SYSLOG Sender [Rule Group: Response; Type: Offense; Enabled: False]
Reports any offense matching the severity, credibility, or relevance minimum to syslog.

Default-Rule-Anomaly: Devices with High Event Rates [Rule Group: Anomaly; Type: Event; Enabled: False]
Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices will be monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.

Default-Rule-Anomaly: DMZ Jumping [Rule Group: Anomaly; Type: Event; Enabled: False]
Reports when connections are bridged across your network's Demilitarized Zone (DMZ).

Default-Rule-Anomaly: Excessive Database Connections [Rule Group: Anomaly; Type: Event; Enabled: True]
Reports an excessive number of successful database connections.

Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts [Rule Group: Anomaly; Type: Event; Enabled: False]
Reports excessive firewall accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.

Default-Rule-Anomaly: Excessive Firewall Denies from Single Source [Rule Group: Anomaly; Type: Event; Enabled: True]
Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.
Default-Rule-Anomaly: Long Duration Flow [Rule Group: Anomaly; Type: Event; Enabled: False]
Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

Default-Rule-Anomaly: Potential Honeypot Access [Rule Group: Anomaly; Type: Event; Enabled: False]
Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.

Default-Rule-Anomaly: Rate Analysis Marked Events [Rule Group: Anomaly; Type: Event; Enabled: False]
Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.

Default-Rule-Anomaly: Remote Access from Foreign Country [Rule Group: Anomaly; Type: Event; Enabled: False]
Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.

Default-Rule-Authentication: Login Failure to Disabled Account [Rule Group: Authentication; Type: Event; Enabled: True]
Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.

Default-Rule-Authentication: Login Failure to Expired Account [Rule Group: Authentication; Type: Event; Enabled: False]
Reports a host login failure message from a known expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.

Default-Rule-Authentication: Login Failures Across Multiple Hosts [Rule Group: Authentication; Type: Event; Enabled: True]
Reports authentication failures on the same source IP address more than three times, across more than three destination IP addresses within 10 minutes.

Default-Rule-Authentication: Login Failures Followed By Success [Rule Group: Authentication; Type: Event; Enabled: True]
Reports multiple login failures to a single host, followed by a successful login to the host.
Default-Rule-Authentication: Login Successful After Scan Attempt [Rule Group: Authentication, Compliance; Type: Event; Enabled: True]
Reports on events detected by the system when at least one of the configured rules is detected with the same source IP address, followed by successful authentication with the same IP address, within 30 minutes.

Default-Rule-Authentication: Multiple VoIP Login Failures [Rule Group: Authentication; Type: Event; Enabled: True]
Reports multiple login failures to a VoIP PBX.

Default-Rule-Authentication: Repeated Login Failures, Single Host [Rule Group: Authentication; Type: Event; Enabled: True]
Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.

Default-Rule-Botnet: Potential Botnet Connection (DNS) [Rule Group: Botnet, Exploit; Type: Event; Enabled: False]
Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block.
Note: Laptops that include wireless adapters may cause this rule to generate alerts since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.

Default-Rule-Botnet: Potential Botnet Connection (IRC) [Rule Group: Botnet; Type: Event; Enabled: False]
Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.

Default-Rule-Botnet: Potential Botnet Events Become Offenses [Rule Group: Botnet; Type: Event; Enabled: True]
Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-Category Definitions: Access Denied [Rule Group: Category Definition; Type: Event; Enabled: True]
Reports events in different Access Denied categories.

Default-Rule-Category Definitions: Session Closed [Rule Group: Category Definition, Malware; Type: Event; Enabled: True]
Reports all Session Closed events by categories.

Default-Rule-Category Definitions: Session Opened [Rule Group: Category Definition, Malware; Type: Event; Enabled: True]
Reports all Session Opened events by categories.

Default-Rule-Category Definitions: Virus Detected [Rule Group: Category Definition, Malware; Type: Event; Enabled: True]
Reports all virus detection events.
Default-Rule-Category Definitions: System Errors and Failures [Rule Group: Category Definitions; Type: Event; Enabled: True]
Reports events that may indicate a system error or failure.

Default-Rule-Category Definitions: VPN Access Denied [Rule Group: Category Definition; Type: Event; Enabled: True]
Reports VPN events that are considered Denied Access events.

Default-Rule-Category Definitions: Database Access Denied [Rule Group: Category Definition; Type: Event; Enabled: True]
Reports database events that indicate denied access activities.

Default-Rule-Category Definitions: Database Access Permitted [Rule Group: Category Definition; Type: Event; Enabled: True]
Reports database events that indicate permitted access.

Default-Rule-Category Definitions: VPN Access Accepted [Rule Group: Category Definition; Type: Event; Enabled: True]
Reports VPN events that indicate permitted access.

Default-Rule-Compliance: Compliance Events Become Offenses [Rule Group: Compliance; Type: Event; Enabled: False]
Reports compliance-based events, such as clear text passwords.

Default-Rule-Compliance: Excessive Failed Logins to Compliance IS [Rule Group: Compliance; Type: Event; Enabled: False]
Reports excessive authentication failures to a compliance server within 10 minutes.

Default-Rule-Database: Attempted Configuration Modification by a remote host [Rule Group: Database, Compliance; Type: Event; Enabled: False]
Reports when a configuration modification is attempted to a database server from a remote network.

Default-Rule-Database: Concurrent Logins from Multiple Locations [Rule Group: Database, Compliance; Type: Event; Enabled: True]
Reports when several authentications to a database server occur across many remote IP addresses.

Default-Rule-Database: Failures Followed by User Changes [Rule Group: Database, Compliance; Type: Event; Enabled: True]
Reports when there are failures followed by the addition or change of a user account.

Default-Rule-Database: Groups changed from Remote Host [Rule Group: Database, Compliance; Type: Event; Enabled: True]
Monitors changes to groups on a database when the change is initiated from a remote network.

Default-Rule-Database: Multiple Database Failures Followed by Success [Rule Group: Database, Compliance; Type: Event; Enabled: True]
Reports when there are multiple database failures followed by a success within a short period of time.

Default-Rule-Database: Remote Login Failure [Rule Group: Database, Compliance; Type: Event; Enabled: True]
Increases the severity of a failed login attempt to a database from a remote network.

Default-Rule-Database: Remote Login Success [Rule Group: Database, Compliance; Type: Event; Enabled: True]
Reports when a successful authentication occurs to a database server from a remote network.
Default-Rule-Database: User Rights Changed from Remote Host [Rule Group: Database, Compliance; Type: Event; Enabled: True]
Reports when changes to user privileges occur to a database from a remote network.

Default-Rule-DDoS Attack Detected [Rule Group: D/DoS; Type: Event; Enabled: False]
Reports network Distributed Denial of Service (DDoS) attacks on a system.

Default-Rule-Device Definitions: Access/Authentication/Audit [Rule Group: Device Definition; Type: Event; Enabled: True]
Reports all access, authentication, and audit devices.

Default-Rule-Device Definitions: AntiVirus [Rule Group: Device Definition; Type: Event; Enabled: True]
Reports all antivirus services on the system.

Default-Rule-Device Definitions: Application [Rule Group: Device Definition; Type: Event; Enabled: True]
Reports all application and OS devices on the network.

Default-Rule-Device Definitions: Database [Rule Group: Device Definition; Type: Event; Enabled: True]
Reports all databases on the system.

Default-Rule-Device Definitions: FW/Router/Switch [Rule Group: Device Definition; Type: Event; Enabled: True]
Reports all firewalls (FW), routers, and switches on the network.

Default-Rule-Device Definitions: IDS/IPS [Rule Group: Device Definition; Type: Event; Enabled: True]
Reports all IDS and IPS devices on the network.

Default-Rule-Device Definitions: VPN [Rule Group: Device Definition; Type: Event; Enabled: True]
Reports all VPNs on the network.

Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks [Rule Group: D/DoS; Type: Event; Enabled: True]
If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.

Default-Rule-DoS: DoS Events from Darknet [Rule Group: D/DoS; Type: Event; Enabled: False]
Reports when DoS attack events are identified on Darknet network ranges.

Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses [Rule Group: D/DoS; Type: Event; Enabled: False]
Reports when offenses are created for DoS-based events with high magnitude.
Default-Rule-DoS: DoS Events with High Magnitude Become Offenses [Rule Group: D/DoS; Type: Event; Enabled: True]
Rule forces the creation of an offense for DoS-based events with a high magnitude.

Default-Rule-DoS: Increase Magnitude of High Rate Attacks [Rule Group: D/DoS; Type: Event; Enabled: True]
If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.

Default-Rule-DoS: Network DoS Attack Detected [Rule Group: D/DoS; Type: Event; Enabled: True]
Reports network Denial of Service (DoS) attacks on a system.
Default-Rule-DoS: Service DoS Attack Detected [Rule Group: D/DoS; Type: Event; Enabled: True]
Reports a DoS attack against a local target that is known to exist and whose target port is open.

Default-Rule-Exploit: All Exploits Become Offenses [Rule Group: Exploit; Type: Event; Enabled: False]
Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-Exploit: Attacker Vulnerable to any Exploit [Rule Group: Exploit; Type: Event; Enabled: False]
Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.

Default-Rule-Exploit: Attack followed by Attack Response [Rule Group: Exploit; Type: Event; Enabled: False]
Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.

Default-Rule-Exploit: Attacker Vulnerable to this Exploit [Rule Group: Exploit; Type: Event; Enabled: False]
Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.

Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity [Rule Group: Exploit; Type: Event; Enabled: False]
Reports an exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.

Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets [Rule Group: Exploit; Type: Event; Enabled: True]
Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.

Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses [Rule Group: Exploit; Type: Event; Enabled: False]
Rule forces the creation of offenses for exploit-based events with a high magnitude.

Default-Rule-Exploit: Exploits Followed by Firewall Accepts [Rule Group: Exploit; Type: Event; Enabled: False]
Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.

Default-Rule-Exploit: Multiple Exploit Types Against Single Target [Rule Group: Exploit; Type: Event; Enabled: True]
Reports a target that is being exploited using multiple types of attacks from one or more attackers.

Default-Rule-Exploit: Multiple Vector Attacker [Rule Group: Exploit; Type: Event; Enabled: False]
Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.

Default-Rule-Exploit: Potential VoIP Toll Fraud [Rule Group: Exploit; Type: Event; Enabled: False]
Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This action could indicate that illegal users are executing VoIP sessions on your network.
Default-Rule-Exploit: Recon followed by Exploit [Rule Group: Exploit; Type: Event; Enabled: True]
Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit [Rule Group: Exploit; Type: Event; Enabled: True]
Reports an attack against a vulnerable local target, where the target is known to exist, and the host is vulnerable to the attack.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port [Rule Group: Exploit; Type: Event; Enabled: True]
Reports an attack against a vulnerable local target, where the target is known to exist, and the host is vulnerable to the attack on a different port.

Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port [Rule Group: Exploit; Type: Event; Enabled: False]
Reports an attack against a vulnerable local target, where the target is known to exist, and the host is vulnerable to some attack but not the one being attempted.

Default-Rule-False Positive: False Positive Rules and Building Blocks [Rule Group: False Positive; Type: Event; Enabled: True]
Reports events that include false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match the above conditions are stored but also dropped. If you add any new building blocks or rules to remove events from becoming offenses, you must add these new rules or building blocks to this rule.

Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses [Rule Group: Malware; Type: Event; Enabled: False]
Enable this rule if you want all events categorized as backdoor, viruses, and trojans to create an offense.

Default-Rule-Malware: Local Host Sending Malware [Rule Group: Malware, Policy; Type: Event; Enabled: False]
Reports malware being sent from local hosts.

Default-Rule-Malware: Treat Key Loggers as Offenses [Rule Group: Malware; Type: Event; Enabled: False]
Enable this rule if you want all events categorized as key loggers to create offenses.

Default-Rule-Malware: Treat Non-Spyware Malware as Offenses [Rule Group: Malware; Type: Event; Enabled: False]
Reports non-spyware malware attacks on events. Enable this rule if you want all events categorized as malware to create an offense.

Default-Rule-Malware: Treat Spyware and Virus as Offenses [Rule Group: Malware; Type: Event; Enabled: False]
Reports spyware and/or a virus on events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.

Default-Rule-Network Definition: Local to Local [Rule Group: Network Definition; Type: Event; Enabled: True]
Reports events that are considered Local-to-Local (L2L).
Rule
Rule Group Type Enabled Description
Default-Rule-Network Network Event True Reports events that are considered
Definition: Local to Definition Local-to-Remote (L2R).
Remote
Default-Rule-Network Network Event True Reports events that are considered
Definition: Remote to Definition Remote-to-Local (R2L).
Local
Default-Rule-Policy: Policy Event False Reports Instant Messenger traffic or any event
Create Offenses for All categorized as Instant Messenger traffic where
Instant Messenger the source is local and the destination is remote.
Traffic
Default-Rule-Policy: Policy Event False Reports P2P traffic or any event categorized as
Create Offenses for All P2P.
P2P Usage
Default-Rule-Policy: Policy, Event False Reports policy events. By default, this rule is
Create Offenses for All Compliance disabled. Enable this rule if you want all events
Policy Events categorized as policy to create an offense.
Default-Rule-Policy: Policy Event False Reports any traffic that contains illicit materials
Create Offenses for All or any event categorized as Porn. By default,
Porn Usage this rule is disabled. Enable this rule if you want
all events categorized as Porn to create an
offense.
Default-Rule-Policy: Policy Event False Rule acts as a warning that the asset in which an
Host has SANS Top 20 event identifies is vulnerable to a vulnerability
Vulnerability identified in the SANS Top 20 Vulnerabilities.
(www.sans.org/top20/)
Default-Rule-Policy: Policy Event False Reports local Peer-to-Peer (P2P) traffic or any
Local P2P Server event categorized as P2P. More than 10 hosts
Detected were detected connecting to a local host that
appears to be operating as a P2P server.
Default-Rule-Policy: Policy Event False Reports when a new host has been discovered
New Host Discovered on the network.
Default-Rule-Policy: Authentication, Event False Reports when a new host has been discovered
New Host Discovered in Compliance in the DMZ.
DMZ
Default-Rule-Policy: Policy Event False Reports when an existing host has a newly
New Service discovered service.
Discovered
Default-Rule-Policy: Policy Event False Rule identifies potential tunneling that can be
Potential Tunneling used to bypass policy or security controls.
Default-Rule-Policy: Authentication, Event False Reports when a new service has been
New Service Compliance discovered in the DMZ.
Discovered in DMZ
Rule
Rule Group Type Enabled Description
Default-Rule-Policy: Policy Event False Reports potential file uploads to a local web
Upload to Local server. To edit the details of this rule, edit the
WebServer Default-BB-CategoryDefinition: Upload to Local
WebServer building block.
Default-Rule-Recon: Recon Event True Reports an aggressive scan from a local source
Aggressive Local IP address, scanning other local or remote IP
Scanner Detected addresses. This may indicate a manually driven
scan, an exploited host searching for other
targets, or a worm is present on the system.
Default-Rule-Recon: Recon Event True Reports an aggressive scan from a remote
Aggressive Remote source IP address, scanning other local or
Scanner Detected remote IP addresses. This may indicate a
manually driven scan, an exploited host
searching for other targets, or a worm on a
system.
Default-Rule-Recon: Recon Event True Reports excessive attempts, from a local host, to
Excessive Firewall access the firewall and access is denied. More
Denies From Local Host than 40 attempts are detected across at least 40
destination IP addresses in 5 minutes.
Default-Rule-Recon: Recon Event True Reports excessive attempts, from a remote host,
Excessive Firewall to access the firewall and access is denied.
Denies From Remote More than 40 attempts are detected across at
Host least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Recon Event True Reports a single source IP address scanning
Host Port Scan more than 50 ports in under 3 minutes.
Detected by Local Host
Default-Rule-Recon: Recon Event True Reports when more than 50 ports were scanned
Host Port Scan from a single source IP address in under 3
Detected by Remote minutes.
Host
Default-Rule-Recon: Recon Event True If a high rate flow-based scanning attack is
Increase Magnitude of detected, this rule increases the magnitude of
High Rate Scans the current event.
Default-Rule-Recon: Recon Event True If a medium rate flow-based scanning attack is
Increase Magnitude of detected, this rule increases the magnitude of
Medium Rate Scans the current event.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local LDAP Server reconnaissance or suspicious connections on
Scanner common LDAP ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a scan from a local host against other
Local Database local or remote targets. At least 30 host were
Scanner scanned in 10 minutes.
Rule
Rule Group Type Enabled Description
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local DHCP Scanner reconnaissance or suspicious connections on
common DHCP ports to more than 60 hosts in
10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local DNS Scanner reconnaissance or suspicious connections on
common DNS ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local FTP Scanner reconnaissance or suspicious connections on
common FTP ports to more than 30 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local Game Server reconnaissance or suspicious connections on
Scanner common game server ports to more than 60
hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local ICMP Scanner reconnaissance or suspicious connections on
common ICMP ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local IM Server reconnaissance or suspicious connections on
Scanner common IM server ports to more than 60 hosts
in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local IRC Server reconnaissance or suspicious connections on
Scanner common IRC server ports to more than 10 hosts
in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local Mail Server reconnaissance or suspicious connections on
Scanner common mail server ports to more than 60 hosts
in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local P2P Server reconnaissance or suspicious connections on
Scanner common Peer-to-Peer (P2P) server ports to
more than 60 hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local Proxy Server reconnaissance or suspicious connections on
Scanner common proxy server ports to more than 60
hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local RPC Server reconnaissance or suspicious connections on
Scanner common RPC server ports to more than 60
hosts in 10 minutes.
Rule
Rule Group Type Enabled Description
Default-Rule-Recon: Recon Event True Reports a scan from a local host against other
Local Scanner Detected hosts or remote targets. At least 60 hosts were
scanned within 10 minutes. This activity was
using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local SNMP Scanner reconnaissance or suspicious connections on
common SNMP ports to more than 60 hosts in
10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local SSH Server reconnaissance or suspicious connections on
Scanner common SSH ports to more than 30 hosts in 10
minutes.
Default-Rule-Recon: Recon Event False Reports when various suspicious or
Local Suspicious Probe reconnaissance events have been detected
Events Detected from the same local source IP address to more
than 5 destination IP address in 4 minutes. This
can indicate various forms of host probing, such
as Nmap reconnaissance, which attempts to
identify the services and operation systems of
the target.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local TCP Scanner reconnaissance or suspicious connections on
common TCP ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local UDP Scanner reconnaissance or suspicious connections on
common UDP ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local Web Server reconnaissance or suspicious connections on
Scanner common local web server ports to more than 60
hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local Windows Scanner reconnaissance or suspicious connections on
to Internet the same source IP address more than 5 times,
across more than 60 destination IP address(es)
within 20 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Local Windows Server reconnaissance or suspicious connections on
Scanner common Windows server ports with the same
source IP address more than 5 times, across
more than 200 destination IP address(es) within
20 minutes.
Rule
Rule Group Type Enabled Description
Default-Rule-Recon: Recon Event False Adds an additional event into the event stream
Recon Followed by when a host that has been performing
Accept reconnaissance also has a firewall accept
following the reconnaissance activity.
Default-Rule-Recon: Recon Event True Reports a scan from a remote host against other
Remote Database local or remote targets. At least 30 hosts were
Scanner scanned in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote DHCP Scanner reconnaissance or suspicious connections on
common DHCP ports to more than 30 hosts in
10 minutes.
Default-Rule-Recon: Recon Event True Reports a source IP address attempting
Remote DNS Scanner reconnaissance or suspicious connections on
common DNS ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote FTP Scanner reconnaissance or suspicious connections on
common FTP ports to more than 30 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote Game Server reconnaissance or suspicious connections on
Scanner common game server ports to more than 30
hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote ICMP Scanner reconnaissance or suspicious connections on
common ICMP ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Local IM Server reconnaissance or suspicious connections on
Scanner common IM server ports to more than 60 hosts
in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Local IRC Server reconnaissance or suspicious connections on
Scanner common IRC server ports to more than 10 hosts
in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a scan from a remote host against other
Remote LDAP Server local or remote targets. At least 30 hosts were
Scanner scanned in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote Mail Server reconnaissance or suspicious connections on
Scanner common mail server ports to more than 30 hosts
in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote P2P Server reconnaissance or suspicious connections on
Scanner common Peer-to-Peer (P2P) server ports to
more than 60 hosts in 10 minutes.
Rule
Rule Group Type Enabled Description
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote Proxy Server reconnaissance or suspicious connections on
Scanner common proxy server ports to more than 30
hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote RPC Server reconnaissance or suspicious connections on
Scanner common RPC server ports to more than 30
hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a scan from a remote host against other
Remote Scanner hosts or remote targets. At least 60 hosts were
Detected scanned within 20 minutes. This activity was
using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Recon Event True Reports scans from a remote host against local
Remote SNMP Scanner or remote targets. At least 30 hosts were
scanned in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote SSH Server reconnaissance or suspicious connections on
Scanner common SSH ports to more than 30 hosts in 10
minutes.
Default-Rule-Recon: Recon Event False Reports various suspicious or reconnaissance
Remote Suspicious events from the same remote source IP address
Probe Events Detected to more then 5 destination IP addresses in 4
minutes. This may indicate various forms of host
probing, such as Nmap reconnaissance that
attempts to identify the services and operating
system of the targets.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote TCP Scanner reconnaissance or suspicious connections on
common TCP ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote UDP Scanner reconnaissance or suspicious connections on
common UDP ports to more than 60 hosts in 10
minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote Web Server reconnaissance or suspicious connections on
Scanner common local web server ports to more than 60
hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a remote host attempting
Remote Windows reconnaissance or suspicious connections on
Server Scanner common Windows server ports to more than 60
hosts in 10 minutes.
Rule
Rule Group Type Enabled Description
Default-Rule-Recon: Recon Event True Reports merged reconnaissance events
Single Merged Recon generated by some devices. This rule causes all
Events these events to create an offense. All devices of
this type and their categories should be added to
the Default-BB-ReconDetected: Devices which
Merge Recon into Single Events building block.
Default-Rule-System- Event True Rule ensures that notification events shall be
Notification sent to the notification framework.
Default-Rule-System: System Event True Creates an offense when an event matches a
100% Accurate Events 100% accurate signature for successful
comprises.
Default-Rule-System: System Event False Reports when STRM detects critical event.
Critical System Events
Default-Rule-System: System Event False Reports when an event source has not sent an
Device Stopped event to the system in over 1 hour. Edit this rule
Sending Events to add devices you want to monitor.
Default-Rule-System: System Event False Reports when STRM detects events that
Host Based Failures indicate failures within services or hardware.
Default-Rule-System: System Event True Loads BBs that need to be run to assist with
Load Building Blocks reporting. This rule has no actions or responses.
Default-Rule-Recon: System Event False Reports when as source has 10 system errors
Multiple System Errors within 3 minutes.
Default-Rule-Vulnerabili Compliance Event False Reports when a vulnerability is discovered on a
ties: Vulnerability local host.
Reported by Scanner
Default-Rule-Worms Worms Event False Reports a local host sending more than 20
Detection: Local Mass SMTP flows in 1 minute. This may indicate a
Mailing Host Detected host being used as a spam relay or infected with
a form of mass mailing worm.
Default-Rule-Worms Worms Event True Reports a local host generating reconnaissance
Detection: Possible or suspicious events across a large number of
Local Worm Detected hosts (greater than 300) in 20 minutes. This may
indicate the presence of a worm on the network
or a wide spread scan.
Default-Rule-Worms Worms Event True Reports exploits or worm activity on a system for
Detection: Worm local-to-local or local-to-remote traffic.
Detected (Events)
Default Building Default building blocks for the University template include:
Blocks
Table C-10 Default Building Blocks
Changes made by STRM users are recorded in the audit logs. You can view the
audit logs to monitor changes to STRM and the users who made them.
All audit logs are stored in plain text. The current log file is named audit.log.
Once it reaches 200 MB, the file is compressed and archived as audit.1.gz,
audit.2.gz, and so on, with the number incrementing each time a log file is
archived. STRM stores up to 50 archived log files. Because the logs are plain
text on the local disk, restrict access to them and forward a copy off the
appliance (for example, with syslog forwarding) if you need a record that an
administrator on the box cannot alter.
Logged Actions STRM logs the following categories of actions in the audit log file:
Table D-1 Logged Actions
Category: Action
User Authentication
  Log in to STRM.
  Log out of STRM.
  Deny a login attempt.
Administrator Authentication
  Log in to the STRM Administration Console.
  Log out of the STRM Administration Console.
Session Authentication
  Create a new administration session.
  Terminate an administration session.
  Deny an invalid authentication session.
  Expire a session authentication.
  Create an authentication session.
  Terminate an authentication session.
Ariel
  Add an Ariel property.
  Delete an Ariel property.
  Edit an Ariel property.
  Add an Ariel property extension.
  Delete an Ariel property extension.
  Edit an Ariel property extension.
Root Login
  Log in to STRM as root.
  Log out of STRM as root.
Rules
  Add a rule.
  Delete a rule.
  Edit a rule.
Sentry
  Add a sentry.
  Edit a sentry.
  Delete a sentry.
  Edit a sentry package.
  Edit sentry logic.
User Accounts
  Add an account.
  Edit an account.
  Delete an account.
User Roles
  Add a role.
  Edit a role.
  Delete a role.
Sensor Devices
  Add a sensor device.
  Edit a sensor device.
  Delete a sensor device.
  Add a sensor device group.
  Edit a sensor device group.
  Delete a sensor device group.
  Edit the DSM parsing order.
Sensor Device Extension
  Add a sensor device extension.
  Edit a sensor device extension.
  Delete a sensor device extension.
  Upload a sensor device extension.
  Upload a sensor device extension successfully.
  Upload an invalid sensor device extension.
  Download a sensor device extension.
  Report a sensor device extension.
  Modify a sensor device extension's association to a device or device type.
Protocol Configuration
  Add a protocol configuration.
  Delete a protocol configuration.
  Edit a protocol configuration.
Flow Sources
  Add a flow source.
  Edit a flow source.
  Delete a flow source.
Offense Manager
  Hide an offense.
  Close an offense.
  Close all offenses.
TNC Recommendations
  Create a recommendation.
  Edit a recommendation.
  Delete a recommendation.
Syslog Forwarding
  Add a syslog forwarding destination.
  Delete a syslog forwarding destination.
  Edit a syslog forwarding destination.
Reports
  Add a template.
  Delete a template.
  Edit a template.
  Execute a template.
  Delete a report.
Groups
  Add a group.
  Delete a group.
  Edit a group.
Backup and Recovery
  Edit the configuration.
  Initiate the backup.
  Complete the backup.
  Fail the backup.
  Delete the backup.
  Synchronize the backup.
  Cancel the backup.
  Initiate the restore.
  Upload a backup.
  Upload an invalid backup.
  Delete the backup.
  Purge the backup.
VIS
  Discover a new host.
  Discover a new operating system.
  Discover a new port.
  Discover a new vulnerability.
Scanner
  Add a scanner.
  Delete a scanner.
  Edit a scanner.
Scanner Schedule
  Add a schedule.
  Edit a schedule.
  Delete a schedule.
SIM
  Clean a SIM model.
Asset
  Delete all assets.
QIDmap
  Add a QID map entry.
  Edit a QID map entry.
Ariel Properties
  Add a custom event property.
  Edit a custom event property.
  Delete a custom event property.
Ariel Property Extensions
  Add a custom event property expression.
  Edit a custom event property expression.
  Delete a custom event property expression.
Installation
  Install a .rpm package, such as a DSM update.
License
  Add a license key.
  Edit a license key.
configuring 107
coalescing events 38
command line max matched results 39
components 97
connecting 71
connecting deployments 72
console
settings 45
content capture 98
content filter 105
conventions 1
Custom Views
about 167
Attacker Target Analysis Group 254, 302
creating 168
editing 176
equation
editing 177
equation editor 170
IP Tracking 249, 297
managing 167
operators
editing 178
Policy Violations Group 256, 304
Target Analysis Group 255, 303
Threats Group 250, 298
customer support
contacting 2
D
database settings 38
database storage location 38
delete root mail 37
deploying changes 129
deployment editor 63
about 63
accessing 65
creating your deployment 67
event view 75
flow view 68
preferences 68
requirements 67
system view 82
toolbar 66
using 65
deployment STRM components 97
deployments
connecting 72
device access 20
device management 23
discover servers 223
dynamic custom view deploy interval 38
E
element types 171
enabling and disabling views 178
encryption 72, 75, 80, 81, 83
enterprise template 241
building blocks
default 273, 321
rules
default 259
equation editor 170
element type 171
equations
editing 177
elements 146
objects 146
Event Collector
about 75
configuring 112
Event Processor
about 75
configuring 113
event rule 182
about 182
date/time tests 208
device tests 209
event property tests 195
host profile tests 205
IP/port tests 198
network property tests 193
test 193
event view
about 64
adding components 77
building 75
connecting components 79
renaming components 82
event viewer role 6
external flow sources 117
F
firewall access 20
flow configuration 120
Flow Processor
configuring 101
flow source
about 117
adding 120
alias 124
adding 125
deleting 126
editing 125
deleting 124
editing 122
enabling/disabling 123
external 117
internal 117
managing 117
virtual name 124
flow view
about 64
adding components 69
building 68
components 69, 72, 79
connecting components 71
renaming components 75
Flow Writer
configuring 111
flowlog file 120
functions 181
G
global IPtables access 38
H
hashing
algorithm 40
event log 40
flow log 39
hlocal 137
host
adding 84
host context 64, 94
hremote 137
I
interface roles 23
internal flow sources 117
IP range conversion 105
J
JavaScript 142
J-Flow 119
L
LDAP/Active directory 13
license key
exporting 19
managing 17
logic unit 131, 141
M
Magistrate
about 76
configuring 115
managed host
adding 84
assigning components 93
editing 86
removing 88
set-up 22
maximum real-time results 39
MIB 229
N
NAT
editing 90
enabling 88
removing 91
using with STRM 89
NetFlow 97, 117
Network Address Translation. See NAT
network hierarchy
creating 29
network surveillance role 7
network taps 97
network view graph retention period 38
NTP 27
O
offense management role 6
offense rule
about 182
date/time tests 211
device tests 212
host profile tests 210
IP/port tests 209
offense property tests 212
off-site source 73, 80
off-site target 73, 80
operators
editing 178
P
package 131, 138
creating 138
Packeteer 119
passwords
changing 24
pin 137
plocal 137
ports view 148
pount 137
Q
QFlow Collector
configuring 97
QFlow ID 98
R
RADIUS authentication 12
RDATE 25
recovery 55
reporting max matched results 39
reset SIM 19, 48
resolution interval length 37
restarting STRM 48
retention period
asset profile 39
attacker history 39
custom view 39
device log data 39
flow data 39
identity history 39
offense 38
views
group 38
object 38
role 3
administrator 5
asset management 6
creating 4
editing 8
event viewer 6
managing 3
network surveillance 7
offense management 6
reporting 7
rules 181
copying 215
creating 183
deleting 215
enabling/disabling 183
group 216
assigning 220
copying 218
create 216
deleting 220
editing 218
viewing 182
S
scripts
default sentry 40
list of sentry 40
sentry 131
about 131
database location 40
editing 133
enterprise
defaults 241
logic unit 131
creating 141
editing 144
package 131
creating 138
editing 140
managing 138
properties 40
response queue 40
university
defaults 289
variables 136
viewing 132
sentry database location 38
sentry layers 137
sentry settings 40
servers
discovering 223
services
authorized 51
sFlow 118
SIM
reset 19, 48
SNMP
embedded SNMP agent settings 42
SNMP agent
accessing 19
SNMP settings 41
source
off-site 72, 73, 79, 80
starting STRM 48
stopping STRM 48
storage 110
storage location
asset profile 39
device log 39
flow data 39
store event payload 38
STRM components 97
superflows 101, 104
syslog
forwarding 225
adding 225
deleting 227
editing 226
system authentication 12
system settings 37
configuring 37
system thresholds 42
system time 25
system view
about 64
adding a host 84
assigning components 93
Host Context 94
managed host 93
managing 82
T
TACACS authentication 13
target
off-site 72, 73, 79, 80
templates 132
enterprise 241
university 289
temporary files retention period 37
tests
about 181
thresholds 42
time 25
time limit
command line execution 39
reporting execution 39
web execution 39
TNC recommendation 37
transaction sentry 41
U
university template 289
Update Daemon
configuring 109
user
authentication 12
creating account 10
editing account 11, 12
managing 3
roles 3
user accounts
managing 10
user data files 38
V
views
applications object
editing 155
Applications View 152
adding 153
best practices 180
Custom Views 167
defining unique groups and objects 147
enable and disable 178
ports 148
ports object
adding 148
editing 150
Ports View 148
QFlow Collector object
adding 164
QFlow Collectors 164
Remote Networks 157
Remote Networks object
adding 157
editing 159
Remote Services 160
Remote Services object
adding 161
editing 162
VIS passive host profile interval 37