
Security Threat Response Manager

STRM Administration Guide

Release 2008.3

Juniper Networks, Inc.


1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-028824-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this
document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks
assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has
been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These
specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV
technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

STRM Administration Guide
Release 2008.3

Copyright © 2008, Juniper Networks, Inc.

All rights reserved. Printed in USA.

Revision History

January 2009—Revision 1

The information in this document is current as of the date listed in the revision history.

CONTENTS

ABOUT THIS GUIDE


Audience 1
Conventions 1
Technical Documentation 1
Contacting Customer Support 2

1 MANAGING USERS
Managing Roles 3
Viewing Roles 3
Creating a Role 4
Editing a Role 8
Deleting a Role 9
Managing User Accounts 10
Creating a User Account 10
Editing a User Account 11
Disabling a User Account 12
Authenticating Users 12

2 MANAGING THE SYSTEM


Managing Your License Keys 17
Updating your License Key 17
Exporting Your License Key Information 19
Accessing the Embedded SNMP Agent 19
Configuring Access Settings 20
Configuring Firewall Access 20
Updating Your Host Set-up 22
Configuring Interface Roles 23
Changing Passwords 24
Updating System Time 25

3 SETTING UP STRM
Creating Your Network Hierarchy 29
Considerations 29
Defining Your Network Hierarchy 30
Scheduling Automatic Updates 34
Scheduling Automatic Updates 34
Updating Your Files On-Demand 36
Configuring System Settings 37
Configuring System Notifications 42
Configuring the Console Settings 45
Starting and Stopping STRM 48
Resetting SIM 48

4 MANAGING AUTHORIZED SERVICES


Viewing Authorized Services 51
Adding an Authorized Service 52
Revoking Authorized Services 53

5 MANAGING BACKUP AND RECOVERY


Managing Backup Archives 55
Viewing Back Up Archives 55
Importing an Archive 56
Deleting a Backup Archive 57
Backing Up Your Information 58
Scheduling Your Backup 58
Initiating a Backup 60
Restoring Your Configuration Information 61

6 USING THE DEPLOYMENT EDITOR


About the Deployment Editor 64
Accessing the Deployment Editor 65
Using the Editor 65
Creating Your Deployment 67
Before you Begin 67
Editing Deployment Editor Preferences 68
Building Your Flow View 68
Adding STRM Components 69
Connecting Components 71
Connecting Deployments 72
Renaming Components 75
Building Your Event View 75
Adding Components 77
Connecting Components 79
Forwarding Normalized Events 79
Renaming Components 82
Managing Your System View 82
Setting Up Managed Hosts 83
Using NAT with STRM 89
Configuring a Managed Host 93
Assigning a Component to a Host 93
Configuring Host Context 94
Configuring STRM Components 97
Configuring a Flow Collector 97
Configuring a Flow Processor 101
Configuring a Classification Engine 107
Configuring an Update Daemon 109
Configuring a Flow Writer 111
Configuring an Event Collector 112
Configuring an Event Processor 113
Configuring the Magistrate 115

7 MANAGING FLOW SOURCES


About Flow Sources 117
NetFlow 117
sFlow 118
J-Flow 119
Packeteer 119
Flowlog File 120
Managing Flow Sources 120
Adding a Flow Source 120
Editing a Flow Source 122
Enabling/Disabling a Flow Source 123
Deleting a Flow Source 124
Managing Flow Source Aliases 124
Adding a Flow Source Alias 125
Editing a Flow Source Alias 125
Deleting a Flow Source Alias 126

8 OVERVIEW
About the Interface 127
Accessing the Administration Console 128
Using the Interface 128
Deploying Changes 129

9 MANAGING SENTRIES
About Sentries 131
Viewing Sentries 132
Editing Sentry Details 133
Managing Packages 138
Creating a Sentry Package 138
Editing a Sentry Package 140
Managing Logic Units 141
Creating a Logic Unit 141
Editing a Logic Unit 144

10 MANAGING VIEWS
Using STRM Views 145
About Views 145
About Global Views 146
Defining Unique Objects 147
Managing Ports View 148
Default Ports Views 148
Adding a Ports Object 148
Editing a Ports Object 150
Managing Application Views 152
Default Application Views 152
Adding an Applications Object 153
Editing an Applications Object 155
Managing Remote Networks View 157
Default Remote Networks Views 157
Adding a Remote Networks Object 157
Editing a Remote Networks Object 159
Managing Remote Services Views 160
Default Remote Services Views 160
Adding a Remote Services Object 161
Editing a Remote Services Object 162
Managing Collector Views 164
Adding a Flow Collector Object 164
Editing a Flow Collector Object 165
Managing Custom Views 167
About Custom Views 167
Editing Custom Views 176
Editing the Equation 177
Enabling and Disabling Views 178
Using Best Practices 180

11 CONFIGURING RULES
Viewing Rules 182
Enabling/Disabling Rules 183
Creating a Rule 183
Event Rule Tests 193
Offense Rule Tests 209
Copying a Rule 215
Deleting a Rule 215
Grouping Rules 216
Viewing Groups 216
Creating a Group 216
Editing a Group 218
Copying an Item to Another Group(s) 218
Deleting an Item from a Group 220
Assigning an Item to a Group 220
Editing Building Blocks 220
12 DISCOVERING SERVERS

13 FORWARDING SYSLOG DATA


Adding a Syslog Destination 225
Editing a Syslog Destination 226
Delete a Syslog Destination 227

A JUNIPER NETWORKS MIB

B ENTERPRISE TEMPLATE DEFAULTS


Default Sentries 241
Default Custom Views 249
IP Tracking Group 249
Threats Group 250
Attacker Target Analysis Group 254
Target Analysis Group 255
Policy Violations Group 256
ASN Source Group 257
ASN Destination Group 258
IFIndexIn Group 258
IFIndexOut Group 258
QoS Group 258
Flow Shape Group 258
Default Rules 259
Default Building Blocks 273

C UNIVERSITY TEMPLATE DEFAULTS


Default Sentries 289
Default Custom Views 297
IP Tracking Group 297
Threats Group 298
Attacker Target Analysis Group 302
Target Analysis Group 303
Policy Violations Group 304
ASN Source Group 305
ASN Destination Group 306
IFIndexIn Group 306
IFIndexOut Group 306
QoS Group 306
Flow Shape Group 306
Default Rules 307
Default Building Blocks 321

D VIEWING AUDIT LOGS


Logged Actions 337
Viewing the Log File 341

ABOUT THIS GUIDE

The STRM Administration Guide provides you with information for managing
STRM functionality requiring administrative access.

Audience

This guide is intended for the system administrator responsible for setting up
STRM in your network. This guide assumes that you have STRM administrative
access and a knowledge of your corporate network and networking technologies.

Conventions

Table 1 lists conventions that are used throughout this guide.

Table 1 Icons

• Information note - Information that describes important features or
instructions.
• Caution - Information that alerts you to potential loss of data or potential
damage to an application, system, device, or network.
• Warning - Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes
directly from the Juniper Customer Support web site at
https://www.juniper.net/support. Once you access the Technical Support web site,
locate the product and software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this
guide or any of the Juniper Networks documentation to:

techpubs-comments@juniper.net.

Include the following information with your comments:


• Document title
• Page number


Contacting Customer Support

To help you resolve any issues that you may encounter when installing or
maintaining STRM, you can contact Customer Support as follows:
• Open a support case using the Case Management link at
http://www.juniper.net/support.
• Call 1-888-314-JTAC (from the United States, Canada, or Mexico)
or 1-408-745-9500 (from elsewhere).

1 MANAGING USERS

You can add or remove user accounts for all users that you want to access STRM.
Each user is associated with a role, which determines the privileges the user has
to functionality and information within STRM. You can also restrict or allow access
to areas of the network.

This chapter provides information on managing STRM users including:


• Managing Roles
• Managing User Accounts
• Authenticating Users

Managing Roles

A role must exist before you can create a user account that uses it. By default,
STRM provides the Admin role, which grants access to all areas of STRM.
A user that is assigned administrative privileges (including the default
Admin role) cannot edit their own account. Another administrative user
must make any desired changes.

Using the Administration Console, you can:


• View existing user roles. See Viewing Roles.
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role.
• Delete a role. See Deleting a Role.

Viewing Roles

To view roles:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Roles window appears.


The Manage Roles window provides the following information:

Table 2-1 Manage Roles Parameters

• Role - Specifies the defined user role.
• Devices - Specifies the devices this role can access. This allows you to
restrict or grant access for users assigned to the role to view logs, events,
and offense data received from the assigned security and network devices or
device groups. For non-administrative roles, this column shows a link that
allows an administrative user to edit the permissions for the role. For more
information on editing a user role, see Editing a Role. To view the list of
devices that have been assigned to this role, move your mouse over the text in
the Devices column.
• Associated Users - Specifies the users associated with this role.
• Action - Allows you to edit or delete the user role.

Creating a Role

To create a role:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage User Roles window appears.
Step 3 Click Create Role.
The Manage Permissions window appears.


Step 4 Enter values for the parameters. You must select at least one permission to
proceed.

Table 2-2 Create Roles Parameters

• Role Name - Specify the name of the role. The name can be up to 15
characters in length and must contain only letters and integers.
• Administrator - Select the check box if you want to grant users with this role
administrative access to the STRM interface. Within the Administrator
permission, you can grant additional access to the following:
  • System Administrator - Select this check box if you want to allow users
  access to all areas of STRM except Views. Users with this access are not
  able to edit other administrator accounts.
  • Administrator Manager - Select this check box if you want to allow users
  to create and edit other administrative user accounts. If you select this
  check box, the System Administrator check box is automatically selected.
  • Views Administrator - Select this check box if you want to allow users to
  create, edit, or delete Views, for example, the Application View and the
  Ports View.
• Offense Management - Select the check box if you want to grant users with
this role access to Offense Manager functionality. Within the Offense Manager
functionality, you can grant additional access to the following:
  • Assign Offenses to Users - Select the check box if you want to allow users
  to assign offenses to other users.
  • Customized Rule Creation - Select the check box if you want to allow users
  to create custom rules.
  For more information on the Offense Manager, see the STRM Users Guide.
• Event Viewer - Select the check box if you want users with this role to have
access to the Event Viewer. Within the Event Viewer, you can also grant users
additional access to the following:
  • User Defined Event Properties - Select the check box if you want to allow
  users to create user-defined event properties.
  • Event Search Restrictions Override - Select the check box if you want to
  allow users to override event search restrictions.
  • Customized Rule Creation - Select the check box if you want to allow users
  to create rules using the Event Viewer.
  For more information on the Event Viewer, see the STRM Users Guide.
• Asset Management - Select the check box if you want to grant users with this
role access to Asset Management functionality. Within the Asset Management
functionality, you can grant additional access to the following:
  • Server Discovery - Select the check box if you want to allow users to
  discover servers.
  • View VA Data - Select the check box if you want to allow users access to
  vulnerability assessment data.
  • Perform VA Scans - Select the check box if you want to allow users to
  perform vulnerability assessment scans.
• Network Surveillance - Select the check box if you want to grant users with
this role access to Network Surveillance functionality. Within the Network
Surveillance functionality, you can grant additional access to the following:
  • View Flows - Select the check box if you want to allow users access to
  content captured using the View Flows function.
  • View Flow Content - Select the check box if you want to allow users access
  to data accessed through the View Flow box.
  • View Flows Restrictions Override - Select the check box if you want to
  allow users to override sentry restrictions.
  • Sentry Modification - Select the check box if you want to allow users to
  modify existing sentries.
  For more information, see the STRM Users Guide.
• Reporting - Select the check box if you want to grant users with this role
access to Reporting functionality. Within the Reporting functionality, you can
grant users additional access to the following:
  • Distribute Reports via Email - Select the check box if you want to allow
  users to distribute reports through e-mail.
  • Maintain Templates - Select the check box if you want to allow users to
  maintain reporting templates.
  For more information, see the STRM Users Guide.

Note: Administrator Manager is the only permission that allows a user to create
or edit other administrator accounts, and selecting it also grants System
Administrator. Assign it to as few roles as possible. Event Search Restrictions
Override and View Flows Restrictions Override likewise bypass the per-role
restrictions that Step 7 and the Selected Network Objects step put in place, so
grant them deliberately.

Step 5 Click Next.
Step 6 Choose one of the following options:
a If the role includes the Event Viewer permission, the Select Device Objects
window appears. Go to Step 7.
b If the role does not include the Event Viewer permission, go to Step 10.
Step 7 From the left panel, click a device or device group that you want users assigned to
this role to have access to.
The selected device moves to the Selected Device Objects field.
Step 8 Repeat for all devices.
Step 9 Click Next.
Step 10 Click Return.
Step 11 Close the Manage Roles window.
The STRM Administration Console appears.
Step 12 From the menu, select Configurations > Deploy Configuration Changes.

Editing a Role

To edit a role:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you want to edit, click the edit icon.
The Permissions for Role window appears.
Step 4 Update the permissions (see Table 2-2), as necessary.
Step 5 Click Next.
The Select Device Objects window appears.


Step 6 Update device permissions, as desired:


a To remove a device permission, select the device(s) in the Selected Device
Objects field that you want to remove. Click Remove Selected Devices.
b To add a device permission, select an object you want to add from the left
panel.
Step 7 Repeat for all devices you want to edit for this role.
Step 8 Click Next.
Step 9 Click Return.
Step 10 Click Save.
Step 11 Close the Manage User Roles window.
The STRM Administration Console appears.
Step 12 From the menu, select Configurations > Deploy Configuration Changes.

Deleting a Role

To delete a role:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you want to delete, click the delete icon.
A confirmation window appears.
Step 4 Click Ok.
Step 5 From the menu, select Configurations > Deploy Configuration Changes.


Managing User Accounts

You can create a STRM user account, which allows a user access to selected
network components using the STRM interface. You can also create multiple
accounts for your system that include administrative privileges. Only the main
administrative account, or an account whose role includes the Administrator
Manager permission (see Table 2-2), can create accounts that have administrative
privileges.

You can create and edit user accounts to access STRM including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account

Creating a User Account

To create an account for a STRM user:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click Add.
The User Details window appears.

Step 4 Enter values for the following parameters:

Table 2-3 User Details Parameters

• Username - Specify a username for the new user. The username must not
include spaces or special characters.
• Password - Specify a password for the user to gain access. The password
must be at least five characters in length.
• Confirm Password - Re-enter the password for confirmation.
• Email Address - Specify the user's e-mail address.
• Role - Using the drop-down list box, select the role you want this user to
assume. For information on roles, see Managing Roles. If you select Admin,
this process is complete.

Note: Five characters is the minimum STRM enforces, not a recommended
policy. Choose considerably longer passwords, particularly for accounts with
an administrative role, since these accounts can reach every area of STRM.

Step 5 Click Next.


Step 6 Choose one of the following options:
a If you selected Admin as the user role, go to Step 9.
b If you selected a non-administrative user role, the Selected Network Objects
window appears. Go to Step 7.

Step 7 From the menu tree, select the network objects you want this user to be able to
monitor.
The selected network objects appear in the Selected Network Object panel.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 9 Close the Manage Users window.
The STRM Administration Console appears.

Editing a User Account

To edit a user account:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you want to edit.
The User Details window appears.
Step 4 Update values (see Table 2-3), as necessary.


Step 5 Click Next.
If you are editing a non-administrative user account, the Selected Network Objects
window appears. If you are editing an administrative user account, go to Step 9.
Step 6 From the menu tree, select the network objects you want this user to access.
The selected network objects appear in the Selected Network Object panel.
Step 7 For all network objects you want to remove access, select the object from the
Selected Network Objects panel. Click Remove.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to discard all updates and return to the Manage Users window.
Step 9 Close the Manage Users window.
The STRM Administration Console appears.

Disabling a User Account

To disable a user account:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you want to disable.
The User Details window appears.
Step 4 In the Role drop-down list box, select Disabled.
Step 5 Click Next.
Step 6 Close the Manage Users window.
The STRM Administration Console appears. This user no longer has access to the
STRM interface. If this user attempts to log in to STRM, the following message
appears: This account has been disabled.
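The rules stated in Managing Roles and Managing User Accounts (a role name of up to 15 letters and integers, at least one permission, Administrator Manager implying System Administrator, administrators unable to edit their own account, System Administrators unable to edit other administrator accounts, device objects and network objects limiting non-administrative users, and the Disabled role refusing login) can be written down as an authorization model and checked. The following Python model is an added example for this guide, not STRM code; the class and function names, and the sample users, devices and network objects, are constructed for illustration.

```python
"""Model of the STRM role and user-account rules from this chapter.

Added example, not STRM code: names and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Permission groups from Table 2-2: parent permission -> sub-permissions.
PERMISSION_TREE = {
    "Administrator": {"System Administrator", "Administrator Manager",
                      "Views Administrator"},
    "Offense Management": {"Assign Offenses to Users",
                           "Customized Rule Creation"},
    "Event Viewer": {"User Defined Event Properties",
                     "Event Search Restrictions Override",
                     "Customized Rule Creation"},
    "Asset Management": {"Server Discovery", "View VA Data", "Perform VA Scans"},
    "Network Surveillance": {"View Flows", "View Flow Content",
                             "View Flows Restrictions Override",
                             "Sentry Modification"},
    "Reporting": {"Distribute Reports via Email", "Maintain Templates"},
}


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset            # permission names from Table 2-2
    devices: frozenset = frozenset()  # Selected Device Objects (Event Viewer roles)

    def __post_init__(self):
        # Role Name: up to 15 characters, letters and integers only.
        if not (0 < len(self.name) <= 15 and self.name.isalnum()):
            raise ValueError("role name must be 1-15 letters or integers")
        perms = set(self.permissions)
        if not perms:
            raise ValueError("at least one permission is required")
        # Administrator Manager automatically selects System Administrator.
        if "Administrator Manager" in perms:
            perms.add("System Administrator")
        # A sub-permission is only reachable with its parent check box selected.
        for parent, children in PERMISSION_TREE.items():
            if perms & children:
                perms.add(parent)
        object.__setattr__(self, "permissions", frozenset(perms))

    @property
    def is_admin(self) -> bool:
        return "Administrator" in self.permissions


@dataclass
class User:
    username: str
    role: Optional[Role]                      # None models the Disabled role
    network_objects: frozenset = frozenset()  # Selected Network Objects

    def __post_init__(self):
        # Username must not include spaces or special characters.
        if not self.username.isalnum():
            raise ValueError("username must not include spaces or special characters")


def can_log_in(user: User) -> bool:
    """A disabled account is refused at login."""
    return user.role is not None


def can_view_device(user: User, device: str) -> bool:
    """Event data from a device is visible to administrators, or to an Event
    Viewer role whose Selected Device Objects include the device."""
    if user.role is None:
        return False
    if user.role.is_admin:
        return True
    return "Event Viewer" in user.role.permissions and device in user.role.devices


def can_monitor_network(user: User, network_object: str) -> bool:
    """Non-administrative users see only their Selected Network Objects."""
    if user.role is None:
        return False
    return user.role.is_admin or network_object in user.network_objects


def can_edit_account(actor: User, target: User) -> bool:
    """Administrators cannot edit their own account; editing another
    administrator's account requires Administrator Manager."""
    if actor.role is None or not actor.role.is_admin:
        return False
    if actor.username == target.username:
        return False
    if target.role is not None and target.role.is_admin:
        return "Administrator Manager" in actor.role.permissions
    return True


if __name__ == "__main__":
    admin = User("admin", Role("Admin", frozenset({"Administrator Manager"})))
    analyst = User("alice", Role("Analyst", frozenset({"Event Viewer"}),
                                 frozenset({"fw1"})), frozenset({"DMZ"}))
    print(sorted(admin.role.permissions))
    print(can_view_device(analyst, "fw1"), can_view_device(analyst, "fw2"))
    print(can_edit_account(admin, admin), can_edit_account(admin, analyst))
```

The model makes the least-privilege consequence of the table explicit: a role built from System Administrator alone can manage everything except other administrators, so day-to-day administration does not need Administrator Manager, and a role with only Event Viewer sees nothing from a device that is not in its device list.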

Authenticating Users

You can configure authentication to validate STRM users and passwords. STRM
supports the following user authentication types:
• System Authentication - Users are authenticated locally by STRM. This is the
default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication
Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM
forwards the username and password to the RADIUS server for authentication.
Only the password is obscured, using the shared secret; the username and the
rest of the request are sent in clear text.
• TACACS Authentication - Users are authenticated by a Terminal Access
Controller Access Control System (TACACS) server. When a user attempts to
log in, STRM encrypts the username and password (the entire request body is
obscured using the shared secret) and forwards this information to the
TACACS server for authentication.
• LDAP/Active Directory - Users are authenticated by a Lightweight Directory
Access Protocol (LDAP) server using Kerberos.

If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the
authentication type, you must:
• Configure the authentication server before you configure authentication in
STRM.
• Make sure the server has the appropriate user accounts and privilege levels to
communicate with STRM. See your server documentation for more information.
• Make sure the time of the authentication server is synchronized with the time of
the STRM server. For more information on setting STRM time, see Chapter 3
Setting Up STRM.
• Make sure all users have appropriate user accounts and roles in STRM to allow
authentication with the third-party servers. The external server only verifies the
password; the role of the matching STRM account still determines what the user
can see and do.

Once authentication is configured, a user who enters an invalid username and
password combination sees a message indicating that the login was invalid. If the
user attempts to log in multiple times using invalid information, the user must wait
the configured amount of time before attempting to log in again. For more
information on configuring the Console settings for authentication, see Chapter 3
Setting Up STRM - Configuring the Console Settings. An administrative user can
always access STRM either through the third-party authentication module or by
using the local STRM Admin password. Because the local Admin password remains
valid as a fallback even when an external authentication server is configured, it is
not governed by that server's password policy; keep it strong and tightly held.

To configure authentication:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authentication icon.
The Authentication window appears.

Step 3 From the Authentication Module drop-down list box, select the authentication type
you want to configure.
Step 4 Configure the selected authentication type:
a If you selected System Authentication, go to Step 5.
b If you selected RADIUS Authentication, enter values for the following
parameters:

Table 2-4 RADIUS Parameters

• RADIUS Server - Specify the hostname or IP address of the RADIUS server.
• RADIUS Port - Specify the port of the RADIUS server.
• Authentication Type - Specify the type of authentication you want to perform.
The options are:
  • CHAP (Challenge Handshake Authentication Protocol) - A challenge-response
  method. The password itself is never sent; the client sends an MD5 hash of
  the password combined with a challenge, so the RADIUS server must hold the
  user's password in a recoverable form to verify it.
  • MSCHAP (Microsoft Challenge Handshake Authentication Protocol) -
  Microsoft's variant of CHAP, used to authenticate Windows workstations.
  • ARAP (Apple Remote Access Protocol) - Establishes authentication for
  AppleTalk network traffic.
  • PAP (Password Authentication Protocol) - The client sends the password
  itself. In RADIUS the password attribute is obscured on the wire with the
  shared secret, but the server receives and checks it in clear text.
• Shared Secret - Specify the shared secret that STRM uses to obscure the
password in each RADIUS request and to verify the server's replies. The RADIUS
server must be configured with the same secret.

c If you selected TACACS Authentication, enter values for the following
parameters:

Table 2-5 TACACS Parameters

• TACACS Server - Specify the hostname or IP address of the TACACS server.
• TACACS Port - Specify the port of the TACACS server.
• Authentication Type - Specify the type of authentication you want to perform.
The options are:
  • ASCII - Interactive login; the TACACS server prompts for the username and
  password.
  • PAP (Password Authentication Protocol) - The client sends the password
  itself. The whole TACACS request body is obscured with the shared secret, so
  it is not readable on the wire, but the server checks it in clear text.
  • CHAP (Challenge Handshake Authentication Protocol) - A challenge-response
  method; the client sends an MD5 hash of the password and a challenge rather
  than the password itself.
  • MSCHAP (Microsoft Challenge Handshake Authentication Protocol) -
  Microsoft's variant of CHAP, used to authenticate Windows workstations.
  • MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol
  version 2) - Authenticates Windows workstations using mutual
  authentication, so the client also verifies the server.
  • EAPMD5 (Extensible Authentication Protocol using MD5) - Carries a
  CHAP-style MD5 challenge-response inside EAP.
• Shared Secret - Specify the shared secret that STRM uses to obscure the body
of each TACACS request before sending it to the TACACS server. The server must
be configured with the same secret.
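The authentication-type bullets above and Tables 2-4 and 2-5 state that a RADIUS exchange protects only the password while a TACACS exchange protects the whole request. The following Python example, added here and not part of STRM or this guide, builds the requests the way RFC 2865 (RADIUS User-Password hiding and the CHAP-Password attribute), RFC 1994 (CHAP) and RFC 8907 (TACACS+ body obfuscation) define them, and reports which credential fields stay readable on the wire. It assumes STRM's TACACS support speaks the TACACS+ protocol, and every username, password, shared secret and authenticator in it is a constructed sample value.

```python
"""What the shared secret protects on the wire: RADIUS vs. TACACS+.

Added example, not STRM code. Layouts follow RFC 2865, RFC 1994 and
RFC 8907; all credentials, secrets and authenticators are constructed.
"""
import hashlib
import struct


# ---- RADIUS (RFC 2865) ----------------------------------------------------

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator.
    Only this one attribute is protected, and only by reversible obfuscation."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same operation: anyone holding the secret can do this."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: id + MD5(id + secret + challenge). The password never
    crosses the wire, but the server must store it recoverably to verify."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def radius_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Code 1 = Access-Request; header is code, id, length, 16-byte authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def build_pap_request(username, password, secret, authenticator, identifier=1):
    return radius_access_request(identifier, authenticator, [
        radius_attr(1, username),                                              # User-Name
        radius_attr(2, radius_hide_password(password, secret, authenticator)),  # User-Password
    ])


def build_chap_request(username, password, challenge, authenticator, chap_id=7, identifier=2):
    return radius_access_request(identifier, authenticator, [
        radius_attr(1, username),                                     # User-Name
        radius_attr(3, chap_response(chap_id, password, challenge)),  # CHAP-Password
        radius_attr(60, challenge),                                   # CHAP-Challenge
    ])


# ---- TACACS+ (RFC 8907) ---------------------------------------------------

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: XOR the entire packet body with an MD5 keystream derived
    from session id, shared key, version and sequence number. The same call
    reverses it. Every field, the username included, is covered."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = bytearray(), b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start_pap(username: bytes, password: bytes,
                            port: bytes = b"tty0", rem_addr: bytes = b"10.0.0.5") -> bytes:
    """Authentication START body for a PAP login (RFC 8907 5.1); the
    password travels in the data field."""
    login, priv_lvl, authen_type_pap, svc_login = 1, 1, 2, 1
    return (struct.pack("!8B", login, priv_lvl, authen_type_pap, svc_login,
                        len(username), len(port), len(rem_addr), len(password))
            + username + port + rem_addr + password)


def credential_exposure(username: bytes, password: bytes, secret: bytes,
                        authenticator: bytes, session_id: int) -> dict:
    """Which credential fields remain readable in each protocol's request."""
    radius = build_pap_request(username, password, secret, authenticator)
    # version 0xC1: major 0xC, minor 1 (used for PAP/CHAP/MS-CHAP logins)
    tacacs = tacacs_obfuscate(tacacs_authen_start_pap(username, password),
                              secret, session_id, 0xC1, 1)
    return {
        "radius_username_readable": username in radius,
        "radius_password_readable": password in radius,
        "tacacs_username_readable": username in tacacs,
        "tacacs_password_readable": password in tacacs,
    }


if __name__ == "__main__":
    auth = bytes(range(16))  # a real client uses 16 random bytes per request
    print(credential_exposure(b"alice", b"s3cret-pass", b"shared-secret", auth, 0x12345678))
```

The RADIUS result is the reason the shared secret alone does not make the Console-to-RADIUS link confidential: the username and every other attribute are readable, and the password hiding is reversed by anyone who learns the secret, so the authentication server belongs on a protected management network. The CHAP request shows the trade-off in the other direction: no password on the wire, but the server must keep it in recoverable form.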


d If you selected LDAP/Active Directory, enter values for the following
parameters:

Table 2-6 LDAP/Active Directory Parameters

• Server URL - Specify the URL used to connect to the LDAP server. For
example, ldap://<host>:<port>
• LDAP Context - Specify the LDAP context you want to use, for example,
DC=Q1LABS,DC=INC.
• LDAP Domain - Specify the domain you want to use, for example q1labs.inc

Note: An ldap:// URL denotes a connection without transport encryption. Confirm
with your directory administrator how the link between STRM and the directory
server is protected before relying on it for authentication.

Step 5 Click Save.


2 MANAGING THE SYSTEM

This chapter provides information for managing your system including:


• Managing Your License Keys
• Accessing the Embedded SNMP Agent
• Configuring Access Settings

Managing Your License Keys

For your STRM Console, a default license key provides you access to the interface
for 5 weeks. You must manage your license key using the System Management
window in the STRM Administration Console. This interface provides the status of
the license key for each system (host) in your deployment including:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see
Updating your License Key.
• Override Console License - This host is using the Console license key. You
can use the Console key or apply a license key for this system. If you want to
use the Console license for any system in your deployment, click Default
License in the Manage License window. The license for that system will default
to the Console license key.

This section provides information on managing your license keys including:


• Updating your License Key
• Exporting Your License Key Information

Updating your License Key

For your STRM Console, a default license key provides you access to the interface
for 5 weeks. Choose one of the following options for assistance with your license
key:
• For a new or updated license key, please contact your local sales
representative.
• For all other technical issues, please contact Juniper Networks Customer
Support.

If you log in to STRM and your Console license key has expired, you are
automatically directed to the System Management window. You must update the
license key before you can continue. However, if one of your non-Console systems
has an expired license key, a message appears when you log in indicating that a
system requires a new license key. You must navigate to the System Management
window to update that license key.

To update your license key:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears providing a list of all hosts in your
deployment.
Step 3 For the host on which you want to update the license key, click the value that
appears in the License column.
Note: If you update the license key for your Console, all systems in your
deployment default to the Console license key at that time.
The Current License Details window appears.
Step 4 Click Browse beside the New License Key File and locate the license key.

Step 5 Once you locate and select the license key, click Open.
The Current License Details window appears.
Step 6 Click Save.
A message appears indicating the license key was successfully updated.


Note: If you want to revert back to the previous license key, click Revert to
Deployed. If you revert to the license key used by the STRM Console system,
click Revert to Console.
Step 7 Close the license key window.
The Administration Console appears.
Step 8 From the menu, select Configurations > Deploy All.
The license key information is updated in your deployment.

Exporting Your License Key Information

To export your license key information for all systems in your deployment:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears providing a list of all hosts in your
deployment.

Step 3 Click Export Licenses.


The export window appears.
Step 4 Select one of the following options:
• Open - Opens the license key data in an Excel spreadsheet.
• Save - Allows you to save the file to your desktop.
Step 5 Click OK.

Accessing the Embedded SNMP Agent

To access the SNMP agent:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.

Step 3 In the View Agent column, click View Agent for the SNMP agent you want to
access.
The SNMP Agent appears.

Configuring Access Settings

The System Configuration tab provides access to the web-based system
administration interface, which allows you to configure firewall rules, interface
roles, passwords, and system time. This section includes:
• Firewall access. See Configuring Firewall Access.
• Update your host set-up. See Updating Your Host Set-up.
• Configure the interface roles for a host. See Configuring Interface Roles.
• Change the password for a host. See Changing Passwords.
• Update the system time. See Updating System Time.

Configuring Firewall Access

You can configure local firewall access to enable communications between
devices and STRM. Also, you can define access to the web-based system
administration interface.

To enable STRM managed hosts to access specific devices or interfaces:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host on which you want to configure firewall access, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > Local Firewall.
The Local Firewall window appears.

Step 6 In the Device Access box, you must include any STRM systems you want to have
access to this managed host. Only managed hosts listed will have access. For
example, if you enter one IP address, only that one IP address will be granted
access to the managed host. All other managed hosts are blocked.
To configure access:
a In the IP Address field, enter the IP address of the managed host you want to
have access.
b From the Protocol list box, select the protocol you want to enable access for the
specified IP address and port:
- UDP - Allows UDP traffic.
- TCP - Allows TCP traffic.
- Any - Allows any traffic.
c In the Port field, enter the port on which you want to enable communications.
Note: If you change your External Flow Source Monitoring Port parameter in the
QFlow Configuration, you must also update your firewall access configuration.
d Click Allow.
Step 7 In the System Administration Web Control box, in the IP Address field, enter the
IP addresses of the managed hosts that you want to allow to access the web-based
system administration interface. Only the IP addresses listed will have access to
the interface. If you leave the field blank, all IP addresses will have access. Click
Allow.
Note: Make sure you include the IP address of your client desktop you want to
access the interface. Failing to do so may affect connectivity.

Step 8 Click Apply Access Controls.


Step 9 Wait for the interface to refresh before continuing.

Updating Your Host Set-up

You can use the web-based system administration interface to configure the mail
server you want STRM to use, the global password for STRM configuration, and
the IP address for the STRM Console.

To configure your host set-up:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host whose set-up you want to update, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > STRM Setup.
The STRM Setup window appears.

Step 6 You must enable communications between the STRM Console and the current
host. In the Enter the IP address of the STRM console field, enter the IP address
of the managed host operating the STRM Console.
Step 7 In the Mail Server field, specify the address for the mail server you want STRM to
use. STRM uses this mail server to distribute alerts and event messages. To use
the mail server provided with STRM, enter localhost.

Step 8 In the Enter the global configuration password field, enter the password you
want to use to access the host. Confirm the entered password.
Note: The global configuration password must be the same throughout your
deployment. If you edit this password, you must also edit the global configuration
password on all systems in your deployment.
Step 9 In the Enter the web address of the console field, enter the IP address of the
managed host operating the STRM Console.
Step 10 Click Apply Configuration.

Configuring Interface Roles

You can assign specific roles to the network interfaces on each managed host.

To assign roles:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host on which you want to configure interface roles, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > Network Interfaces.
The Network Interfaces window appears with a list of each interface on your
managed host.
Note: For assistance with determining the appropriate role for each interface,
please contact Juniper Networks Customer Support.

Step 6 For each interface listed, select the role you want to assign to the interface using
the Role list box.
Step 7 Click Save Configuration.
Step 8 Wait for the interface to refresh before continuing.

Changing Passwords

To change the passwords:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host on which you want to change passwords, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > Root Password.
The Root Passwords window appears.

Step 6 Update the passwords and confirm:


Note: Make sure you record the entered values.
• New Root Password - Specify the root password necessary to access the
web-based system administration interface.
• Confirm New Root Password - Re-enter the password for confirmation.
Step 7 Click Update Password.

Updating System Time

You are able to change the time for the following options:
• System time
• Hardware time
• Time Zone
• Time Server

Note: All system time changes must be made within the System Time window. You
must change the system time information on the host operating the Console only.
The change is then distributed to all managed hosts in your deployment.

You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Configuring Time Settings For Your System

Configuring Your Time Server Using RDATE


To update the time settings using RDATE:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host on which you want to configure time, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > System Time.
The System Time window appears.

Caution: The time settings window is divided into four sections. You must save
each setting before continuing. For example, when you configure System Time,
you must click Apply within the System Time section before continuing.

Step 6 In the Time Zone box, select the time zone in which this managed host is located
using the Change timezone to list box. Click Save.
Step 7 In the Time Server box, you must specify the following options:
• Timeserver hostnames or addresses - Specify the time server hostname or
IP address.
• Set hardware time too - Select the check box if you want to set the hardware
time as well.
• Synchronize on schedule? - Specify one of the following options:
- No - Select the option if you do not want to synchronize the time specified in
the Run at selected time below options. Go to Step 8.
- Yes - Select the option if you want to synchronize the time. See options
below.
• Simple Schedule - Specify if you want the time update to occur at a specific
time. If not, select the Run at times selected below option.
• Times and dates are selected below - Specify the time you want the time
update to occur.
Step 8 Click Sync and Apply.

Configuring Time Settings For Your System


To update the time settings for your system:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host on which you want to configure time, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > System Time.
The System Time window appears.

Caution: The time settings window is divided into four sections. You must save
each setting before continuing. For example, when you configure System Time,
you must click Apply within the System Time section before continuing.

Step 6 In the Time Zone box, select the time zone in which this managed host is located
using the Change timezone to list box. Click Save.
Step 7 In the System Time box, you must specify the current date and time you want to
assign to the managed host. Click Apply.
If you want to set the System Time to the same as the Hardware time, click Set
system time to hardware time.
Step 8 In the Hardware Time box, you must specify the current date and time you want to
assign to the managed host. Click Save.
If you want to set the Hardware Time to the same as the System Time, click Set
hardware time to system time.


3 SETTING UP STRM

This chapter provides information on setting up STRM including:


• Creating Your Network Hierarchy
• Scheduling Automatic Updates
• Configuring System Settings
• Configuring System Notifications
• Configuring the Console Settings
• Starting and Stopping STRM
• Resetting SIM

Creating Your Network Hierarchy

STRM uses the network hierarchy to understand your network traffic and provide
you with the ability to view network activity for your entire deployment.

When you develop your network hierarchy, you should consider the most effective
method for viewing network activity. Note that the network you configure in STRM
does not have to resemble the physical deployment of your network. STRM
supports any network hierarchy that can be defined by a range of IP addresses.
You can create your network based on many different variables, including
geographical or business units.

Considerations

Consider the following when defining your network hierarchy:


• Group together systems and user groups that have similar behavior. This
provides you with a clear view of your network.
• Create multiple top-level groups if your deployment is processing more than
600,000 flows.
• Organize your systems/network by role or similar traffic patterns. For example,
mail servers, departmental users, labs, development groups, or geographically
dispersed locations. This allows you to differentiate network behavior and
enforce network management security policies.
• Do not group together servers that have unique behavior with other servers on
your network. For example, placing a unique server alone gives the server
greater visibility in STRM, allowing you to enact specific policies.

• Within a group, place servers with high volumes of traffic, such as mail servers,
at the top of the group. This provides you a clear visual representation when a
discrepancy occurs. We recommend that you extend this practice to all views.
• Combine multiple Classless Inter-Domain Routing (CIDR) ranges or subnets into a
single network/group to conserve disk space. For example:

Group   Description        IP Address
1       Marketing          10.10.5.0/24
2       Sales              10.10.8.0/21
3       Database Cluster   10.10.1.3/32
                           10.10.1.4/32
                           10.10.1.5/32

Note: We recommend that you do not configure a network group with more than 15
objects. This may cause you difficulty in viewing detailed information for each
group.

You may also want to define an all-encompassing group so that when you define new
networks, the appropriate policies and behavioral monitors are applied. For
example:

Group       Subgroup              IP Address
Cleveland   Cleveland misc        10.10.0.0/16
Cleveland   Cleveland Sales       10.10.8.0/21
Cleveland   Cleveland Marketing   10.10.1.0/24

If you add a new network to the above example, such as 10.10.50.0/24, which is
an HR department, the traffic appears as Cleveland-based and any policies or
sentries applied to the Cleveland group are applied by default.

Defining Your Network Hierarchy

To define your network hierarchy:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Network Hierarchy icon.
The Network Views window appears.

Step 3 From the menu tree, select the areas of the network you want to add a network
component.
The Manage Group window appears for the selected network component.
Step 4 Click Add.
The Add Network Object window appears.

Step 5 Enter your network object values:

Table 4-1 Add New Object Parameters

Group: Specify the group for the new network object. Click Add Group to specify
the group.
Name: Specify the name for the object.
Weight: Specify the weight of the object. The range is 0 to 100 and indicates the
importance of the object in the system.
IP/CIDR(s): Specify the CIDR range(s) for this object. For more information on
CIDR values, see Accepted CIDR Values.
Description: Specify a description for this network object.
Color: Specify a color for this object.
Database Length: Specify the database length.

Step 6 Click Save.


Step 7 Repeat for all network objects.
Step 8 Click Re-Order.
The Reorder Group window appears.
Step 9 Order the network objects in the desired order.
Step 10 Click Save.

Note: We recommend adding key servers as individual objects and grouping other
major but related servers into multi-CIDR objects.

Accepted CIDR Values


The following table provides a list of the CIDR values that STRM accepts:
Table 4-2 Accepted CIDR Values

CIDR Length   Mask               Number of Networks   Hosts
/1            128.0.0.0          128 A                2,147,483,392
/2            192.0.0.0          64 A                 1,073,741,696
/3            224.0.0.0          32 A                 536,870,848
/4            240.0.0.0          16 A                 268,435,424
/5            248.0.0.0          8 A                  134,217,712
/6            252.0.0.0          4 A                  67,108,856
/7            254.0.0.0          2 A                  33,554,428
/8            255.0.0.0          1 A                  16,777,214
/9            255.128.0.0        128 B                8,388,352
/10           255.192.0.0        64 B                 4,194,176
/11           255.224.0.0        32 B                 2,097,088
/12           255.240.0.0        16 B                 1,048,544
/13           255.248.0.0        8 B                  524,272
/14           255.252.0.0        4 B                  262,136
/15           255.254.0.0        2 B                  131,068
/16           255.255.0.0        1 B                  65,534
/17           255.255.128.0      128 C                32,512
/18           255.255.192.0      64 C                 16,256
/19           255.255.224.0      32 C                 8,128
/20           255.255.240.0      16 C                 4,064
/21           255.255.248.0      8 C                  2,032
/22           255.255.252.0      4 C                  1,016
/23           255.255.254.0      2 C                  508
/24           255.255.255.0      1 C                  254
/25           255.255.255.128    2 subnets            124
/26           255.255.255.192    4 subnets            62
/27           255.255.255.224    8 subnets            30
/28           255.255.255.240    16 subnets           14
/29           255.255.255.248    32 subnets           6
/30           255.255.255.252    64 subnets           2
/31           255.255.255.254    none                 none
/32           255.255.255.255    1/256 C              1

A network is called a supernet when the prefix boundary contains fewer bits than
the network's natural (that is, classful) mask. A network is called a subnet when
the prefix boundary contains more bits than the network's natural mask. For
example:
• 209.60.128.0 is a class C network address with a natural mask of /24.
• 209.60.128.0 /22 is a supernet that yields:
  209.60.128.0 /24
  209.60.129.0 /24
  209.60.130.0 /24
  209.60.131.0 /24
• 192.0.0.0 /25
  Subnet   Host Range
  0        192.0.0.1 - 192.0.0.126
  1        192.0.0.129 - 192.0.0.254
• 192.0.0.0 /26
  Subnet   Host Range
  0        192.0.0.1 - 192.0.0.62
  1        192.0.0.65 - 192.0.0.126
  2        192.0.0.129 - 192.0.0.190
  3        192.0.0.193 - 192.0.0.254
• 192.0.0.0 /27
  Subnet   Host Range
  0        192.0.0.1 - 192.0.0.30
  1        192.0.0.33 - 192.0.0.62
  2        192.0.0.65 - 192.0.0.94
  3        192.0.0.97 - 192.0.0.126
  4        192.0.0.129 - 192.0.0.158
  5        192.0.0.161 - 192.0.0.190
  6        192.0.0.193 - 192.0.0.222
  7        192.0.0.225 - 192.0.0.254
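As an added worked example (not code from the guide or from the STRM product), the following Python derives the Table 4-2 columns and the supernet/subnet splits above from the prefix length alone, using only the standard library; treating first octets of 224 and above as class C is an assumption made for illustration.

```python
"""Worked CIDR arithmetic for the network hierarchy examples in this chapter.
Added example, not code from the STRM product or the guide itself."""
import ipaddress
from typing import List, Tuple

# Classful (natural) prefix lengths by first-octet range, as used by Table 4-2:
# (exclusive upper bound of first octet, natural prefix length, class letter).
_NATURAL_PREFIXES = ((128, 8, "A"), (192, 16, "B"), (224, 24, "C"))


def natural_prefix(address: str) -> Tuple[int, str]:
    """Return (natural prefix length, class letter) of an IPv4 address.
    First octets of 224 and above (class D/E) are treated as /24 here;
    that is an assumption for illustration only."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    for upper, prefix, letter in _NATURAL_PREFIXES:
        if first_octet < upper:
            return prefix, letter
    return 24, "C"


def classify(cidr: str) -> str:
    """'supernet' if the prefix is shorter than the natural mask, 'subnet' if
    it is longer, 'natural' if equal (the definitions given in the guide)."""
    net = ipaddress.ip_network(cidr, strict=False)
    natural, _ = natural_prefix(str(net.network_address))
    if net.prefixlen < natural:
        return "supernet"
    if net.prefixlen > natural:
        return "subnet"
    return "natural"


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-decimal mask for /prefix_len, e.g. 21 -> '255.255.248.0'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def table_row(prefix_len: int) -> Tuple[str, str, str, int]:
    """Reproduce one row of Table 4-2 as (length, mask, networks, hosts).
    For /1-/24 the Hosts column counts usable hosts across every classful
    network covered (each loses its network and broadcast address), which is
    why /1 gives 2,147,483,392 rather than 2**31 - 2. For /25-/30 it is the
    usable hosts in ONE subnet of a class C; /31 has none and /32 is one host."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be 1..32")
    mask = prefix_to_mask(prefix_len)
    if prefix_len <= 24:
        natural, letter = next(
            (p, c) for _, p, c in _NATURAL_PREFIXES if prefix_len <= p)
        count = 2 ** (natural - prefix_len)
        hosts = count * (2 ** (32 - natural) - 2)
        return f"/{prefix_len}", mask, f"{count} {letter}", hosts
    if prefix_len <= 30:
        subnets = 2 ** (prefix_len - 24)
        return f"/{prefix_len}", mask, f"{subnets} subnets", 2 ** (32 - prefix_len) - 2
    if prefix_len == 31:
        return "/31", mask, "none", 0
    return "/32", mask, "1/256 C", 1


def split_network(cidr: str, new_prefix: int) -> List[Tuple[int, str, str]]:
    """Divide cidr into /new_prefix subnets and list (index, first host,
    last host), as the 192.0.0.0 /25, /26 and /27 examples do.
    Only prefixes up to /30 have a usable host range, so longer ones are rejected."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not net.prefixlen < new_prefix <= 30:
        raise ValueError("new_prefix must be longer than the network's and at most /30")
    return [
        (i, str(sub.network_address + 1), str(sub.broadcast_address - 1))
        for i, sub in enumerate(net.subnets(new_prefix=new_prefix))
    ]


def supernet_members(cidr: str) -> List[str]:
    """The natural-mask networks aggregated by a supernet, e.g.
    209.60.128.0/22 -> the four class C /24 networks it covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    natural, _ = natural_prefix(str(net.network_address))
    if net.prefixlen >= natural:
        return [str(net)]
    return [str(sub) for sub in net.subnets(new_prefix=natural)]


if __name__ == "__main__":
    for n in (1, 13, 21, 24, 26, 31, 32):
        print(table_row(n))
    print(classify("209.60.128.0/22"), supernet_members("209.60.128.0/22"))
    for row in split_network("192.0.0.0/24", 26):
        print(row)
```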

Scheduling Automatic Updates

STRM uses system configuration files to provide useful characterizations of
network data flows. You can update your configuration files automatically or
manually using the STRM interface to make sure your configuration files contain
the latest network security information. The updates, located on the Technical
Support web site, include threats, vulnerabilities, and geographic information from
various security-related web sites. The managed host must be connected to the
Internet to receive the updates.

Note: We do not guarantee the accuracy of the third-party information contained
on the above-mentioned web sites.

STRM allows you to either replace your existing configuration files or integrate the
updates with your existing files to maintain the integrity of your current
configuration and information.

You can also update the configuration files for all systems in your STRM
deployment. However, the views must already be created in your deployment
editor. For more information, see Chapter 6 Using the Deployment Editor.

Caution: Failing to build your deployment map before you configure automatic or
manual updates results in your remote systems not being updated.

Scheduling Automatic Updates

To schedule automatic updates:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Auto Update icon.
The Auto-Update Configuration window appears.

Step 3 In the Update Method list box, select the method you want to use for updating your
files:
• Auto Integrate - Integrates the new configuration files with your existing files to
maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new
configuration files.
Step 4 By default, all views are updated. To prevent views from being updated, select the
check box(es) in the Protected Views section for the views you do not want to
update with the new configuration files. The configuration files for the selected
views are not updated.
Step 5 Schedule automatic updates:
a Select the Schedule Autoupdates check box to enable automatic updates
based on the frequency configured in the next step.
b In the Frequency list boxes, select the frequency of the automatic updates. You
must select the frequency (Monthly, Daily, Weekly), date, and time. You must
select the Schedule Autoupdates check box to save the configured frequency.
Otherwise, the frequency defaults to weekly.
Step 6 Click Save.
Step 7 From the menu, select Configurations > Deploy Configuration Changes.
The updates are enforced through your deployment.

Note: STRM automatic updates are not enforced through your deployment
automatically. After each automatic update, you must log in to STRM and, from the
Administration Console menu, select Configurations > Deploy Configuration
Changes.

Updating Your Files On-Demand

You can update your files, whenever necessary, using the Auto-Update window.
To update your files:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Auto Update icon.
The Auto-Update Configuration window appears.
Step 3 In the Update Method list box, select the method you want to use for updating your
files:
• Auto Integrate - Integrates the new configuration files with your existing files to
maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new
configuration files.
Step 4 In the Protected Views section, select the check box(es) for the views you do not
want to update with the new configuration files. The configuration files for the
selected views are not updated.
Step 5 Click Save and Update Now.
Your views are updated.
Step 6 From the menu, select Configurations > Deploy Configuration Changes.
The updates are enforced through your deployment.

Configuring System Settings

Using the Administration Console, you can configure the system, database, and
sentry settings.

To configure system settings:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Settings icon.
The System Settings window appears.
Step 3 Enter values for the parameters:

Table 4-3 System Settings Parameters

Settings
Administrative Email Address: Specify the e-mail address of the designated system
administrator. The default is root@localhost.
Alert Email From Address: Specify the e-mail address from which you want to
receive e-mail alerts.
Resolution Interval Length: Specify the interval length, in minutes. The default is
1 minute.
Delete Root Mail: Root mail is the default location for host context messages.
Specify one of the following:
• Yes - Delete the local administrator e-mail. This is the default.
• No - Do not delete local administrator e-mail.
Temporary Files Retention Period: Specify the time period the system stores
temporary files. The default is 6 hours.
Asset Profile Reporting Interval: Specify the interval, in seconds, that the
database stores new asset profile information. The default is 900 seconds.
Asset Profile Views: Specify the views you want the system to use when
accumulating asset profile data.
VIS Passive Asset Profile Interval: Specify the interval, in seconds, that the
database stores all passive asset profile information. The default is 86,400
seconds.
Audit Log Enable: Enables or disables the ability to collect audit logs. You can
view audit log information using the Event Viewer. The default is Yes.
TNC Recommendation Enable: Trusted Network Computing (TNC) recommendations enable
you to restrict or deny access to the network based on user name or other
credentials. Specify one of the following:
• Yes - Enables the TNC recommendation functionality.
• No - Disables the TNC recommendation functionality.

Coalescing Events: Enables or disables the ability for a sensor device to coalesce
(bundle) events. This value applies to all sensor devices. However, if you want to
alter this value for a specific sensor device, edit the Coalescing Event parameter
in the sensor device configuration. For more information, see the Managing Sensor
Devices Guide. The default is Yes.
Store Event Payload: Enables or disables the ability for a sensor device to store
event payload information. This value applies to all sensor devices. However, if
you want to alter this value for a specific sensor device, edit the Event Payload
parameter in the sensor device configuration. For more information, see the
Managing Sensor Devices Guide. The default is Yes.
Global Iptables Access: Specify the IP address of a non-Console system that does
not have an iptables configuration and to which you want to enable direct access.
To enter multiple systems, enter a comma-separated list of IP addresses.
Dynamic Custom View Deploy Interval: Specify the interval, in seconds, at which
you want to deploy changes for any dynamic custom view, such as ASN or ifIndex
views. When the Classification Engine collects dynamic view information and
reports it to configuration services, this is the interval at which the
configuration services component deploys the changes. The default is 15 seconds.

Database Settings
User Data Files: Specify the location of the user profiles. The default is
/store/users.
Database Storage Location: Specify the location of the database files. The default
location is /store/db.
Sentry Database Location: Specify the location of the sentry database. The default
is /store/sentry/db.
Network View Graph Retention Period: Using the drop-down list box, select the
period of time you want to store the network view graph information. The default
is 4 weeks.
All Views - Group Database Retention Period: Using the drop-down list box, select
the period of time you want to store the group views information. The default is
1 week.
All Views - Object Database Retention Period: Using the drop-down list box, select
the period of time you want to store the object views information. The default is
1 week.
Offense Retention Period: Using the drop-down list box, select the period of time
you want to retain offense information. The default is 3 days.

Identity History Retention Period: Using the drop-down list box, select the length
of time you want to store asset profile history records. The default is 1 week.
Attacker History Retention Period: Specify the amount of time that you want to
store the attacker history. The default is 6 months.

Ariel Database Settings
Flow Data Storage Location: Specify the location in which you want to store the
flow log information. The default location is /store/ariel/flows.
Flow Data Retention Period: Specify the period of time you want to store flow
data. The default is 1 week.
Asset Profile Storage Location: Specify the location in which you want to store
the asset profile information. The default location is /store/ariel/hprof.
Asset Profile Retention Period: Specify the period of time, in days, that you want
to store the asset profile information. The default is 30 days.
Device Log Storage Location: Specify the location in which you want to store the
device log information. The default location is /store/ariel/events.
Device Log Data Retention Period: Specify the amount of time that you want to
store the device log data. The default is 30 days.
Custom View Retention Period: Specify the amount of time, in seconds, that you
want to store custom view information. The default is 2,592,000 seconds.
Maximum Real Time Results: Specify the maximum number of results you want to view
in the Event Viewer and Flow Viewer. The default is 10,000.
Reporting Max Matched Results: Specify the maximum number of results you want a
report to return. This value applies to the search results in the Event Viewer
and Flow Viewer. The default is 1,000,000.
Command Line Max Matched Results: Specify the maximum number of results you want
the command line to return. The default is 0.
Web Execution Time Limit: Specify the maximum amount of time, in seconds, you
want a query in the interface to process before a time-out occurs. This value
applies to the search results in the Event Viewer and Flow Viewer. The default is
600 seconds.
Reporting Execution Time Limit: Specify the maximum amount of time, in seconds,
you want a reporting query to process before a time-out occurs. The default is
57,600 seconds.
Command Line Execution Time Limit: Specify the maximum amount of time, in
seconds, you want a query in the command line to process before a time-out
occurs. The default is 0 seconds.
Flow Log Hashing: Enables or disables the ability for STRM to store a hash file
for every stored flow log file. The default is No.

Event Log Hashing: Enables or disables the ability for STRM to store a hash file
for every stored event log file. The default is No.
Hashing Algorithm: You can use a hashing algorithm for database storage and
encryption. You can use one of the following hashing algorithms:
• Message-Digest Hash Algorithm - Transforms digital signatures into shorter
values called Message-Digests (MD).
• Secure Hash Algorithm (SHA) Hash Algorithm - Standard algorithm that creates a
larger (60 bit) MD.
Specify the log hashing algorithm you want to use for your deployment. The
options are:
• MD2 - Algorithm defined by RFC 1319.
• MD5 - Algorithm defined by RFC 1321.
• SHA-1 - Default. Algorithm defined by the Secure Hash Standard (SHS), NIST FIPS
180-1.
• SHA-256 - Algorithm defined by the draft Federal Information Processing Standard
180-2, SHS. SHA-256 is a 255-bit hash algorithm intended to provide 128 bits of
security against attacks.
• SHA-384 - Algorithm defined by the draft Federal Information Processing Standard
180-2, SHS. SHA-384 is a hash algorithm produced by truncating the SHA-512 output.
• SHA-512 - Algorithm defined by the draft Federal Information Processing Standard
180-2, SHS. SHA-512 is a hash algorithm intended to provide 256 bits of security.

Sentry Settings
Alert Directory: Specify the location in which you want to store active alerts
for each user. The default is /store/sentry/alerts.
Default Sentry Scripts: Specify the default sentry scripts you want to execute.
The default is /opt/STRM/triggerbin/system.js.
List of Sentry Scripts: Specify the sentry scripts you want to execute, in order
of execution. Separate each entry with a comma. The default is
system.js,activity_anomaly.js,learn_policy.js,threshold.js,behavioral.js.
Sentry Properties: Specify the sentry properties location. The default is
/store/sentry/persistent_properties.xml.
Sentry Response Queue: Specify the sentry response queue file. The default is
/store/sentry/response_queue.xml.
Sentry Database Location: Specify the location of the sentry database. The default
is /store/sentry/qc_persistentstorage.

Transaction Sentry Settings
Transaction Max Time Limit: A transaction sentry detects unresponsive
applications using transaction analysis. If an unresponsive application is
detected, the transaction sentry attempts to return the application to a
functional state. Using the drop-down list box, select the length of time you
want the system to check for transactional issues in the database. The default
is 10 minutes.
Resolve Transaction on Non-Encrypted Host: Using the drop-down list box, select
whether you want the transaction sentry to resolve all erroneous conditions
detected on the Console or non-encrypted managed hosts. If you select No, the
conditions are detected and logged but you must manually intervene and correct
the error. The default is Yes.
Resolve Transaction on Encrypted Host: Using the drop-down list box, select
whether you want the transaction sentry to resolve all erroneous conditions
detected on the encrypted managed host. If you select No, the conditions are
detected and logged but you must manually intervene and correct the error. The
default is Yes.

SNMP Settings
Enable: Enables or disables Simple Network Management Protocol (SNMP) responses
in the STRM custom rules engine. The default is No, which means you do not want
to accept events using SNMP.
Destination Host: Specify the IP address to which you want to send SNMP
notifications.
Destination Port: Specify the port to which you want to send SNMP notifications.
The default is 162.
Community (V2): Specify the SNMP community, such as public. This parameter only
applies if you are using SNMPv2.
User Name: Specify the name of the user you want to access SNMP-related
properties.
Security Level: Specify the security level for SNMP. The options are:
• NOAUTH_NOPRIV - Indicates no authorization and no privacy. This is the default.
• AUTH_NOPRIV - Indicates authorization is permitted but no privacy.
• AUTH_PRIV - Allows authorization and privacy.
Authentication Protocol: Specify the algorithm you want to use to authenticate
SNMP traps.

Authentication Password - Specify the password you want to use to authenticate SNMP.
Privacy Protocol - Specify the protocol you want to use to decrypt SNMP traps.
Privacy Password - Specify the password used to decrypt SNMP traps.
Embedded SNMP Agent Settings
Enabled - Enables or disables access to data from the SNMP Agent using SNMP requests. The default is No.
Community String - Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2 and SNMPv3.
IP Access List - Specify the systems that can access data from the SNMP agent using SNMP requests. If the Enabled option is set to Yes, this option is enforced.

Step 4 Click Save.


The STRM Administration Console appears.
Step 5 From the menu, select Configurations > Deploy All.

Configuring System Notifications
You can configure system performance alerts for thresholds using the STRM Administration Console. This section provides information for configuring your system thresholds.

To configure system thresholds:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Global System Notifications icon.
The Global System Notifications window appears.
Step 3 Enter values for the parameters. For each parameter, you must select the following
options:
• Enabled - Select the check box to enable the option.
• Respond if value is - Specify one of the following options:
- Greater Than - An alert occurs if the parameter value exceeds the
configured value.
- Less Than - An alert occurs if the parameter value is less than the
configured value.
• Resolution Message - Specify a description of the preferred resolution to the
alert.

Table 4-4 System Thresholds Parameters

Parameter - Description
User CPU usage - Specify the threshold percentage of user CPU usage.
Nice CPU usage - Specify the threshold percentage of user CPU usage at the nice priority.
System CPU usage - Specify the threshold percentage of CPU usage while operating at the system level.
Idle CPU usage - Specify the threshold percentage of idle CPU time.
Percent idle time - Specify the threshold percentage of idle time.
Run queue length - Specify the threshold number of processes waiting for run time.
Number of processes in the process list - Specify the threshold number of processes in the process list.
System load over 1 minute - Specify the threshold system load average over the last minute.
System load over 5 minutes - Specify the threshold system load average over the last 5 minutes.
System load over 15 minutes - Specify the threshold system load average over the last 15 minutes.
Kilobytes of memory free - Specify the threshold amount, in kilobytes, of free memory.
Kilobytes of memory used - Specify the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel.
Percentage of memory used - Specify the threshold percentage of used memory.
Kilobytes of cached swap memory - Specify the threshold amount of memory, in kilobytes, shared by the system.
Kilobytes of buffered memory - Specify the threshold amount of memory, in kilobytes, used as a buffer by the kernel.
Kilobytes of memory used for disc cache - Specify the threshold amount of memory, in kilobytes, used to cache data by the kernel.
Kilobytes of swap memory free - Specify the threshold amount of free swap memory, in kilobytes.
Kilobytes of swap memory used - Specify the threshold amount, in kilobytes, of used swap memory.
Percentage of swap used - Specify the threshold percentage of used swap space.
Number of interrupts per second - Specify the threshold number of received interrupts per second.
Received packets per second - Specify the threshold number of packets received per second.
Transmitted packets per second - Specify the threshold number of packets transmitted per second.

Received bytes per second - Specify the threshold number of bytes received per second.
Transmitted bytes per second - Specify the threshold number of bytes transmitted per second.
Received compressed packets - Specify the threshold number of compressed packets received per second.
Transmitted compressed packets - Specify the threshold number of compressed packets transmitted per second.
Received multicast packets - Specify the threshold number of multicast packets received per second.
Receive errors - Specify the threshold number of corrupt packets received per second.
Transmit errors - Specify the threshold number of corrupt packets transmitted per second.
Packet collisions - Specify the threshold number of collisions that occur per second while transmitting packets.
Dropped receive packets - Specify the threshold number of received packets that are dropped per second due to a lack of space in the buffers.
Dropped transmit packets - Specify the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers.
Transmit carrier errors - Specify the threshold number of carrier errors that occur per second while transmitting packets.
Receive frame errors - Specify the threshold number of frame alignment errors that occur per second on received packets.
Receive fifo overruns - Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.
Transmit fifo overruns - Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.
Transactions per second - Specify the threshold number of transfers per second sent to the system.
Sectors written per second - Specify the threshold number of sectors transferred to or from the system.

Step 4 Click Save.


The STRM Administration Console appears.
Step 5 From the menu, select Configurations > Deploy Configuration Changes.
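To make the Enabled, Respond if value is and Resolution Message semantics concrete, here is an added example (not STRM's own notification code) that maps constructed /proc/loadavg and /proc/meminfo samples onto the parameter names of Table 4-4 and evaluates a rule set against them; the rule values are illustrative, not STRM defaults.

```python
"""Threshold evaluation in the style of Global System Notifications: each
parameter in Table 4-4 carries Enabled, 'Respond if value is' (Greater Than
or Less Than), a threshold value and a Resolution Message. Added example,
not STRM code; the /proc samples below are constructed."""

GREATER_THAN = "Greater Than"
LESS_THAN = "Less Than"

# Constructed samples in the layout of /proc/loadavg and /proc/meminfo.
SAMPLE_LOADAVG = "6.42 3.10 1.95 3/412 18231"
SAMPLE_MEMINFO = """\
MemTotal:        8164920 kB
MemFree:          412312 kB
Buffers:          118400 kB
Cached:          1952000 kB
SwapTotal:       2097148 kB
SwapFree:         524287 kB
"""


def parse_loadavg(text):
    """Map /proc/loadavg fields onto the Table 4-4 parameter names."""
    one, five, fifteen, queue, _last_pid = text.split()
    running, total = queue.split("/")
    return {
        "System load over 1 minute": float(one),
        "System load over 5 minutes": float(five),
        "System load over 15 minutes": float(fifteen),
        "Run queue length": int(running),
        "Number of processes in the process list": int(total),
    }


def parse_meminfo(text):
    """Map /proc/meminfo lines (values in kB) onto Table 4-4 names.
    'Memory used' is simplified to MemTotal - MemFree here."""
    kb = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if rest:
            kb[key.strip()] = int(rest.split()[0])
    used = kb["MemTotal"] - kb["MemFree"]
    swap_used = kb["SwapTotal"] - kb["SwapFree"]
    return {
        "Kilobytes of memory free": kb["MemFree"],
        "Kilobytes of memory used": used,
        "Percentage of memory used": 100.0 * used / kb["MemTotal"],
        "Kilobytes of buffered memory": kb["Buffers"],
        "Kilobytes of memory used for disc cache": kb["Cached"],
        "Kilobytes of swap memory free": kb["SwapFree"],
        "Kilobytes of swap memory used": swap_used,
        "Percentage of swap used": 100.0 * swap_used / kb["SwapTotal"],
    }


def evaluate(metrics, rules):
    """rules: {parameter: {'enabled', 'respond_if', 'value', 'resolution'}}.
    Returns one alert per enabled parameter whose observed value trips
    its threshold; disabled or unobserved parameters are skipped."""
    alerts = []
    for name, rule in rules.items():
        if not rule["enabled"] or name not in metrics:
            continue
        observed = metrics[name]
        if rule["respond_if"] == GREATER_THAN:
            tripped = observed > rule["value"]
        elif rule["respond_if"] == LESS_THAN:
            tripped = observed < rule["value"]
        else:
            raise ValueError("respond_if must be Greater Than or Less Than")
        if tripped:
            alerts.append({"parameter": name, "observed": observed,
                           "threshold": rule["value"],
                           "resolution": rule["resolution"]})
    return alerts


# Constructed rule set: values are illustrative, not STRM defaults.
SAMPLE_RULES = {
    "System load over 1 minute": {
        "enabled": True, "respond_if": GREATER_THAN, "value": 4.0,
        "resolution": "Check for runaway collectors or a flow storm."},
    "Kilobytes of memory free": {
        "enabled": True, "respond_if": LESS_THAN, "value": 524288,
        "resolution": "Review event retention and process memory."},
    "Percentage of swap used": {
        "enabled": True, "respond_if": GREATER_THAN, "value": 80.0,
        "resolution": "Add memory or reduce concurrent exports."},
    "Run queue length": {
        "enabled": False, "respond_if": GREATER_THAN, "value": 2,
        "resolution": "Disabled, so evaluate() ignores it."},
}


def sample_alerts():
    """Evaluate the constructed rules over the constructed samples."""
    metrics = {**parse_loadavg(SAMPLE_LOADAVG), **parse_meminfo(SAMPLE_MEMINFO)}
    return evaluate(metrics, SAMPLE_RULES)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(f"{alert['parameter']}: {alert['observed']} vs "
              f"{alert['threshold']} -> {alert['resolution']}")
```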


Configuring the Console Settings
The STRM Console provides the interface for STRM. The Console provides real-time views, reports, alerts, and in-depth investigation of flows for network traffic and security threats. You can also use the Console to manage distributed STRM deployments.

You can access the Console from a standard web browser. When you access the
system, a prompt appears for a user name and password, which must be
configured in advance by the STRM administrator. STRM supports the following
web browsers:
• Internet Explorer 6.0 or 7.0
• Mozilla Firefox 3.0

To configure STRM Console settings:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Console icon.
The STRM Console Settings window appears.

Step 3 Enter values for the parameters:

Table 4-5 STRM Console Management Parameters

Parameter - Description
Console Settings
ARP - Safe Interfaces - Specify the interfaces you want to be excluded from ARP resolution activities.
Enable 3D graphs in the user interface - Using the drop-down list box, select one of the following:
• Yes - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 3-dimensional format.
• No - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 2-dimensional format.
Authentication Settings
Persistent Session Timeout (in days) - Specify the length of time, in days, that a user session is persisted. The default is 0, which disables this feature and the remember me option upon login.
Maximum Login Failures - Specify the number of times a login attempt may fail. The default is 5.
Login Failure Attempt Window (in minutes) - Specify the length of time during which the maximum login failures may occur before the system is locked. The default is 10 minutes.
Login Failure Block Time (in minutes) - Specify the length of time that the system is locked if the maximum login failures value is exceeded. The default is 30 minutes.
Login Host Whitelist - Specify a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-separated list.
Inactivity Timeout (in minutes) - Specify the amount of time after which a user is automatically logged out of the system if no activity occurs.
Login Message File - Specify the location and name of a file that includes content you want to appear on the STRM login window. This file may be in text or HTML format and the contents of the file appear below the current login window.

Event Permission Precedence - Using the drop-down list box, specify the level of network permissions you want to assign users. This affects the events that appear in the Event Viewer. The options include:
• Network Only - A user must have access to either the source network or the destination network of the event for the event to appear in the Event Viewer.
• Devices Only - A user must have access to either the device or device group that created the event for the event to appear in the Event Viewer.
• Networks and Devices - A user must have access to both the source or destination network and the device or device group for an event to appear in the Event Viewer.
• None - All events appear in the Event Viewer. Any user with Event Viewer role permissions is able to view all events.
Note: For more information on managing users, see Chapter 1 Managing Users.
DNS Settings
Enable DNS Lookups for Asset Profiles - Enable or disable the ability for STRM to search for DNS information in asset profiles. When enabled, this information is available using the right-mouse button (right-click) on the IP address or host name located in the Host Name (DNS Name) field in the asset profile. The default is False.
Enable DNS Lookups for Host Identity - Enable or disable the ability for STRM to search for host identity information. When enabled, this information is available using the right-mouse button (right-click) on any IP address or asset name in the interface. The default is True.
WINS Settings
WINS Server - Specify the location of the Windows Internet Naming Server (WINS) server.
Reporting Settings
Report Retention Period - Specify the period of time, in days, that you want the system to maintain reports. The default is 30 days.
Data Export Settings
Include Header in CSV Exports - Specify whether you want to include a header in a CSV export file.
Maximum Simultaneous Exports - Specify the maximum number of exports you want to occur at one time.

Step 4 Click Save.

Step 5 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.
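The Authentication Settings in Table 4-5 (Maximum Login Failures, Login Failure Attempt Window, Login Failure Block Time and Login Host Whitelist) combine into a single lockout rule; this added example, not STRM's own code, implements that rule so the interaction of the defaults can be checked. It assumes failures are counted per source host (the table does not say whether STRM keys them by host or by user) and that "exceeded" means the lock trips on the failure after the maximum.

```python
"""Login-failure lockout following the Authentication Settings in Table 4-5:
more than Maximum Login Failures (default 5) inside the Login Failure Attempt
Window (default 10 minutes) locks the source for the Login Failure Block Time
(default 30 minutes); hosts on the Login Host Whitelist are never locked.
Added example, not STRM code. Assumptions: failures are counted per source
host, and 'exceeded' means the lock trips on the failure after the maximum."""
from collections import defaultdict, deque


class LoginFailureTracker:
    def __init__(self, max_failures=5, window_minutes=10, block_minutes=30,
                 whitelist=()):
        self.max_failures = max_failures
        self.window = window_minutes * 60        # seconds
        self.block = block_minutes * 60          # seconds
        self.whitelist = set(whitelist)
        self._failures = defaultdict(deque)      # host -> recent failure times
        self._blocked_until = {}                 # host -> epoch seconds

    def is_blocked(self, host, now):
        """True while `host` is inside its block time."""
        until = self._blocked_until.get(host)
        if until is None:
            return False
        if now >= until:                         # block has lapsed
            del self._blocked_until[host]
            self._failures[host].clear()
            return False
        return True

    def record_failure(self, host, now):
        """Register a failed login from `host` at `now` (epoch seconds).
        Returns True only for the failure that trips the block."""
        if host in self.whitelist or self.is_blocked(host, now):
            return False
        recent = self._failures[host]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                     # outside the attempt window
        if len(recent) > self.max_failures:
            self._blocked_until[host] = now + self.block
            recent.clear()
            return True
        return False

    def record_success(self, host):
        """A successful login resets the failure count for the host."""
        self._failures[host].clear()


if __name__ == "__main__":
    # Constructed whitelist entry and source address for the demonstration.
    tracker = LoginFailureTracker(whitelist=["10.0.0.5"])
    for i in range(6):
        print(i + 1, tracker.record_failure("192.0.2.10", 60 * i))
    print(tracker.is_blocked("192.0.2.10", 400))          # True
    print(tracker.is_blocked("192.0.2.10", 300 + 1800))   # False: block lapsed
```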

Starting and Stopping STRM
To start, stop, or restart STRM:
Step 1 In the main STRM interface, click Config.
The STRM Administration Console appears.
Step 2 From the System menu, select one of the following options:
a STRM Start
b STRM Stop
c STRM Restart

Resetting SIM
Using the Administration Console, you can reset the SIM module, which allows you to remove all offenses, attackers, and target information from the database and the disk. This option is useful after tuning your deployment to avoid receiving any additional false positive information.

To reset the SIM module:


Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Clean SIM Model icon.
The Reset SIM Data Module window appears.

Step 3 Read the information in the window.


Step 4 Select one of the following options:
• Soft Clean - Closes all offenses in the database.

• Hard Clean - Closes all active SIM data including offenses, targets and
attackers.
Step 5 If you want to continue, select the Are you sure you want to reset the data
model? check box.
Step 6 Click Proceed.
A message appears indicating that the SIM reset process has started. This
process may take several minutes, depending on the amount of data in your
system.
Step 7 Once the SIM reset process is complete, reset your browser.
Note: If you attempt to navigate to other areas of the user interface during the SIM
reset process, an error message appears.

4 MANAGING AUTHORIZED SERVICES

You can configure authorized services in the Administration Console to pre-authenticate a customer support service for your STRM deployment. Authenticating a customer support service allows the service to connect to your STRM interface and either dismiss or update notes on an offense using a web service. You can add or revoke an authorized service at any time.

Note: To access the authorized services functionality, a user role must exist with
only the Offense Management check box selected. The Assign Offenses to Users
and the Customized Rule Creation check boxes must be clear. For more
information on creating user roles, see Chapter 4 Managing Users.

This chapter provides information for managing authorized services including:


• Viewing Authorized Services
• Adding an Authorized Service
• Revoking Authorized Services

Viewing Authorized Services
To view authorized services for your STRM deployment:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authorized Services icon.
The Manage Authorized Services window appears providing the following
information:
Table 5-1 Manage Authorized Services Parameters

Parameter - Description
Service Name - Specifies the name of the authorized service.
Authorized By - Specifies the name of the user or administrator that authorized the addition of the service.
Authentication Token - Specifies the token associated with this authorized service.
User Role - Specifies the user role associated with this authorized service.

Created - Specifies the date that this authorized service was created.
Expired - Specifies the date and time that the authorized service will expire. This field also indicates when a service has expired.

Step 3 To select a token from an authorized service, select the appropriate authorized service. The token appears in the Selected Token field in the top bar. This allows you to copy the desired token into your third-party application to authenticate with STRM.

Adding an Authorized Service
To add an authorized service:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authorized Services icon.
The Manage Authorized Services window appears.
Step 3 Click Add Authorized Service.
The Add Authorized Service window appears.

Step 4 Enter values for the parameters:

Table 5-2 Add Authorized Services Parameters

Parameter - Description
Service Name - Specify a name for this authorized service. The name can be up to 255 characters in length.
User Role - Using the drop-down list box, select the user role you want to assign to this authorized service. The user role assigned to an authorized service determines the functionality in the STRM interface this service can access.
Expiry Date - Specify a date you want this service to expire or select the No Expiry check box if you do not want this service to expire. By default, the authorized service is valid for 30 days.

Step 5 Click Create Service.


A confirmation message appears. This message contains a token field that you
must copy into your third-party application to authenticate with STRM. For more
information about setting up your third-party application to integrate with STRM,
contact your system administrator.

Revoking Authorized Services
To revoke an authorized service:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authorized Services icon.
The Manage Authorized Services window appears.
Step 3 Select the service you want to revoke.
Step 4 Click Revoke Authorization.
A confirmation window appears.
Step 5 Click Ok.
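The token lifecycle this chapter describes (issue under a user role, 30-day default expiry or No Expiry, revoke at any time, role limited to Offense Management) as an added example, not the STRM web service itself; it assumes epoch-second timestamps, an in-memory store and a constructed hex token format.

```python
"""Authorized-service tokens as this chapter describes them: a token is issued
for a named service under a user role, is valid for 30 days unless No Expiry
is selected, and can be revoked at any time; the role may grant Offense
Management only. Added example, not STRM's web service: the token format and
the in-memory store are constructed, and times are epoch seconds."""
import hmac
import secrets

DAY = 86400
OFFENSE_MANAGEMENT = "Offense Management"
ASSIGN_OFFENSES = "Assign Offenses to Users"
CUSTOM_RULES = "Customized Rule Creation"


def role_usable_for_services(permissions):
    """Per the chapter note: only the Offense Management box may be set."""
    return set(permissions) == {OFFENSE_MANAGEMENT}


class AuthorizedServices:
    def __init__(self):
        self._records = {}       # token -> service record

    def add(self, name, role_name, role_permissions, authorized_by, now,
            expiry_days=30, no_expiry=False):
        """Create a service and return its token (the only time it is shown)."""
        if not 1 <= len(name) <= 255:
            raise ValueError("service name must be 1 to 255 characters")
        if not role_usable_for_services(role_permissions):
            raise ValueError("role must grant only Offense Management")
        token = secrets.token_hex(20)        # constructed token format
        self._records[token] = {
            "name": name, "role": role_name, "authorized_by": authorized_by,
            "created": now,
            "expires": None if no_expiry else now + expiry_days * DAY,
            "revoked": False,
        }
        return token

    def _lookup(self, presented):
        # Compare against every stored token in constant time rather than
        # indexing the dict, so lookup timing does not leak token bytes.
        if not isinstance(presented, str) or not presented.isascii():
            return None
        found = None
        for token, record in self._records.items():
            if hmac.compare_digest(token, presented):
                found = record
        return found

    def revoke(self, token):
        """Mark a service revoked; returns False for an unknown token."""
        record = self._lookup(token)
        if record is None:
            return False
        record["revoked"] = True
        return True

    def authenticate(self, presented, now):
        """Return the role name a presented token grants, or None when the
        token is unknown, revoked or past its expiry date."""
        record = self._lookup(presented)
        if record is None or record["revoked"]:
            return None
        if record["expires"] is not None and now >= record["expires"]:
            return None
        return record["role"]

    def listing(self, now):
        """Rows in the shape of the Manage Authorized Services window."""
        return [{"Service Name": r["name"], "Authorized By": r["authorized_by"],
                 "User Role": r["role"], "Created": r["created"],
                 "Expired": r["expires"] is not None and now >= r["expires"]}
                for r in self._records.values()]


if __name__ == "__main__":
    svc = AuthorizedServices()
    now = 1222819200                         # constructed timestamp
    tok = svc.add("support-portal", "Support", [OFFENSE_MANAGEMENT], "admin", now)
    print(svc.authenticate(tok, now))                   # Support
    print(svc.authenticate(tok, now + 31 * DAY))        # None (expired)
```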

5 MANAGING BACKUP AND RECOVERY

Using the Administration Console, you can back up and recover configuration information and data for STRM. You can back up and recover the following information for your system:
• License key information
• Sentry configuration
• Rules configuration
• Configuration database information
• User profile information
• Views configuration

This chapter provides information on managing backup and recovery, including:


• Managing Backup Archives
• Backing Up Your Information
• Restoring Your Configuration Information

Managing Backup Archives
Using the Administration Console, you can:
• View your successful backup archives. See Viewing Back Up Archives.
• Import an archive file. See Importing an Archive.
• Delete an archive file. See Deleting a Backup Archive.

Viewing Back Up Archives
To view all successful backups:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.

The list of archives includes backup files that exist in the database. If a backup file
is deleted, it is removed from the disk and from the database. Also, the entry is
removed from this list and an audit event is generated to indicate the removal.
If a backup is in progress, a status window appears to indicate the duration of the
current backup, which user/process initiated the backup, and provides you with the
option to cancel the backup.
Each archive file includes the data from the previous day.
The Backup Archives window provides the following information for each backup
archive.
Table 6-1 Backup Archive Window Parameters

Parameter - Description
Host - Specifies the host that initiated the backup process.
Name - Specifies the name of the backup archive. To download the backup file, click the name of the backup.
Type - Specifies the type of backup. The options are:
• db (database)
• config (configuration data)
• data (events, flows, and asset profile information)
Size - Specifies the size of the archive file.
Time Initiated - Specifies the time that the backup file was created.
Duration - Specifies the time to complete the backup process.
Initialized By - Specifies whether the backup file was created by a user or through a scheduled process.

Importing an Archive
To import a STRM backup archive file:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.

Step 3 In the Upload Archive field, click Browse.


The File Upload window appears.
Step 4 Select the archive file you want to upload. Click Open.
Step 5 Click Upload.

Deleting a Backup Archive
To delete a backup archive:
Note: To delete a backup archive file, the backup archive file and the Host Context
component must reside on the same system. The system must also be in
communication with the Console.
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.

Step 3 Select the archive you want to delete.


Step 4 Click Delete.
Step 5 A confirmation window appears.
Step 6 Click Ok.

Backing Up Your Information
You can back up your configuration information and data using the Backup Recovery Configuration window. You can back up your configuration information using a manual process. You can also back up your configuration information and data using a scheduled process. By default, STRM creates a backup archive of your configuration information every night at midnight, and the backup includes configuration and/or data from the previous day. This section provides information on both methods of backing up your data, including:
• Scheduling Your Backup
• Initiating a Backup

Scheduling Your Backup
To schedule your backup process and configure your backup settings:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.
Step 3 Click Configure.
The Backup Recovery Configuration window appears.

Step 4 Enter values for the parameters:

Table 6-2 Backup Recovery Configuration Parameters

Parameter - Description
General Backup Configuration
Backup Repository Path - Specify the location where you want to store your backup file. This path must exist before the backup process is initiated. If this path does not exist, the backup process aborts. The default is /store/backup.
Note: If you modify this path, make sure the new path is valid on every system in your deployment.
Backup Retention Period - Specify the length of time, in days, that you want to maintain backup files. The default is 2 days.
Note: This period of time only affects backup files generated as a result of a scheduled process. Manually initiated backup processes are not affected by this value.
Nightly Backup Schedule - Select one of the following options:
• No Nightly Backups - Disables the creation of a backup archive on a daily basis.
• Configuration Backup Only - Enables the creation of a daily backup at midnight that includes configuration information only.
• Configuration and Data Backups - Enables the creation of a daily backup at midnight that includes configuration information and data. If you select the Configuration and Data Backups option, you can select the hosts you want to back up. This option backs up all database table information including:
- Offenses (including target and attacker information)
- Asset data
- Categories
- Vulnerability data
Once you select the host, you can select one of the following options: Event Data, Flow Data, and Asset Profile Data.
Configuration Only Backup
Backup Time Limit - Specify the length of time, in minutes, that you want to allow the backup to process.
Backup Priority - Specify the level of importance (low, medium, high) you want the system to place on the configuration information backup process compared to other processes.
Data Backup
Backup Time Limit (min) - Specify the length of time, in minutes, that you want to allow the backup to process.
Backup Priority - Specify the level of importance (low, medium, high) you want the system to place on the data backup process compared to other processes.

Step 5 Click Save.

Step 6 From the Administration Console menu, select Configurations > Deploy All.

Initiating a Backup
To manually initiate a backup:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.

Step 3 Click On Demand Backup.


The Create a Backup window appears.

Step 4 Enter values for the following parameters:
• Name - Specify a unique name you want to assign to this backup file. The name must be a maximum of 100 alphanumeric characters. Also, the name may contain the following characters: underscore (_), dash (-), or period (.).
• Description - Specify a description for this backup. The description can be up to 255 characters in length.
Step 5 Click Run Backup.
A confirmation window appears.
Step 6 Click OK.

Restoring Your Configuration Information
You can restore configuration information from existing backup archives using the Restore Backup window. Note the following requirements when you are restoring configuration information:
• You can only restore a backup archive created within the same release of software. For example, if you are running STRM 6.1.2, the backup archive must have been created in STRM 6.1.2. You cannot restore configuration information archived in a previous release.
• Each backup archive includes the IP address of the system from which the backup archive was created. The IP address of the system on which you want to restore the information must match the IP address in the backup archive. If the IP addresses do not match, the restore process fails.

To restore your configuration information using a backup archive:


Note: If the deployment you are restoring includes non-Console systems, make
sure you re-add the managed hosts to your deployment and deploy all changes
before you initiate the restore process.
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.
Step 3 Select the archive you want to restore.
Step 4 Click Restore.
The Restore a Backup window appears.

Step 5 To restore specific items in the archive:


a Clear the All Items check box.
b The list of archived items appears.
c Select the check box for each item you want to restore.
Step 6 Click Restore.
A confirmation window appears.
Step 7 Click Ok.
The restore process begins. This process may take an extended period of time.
Step 8 From the Administration Console menu, select Configurations > Deploy All.

Note: The restore process only restores your configuration information. For
assistance in restoring your data, contact Juniper Networks Customer Support.
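As an added example, not STRM's own backup code, the following encodes the housekeeping rules stated in this chapter: the retention period applies only to scheduled archives, the on-demand name rule, and the release and IP address preconditions for a restore. The Archive records stand in for rows of the Backup Archives window and are constructed.

```python
"""Backup housekeeping rules from this chapter: the Backup Retention Period
(default 2 days) applies only to scheduled backups, an on-demand backup name
is at most 100 characters drawn from alphanumerics, underscore, dash and
period, and a configuration restore requires the archive's release and IP
address to match the target system. Added example, not STRM code; the
Archive records are constructed."""
import re
from dataclasses import dataclass

DAY = 86400
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,100}")


@dataclass
class Archive:
    name: str
    kind: str             # db, config or data (the Type column)
    time_initiated: int   # epoch seconds
    initialized_by: str   # "scheduled" or the user who ran it
    release: str          # STRM release that wrote the archive
    ip: str               # IP address of the system that wrote it


def valid_backup_name(name):
    """Name rule for On Demand Backup: 1 to 100 chars of [A-Za-z0-9_.-]."""
    return NAME_RE.fullmatch(name) is not None


def expired_archives(archives, retention_days, now):
    """Archives the retention period allows to be deleted: scheduled ones
    older than retention_days. Manually initiated archives never expire."""
    cutoff = now - retention_days * DAY
    return [a for a in archives
            if a.initialized_by == "scheduled" and a.time_initiated < cutoff]


def restore_problems(archive, system_release, system_ip):
    """Reasons a restore of `archive` onto the given system would fail;
    an empty list means both stated preconditions hold."""
    problems = []
    if archive.release != system_release:
        problems.append(f"archive release {archive.release} does not match "
                        f"system release {system_release}")
    if archive.ip != system_ip:
        problems.append(f"archive IP {archive.ip} does not match "
                        f"system IP {system_ip}")
    return problems


# Constructed archive rows; release and IP values are placeholders.
SAMPLE_ARCHIVES = [
    Archive("nightly-0", "config", 7 * DAY, "scheduled", "6.1.2", "10.0.0.1"),
    Archive("nightly-1", "config", 9 * DAY, "scheduled", "6.1.2", "10.0.0.1"),
    Archive("pre_upgrade.1", "config", 1 * DAY, "admin", "6.1.2", "10.0.0.1"),
]

if __name__ == "__main__":
    now = 10 * DAY
    print([a.name for a in expired_archives(SAMPLE_ARCHIVES, 2, now)])
    print(restore_problems(SAMPLE_ARCHIVES[2], "6.1.2", "10.0.0.2"))
```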

6 USING THE DEPLOYMENT EDITOR

The deployment editor allows you to manage the individual components of your STRM and SIM deployment. Once you configure your Flow, Event, and System Views, you can access and configure the individual components of each managed host.

Note: The Deployment Editor requires the Java Runtime Environment. Download JRE 5.0 at www.java.sun.com. Also, if you are using the Firefox browser, you must configure your browser to accept Java Network Language Protocol (JNLP) files.

Caution: Many third-party web browsers that use the Internet Explorer engine,
such as Maxthon or MyIE, install components that may be incompatible with the
STRM Administration Console. You must disable any third-party web browsers
installed on your system. For further assistance, please contact customer support.

If you want to access the STRM Administration Console from behind a proxy
server or firewall, you must configure the appropriate proxy settings on your
desktop. This allows the software to automatically detect the proxy settings from
your browser. To configure the proxy settings, open the Java configuration located
in your Control Panel and configure the IP address of your proxy server. For more
information on configuring proxy settings, see your Microsoft documentation.

This chapter provides information on managing your views including:


• About the Deployment Editor
• Editing Deployment Editor Preferences
• Building Your Flow View
• Building Your Event View
• Managing Your System View
• Configuring STRM Components

About the Deployment Editor
You can access the deployment editor using the STRM Administration Console. You can use the deployment editor to create your deployment, assign connections, and configure each component.

The deployment editor provides the following views of your deployment:


• Flow View - Allows you to create a view that outlines how flows are processed
in your deployment by allocating and connecting flow-based components, for
example, connecting a Flow Collector to a Flow Processor.
• System View - Allows you to assign software components, such as a Flow
Collector, to systems (managed hosts) in your deployment. The System View
includes all managed hosts in your deployment. A managed host is a system in
your deployment that has STRM software installed. By default, the System
View also includes the Host Context component, which monitors all STRM
components to ensure that each component is operating as expected.
• Event View - Allows you to create a view for your SIM components including
Event Processor, Event Collector, and Magistrate components.

Each view is divided into two panels.

In the Flow View, the left panel provides a list of components that you can add to
your view and the right panel provides the existing view of your deployment.

In the Event View, the left panel provides a list of SIM components you can add to
the view and the right panel provides an existing view of your SIM deployment.

In the System View, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change. For example, if you remove a managed host, a message appears indicating that the components assigned to that host must be re-assigned to another host. Also, if you add a managed host to your deployment, the deployment editor displays a message indicating that the managed host has been added.

Accessing the Deployment Editor
In the Administration Console, click the deployment editor icon. The deployment editor appears. Once you update your configuration settings using the deployment editor, you must save those changes to the staging area. You can then either deploy all changes manually using the Administration Console Deploy menu option or, upon exiting the Administration Console, respond to the window that prompts you to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.

Using the Editor
The deployment editor provides you with several menu and toolbar options when
configuring your views, including:
• Menu Options
• Toolbar Options

Menu Options
The menu options that appear depend on the selected component in your view.
Table 7-1 provides a list of the menu options and the component for which they
appear.
Table 7-1 Deployment Editor Menu Options

File > Save to staging: Saves the deployment to the staging area.
File > Save and close: Saves the deployment to the staging area and closes the
deployment editor.
File > Open staged deployment: Opens a deployment that was previously saved to
the staging area.
File > Open production deployment: Opens the current production deployment.
File > Close current deployment: Closes the current deployment.
File > Revert: Reverts the current deployment to the previously saved
deployment.
File > Edit Preferences: Opens the preferences window.
File > Close editor: Closes the deployment editor.
Edit > Delete: Deletes a component, host, or connection.
Actions > Add a managed host: Opens the Add a Managed Host wizard.
Actions > Manage NATed Networks: Opens the Manage NATed Networks window, which
allows you to manage the list of NATed networks in your deployment.
Actions > Rename component: Renames an existing component. This option is only
available when a component is selected.
Actions > Configure: Configures a STRM component. This option is only available
when a Flow Collector, Flow Processor, Classification Engine, Event Collector,
Event Processor, Magistrate, or Update Daemon is selected.
Actions > Assign: Assigns a component to a managed host. This option is only
available when a Flow Collector, Flow Processor, Classification Engine, Event
Collector, Event Processor, Magistrate, or Update Daemon is selected.
Actions > Unassign: Unassigns a component from a managed host. This option is
only available when a Flow Collector, Flow Processor, Classification Engine,
Event Collector, Event Processor, or Update Daemon is selected and the managed
host of that component is running a compatible version of STRM software.
Help > Help and Support: Opens the user documentation.

Toolbar Options
The toolbar options include:
Table 7-2 Toolbar Options (icons not reproduced)
• Saves the deployment to the staging area and closes the deployment editor.
• Opens the current production deployment.
• Opens a deployment that was previously saved to the staging area.
• Discards recent changes and reloads the last saved model.
• Deletes the selected item from the deployment view. This option is only
available when the selected component has a managed host running a compatible
version of STRM software.
• Opens the Add a Managed Host wizard, which allows you to add a managed host
to your deployment.
• Opens the Manage NATed Networks window, which allows you to manage the list
of NATed networks in your deployment.
• Resets the zoom to the default.
• Zooms in.
• Zooms out.

Creating Your Deployment
To create your deployment, you must:
Step 1 Build your Flow View. See Building Your Flow View.
Step 2 Build your System View. See Managing Your System View.
Step 3 Configure added components. See Configuring STRM Components.
Step 4 Build your Event View. See Building Your Event View.
Step 5 Configure SIM components. See Configuring STRM Components.
Step 6 Stage the deployment. From the deployment editor menu, select File > Save to
Staging.
Step 7 Deploy all configuration changes. From the Administration Console menu, select
Configurations > Deploy All.
For more information on the Administration Console, see Chapter 8 Overview.

Before you Begin
Before you begin, you must:
• Install all necessary hardware and STRM software.
• Install the Java Runtime Environment. You can download Java version 1.5.0_12
from the following web site: http://java.com/en/download/index.jsp
• If you are using the Firefox browser, you must configure your browser to accept
Java Network Launch Protocol (JNLP) files.
• Plan your STRM deployment, including the IP addresses and login information
for all devices in your STRM deployment.

Note: If you require assistance with the above, please contact Juniper Networks
Customer Support.

Editing Deployment Editor Preferences
To edit the deployment editor preferences:
Step 1 From the deployment editor main menu, select File > Edit Preferences.
The Deployment Editor Setting window appears.
Step 2 Enter values for the following parameters:
• Presence Poll Frequency - Specify how often, in milliseconds, the deployment
editor polls your deployment for changes to managed hosts, for example, a new
or updated managed host.
• Zoom Increment - Specify the increment applied each time a zoom option is
selected. For example, 0.1 indicates 10%.
Step 3 Close the window.
The Deployment Editor appears.

Building Your Flow View
The Flow View allows you to create and manage the flow-based software
components of your STRM deployment, for example, a Flow Collector or Flow
Processor. If you are using a STRM appliance, a default Flow View appears with
the appropriate components. You can edit or update the view, as necessary.

To build your Flow View, you must:


Step 1 Add STRM components to your view. See Adding STRM Components.
Step 2 Connect the added components. See Connecting Components.
Step 3 Connect the deployments, if necessary. See Connecting Deployments.
Step 4 Rename the components so each component has a unique name. See Renaming
Components

Once you have completed building your Flow View, you can use the Event View to
manage your SIM components. See Building Your Event View.

Adding STRM Components
You can add the following STRM components to your Flow View:
• Flow Collector - Collects data from devices and various live and recorded
feeds.
• Flow Processor - Collects and consolidates data from one or more Flow
Collectors.
• Classification Engine - Receives input from one or more Flow Processors,
classifies the flows, and accumulates statistical data on them.
• Update Daemon - Stores TopN and database data once the Classification
Engine has processed the flows for an interval.
• Flow Writer - Stores the flow and asset profile data once the Classification
Engine has processed the flows for an interval.

Note: The procedures in this section provide information on adding STRM
components using the Flow View. You can also add components using the System
View. For information on the System View, see Managing Your System View.

To add STRM components to your Flow View:
Step 1 In the deployment editor, click the Flow View tab.
The Flow View appears.

Step 2 In the Flow Components panel, select a component you want to add to your
deployment.
The Adding a New Component Wizard appears.

Step 3 Enter a unique name for the component you want to add. The name can be up to
15 characters in length and may include underscores or hyphens. Make sure you
record the assigned name and click Next.
Note: If the message “There are no hosts to which you can assign this
component.” appears, your deployment does not include a host with the capabilities
to support the selected component, or the host already has a full complement of
components installed.
The Assign Component window appears.

Step 4 From the Select a host drop-down list box, select the managed host to which you
want to assign the new component. Click Next.
The component ready to be added window appears.
Step 5 Click Finish.
The component appears in your Flow View.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the menu, select File > Save to staging.

Connecting Components
Once you add all the necessary components to your Flow View, you must connect
them together. The Flow View only allows you to connect appropriate components.
For example, you can connect a Flow Collector to a Flow Processor but not to an
Update Daemon.

To connect components:
Step 1 In the Flow View, select the component for which you want to establish a
connection.
Step 2 From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Actions
menu item.
An arrow appears in your map.
Step 3 Drag the end of the arrow to the component on which you want to establish a
connection. You can only connect appropriate components, for example, you can
connect a Classification Engine to an Update Daemon. Table 7-3 provides a list of
components you are able to connect.
Table 7-3 Component Connections

You can connect a...     To
Flow Collector           Flow Processor
Flow Processor           Flow Processor, Classification Engine, Off-site Target,
                         Off-site Source
Classification Engine    Update Daemon; Flow Writer (multiple Classification
                         Engines may be connected to a single Flow Writer)

The arrow connects the two components.


Step 4 Repeat for all remaining components in your deployment that you want to establish
a connection.
Step 5 From the menu, select File > Save to Staging.

Connecting Deployments
You can connect deployments in your network to allow deployments to share flow
data. To connect two deployments, you add an off-site target to the Flow View
of the deployment that sends flows and an off-site source to the Flow View of
the deployment that receives them; each is configured with the address of the
peer deployment's Flow Processor. You can add the following components to your
Flow View:
• Off-site Source - Represents an off-site Flow Processor from which you want to
receive data. The source must be configured with appropriate permissions to
send flows to the off-site target.
• Off-site Target - Represents an off-site Flow Processor to which you want to
send data.

Note: The procedures in the section provide information on adding flow sources
using the Flow View. You can also add sources using the System View. For
information on the System View, see Managing Your System View.

Figure 7-1 shows an example of connecting two deployments, A and B. In this
example, deployment B wants to receive flows from deployment A. To connect
these deployments, you must configure deployment A with an off-site target that
provides the IP address of the managed host that includes Flow Processor B. You
must then connect Flow Processor A to the off-site target. In deployment B, you
must configure an off-site source with the IP address of the managed host that
includes Flow Processor A and the port on which Flow Processor A is listening.

If you want to disconnect the off-site source, you must remove the connections
from both deployments. From deployment A, you must remove the off-site target
and in deployment B, you must remove the off-site source.

If you want to enable encryption between deployments, you must enable
encryption on both the off-site source and the off-site target. You must also
ensure that each side holds the other's public key so that the SSH connection
is authorized. For example, to enable encryption between the off-site source and
Flow Processor B in Figure 7-1, copy the public key of the Flow Processor
(located at /root/.ssh/id_rsa.pub) to the off-site source and append it to
/root/.ssh/authorized_keys there. Append rather than overwrite: that file also
holds the keys of any other hosts already authorized to connect.

Note: To enable encryption between two managed hosts, each managed host
must be running at least STRM 5.1.

Figure 7-1 Example of Connecting Deployments

To connect your deployments:
Step 1 In the deployment editor, click the Flow View tab.
The Flow View appears.

Step 2 In the Flow Components panel, select either Add Off-site Source or Add Off-site
Target.
The Adding a New Component Wizard appears.

Step 3 Specify a unique name for the source or target. The name can be up to 15
characters in length and may include underscores or hyphens. Click Next.
The flow source/target information window appears.

Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host. The
name can be up to 15 characters in length and may include underscores or
hyphens.
• Enter the IP address of the server - Specify the IP address of the managed
host to which you want to connect.
• Enter port of managed host - Specify the off-site managed host port number.
• Encrypt traffic from off-site source - Select the check box if you want to
encrypt traffic from an off-site source. To enable encryption, you must select
this check box on the associated off-site source and target. For more
information regarding encryption, see Managing Your System View.
Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.

Note: If you update your Flow Processor configuration or the monitoring ports, you
must manually update your source and target configurations to maintain the
connection between deployments.

Renaming Components
You may want to rename a component in your view to uniquely identify
components throughout your deployment.

To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename component.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Rename component window appears.

Step 3 Enter a new name for the component. The name must be alphanumeric with no
special characters.
Step 4 Click Ok.

Building Your Event View
The Event View allows you to create and manage the SIM components for your
deployment, including:
• Event Collector - Collects security events from various types of security
devices in your network. The Event Collector gathers events from local, remote,
and device sources. The Event Collector then normalizes the events and sends
the information to the Event Processor. The Event Collector also bundles all
virtually identical events to conserve system usage.
• Event Processor - An Event Processor processes events collected from one or
more Event Collectors. The events are bundled once again to conserve
network usage. Once received, the Event Processor correlates the information

STRM Administration Guide


76 USING THE DEPLOYMENT EDITOR

from STRM and distributes to the appropriate area, depending on the type of
event. The Event Processor also includes information gathered by STRM to
indicate any behavioral changes or policy violations for that event. Rules are
then applied to the events that allow the Event Processor to process according
to the configured rules. Once complete, the Event Processor sends the events
to the Magistrate.
You must connect the Event Processor to a Classification Engine or another
Event Processor in your deployment. The Classification Engine is responsible
for sending the latest event information to the Event Processor. See Figure 7-2
for an example.
• Magistrate - The Magistrate component provides the core processing
components of SIM. You can add one Magistrate component for each
deployment. The Magistrate provides views, reports, alerts, and analysis of
network traffic and security events. The Magistrate processes the event against
the defined custom rules to create an offense. If no custom rules exist, the
Magistrate uses the default rules to process the event. An offense is an event
that has been processed through STRM using multiple inputs, individual
events, and events combined with analyzed behavior and vulnerabilities.
Magistrate prioritizes the offenses and assigns a magnitude value based on
several factors, including number of events, severity, relevance, and credibility.
The Magistrate also produces, for each event, a list of the attackers
involved. Once the Magistrate establishes the magnitude for an event, it
provides multiple options for resolution.

By default, the Event View includes a Magistrate component. Figure 7-2 shows an
example of STRM deployment that includes the SIM components. The example
shows that the Event Processor is connected to the Classification Engine, which
allows for the exchange of flow information.

Figure 7-2 Example of SIM Components in your STRM Deployment

To build your Event View, you must:
Step 1 Add SIM components to your view. See Adding Components.
Step 2 Connect the components. See Connecting Components.
Step 3 Forward normalized events. See Forwarding Normalized Events.
Step 4 Rename the components so each component has a unique name. See Renaming
Components.

Adding Components
To add components to your Event View:
Step 1 In the deployment editor, click the Event View tab.
The Event View appears.
Step 2 In the Event Tools panel, select a component you want to add to your deployment.
The Adding a New Component Wizard appears.

Step 3 Enter a unique name for the component you want to add. The name can be up to
15 characters in length and may include underscores or hyphens. Click Next.
The Assign Component window appears.

Step 4 From the Select a host to assign to list box, select a managed host to which you
want to assign the new component. Click Next.
Step 5 Click Finish.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the main menu, select File > Save to staging.

Connecting Components
Once you add all the necessary components to your Event View, you must connect
them together. The Event View only allows you to connect appropriate components.
For example, you can connect an Event Collector to an Event Processor but not to
a Magistrate component.

To connect components:
Step 1 In the Event View, select the component for which you want to establish a
connection.
Step 2 From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Action
menu item.
An arrow appears in your map.
Step 3 Drag the end of the arrow to the component on which you want to establish a
connection. You can only connect appropriate components, for example, you can
connect an Event Collector to an Event Processor. Table 7-4 provides a list of
components you are able to connect.
Table 7-4 Component Connections

You can connect a...     To
Event Processor          Magistrate
Event Collector          Event Processor

The arrow connects the two components.


Step 4 Repeat for all remaining components that you want to establish a connection.

Forwarding Normalized Events
To forward normalized events to another deployment, you add an off-site target
to the Event View of the deployment that sends events and an off-site source to
the Event View of the deployment that receives them; each is configured with
the address of the peer deployment's Event Collector.

You can add the following components to your Event View:
• Off-site Source - Represents an off-site Event Collector from which you want
to receive data. The source must be configured with appropriate permissions to
send events to the off-site target.
• Off-site Target - Represents an off-site Event Collector to which you want to
send data.

For example, if you want to forward normalized events between two deployments
(A and B), where deployment B wants to receive events from deployment A, you
must configure deployment A with an off-site target that provides the IP address
of the managed host that includes Event Collector B. You must then connect Event
Collector A to the off-site target. In deployment B, you must configure an
off-site source with the IP address of the managed host that includes Event
Collector A and the port on which Event Collector A is listening.

If you want to disconnect the off-site source, you must remove the connections
from both deployments. From deployment A, you must remove the off-site target
and in deployment B, you must remove the off-site source.

If you want to enable encryption between deployments, you must enable
encryption on both the off-site source and the off-site target. You must also
ensure that each side holds the other's public key so that the SSH connection
is authorized. For example, to enable encryption between the off-site source and
Event Collector B in Figure 7-3, copy the public key of the Event Collector
(located at /root/.ssh/id_rsa.pub) to the off-site source and append it to
/root/.ssh/authorized_keys there. Append rather than overwrite: that file also
holds the keys of any other hosts already authorized to connect.
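Both the flow-forwarding and the event-forwarding procedures above end with the same manual step: placing a peer's /root/.ssh/id_rsa.pub line into /root/.ssh/authorized_keys on the other side. The Python below is an added example for this guide, not STRM code, showing that step done carefully: it refuses anything that is not an OpenSSH public-key line, appends without clobbering existing entries, is idempotent so re-running a rollout does not duplicate keys, sets the 0700/0600 modes sshd insists on, and (beyond what the guide asks for) can pin the key to the peer's address with the OpenSSH from= option so a leaked private key is only usable from that host. The key blob, host names, addresses and the temporary directory used by demo() are constructed for illustration.

```python
"""Idempotent installation of an SSH public key into authorized_keys.

Added example for the STRM guide; not part of STRM.  Run as-is for a demo
against a temporary directory (nothing under /root is touched).
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# OpenSSH public key line: "<type> <base64 blob> [comment]".  STRM's key at
# /root/.ssh/id_rsa.pub is ssh-rsa; other types are accepted for hosts that
# use newer keys.  re.search lets the same pattern match an authorized_keys
# line that carries leading options such as from="...".
_KEY_RE = re.compile(
    r"(?P<type>ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) "
    r"(?P<blob>[A-Za-z0-9+/]+={0,2})"
)


def parse_public_key(line: str) -> Tuple[str, str]:
    """Return (type, blob) for a public-key line; raise ValueError otherwise."""
    m = _KEY_RE.search(line.strip())
    if m is None:
        raise ValueError("not an OpenSSH public key line")
    return m.group("type"), m.group("blob")


def install_authorized_key(pub_key_line: str, authorized_keys: str,
                           from_host: Optional[str] = None) -> bool:
    """Append the key unless the same key (type + blob) is already present.

    Returns True if a line was added, False if it was already there.  The
    comment from id_rsa.pub is dropped (untrusted free text); with from_host
    the entry is restricted with from="host" so sshd only honours it from
    that source address.
    """
    key_type, blob = parse_public_key(pub_key_line)

    ssh_dir = os.path.dirname(authorized_keys) or "."
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # sshd ignores the file if ~/.ssh is too open

    existing = ""
    if os.path.exists(authorized_keys):
        with open(authorized_keys, encoding="utf-8") as fh:
            existing = fh.read()

    for line in existing.splitlines():
        try:
            if parse_public_key(line) == (key_type, blob):
                return False  # already authorised: do not duplicate
        except ValueError:
            continue  # comments and blank lines are left untouched

    entry = f"{key_type} {blob}"
    if from_host:
        if any(c in from_host for c in ' ",'):
            raise ValueError("from_host must be a single host or address pattern")
        entry = f'from="{from_host}" {entry}'

    with open(authorized_keys, "a", encoding="utf-8") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")  # never glue onto a final line lacking a newline
        fh.write(entry + "\n")
    os.chmod(authorized_keys, 0o600)
    return True


def authorized_keys_entries(authorized_keys: str) -> List[str]:
    """Non-comment lines currently present in authorized_keys."""
    with open(authorized_keys, encoding="utf-8") as fh:
        return [l for l in fh.read().splitlines()
                if l.strip() and not l.startswith("#")]


def demo() -> Dict[str, object]:
    """Exercise the helper in a scratch directory and report what happened."""
    # Constructed sample key: the blob is not a real key.
    flow_processor_b_key = (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedExampleBlobNotARealKey0123 "
        "root@flowprocessor-b"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".ssh", "authorized_keys")
        first = install_authorized_key(flow_processor_b_key, path, from_host="192.0.2.20")
        second = install_authorized_key(flow_processor_b_key, path, from_host="192.0.2.20")
        entries = authorized_keys_entries(path)
        mode = oct(stat.S_IMODE(os.stat(path).st_mode))
        try:
            install_authorized_key("not a key at all", path)
            rejected = False
        except ValueError:
            rejected = True
    return {"first": first, "second": second, "entries": entries,
            "mode": mode, "rejected_garbage": rejected}


if __name__ == "__main__":
    print(demo())
```

On a real host the call is install_authorized_key(open("/tmp/id_rsa.pub").read(), "/root/.ssh/authorized_keys", from_host="<peer IP>"), after copying id_rsa.pub across with scp; verify afterwards with a non-interactive ssh from the peer before ticking Encrypt traffic in the wizard, so that a key problem shows up as an SSH error rather than as silently missing flows.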

Figure 7-3 Example of Connecting Deployments (deployment A: Event Collector A,
Event Processor, Magistrate and an Off-site Target; deployment B: Event
Collector B, Event Processor, Magistrate and an Off-site Source)

To forward normalized events:
Step 1 In the deployment editor, click the Event View tab.
The Event View appears.
Step 2 In the Components panel, select either Add Off-site Source or Add Off-site
Target.
The Adding a New Component Wizard appears.

Step 3 Specify a unique name for the source or target. The name can be up to 15
characters in length and may include underscores or hyphens. Click Next.
The event source/target information window appears.

Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host. The
name can be up to 15 characters in length and may include underscores or
hyphens.
• Enter the IP address of the server - Specify the IP address of the managed
host to which you want to connect.
• Encrypt traffic from off-site source - Select the check box if you want to
encrypt traffic from an off-site source. To enable encryption, you must select
this check box on the associated off-site source and target.
Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.

Note: If you update your Event Collector configuration or the monitoring ports, you
must manually update your source and target configurations to maintain the
connection between deployments.

Renaming Components
You may want to rename a component in your view to uniquely identify
components throughout your deployment.

To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename Component.
Note: You can also use the right mouse button (right-click) to access the Action
menu items.
The Rename component window appears.

Step 3 Enter a new name for the component. The name must be alphanumeric with no
special characters.
Step 4 Click Ok.

Managing Your System View
The System View allows you to manage all managed hosts in your network. A
managed host is a system in your network that includes STRM software. If you
are using a STRM appliance, the components for that appliance model appear. If
your STRM software is installed on your own hardware, the System View includes
a Host Context component. The System View allows you to select which
component(s) you want to run on each managed host.

Using the System View, you can:
• Set up managed hosts in your deployment. See Setting Up Managed Hosts.
• Use STRM with NATed networks in your deployment. See Using NAT with
STRM.
• Update the managed host port configuration. See Configuring a Managed Host.
• Assign a component to a managed host. See Assigning a Component to a
Host.
• Configure Host Context. See Configuring Host Context.

Setting Up Managed Hosts
Using the deployment editor you can manage all hosts in your deployment,
including:
• Add a managed host to your deployment. See Adding a Managed Host.
• Edit an existing managed host. See Editing a Managed Host.
• Remove a managed host. See Removing a Managed Host.
When adding a managed host, you can also enable encryption between managed
hosts running at least STRM 5.1. The deployment editor determines the version of
STRM software running on a managed host. You can only add a managed host to
your deployment when the managed host is running a compatible version of STRM
software. For more information, contact Juniper Networks Customer Support.

You also cannot assign or configure components on a non-Console managed host
when its STRM software version is incompatible with the software version that
the Console is running. If a managed host has previously assigned components and
is running an incompatible software version, you can still view the components;
however, you are not able to update or delete them.

Note: To enable encryption between two managed hosts, each managed host
must be running at least STRM 5.1.

Encryption provides greater security for all STRM traffic between managed hosts.
To provide enhanced security, STRM also provides integrated support for
OpenSSH and AttachmateWRQ® Reflection SSH software. Reflection SSH
provides a FIPS 140-2 certified encryption solution. When integrated with
STRM, Reflection SSH provides secure communication between STRM
components. For information on Reflection SSH, see the following web site:

www.wrq.com/products/reflection/ssh

Note: You must have Reflection SSH installed on each managed host you want to
encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other
SSH software, such as OpenSSH.

Since encryption occurs between managed hosts in your deployment, your
deployment must consist of more than one managed host before encryption is
possible. Encryption is implemented with SSH tunnels (port forwarding) initiated
from the client. A client is the system that initiates a connection in a
client/server relationship. When encryption is enabled for a managed host,
encryption tunnels are created for all client applications on that managed host
to provide protected access to the respective servers. If you enable encryption
on a non-Console managed host, encryption tunnels are also created automatically
for the database and other support service connections to the Console.

Figure 7-4 shows the flow of traffic within a STRM deployment, including flows,
flow context, and event traffic. The figure also shows the client/server
relationships within the deployment. When you enable encryption on a managed
host, the SSH tunnel is created on the client's host. For example, in the
deployment below, if you enable encryption on the managed host that runs the
Event Processor, the connection between the Event Processor and the
Classification Engine as well as the connection between the Event Processor and
the Magistrate are encrypted, because the Event Processor is the client in both.
The graphic also shows the client/server relationship between the Console and
the Ariel database: when you enable encryption on the Console, an encryption
tunnel is used when performing event searches through the Offense Manager.

Note: Enabling encryption reduces the performance of a managed host by at least
50%.

Figure 7-4 Encryption Tunnels
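The rule in this section is that the tunnel is created on the client's host, so the Enable Encryption check box on a host protects exactly the connections initiated from that host (plus, on a non-Console host, the database and support-service connections back to the Console). The following model is an added example, not part of this guide or of STRM: it encodes that rule for a small deployment in the shape of Figure 7-4 and answers the question an administrator actually has before ticking the box, namely which links become tunnelled, which stay in cleartext, and on which host each tunnel runs. The Event Processor and Console relationships are the ones the text states; the client/server direction of the collector links, the host names and all port numbers are assumptions made for the model.

```python
"""Which STRM links does Enable Encryption on a given host actually protect?

Added example; not STRM code.  Encodes the rule from the guide: the SSH
tunnel (port forwarding) is created on the CLIENT's host, so a connection is
encrypted exactly when the component that opens it lives on a host with
encryption enabled.  Hosts, ports and the collector directions are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CONSOLE_HOST = "console"


@dataclass(frozen=True)
class Connection:
    client: str   # component that opens the TCP connection
    server: str   # component that listens
    port: int     # port the server listens on (assumed values)


# EP->CE, EP->Magistrate and Console->Ariel are the relationships the guide
# names; the two collector links and every port number are assumptions.
CONNECTIONS: List[Connection] = [
    Connection("Flow Collector", "Flow Processor", 32000),
    Connection("Event Collector", "Event Processor", 32004),
    Connection("Event Processor", "Classification Engine", 32005),
    Connection("Event Processor", "Magistrate", 32006),
    Connection("Console", "Ariel database", 32010),
]

# The guide says a non-Console host also gets tunnels for "databases and other
# support service connections to the Console"; names and ports are placeholders.
CONSOLE_SUPPORT_SERVICES: List[Tuple[str, int]] = [
    ("database", 5432),
    ("support services", 7676),
]


@dataclass(frozen=True)
class Tunnel:
    on_host: str   # host running the ssh client (the client's host)
    to_host: str   # host running sshd and the real service
    forward: str   # OpenSSH -L spec: local_port:127.0.0.1:remote_port
    service: str


def plan_tunnels(placement: Dict[str, str], encrypted_hosts: Set[str]) -> List[Tunnel]:
    """Tunnels that exist for a placement (component -> host) and the set of
    hosts that have Enable Encryption ticked.

    A link whose client and server share a host never leaves the box.  A link
    whose CLIENT host is not encrypted stays cleartext even if the server host
    is: ticking the box on the wrong end changes nothing.
    """
    tunnels: List[Tunnel] = []
    for c in CONNECTIONS:
        client_host, server_host = placement[c.client], placement[c.server]
        if client_host == server_host or client_host not in encrypted_hosts:
            continue
        tunnels.append(Tunnel(client_host, server_host,
                              f"{c.port}:127.0.0.1:{c.port}",
                              f"{c.client} -> {c.server}"))
    for host in sorted(encrypted_hosts):
        if host == CONSOLE_HOST:
            continue
        for name, port in CONSOLE_SUPPORT_SERVICES:
            tunnels.append(Tunnel(host, CONSOLE_HOST,
                                  f"{port}:127.0.0.1:{port}", f"{name} -> Console"))
    return tunnels


def unprotected_links(placement: Dict[str, str], encrypted_hosts: Set[str]) -> List[str]:
    """Inter-host links still in cleartext: review this before assuming that
    'encryption is on' covers the whole deployment."""
    return [f"{c.client}@{placement[c.client]} -> {c.server}@{placement[c.server]}"
            for c in CONNECTIONS
            if placement[c.client] != placement[c.server]
            and placement[c.client] not in encrypted_hosts]


def ssh_command(t: Tunnel) -> str:
    """OpenSSH invocation equivalent to one tunnel (STRM manages its own;
    this makes the client-side nature of the forward concrete)."""
    return f"ssh -N -o ExitOnForwardFailure=yes -L {t.forward} root@{t.to_host}"


# Constructed deployment in the shape of Figure 7-4: Ariel lives with the
# Event Processor, so Console searches cross a host boundary.
PLACEMENT: Dict[str, str] = {
    "Console": CONSOLE_HOST, "Magistrate": CONSOLE_HOST,
    "Classification Engine": CONSOLE_HOST, "Flow Processor": CONSOLE_HOST,
    "Event Processor": "ep-host", "Ariel database": "ep-host",
    "Event Collector": "ec-host",
    "Flow Collector": "fc-host",
}

if __name__ == "__main__":
    for t in plan_tunnels(PLACEMENT, {"ep-host"}):
        print(f"{t.service:42s} on {t.on_host}: {ssh_command(t)}")
    print("still cleartext:", unprotected_links(PLACEMENT, {"ep-host"}))
```

Running it with only ep-host encrypted shows the two Event Processor links and the two support tunnels, all originating on ep-host, while the collector links and the Console's Ariel searches remain cleartext; enabling encryption on the Console alone tunnels only the Console-to-Ariel search traffic. The 50% performance caveat from the note applies per host that runs a tunnel endpoint, which is why the unprotected_links list, rather than a blanket "encrypt everything", is the thing to reason about.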

Adding a Managed Host
Note: Before you add a managed host, make sure the managed host includes
STRM software.
To add a managed host:
Step 1 From the menu, select Actions > Add a managed host.
The Add new host wizard appears.
Step 2 Click Next.
The Enter the host’s IP window appears.
Step 3 Enter values for the parameters:
• Enter the IP of the server or appliance to add - Specify the IP address of the
host you want to add to your System View.
• Enter the root password of the host - Specify the root password for the host.
• Confirm the root password of the host - Specify the password again, for
confirmation.
• Host is NATed - Select the check box if you want to use an existing Network
Address Translation (NAT) on this managed host. For more information on NAT,
see Using NAT with STRM.
Note: If you want to enable NAT for a managed host, the NATed network must be
using static NAT translation. For more information on using NAT, see Using NAT
with STRM.
• Enable Encryption - Select the check box if you want to create an encryption
tunnel for the host. To enable encryption between two managed hosts, each
managed host must be running at least STRM 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window
appears. Go to Step 4. Otherwise, go to Step 5.
Step 4 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP
address of the managed host. The managed host uses this IP address to
communicate with another managed host that belongs to a different network
using NAT.
• Select NATed network - Using the drop-down list box, select network you want
this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with
STRM.
Step 5 Click Next.
Step 6 Click Finish.
Note: If your deployment includes undeployed changes, a window appears
enabling you to deploy all changes.
The System View appears with the host in the Managed Hosts panel.

Editing a Managed Host
To edit an existing managed host:
Step 1 Click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and
select Edit Managed Host.
The Edit a managed host wizard appears.
Note: This option is only available when the selected managed host is running a
compatible version of STRM software.
Step 3 Click Next.
The attributes window appears.
Step 4 Edit the following values, as necessary:
• Host is NATed - Select the check box if you want to use existing Network
Address Translation (NAT) on this managed host. For more information on NAT,
see Using NAT with STRM.
Note: If you want to enable NAT for a managed host, the NATed network must be
using static NAT translation. For more information on using NAT, see Using NAT
with STRM.
• Enable Encryption - Select the check box if you want to create an encryption
tunnel for the host. To enable encryption between two managed hosts, each
managed host must be running at least STRM 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window
appears. Go to Step 5. Otherwise, go to Step 6.
Step 5 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP
address of the managed host. The managed host uses this IP address to
communicate with another managed host that belongs to a different network
using NAT.
• Select NATed network - Using the drop-down list box, select network you want
this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with
STRM.
Step 6 Click Next.
Step 7 Click Finish.
The System View appears with the updated host in the Managed Hosts panel.

Removing a Managed Host
You can only remove non-Console managed hosts from your deployment. You cannot
remove the managed host that is hosting the STRM Console.

To remove a managed host:
Step 1 Click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to delete
and select Remove host.
Note: This option is only available when the selected managed host is running a
compatible version of STRM software.
A confirmation window appears.
Step 3 Click Ok.
Step 4 From the Administration Console menu, select Configurations > Deploy All.


Using NAT with STRM

Network Address Translation (NAT) translates an IP address in one network to a
different IP address in another network. NAT provides increased security for your
deployment since requests are managed through the translation process, which
essentially hides internal IP addresses.

Before you enable NAT for a STRM managed host, you must set up your NATed
networks using static NAT translation. This ensures communications between
managed hosts that exist within different NATed networks. For example, in
Figure 7-5 the QFlow 1101 in Network 1 has an internal IP address of
10.100.100.0. When the QFlow 1101 wants to communicate with the Event
Collector in Network 2, the NAT router translates the IP address to 192.15.2.1.

Figure 7-5 Using NAT with STRM (diagram: Network 1 containing the QFlow 1101,
a NAT Router, and Network 2 containing the Event Collector, Classification
Engine, Event Collector, Update Daemon, and Magistrate)

Note: Your static NATed networks must be set up and configured on your network
before you enable NAT using STRM. For more information, see your network
administrator.

You can add a non-NATed managed host that uses inbound NAT for its public IP
address and dynamic NAT for outbound traffic, provided the host is located on the
same switch as the Console or managed host. However, you must configure the
managed host to use the same IP address for its public and private IP addresses.

When adding or editing a managed host, you can enable NAT for that managed
host. You can also use the deployment editor to manage your NATed networks
including:
• Adding a NATed Network to STRM
• Editing a NATed Network
• Deleting a NATed Network From STRM
• Changing the NAT Status for a Managed Host


Adding a NATed Network to STRM


To add a NATed network to your STRM deployment:
Step 1 In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Managed NATed Networks menu option to
access the Managed NATed Networks window.
The Manage NATed Networks window appears.

Step 2 Click Add.
The Add New Nated Network window appears.
Step 3 Enter a name of a network you want to use for NAT.
Step 4 Click Ok.
The Manage NATed Networks window appears.
Step 5 Click Ok.
A confirmation window appears.
Step 6 Click Yes.

Editing a NATed Network


To edit a NATed network:
Step 1 In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Managed NATed Networks menu option
to access the Managed NATed Networks window.
The Manage NATed Networks window appears.


Step 2 Select the NATed network you want to edit and click Edit.
The Edit NATed Network window appears.

Step 3 Update the name of the network you want to use for NAT.
Step 4 Click Ok.
The Manage NATed Networks window appears.
Step 5 Click Ok.
A confirmation window appears.
Step 6 Click Yes.

Deleting a NATed Network From STRM


To delete a NATed network from your deployment:
Step 1 In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Managed NATed Networks menu option to
access the Managed NATed Networks window.
The Manage NATed Networks window appears.
Step 2 Select the NATed network you want to delete.
Step 3 Click Delete.
A confirmation window appears.
Step 4 Click Ok.
Step 5 Click Yes.


Changing the NAT Status for a Managed Host


To change your NAT status for a managed host, make sure you update the
managed host configuration within STRM before you update the device. This
prevents the host from becoming unreachable and allows you to deploy changes
to that host.

To change the status of NAT (enable or disable) for an existing managed host:
Step 1 In the deployment editor, click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and
select Edit Managed Host.
The Edit a managed host wizard appears.
Step 3 Click Next.
The networking and tunneling attributes window appears.
Step 4 Choose one of the following:
a If you want to enable NAT for the managed host, select the check box. Go to
Step 5.
Note: If you want to enable NAT for a managed host, the NATed network must be
using static NAT translation.
b If you want to disable NAT for the managed host, clear the check box. Go to
Step 6.
Step 5 To select a NATed network, enter values for the following parameters:
• Change public IP of the server or appliance to add - Specify the public IP
address of the managed host. The managed host uses this IP address to
communicate with another managed host that belongs to a different network
using NAT.
• Select NATed network - Using the drop-down list box, select the network you
want this managed host to use.
• Manage NATs List - Update the NATed network configuration. For more
information, see Using NAT with STRM.
Step 6 Click Next.
Step 7 Click Finish.
The System View appears with the updated host in the Managed Hosts panel.
Note: Once you change the NAT status for an existing managed host, error
messages may appear. Ignore all error messages.
Step 8 Update the configuration for the device (firewall) to which the managed host is
communicating.
Step 9 From the STRM Administration Console menu, select Configurations > Deploy
All.


Configuring a Managed Host

To configure a managed host:
Step 1 From the System View, use the right mouse button (right-click) on the managed
host you want to configure and select Configure.
The Configure host window appears.

Step 2 Enter values for the parameters:
• Minimum port allowed - Specify the minimum port for which you want to
establish communications.
• Maximum port allowed - Specify the maximum port for which you want to
establish communications.
• Ports to exclude - Specify the ports you want to exclude from communications.
You can enter multiple ports to exclude; separate them using a comma.
Step 3 Click Save.

Assigning a Component to a Host

You can assign the STRM components added in the Flow or Event Views to the
managed hosts in your deployment. This section provides information on assigning
a component to a host using the System View; however, you can also assign
components to a host in the Flow or Event Views.

To assign a host:
Step 1 Click the System View tab.
Step 2 From the Managed Host list, select the managed host to which you want to assign
a STRM component.
The System View of the host appears.
Step 3 Select the component you want to assign to a managed host.
Step 4 From the menu, select Actions > Assign.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Assign Component wizard appears.


Step 5 From the Select a host drop-down list box, select the host that you want to assign
to this component. Click Next.
Note: The drop-down list box only displays managed hosts that are running a
compatible version of STRM software.
Step 6 Click Finish.

Configuring Host Context

The Host Context component monitors all STRM components to make sure that
each component is operating as expected.

To configure Host Context:
Step 1 In the Deployment Editor, click the System View tab.
The System View appears.
Step 2 Select the Managed Host that includes the Host Context you want to configure.
Step 3 Select the Host Context component.
Step 4 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu item.
The Host Context Configuration window appears.


Step 5 Enter values for the parameters:

Table 7-5 Host Context Parameters

Disk Usage Sentinel Settings
• Warning Threshold - When the configured threshold of disk usage is exceeded, an
e-mail is sent to the administrator indicating the current state of disk usage.
The default is 0.75; therefore, when disk usage exceeds 75%, an e-mail is sent
indicating that disk usage is exceeding 75%. If disk usage continues to increase
above the configured threshold, a new e-mail is sent after every 5% increase in
usage. By default, Host Context monitors the following partitions for disk usage:
  - /
  - /store
  - /store/tmp
Specify the desired warning threshold for disk usage.
Note: Notification e-mails are sent to the Administrative Email Address and are
sent from the Alert Email From Address, which is configured in the System
Settings. For more information, see Chapter 3 Setting Up STRM.
• Shutdown Threshold - When the system exceeds the shutdown threshold, all STRM
processes are stopped. An e-mail is sent to the administrator indicating the
current state of the system. The default is 0.95; therefore, when disk usage
exceeds 95%, all STRM processes stop.
Specify the shutdown threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are
sent from the Alert Email From Address, which is configured in the System
Settings. For more information, see Chapter 3 Setting Up STRM.
• Recovery Threshold - Once the system has exceeded the shutdown threshold, disk
usage must fall below the recovery threshold before STRM processes are
restarted. The default is 0.90; therefore, processes are not restarted until
disk usage is below 90%.
Specify the recovery threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are
sent from the Alert Email From Address, which is configured in the System
Settings. For more information, see Chapter 3 Setting Up STRM.
• Inspection Interval - Specify the frequency, in milliseconds, at which you want
disk usage to be determined.

SAR Sentinel Settings
• Inspection Interval - Specify the frequency, in milliseconds, at which you want
to inspect SAR output. The default is 300,000 ms.
• Alert Interval - Specify the frequency, in milliseconds, at which you want to be
notified that the thresholds have been exceeded. The default is 7,200,000 ms.
• Time Resolution - Specify the time, in seconds, that you want the SAR
inspection to be engaged. The default is 60 seconds.

Log Monitor Settings
• Inspection Interval - Specify the frequency, in milliseconds, at which you want
to monitor the log files. The default is 60,000 ms.
• Monitored SYSLOG File Name - Specify a filename for the SYSLOG file. The
default is /var/log/STRM.error.
• Alert Size - Specify the maximum number of lines you want to monitor from the
log file. The default is 1000.

Step 6 Click Save.
The System View appears.
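The three disk-usage thresholds in Table 7-5 interact as a small state machine: the warning re-fires on every 5% increase, the shutdown stops all processes, and the recovery threshold sits below the shutdown threshold so that processes do not flap around 95%. The following Python is an added example that models only that documented behaviour; it is not Host Context code, and the action names, the `new_sentinels`/`evaluate` helpers and the rounding step are assumptions made for the illustration.

```python
"""Disk-usage sentinel with the warning / shutdown / recovery thresholds of
Table 7-5. Added example, not STRM code: it models only the documented
behaviour, with assumed action names."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Partitions that Host Context monitors by default (Table 7-5).
MONITORED_PARTITIONS = ("/", "/store", "/store/tmp")


@dataclass
class DiskSentinel:
    """Tracks one partition and decides what each usage sample triggers."""
    warning_threshold: float = 0.75    # Table 7-5 default
    shutdown_threshold: float = 0.95   # Table 7-5 default
    recovery_threshold: float = 0.90   # Table 7-5 default
    realert_step: float = 0.05         # "a new e-mail ... after every 5% increase"
    processes_running: bool = True
    # Usage level at which the next warning e-mail is due; None = none sent yet.
    next_warning_at: Optional[float] = field(default=None, init=False)

    def observe(self, usage: float) -> List[str]:
        """Evaluate one sample (fraction of the partition in use, 0.0-1.0)
        and return the actions it triggers, in order."""
        if not 0.0 <= usage <= 1.0:
            raise ValueError(f"usage must be a fraction, got {usage!r}")
        actions: List[str] = []
        if not self.processes_running:
            # Hysteresis: processes restart only once usage drops below the
            # recovery threshold, not as soon as it is back under shutdown.
            if usage < self.recovery_threshold:
                self.processes_running = True
                self.next_warning_at = None
                actions.append("restart-processes")
            return actions
        if usage > self.shutdown_threshold:
            self.processes_running = False
            actions += ["email:shutdown", "stop-processes"]
            return actions
        if usage > self.warning_threshold:
            if self.next_warning_at is None or usage >= self.next_warning_at:
                actions.append("email:warning")
                # Re-arm one step above the level just reported (rounded so
                # that float noise cannot push the next trigger past a sample).
                self.next_warning_at = round(usage + self.realert_step, 4)
        else:
            # Back below the warning threshold: a future breach warns again.
            self.next_warning_at = None
        return actions


def new_sentinels(**thresholds) -> Dict[str, DiskSentinel]:
    """One sentinel per monitored partition, all sharing the same thresholds."""
    return {mount: DiskSentinel(**thresholds) for mount in MONITORED_PARTITIONS}


def evaluate(sentinels: Dict[str, DiskSentinel],
             usage_by_mount: Dict[str, float]) -> Dict[str, List[str]]:
    """Feed one sample per partition (e.g. parsed from df) to its sentinel."""
    return {mount: s.observe(usage_by_mount.get(mount, 0.0))
            for mount, s in sentinels.items()}


if __name__ == "__main__":
    # Constructed sample series for one partition: climb past 75%, spill over
    # 95%, then drain back under the 90% recovery threshold.
    s = DiskSentinel()
    for u in (0.50, 0.76, 0.80, 0.82, 0.96, 0.92, 0.89):
        print(f"{u:.2f} -> {s.observe(u)}")
```

The sample at 0.92 produces no action even though it is under the shutdown threshold; only the 0.89 sample, below the recovery threshold, restarts processing.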


Configuring STRM Components

This section provides information on configuring STRM components and includes:
• Configuring a Flow Collector
• Configuring a Flow Processor
• Configuring a Classification Engine
• Configuring an Update Daemon
• Configuring a Flow Writer
• Configuring an Event Collector
• Configuring an Event Processor
• Configuring the Magistrate

Configuring a Flow Collector

The Flow Collector collects data from devices and various live and recorded feeds,
such as network taps, span/mirror ports, NetFlow, and STRM flow logs. The Flow
Collector then groups related individual packets into a flow. A flow starts when the
Flow Collector detects the first packet with a unique source IP address, destination
IP address, source port, and destination port, as well as other protocol-specific
options, which may determine the start of a communication. Each additional packet
is evaluated and counts of bytes and packets are added to the statistical counters
in the flow record. At the end of an interval, a status record of the flow is sent to a
Flow Processor and the statistical counters for the flow are reset. A flow ends when
no activity for the flow is seen within the configured period of time.

Flow reporting generates records of all the active or expired flows during a
specified period of time. STRM defines these flows as a communication session
between two pairs of unique IP address/ports that use the same protocol. If the
protocol does not support port-based connections, STRM combines all packets
between the two hosts into a single flow record. However, a Flow Collector does
not record flows until a connection is made to another STRM component and data
is retrieved.
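The flow lifecycle described above (first packet with a new 5-tuple starts a flow, a status record per interval with counters reset afterwards, expiry after an idle period) is shown below as an added Python example. It is not Flow Collector code: the 60-second interval, the 120-second idle timeout, the strictly unidirectional key and the sample packets are all assumptions constructed for the illustration.

```python
"""Flow tracking as described for the Flow Collector: packets keyed by
(source IP, destination IP, source port, destination port, protocol), a
status record per interval, counters reset after each report, and expiry
after an idle period. Added example, not STRM code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int      # bytes on the wire


@dataclass
class FlowState:
    first_seen: float
    last_seen: float
    packets: int = 0   # counters for the current interval only
    bytes: int = 0


@dataclass(frozen=True)
class StatusRecord:
    """What the collector sends to a Flow Processor at the end of an interval."""
    key: FlowKey
    interval_start: float
    interval_end: float
    packets: int
    bytes: int


def flow_key(pkt: Packet) -> FlowKey:
    # Assumption: the page's 5-tuple; no reverse-direction matching here.
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)


class FlowCollector:
    def __init__(self, interval: float = 60.0, idle_timeout: float = 120.0):
        self.interval = interval          # reporting interval (assumed 60 s)
        self.idle_timeout = idle_timeout  # "no activity ... within the configured period"
        self.flows: Dict[FlowKey, FlowState] = {}
        self.interval_start: Optional[float] = None
        self.reports: List[StatusRecord] = []   # sent to the Flow Processor
        self.ended: List[FlowKey] = []          # flows expired for inactivity

    def advance(self, now: float) -> None:
        """Close every interval that ended at or before `now`."""
        if self.interval_start is None:
            # Align interval boundaries to multiples of the interval length.
            self.interval_start = now - (now % self.interval)
        while now >= self.interval_start + self.interval:
            self._end_interval()

    def ingest(self, pkt: Packet) -> None:
        self.advance(pkt.ts)
        key = flow_key(pkt)
        state = self.flows.get(key)
        if state is None:
            # First packet with this 5-tuple starts a new flow.
            state = FlowState(first_seen=pkt.ts, last_seen=pkt.ts)
            self.flows[key] = state
        state.last_seen = pkt.ts
        state.packets += 1
        state.bytes += pkt.length

    def _end_interval(self) -> None:
        end = self.interval_start + self.interval
        for key, state in list(self.flows.items()):
            if state.packets:
                # Emit the interval's status record, then reset the counters.
                self.reports.append(StatusRecord(key, self.interval_start, end,
                                                 state.packets, state.bytes))
                state.packets = state.bytes = 0
            if end - state.last_seen >= self.idle_timeout:
                self.ended.append(key)
                del self.flows[key]
        self.interval_start = end


# Constructed sample traffic: one TCP flow spanning two intervals, then a
# single UDP packet much later.
SAMPLE_PACKETS = [
    Packet(5, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 1000),
    Packet(10, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 500),
    Packet(70, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 200),
    Packet(200, "10.0.0.3", "10.0.0.4", 53000, 53, "udp", 80),
]

if __name__ == "__main__":
    c = FlowCollector(interval=60, idle_timeout=120)
    for p in SAMPLE_PACKETS:
        c.ingest(p)
    c.advance(240)       # close the intervals up to t=240
    for r in c.reports:
        print(r)
    print("expired:", c.ended)
```

With these samples the TCP flow is reported twice (2 packets/1500 bytes for the first interval, 1 packet/200 bytes for the second), is silent during the third, and is expired at t=240 because 170 seconds have passed since its last packet; the UDP flow produces one record and remains open.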

To configure a Flow Collector:

Step 1 In either the Flow or System View, select the Flow Collector you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The QFlow Configuration window appears.


Step 3 Enter values for the parameters:

Table 7-6 Flow Collector Parameters

• Server Listen Port - The Flow Collector passes data to the next component in
the process. Once the link is established, all collected data is passed for
further processing. Specify the port that the Flow Collector monitors for
incoming Flow Processor connections. The default range is from 32000 to 65535.
• Flow Collector ID - In larger installations, several Flow Collectors can be
installed throughout the deployment. As several Flow Collectors can function
simultaneously, you must provide each Flow Collector a unique name. You can use
that name to determine where data is originating from in the Collector View, if
configured. Specify the Flow Collector ID.
• Maximum Content Capture - Flow Collectors capture a configurable number of
bytes at the start of each flow. Transferring large amounts of content across
the network may affect network and STRM performance. On managed hosts where the
Flow Collectors are located on close high-speed links, you can increase the
content capture length. Specify the capture length, in bytes, to attach to a
flow. A value of 0 disables content capture. The default is 64 bytes.
Note: Increasing the content capture length increases the disk storage
requirements beyond the recommended disk allotment.
• Alias Autodetection - Specify one of the following options:
  - Yes - Allows the Flow Collector to detect external flow source aliases. When
a Flow Collector receives traffic from a device with an IP address but no
current alias, the Flow Collector attempts a reverse DNS lookup to determine the
hostname of the device. If the lookup is successful, the Flow Collector adds
this information to the database and reports this information to all Flow
Collectors in your deployment.
  - No - Disables the Flow Collector from detecting external flow source
aliases.
For more information on flow sources, see Chapter 7 Managing Flow Sources.

Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.

Step 5 Enter values for the parameters, as necessary:

Table 7-7 Flow Collector Parameters

• Maximum Data Capture/Packet - Specify the amount of bytes/packets you want the
Flow Collector to capture.
• Time Synchronization Server IP Address - Specify the IP address or hostname of
the time server.
• Time Synchronization Timeout Period - Specify the length of time you want the
managed host to continue attempting to synchronize the time before timing out.
The default is 15 minutes.
• Endace DAG Interface Card Configuration - Specify the Endace Network
Monitoring Interface card parameters. For more information, see the Technical
Support web site or contact Juniper Networks Customer Support.
• Flow Buffer Size - Specify the amount of memory, in MB, that you want to
reserve for flow storage. The default is 400 MB.
• Maximum Number of Flows - Specify the maximum number of flows you want to send
from the Flow Collector to Flow Processors.
• Remove duplicate flows - Enables or disables the ability to remove duplicate
flows.
• External Flow De-duplication method - Specify the method you want to use to
remove duplicate external flow sources (de-duplication). Options include:
  - Source - Compares originating flow sources. This method of removing
duplicate external flows compares the IP address of the device that exported
the current external flow record to the IP address of the device that exported
the first external record of the particular flow. If the IP addresses do not
match, the current external flow record is discarded.
  - Record - Compares individual external flow records. This method of removing
duplicate external flows logs a list of every external flow record detected by
a particular device and compares each subsequent record to that list. If the
current record is found in the list, that record is discarded.
• External flow record comparison mask - This parameter is only valid if you
configure the External Flow De-duplication method parameter to Record. Specify
the external flow record fields you want to use to remove duplicate flows.
Valid options include: D (Direction), B (ByteCount), or P (PacketCount).
Possible combinations of the options include:
  - DBP - Uses direction, byte count, and packet count when comparing flow
records.
  - XBP - Uses byte count and packet count when comparing flow records.
  - DXP - Uses direction and packet count when comparing flow records.
  - DBX - Uses direction and byte count when comparing flow records.
  - DXX - Uses direction when comparing flow records.
  - XBX - Uses byte count when comparing records.
  - XXP - Uses packet count when comparing records.
• Flow Carry-over Window - Specify the number of seconds before the end of an
interval that you want one-sided flows to be held over until the next interval.
This allows time for the inverse side of the flow to arrive before the flow is
reported.
• Minimum Buffer Data - Specify the minimum amount of data, in bytes, that you
want the Endace DAG Interface Card to receive before the captured data is
returned to the Flow Collector process. For example, if this parameter is 0 and
no data is available, the Endace DAG Interface Card allows non-blocking
behavior.
• Maximum Wait Time - Specify the maximum amount of time, in microseconds, that
you want the Endace DAG Interface Card to wait for the minimum amount of data,
as specified in the Minimum Buffer Data parameter.
• Polling Interval - Specify the interval, in microseconds, that you want the
Endace DAG Interface Card to wait before checking for additional data. A polling
interval avoids excessive polling traffic to the card and therefore conserves
bandwidth and processing time.

Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Flow Collectors in your deployment you want to configure.
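The two de-duplication methods in Table 7-7 make different trade-offs: Source keeps whichever exporter saw a flow first and drops every other exporter's copy, while Record keeps a list of records and compares new ones only on the fields selected by the D/B/P mask. The Python below is an added example that implements both as described; it is not Flow Collector code. The record fields, the sample records and the choice to keep one shared seen-list (rather than one per exporting device) are assumptions made for the illustration.

```python
"""External flow de-duplication by the two methods in Table 7-7 (Source and
Record) with the D/B/P comparison mask. Added example, not STRM code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Letter -> record field it compares; an 'X' in that position skips the field.
MASK_FIELDS = {"D": "direction", "B": "byte_count", "P": "packet_count"}


@dataclass(frozen=True)
class ExternalFlowRecord:
    exporter: str        # IP address of the device that exported the record
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    direction: str       # constructed values: "in" / "out"
    byte_count: int
    packet_count: int

    def flow_key(self) -> tuple:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def parse_mask(mask: str) -> Tuple[str, ...]:
    """'DBP' -> ('direction', 'byte_count', 'packet_count'); 'XBX' -> ('byte_count',)."""
    valid = (len(mask) == 3 and mask[0] in "DX" and mask[1] in "BX"
             and mask[2] in "PX" and mask != "XXX")
    if not valid:
        raise ValueError(f"invalid comparison mask {mask!r}; expected e.g. DBP or XBP")
    return tuple(MASK_FIELDS[c] for c in mask if c != "X")


class SourceDeduplicator:
    """Keep only records from whichever exporter first reported each flow."""
    def __init__(self) -> None:
        self.first_exporter: Dict[tuple, str] = {}

    def accept(self, rec: ExternalFlowRecord) -> bool:
        owner = self.first_exporter.setdefault(rec.flow_key(), rec.exporter)
        return owner == rec.exporter


class RecordDeduplicator:
    """Drop a record if an identical one (under the mask) was already seen."""
    def __init__(self, mask: str = "DBP") -> None:
        self.fields = parse_mask(mask)
        self.seen: Set[tuple] = set()   # assumption: one list shared by all exporters

    def accept(self, rec: ExternalFlowRecord) -> bool:
        signature = rec.flow_key() + tuple(getattr(rec, f) for f in self.fields)
        if signature in self.seen:
            return False
        self.seen.add(signature)
        return True


def deduplicate(records: List[ExternalFlowRecord], method: str,
                mask: str = "DBP") -> List[ExternalFlowRecord]:
    """Apply the configured method and return the records that survive."""
    if method == "Source":
        dedup = SourceDeduplicator()
    elif method == "Record":
        dedup = RecordDeduplicator(mask)
    else:
        raise ValueError(f"unknown de-duplication method {method!r}")
    return [r for r in records if dedup.accept(r)]


# Constructed sample: two exporters (192.0.2.1 and 192.0.2.2) both report the
# same HTTP flow; the first also reports it again tagged with the other direction.
SAMPLE_RECORDS = [
    ExternalFlowRecord("192.0.2.1", "10.0.0.1", "10.0.0.2", 1234, 80, "tcp", "in", 1500, 10),
    ExternalFlowRecord("192.0.2.2", "10.0.0.1", "10.0.0.2", 1234, 80, "tcp", "in", 1500, 10),
    ExternalFlowRecord("192.0.2.1", "10.0.0.1", "10.0.0.2", 1234, 80, "tcp", "out", 1500, 10),
    ExternalFlowRecord("192.0.2.2", "10.0.0.3", "10.0.0.4", 5555, 53, "udp", "in", 120, 1),
]

if __name__ == "__main__":
    for method, mask in (("Source", "DBP"), ("Record", "DBP"), ("Record", "XBP")):
        kept = deduplicate(SAMPLE_RECORDS, method, mask)
        print(f"{method}/{mask}: kept {len(kept)} of {len(SAMPLE_RECORDS)}")
```

Source drops only the second exporter's copy of the HTTP flow; Record with DBP does the same because the third record differs in direction, while Record with XBP ignores direction and drops the third record as well.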

Configuring a Flow Processor

A Flow Processor collects and consolidates data from one or more Flow
Collectors. Flow Processors are located between the Classification Engine, Flow
Collectors, and other Flow Processors. You can connect multiple Flow Processors
in a series.

A Flow Processor removes duplicate flows and creates superflows (aggregate
flows) before the flows reach the main Classification Engine. A superflow is
multiple flows with the same properties combined into one flow, which details
one-sided communications and security events, such as scanning and attacks,
without losing the information stored in the thousands of individual flows created
by an infected host or attacker. The superflow contains only the communications
that received no response. Valid communications from the attacking or infected
hosts are stored in the flow logs. Using superflows, STRM is able to scale to
larger environments and manage large attacks without overloading.

Superflows can last long periods of time, just like normal flows. STRM manages
superflows in the same manner as regular flows. Superflows are logged every
interval and detail the state of the flow during that time period. You can also
investigate flows using the Network Surveillance interface to further expand
superflows into more traditional flows, which allows for flexible analysis.

Some normally occurring network communications generate flows for which there
are no responses, such as web requests to a failed web server or to a host that is
down. One-sided flows are generally not a high risk threat and should not apply to
superflows. For this reason, there is a configurable threshold for superflow
generation, which a host has to breach before the flows are bundled into
superflows.
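The bundling described above, with the threshold that a host must breach before its one-sided flows become a superflow, is shown here as an added Python example. It follows the Type A (one host to many hosts) and Type B (many hosts to one host) aggregation keys listed in Table 7-9 and is not Flow Processor code; the flow fields, the /24 granularity used for "network", the thresholds and the sample traffic are assumptions, and Type C and the ICMP-specific key fields are not modelled.

```python
"""Type A and type B superflow bundling as described for the Flow Processor.
Added example, not STRM code: /24 networks, thresholds and flow fields are
assumptions; Type C superflows are not modelled."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    src_bytes: int
    src_packets: int
    dst_bytes: int          # 0 => one-sided: no response was ever seen
    tcp_flags: str = ""     # e.g. "S" for SYN-only probes


@dataclass
class Superflow:
    kind: str               # "A" (one-to-many) or "B" (many-to-one)
    key: tuple
    members: List[Flow]

    @property
    def peers(self) -> Set[str]:
        """Distinct hosts the aggregate spans (destinations for A, sources for B)."""
        return {f.dst if self.kind == "A" else f.src for f in self.members}


def network_of(ip: str) -> str:
    # Assumption: the network hierarchy groups hosts in /24s.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def type_a_key(f: Flow) -> tuple:
    # Same protocol, source bytes, source host, destination network, port and
    # flags; only the destination host varies (Table 7-9, Type A).
    return (f.proto, f.src_bytes, f.src, network_of(f.dst), f.dport, f.tcp_flags)


def type_b_key(f: Flow) -> tuple:
    # Same protocol, source bytes/packets, destination host, source network,
    # port and flags; only the source host varies (Table 7-9, Type B).
    return (f.proto, f.src_bytes, f.src_packets, f.dst, network_of(f.src),
            f.dport, f.tcp_flags)


def _bundle(kind: str, keyfunc: Callable[[Flow], tuple], flows: List[Flow],
            threshold: int) -> Tuple[List[Superflow], List[Flow]]:
    groups = defaultdict(list)
    for f in flows:
        groups[keyfunc(f)].append(f)
    supers, rest = [], []
    for key, members in groups.items():
        peers = {f.dst if kind == "A" else f.src for f in members}
        # Bundle only once the host has breached the configured threshold.
        if len(peers) >= threshold:
            supers.append(Superflow(kind, key, members))
        else:
            rest.extend(members)
    return supers, rest


def bundle_superflows(flows: List[Flow], threshold_a: int = 10,
                      threshold_b: int = 10) -> Tuple[List[Superflow], List[Flow]]:
    """Return (superflows, flows left as ordinary flows). Only one-sided flows
    are candidates; flows that received a response are never bundled."""
    one_sided = [f for f in flows if f.dst_bytes == 0]
    normal = [f for f in flows if f.dst_bytes != 0]
    supers_a, rest = _bundle("A", type_a_key, one_sided, threshold_a)
    supers_b, rest = _bundle("B", type_b_key, rest, threshold_b)
    return supers_a + supers_b, normal + rest


def sample_flows() -> List[Flow]:
    """Constructed traffic: one host probing 20 hosts, one probing 3, fifteen
    hosts hitting one web server with no reply, and one normal exchange."""
    scan = [Flow("10.0.0.5", f"10.1.2.{i}", "tcp", 445, 60, 1, 0, "S") for i in range(1, 21)]
    small = [Flow("10.0.0.6", f"10.1.2.{i}", "tcp", 445, 60, 1, 0, "S") for i in range(1, 4)]
    flood = [Flow(f"10.2.3.{i}", "10.0.0.9", "tcp", 80, 60, 1, 0, "S") for i in range(1, 16)]
    ok = [Flow("10.0.0.7", "10.1.2.1", "tcp", 80, 400, 5, 8000, "SA")]
    return scan + small + flood + ok


if __name__ == "__main__":
    supers, rest = bundle_superflows(sample_flows(), threshold_a=10, threshold_b=10)
    for s in supers:
        print(f"type {s.kind}: {len(s.members)} flows across {len(s.peers)} hosts")
    print(f"{len(rest)} flows left unbundled")
```

The host that probed only three destinations stays below the threshold and its flows remain ordinary flows, as does the answered exchange; the 20-destination probe becomes one Type A superflow and the 15-source flood one Type B superflow.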


You can also configure branch filtering in the Flow Processor, which allows you to
distribute network processing across multiple Classification Engines. A branch
filter consists of a branch and a flow class definition. The branch filter configuration
controls which flows a component receives. When configuring branch filtering, you
must use groups located at the top of your network hierarchy. For the Flow
Processor, the branch filter specifies which flows the Flow Processor receives from
flow sources.

To configure a Flow Processor:

Step 1 In either the Flow or System View, select the Flow Processor you want to
configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Flow Processor window appears.

Step 3 Enter values for the parameters:

Table 7-8 Flow Processor Parameters

• Flow Processor Listen Port - The Classification Engine connects to the Flow
Processor to accept flows through a TCP/IP link. Specify the port that the Flow
Processor monitors for incoming connections. The default range is from 32000 to
65535.
• Flow Collectors - When the Flow Processor starts, it attempts to establish a
link with one or more Flow Collectors. If the Flow Collector cannot be reached,
the Flow Processor attempts to establish the link periodically, until it
succeeds. You can have multiple Flow Collectors in your deployment and each Flow
Collector can be connected to a different time server. This parameter also
indicates whether the Flow Collector is local or remote.
Specifies the list of default Flow Collectors to which the Flow Processor
connects. The information is entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Collector.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Collector is local (L) or remote (R).
Each Flow Collector is separated with a comma. The default is localhost:32000.
• Flow Processors - Specifies the list of Flow Processors attached to this Flow
Processor. You can have multiple Flow Processors in your deployment and each
Flow Processor can be connected to a different time server. This parameter also
indicates whether the Flow Processor is local or remote. If a component is
identified as remote, any flows sent to the local Flow Processor are tagged with
the local interval time. This parameter is for information purposes only and is
not amendable. The values are entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Processor.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Collector is local (L) or remote (R).
Each Flow Processor is separated with a comma.

Step 4 In the toolbar, click Advanced to display advanced parameters.
The configuration parameters appear.


Step 5 Enter values for the parameters:

Table 7-9 Flow Processor Parameters

• Create Flow Bundles - Specify one of the following options:
  - Yes - Allows the Flow Processor to group flows that have similar properties.
  - No - Disables the bundling of flows.
• Maximum Number of Flows - Specify the maximum number of flows you want to send
from the Flow Processor to the Classification Engines. If set to 0, the number
of flows is unlimited.
• Time Difference for Duplicate Flows - Specify the time difference threshold,
in microseconds, that determines whether duplicate flows are present. The
default is 500000.
• Type A Superflows - Specify the threshold for type A superflows, which is one
host sending data to many hosts. A type A superflow is a unidirectional flow
that is an aggregate of all flows that have the same protocol, source bytes,
source hosts, destination network, destination port (TCP and UDP flows only),
TCP flags (TCP flows only), ICMP type, and code (ICMP flows only) but different
destination hosts.
• Type B Superflows - Specify the threshold for type B superflows, which is many
hosts sending data to one host. A type B superflow is a unidirectional flow that
is an aggregate of all flows that have the same protocol, source bytes, source
packets, destination host, source network, destination port (TCP and UDP flows
only), TCP flags (TCP flows only), ICMP type, and code (ICMP flows only), but
different source hosts.
• Type C Superflows - Specify the threshold for type C superflows, which is one
host sending data to another host. A type C superflow is a unidirectional flow
that is an aggregate of all non-ICMP flows that have the same protocol, source
host, destination host, source bytes, destination bytes, source packets, and
destination packets but different source or destination ports.
• IP Address(es) Range Conversion - Specify an IP address or CIDR range to
convert to another IP address or CIDR range from the Flow Processor. This allows
STRM to identify data sources on networks with similar IP addresses when a
single Flow Processor is used to process many data sources.
Enter the information in the following format:
<IP address>:<convert>
Where:
<IP address> specifies the IP address or CIDR range to be converted.
<convert> specifies the desired conversion range.
This option is also available in the Flow Collector.
• Maximum Content for Destination STRM Components - A content filter controls
where content is denied/allowed. Apply filters in the following format:
<CIDR>:<bytes of content>
Where:
<CIDR> specifies a CIDR range.
<bytes of content> specifies how much content is allowed, for example, 64 bytes
of content or 128 bytes of content.
The filter is case sensitive. You must use either all uppercase or all
lowercase characters.
For example:
If CIDR=10.100.100.0/24 and you want to allow 64 bytes of content, enter:
10.100.100.0/24:64
If CIDR=10.100.100.0/24 and you want to deny the content, enter:
10.100.100.0/24:0
If CIDR=10.100.100.0/24 and you want to allow content only to this CIDR, enter:
default:0, 10.100.100.0/24:64
• Branch Filtering - By default, branch filtering is disabled and all traffic is
forwarded to all Classification Engines. Filtering does not begin unless the
Flow Processor receives a branch filter definition from the Classification
Engine.
Specify the branch filter using the following syntax:
brc1,brc2,..,brc-N
Where:
brc-1,brc-2,....,brc-N specifies any branch of the local network hierarchy. If a
specified branch does not belong to the network hierarchy, the branch is
ignored.
For example:
ComputingServices,Manufacturing_facilites
Corporate_HQ,other
• Recombine Asymmetric Flows - In some networks, traffic is configured to take
alternate paths for inbound and outbound traffic. This is asymmetric routing.
You can combine flows received from either a single or multiple Flow
Collectors. However, if you want to combine flows from multiple Flow Collectors,
you must configure flow sources in the Asymmetric Flow Source Interface(s)
parameters in the Flow Collector configuration. For more information, see
Configuring a Flow Collector.
Choose one of the following options:
  - Yes - Asymmetric flows are combined.
  - No - Asymmetric flows are not combined.
• Ignore Asymmetric Superflows - Specify whether you want to enable the creation
of superflows while asymmetric flows are enabled. The default is Yes, which
means superflows are created.
• Enable Application Mapping - Choose one of the following:
  - Yes - Application mapping is applied, as defined in your mapping file. For
more information, see the STRM Default Application Configuration Guide. This is
the default.
  - No - Application mapping is not applied.
• User Application Mapping - Specify the name of the file that contains your
custom application mappings. For more information, see the STRM Default
Application Configuration Guide.
• Block Content - Choose one of the following options:
  - Yes - All content captured in the flows is removed from the Flow Processor.
  - No - Captured content is not removed from flows.
• Payload Modification - Specify a string to which you want all content to be
changed.

Step 6 Click Save.

The deployment editor appears.
Step 7 Repeat for all Flow Processors in your deployment you want to configure.
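Two of the Flow Processor parameters above are free-text fields with a documented syntax: the connection list (`<hostname>:<port>:[L|R]`, Table 7-8) and the content filter (`<CIDR>:<bytes of content>` with an optional `default` entry, Table 7-9). The Python below is an added example of parsing and validating both and of applying the content limit to a captured payload; it is not STRM code. The longest-prefix-match rule, the reading that an address matched by no entry (and with no `default`) keeps its full content, and the port check are assumptions, and the parser also accepts the two-field `<hostname>:<port>` form used in Table 7-10.

```python
"""Parsers for the <hostname>:<port>:[L|R] connection list (Table 7-8) and the
<CIDR>:<bytes of content> content filter (Table 7-9). Added example, not STRM
code; matching rules are assumptions noted in the comments."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Connection(NamedTuple):
    host: str
    port: int
    local: Optional[bool]   # None when the list has no L/R field (Table 7-10 form)


def parse_connections(text: str) -> List[Connection]:
    """'localhost:32000:L, qflow1.example:32000:R' -> [Connection, ...]."""
    result = []
    for item in (s.strip() for s in text.split(",") if s.strip()):
        parts = item.split(":")
        if len(parts) not in (2, 3):
            raise ValueError(f"expected <hostname>:<port>[:<L|R>], got {item!r}")
        host, port_s = parts[0], parts[1]
        if not host:
            raise ValueError(f"empty hostname in {item!r}")
        port = int(port_s)                      # non-numeric port raises ValueError
        if not 1 <= port <= 65535:              # assumption: plain TCP port range
            raise ValueError(f"port out of range in {item!r}")
        local = None
        if len(parts) == 3:
            if parts[2] not in ("L", "R"):
                raise ValueError(f"location must be L or R in {item!r}")
            local = parts[2] == "L"
        result.append(Connection(host, port, local))
    return result


class ContentFilter(NamedTuple):
    default: Optional[int]                  # None = no 'default:' entry given
    rules: Tuple[Tuple[IPNetwork, int], ...]


def parse_content_filter(text: str) -> ContentFilter:
    """'default:0, 10.100.100.0/24:64' -> ContentFilter. The keyword 'default'
    is matched exactly, since the page says the filter is case sensitive."""
    default = None
    rules = []
    for item in (s.strip() for s in text.split(",") if s.strip()):
        cidr, _, limit_s = item.rpartition(":")   # rpartition keeps IPv6 colons intact
        if not cidr or not limit_s.isdigit():
            raise ValueError(f"expected <CIDR>:<bytes of content>, got {item!r}")
        limit = int(limit_s)
        if cidr == "default":
            default = limit
        else:
            rules.append((ipaddress.ip_network(cidr), limit))   # rejects host bits set
    # Assumption: most specific prefix wins, so sort it first.
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return ContentFilter(default, tuple(rules))


def content_limit(filt: ContentFilter, ip: str) -> Optional[int]:
    """Bytes of content allowed for `ip`; None means no limit is configured."""
    addr = ipaddress.ip_address(ip)
    for network, limit in filt.rules:
        if addr in network:
            return limit
    return filt.default


def apply_content_filter(filt: ContentFilter, ip: str, payload: bytes) -> bytes:
    """Truncate captured content to the configured limit for the destination."""
    limit = content_limit(filt, ip)
    return payload if limit is None else payload[:limit]


if __name__ == "__main__":
    print(parse_connections("localhost:32000:L, qflow1.example:32000:R"))
    f = parse_content_filter("default:0, 10.100.100.0/24:64")
    for ip in ("10.100.100.7", "192.0.2.1"):
        print(ip, "->", len(apply_content_filter(f, ip, b"x" * 100)), "bytes kept")
```

With `default:0, 10.100.100.0/24:64` the filter keeps 64 bytes for hosts in 10.100.100.0/24 and strips all content for every other destination, which is the "allow content only to this CIDR" case from the table.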

Configuring a Classification Engine

The Classification Engine receives inputs from one or more Flow Processors,
classifies the flows into views and objects, and outputs the resulting database
entries and flow logs to the Update Daemon to be stored on disk. Using the
deployment map, you can either enable or disable views and configure a
Classification Engine.

To configure a Classification Engine:
Step 1 In either the Flow or System View, select the Classification Engine you want to
configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Classification Engine window appears.

Step 3 Enter values for the parameters:

Table 7-10 Classification Engine Parameters

• Classification Engine Server Listen Port - Specify the port that the
Classification Engine monitors for incoming connections. The default range is
from 32000 to 65535.
• Flow Processor Connections - When the Classification Engine starts, it
attempts to establish a TCP/IP communications link with one or more Flow
Processors to retrieve flows. If the Flow Processors cannot be reached, the
Classification Engine attempts to establish the link periodically until it
succeeds. This parameter is for information purposes only and is not amendable.
Specifies the list of Flow Processor connections using the following format:
<hostname>:<port>
The default is localhost:32001.
Each entry is separated with a comma.
• Update Daemon Connections - Specifies the hostname and port of the Update
Daemon to which the Classification Engine sends data for storage. This parameter
is for information purposes only and is not amendable. The information appears
in the following format:
<hostname>:<port>
The default is localhost:32002.
• Flow Writer connection - Specifies the hostname and port of the Flow Writer
that sends the Classification Engine data for storage. This parameter is for
information purposes only and is not amendable. The information appears in the
following format:
<hostname>:<port>
The default is localhost:32010.
• Event Collector Connections - Specifies the hostname and port of the Event
Collector that sends the Classification Engine data. This parameter is for
information purposes only and is not amendable.

Step 4 In the toolbar, click Advanced to display advanced parameters.
The configuration parameters appear.

Step 5 Enter values for the parameters:

Table 7-11 Classification Engine Parameters

Forward Flow Data
    Specify one of the following options:
    • Yes - Processes view data only and does not forward flows. This is the
    default.
    • No - Processes and forwards all data.

Process Defined Views Only
    If you are using a distributed processing Console, specify the processing
    information. This requires each involved managed host to have a list of views
    to process. For assistance, contact Juniper Networks Customer Support.

Branch Filtering
    By default, branch filtering is disabled and all traffic is forwarded to all
    Classification Engines. Filtering does not begin unless the Flow Processor
    receives a branch filter definition from the Classification Engine.
    Specify the branch filter using the following syntax:
    brc-1,brc-2,...,brc-N
    Where brc-1,brc-2,...,brc-N specifies any branch of the local network
    hierarchy. If a specified branch does not belong to the network hierarchy,
    the branch is ignored.
    For example:
    ComputingServices,Manufacturing_facilites
    Corporate_HQ,other

Network Object Limit
    Specify the maximum number of network objects you want to allow.

Asset Profile Threshold
    Specify the maximum number of asset profiles you want to monitor. The
    default is 25,000.

Remote Host Cache Clear Interval
    Specify the period of time, in seconds, that you want to retain the log
    files that are stored as the result of a remote view lookup.

Step 6 Click Save.
The deployment map appears.
Step 7 Repeat for all Classification Engines in your deployment you want to configure.

Configuring an Update Daemon

Once the Classification Engine has processed the flows for an interval, the Update
Daemon stores the database and TopN data. Depending on the size of your
deployment, you may have multiple Update Daemons.

To configure an Update Daemon:
Step 1 In either the Flow or System View, select the Update Daemon you want to
configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Update Daemon Configuration window appears.

Step 3 For the Server listen port parameter, specify the Update Daemon listening port
values. Separate each entry with a comma. This port monitors requests from the
Classification Engine. The entered values must match the values configured for
the Classification Engine.
Step 4 In the toolbar, click Advanced to display advanced parameters.
The configuration parameters appear.

Step 5 Enter values for the parameters:

Table 7-12 Update Daemon Parameters

Database Storage Location
    Specify the directory in which you want to store the database information.
    The default is /store/db.

TopN Database Storage Location
    Specify the directory in which you want to store the TopN database. The
    default is /store/STRM-tmp/topn.

Step 6 Click Save.
The deployment map appears.
Step 7 Repeat for all Update Daemons in your deployment you want to configure.
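The connection-list format of Table 7-10, the branch filter rule of Table 7-11 (unknown branches are ignored) and the requirement in Step 3 above that the Update Daemon listen ports match the values configured for the Classification Engine can all be checked before a configuration is deployed. The following Python is an added example written for this guide, not STRM code or a Juniper tool; the function names, the sample hostnames and branch names are the editor's own, and treating a port outside 1 to 65535 as an error is the editor's assumption.

```python
# Added example: validate deployment-editor connection strings and branch
# filters as described in Tables 7-10 and 7-11. Not STRM code; function names
# and sample values are the editor's own.

LISTEN_PORT_MIN, LISTEN_PORT_MAX = 32000, 65535  # default range from Table 7-10


def parse_connections(value):
    """Parse a comma-separated '<hostname>:<port>' list into (host, port) tuples.

    Entries are stripped of surrounding whitespace; empty entries are skipped.
    A malformed entry or a port outside 1..65535 raises ValueError.
    """
    connections = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        host, sep, port_text = entry.rpartition(":")
        if not sep or not host or not port_text.isdigit():
            raise ValueError(f"malformed connection entry: {entry!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in entry: {entry!r}")
        connections.append((host, port))
    return connections


def is_default_listen_port(port):
    """True when the port lies in the default listen-port range of Table 7-10."""
    return LISTEN_PORT_MIN <= port <= LISTEN_PORT_MAX


def apply_branch_filter(filter_text, hierarchy):
    """Split 'brc-1,brc-2,...,brc-N' and separate known from unknown branches.

    Mirrors the documented rule: a branch that is not part of the local network
    hierarchy is ignored. Returns (kept, ignored) lists in input order.
    """
    kept, ignored = [], []
    for raw in filter_text.split(","):
        branch = raw.strip()
        if not branch:
            continue
        (kept if branch in hierarchy else ignored).append(branch)
    return kept, ignored


def unmatched_connections(connections, listen_ports):
    """Return the (host, port) entries whose port is not among the daemon's
    configured listen ports; the guide requires these values to match."""
    return [conn for conn in connections if conn[1] not in listen_ports]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    ce_update_daemons = parse_connections("localhost:32002, ud2.lab.example:32005")
    daemon_listen_ports = {32002}
    print("unmatched:", unmatched_connections(ce_update_daemons, daemon_listen_ports))
    kept, ignored = apply_branch_filter(
        "ComputingServices,Manufacturing_facilites,Corporate_HQ,other",
        {"ComputingServices", "Corporate_HQ"},
    )
    print("kept:", kept, "ignored:", ignored)
```

Run it against the strings you intend to paste into the deployment editor; a non-empty unmatched list means the Update Daemon (or Flow Writer) listen port and the Classification Engine connection entry disagree and the link will not be established.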

Configuring a Flow Writer

Once the Classification Engine has processed the flows for an interval, the Flow
Writer stores the flow and asset profile data. You can only have one Flow Writer
per host, which must be connected to the Classification Engine.

To configure a Flow Writer:
Step 1 In either the Flow or System View, select the Flow Writer you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Flow Writer Configuration window appears.

Step 3 Enter values for the parameters:

Table 7-13 Flow Writer Parameters

Server listen port
    Specify the Flow Writer listening port values. Separate each entry with a
    comma. This port monitors requests from the Classification Engine. The
    entered values must match the values configured for the Classification
    Engine.

Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.

Step 5 Enter values for the parameters:

Table 7-14 Flow Writer Advanced Parameters

Maximum Hosts Count Before a Reset
    Specify the maximum number of hosts you want the system to store before all
    counters are reset. The lower the reset threshold, the more disk space your
    system saves; however, query time may be extended.

Step 6 Click Save.

The deployment map appears.

Configuring an Event Collector

The Event Collector collects security events from various types of security devices
in your network.

To configure an Event Collector:
Step 1 From either the Event View or System View, select the Event Collector you want to
configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Event Collector Configuration window appears.

Step 3 Enter values for the parameters:

Table 7-15 Event Collector Parameters

Event Collector Server Listen Port
    The Event Collector monitors at least one device per instance of the
    component.

Destination Event Processor
    Specify the destination Event Processor for communications.

Listen Port
    Specifies the listening port for event forwarding.

Event Targets
    If the Event Collector includes an off-site target, this parameter specifies
    the normalized event forwarding device, separated by commas, using the
    following format:
    <device>:<type>
    This parameter is for informational purposes only and is not amendable.

Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.

Step 5 Enter values for the parameters:

Table 7-16 Event Collector Advanced Parameters

Receives Flow Context
    Specifies the first Event Collector installed in your deployment. This
    parameter is for informational purposes only and is not amendable.

Auto Detection Enabled
    Specify if you want the Event Collector to auto analyze and accept traffic
    from previously unknown sensor devices. The default is true, which means
    that the Event Collector detects sensor devices in your network. Also, when
    set to True, the appropriate firewall ports are opened to enable auto
    detection to receive events. For more information on configuring sensor
    devices, see the Managing Sensor Devices Guide.

Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Event Collectors in your deployment you want to configure.

Configuring an Event Processor

The Event Processor processes flows collected from one or more Event
Collector(s).

To configure an Event Processor:
Step 1 From either the Event View or System View, select the Event Processor you want
to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Event Processor Configuration window appears.

Step 3 Enter values for the parameters:

Table 7-17 Event Processor Parameters

Event Processor Server Listen Port
    Specify the port that the Event Processor monitors for incoming connections.
    The default range is from 32000 to 65535.

Destination Magistrate
    Specifies the Magistrate to which events are sent. This parameter is for
    informational purposes only and is not amendable.

Classification Engines
    All Event Processors are connected to all Classification Engines in your
    deployment. Specifies all Classification Engines in your deployment. This
    parameter is for informational purposes only and is not amendable.

ESA Server
    Specifies the Event Statistical Aggregation (ESA) server to which the Event
    Processor is connected. This parameter is for informational purposes only
    and is not amendable.

Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.

Step 5 Enter values for the parameters, as necessary:

Table 7-18 Event Processor Parameters

Overflow Routing Threshold
    Specify the threshold, in events per second, that the Event Processor can
    manage. Events over this threshold are placed in the cache.

Path to Ariel Events Database
    Specify the location where you want to store events. The default is
    /store/ariel/events.

Path to Ariel Payloads Database
    Specify the location where you want to store payload information. The
    default is /store/ariel/payloads.

Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Event Processors in your deployment you want to configure.

Configuring the Magistrate

The Magistrate component provides the core processing components of the SIM
option.

To configure the Magistrate component:
Step 1 From either the Event View or System View, select the Magistrate component you
want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Magistrate Configuration window appears.

Step 3 Enter values for the parameters:

Table 7-19 Magistrate Parameters

Magistrate Server Listen Port
    Specify the port that the Magistrate monitors for incoming connections. The
    default range is 32000 to 65535.

ESA Server
    Specifies the Event Statistical Aggregation (ESA) server to which the
    Magistrate is connected. This parameter is for informational purposes only
    and is not amendable.

Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.

Step 5 For the Overflow Routing Threshold parameter, specify the threshold, in
events per second, that the Magistrate can manage. Events over this threshold are
placed in the cache. The default is 20000.
Step 6 Click Save.
The deployment editor appears.

7 MANAGING FLOW SOURCES

This chapter provides information on managing flow sources in your deployment,
including:
• About Flow Sources
• Managing Flow Sources
• Managing Flow Source Aliases

About Flow Sources

STRM allows you to integrate internal and external flow sources:
• Internal flow sources - Includes any additional hardware installed on a
managed host, such as a Network Interface Card (NIC). Depending on the
hardware configuration of your managed host, the options may include:
- Network interface card
- Endace Network Monitoring Interface Card.
• External flow sources - Configures an external flow source for the Flow
Collector. If your Flow Collector receives multiple flow sources, you can assign
each source a distinct name, providing the ability to distinguish one source of
external flow data from another when received on the same Flow Collector. To
assign names to multiple flow sources, you must configure the External Flow
Source Interface Name parameter in the Flow Collector component. External
flow sources may include:
- NetFlow
- sFlow
- J-Flow
- Packeteer
- Flowlog File

NetFlow

A proprietary accounting technology developed by Cisco Systems® Inc. that
monitors traffic flows through a switch or router, interprets the client, server,
protocol, and port used, counts the number of bytes and packets, and sends that
data to a NetFlow collector. The process of sending data from NetFlow is often
referred to as a NetFlow Data Export (NDE). You can configure STRM to accept
NDEs and thus become a NetFlow collector. STRM supports NetFlow versions 1,
5, 7, and 9. For more information on NetFlow, see www.cisco.com. While NetFlow
expands the amount of the network that is monitored, NetFlow has the following
limitations:
• NetFlow classifies only application traffic from the TCP port (for example, HTTP
on port 80). This layer 4 analysis of traffic does not consider the actual layer 7
identification of application traffic that is available in STRM.
• NetFlow uses a connection-less protocol (UDP) to deliver NDEs. Once an NDE
is sent from a switch or router, the NetFlow record is purged. Because UDP does
not guarantee delivery, lost NDEs lead to inaccurate recording and reduced
alerting capabilities. This can result in inaccurate presentations of both
traffic volumes and bi-directional flows.

Once you configure an external flow source for NetFlow, you must:
• Make sure the appropriate firewall rules are configured. Note that if you change
your External Flow Source Monitoring Port parameter in the Flow Collector
configuration, you must also update your firewall access configuration.
• Make sure the appropriate ports are configured for your Flow Collector.

If you are using NetFlow version 9, make sure the NetFlow template from the
NetFlow source includes the following fields:
• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT
• IN_BYTES and/or OUT_BYTES
• IN_PKTS and/or OUT_BYTES
• TCP_FLAGS (TCP flows only)
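A NetFlow v9 exporter announces its record layout in template FlowSets (FlowSet ID 0), so the field list above can be checked directly against what the exporter sends rather than waiting for empty or malformed flows to show up in STRM. The following Python is an added example for this guide, not STRM code: it parses the template FlowSets of a v9 export packet and reports which required fields are absent. The numeric field type IDs are those of RFC 3954; the sample packet is constructed inline; and because the guide lists OUT_BYTES twice, the example assumes the packet-count alternative to IN_PKTS is meant to be OUT_PKTS.

```python
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8) for the fields the guide requires.
FIELD_IDS = {
    "IN_BYTES": 1, "IN_PKTS": 2, "PROTOCOL": 4, "TCP_FLAGS": 6,
    "L4_SRC_PORT": 7, "IPV4_SRC_ADDR": 8, "L4_DST_PORT": 11,
    "IPV4_DST_ADDR": 12, "LAST_SWITCHED": 21, "FIRST_SWITCHED": 22,
    "OUT_BYTES": 23, "OUT_PKTS": 24,
}

# Required groups: a template passes when at least one member of each group is
# present. The guide lists OUT_BYTES twice; the packet-count alternative is taken
# here to be OUT_PKTS (editor's assumption).
REQUIRED_GROUPS = [
    ("FIRST_SWITCHED",), ("LAST_SWITCHED",), ("PROTOCOL",),
    ("IPV4_SRC_ADDR",), ("IPV4_DST_ADDR",),
    ("L4_SRC_PORT",), ("L4_DST_PORT",),
    ("IN_BYTES", "OUT_BYTES"),
    ("IN_PKTS", "OUT_PKTS"),
]

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
PAIR = struct.Struct("!HH")        # flowset id/length, template id/field count, field type/length


def parse_templates(packet):
    """Return {template_id: [field_type, ...]} for every template FlowSet (ID 0)
    in a NetFlow v9 export packet. Data and options FlowSets are skipped."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version = HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = HEADER.size
    while offset + PAIR.size <= len(packet):
        flowset_id, length = PAIR.unpack_from(packet, offset)
        if length < PAIR.size or offset + length > len(packet):
            raise ValueError("invalid FlowSet length")
        if flowset_id == 0:
            body = packet[offset + PAIR.size:offset + length]
            pos = 0
            while pos + PAIR.size <= len(body):
                template_id, field_count = PAIR.unpack_from(body, pos)
                pos += PAIR.size
                if template_id == 0 and field_count == 0:
                    break  # trailing padding, not a template
                if pos + field_count * PAIR.size > len(body):
                    raise ValueError(f"truncated template {template_id}")
                fields = []
                for _ in range(field_count):
                    field_type, _field_len = PAIR.unpack_from(body, pos)
                    fields.append(field_type)
                    pos += PAIR.size
                templates[template_id] = fields
        offset += length
    return templates


def missing_fields(field_types, tcp=False):
    """List the required groups absent from one template; TCP_FLAGS only when tcp=True."""
    present = set(field_types)
    missing = ["/".join(group) for group in REQUIRED_GROUPS
               if not any(FIELD_IDS[name] in present for name in group)]
    if tcp and FIELD_IDS["TCP_FLAGS"] not in present:
        missing.append("TCP_FLAGS")
    return missing


def check_packet(packet, tcp=False):
    """Map each template id in the packet to its list of missing required fields."""
    return {tid: missing_fields(fields, tcp) for tid, fields in parse_templates(packet).items()}


# Constructed test data: a minimal export packet carrying one template FlowSet.
FIELD_LENGTHS = {1: 4, 2: 4, 4: 1, 6: 1, 7: 2, 8: 4, 11: 2, 12: 4, 21: 4, 22: 4, 23: 4, 24: 4}


def build_template_packet(template_id, field_types):
    header = HEADER.pack(9, 1, 0, 0, 0, 0)
    fields = b"".join(PAIR.pack(t, FIELD_LENGTHS.get(t, 4)) for t in field_types)
    body = PAIR.pack(template_id, len(field_types)) + fields
    return header + PAIR.pack(0, PAIR.size + len(body)) + body


COMPLETE_TEMPLATE = build_template_packet(256, [22, 21, 4, 8, 12, 7, 11, 1, 2, 6])
INCOMPLETE_TEMPLATE = build_template_packet(257, [22, 21, 4, 8, 12, 7, 11, 1])
```

To use this on a live exporter, capture a few UDP datagrams on the External Flow Source Monitoring Port and feed each payload to check_packet; templates are usually resent only every few minutes or every N packets, so capture long enough to see one.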

sFlow

A multi-vendor and end-user standard for sampling technology that provides
continuous monitoring of application level traffic flows on all interfaces
simultaneously. sFlow combines interface counters and flow samples into sFlow
datagrams that are sent across the network to an sFlow collector. STRM supports
sFlow versions 2, 4, and 5. Note that sFlow traffic is based on sampled data and,
therefore, may not represent all network traffic. For more information on sFlow, see
www.sflow.org.

sFlow uses a connection-less protocol (UDP). Once data is sent from a switch or
router, the sFlow record is purged. Because UDP does not guarantee delivery, lost
sFlow records lead to inaccurate recording and reduced alerting capabilities. This
can result in inaccurate presentations of both traffic volumes and bi-directional
flows.

Once you configure an external flow source for sFlow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.

J-Flow

A proprietary accounting technology used by Juniper® Networks that allows you to
collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on
a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or
interface to collect network statistics for specific locations on your network. Note
that J-Flow traffic is based on sampled data and, therefore, may not represent all
network traffic. For more information on J-Flow, see www.juniper.net.

J-Flow uses a connection-less protocol (UDP). Once data is sent from a switch or
router, the J-Flow record is purged. Because UDP does not guarantee delivery, lost
J-Flow records lead to inaccurate recording and reduced alerting capabilities. This
can result in inaccurate presentations of both traffic volumes and bi-directional
flows.

Once you configure an external flow source for J-Flow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.

Packeteer

Packeteer devices collect, aggregate, and store network performance data. Once
you configure an external flow source for Packeteer, you can send flow information
from a Packeteer device to STRM.

Packeteer uses a connection-less protocol (UDP). Once data is sent from a switch
or router, the Packeteer record is purged. Because UDP does not guarantee
delivery, lost Packeteer records lead to inaccurate recording and reduced alerting
capabilities. This can result in inaccurate presentations of both traffic volumes
and bi-directional flows.

To configure Packeteer as an external flow source, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure that you configure Packeteer devices to export flow detail records
and configure the Flow Collector as the destination for the data export.
• Make sure the appropriate ports are configured for your Flow Collector.
• Make sure the class IDs from the Packeteer devices will automatically be
detected by the Flow Collector.
• For additional information on mapping Packeteer applications into STRM, see
the Mapping Packeteer Applications into STRM Technical Note available on the
technical support web site.

Flowlog File

A file generated from the STRM flow logs.

Managing Flow Sources

For STRM appliances, STRM automatically adds default flow sources for the
physical ports on the appliance. STRM also includes a default NetFlow v5
flow source. If you have installed STRM on your own hardware, STRM attempts to
automatically detect and add default flow sources for any physical devices (such
as a NIC card). Also, once you assign a Flow Collector, STRM includes a default
NetFlow flow source.

Using the Administration Console, you can:
• Adding a Flow Source
• Editing a Flow Source
• Enabling/Disabling a Flow Source
• Deleting a Flow Source

Adding a Flow Source

To add a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Sources icon.
The Flow Source window appears.

Step 3 Click Add.
The Add Flow Source window appears.

Step 4 Enter values for the parameters:

Table 8-1 Add Flow Source

Build from existing flow source
    Select the check box if you want to create this flow source using an
    existing flow source as a template. Once the check box is selected, use the
    drop-down list box to select the desired flow source and click Use as
    Template.

Flow Source Name
    Specify the name of the flow source. We recommend that for an external flow
    source that is also a physical device, you use the device name as the flow
    source name. If the flow source is not a physical device, make sure you use
    a meaningful name. For example, if you want to use NetFlow traffic, enter
    nf1.

Target Flow Collector
    Using the drop-down list box, select the Flow Collector you want to use for
    this flow source.

Flow Source Type
    Using the drop-down list box, select the flow source type for this flow
    source. The options are:
    • Flowlog File
    • JFlow
    • Netflow v.1, v5, v7, or v9
    • Network Interface
    • Packeteer FDR
    • SFlow v.2, v.4, or v5

Enable Asymmetric Flows
    In some networks, traffic is configured to take alternate paths for inbound
    and outbound traffic. This is asymmetric routing. Select the check box if
    you want to enable asymmetric flows for this flow source.

Step 5 Choose one of the following:

a If you selected Flowlog File as the Flow Source Type, configure the Source File
Path, which is the source path location for the flow log file.
b If you selected JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source
Type, configure the following:
Table 8-2 External Flow Parameters

Monitoring Interface
    Using the drop-down list box, select the monitoring interface you want to
    use for this flow source.

Monitoring Port
    Specify the port you want this flow source to use.

Enable Flow Forwarding
    Select the check box to enable flow forwarding for this flow source. Once
    the check box is selected, the following options appear:
    • Forwarding Port - Specify the port to which you wish to forward flows.
    The default is 1025.
    • Forwarding Destinations - Specify the destinations to which you wish to
    forward flows. You can add or remove addresses from the list using the
    Add and Remove buttons.

c If you selected Network Interface as the Flow Source Type, configure the
following:
Table 8-3 Network Interface Parameters

Device
    Using the drop-down list box, select the device interface you want to
    assign to this flow source.
    Note: You can only configure one device per Ethernet Interface. Also, you
    cannot send different flow types to the same port.

Filter String
    Specify the filter string for this flow source.

Step 6 Click Save.
Step 7 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.

Editing a Flow Source

To edit a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Sources icon.
The Flow Source window appears.

Step 3 Click Edit.
The Edit Flow Source window appears.

Step 4 Edit values, as necessary. For more information on values for flow source types,
see Adding a Flow Source.
Step 5 Click Save.
Step 6 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.

Enabling/Disabling a Flow Source

To enable or disable a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source icon.
The Flow Source window appears.

Step 3 Select the flow source you want to enable or disable.

Step 4 Click Enable/Disable.
The Enabled column indicates if the flow source is enabled or disabled. If the flow
source was previously disabled, the column now indicates True to indicate the flow
source is now enabled. If the flow source was previously enabled, the column now
indicates False to indicate the flow source is now disabled.
Step 5 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.

Deleting a Flow Source

To delete a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source icon.
The Flow Source window appears.
Step 3 Select the flow source you want to delete.
Step 4 Click Delete.
A confirmation window appears.
Step 5 Click Ok.
Step 6 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.

Managing Flow Source Aliases

You can configure a virtual name (or alias) for flow sources. You can identify
multiple sources being sent to the same Flow Collector, using the sources’ IP
address and virtual name. An alias allows a Flow Collector to uniquely identify and
process data sources being sent to the same port.

When a Flow Collector receives traffic from a device with an IP address but no
current alias, the Flow Collector attempts a reverse DNS lookup to determine the
hostname of the device. If the lookup is successful, the Flow Collector adds this
information to the database and reports it to all Flow Collectors in your
deployment.

Note: Using the deployment editor, you can configure the Flow Collector to
automatically detect flow source aliases. For more information, see Chapter 6
Managing Flow Sources.
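The lookup chain just described (configured alias first, then a reverse DNS lookup whose result is remembered, then the bare IP address when neither exists) is what lets one Flow Collector port serve several exporters without their records being mixed up. The following Python is an added example illustrating that chain; it is not STRM's implementation. The class and function names are the editor's own, the addresses are TEST-NET-1 samples constructed for the example, and the resolver is a constructed table standing in for the socket.gethostbyaddr call a real collector would make.

```python
import ipaddress


class ConstructedResolver:
    """Stand-in for reverse DNS so the example runs offline. A real collector
    would call socket.gethostbyaddr(ip); here a constructed PTR table answers."""

    def __init__(self, ptr_table):
        self.ptr_table = dict(ptr_table)
        self.calls = 0  # counts lookups so caching behaviour is observable

    def __call__(self, ip):
        self.calls += 1
        return self.ptr_table.get(ip)


class FlowSourceAliases:
    """Alias lookup chain for exporters that share one collector port:
    configured alias -> name learned by reverse DNS -> bare IP address."""

    def __init__(self, configured, reverse_lookup):
        self.configured = dict(configured)  # {ip: alias} set by the administrator
        self.learned = {}                   # {ip: hostname} learned from reverse DNS
        self._reverse_lookup = reverse_lookup

    def name_for(self, ip):
        ip = str(ipaddress.ip_address(ip))  # rejects garbage, normalises the text form
        if ip in self.configured:
            return self.configured[ip]
        if ip in self.learned:
            return self.learned[ip]
        hostname = self._reverse_lookup(ip)
        if hostname:
            self.learned[ip] = hostname     # the "added to the database" step
            return hostname
        return ip                           # no alias and no PTR: fall back to the address

    def tag_records(self, records):
        """Attach the resolved name to each (exporter_ip, payload) record."""
        return [(self.name_for(ip), payload) for ip, payload in records]


# Constructed sample data (TEST-NET-1 addresses), not from a real deployment.
RESOLVER = ConstructedResolver({"192.0.2.10": "rtr-core1.lab.example"})
ALIASES = FlowSourceAliases({"192.0.2.20": "nf-branch-office"}, RESOLVER)
SAMPLE_RECORDS = [
    ("192.0.2.20", "netflow v5 record"),
    ("192.0.2.10", "netflow v9 record"),
    ("192.0.2.10", "netflow v9 record"),
    ("192.0.2.30", "sflow v5 sample"),
]

if __name__ == "__main__":
    for name, payload in ALIASES.tag_records(SAMPLE_RECORDS):
        print(f"{name:24} {payload}")
    print("reverse lookups performed:", RESOLVER.calls)
```

Note that a failed lookup is not remembered in this example, so an exporter with no PTR record is looked up again on every record; a production collector would cache negative results as well, which is why giving such devices an explicit alias in the Administration Console is the cleaner option.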

Using the Administration Console, you can:
• Adding a Flow Source Alias
• Editing a Flow Source Alias
• Deleting a Flow Source Alias

Adding a Flow Source Alias

To add a flow source alias:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source Aliases icon.
The Flow Source Alias window appears.
Step 3 Click Add.
The Flow Source Alias Management window appears.

Step 4 Enter values for the parameters:
• IP - Specify the IP address of the flow source alias.
• Name - Specify the name of the flow source alias.
Step 5 Click Save.
Step 6 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.

Editing a Flow Source Alias

To edit a flow source alias:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source Aliases icon.
The Flow Source Alias window appears.
Step 3 Select the flow source alias you want to edit.
Step 4 Click Edit.
The Flow Source Alias Management window appears.
Step 5 Update values, as necessary.
Step 6 Click Save.
Step 7 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.

Deleting a Flow Source Alias

To delete a flow source alias:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source Aliases icon.
The Flow Source Aliases window appears.
Step 3 Select the flow source alias you want to delete.
Step 4 Click Delete.
A confirmation window appears.
Step 5 Click Ok.
Step 6 From the Administration Console menu, select Configurations > Deploy
Configuration Changes.

8 OVERVIEW

This chapter provides an overview of the STRM Administration Console and
STRM administrative functionality, including:
• About the Interface
• Accessing the Administration Console
• Using the Interface
• Deploying Changes

About the Interface

You must have administrative privileges to access the Administration Console. The
STRM Administration Console provides access to the following administrative
functionality:
• Manage users. See Chapter 1 Managing Users.
• Manage your network settings. See Chapter 2 Managing the System.
• Manage STRM settings. See Chapter 3 Setting Up STRM.
• Manage authorized services. See Chapter 4 Managing Authorized Services.
• Backup and recover your data. See Chapter 5 Managing Backup and
Recovery.
• Manage your deployment views. See Chapter 6 Using the Deployment Editor.
• Manage flow sources. See Chapter 7 Managing Flow Sources.
• Configure sentries. See Chapter 9 Managing Sentries.
• Configure views. See Chapter 10 Managing Views.
• Configure syslog forwarding. See Chapter 13 Forwarding Syslog Data.

All configuration updates using the Administration Console are saved to a staging
area. Once all changes are complete, you can deploy the configuration changes or
all configuration settings to the remainder of your deployment.

Accessing the Administration Console

You can access the STRM Administration Console through the main STRM
interface. To access the Administration Console, click Config in the main STRM
interface. The Administration Console appears.

Using the Interface

The Administration Console provides several tabs and menu options that allow you
to configure STRM, including:
• System Configuration - Provides access to administrative functionality, such
as, user management, automatic updates, license key, network hierarchy,
sentries, system settings, system notifications, authorized services, backup and
recovery, and Console configuration.
• Views Configuration - Provides access to STRM views.
• SIM Configuration - Provides access to scanners, sensor device
management, syslog forwarding, and reset the SIM model.
• Flow Configuration - Provides access to flow source configuration, such as
NetFlow.

The Administration Console also includes several menu options:

Table 1-1 Administrative Console Menu Options

File
    Close - Closes the Administration Console.

Configurations
    Deployment Editor - Opens the deployment editor interface.
    Deploy Configuration Changes - Deploys any configuration changes from the
    current session to your deployment.
    Deploy All - Deploys all configuration settings to your deployment.

System
    System Start - Starts the STRM application.
    System Stop - Stops the STRM application.
    System Restart - Restarts the STRM application.

Help
    Help Contents - Opens user documentation.
    About - Displays version information.

The Administration Console provides several toolbar options:

Table 1-2 Administration Console Toolbar Options

• Opens the deployment editor interface.
• Deploys all changes made through the Administration Console.

Deploying Changes

Once you update your configuration settings using the Administration Console,
you must save those changes to the staging area. You must either manually
deploy all changes using the Deploy menu option or, upon exit, a window appears
prompting you to deploy changes before you exit. All deployed changes are then
enforced throughout your deployment.

Using the Administration Console menu, you can deploy changes as follows:
• Deploy All - Deploys all configuration settings to your deployment.
• Deploy Configuration Changes - Deploys any configuration changes from the
current session to your deployment.

9 MANAGING SENTRIES

Sentries provide an alerting function for your network. A sentry can monitor any
number of views and generate an alert when traffic in one of the monitored views
meets the specified criteria. A non-administrative user can create sentries,
however, only an administrative user can configure advanced sentries on a
system-wide basis.

Note: For information on creating sentries using the Network Surveillance
interface, see the STRM Users Guide.

This chapter provides information on managing STRM sentries, including:
• About Sentries
• Viewing Sentries
• Editing Sentry Details
• Managing Packages
• Managing Logic Units

About Sentries

You can create sentries that perform actions when certain specified conditions are
met. These actions may include sending an e-mail notification or storing sentry
event information. You can also add sentry alerts for a specific traffic type.

You can save Packages and Logic Units for use with other sentries. For example, if
you create a DDoS package, you can create sentries at different locations in your
network using the DDoS package. Similarly, an administration user can create a
package for other non-administration users to use.

Sentries contain the following components:
• Logic Unit - Includes the specific algorithm used to test objects. The Logic Unit
contains the default variables for the sentry.
• Package - Contains the view objects (default variables) that are forwarded to
the Logic Unit and default variables to be used by the sentry. All variables in the
Package configuration have priority over the Logic Unit variables. The objects
are created from any defined STRM view, with the exception of the main
network view. For example, a package may contain all applications that you
want to monitor for inappropriate use.

• Sentry - Specifies the network location to which you want the sentry to apply. The
network location component of the sentry can also specify any restrictions that
you want to enforce. The variables in the sentry component have priority over
the Package and Logic Unit variables. For example, you can configure a sentry
to monitor the accounting department network location between 8 am and 5
pm. However, you can also specify that you only want to be notified of any
misuse if the activity continues for more than 10 minutes.
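The three-layer precedence (sentry over Package over Logic Unit) and the accounting-department example above can be made concrete in a few lines of code. The following Python is an added illustration written for this guide, not STRM's sentry engine: the variable names threshold, window and min_duration, the sample values and the timestamps are all the editor's own constructions, and the evaluation rule (alert once per run of samples at or above threshold that lasts longer than min_duration inside the time window) is a simplification of what a real sentry does.

```python
from datetime import datetime, timedelta


def resolve_variables(logic_unit, package, sentry):
    """Effective sentry variables. Precedence as described in the text:
    sentry overrides package, package overrides logic unit defaults."""
    effective = dict(logic_unit)
    effective.update(package)
    effective.update(sentry)
    return effective


def evaluate_sentry(samples, variables):
    """Run one monitored view's samples through the sentry restrictions.

    samples: time-ordered list of (datetime, observed_value).
    variables: 'threshold', 'window' as (start_hour, end_hour), and
    'min_duration' as a timedelta.
    An alert (run_start, run_end) is raised when observed_value stays at or
    above threshold inside the window for longer than min_duration; the run is
    then re-armed so each sustained episode produces one alert.
    """
    threshold = variables["threshold"]
    start_hour, end_hour = variables["window"]
    min_duration = variables["min_duration"]
    alerts = []
    run_start = None
    for ts, value in samples:
        in_window = start_hour <= ts.hour < end_hour
        if in_window and value >= threshold:
            if run_start is None:
                run_start = ts
            elif ts - run_start > min_duration:
                alerts.append((run_start, ts))
                run_start = None
        else:
            run_start = None  # activity stopped or left the window: reset
    return alerts


# Constructed variables for the accounting-department example in the text:
# watched 8 am to 5 pm, alerting only after 10 minutes of continued activity.
LOGIC_UNIT = {"threshold": 50, "window": (0, 24), "min_duration": timedelta(minutes=1)}
PACKAGE = {"threshold": 100}
SENTRY = {"threshold": 200, "window": (8, 17), "min_duration": timedelta(minutes=10)}


def at_time(hour, minute):
    return datetime(2008, 10, 1, hour, minute)


# Constructed samples: a 20-minute burst at 09:00, a 5-minute blip at noon,
# and sustained activity at 18:00 that falls outside the 8-to-5 window.
SAMPLES = [
    (at_time(9, 0), 250), (at_time(9, 5), 250), (at_time(9, 10), 250),
    (at_time(9, 15), 250), (at_time(9, 20), 250), (at_time(9, 25), 10),
    (at_time(12, 0), 250), (at_time(12, 5), 250), (at_time(12, 10), 10),
    (at_time(18, 0), 250), (at_time(18, 5), 250), (at_time(18, 10), 250),
    (at_time(18, 15), 250),
]

if __name__ == "__main__":
    effective = resolve_variables(LOGIC_UNIT, PACKAGE, SENTRY)
    print("effective variables:", effective)
    for run_start, run_end in evaluate_sentry(SAMPLES, effective):
        print(f"alert: activity from {run_start:%H:%M} to {run_end:%H:%M}")
```

Running the same samples with only the Package and Logic Unit variables (no sentry overrides) produces several alerts, including the noon blip and the after-hours activity; the sentry-level restrictions reduce that to the single 09:00 episode, which is exactly the tuning the text describes.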

Viewing Sentries

To view the default or deployed sentries:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon.
If this is the first time you have accessed the Sentries window, the Sentry
Initialization window appears. Go to Step 3.

If this is not the first time you have accessed the Sentries window, go to Step 4.
Step 3 Choose one of the following options:
a If you want to include default sentries in your sentry list, click Create Sentries.
If you want to use the default sentries, you must tune these sentries for your
system.
The default sentries that appear depend on the template chosen during the
installation process. For more information on the defaults, see:
- Enterprise Template - See Appendix B Enterprise Template Defaults.
- University Template - See Appendix C University Template Defaults.
b If you do not want to include pre-configured sentries in your list, click Cancel.
The Sentries window appears.
Step 4 From the View By drop-down list box, select the desired view. The options are:
• Objects - View the available sentries or sentry components including:
- Sentry
- Package
- Logic Units
• Users - View the available sentries by the user who created the sentry.
Step 5 Select the sentry you want to view.

Table 2-1 provides the details of the Sentry List window:


Table 2-1 Sentry List

Parameter Description
Name Specifies the name of the configured item.
Owner Specifies the name of the user who created the sentry.
Action Provides one of the following options: an edit icon, which allows you to edit the details (you can only edit sentries that you have created), and a delete icon, which allows you to delete the selected item (you can only delete sentries that you have created).
Enabled Allows you to enable or disable the sentry. To enable the
sentry, select the check box. To disable the sentry, clear
the check box.

Editing Sentry Details

To edit an existing sentry:

Note: You must create a sentry using the Sentry Wizard. For more information, see the STRM Users Guide.

Step 1 In the STRM interface, click Config.


The STRM Administration Console appears.
Step 2 Click the System Configuration tab.
The System Configuration panel appears.
Step 3 Click the Sentries icon.
The Sentries window appears.
Step 4 From the View By drop-down list box, select Object.
The Sentry Objects menu tree appears.
Step 5 For the sentry you want to edit, click the edit icon.
The Edit panel appears, showing the parameters available for the selected sentry type (for example, a Security/Policy sentry).

Step 6 Update values for the parameters, as necessary:


a If you are editing a Security/Policy sentry:
Table 2-2 Edit Security/Policy Sentry

Parameter Description
Name Specify a name for this sentry.
Description Specify a description for this sentry. This description appears as
an annotation in the Offense Manager if this sentry results in an
offense being generated.
Minimum number of flows before emitting events Specify the minimum number of times, in flows, this activity must occur before an event generates.
Delay between emitting events Specify the number of seconds, after the first occurrence of this event, before the next occurrence of this event. For example, if you set the value to 3, the next event generates three seconds after the first instance of the event.
Maximum emitted events per IP Specify the maximum number of times you want this event to generate per IP address. For example, if you set the maximum to 2, only two alerts generate for this event per IP address.
Is Enabled Select the check box to enable this sentry. Clear the check box to
disable the sentry.

Table 2-2 Edit Security/Policy Sentry (continued)

Parameter Description
Options Select the check box if you want this event to be included with
other events to create an offense. Use the Address to mark as
the target drop-down list box to identify if you want the
destination or source IP address to be used as the target.
Note: This option only appears for a Security/Policy sentry.
Permissions Specify the users you want to allow access to edit this sentry.
Package Using the drop-down list box, select the sentry package you want
to apply to this sentry. To edit an existing package, click Edit or
to create a new package, click Create New. For more information
on sentry packages, see Managing Packages.
QRL Specifies the details of the current view for this sentry.

b If you are editing a Behavior, Anomaly, or Threshold sentry:


Table 2-3 Edit Behavior, Anomaly, or Threshold Sentry

Parameter Description
Name Specify a name for this sentry.
Description Specify a description for this sentry. This description appears as
an annotation in the Offense Manager if this sentry results in an
offense being generated.
Minimum activations before alert Specify the minimum number of intervals this activity must occur before an alert generates.
Delay between alerts Specify the number of intervals after the first occurrence of this event, before the next occurrence of this event.
Maximum responses per event Specify the maximum number of times you want this event to generate a response.
Is Enabled Select the check box to enable this sentry. Clear the check box to
disable the sentry.
Weight Specify the weight of the object. The range is 1 to 100 and
indicates the importance of the object in the system.
Test as group Select the check box if you want all objects to add together to be
tested. Clear the check box if you want each object to be
evaluated separately.

Table 2-3 Edit Behavior, Anomaly, or Threshold Sentry (continued)

Parameter Description
Restrictions Select the check box for one or more restrictions you want to
enforce for an active sentry including:
• Date is relevant - Select the check box to indicate that this
sentry must consider the date. When selected, date fields
appear. Enter the relevant dates you want this sentry to
monitor.
• Day of week is relevant - Select the check box to indicate
that this sentry must consider the day of the week. When
selected, day of the week fields appear. Using the drop-down
list boxes, select the relevant days you want this sentry to
consider.
• Time of day is relevant - Select the check box to indicate that
this sentry must consider time of day. When selected, time of
day fields appear. Using the drop-down list box, select the
time of day you want this sentry to consider.
Permissions Specify the users you want to allow access to edit this sentry.
Package Using the drop-down list box, select the sentry package you want
to apply to this sentry. To edit an existing package, click Edit or
to create a new package, click Create New. For more information
on sentry packages, see Managing Packages.
Responses Specify the method you want to be notified if this sentry
generates an event. The options are:
• Email
• Log - Sends event information to standard syslog on the STRM Console.
QRL Specifies the details of the current view for this sentry.

Step 7 Edit the variables, as necessary. The list of variables includes all configured values
for this sentry. Only the variables that apply to this sentry appear. When creating a
custom sentry, you can create your own variable.
Table 2-4 Default Variables

Parameter Description
$$Base Specify the weight that you want to assign to the current traffic levels against the learned behaviors and the current trend. This variable is for behavioral sentries. A higher value places more weight on the previously recorded value. When you configure a sentry, you must enter a value between 0 to 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.

Table 2-4 Default Variables (continued)

Parameter Description
$$Trend Specify the weight that you want to assign to current traffic trends against the calculated behavior. This variable is for behavioral sentries. A higher value places more weight on traffic trends than on the calculated behavior. When you configure a sentry, you must enter a value between 1 to 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Season Specify the weight applied to the seasonal component of the
behavior sentry. The range is 1 to 100. This variable is for
behavioral sentries. When you configure a sentry, you must enter
a value between 1 to 100, however, when you view a sentry, this
value appears in decimal format as 0.01 to 1.
$$SeasonTime Specify the length of time, in seconds, you want this sentry to
consider a season. A season indicates the cycle of data, which
STRM uses to determine future data flow. This variable is for
behavioral sentries.
$$Scale Specify the alert sensitivity level for this alert. This level indicates
how far outside the predicted values before a violation generates.
A value of zero indicates the measured value cannot be outside
the predicted value and a value of 100 indicates the traffic is
more than four times larger than the predicted value. When you
configure a sentry, you must enter a value between 1 to 100,
however, when you view a sentry, this value appears in decimal
format as 0.01 to 1.
$$Counter Specify the layers you want this sentry to consider. This variable is for all sentry types. The options include: in (bytes in), out (bytes out), pin (packets in), pout (packets out), hlocal (host local), hremote (host remote), plocal (packet local), premote (packet remote), and count. Separate each entry with a colon.
$$AsSet Specify 0 if you want all objects to add together to be tested. Specify 1 if you want each object to be evaluated separately.
This variable is for all sentry types.
$$Value For each threshold, specify the number that must be exceeded
for this sentry to generate an alert. This variable is for all sentry
types.
$$Percent Specify the percentage change in behavior this view must
experience before the sentry generates an alert. This variable is
for anomaly sentries.
$$SmallWindow Specify an extended period of time over which you want the system to monitor flows in your network. This gives the system a basis of comparison for traffic over an extended period of time. If the difference between the large window and small window values exceeds a certain threshold, the sentry generates an alert. This variable is for anomaly sentries.

Table 2-4 Default Variables (continued)

Parameter Description
$$LargeWindow Specify a period of time over which you want the system to monitor flows in your network. This gives the system a basis of comparison for traffic over a shorter period of time. If the difference between the large window and small window values exceeds a certain threshold, the sentry generates an alert.
$$Upperbound/Lowerbound For each threshold, specify the number that must be exceeded for this sentry to generate an alert. This variable is for threshold sentries.
$$AutoLearnTime Specify the time stamp of the time when you want the system to
stop learning. This variable is for threshold sentries.

Step 8 Click Save.


Step 9 Close the Sentries window.
The STRM Administration Console appears.
Step 10 From the menu, select Configurations > Deploy Configuration Changes.

Managing Packages

Sentries contain packages. You can create packages to reuse with multiple sentries. Using a saved package allows you to apply the same objects to multiple areas of your network. For example, you can create a package to monitor for network misuse and use that saved package to apply the same objects to all areas of your network.

You must apply a package to a sentry through the sentry panel. For more information, see Editing Sentry Details. By default, STRM does not apply these packages; you must apply them to the appropriate area of your network.

This section includes:


• Creating a Sentry Package
• Editing a Sentry Package

Creating a Sentry Package

To create a new sentry package:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon.
The Sentries window appears.
Step 3 From the View By drop-down list box, select Objects.
The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Packages.

The Package List appears.


Step 5 Click Create New Package.
The Create New Package panel appears.

Step 6 Enter values for the parameters:

Table 2-5 Create Sentry Package Parameters

Parameter Description
Name Specify the name of the sentry package.
Description Specify a description for the sentry package.
Weight Specify the relative importance of this package. This determines
the ranking of the offense that appears in the Offense Manager.

Table 2-5 Create Sentry Package Parameters (continued)

Parameter Description
Components In the menu tree, select the components you want this package
to monitor. The added components appear under the Selected
Components column.
Permissions Specify the users you want to be able to use this package.
Categories For each event, you must select a high-level and low-level event
category. From the High-Level Category drop-down list box,
specify the high-level event category. Once you select the
high-level event category, the appropriate low-level event
categories appear.
Using the Low-Level Category, select the low-level event
category you want to apply to this event.
Note: For detailed information on high-level and low-level event
categories, see the Event Category Correlation Reference Guide.
Logic Unit Using the drop-down list box, select the Logic Unit you want to apply to this package. To edit an existing Logic Unit, click Edit, or to create a new Logic Unit, click Create New. For more information on Logic Units, see Managing Logic Units.
Variable Defaults Specifies the variable default values for this sentry package.
These values are overwritten by variables of the same name in
the sentry.

Step 7 Click Save.

Editing a Sentry Package

To edit an existing sentry package:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon.
The Sentries window appears.
Step 3 From the View By drop-down list box, select Object.
The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Packages.
The Package List appears.
Step 5 For the package you want to edit, click the icon.
The Edit panel appears.

Step 6 Update parameters (see Table 2-5), as necessary.


Step 7 Click Save.

Managing Logic Units

A Logic Unit determines if a violation has occurred and if an alert needs to be generated. A Logic Unit contains the algorithm that a sentry uses to monitor your network for suspicious behavior. You can use Logic Units to create custom sentries. You must apply a Logic Unit to a package through the package panel. For more information, see Managing Packages.

This section includes:


• Creating a Logic Unit
• Editing a Logic Unit

Creating a Logic Unit

To create a Logic Unit:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon.
The Sentries window appears.
Step 3 From the View By drop-down list box, select Object.
The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Logic Units.
The Logic Unit List appears.
Step 5 Click Create New Logic Unit.
The Create New Logic Unit panel appears.

Step 6 Enter values for the parameters:

Table 2-6 Create New Logic Unit Parameters

Parameter Description
Name Specify a name for this Logic Unit.
Description Specify a description for this Logic Unit.

Step 7 Create your own equation in the Equation field using JavaScript code. The entry must use the following format, where CustomFunction is one of the functions listed in Table 2-7 and other_custom_vars stands for that function's remaining parameters:
    var testObj = new CustomFunction($$Counter, other_custom_vars);
    function test()
    {
        return testObj.test();
    }
You can use all the functions available with JavaScript functionality as well as the following functions:

Table 2-7 JavaScript Functions

Function Description
thresholdCheck Monitors policy and threshold objects. By default, this function tests each object separately; to test the objects as a group, set isTotal to 1. This function includes:
• components - String of component names from one or more layers, separated by colons. For example, in:out.
• funcT - Instance of a comparison object, including above, greatThanEq, below, lessThanEq, Eq, notEq, and range.
• isTotal - Set to 0 if you want to test objects separately. Set to 1 if you want to test all objects as a group.
• time - Indicates the time at which to make the comparison. If no time is supplied, the current time is used.
learnPolicy During the learning period, this function selects only the objects that carried no traffic. The sentry then generates an alert on those objects. This function includes:
• components - String of component names from one or more layers, separated by colons. For example, in:out.
• lockTime - Indicates the time at which you want to stop the learning process.
activityAnomaly Detects changes in the activity level for the selected databases. This function includes:
• largewindowsize - Specifies the time range for the large observation window.
• smallwindowsize - Specifies the time range for the small observation window.
• percentrequired - Specifies the percentage change required before the sentry generates an alert.
• layer - Specifies the layer you want to monitor.
• type - Specifies whether to test the objects as a group.
• intervalsize - Specifies the interval size, in seconds.
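As an added example (not code from the guide or from STRM), the following stand-in shows how a Logic Unit equation in the format required by Step 7 behaves against a few constructed measurements. The comparison objects, the colon-separated components string and the isTotal flag follow the thresholdCheck description in Table 2-7; the ThresholdCheck class, the MEASUREMENTS object, the counterVar string and the testAsGroup helper are assumptions made for this illustration, since the guide does not publish STRM's internal implementation.

```javascript
// Added example, not STRM code: a local stand-in for the thresholdCheck
// function of Table 2-7, so the shape of a Logic Unit equation can be
// exercised outside STRM. The comparison objects, the "in:out" components
// string and the isTotal flag follow the table; the ThresholdCheck class,
// the measurement store and the helpers are assumptions for this example.

// Comparison objects: each returns true when `v` violates the threshold.
const above       = (t)      => (v) => v > t;
const greatThanEq = (t)      => (v) => v >= t;
const below       = (t)      => (v) => v < t;
const lessThanEq  = (t)      => (v) => v <= t;
const Eq          = (t)      => (v) => v === t;
const notEq       = (t)      => (v) => v !== t;
const range       = (lo, hi) => (v) => v >= lo && v <= hi;

// Constructed sample: most recent counters per monitored object, per layer.
// Layer names follow the $$Counter options (in, out, pin, pout).
const MEASUREMENTS = {
  'web-srv-1': { in: 8000, out: 2000,  pin: 120, pout: 40 },
  'web-srv-2': { in: 1500, out: 700,   pin: 30,  pout: 12 },
  'db-srv-1':  { in: 300,  out: 90000, pin: 10,  pout: 900 },
};

// Stand-in for thresholdCheck: `components` is an "in:out"-style string,
// `funcT` one of the comparison objects, `isTotal` 0 = test each object
// separately, 1 = sum all objects and test once (the "Test as group"
// behaviour). The optional `time` parameter of the real function is omitted
// because this store only holds one snapshot.
class ThresholdCheck {
  constructor(components, funcT, isTotal, measurements) {
    this.layers = components.split(':').map((s) => s.trim()).filter(Boolean);
    if (this.layers.length === 0) throw new Error('components must name at least one layer');
    this.funcT = funcT;
    this.isTotal = isTotal ? 1 : 0;
    this.data = measurements;
  }

  // Sum of the selected layers for one object (e.g. "in:out" = in + out).
  objectTotal(counters) {
    return this.layers.reduce((sum, layer) => {
      if (!(layer in counters)) throw new Error('unknown layer: ' + layer);
      return sum + counters[layer];
    }, 0);
  }

  // Returns the names of the violating objects; an empty list means no alert.
  test() {
    const names = Object.keys(this.data);
    if (this.isTotal === 1) {
      const total = names.reduce((s, n) => s + this.objectTotal(this.data[n]), 0);
      return this.funcT(total) ? ['<group>'] : [];
    }
    return names.filter((n) => this.funcT(this.objectTotal(this.data[n])));
  }
}

// The Logic Unit equation in the format the guide requires (Step 7), with
// the $$Counter default variable expanded to a concrete string.
const counterVar = 'in:out';            // what $$Counter would hold
var testObj = new ThresholdCheck(counterVar, above(5000), 0, MEASUREMENTS);
function test() {
  return testObj.test();
}

// Same threshold evaluated as a group: the objects' in+out totals are
// summed first and the comparison runs once.
function testAsGroup(threshold) {
  return new ThresholdCheck(counterVar, above(threshold), 1, MEASUREMENTS).test();
}
```

Calling test() with isTotal set to 0 returns the two objects whose in+out total exceeds 5000, while testAsGroup sums every object first and returns a single group result, which is the distinction the Test as group check box and the $$AsSet variable control; the unused comparison objects (below, range, and so on) slot into the same constructor in place of above.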

Step 8 Click Share Logic to access the Select Users window. This window allows you to specify the users with whom you want to share this Logic Unit.
Step 9 Click Save.

Editing a Logic Unit

To edit a Logic Unit:


Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon.
The Sentries window appears.
Step 3 From the View By drop-down list box, select Object.
The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Logic Units.
The Logic Unit List appears.
Step 5 For the Logic Unit you want to edit, click the edit icon.
The Edit panel appears.

Step 6 Update parameters, as necessary.


Step 7 Click Save.

10 MANAGING VIEWS

You can display network traffic with many different views. A view represents traffic activity on your network for a specific profile. The Local Network View has n levels of depth, specific to your network hierarchy. All views, with the exception of the Network View, have group levels and leaf object levels. You can also create Custom Views to display the types of traffic you want to identify, monitor, and be alerted to when specific flows appear across your network.

This chapter includes:


• Using STRM Views
• Managing Ports View
• Managing Application Views
• Managing Remote Networks View
• Managing Remote Services Views
• Managing Collector Views
• Managing Custom Views
• Enabling and Disabling Views
• Using Best Practices

Using STRM Views

This section provides information regarding views including:
• About Views
• About Global Views
• Defining Unique Objects

About Views

STRM includes default views that capture and display your network activity. Each view filters traffic and displays the data from a different perspective. You can use these default views to examine your network activity from various perspectives.

You can configure views with an identifiable color scheme. Each color appearing
on your graph represents the activity taking place on your network. Each color is
also displayed in the dynamic legend beside the graph. You can point your mouse
to the color on the legend to identify the traffic type.

Each view is assigned a weight. Configured for traffic alerting purposes, weight is
the numeric value assigned to a flow property. STRM adds the weight value to the
sentry flow property weight value and assigns a sequence of ranking events. An
alert may be signalled when STRM interprets the combination of the numerical
weight values. For more information on weights, see Chapter 9 Managing
Sentries.

A view is a property of flows divided into the following:


• Group - A collection of objects configured to display the network data that
appears on the graphs in a specific view.
• Object - Assigned flow properties configured to identify specific traffic.
• Layer - Property used to count traffic.

You can create a Custom View to identify more complex traffic patterns. You must
configure Custom Views with equations that identify your network activity and
match the properties built into an equation. You can create Custom Views to:
• Identify protocol misuse from any geographic location.
• Identify traffic from partner sites using applications you have deemed
out-of-policy.
• Create an alternate network hierarchy.

You can also use equations to identify network traffic flows. When traffic flows
match the assigned property-set, STRM identifies and displays the traffic on the
graphs, enabling you to monitor and investigate the activity. An equation is
constructed from the following:
• Objects - Network objects that are currently present on your network. When
choosing an object, you can select the network object, or any one of the leaf
nodes that is associated with the object. The selected object (or leaf node)
becomes part of an equation.
• Elements - Tests of specific flow properties, such as an IP address, protocol, or byte count. These specify the criteria a traffic flow must match to be identified. Traffic flows matching the assigned criteria are displayed when viewing the Custom View on the STRM graphs.

About Global Views

You can access Global Views using the Global Views menu option in the Network Surveillance interface. Configurable Global Views include:
• Local Networks View - Displays traffic by network objects.
• Ports View - Displays traffic originating from identified destination ports.
• Applications View - Displays traffic originating from the application layer by the
client connection and the server connection.
• Remote Networks View - Displays user defined traffic originating from named
remote networks.

• Remote Services View - Displays traffic originating from user defined network
ranges or, if desired, the Juniper Networks automatic update server.
• Collector View - Displays traffic seen by each Flow Collector.
• Protocol - Displays traffic originating from protocol usage.

Note: For more information on default groups and objects, see the STRM Default
Application Configuration Guide.

You can edit several Global Views by adding objects to existing groups or changing pre-existing properties to suit your environment. STRM does not allow you to configure Geographic or Protocol Views. Contact Juniper Networks Customer Support for assistance.

Caution: Do not attempt to move an existing object to another group by selecting a new group and clicking Add Group. The object name moves from the existing group to the newly selected group; however, when the configuration changes are deployed, the object data stored in the database is lost and the object ceases to function. Instead, create a new view and recreate the object in the other group.

Defining Unique Objects

Some groups within views include objects that are unique to specific views. For example, InverseIsKnown is unique to the Ports View. This group captures the server traffic when displaying the client view, and displays client traffic when displaying the server view.

Some groups within views, such as superflows, are for informational purposes only
and cannot be edited. However, you can create a Custom View based on an
existing view and configure the Custom View properties to resemble the groups
that cannot be edited. For more information, see Managing Custom Views.

Unique groups include:


• InverseIsKnown - Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.
• Other - Specifies traffic that does not match a property-set or is not defined in
the configuration. Traffic that is classified as Other may be used to capture
miscellaneous traffic.
• Unknown - Specifies traffic that is unidentifiable.
• Superflows - Specifies traffic that has been grouped into superflows; where
one superflow is a group of aggregate flows that have a number of similar
properties.
• Known_to_client_or_server - Similar to InverseIsKnown. When viewing client data, this group represents the server data. When viewing server data, this group represents the client data.

Managing Ports View

Ports Views display traffic originating from identified destination ports. Using the Ports View, you can view traffic by port. This section provides information on managing the Ports View including:
• Default Ports Views
• Adding a Ports Object
• Editing a Ports Object

Default Ports Views

Ports View includes the following default groups:
Table 3-1 Ports Views

Ports Groups Description


InverseIsKnown Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.
MailPorts Specifies e-mail traffic flows originating from each mail port.
Superflows This group is non-configurable. A superflow is a flow that is an
aggregate of a number of flows that have a similar
pre-determined set of elements.
TargetedPorts Specifies traffic flows destined for specific ports.
UnnamedPorts Specifies traffic flows not destined for a specific port.
WebPorts Specifies traffic flows destined for the port assigned for Internet
traffic.
p2pports Specifies traffic flows to and from ports assigned for the
Peer-to-Peer (P2P) traffic within your network.

Adding a Ports Object

To add a ports object:
Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Ports icon.
The Manage Group window appears.
Step 3 Click Add.
The Add New Object window appears.

Step 4 Enter values for the following parameters:

Table 3-2 Ports - Add New Object Parameters

Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the object name.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
Ports Specify the port number for the object or use the arrows to
change the existing numeric value. Click Add.
Description Specify a description for this object.
Color Specify a color for this object. Enter the RGB alphanumeric value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.


Step 7 Close the Ports View window.
Step 8 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Editing a Ports Object

To edit an existing object:
Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Ports icon.
The Manage Group window appears.
Table 3-3 Manage Group

Parameter Description
Name Specifies the name assigned to the object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the graphs.
Actions Specifies the action available for each group: an icon that opens the object properties window.

Step 3 Click the group you want to edit.


The Manage Group window appears.
Table 3-4 Manage Group

Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object: an icon that edits the view properties, and an icon that deletes the object.

Step 4 From the Manage Group table, or from the tree menu, click the name of the object
you want to edit.
The Properties window appears.

Step 5 Edit values as necessary. See Table 3-2.


Step 6 Click Save.

Step 7 Click Return.


Step 8 Close the Ports View window.
Step 9 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Managing Application Views

Application Views display traffic originating from the application server by the client connection and the server connection. Using the Application Views, you can view traffic by application identification. This section provides information on managing Application Views including:
• Default Application Views
• Adding an Applications Object
• Editing an Applications Object

Default Application Views

Application View includes the following default groups:
Table 3-5 Application Views

Sub-Component Description
Chat Specifies traffic originating from chat sources, such as AOL,
ICQ, IRC, MISN, and MSN.
ClientServer Specifies traffic originating from a client server such as
Meeting Maker, NetIQ, FIX, MATIP, or CVSup.
ContentDelivery Specifies traffic originating from content delivery applications,
such as, EntryPoint, BackWeb, or Webshots.
DataTransfer Specifies traffic originating from common file and data transfer protocols, such as FTP, Misc-Transfer-Ports, NFS, NNTPNews, TFTP, WindowsFileSharing, WindowsNetworkPorts, and XFER.
DataWarehousing Specifies traffic originating from database applications.
DirectoryServices Specifies traffic originating from directory services, such as
WINS, CRS, or RRP.
FilePrint Specifies traffic originating from file print applications, such as,
a printer or IPP.
Games Specifies traffic originating from game applications, such as,
Doom, Quake, Half-Life, or Kali.
Healthcare Specifies traffic originating from health care related
applications, such as, DICOM or HL7.
InnerSystem Specifies traffic originating from the STRM application, such
as, Common Ports, Flowgen, and UpdateDaemon.
InternetProtocol Specifies traffic originating from Internet protocol related
applications, such as, ActiveX or SOAP-HTTP.
Known_to_client_or_ When viewing client data, this group captures the server data.
server When viewing server data, this group captures the client data.
Legacy Specifies traffic originating from legacy applications, such as,
SNA, LAT, FNA, or SLP.
Mail Specifies all traffic originating from e-mail application traffic,
such as, ESMTP, IMAP, MISC-MAIL-Port, POP, POP-Port,
SMTP, and SMTP-Port.

Table 3-5 Application Views (continued)

Sub-Component Description
Misc Specifies identified miscellaneous application traffic, such as,
Appletalk-IP, Authentication, DHCP, DNS, DNS-Port,
ManagementService, Misc-Ports, MiscApp,
Network-Config-Ports, RPC, SNMP-Ports, Syslog, and Time.
Multimedia Specifies traffic originating from multimedia application traffic,
such as, WebEx, video frames, or Intellex.
NetworkManagement Specifies traffic originating from network management
application traffic, such as, ICMP, SMS, NetFlow, or flow
records.
No_Detect_Attempt Specifies traffic that is void of content within a packet.
P2P Specifies traffic originating from Peer-to-Peer (P2P)
application traffic, such as, BitTorrent, Blubster, Common P2P
Port, DirectConnect, Gnutella, Kazaa, LimeWire, OpenNap,
Peerenabler, Piolet, and eDonkey.
Remote Access Specifies traffic originating from applications accessed
remotely, such as, CitrixICA, PCAnywhere, SSH, SSH Ports,
Telnet, Telnet-Port, and VNC.
RoutingProtocols Specifies traffic originating from routing protocols, such as,
RIP, ICMP, ICP, or AURP.
SecurityProtocol Specifies traffic originating from security protocols, such as,
SOCKS, L2TP, SWIPE, or DPA.
Streaming Specifies traffic originating from streaming applications, such
as, MicrosoftMediaServer, StreamingAudio, and
WindowsMediaPlayer.
Unknown_apps Specifies pre-defined flows classed as Unknown traffic.
VoIP Specifies traffic originating from Voice over IP (VoIP)
applications, such as, Skype, I-Phone, SIP, or Clarent-CC.
Web Specifies traffic originating from web applications, such as,
HTTP, JAVA, SecureWeb, WebFile, WebMedia, and Web
Port.

Note: The default views are automatically updated with the Automatic Update
function. For more information regarding automatic updates, see Scheduling
Automatic Updates.

Adding an Applications Object

To add an applications object:
Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Application icon.
Step 3 Click Add.
The Add New Object window appears.


Step 4 Enter values for the following parameters:

Table 3-6 Applications - Add New Object Parameters

Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
AppsIDs Specify the application ID for the object or use the arrows to
change the existing numeric value. Click Add.
Note: The applications identification must be defined in the
mapping file before adding to this object. For more information on
the mapping file, see the STRM Default Application Configuration
Guide.
Description Specify a description for this object.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.


Step 7 Close the Applications View window.


Step 8 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Editing an Applications Object

To edit an applications object:
Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Applications icon.
The Manage Group window appears.
Table 3-7 Manage Group

Parameter Description
Name Specifies the name assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.

Step 3 Click the group you want to display.


The Manage Group window appears.
Table 3-8 Manage Group

Parameter Description
Name Specifies the group name.
Value Specifies application IDs assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.

Delete object.

Step 4 Click the name of the object you want to edit.


The Properties window appears.


Step 5 Edit values as necessary. See Table 3-6.


Step 6 Click Save.

Step 7 Click Return.


Step 8 Close the Applications View window.
Step 9 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.


Managing Remote Networks View

Remote Networks View displays user traffic originating from named remote
networks. Using the Remote Networks View, you can view traffic by known remote
networks. This section provides information on managing the Remote Networks
View including:
• Default Remote Networks Views
• Adding a Remote Networks Object
• Editing a Remote Networks Object

Default Remote Networks Views

Remote Networks includes the following default groups:
Table 3-9 Remote Networks Views

Parameter Description
BOT Specifies traffic originating from BOT applications.
Bogon Specifies traffic originating from un-assigned IP addresses.
Note: Bogon reference: http://completewhois.com/bogons/
HostileNets Specifies the traffic originating from known hostile networks.
HostileNets has a set of 20 (Rank 1 to 20 inclusive) configurable
CIDR ranges.
Neighbours This group is blank by default. You must configure this group to
classify traffic originating from neighboring networks.
Superflows This group is non-configurable. A superflow is a flow that is an
aggregate of a number of flows that have a similar
pre-determined set of elements.
TrustedNetworks This group is blank by default. You must configure this group to
classify traffic originating from trusted networks.

Note: Groups and objects that include superflows are for informational purposes
only and cannot be edited. Groups and objects that include bogons are configured
by the Automatic Update function.

Adding a Remote Networks Object

To add a Remote Networks object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Networks icon.
Step 3 Click Add.
The Add New Object window appears.


Step 4 Enter values for the following parameters:

Table 3-10 Remote Networks - Add New Object Parameters

Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the
existing numeric value. The range is 1 to 100.
IP/CIDR(s) Specify the IP address or CIDR range for the object. Click Add.
Description Specify a description for the object.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.


Step 7 Close the Remote Networks View window.
Step 8 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.


Editing a Remote Networks Object

To edit an existing Remote Networks object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Networks icon.
The Manage Group window appears.
Table 3-11 Manage Group

Parameter Description
Name Specifies the name assigned to the view.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.

Step 3 Click the group you want to display.


The Manage Group window appears.
Table 3-12 Manage Group

Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.

Delete object.

Step 4 Click the object you want to edit.


The Properties window appears.


Step 5 Edit values as necessary. See Table 3-10.


Step 6 Click Save.

Step 7 Click Return.


Step 8 Close the Remote Networks View window.
Step 9 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Managing Remote Services Views

Remote Services Views display traffic originating from user-defined network
ranges or, if desired, the Juniper Networks automatic update server. Using the
Remote Services Views, you can view remote service providers. This section
provides information on managing the Remote Services Views including:
• Default Remote Services Views
• Adding a Remote Services Object
• Editing a Remote Services Object

Default Remote Services Views

Remote Services view includes the following default groups:
Table 3-13 Remote Services - Manage Group Parameters

Parameter Description
IRC_Servers Specifies traffic originating from addresses commonly known to
produce superflows.
Porn Specifies traffic originating from addresses commonly known to
contain explicit pornographic material.
Proxies Specifies traffic originating from commonly known open proxy
servers.

Reserved_IP_Ranges Specifies traffic originating from reserved IP address ranges.
Spam Specifies traffic originating from addresses commonly known to
produce SPAM or unwanted e-mail.
Spy_Adware Specifies traffic originating from addresses commonly known to
contain spyware or adware.
Superflows Specifies traffic originating from addresses commonly known to
produce superflows.
Warez Specifies traffic originating from addresses commonly known to
contain pirated software.

Adding a Remote Services Object

To add a Remote Services Object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Services icon.
The Manage Group window appears.
Step 3 Click Add.
The Add New Object window appears.

Step 4 Enter values for the following parameters:


Table 3-14 Remote Services - Add New Object Parameters

Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
IP/CIDR(s) Specify the IP address/CIDR range for the object. Click Add.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.


Step 7 Close the Remote Services View window.
Step 8 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Editing a Remote Services Object

To edit an existing Remote Services object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Services icon.
The Manage Group window appears.
Table 3-15 Manage Group

Parameter Description
Name Specifies the name assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.

Step 3 Click the group you want to display.


The Manage Group window appears.


Table 3-16 Manage Group

Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.

Delete object.

Step 4 Click the object you want to edit.


The Properties window appears.

Step 5 Edit values as necessary. See Table 3-14.


Step 6 Click Save.

Step 7 Click Return.


Step 8 Close the Remote Services View window.


Step 9 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Managing Collector Views

The Collector Views display traffic seen from the Flow Collector and provide the
AllCollectors group. This group specifies the traffic originating from all Flow
Collectors that reside on your network.

This section provides information on configuring the Flow Collector view including:
• Adding a Flow Collector Object
• Editing a Flow Collector Object

Adding a Flow Collector Object

To add a Flow Collector object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Collector icon.
Step 3 Click Add.
The Add New Object window appears.

Step 4 Enter values for the following parameters:

Table 3-17 Flow Collector - Add New Object Parameters

Parameter Description
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.

Collector ID Using the drop-down list box, select the Flow Collector you want
to use as the source.
Color Specify a color for this object. Enter the RGB alpha-numeric value
or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.


Step 7 Close the Collector View window.
Step 8 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Editing a Flow Collector Object

To edit an existing Flow Collector Object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Collector icon.
The Manage Group window appears.
Table 3-18 Manage Group

Parameter Description
Name Specifies the name assigned to the group.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the action available for each group including:
Open view properties window.

Step 3 Click the group you want to display.


The Manage Group window appears.


Table 3-19 Manage Group

Parameter Description
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Weight Specifies the weight assigned to the object.
Color Specifies the color displayed when viewed on the Network
Surveillance graphs.
Actions Specifies the actions available for each object including:
Edit view properties.

Delete object.

Step 4 Click the object you want to edit.


The Properties window appears.

Step 5 Edit values as necessary. See Table 3-17.


Step 6 Click Save.

Step 7 Click Return.


Step 8 Close the Collector View window.
Step 9 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.


Managing Custom Views

Custom Views uniquely identify specific traffic flows, such as SSH traffic on a
non-standard port, or traffic originating from another country. Each Custom View
object must be configured with an equation, which creates a set of properties that
applies a filter for each network flow.

Custom Views provide you with several advantages. For example, you can use
Custom Views for the following scenarios:
• Define a view to isolate and display traffic relevant to your enterprise.
• Rebuild any default view and configure to suit your enterprise.
• Use a view to remap data in different ways.
• Use a view for an alternate network hierarchy
• Apply Other traffic in a view for reporting purposes.
• Apply Boolean logic in the Equation Editor when creating a view.
• The Classification Engine can interpret the view information as RPN (Reverse Polish Notation).
• Build a Custom View object to detect the following sequence:
- Src (source) sends a Syn (synchronize) packet to a Dst
- Dst (destination) sends back an Ack (acknowledge) packet
- Src (source) sends a Syn-Ack (synchronize-acknowledge) or a Syn-Rst
(synchronize-reset) packet to the Dst (destination)
- The initial packet cannot have an empty payload

This section provides information on creating and configuring Custom Views
including:
• About Custom Views
• Editing Custom Views
• Editing the Operators
• Editing the Equation

About Custom Views

Custom Views includes the following default groups:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source
• ASN Destination
• IFIndex In

• IFIndex Out
• QoS
• FlowShape

The objects for the IP Tracking, Threats, Attacker Target Analysis, Target Analysis,
and Policy Violations groups depend on the template chosen during the installation
process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.

STRM detects the ASN and IFIndex values from network flows. When STRM
detects ASN or IFIndex values in a flow, STRM creates a new object in the
respective group. For example, if STRM detects an ASN 238 flow within the source
traffic, the object ASN238 is created in the ASNSource group. However, for STRM
to detect and create objects for ASN and IFIndex values in a flow, you must enable
the respective views. For more information on enabling views, see Enabling and
Disabling Views.

STRM also detects Quality of Service (QoS) values from your network flows. QoS
provides priority for traffic enabling your network to provide various levels of
service for flows. QoS provides the following basic levels of service:
• Best Effort - This level of service does not guarantee delivery. The delivery of
the flow is considered best effort.
• Differentiated Service - Certain flows are granted priority over other flows.
This priority is granted by classification of traffic.
• Guaranteed Service - This level of service guarantees the reservation of
network resources for certain flows.

To create Custom Views:


Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Custom Views icon.
The Manage Group window appears.
Step 3 Click Create New View.
The Properties window appears.


Step 4 Enter values for the following parameters:

Table 3-20 Custom View - Properties for New View: Staging/Globalconfig

Parameter Description
Name Specify a name for the new view.
Description Specify a description for the new view.

Step 5 Click Save.


The Custom View Management window appears.

Step 6 Click Return.

Step 7 From the Manage Group Window, select the view and click Add Equation.
The Properties window appears.


Step 8 Enter values for the following parameters:

Table 3-21 Properties Views

Parameter Description
Group Using the drop-down list box, select the group to which you want to add
the object. Click Add Group.
Name Specify the name for the object.
Weight Specify the object weight or use the arrows to change the existing
numeric value. The range is 1 to 100.
Color Specify a color for this object. Enter the RGB alpha-numeric
value or click Select Color to access the color palette.
Database Length Using the drop-down list box, select the database length.
Equation Click Equation Editor to specify your equation for this object.

Step 9 Click Equation Editor.


The Equation Editor window appears.

Step 10 From the Objects box, select the view you want to assign.


Step 11 From the Elements panel, select an element and enter the parameter values to
configure the element. See Table 3-22.
The element is assigned to the selected object. This creates the first instance on
the Equation Editor.
Step 12 Select another object from the Objects box and assign an associated element.
By default, the objects are joined with the AND operator.
Step 13 Continue selecting the objects and assigning elements until you have completed
your equation. Click Save.
Note: If you want to calculate two values before STRM adds the next consecutive
object, insert brackets around the values. For more information on operators, see
Editing the Operators.
Your equation should resemble this window:

Table 3-22 Element Options

Parameter Description
Count Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (source), Dst (destination), Local, Remote, and Total.
Note: When ports are counted, the number of unique destination ports
is returned.
Parameter Using the drop-down list box, select the parameter you are testing.
Options include: Bytes, Packets, and ContentLength.
Test Using the drop-down list box, select how to test the numeric value.
Options include: Above, Below, and Equals.
Value Enter a numeric value for the selected parameter: the number of
bytes, the number of packets, or the content length. This value is based on
a flow stats record reported in a single interval.
Using the drop-down list box, select the byte size unit of measurement.
Options include: K (kilobyte), M (megabyte), G (gigabyte), and T
(terabyte). Click Add.
Protocol Element Type

Name Specify the element name.
Protocol Specify the protocol identification number. You must enter the protocol
number and not the name. Click Add.
Note: For a list of default protocol identification numbers, see STRM
Default Application Configuration Guide.
Super Flow Count Element Type
Name Specify the element name.
Unit Using the drop-down list box, select the element unit. Options include:
Hosts and Ports.
Test Using the drop-down list box, select how to test the numeric Super
Flow Count value. Options include: Above, Below, and Equals.
Value Enter the number of hosts or ports. Click Add.
Flow Stat Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Unit Using the drop-down list box, select the element unit. The unit is
specific to the stats record in one interval. Options include:
BytesPacketRatio, PacketArrivalRate, ByteArrivalRate, ByteRatio, and
PacketRatio.
Test Using the drop-down list box, select how to test the numeric Flow Stat
value. Options include: Above, Below, and Equals.
Value Specify the numeric value of unit measurements. Click Add.
Content Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Note: Only the content that is captured is counted.
Value Enter the content string. Click Add.
Flags Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.

Value Enter the character that represents the TCP/IP flags element type you
want to add. STRM accepts the following:
A, ACK - (Acknowledge) - Receiver sends an acknowledgement that
equals the sender's sequence.
S, SYN - (Synchronize) - Agreement on sequence numbers during
session setup. Sequence numbers are random.
F, FIN - (Finish) - Sender has no more data to send.
R, RST - (Reset) - Instantaneous abort in both directions. This is an
abnormal session disconnection.
P, PSH - (Push) - Forces data delivery without waiting for buffers to fill.
The data will also be delivered to the application on the receiving end
without buffering.
U, Urg - (Urgent) - Indicates the packet data should be processed as
soon as possible.
7 - Illegal flag that represents the seventh bit of the TCP flag field.
Typically, this flag is not used in normal operations and may be used by
malicious users.
8 - Illegal flag that represents the eighth bit of the TCP flag field.
Typically, this flag is not used in normal operations and may be used by
malicious users.
Click Add.
Note: The order in which you enter the TCP/IP Flags is not important;
however, when viewing content capture, STRM displays the flags in the
following order: FSRPAU78
Flow Properties Element Type
Name Specify the element name.

Property Using the drop-down list box, select the flow property. Options include:
• ClassL2L - Traffic between two local objects on your network.
• ClassL2R - Traffic between one local object and one remote object.
• ClassOther - Traffic between hosts not defined in your network.
• SuperFlow - Flow of traffic that is an aggregate of the number of
flows that have a similar predetermined set of elements, such as
protocol, source bytes, source packets, source host, or destination
network. In some cases, other properties may be similar, such as
destination ports, TCP/IP flags, ICMP types, and code; however, the
destination hosts can differ.
• SuperFlowTypeA - SuperFlow identified as one host destined to
many hosts.
• SuperFlowTypeB - SuperFlow identified as many hosts destined to
one host.
• SuperFlowTypeC - SuperFlow identified as one host to one host.
• StealthPorts - Traffic located outside the normal application ports.
• SrcLocal - Traffic originating from a local source.
• DstLocal - Traffic originating from a remote network destined for
your network.
• NoAppDetect - Traffic for which no application was detected, for example
because the payload was too small, or traffic originating from ICMP
messages.
• UnknownApp - Non-defined application traffic.
• FlowShapeInOnly - Traffic or flows destined in the network (from
the Flowtype View).
• FlowShapeOutOnly - Traffic or flows destined out from the network
(from the Flowtype View).
Click Add.
Port Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value Specify the port number. Click Add.
CIDR Element Type
Name Specify the element name.
Object Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value Enter the IP address or CIDR range. Click Add.
Application ID Element Type
Name Specify the element name.

Value Specify the application identification number. Click Add.
Collector Element Type
Name Specify the element name.
Property Using the drop-down list box, select the element property. Options
include: CollectorID and CollectorInterface.
Value Specify the user-defined Flow Collector Identification or Collector
Interface name. Click Add.
Date Element Type
Name Specify the element name.
Test Using the drop-down list box, select when to test the value. Options
include: After and Before.
Value Click the Calendar icon and select a date. Click Add. The value default
is the current date.
Time Element Type
Name Specify the element name.
Test Using the drop-down list box, select when to test the value. Options
include: After and Before.
Value Using the drop-down list box, select the hour and minutes. Click Add.
Day Element Type
Name Specify the element name.
Type Using the drop-down list box, select the amount of time. Options
include: Week and Month.
Value Specify the day of the week or enter the month. Click Add.
Flow Length Element Type
Name Specify the element name.
Test Using the drop-down list box, select how to test the numeric Flow
Length value based on a single flow stat record. Options include:
Above, Below, and Equals.
Value Specify the numeric value for the precise flow length. Click Add.
ICMP Element Type
Name Specify the element name.
Property Using the drop-down list box, select the ICMP Type property. Options
include: Type and Code.
Value Specify the numeric value for the ICMP Type or Code. Click Add.
Note: For a list of STRM default ICMP Types or Codes, see the STRM
Default Application Configuration Guide; or, for a reference on the
current RFC Standards, go to:
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html

Flow Context Property
Name Specify the element name.
Property Using the drop-down list box, select the flow text property. Options
include: PortIsNew, TargetIsSrc, AttackerIsSrc, TargetIsDst,
AttackerIsDst, TargetIsKnownLocal, AttackerIsKnownLocal,
TargetIsLocal, AttackerIsLocal, TargetPort, AttackerPort, BeforeEvent,
and AfterEvent.
Click Add.
Flow Context Target Port
Name Specify the element name.
Port Specify the port number. Click Add.
Interface Index (ifIndex)
Name Specify the element name.
Direction Specifies the direction of the traffic. The options are Input or Output.
Value Specify the numeric value for the ifIndex. Click Add.
Quality of Service
Name Specify the element name.
Side Using the drop-down list box, select the targeted traffic flow. Options
include: Src (Source), Dst (Destination), Local, or Remote.
Field Using the drop-down list box, select the Quality of Service (QoS) field
you want to test. Options include: IP_Precedence, Type of Service
(TOS), Differentiated Service Code Point (DSCP), or Explicit
Congestion Notification (ECN).
Test Using the drop-down list box, select how to test the QoS value. Options
include: Above, Below, and Equals.
Value Specify the numeric value for the QoS. Click Add.
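The element types in Table 3-22 are combined by the Equation Editor into a Boolean expression, and the guide notes that the Classification Engine can interpret that expression as RPN. The following is an added example, not STRM code and not part of this guide: a small evaluator that models a Custom View equation as a tree of elements joined by AND, OR and NOT, applies it to flow records, emits the equivalent RPN token list, normalizes TCP flags into the FSRPAU78 display order given above, and splits a TOS byte into the QoS fields (IP_Precedence, DSCP, ECN) listed for the Quality of Service element. The flow field names, the SSH application ID (1001) and the sample flows are constructed assumptions; real application IDs come from the STRM mapping file.

```python
"""Added example (not STRM code): evaluate Custom View style equations over flow records.

Element types mirror Table 3-22 (Port, CIDR, Application ID, Flags, Count, QoS).
Flow field names, the SSH application ID and the sample flows are constructed.
"""
import ipaddress
import operator

FLAG_ORDER = "FSRPAU78"                     # display order stated in the guide
FLAG_ALIASES = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P", "ACK": "A", "URG": "U"}
TESTS = {"Above": operator.gt, "Below": operator.lt, "Equals": operator.eq}

def normalize_flags(text):
    """Accept flags in any order or spelling ('SA', 'ACK,SYN') and return them in FSRPAU78 order."""
    present = set()
    for token in text.replace(",", " ").split():
        token = FLAG_ALIASES.get(token.upper(), token.upper())
        for ch in token:
            if ch not in FLAG_ORDER:
                raise ValueError(f"unknown TCP flag {ch!r}")
            present.add(ch)
    return "".join(ch for ch in FLAG_ORDER if ch in present)

def qos_fields(tos):
    """Split an IP TOS byte into the QoS fields the guide lists (bit layout per RFC 2474 / RFC 3168)."""
    return {"IP_Precedence": tos >> 5, "TOS": tos, "DSCP": tos >> 2, "ECN": tos & 0x3}

# ---- element constructors: each returns a predicate over one flow record ----
def port(side, value):
    return lambda f: f[f"{side}_port"] == value

def cidr(side, value):
    net = ipaddress.ip_network(value, strict=False)
    return lambda f: ipaddress.ip_address(f[f"{side}_ip"]) in net

def app_id(value):
    return lambda f: f["app_id"] == value

def flags(value):
    wanted = normalize_flags(value)
    return lambda f: normalize_flags(f["flags"]) == wanted

def count(side, parameter, test, value):
    return lambda f: TESTS[test](f[f"{side}_{parameter}"], value)

def qos(side, fieldname, test, value):
    return lambda f: TESTS[test](qos_fields(f[f"{side}_tos"])[fieldname], value)

# ---- equation tree: ("AND", a, b) / ("OR", a, b) / ("NOT", a) / ("ELEM", name, predicate) ----
def AND(a, b): return ("AND", a, b)
def OR(a, b):  return ("OR", a, b)
def NOT(a):    return ("NOT", a)
def elem(name, predicate): return ("ELEM", name, predicate)

def evaluate(node, flow):
    kind = node[0]
    if kind == "ELEM":
        return node[2](flow)
    if kind == "NOT":
        return not evaluate(node[1], flow)
    left = evaluate(node[1], flow)       # brackets in the editor correspond to subtrees here
    right = evaluate(node[2], flow)
    return (left and right) if kind == "AND" else (left or right)

def to_rpn(node):
    """Postfix (RPN) token list, the form the guide says the Classification Engine can interpret."""
    kind = node[0]
    if kind == "ELEM":
        return [node[1]]
    if kind == "NOT":
        return to_rpn(node[1]) + ["NOT"]
    return to_rpn(node[1]) + to_rpn(node[2]) + [kind]

# "SSH on a non-standard port", the first scenario the guide names for Custom Views.
SSH_APP_ID = 1001   # constructed value; real IDs come from the STRM mapping file
SSH_NONSTD = AND(elem("SshApp", app_id(SSH_APP_ID)), NOT(elem("DstPort22", port("dst", 22))))

def match_view(view, flows):
    """Return the names of the flows the view selects."""
    return [f["name"] for f in flows if evaluate(view, f)]

SAMPLE_FLOWS = [  # constructed flow records, not captured data
    {"name": "ssh-std", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "src_port": 51000, "dst_port": 22,
     "app_id": SSH_APP_ID, "flags": "SA", "src_bytes": 4096, "src_tos": 0x00},
    {"name": "ssh-2222", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "src_port": 51001, "dst_port": 2222,
     "app_id": SSH_APP_ID, "flags": "ACK,SYN", "src_bytes": 8192, "src_tos": 0xB8},
    {"name": "http", "src_ip": "10.0.0.6", "dst_ip": "198.51.100.3", "src_port": 51002, "dst_port": 80,
     "app_id": 1002, "flags": "PA", "src_bytes": 1500, "src_tos": 0x00},
]

if __name__ == "__main__":
    print(match_view(SSH_NONSTD, SAMPLE_FLOWS))          # ['ssh-2222']
    print(" ".join(to_rpn(SSH_NONSTD)))                   # SshApp DstPort22 NOT AND
    print(normalize_flags("ACK,SYN"), qos_fields(0xB8))   # SA {'IP_Precedence': 5, 'TOS': 184, 'DSCP': 46, 'ECN': 0}
```

Each node of the tree stands for one object or element placed in the Drop Area; wrapping two elements in a subtree plays the role of the brackets the guide describes, and the NOT node corresponds to the exclamation mark that appears when an object or element is excluded.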

Editing Custom Views

To edit Custom Views:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Custom Views icon.
The Manage Group window appears.
Step 3 Click the group <Name> or access the group from the navigation menu.
The Manage window appears.
Step 4 Click the object name to edit the object properties.
The Properties window appears.


Step 5 Edit the necessary parameters. See Table 3-22.


Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Custom View window.
Step 9 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.

Editing the Equation You can change how an equation is calculated, see Editing the Equation. The Drop
Area of the Equation Editor features a drag and drop method of changing how the
equation is calculated.

To edit the equation using the same objects and elements:


Step 1 Select the object or element and hold.
Step 2 Drag the item to another part of the equation.
As you pass over another item in the Drop Area of the panel, that item becomes
highlighted, which signifies that you can drop the item into the equation. The
dropped item is placed ahead of the highlighted item and is joined to it with the
AND operator. This affects the calculation in two places: the next logical
calculation from where the item was moved, and the logical calculation where the
item is placed.
Step 3 Click Save.
Step 4 Close the Custom Views window.
Step 5 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.
All changes are deployed.


Editing the Operators


You can edit the operators as they appear in the Drop Area of the Equation Editor.
You can access the following using the right mouse button (right-click) on each
operator:
• And Operator - To change the default AND operator to OR, use the right
mouse button (right-click) on the operator and select OR from the menu.
• Excluding Objects - To exclude an object from part of an equation, use the
right mouse button (right-click) on the object and select NOT from the menu. An
exclamation mark (!) appears before the object.
• Excluding Elements - To exclude an element from part of an equation, use the
right mouse button (right-click) on the element and select NOT from the menu. An
exclamation mark (!) appears before the element.
• Removing Objects - To remove an object from an equation, use the right
mouse button (right-click) on the object and select Remove Object. Click OK to
confirm.
• Removing Elements - To remove an element from an equation, use the right
mouse button (right-click) on the element and select Remove Element. Click OK
to confirm.
• Group Objects - To create grouped objects to which you can apply an action, hold
down the Alt key and click the objects you want to include. Use the right mouse button
(right-click) and select Group Selected Objects. You can also include
elements in a group.
• Group Elements - To create grouped elements to which you can apply an action, hold
down the Alt key and click the elements you want to include. Use the right mouse
button (right-click) and select Group Selected Objects. You can also include
objects in a group.
• Remove Grouped Objects or Elements - Use the right mouse button
(right-click) on a group and select Remove Brackets.

Enabling and Disabling Views

You can enable or disable views using the Administration Console. Disabling views
saves processing power on large structured networks. Depending on your current
network activity or the type of traffic you are monitoring, some views may be
of more value than others at specific times.

To enable or disable views:


Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Enable/Disable View icon.
The View Management window appears.


Step 3 Using the drop-down list box, select one of the following for each view:

Table 3-23 View Management

Parameter - Description
Enabled - Using the drop-down list box, select Enabled to enable this view. This enables the Classification Engine, data collection, data storage, and graphing capabilities, and enables access from the interface.
Virtual - Using the drop-down list box, select Virtual to allow the Classification Engine to classify each flow. This enables the Classification Engine to classify the flows; however, it disables data collection, data storage, and graphing capabilities, and removes the view from the interface. Objects in a virtual view can still be referenced in a Custom View equation. Also, a Security/Policy sentry applied to a virtual view will generate events, as necessary. To enable access from the interface, select Enabled.
  Note: Selecting the Virtual mode can save processing power on your system.
Disabled - Using the drop-down list box, select Disabled to disable the view. This disables the Classification Engine, data collection, data storage, and graphing capabilities, and removes the view from the interface. To enable access from the interface, select Enabled.
  Note: Selecting the Disabled mode can save processing power on your system.

Step 4 From the Administration Console menu, select Configuration > Deploy
Configuration Changes.

Using Best Practices

Given the complexities and network resources required for STRM in large
structured networks, we recommend the following best practices:
• Disable views you are not required to access and display. Disabled views
require fewer CPU cycles and do not impact processing power in large
structured networks.
• Bundle objects and use the Network Surveillance interface to analyze your
network data. Fewer objects create less I/O to your disk.
- Bundled flows include bi-directional traffic with single source and destination
hosts and multiple source and destination ports.
- All original flows are sent but marked as a bundle.
- One Flow Bundle record is sent every interval.
- Classify processes only the bundle and not the flows.
• Typically, configure no more than 200 objects per view (for standard system
requirements). More objects may impact your processing power when
investigating your traffic.



11 CONFIGURING RULES

Rules match events or offenses by performing a series of tests. If all the conditions
of a test are true, the rule generates a response. Using the Offense Manager, you
can configure rules or building blocks. Building blocks are rules without a
response. Possible responses to a rule include:
• Create an offense.
• Generate a response to an external system (syslog or SNMP).
• Send an e-mail.
• Block the incident.
• Send system notifications using the Dashboard.

The tests in each rule can also reference other building blocks and rules. You do
not need to create rules in any specific order, since the system checks for
dependencies each time a rule is added, edited, or deleted. If a rule that is
referenced by another rule is deleted or disabled, a warning appears and no action
is taken.

Each rule may contain the following components:


• Functions - With functions, you can use building blocks and other rules to
create a multi-event or multi-offense function. You can also OR rules together,
using the when we see an event match any of the following rules function.
• Building blocks - A building block is a rule without a response. It is
commonly used as a shared variable in multiple rules, or to build
complex rules or logic that you want to reuse in other rules. You can save a group
of tests as a building block for use with other functions. Building blocks allow you
to re-use specific rule tests in other rules. For example, you can save a building
block that includes the IP addresses of all mail servers in your network and then
use that building block to exclude those hosts from another rule. The building
block defaults are provided as guidelines, which should be reviewed and edited
based on the needs of your network.
• Tests - A property of an event or an offense, such as source IP address, severity
of event, or rate analysis.

A user with non-administrative access can create rules for the areas of the network
to which they have access. You must have the appropriate role access to manage
rules.


You can configure the following rule types:


• Event Rule - An event rule performs tests on events as they are processed in
real-time by the Event Processor. You can create an event rule to detect a
single event (within certain properties) or event sequences. For example, if you
want to monitor your network for invalid login attempts, access to multiple hosts,
or a reconnaissance event followed by an exploit, you can create an event rule.
It is common for event rules to create offenses as a response.
• Offense Rule - An offense rule processes offenses only when changes are
made to the offense, such as when new events are added or the system
schedules the offense for reassessment.

This chapter includes:


• Viewing Rules
• Enabling/Disabling Rules
• Creating a Rule
• Copying a Rule
• Deleting a Rule
• Grouping Rules
• Editing Building Blocks

Viewing Rules

To view deployed rules, rule type, and status:


Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.

Step 3 In the Display drop-down list box, select Rules.


The list of deployed rules appears.


Step 4 Select the rule you want to view.
In the Rule and Notes fields, descriptive information appears.

The default rules that appear depend on the template chosen during the
installation process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.

Enabling/Disabling Rules

To enable or disable a rule:

Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 In the Display drop-down list box, select Rules.
The list of deployed rules appears.
Step 4 Select the rule you want to enable or disable.
For more information on each rule, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.
Step 5 Using the Actions drop-down list box, select Enable/Disable.
The Enabled column indicates the status.

Creating a Rule

To create a new rule:


Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.


Step 3 Choose one of the following options:


a Using the Actions drop-down list box, select New Event Rule to configure a
rule for events.
b Using the Actions drop-down list box, click New Offense Rule to configure a
rule for offenses.
The Custom Rule wizard appears.

Note: If you do not want to view the Welcome to the Custom Rules Wizard window
again, select the Skip this page when running the rules wizard check box.

Step 4 Read the introductory text. Click Next.


The Rules Test Stack Editor window appears.


Step 5 To add a test to a rule:


a In the Test Group drop-down list box, select the type of test you want to apply to
this rule.
The resulting list of tests appears. For information on tests, see Event Rule Tests
or Offense Rule Tests.
b For each test you want to add to the rule, select the + sign beside the test.
The selected test(s) appear in the Rule field.
c For each test added to the Rule field that you want to identify as an excluded
test, click the word and at the beginning of the test.
The and changes to and not.
d For each test added to the Rule field, you must customize the variables of the
test. Click the underlined configurable parameter to configure. See Event Rule
Tests or Offense Rule Tests.
Step 6 In the enter rule name here field, enter a name you want to assign to this rule.
Step 7 To export the configured tests as building blocks to use with other rules:
a Click Export as Building Block.
The Save Building Block window appears.


b Enter the name you want to assign to this building block.


c Click Save.
Step 8 In the groups area, select the check box(es) of the groups to which you want to
assign this rule. For more information on grouping rules, see Grouping Rules.
Step 9 In the Notes field, enter any notes you want to include for this rule. Click Next.
The Rule Responses window appears, which allows you to configure the action
STRM takes when the event sequence is detected.
Step 10 Choose one of the following:
a If you are configuring an Event Rule:
Table 4-1 Event Rule Response Parameters

Parameter - Description
Severity - Select the check box if you want this rule to set or adjust severity to the configured level. Once selected, you can configure the desired level.
Credibility - Select the check box if you want this rule to set or adjust credibility to the configured level. Once selected, you can configure the desired level.
Relevance - Select the check box if you want this rule to set or adjust relevance to the configured level. Once selected, you can configure the desired level.
Ensure the detected event is part of an offense - Select the check box if you want the event to be forwarded to the Magistrate component. If no offense has been created in the Offense Manager, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following options appear:
  • Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offense Manager.
  • Perform realtime flow analysis on flows between the attacker and target for seconds(s) - Select the check box and configure the number of seconds you want to perform realtime flow analysis on flows between the attacker and this target.
Drop the detected event - Select the check box to force an event, which would normally be sent to the Magistrate component, to be sent to the Aerial database for reporting or searching. This event does not appear in the Offense Manager.
Dispatch New Event - Select the check box to dispatch a new event in addition to the original event; the new event is processed like all other events in the system. The Dispatch New Event parameters appear when you select the check box. By default, the check box is clear.
Event Name - Specify the name of the event you want to display in the Offense Manager.
Event Description - Specify a description for the event. The description appears in the Annotations of the event details.
Offense Naming - Select one of the following options:
  • This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
  • This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
  • This information should not contribute to the naming of the associated offense(s) - Select this option if you do not want the Event Name information to contribute to the name of the offense(s).
Severity - Specify the severity for the event. The range is 1 (lowest) to 10 (highest) and the default is 1. The Severity appears in the Annotation of the event details.
Credibility - Specify the credibility of the event. The range is 1 (lowest) to 10 (highest) and the default is 10. Credibility appears in the Annotation of the event details.
Relevance - Specify the relevance of the event. The range is 1 (lowest) to 10 (highest) and the default is 1. Relevance appears in the Annotation of the event details.
High-Level Category - Specify the high-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.
Low-Level Category - Specify the low-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.
Ensure the dispatched event is part of an offense - Select the check box if you want, as a result of this rule, the event to be forwarded to the Magistrate component. If no offense has been created in the Offense Manager, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following option appears:
  • Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offense Manager.
Action Name - Specify the name of the Resolver Action you want to deploy for the event.
Action Duration - Specify the days, minutes, and hours you want the Resolver Action to be active. Select the Indefinite check box if you want to specify an indefinite time period.
Allowed Resolution Methods - Select the All Resolver Types check box if you want the event to be resolved, if available. You can also select the check box(es) of the Resolver Types you want to resolve events.
Blocking Rule - Specify the blocking rules you want to apply to this event. The list contains all blocking options available for the selected Resolver Type. The possible options include:
  • Source to all
  • Source to destination
  • Source to destination on detected port
  • Destination to all
  • Destination to source
  • Destination to all on detected port
  • All source and destination traffic
Email - Select the check box to display the email options. By default, the check box is clear.
Enter e-mail address to notify - Specify the e-mail address(es) to send notification to if the event generates. Separate multiple e-mail addresses using a comma.
SNMP Trap - This parameter only appears when the SNMP Settings parameters are configured in the STRM System Management window. For more information, see Chapter 3 Setting Up STRM. Select the check box to send an SNMP trap. For an event rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble:
  "Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog - Select the check box if you want to log the event. By default, the check box is clear. For example, the syslog output may resemble:
  Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description
Notify - Select the check box if you want events that generate as a result of this rule to appear in the System Notifications item in the Dashboard. For more information on the Event Viewer and the Dashboard, see the STRM Users Guide.
Response Limiter - Specify the frequency you want this rule to respond.
Enable Rule - Select the check box to enable this rule. By default, the check box is selected.

b If you are configuring an Offense Rule:


Table 4-2 Offense Rule Response Parameters

Parameter - Description
Name - Select the check box to display Name options.
New Offense Name - Specify the name you want to assign to the offense.
Offense Annotation - Specify the offense annotation you want to appear in the Offense Manager.
Offense Name - Select one of the following options:
  • This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
  • This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
Action Name - Specify the name of the Resolver Action you want to deploy for the event.
Action Duration - Specify the days, minutes, and hours you want the Resolver Action to be active. Select the Indefinite check box if you want to specify an indefinite time period.
Allowed Resolution Methods - Select the All Resolver Types check box if you want the event to be resolved, if available. You can also select the check box(es) of the Resolver Types you want to resolve events.
Blocking Rule - Specify the blocking rules you want to apply to this event. The list contains all blocking options available for the selected Resolver Type. The possible options include:
  • Source to all
  • Source to destination
  • Source to destination on detected port
  • Destination to all
  • Destination to source
  • Destination to all on detected port
  • All source and destination traffic
Email - Select the check box to display the email options. By default, the check box is clear.
Enter e-mail address to notify - Specify the e-mail address(es) to send notification to if the event generates. Separate multiple e-mail addresses using a comma.
SNMP Trap - This parameter only appears when the SNMP Enabled parameter is enabled in the STRM System Management window. For more information, see Chapter 3 Setting Up STRM. Select the check box to send an SNMP trap. For an offense rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble:
  "Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog - Select the check box if you want to log the offense. By default, the check box is clear. For example, the syslog output may resemble:
  Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59
Notify - Select the check box if you want offenses that generate as a result of this rule to appear in the System Notifications item in the Dashboard. For more information on the Offense Manager and the Dashboard, see the STRM Users Guide.
Response Limiter - Specify the frequency you want this rule to respond for each offense that the rule matches.
Enable Rule - Select the check box to enable this rule. By default, the check box is selected.

Step 11 Click Next.


The Rule Summary window appears.


Step 12 Review the configured rule. Click Finish.
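The Send to SysLog responses in Tables 4-1 and 4-2 print one line per rule firing; a downstream collector or second SIEM has to turn those lines back into fields before it can alert or correlate on them. The following Python parser is an added example, not code from the guide or from Juniper: it handles both line formats shown in the tables, and the dataclass field names, the parse_log helper, and the third (non-ECS) sample line are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event-rule notification, as printed in Table 4-1 (example line from the guide):
#   Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired:
#   172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN,
#   QID: 1000398, Category: 1011, Notes: Event description
EVENT_RULE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Rule '(?P<rule>[^']*)' Fired: "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+) (?P<proto>\d+), "
    r"Event Name: (?P<event_name>.*?), QID: (?P<qid>\d+), "
    r"Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)

# Offense-rule notification, as printed in Table 4-2:
#   Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59
OFFENSE_RULE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Offense CRE Rule (?P<rule>.+?) fired on offense #(?P<offense_id>\d+)$"
)


@dataclass
class RuleNotification:
    """One parsed ECS notification. Field names are this example's own, not STRM's."""
    kind: str                        # "event" (Table 4-1 format) or "offense" (Table 4-2 format)
    timestamp: str                   # syslog timestamp as written; the guide's lines carry no year
    host: str
    rule: str                        # name of the custom rule that fired
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[int] = None   # IP protocol number: 6 in the TCP scan line, 1 in the ICMP line
    event_name: Optional[str] = None
    qid: Optional[int] = None        # Juniper Networks event identifier
    category: Optional[int] = None   # low-level event category id
    notes: Optional[str] = None
    offense_id: Optional[int] = None


def parse_notification(line: str) -> Optional[RuleNotification]:
    """Parse one syslog line; return None when it is not an ECS rule notification."""
    line = line.rstrip("\r\n")
    m = EVENT_RULE_RE.match(line)
    if m:
        return RuleNotification(
            kind="event", timestamp=m["ts"], host=m["host"], rule=m["rule"],
            src_ip=m["src_ip"], src_port=int(m["src_port"]),
            dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
            protocol=int(m["proto"]), event_name=m["event_name"],
            qid=int(m["qid"]), category=int(m["category"]), notes=m["notes"],
        )
    m = OFFENSE_RULE_RE.match(line)
    if m:
        return RuleNotification(
            kind="offense", timestamp=m["ts"], host=m["host"], rule=m["rule"],
            offense_id=int(m["offense_id"]),
        )
    return None


def parse_log(text: str) -> Tuple[List[RuleNotification], List[str]]:
    """Split a syslog capture into parsed notifications and the lines that were skipped."""
    parsed: List[RuleNotification] = []
    skipped: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        hit = parse_notification(raw)
        if hit is None:
            skipped.append(raw)
        else:
            parsed.append(hit)
    return parsed, skipped


# Constructed sample capture: the two lines reproduced from the guide's tables plus one
# unrelated (made-up) sshd line that a collector would see on the same host.
SAMPLE_LOG = """\
Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description
Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59
Sep 28 12:40:00 localhost.localdomain sshd[2231]: Accepted publickey for admin from 10.0.0.7 port 51022 ssh2
"""

if __name__ == "__main__":
    notifications, leftovers = parse_log(SAMPLE_LOG)
    for n in notifications:
        print(n)
    print(f"{len(leftovers)} line(s) were not ECS notifications")
```

Event names in the Table 4-1 format are free text, so the parser anchors on the fixed ", QID:" and ", Category:" labels rather than on commas.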

Event Rule Tests

This section provides information on the tests you can apply to the rules, including:
• Network Property Tests
• Event Property Tests
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests

Network Property Tests

The network property test group includes:

Table 4-3 Network Property Tests

Network Vulnerability Risk Assessment
  Description: Valid when the source or destination Vulnerability Assessment risk is greater than, less than, or equal to the configured value.
  Default Test Name: when the overall source network VA risk is greater than this value
  Parameters:
  • source - Specify whether the test considers a source or destination of the event.
  • greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
  • this value - Specify the Vulnerability Assessment risk value, which is a value from 0 to 10.

Network Threat Posing
  Description: This test is valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
  Default Test Name: when the amount of threat the network is posing is greater than this value
  Parameters:
  • greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
  • this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.

Network Threat Exposure
  Description: Threat under is the value applied to the threat a network is under over time. This is calculated based on the average weighted value of the threat under over time. This test is valid when the amount of threat a network is under from local and remote networks is greater than, less than, or equal to the configured value.
  Default Test Name: when the amount of threat the network is under is greater than this value
  Parameters:
  • greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
  • this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.

Remote Networks
  Description: Valid when an IP address is part of any or all of the configured remote network locations.
  Default Test Name: when the source IP is a part of any of the following remote network location(s)
  Parameters:
  • source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
  • remote network location(s) - Specify the network locations you want this test to consider.

Remote Services Networks
  Description: Valid when an IP address is part of any or all of the configured remote services network locations.
  Default Test Name: when the source IP is a part of any of the following remote services network location(s)
  Parameters:
  • source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
  • remote services network location(s) - Specify the services network locations you want this test to consider.

Geographic Networks
  Description: Valid when an IP address is part of any or all of the configured geographic network locations.
  Default Test Name: when the Source IP is a part of any of the following geographic network location(s)
  Parameters:
  • Source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
  • geographic network location(s) - Specify the network locations you want this test to consider.

STRM Administration Guide


Creating a Rule 195

Event Property Tests


The event property test group includes:
Table 4-4 Event Property Tests

Test Description Default Test Name Parameters


Local Network Valid when the event occurs when the local network is one of the following - Specify the
Object in the specified network. one of the following areas of the network you want this test
networks to apply.
IP Protocol Valid when the IP protocol of when the IP protocol is protocols - Specify the protocols you
the event is one of the one of the following want to add to this test.
configured protocols. protocols
Event Payload Each event contains a copy when the Event Payload this string - Specify the text string you
Search of the original unnormalized contains this string want include for this test.
event. This test is valid
when the entered search
string is included anywhere
in the event payload.
QID of Event A QID is a unique identifier when the event QID is one QIDs - Use of the following options to
for events. This test is valid of the following QIDs locate QIDs:
when the event identifier is a
• Select the Browse By Category
configured QID.
option and using the drop-down list
boxes, select the high and low-level
category QIDs you want to locate.
• Select the QID Search option and
enter the QID or name you want to
locate. Click Search.
Attack Context Attack Context is the when the attack context is this context - Specify the context you
relationship between the this context want this test to consider. The options
attacker and target. For are:
example, a local attacker to
• Local to Local
a remote target.
• Local to Remote
Valid if the attack context is
one of the following: • Remote to Local
• Local to Local • Remote to Remote
• Local to Remote
• Remote to Local
• Remote to Remote
Event Valid when the event when the event category categories - Specify the event
Category category is the same as the for the event is one of the category you want this test to
configured category, for following categories consider.
example, Denial of Service
For more information on event
(DoS) attack.
categories, see the Event Category
Correlation Reference Guide.

STRM Administration Guide


196 CONFIGURING RULES

Table 4-4 Event Property Tests (continued)

Test Description Default Test Name Parameters


Severity Valid when the event when the event severity is Configure the following parameters:
severity is greater than, less greater than 5 {default}
• greater than - Specify whether the
than, or equal to the
severity is greater than, less than,
configured value. The
or equal to the configured value.
default is 5.
• this value - Specify the index,
which is a value from 0 to 10.
Credibility Valid when the event when the event credibility Configure the following parameters:
credibility is greater than, is greater than 5
• greater than - Specify whether the
less than, or equal to the {default}
credibility is greater than, less than,
configured value. The
or equal to the configured value.
default is 5.
• this value - Specify the index,
which is a value from 0 to 10.
Relevance Valid when the event when the event relevance Configure the following parameters:
relevance is greater than, is greater than 5
• greater than - Specify whether the
less than, or equal to the {default}
relevance is greater than, less than,
configured value. The
or equal to the configured value.
default is 5.
• this value - Specify the index,
which is a value from 0 to 10.
Source Valid when the source IP when the source is local local or remote - Specify either local
Location address of the event is or remote {default: or remote traffic.
either local or remote. remote}
Destination Valid when the destination when the destination is local or remote - Specify either local
Location IP address of the event is local or remote {default: or remote traffic.
either local or remote. remote}
Rate Analysis STRM monitors event rates when the event has been
of all source IP marked with rate analysis
addresses/QIDs and
destination IP
addresses/QIDs and marks
events that exhibit abnormal
rate behavior.
Valid when the event has
been marked for rate
analysis.

STRM Administration Guide


Creating a Rule 197

Table 4-4 Event Property Tests (continued)

Test Description Default Test Name Parameters


False Positive Tuning
  Description: When you tune false positive events in the Event Viewer, the resulting tuning values appear in this test. If you want to remove a false positive tuning, edit this test and remove the corresponding tuning values.
  Default test name: when the false positive signature matches one of the following signatures
  Parameters: signatures - Specify the false positive signature you want this test to consider. Enter the signature in the following format:
    <CAT|QID|ANY>:<value>:<source IP>:<dest IP>
  Where:
    <CAT|QID|ANY> - Specify whether you want this false positive signature to consider a category (CAT), a Juniper Networks Identifier (QID), or any value (ANY).
    <value> - Specify the value for the <CAT|QID|ANY> parameter. For example, if you specified QID, you must specify the QID value.
    <source IP> - Specify the source IP address you want this false positive signature to consider.
    <dest IP> - Specify the destination IP address you want this false positive signature to consider.

Username
  Description: Valid when the configured username is associated with an event.
  Default test name: when the event(s) username is this string
  Parameters:
  • is - Specify how the username is matched. Options include: is, contains, starts with, or ends with.
  • this string - Specify the username you want this test to consider.

Regex
  Description: Valid when the configured MAC address, username, hostname, or operating system matches a particular regular expression (regex) string.
  Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to the regex rules defined by the Java programming language. For more information, see http://java.sun.com/docs/books/tutorial/extra/regex/
  Default test name: when the username matches the following regex
  Parameters:
  • username - Specify the value you want to associate with this test. This test may consider the MAC address, username, hostname, or operating system.
  • regex - Specify the regex string you want this test to consider.

IPv6
  Description: Valid when the source or destination IPv6 address is one of the configured IPv6 addresses.
  Default test name: when the source IP(v6) is one of the following IPv6 addresses
  Parameters:
  • source IP(v6) - Specify whether you want this test to consider the source or destination IP(v6) address.
  • IPv6 addresses - Specify the IPv6 addresses you want this test to consider.
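The false positive signature format described under False Positive Tuning above is simple enough to parse and apply by hand. The following Python is an added example written for this page, not code from STRM or from this guide: it parses signatures in the <CAT|QID|ANY>:<value>:<source IP>:<dest IP> form and drops the events they cover. The event field names (qid, category, src_ip, dst_ip), exact (non-CIDR) IP comparison, the decision to ignore the <value> field when the first field is ANY, and every sample signature and event are assumptions of the example.

```python
"""Added example (not STRM's own code): parse and apply false-positive tuning
signatures in the <CAT|QID|ANY>:<value>:<source IP>:<dest IP> format.
Event field names, the ANY semantics and all sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional

KINDS = ("CAT", "QID", "ANY")


@dataclass(frozen=True)
class FpSignature:
    kind: str              # CAT, QID or ANY
    value: Optional[str]   # category or QID as a string; None for ANY
    src_ip: str
    dst_ip: str


def parse_signature(text: str) -> FpSignature:
    """Parse one signature line; raise ValueError on anything malformed.

    The format is colon-delimited, so an IPv6 address (which itself contains
    colons) cannot be expressed unambiguously; such input is rejected here
    rather than silently mis-split.
    """
    parts = text.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {text!r}")
    kind, value, src_ip, dst_ip = parts
    kind = kind.upper()
    if kind not in KINDS:
        raise ValueError(f"first field must be one of {KINDS}: {text!r}")
    if not src_ip.strip() or not dst_ip.strip():
        raise ValueError(f"source and destination IP are required: {text!r}")
    if kind == "ANY":
        value = None                   # assumption: <value> is ignored for ANY
    elif not value.strip():
        raise ValueError(f"{kind} signature needs a value: {text!r}")
    else:
        value = value.strip()
    return FpSignature(kind, value, src_ip.strip(), dst_ip.strip())


def is_valid_signature(text: str) -> bool:
    """Convenience check used when validating operator-entered signatures."""
    try:
        parse_signature(text)
        return True
    except ValueError:
        return False


def matches(sig: FpSignature, event: dict) -> bool:
    """True when the event falls under the tuning signature (exact IP match)."""
    if sig.kind == "CAT" and str(event["category"]) != sig.value:
        return False
    if sig.kind == "QID" and str(event["qid"]) != sig.value:
        return False
    return event["src_ip"] == sig.src_ip and event["dst_ip"] == sig.dst_ip


def apply_tuning(events, signature_texts):
    """Return the events that survive, i.e. those matching none of the signatures."""
    sigs = [parse_signature(s) for s in signature_texts]
    return [e for e in events if not any(matches(s, e) for s in sigs)]


# Constructed sample data: the QID and category numbers are placeholders,
# not real STRM identifiers.
SAMPLE_SIGNATURES = [
    "QID:5000001:10.0.0.5:10.0.0.80",
    "CAT:3002:10.0.0.5:10.0.0.80",
]
SAMPLE_EVENTS = [
    {"qid": 5000001, "category": 4001, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.80"},  # tuned out (QID)
    {"qid": 5000001, "category": 4001, "src_ip": "10.0.0.6", "dst_ip": "10.0.0.80"},  # kept: other source
    {"qid": 5000002, "category": 3002, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.80"},  # tuned out (CAT)
    {"qid": 5000002, "category": 3002, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.81"},  # kept: other destination
]

if __name__ == "__main__":
    for ev in apply_tuning(SAMPLE_EVENTS, SAMPLE_SIGNATURES):
        print("kept:", ev)
```

Because the fields are colon-delimited, an IPv6 address in the source or destination position cannot be told apart from extra fields; the parser therefore refuses such input instead of guessing, which is the behaviour you want before a signature silently suppresses the wrong events.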

IP/Port Tests
The IP/Port tests include:
Table 4-5 IP / Port Test Group

Source Port
  Description: Valid when the source port of the event is one of the configured source port(s).
  Default test name: when the source port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Destination Port
  Description: Valid when the destination port of the event is one of the configured destination port(s).
  Default test name: when the destination port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Local Port
  Description: Valid when the local port of the event is one of the configured local port(s).
  Default test name: when the local port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Remote Port
  Description: Valid when the remote port of the event is one of the configured remote port(s).
  Default test name: when the remote port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.

Source IP Address
  Description: Valid when the source IP address of the event is one of the configured IP address(es).
  Default test name: when the source IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Destination IP Address
  Description: Valid when the destination IP address of the event is one of the configured IP address(es).
  Default test name: when the destination IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Local IP Address
  Description: Valid when the local IP address of the event is one of the configured IP address(es).
  Default test name: when the local IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Remote IP Address
  Description: Valid when the remote IP address of the event is one of the configured IP address(es).
  Default test name: when the remote IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

IP Address
  Description: Valid when the source or destination IP address of the event is one of the configured IP address(es).
  Default test name: when either the source or destination IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.

Function Tests
The function tests include:
Table 4-6 Functions Group

Multi-Rule Event Function
  Description: Allows you to use saved building blocks and other rules to populate this test. The event has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
  Default test name: when an event matches any|all of the following rules
  Parameters:
  • any|all - Specify whether any or all of the configured rules must match for this test to apply.
  • rules - Specify the rules you want this test to consider.

Multi-Rule Event Function
  Description: Allows you to use saved building blocks or other rules to populate this test. This function allows you to detect a specific sequence of selected rules involving a source and destination within a configured time period.
  Default test name: when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
  Parameters:
  • these rules - Specify the rules you want this test to consider.
  • in|in any - Specify whether the rules must match in the listed order (in) or in any order.
  • the same|any (source) - Specify whether the matching events must share the same source, or may come from any source.
  • source IP - Specify the source you want this test to consider. The default is the source IP address; you can also configure this test to consider the source port, destination IP, destination port, QID, or event ID.
  • the same|any (destination) - Specify whether the matching events must share the same destination, or may go to any destination.
  • destination IP - Specify whether you want this test to consider a destination IP address, username, or destination port.
  • this many - Specify the number of time intervals you want this test to consider.
  • seconds - Specify the time interval you want this test to consider. The options are: seconds, minutes, hours, or days.

Multi-Rule Event Function
  Description: Allows you to use saved building blocks or other rules to populate this test. You can use this function to detect a number of specified rules, in sequence, involving a source and destination within a configured time interval.
  Default test name: when at least this number of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
  Parameters:
  • this number - Specify the minimum number of the selected rules that must match.
  • in|in any - Specify whether the rules must match in the listed order (in) or in any order.
  • the same|any (source) - Specify whether the matching events must share the same source, or may come from any source.
  • source IP - Specify the source you want this test to consider. The default is the source IP address; you can also configure this test to consider the source port, destination IP, destination port, QID, or event ID.
  • the same|any (destination) - Specify whether the matching events must share the same destination, or may go to any destination.
  • destination IP - Specify whether you want this test to consider a destination IP address, username, or destination port.
  • this many - Specify the number of time intervals you want this test to consider.
  • seconds - Specify the time interval you want this test to consider. The options are: seconds, minutes, hours, or days.

Multi-Event Sequence Function Between Hosts
  Description: Allows you to detect a sequence of selected rules involving the same source and destination hosts within the configured time interval. You can also use saved building blocks and other rules to populate this test.
  Default test name: when this sequence of rules, involving the same source and destination hosts in this many seconds
  Parameters:
  • of rules - Specify the rules, in order, you want this test to consider.
  • this many - Specify the number of time intervals you want this test to consider.
  • seconds - Specify the time interval you want this test to consider.

Multi-Event Counter Function
  Description: Allows you to test the number of events that meet configured conditions, such as a source IP address matching a set of rules across several destinations. You can also use building blocks and other rules to populate this test.
  Default test name: when a source IP emitting/receiving more than|exactly this many of these rules across more than|exactly this many destination IP, over this many minutes
  Parameters:
  • source IP - Specify the source you want this test to consider. The default is the source IP address; you can also configure this test to consider the source port, destination IP, destination port, QID, or event ID.
  • more than|exactly - Specify whether the number of matching rules must be more than, or exactly, the configured count.
  • this many - Specify the number of rule matches you want this test to consider.
  • these rules - Specify the rules you want this test to consider.
  • more than|exactly - Specify whether the number of distinct destinations (destination IP addresses, destination ports, QIDs, device event IDs, or devices, depending on the destination option you select) must be more than, or exactly, the configured count.
  • this many - Specify the number of distinct destinations you want this test to consider.
  • destination IP - Specify the destination you want this test to consider. The default is the destination IP address; you can also configure this test to consider destination port(s), QID(s), device event ID(s), or device(s).
  • this many - Specify the time value you want to assign to this test.
  • minutes - Specify the time interval you want this test to consider.

Multi-Rule Function
  Description: Allows you to detect a series of rules for a specific IP address or port, followed by a series of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
  Default test name: when any of these rules with the same source IP more than this many times, across more than|exactly this many destination IP within this many minutes
  Parameters:
  • rules - Specify the rules you want this test to consider.
  • source IP - Specify the source you want this test to consider. The default is the source IP address; you can also configure this test to consider the source port, destination IP, destination port, QID, or event ID.
  • this many - Specify the number of times the selected rules must match.
  • more than|exactly - Specify whether the number of distinct destinations (destination IP addresses, destination ports, QIDs, device event IDs, or devices, depending on the destination option you select) must be more than, or exactly, the configured count.
  • this many - Specify the number of distinct destinations you want this test to consider.
  • destination IP - Specify the destination you want this test to consider. The default is the destination IP address; you can also configure this test to consider destination port(s), QID(s), device event ID(s), or device(s).
  • this many - Specify the time value you want to assign to this test.
  • minutes - Specify the time interval you want this test to consider.

Multi-Rule Function
  Description: Allows you to detect a number of specific rules for a specific IP address or port, followed by a number of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
  Default test name: when at least this many of these rules, in|in any order, with the same username followed by at least this many of these rules in|in any order with the same destination IP from the previous sequence, within this many minutes
  Parameters:
  • this many - Specify the minimum number of rules from the first set that must match.
  • rules - Specify the first set of rules you want this test to consider.
  • in|in any - Specify whether the first set of rules must match in the listed order.
  • username - Specify whether the first set is grouped by username, source IP, source port, destination IP, or destination port.
  • this many - Specify the minimum number of rules from the second set that must match.
  • rules - Specify the second set of rules you want this test to consider.
  • in|in any - Specify whether the second set of rules must match in the listed order.
  • destination IP - Specify whether the second set is grouped by username, source IP, source port, destination IP, or destination port.
  • this many - Specify the number of time intervals you want this test to consider.
  • minutes - Specify the time interval you want this test to consider.

Username Function
  Description: Allows you to detect multiple updates to usernames on a single host.
  Default test name: when the username changes more than this many times within this many hours on a single host
  Parameters:
  • username - Specify whether this test considers the username, MAC address, or hostname.
  • this many - Specify the number of changes you want this test to consider.
  • this many - Specify the number of time intervals you want this test to consider.
  • hours - Specify the time interval you want this test to consider. The options are: seconds, minutes, hours, or days.
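The Multi-Event Counter Function in Table 4-6 is easiest to reason about as a sliding window kept per source. The following Python is an added example for this page, not STRM code: it evaluates "more than|exactly this many of these rules across more than|exactly this many destinations over this many minutes" against constructed events. The event field names, the hypothetical building block BB:FirewallDeny, the sample traffic, and the decision to clear a source's history once the test fires are all assumptions of the example.

```python
"""Added example (not STRM's own code): the Multi-Event Counter Function from
Table 4-6 run as a sliding-window counter over constructed events. Field
names, building-block names and the sample traffic are assumptions."""
from collections import defaultdict, deque


def counter_function(events, rules, n_events, n_dsts, window_s, exactly=False):
    """Return (source_ip, ts) pairs at which the test fires.

    Per source, keep the matching events of the last window_s seconds and
    evaluate two thresholds on them: how many matching events there are and
    how many distinct destinations they touch. With exactly=False both counts
    must exceed their threshold ("more than"); with exactly=True both must
    equal it. After a fire the source's history is cleared (assumption) so one
    burst yields one result instead of one per subsequent event.
    """
    rules = set(rules)
    history = defaultdict(deque)          # src_ip -> deque of (ts, dst_ip)
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not rules & set(ev["rules"]):
            continue                      # event matched none of these rules
        q = history[ev["src_ip"]]
        q.append((ev["ts"], ev["dst_ip"]))
        while q and ev["ts"] - q[0][0] > window_s:
            q.popleft()                   # expire events older than the window
        seen_events = len(q)
        seen_dsts = len({dst for _, dst in q})
        if exactly:
            hit = seen_events == n_events and seen_dsts == n_dsts
        else:
            hit = seen_events > n_events and seen_dsts > n_dsts
        if hit:
            fired.append((ev["src_ip"], ev["ts"]))
            q.clear()
    return fired


# Constructed sample: one host sweeps six destinations (a horizontal scan),
# another host is merely noisy against a single destination, and one event
# matches a different, unselected building block. Names are hypothetical.
DENY = "BB:FirewallDeny"
SAMPLE_EVENTS = (
    [{"ts": 10 * i, "src_ip": "10.0.0.9", "dst_ip": f"10.0.1.{i + 1}", "rules": [DENY]}
     for i in range(6)]
    + [{"ts": 10 * i, "src_ip": "10.0.0.3", "dst_ip": "10.0.1.1", "rules": [DENY]}
       for i in range(10)]
    + [{"ts": 45, "src_ip": "10.0.0.9", "dst_ip": "10.0.1.7", "rules": ["BB:Allowed"]}]
)


def run_sample():
    """More than 4 deny events across more than 4 destinations within 2 minutes."""
    return counter_function(SAMPLE_EVENTS, {DENY}, n_events=4, n_dsts=4, window_s=2 * 60)


if __name__ == "__main__":
    print(run_sample())
```

The noisy host never fires because the destination threshold is evaluated on distinct destinations, which is what separates a scan from a chatty but benign source; shrinking the window below the scan's spread (try 25 seconds) also suppresses the result, so the window length is as much a tuning knob as the counts.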
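The Multi-Event Sequence Function Between Hosts and the in|in any order form of the Multi-Rule Event Function, both in Table 4-6, track progress through a rule list per source/destination host pair with a time limit. The following Python is an added example for this page, not STRM code, and goes one step past the table by implementing the ordered and the unordered variant in one function. The event field names, the hypothetical building blocks BB:ReconScan, BB:LoginFailure and BB:LoginSuccess, and the sample events are assumptions of the example.

```python
"""Added example (not STRM's own code): the rule-sequence tests from Table 4-6
evaluated over constructed events. Field names, building-block names and the
sample traffic are assumptions."""


def sequence_function(events, sequence, window_s, in_order=True):
    """Return (src_ip, dst_ip, ts) triples at which the test fires.

    For every (source, destination) host pair the function remembers how far
    that pair has progressed through `sequence`. The window starts at the
    first rule seen; if the rest does not arrive within window_s seconds the
    partial match is discarded. With in_order=True an event only counts if it
    matches the next rule expected; with in_order=False the rules may arrive
    in any order but all must occur within the window.
    """
    seq = list(sequence)
    wanted = set(seq)
    progress = {}                          # (src, dst) -> (start_ts, state)
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        matched = wanted & set(ev["rules"])
        if not matched:
            continue
        key = (ev["src_ip"], ev["dst_ip"])
        state = progress.get(key)
        if state and ev["ts"] - state[0] > window_s:
            progress.pop(key)              # too slow: forget the partial match
            state = None
        start = state[0] if state else ev["ts"]
        if in_order:
            idx = state[1] if state else 0
            if seq[idx] not in matched:
                continue                   # not the rule we are waiting for
            new_state = idx + 1
            done = new_state == len(seq)
        else:
            new_state = (state[1] if state else set()) | matched
            done = new_state >= wanted
        if done:
            fired.append((key[0], key[1], ev["ts"]))
            progress.pop(key, None)
        else:
            progress[key] = (start, new_state)
    return fired


# Constructed sample traffic; the building-block names are hypothetical.
SCAN, FAIL, OK = "BB:ReconScan", "BB:LoginFailure", "BB:LoginSuccess"
SEQUENCE = [SCAN, FAIL, OK]
SEQ_EVENTS = [
    # pair A: scan, failed logon, successful logon, in order within 60 s
    {"ts": 0,   "src_ip": "10.0.0.9", "dst_ip": "10.0.1.20", "rules": [SCAN]},
    {"ts": 30,  "src_ip": "10.0.0.9", "dst_ip": "10.0.1.20", "rules": [FAIL]},
    {"ts": 60,  "src_ip": "10.0.0.9", "dst_ip": "10.0.1.20", "rules": [OK]},
    # pair B: the same three rules, but in reverse order
    {"ts": 0,   "src_ip": "10.0.0.9", "dst_ip": "10.0.1.21", "rules": [OK]},
    {"ts": 10,  "src_ip": "10.0.0.9", "dst_ip": "10.0.1.21", "rules": [FAIL]},
    {"ts": 20,  "src_ip": "10.0.0.9", "dst_ip": "10.0.1.21", "rules": [SCAN]},
    # pair C: the scan is followed by a failure only after the window expired
    {"ts": 0,   "src_ip": "10.0.0.4", "dst_ip": "10.0.1.20", "rules": [SCAN]},
    {"ts": 400, "src_ip": "10.0.0.4", "dst_ip": "10.0.1.20", "rules": [FAIL]},
]


def run_sample(in_order=True):
    return sequence_function(SEQ_EVENTS, SEQUENCE, window_s=300, in_order=in_order)


if __name__ == "__main__":
    print("in order:    ", run_sample(True))
    print("in any order:", run_sample(False))
```

Pair B fires only in the unordered variant, which is the practical difference between the two settings: "in any order" catches the same three building blocks when log sources deliver them out of sequence, at the cost of also matching benign combinations that happen to co-occur within the window.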

Host Profile Tests
The host profile tests include:
Table 4-7 Host Profile Tests

Host Profile Port
  Description: Valid when the configured port is open on the local source or destination host. You can also specify how the status of the port was detected:
  • Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
  • Passive - STRM passively monitors the network, recording hosts previously detected.
  Default test name: when the local source host destination port is open either actively or passively seen
  Parameters:
  • source - Specify whether this test applies to the source or destination host. The default is source.
  • either actively or passively - Specify whether this test considers active and/or passive detection.

Host Existence
  Description: Valid when the local source or destination host is known to exist through active or passive scanning. You can also specify how the host was detected:
  • Active - STRM actively searches for the host through scanning or vulnerability assessment.
  • Passive - STRM passively monitors the network, recording hosts previously detected.
  Default test name: when the local source host exists either actively or passively seen
  Parameters:
  • source - Specify whether this test applies to the source or destination host. The default is source.
  • either actively or passively - Specify whether this test considers active and/or passive detection.

Host Profile Age
  Description: Valid when the local source or destination host profile age is greater than or less than the configured number of time intervals.
  Default test name: when the local source host profile age is greater than this number of time intervals
  Parameters:
  • source - Specify whether this test applies to the source or destination host. The default is source.
  • greater than - Specify whether this test considers a profile age greater than or less than the configured value.
  • this number of - Specify the number of time intervals you want this test to consider.
  • time intervals - Specify whether this test considers minutes or hours.

Host Port Age
  Description: Valid when the local source or destination host profile port age is greater than or less than the configured amount of time.
  Default test name: when the local source host profile port age is greater than this number of time intervals
  Parameters:
  • source - Specify whether this test applies to the source or destination host. The default is source.
  • greater than - Specify whether this test considers a profile port age greater than or less than the configured value.
  • this number of - Specify the number of time intervals you want this test to consider.
  • time intervals - Specify whether this test considers minutes or hours.

Host Vulnerability Assessment Risk Level
  Description: Valid when the local source or destination host vulnerability risk level is greater than or less than the configured value.
  Default test name: when the local destination host vulnerability risk level is greater than 5 {default}
  Parameters:
  • destination - Specify whether this test applies to the source or destination host.
  • greater than - Specify whether this test considers a vulnerability risk level greater than or less than the configured value.
  • 5 - Specify the value you want this test to consider.

Host Vulnerability Assessment Port Risk Level
  Description: Valid when the local source or destination host port vulnerability risk level is greater than or less than the configured value.
  Default test name: when the local destination host port vulnerability risk level is greater than this value
  Parameters:
  • destination - Specify whether this test applies to the source or destination host port.
  • greater than - Specify whether this test considers a port vulnerability risk level greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Attacker Threat Level
  Description: Threat Posing is the calculated value for this attacker over time, indicating how severe the attacker is compared to all other attackers in your network. Valid when the amount of threat posed to the network by an attacker is greater than or less than the configured value.
  Default test name: when the amount of threat the attacker is posing is greater than this value
  Parameters:
  • greater than - Specify whether the threat level must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Attacker Threat
  Description: STRM calculates the long-term and short-term threat of an attacker and then takes the difference between the two to expose changes in the attacker's behavior. Valid when the threat delta posed by an attacker is greater than or less than the configured value.
  Default test name: when the threat delta of the attacker is greater than this value
  Parameters:
  • greater than - Specify whether the threat delta must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Target Threat
  Description: Threat under is the value applied to the threat a network is under over time. It is calculated from the average weighted value of the threat under over time. Valid when the amount of threat the target is under is greater than or less than the configured value.
  Default test name: when the amount of threat the target is under is greater than this value
  Parameters:
  • greater than - Specify whether the threat level must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Target Threat
  Description: STRM calculates the long-term and short-term threat of a target and then takes the difference between the two to expose changes in the target's behavior. Valid when the threat delta of the target is greater than or less than the configured value.
  Default test name: when the threat delta the target is greater than this value
  Parameters:
  • greater than - Specify whether the threat delta must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Asset
  Description: Valid when the device being attacked (destination) or the attacking host (source) has an assigned asset weight greater than or less than the configured value.
  Default test name: when the destination asset has a weight greater than this value
  Parameters:
  • destination - Specify whether this test considers the source or destination asset.
  • greater than - Specify whether the asset weight must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Host Vulnerable to Event
  Description: Valid when the local host destination port is vulnerable to the current event.
  Default test name: when the target is vulnerable to current exploit on any port
  Parameters:
  • target - Specify whether this test considers the target, attacker, local host, or remote host.
  • current - Specify whether this test considers the current exploit or any exploit.
  • any - Specify whether this test considers any port or the current port.

OSVDB IDs
  Description: Valid when an IP address (source, destination, or any) is vulnerable to one of the configured Open Source Vulnerability Database (OSVDB) IDs.
  Default test name: when the source IP is vulnerable to one of the following OSVDB IDs
  Parameters:
  • source IP - Specify whether this test considers the source IP address, destination IP address, or any IP address.
  • OSVDB IDs - Specify the OSVDB IDs you want this test to consider. For more information regarding OSVDB IDs, see http://osvdb.org/.

Date/Time Tests
The date and time tests include:
Table 4-8 Date/Time Tests

Event Day
  Description: Valid when the event occurs on the configured day of the month.
  Default test name: when the event(s) occur on the selected day of the month
  Parameters:
  • on - Specify whether this test considers events on, after, or before the configured day.
  • selected - Specify the day of the month you want this test to consider.

Event Week
  Description: Valid when the event occurs on one of the configured days of the week.
  Default test name: when the event(s) occur on any of these days of the week
  Parameters: these days of the week - Specify the days of the week you want this test to consider.

Event Time
  Description: Valid when the event occurs after, before, or at the configured time.
  Default test name: when the event(s) occur after this time
  Parameters:
  • after - Specify whether this test considers events after, before, or at the configured time.
  • this time - Specify the time you want this test to consider.

Device Tests
The device tests include:
Table 4-9 Device Tests

Source Device
  Description: Valid when one of the configured source devices is the source of the event.
  Default test name: when the event(s) were detected by one or more of these devices
  Parameters: these devices - Specify the devices you want this test to consider.

Source Device Type
  Description: Valid when one of the configured device types is the source of the event.
  Default test name: when the event(s) were detected by one or more of these device types
  Parameters: these device types - Specify the device types you want this test to consider.

Devices
  Description: Valid when no event has been detected by the configured devices for the configured time.
  Default test name: when the event(s) have not been detected by one or more of these devices for 300 seconds
  Parameters:
  • these devices - Specify the devices you want this test to consider.
  • 300 - Specify the time, in seconds, you want this test to consider.

Device Groups
  Description: Valid when an event is detected by one of the configured device groups.
  Default test name: when the event(s) were detected by one or more of these device groups
  Parameters: these device groups - Specify the groups you want this test to consider.

Offense Rule Tests
This section provides information on the tests you can apply to offense rules, including:
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
• Offense Property Tests

IP/Port Tests
The IP/Port tests include:
Table 4-10 IP/Port Test Group

Attacker IP Address
  Description: Valid when the attacker IP address is one of the configured IP address(es).
  Default test name: when the attacker/violator IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.

Target IP Address
  Description: Valid when the target list includes any or all of the configured IP address(es).
  Default test name: when the target list includes any of the following IP addresses
  Parameters:
  • any - Specify whether this test considers any or all of the listed targets.
  • IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.

Function Tests
The function tests include:
Table 4-11 Offense Function Group

Multi-Rule Offense Function
  Description: Allows you to use saved building blocks and other rules to populate this test. The offense has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
  Default test name: when the offense matches any of the following offense rules
  Parameters:
  • any - Specify whether any or all of the configured rules must match for this test to apply.
  • rules - Specify the rules you want this test to consider.

Host Profile Tests
The host profile tests include:
Table 4-12 Host Profile Tests

Attacker Threat Level
  Description: Threat Posing is the calculated value for this attacker over time, indicating how severe the attacker is compared to all other attackers in your network. Valid when the threat posed to the network by an attacker is greater than or less than the configured value.
  Default test name: when the amount of threat the attacker is posing is greater than this value
  Parameters:
  • greater than - Specify whether the threat level must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Network Vulnerability Risk
  Description: Valid when the overall vulnerability assessment (VA) risk on the network is greater than or less than the configured value.
  Default test name: when the overall network VA risk is greater than this value
  Parameters:
  • greater than - Specify whether the risk must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Network Threat Posing
  Description: Valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
  Default test name: when the amount of threat the network is posing is greater than this value
  Parameters:
  • greater than - Specify whether the value must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Network Threat Under
  Description: Threat under is the value applied to the threat a network is under over time. It is calculated from the average weighted value of the threat under over time. Valid when the amount of threat a network is under from local and remote networks is greater than, less than, or equal to the configured value.
  Default test name: when the amount of threat the network is under is greater than this value
  Parameters:
  • greater than - Specify whether the network threat must be greater than or less than the configured value.
  • this value - Specify the value you want this test to consider.

Date/Time Tests
The date and time tests include:
Table 4-13 Date/Time Tests

Event Day
  Description: Valid when the offense occurs on the configured day of the month.
  Default test name: when the offense(s) occur on the selected day of the month
  Parameters:
  • on - Specify whether this test considers offenses on, after, or before the selected date.
  • selected - Specify the date you want this test to consider.

Event Week
  Description: Valid when the offense occurs on one of the configured days of the week.
  Default test name: when the offense(s) occur on these days of the week
  Parameters:
  • on - Specify whether this test considers offenses on, after, or before the selected day.
  • these days of the week - Specify the days you want this test to consider.

Event Time
  Description: Valid when the offense occurs after, before, or at the configured time.
  Default test name: when the offense(s) occur after this time
  Parameters:
  • after - Specify whether this test considers offenses after, before, or at the specified time.
  • this time - Specify the time you want this test to consider.

Device Tests
The device tests include:
Table 4-14 Device Tests

Device Types
  Description: Valid when one of the configured device types detected the offense.
  Default test name: when the device type(s) that detected the offense is one of the following device types
  Parameters: device types - Specify the device types you want this test to consider.

Number of Device Types
  Description: Valid when the number of device types that detected the offense is greater than the configured value.
  Default test name: when the number of device types that detected the offense is greater than this number
  Parameters: greater than this number - Specify the number of device types you want this test to consider.

Offense Property Tests
The offense property tests include:
Table 4-15 Offense Property Tests

Network Object
  Description: Valid when the networks affected by the offense are any or all of the configured networks.
  Default test name: when the networks affected are any of one of the following networks
  Parameters:
  • any - Specify whether this test considers any or all of the networks.
  • one of the following networks - Specify the networks you want this test to consider.

Offense Category
  Description: Valid when the categories of the offense include any or all of the configured event categories.
  Default test name: when the categories of the offense includes any of the following list of categories
  Parameters:
  • any - Specify whether this test considers any or all of the categories.
  • list of categories - Specify the categories you want this test to consider. For more information on event categories, see the Event Category Correlation Reference Guide.

Severity
  Description: Valid when the offense severity is greater than, less than, or equal to the configured value.
  Default test name: when the offense severity is greater than 5 {default}
  Parameters:
  • greater than - Specify whether the offense severity must be greater than, less than, or equal to the configured value.
  • 5 - Specify the value you want this test to consider.

Credibility
  Description: Valid when the offense credibility is greater than, less than, or equal to the configured value.
  Default test name: when the offense credibility is greater than 5 {default}
  Parameters:
  • greater than - Specify whether the offense credibility must be greater than, less than, or equal to the configured value.
  • 5 - Specify the value you want this test to consider.

Relevance
  Description: Valid when the offense relevance is greater than, less than, or equal to the configured value.
  Default test name: when the offense relevance is greater than 5 {default}
  Parameters:
  • greater than - Specify whether the offense relevance must be greater than, less than, or equal to the configured value.
  • 5 - Specify the value you want this test to consider.

Attack Context
  Description: Attack Context is the relationship between the attacker and target, for example a local attacker to a remote target. Valid if the attack context is one of: Local to Local, Local to Remote, Remote to Local, or Remote to Remote.
  Default test name: when the attack context is this context
  Parameters: this context - Specify the context you want this test to consider. The options are:
  • Local to Local
  • Local to Remote
  • Remote to Local
  • Remote to Remote

Attacker Location
  Description: Valid when the attacker is either local or remote. The default is remote.
  Default test name: when the attacker is local or remote IPs {default: remote}
  Parameters: local or remote - Specify whether the attacker must be local or remote.

Target Location
  Description: Valid when the target is either local or remote. The default is remote.
  Default test name: when the target list includes local or remote IP addresses {default: remote}
  Parameters: local or remote IP addresses - Specify whether the target must be local or remote.

STRM Administration Guide


214 CONFIGURING RULES

Table 4-15 Offense Property Tests (continued)

Test Description Default Test Name Parameters


Network Flow Valid when STRM detects when real-time network Configure the following parameters:
Analysis one of the configured flow analysis has
• any - Specify if you want this test
behaviors in the Attacker detected any of the
to consider any or all behaviors.
Target analysis. following attacker target
analysis behaviors listed. • listed - Specify the behaviors
you want this test to consider.
Network Flow Valid when STRM detects when real-time network Configure the following parameters:
Analysis one of the configured flow analysis has
• any - Specify if you want this test
behaviors in the Target detected any of the
to consider any or all behaviors.
analysis. following target analysis
behaviors listed. • listed - Specify the behaviors
you want this test to consider.
Category Count Valid when the number of when the number of Configure the following parameters:
in an Offense event categories for an categories involved in the
• greater than - Specify if you
offense greater than, less offense is greater than
want the number of categories to
than, or equal to the this number
be greater than, less than, or
configured value.
equal to the configured value.
• this number - Specify the value
you want this test to consider.
For more information on event
categories, see the Event Category
Correlation Reference Guide.
Target Count in Valid when the number of when the number of Configure the following parameters:
an Offense targets for an offense greater targets under attack is
• greater than - Specify if you
than, less than, or equal to greater than this
want the number of targets to be
the configured value. number
greater than, less than, or equal
to the configured value.
• this number - Specify the value
you want this test to consider.
Event Count in Valid when the number of when the number of Configure the following parameters:
an Offense events for an offense is events making up the
• greater than - Specify if you
greater than, less than, or offense is greater than
want the number of events to be
equal to the configured this number
greater than, less than, or equal
value.
to the configured value.
• this number - Specify the value
you want this test to consider.
Offense ID Valid when the Offense ID is when the offense ID is this ID - Specify the offense ID you
the configured value. this ID want this test to consider.
Offense Creation Valid when a new offense is when a new offense is
created. created

STRM Administration Guide


Copying a Rule 215

Table 4-15 Offense Property Tests (continued)

Test Description Default Test Name Parameters


Offense Change Valid when the configured when the offense Configure the following parameters:
offense property has property has increased
• property - Specify the property
increased or decreases by at least this percent
you want this test to consider.
below the configured value.
The options are magnitude,
severity, credibility, relevance,
target count, attacker count,
category count, annotation count,
or event count.
• this - Specify the percent value
you want this test to consider.
• percent - Specify if you want this
test to consider percentage or
units.
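As an added illustration that is not STRM code, the following Python models how the tests in Table 4-15 are evaluated against an offense, in particular the any/all choice of the Network Object and Offense Category tests and the percent/units choice of the Offense Change test. The Offense record, the dictionary form of each test, and the assumption that a rule is valid only when all of its tests are valid are constructions for this example.

```python
"""Model of the offense property tests in Table 4-15 (added example, not STRM code).
The Offense record, the dictionary form of a test and the rule semantics used
here (every configured test must be valid) are assumptions for illustration."""
from dataclasses import dataclass
import operator

RELATIONS = {"greater than": operator.gt, "less than": operator.lt,
             "equal to": operator.eq}


@dataclass
class Offense:
    networks: set            # networks affected by the offense
    categories: set          # event categories involved in the offense
    severity: int
    credibility: int
    relevance: int
    attacker_local: bool
    target_local: bool
    target_count: int
    event_count: int
    magnitude: int = 0


def attack_context(o):
    """Attack Context: the attacker/target relationship, e.g. 'Remote to Local'."""
    side = {True: "Local", False: "Remote"}
    return f"{side[o.attacker_local]} to {side[o.target_local]}"


def membership(actual, configured, mode):
    """Network Object / Offense Category: 'any' needs one configured item present, 'all' needs every one."""
    configured = set(configured)
    if mode == "any":
        return bool(actual & configured)
    if mode == "all":
        return configured <= actual
    raise ValueError(f"mode must be 'any' or 'all', not {mode!r}")


def offense_change(before, after, prop, amount, unit):
    """Offense Change: valid when `prop` grew by at least `amount`, in percent of the old value or in units."""
    old, new = getattr(before, prop), getattr(after, prop)
    if unit == "units":
        return new - old >= amount
    if unit == "percent":
        if old == 0:                 # assumption: any growth from zero qualifies
            return new > old
        return (new - old) * 100 / old >= amount
    raise ValueError(f"unit must be 'percent' or 'units', not {unit!r}")


# Count tests read their number from the offense; Category Count is derived.
COUNTS = {"Category Count": lambda o: len(o.categories),
          "Target Count": lambda o: o.target_count,
          "Event Count": lambda o: o.event_count}


def evaluate_rule(offense, tests, previous=None):
    """True when every configured test is valid; `previous` is the offense before the tested change."""
    for t in tests:
        kind = t["test"]
        if kind == "Network Object":
            ok = membership(offense.networks, t["networks"], t["mode"])
        elif kind == "Offense Category":
            ok = membership(offense.categories, t["categories"], t["mode"])
        elif kind in ("Severity", "Credibility", "Relevance"):
            ok = RELATIONS[t["relation"]](getattr(offense, kind.lower()), t["value"])
        elif kind in COUNTS:
            ok = RELATIONS[t["relation"]](COUNTS[kind](offense), t["value"])
        elif kind == "Attack Context":
            ok = attack_context(offense) == t["context"]
        elif kind in ("Attacker Location", "Target Location"):
            actual = offense.attacker_local if kind.startswith("Attacker") else offense.target_local
            ok = actual == (t["location"] == "local")
        elif kind == "Offense Change":
            ok = previous is not None and offense_change(
                previous, offense, t["property"], t["amount"], t["unit"])
        else:
            raise ValueError(f"unknown test {kind!r}")
        if not ok:
            return False
    return True


# Constructed sample: the same offense before and after 20 more events arrived.
EARLIER = Offense(networks={"DMZ"}, categories={"Recon.PortScan"}, severity=7,
                  credibility=6, relevance=8, attacker_local=False,
                  target_local=True, target_count=3, event_count=100)
LATER = Offense(networks={"DMZ", "Servers"},
                categories={"Recon.PortScan", "Exploit.Overflow"}, severity=7,
                credibility=6, relevance=8, attacker_local=False,
                target_local=True, target_count=4, event_count=120)
EXTERNAL_SCAN_RULE = [
    {"test": "Attack Context", "context": "Remote to Local"},
    {"test": "Severity", "relation": "greater than", "value": 5},
    {"test": "Network Object", "mode": "any", "networks": ["DMZ", "Users"]},
    {"test": "Offense Change", "property": "event_count", "amount": 20, "unit": "percent"},
]
```

Calling `evaluate_rule(LATER, EXTERNAL_SCAN_RULE, previous=EARLIER)` returns True; switching the Offense Change test to 25 units returns False, because only 20 events were added.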

Copying a Rule

To copy a rule:


Step 1 Select the Offense Manager tab.
The Offense Manager appears.
Step 2 In the navigation bar, click Rules.
Step 3 In the Display drop-down list box, select Rules.
Step 4 Select the rule you want to duplicate.
Step 5 Using the Actions drop-down list box, select Duplicate.
Step 6 When prompted to enter a name for the copied rule, enter a name for the new rule and click Ok.
The duplicated rule appears.
Step 7 Click Edit to edit the tests for the rule.
For more information on editing the rule, see Creating a Rule.

Deleting a Rule

To delete a rule:


Step 1 Select the Offense Manager tab.
The Offense Manager appears.
Step 2 In the navigation bar, click Rules.
Step 3 In the Display drop-down list box, select Rules.
Step 4 Select the rule you want to delete.
Step 5 Using the Actions drop-down list box, select Delete.


Grouping Rules

You can group and view your rules and building blocks based on your chosen
criteria. Categorizing your rules or building blocks into groups allows you to
efficiently view and track your rules. For example, you can view all rules related to
compliance. By default, the Rules interface displays all rules and building blocks.

As you create new rules, you can choose whether to assign the rule to
an existing group. For information on assigning a rule to a group using the rule wizard,
see Creating a Rule.

Note: You must have administrative access to create, edit, or delete groups. For
more information on user roles, see Chapter 1 Managing Users.

This section provides information on grouping rules and building blocks, including:
• Viewing Groups
• Creating a Group
• Editing a Group
• Copying an Item to Another Group(s)
• Deleting an Item from a Group
• Assigning an Item to a Group

Viewing Groups

To view rules or building blocks using groups:


Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Using the Display drop-down list box, select whether you want to view Rules or
Building blocks.
Step 4 From the Filter drop-down list box, select the group category you want to view.
The list of items assigned to that group appears.

Creating a Group

To create a group:


Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.


Step 4 From the menu tree, select the group under which you want to create a new group.
Note: Once you create the group, you can drag and drop menu tree items to
change the organization of the tree items.
Step 5 Click New Group.
The Group Properties window appears.

Step 6 Enter values for the parameters:


• Name - Specify the name you want to assign to the new group. The name may
be up to 255 characters in length.
• Description - Specify a description you want to assign to this group. The
description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag
the folder to the desired location in your menu tree.
Step 9 Close the Groups window.


Editing a Group

To edit a group:


Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.

Step 4 From the menu tree, select the group you want to edit.
Step 5 Click Edit.
The Group Properties window appears.
Step 6 Update values for the parameters, as necessary:
• Name - Specify the name you want to assign to the group. The name may
be up to 255 characters in length.
• Description - Specify a description you want to assign to this group. The
description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the group, click the group and drag the
folder to the desired location in your menu tree.
Step 9 Close the Groups window.

Copying an Item to Another Group(s)

Using the groups functionality, you can copy a rule or building block to one or many
groups. To copy a rule or building block:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.


Step 3 Click Groups.
The Group window appears.

Step 4 From the menu tree, select the rule or building block you want to copy to another
group.
Step 5 Click Copy.
The Choose Group window appears.

Step 6 Select the check box for the group(s) to which you want to copy the rule or building
block.
Step 7 Click Copy.
Step 8 Close the Groups window.


Deleting an Item from a Group

To delete a rule or building block from a group:
Note: Deleting a group removes this rule or building block from the Rules
interface. Deleting an item from a group does not delete the rule or building block
from the Rules interface.
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the top level group.
Step 5 From the list of groups, select the group you want to delete.
Step 6 Click Remove.
A confirmation window appears.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag
the folder to the desired location in your menu tree.
Step 9 Close the Groups window.

Assigning an Item to a Group

To assign a rule or building block to a group:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Select the rule or building block you want to assign to a group.
Step 4 Using the Actions drop-down list box, select Assign Groups.
The Choose Group window appears.
Step 5 Click Assign Groups.

Editing Building Blocks

Building blocks allow you to re-use specific rule tests in other rules. For example,
you can save a building block that excludes the IP addresses of all mail servers in
your deployment from the rule.

The default building blocks depend on the template chosen during the installation
process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.


To edit a building block:


Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 In the Display drop-down list box, select Building Blocks.
The Building Blocks appear.
Step 4 Double-click the building block you want to edit.
The Custom Rules Wizard appears.

Step 5 Update the building block, as necessary. Click Next.


Step 6 Continue through the wizard. For more information, see Creating a Rule.
The Rule Summary appears.


Step 7 Click Finish.


12 DISCOVERING SERVERS

The Server Discovery function uses STRM’s Asset Profile database to discover
different server types based on port definitions, then allows you to select which
servers should be added to a server-type building block. This feature makes the
discovery and tuning process simpler and faster by allowing a quick mechanism to
insert servers into building blocks.

The Server Discovery function is based on server-type building blocks. Ports are
used to define the server type so that the server-type building block essentially
functions as a port-based filter when searching the Asset Profile database.

For more information on building blocks, see Chapter 11 Configuring Rules.

To discover servers:
Step 1 Click the Assets tab.
The Assets window appears.
Step 2 In the navigation menu, click Server Discovery.
The Server Discovery panel appears.
Step 3 From the Server Type drop-down list box, select the server type you want to
discover.
Step 4 Select the option to determine the servers you want to discover including:
• All - Search all servers in your deployment with the currently selected Server
Type.
• Assigned - Search servers in your deployment that have been previously
assigned to the currently selected Server Type.
• Unassigned - Search servers in your deployment that have not been
previously assigned.
Step 5 From the Network drop-down list box, select the network you want to search.
Step 6 Click Discover Servers.
The discovered servers appear.


Step 7 In the Matching Servers table, select the check box(es) of all servers you want to
assign to the server role.
Note: If you want to modify the search criteria, click either Edit Port or Edit
Definition. The Rules Wizard appears. For more information on the rules wizard,
see Chapter 11 Configuring Rules.
Step 8 Click Approve Selected Servers.


13 FORWARDING SYSLOG DATA

STRM allows you to forward received log data to other products. You can forward
syslog data (raw log data) received from devices as well as STRM normalized
event data. You can forward data on a per Event Collector/Event Processor basis,
and you can configure multiple forwarding destinations. STRM ensures that
all forwarded data is unaltered.

This chapter includes:


• Adding a Syslog Destination
• Editing a Syslog Destination
• Delete a Syslog Destination

Adding a Syslog Destination

To add a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.

Step 3 Click Add.
The Syslog Forwarding Destinations window appears.


Step 4 Enter values for the parameters:


• Forwarding Event Collector - Using the drop-down list box, select the
deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log
data.
Step 5 Click Save.

Editing a Syslog Destination

To edit a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 3 Select the entry you want to edit.
Step 4 Click Edit.
The Syslog Forwarding Destinations window appears.

Step 5 Update values, as necessary:


• Forwarding Event Collector - Using the drop-down list box, select the
deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log
data.
Step 6 Click Save.


Delete a Syslog Destination

To delete a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 3 Select the entry you want to delete.
Step 4 Click Delete.
A confirmation window appears.
Step 5 Click Ok.


A JUNIPER NETWORKS MIB

This appendix provides information on the Juniper Networks Management
Information Base (MIB). The Juniper Networks MIB allows you to send SNMP
traps to other network management systems. The Juniper Networks OID is
1.3.6.1.4.1.20212.

Note: For assistance with the Juniper Networks MIB, please contact Juniper
Networks Customer Support.

The Juniper Networks MIB includes:


JUNIPER-STRM-TRAPS DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    IpAddress, Integer32, Counter64
        FROM SNMPv2-SMI
    jnxStrm
        FROM JUNIPER-SMI
    DisplayString, DateAndTime, TruthValue,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC;

strmTrapInfo MODULE-IDENTITY
    LAST-UPDATED "200811101100Z"
    ORGANIZATION "Juniper Networks, Inc"
    CONTACT-INFO
        " Juniper Technical Assistance Center
          Juniper Networks, Inc.
          1194 N. Mathilda Avenue
          Sunnyvale, CA 94089
          E-mail: support@juniper.net"
    DESCRIPTION "Security Threat Response Manager trap
        definitions for STRM"
    ::= { jnxStrm 1 }

strmTrap OBJECT IDENTIFIER ::= { jnxStrm 0 }

--
-- Variables within the STRM Trap Info
-- .2636.7.1.*
--
strmLocalHostAddress OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "IP address of the local machine where the
        notification originated"
    ::= { strmTrapInfo 1 }

strmTimeString OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Time offense was created or time the event rule
        fired. Example 'Mon Apr 28 10:14:49 GMT 2008'"
    ::= { strmTrapInfo 2 }

strmTimeInMillis OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Time offense was created or time the event rule
        fired in milliseconds"
    ::= { strmTrapInfo 3 }

--
-- Offense Properties
--
strmOffenseID OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense ID"
    ::= { strmTrapInfo 4 }

strmOffenseDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Description of the Offense"
    ::= { strmTrapInfo 6 }

strmOffenseLink OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "HTTP link to the offense"
    ::= { strmTrapInfo 7 }

strmMagnitude OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense magnitude"
    ::= { strmTrapInfo 8 }

strmSeverity OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense severity"
    ::= { strmTrapInfo 9 }

strmCreditibility OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense credibility"
    ::= { strmTrapInfo 10 }

strmRelevance OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense relevance"
    ::= { strmTrapInfo 11 }

--
-- Attacker Properties
--
strmAttackerIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Attacker IP"
    ::= { strmTrapInfo 12 }

strmAttackerUserName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Attacker's User Name"
    ::= { strmTrapInfo 13 }

strmAttackerCount OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Attackers"
    ::= { strmTrapInfo 14 }

strmTop5AttackerIPs OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
    ::= { strmTrapInfo 15 }

strmTopAttackerIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Attacker IPs"
    ::= { strmTrapInfo 16 }

strmTop5AttackerUsernames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Attacker Usernames by Magnitude(comma separated)"
    ::= { strmTrapInfo 48 }

strmTopAttackerUsername OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..32))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Attacker Username"
    ::= { strmTrapInfo 49 }

strmAttackerNetworks OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Attacker Networks(comma separated)"
    ::= { strmTrapInfo 17 }

--
-- Target Properties
--
strmTargetIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Target IP"
    ::= { strmTrapInfo 18 }

strmTargetUserName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Target's User Name"
    ::= { strmTrapInfo 19 }

strmTargetCount OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Targets"
    ::= { strmTrapInfo 20 }

strmTop5TargetIPs OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Target IPs by Magnitude"
    ::= { strmTrapInfo 21 }

strmTopTargetIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Target"
    ::= { strmTrapInfo 22 }

strmTop5TargetUsernames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Target Usernames by Magnitude"
    ::= { strmTrapInfo 50 }

strmTopTargetUsername OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..32))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Target Username"
    ::= { strmTrapInfo 51 }

strmTargetNetworks OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Target Networks(comma separated)"
    ::= { strmTrapInfo 23 }

--
-- Category properties
--
strmCategoryCount OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Categories"
    ::= { strmTrapInfo 24 }

strmTop5Categories OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Categories(comma separated)"
    ::= { strmTrapInfo 25 }

strmTopCategory OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Category"
    ::= { strmTrapInfo 26 }

strmCategoryID OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Category ID of Event that triggered the Event CRE
        Rule"
    ::= { strmTrapInfo 27 }

strmCategory OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Category of the Event that triggered the Event CRE
        Rule"
    ::= { strmTrapInfo 28 }

--
-- Annotation Properties
--
strmAnnotationCount OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Annotations"
    ::= { strmTrapInfo 29 }

strmTopAnnotation OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Annotation"
    ::= { strmTrapInfo 30 }

--
-- Rule Properties
--
strmRuleCount OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Rules contained in the Offense"
    ::= { strmTrapInfo 31 }

strmRuleNames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Names of the Rules that contributed to the
        Offense(comma separated)"
    ::= { strmTrapInfo 32 }

strmRuleID OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "ID of the Rule that was triggered in the CRE"
    ::= { strmTrapInfo 33 }

strmRuleName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Name of the Rule that was triggered in the CRE"
    ::= { strmTrapInfo 34 }

strmRuleDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Description/Notes of the Rule that was triggered
        in the CRE"
    ::= { strmTrapInfo 35 }

--
-- Event Properties
--
strmEventCount OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Events contained in the Offense"
    ::= { strmTrapInfo 36 }

strmEventID OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "ID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 37 }

strmQid OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "QID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 38 }

strmEventName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Name of the Event that triggered the Event CRE
        Rule"
    ::= { strmTrapInfo 39 }

strmEventDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Description/Notes of the Event that triggered the
        Event CRE Rule"
    ::= { strmTrapInfo 40 }

--
-- IP Properties
--
strmSourceIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Source IP of the Event that triggered the Event CRE
        Rule"
    ::= { strmTrapInfo 41 }

strmSourcePort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Source Port of the Event that triggered the Event
        CRE Rule"
    ::= { strmTrapInfo 42 }

strmDestinationIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Destination IP of the Event that triggered the
        Event CRE Rule"
    ::= { strmTrapInfo 43 }

strmDestinationPort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Destination Port of the Event that triggered the
        Event CRE Rule"
    ::= { strmTrapInfo 44 }

strmProtocol OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Protocol of the Event that triggered the Event CRE
        Rule"
    ::= { strmTrapInfo 45 }

strmAttackerPort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Source Port of the Event that triggered the Event
        CRE Rule"
    ::= { strmTrapInfo 46 }

strmTargetPort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Destination Port of the Event that triggered the
        Event CRE Rule"
    ::= { strmTrapInfo 47 }

--
-- STRM Trap Notifications
-- .2636.7.0.*
--
strmEventCRENotification NOTIFICATION-TYPE
    OBJECTS {
        strmLocalHostAddress,
        strmTimeString,
        strmRuleName,
        strmRuleDescription,
        strmAttackerIP,
        strmAttackerPort,
        strmAttackerUserName,
        strmAttackerNetworks,
        strmTargetIP,
        strmTargetPort,
        strmTargetUserName,
        strmTargetNetworks,
        strmProtocol,
        strmQid,
        strmEventName,
        strmEventDescription,
        strmCategory
    }
    STATUS current
    DESCRIPTION "Event CRE Notification"
    ::= { strmTrap 1 }

strmOffenseCRENotification NOTIFICATION-TYPE
    OBJECTS {
        strmLocalHostAddress,
        strmTimeString,
        strmRuleName,
        strmRuleDescription,
        strmOffenseID,
        strmOffenseDescription,
        strmOffenseLink,
        strmMagnitude,
        strmSeverity,
        strmCreditibility,
        strmRelevance,
        strmEventCount,
        strmCategoryCount,
        strmTop5Categories,
        strmAttackerIP,
        strmAttackerUserName,
        strmAttackerNetworks,
        strmAttackerCount,
        strmTop5AttackerIPs,
        strmTargetIP,
        strmTargetUserName,
        strmTargetNetworks,
        strmTargetCount,
        strmTop5TargetIPs,
        strmRuleCount,
        strmRuleNames,
        strmAnnotationCount,
        strmTopAnnotation.1,
        strmTopAnnotation.2,
        strmTopAnnotation.3,
        strmTopAnnotation.4,
        strmTopAnnotation.5
    }
    STATUS current
    DESCRIPTION "Offense CRE Notification"
    ::= { strmTrap 2 }

END
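As an added example (not part of the Juniper MIB or of STRM), the following Python maps the varbinds of a received trap back to the object names defined above, parses the comma-separated top-5 lists, and reports any varbind the MIB does not define instead of silently dropping it. The base prefix STRM_BASE (taken from the MIB's own comments), the string form of the varbind values, and the sample trap are assumptions.

```python
"""Decode a JUNIPER-STRM-TRAPS notification from its SNMP varbinds (added example,
not STRM code). STRM_BASE is an assumption taken from the MIB's own comments
(.2636.7.1.* trap info, .2636.7.0.* notifications); set it to match your site."""
from ipaddress import IPv4Address

STRM_BASE = "1.3.6.1.4.1.2636.7"           # assumed value of jnxStrm (JUNIPER-SMI)
TRAP_INFO = STRM_BASE + ".1"               # strmTrapInfo ::= { jnxStrm 1 }
TRAP = STRM_BASE + ".0"                    # strmTrap ::= { jnxStrm 0 }
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"    # snmpTrapOID.0, names the notification

# Sub-identifiers under strmTrapInfo as numbered in the MIB (5 is not defined).
TRAP_INFO_NAMES = {
    1: "strmLocalHostAddress", 2: "strmTimeString", 3: "strmTimeInMillis",
    4: "strmOffenseID", 6: "strmOffenseDescription", 7: "strmOffenseLink",
    8: "strmMagnitude", 9: "strmSeverity", 10: "strmCreditibility",
    11: "strmRelevance", 12: "strmAttackerIP", 13: "strmAttackerUserName",
    14: "strmAttackerCount", 15: "strmTop5AttackerIPs", 16: "strmTopAttackerIP",
    17: "strmAttackerNetworks", 18: "strmTargetIP", 19: "strmTargetUserName",
    20: "strmTargetCount", 21: "strmTop5TargetIPs", 22: "strmTopTargetIP",
    23: "strmTargetNetworks", 24: "strmCategoryCount", 25: "strmTop5Categories",
    26: "strmTopCategory", 27: "strmCategoryID", 28: "strmCategory",
    29: "strmAnnotationCount", 30: "strmTopAnnotation", 31: "strmRuleCount",
    32: "strmRuleNames", 33: "strmRuleID", 34: "strmRuleName",
    35: "strmRuleDescription", 36: "strmEventCount", 37: "strmEventID",
    38: "strmQid", 39: "strmEventName", 40: "strmEventDescription",
    41: "strmSourceIP", 42: "strmSourcePort", 43: "strmDestinationIP",
    44: "strmDestinationPort", 45: "strmProtocol", 46: "strmAttackerPort",
    47: "strmTargetPort", 48: "strmTop5AttackerUsernames",
    49: "strmTopAttackerUsername", 50: "strmTop5TargetUsernames",
    51: "strmTopTargetUsername",
}
NOTIFICATIONS = {TRAP + ".1": "strmEventCRENotification",
                 TRAP + ".2": "strmOffenseCRENotification"}
IP_OBJECTS = {"strmLocalHostAddress", "strmAttackerIP", "strmTopAttackerIP",
              "strmTargetIP", "strmTopTargetIP", "strmSourceIP", "strmDestinationIP"}
COMMA_LISTS = {"strmTop5AttackerIPs", "strmTop5AttackerUsernames",
               "strmAttackerNetworks", "strmTop5TargetIPs", "strmTop5TargetUsernames",
               "strmTargetNetworks", "strmTop5Categories", "strmRuleNames"}
NUMERIC_SUBIDS = {3, 4, 8, 9, 10, 11, 14, 20, 24, 27, 29, 31, 33, 36, 37, 38,
                  42, 44, 45, 46, 47}       # Integer32 and Counter64 objects


def _convert(sub, name, value):
    """Parse a varbind value according to the object's SYNTAX in the MIB."""
    if name in IP_OBJECTS:
        return IPv4Address(value)          # ValueError on a malformed IpAddress
    if name in COMMA_LISTS:
        return [item.strip() for item in value.split(",") if item.strip()]
    if sub in NUMERIC_SUBIDS:
        return int(value)
    return value


def decode_trap(varbinds):
    """Map the (oid, value) pairs of one trap PDU back to MIB object names.

    Instance suffixes are kept (strmTopAnnotation.1 .. .5). Varbinds outside
    strmTrapInfo are returned under 'unknown' rather than silently dropped."""
    decoded = {"notification": None, "objects": {}, "unknown": []}
    prefix = TRAP_INFO + "."
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID:
            decoded["notification"] = NOTIFICATIONS.get(value, value)
            continue
        rest = oid[len(prefix):] if oid.startswith(prefix) else ""
        sub, _, instance = rest.partition(".")
        if not sub.isdigit() or int(sub) not in TRAP_INFO_NAMES:
            decoded["unknown"].append((oid, value))
            continue
        name = TRAP_INFO_NAMES[int(sub)]
        key = f"{name}.{instance}" if instance else name
        decoded["objects"][key] = _convert(int(sub), name, value)
    return decoded


# Constructed sample: varbinds of an strmOffenseCRENotification, values as the
# strings a trap receiver hands over (assumption; a real PDU carries typed values).
SAMPLE_VARBINDS = [
    (SNMP_TRAP_OID, TRAP + ".2"),
    (TRAP_INFO + ".1", "192.0.2.10"),
    (TRAP_INFO + ".2", "Mon Apr 28 10:14:49 GMT 2008"),
    (TRAP_INFO + ".4", "1042"),
    (TRAP_INFO + ".9", "7"),
    (TRAP_INFO + ".12", "203.0.113.5"),
    (TRAP_INFO + ".15", "203.0.113.5, 203.0.113.9"),
    (TRAP_INFO + ".30.1", "Scan of DMZ hosts (constructed annotation)"),
    ("1.3.6.1.6.3.18.1.3.0", "192.0.2.10"),   # snmpTrapAddress.0, not in this MIB
]
```

`decode_trap(SAMPLE_VARBINDS)` names the notification, returns strmSeverity as the integer 7 and strmTop5AttackerIPs as a two-element list, and lists the snmpTrapAddress varbind under "unknown".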


B ENTERPRISE TEMPLATE DEFAULTS

The Enterprise template includes settings with emphasis on internal network
activities. This appendix provides the defaults for the Enterprise template
including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks

Default Sentries The default sentries for the Enterprise template include:
Table B-1 Default Sentries

Sentry Description
Behavior - Flow Count Monitors the number of flows on your network and
Behavior Change alerts when a change is detected. By default, this
activity must occur 10 times before an alert generates.
Behavior - Host Count Learns the number of local and remote active hosts in
Behavior Change the network over a weekly period. If the number of
hosts increases dramatically outside the projected
behavior for at least 5 intervals, an event generates.
Behavior - Threat Traffic Detects a behavioral change, within the last 5
Packet Rate Behavior minutes, in the packet rate of traffic considered to be
Change threatening, compared to what has been learned over
the past weeks. This may indicate an attack is in
progress. By default, the minimum number of times, in
flows, this activity must occur before an event
generates is 5.
DoS - External - Distributed Detects a large number of hosts (100,000) sending
DoS Attack (High Number of identical, non-responsive packets to a single target. In
Hosts) this case, the target is treated as the attacker in the
Offense Manager.
DoS - External - Distributed Detects a low number of hosts (500) sending identical,
DoS Attack (Low Number of non-responsive packets to a single target. In this
Hosts) case, the target is treated as the attacker in the
Offense Manager.

STRM Administration Guide


242 ENTERPRISE TEMPLATE DEFAULTS

Table B-1 Default Sentries (continued)

Sentry Description
DoS - External - Distributed DoS Attack (Medium Number of Hosts)
    Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Flood Attack (High)
    Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.
DoS - External - Flood Attack (Medium)
    Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - External - Flood Attack (Low)
    Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - External - Potential ICMP DoS
    Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - External - Potential TCP DoS
    Detects flows that appear to be a TCP DoS attack attempt.
DoS - External - Potential UDP DoS
    Detects flows that appear to be a UDP DoS attack attempt.
DoS - External - Potential Unresponsive Service or Distributed DoS
    Detects a low number of hosts sending identical, non-responsive packets to a single target.
DoS - Internal - Distributed DoS Attack (High Number of Hosts)
    Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Low Number of Hosts)
    Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Medium Number of Hosts)
    Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Flood Attack (Medium)
    Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - Internal - Flood Attack (High)
    Detects flood attacks above 100,000 packets per second. This activity typically indicates a serious attack.
DoS - Internal - Flood Attack (Low)
    Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - Internal - Potential ICMP DoS
    Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - Internal - Potential TCP DoS
    Detects flows that appear to be a TCP DoS attack attempt.
DoS - Internal - Potential UDP DoS
    Detects flows that appear to be a UDP DoS attack attempt.
DoS - Internal - Potential Unresponsive Service or Distributed DoS
    Detects a low number of hosts sending identical, non-responsive packets to a single target.
Policy - External - Large Outbound File Transfer
    Detects a possible information leak.
Local Host Count Change
    Detects scanning activity or a worm infection.
Malware - External - Client Based DNS Activity to the Internet
    Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a bot net connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.
Malware - External Communication with BOT Control Channel
    Detects communication with an IP address that was a control channel for a BOTNET. The local machine may be infected with a bot and should be investigated.
Policy - External - Clear Text Application Usage
    Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - External - Hidden FTP Server
    Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - Internal - Clear Text Application Usage
    Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - Internal - Hidden FTP Server
    Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - External - IM/Chat
    Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - External - IRC Connections
    Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - Local P2P Server Detected
    Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Policy - External - Long Duration Flow Detected
    Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3,600 seconds, which means that an event generates 3,600 seconds after the first instance of the event.
Policy - External - P2P Communications Detected
    Detects Peer-to-Peer (P2P) communications.
Policy - External - Possible Tunneling
    Detects possible tunneling, which can indicate a bypass of policy, or an infected system.
Policy - External - Remote Desktop Access from the Internet
    Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.
Policy - External - SMTP Mail Sender
    Detects an internal host sending a large number of SMTP flows from the same source to the Internet, in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Policy - External - SSH or Telnet Detected on Non-Standard Ports
    Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - Internal - SSH or Telnet Detected on Non-Standard Ports
    Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - External - Usenet Usage
    Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.
Policy - External - VNC Access From the Internet to a Local Host
    Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.
Recon - External - ICMP Scan (High)
    Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.
Recon - External - ICMP Scan (Low)
    Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - ICMP Scan (Medium)
    Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.
Recon - External - Potential Network Scan
    Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.
Recon - External - Scanning Activity (High)
    Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - External - Scanning Activity (Low)
    Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - Scanning Activity (Medium)
    Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Recon - Internal - ICMP Scan (High)
    Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.
Recon - Internal - ICMP Scan (Low)
    Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - ICMP Scan (Medium)
    Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.
Recon - Internal - Potential Network Scan
    Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.
Recon - Internal - Scanning Activity (High)
    Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - Internal - Scanning Activity (Low)
    Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - Scanning Activity (Medium)
    Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Suspicious - Internal - Outbound Unidirectional Flows Threshold
    Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.
Suspicious - External - Outbound Unidirectional Flows Threshold
    Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes. By default, this activity must occur 5 times before an alert generates.
Suspicious - External - Inbound Unidirectional Flows Threshold
    Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.
Suspicious - External - Anomalous ICMP Flows
    Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Invalid TCP Flag usage
    Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - External - Port 0 Flows Detected
    Detects flows whose destination or source ports are 0. This may be considered suspicious.
Suspicious - External - Rejected Communication Attempts
    Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Unidirectional ICMP Detected
    Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Unidirectional ICMP Responses Detected
    Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Unidirectional TCP Flows
    Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.
Suspicious - External - Unidirectional UDP or Misc Flows
    Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Suspicious - External - Suspicious IRC Traffic
    Detects suspicious IRC traffic.
Suspicious - Internal - Anomalous ICMP Flows
    Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Invalid TCP Flag usage
    Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - Internal - Port 0 Flows Detected
    Detects flows whose destination or source ports are 0. This may be considered suspicious.
Suspicious - Internal - Rejected Communication Attempts
    Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Unidirectional ICMP Detected
    Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Unidirectional ICMP Responses Detected
    Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Unidirectional TCP Flows
    Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and therefore should be considered suspicious.
Suspicious - Internal - Unidirectional UDP or Misc Flows
    Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Default Custom Views

This section provides the default custom views for the Enterprise template, including:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group

IP Tracking Group

Pre-configured groups that specify traffic flows from your local and remote IP addresses, including:

Table B-2 Custom Views - IP Tracking View

IP Tracking Group    Group Objects
Locals
    Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.
Remotes
    Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.

Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps, including:

Table B-3 Custom Views - Threats View

Group    Objects
Exceptions
    This group includes:
    Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.
DoS
    The Denial of Service (DoS) group includes:
    • Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
    • Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
    • Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
    • Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
    • Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
    • Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
    • Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
    • Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
    • Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
    • Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.
Scanning
    This scanning group includes:
    • ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
    • ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
    • ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
    • Scan_High - Defines a scan of more than 100,000 hosts per minute.
    • Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
    • Scan_Low - Defines a scan of more than 500 hosts per minute.
    • Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.
PortScans
    This PortScans group includes:
    • Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
    • UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.
Suspicious_IP_Protocol_Usage
    This group includes:
    • Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
    • Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
    • TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.
    • Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate application failures to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
    • Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.
    • Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.
    • Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (or other flows not including TCP or ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.
    • Zero_Payload_Bidirectional_Flows - Detects flows that contain small amounts of payload (if any). This may be the result of scans where the target responds with reset packets.
    • Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
    • Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.
    • Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.
Remote_Access_Violation
    This group includes:
    • Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.
    • Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports of this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.
    • Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
    • VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
Suspicious_IRC
    Detects suspicious IRC activity.
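Several objects of the Suspicious_IP_Protocol_Usage group above are simple per-flow predicates (illegal TCP flag combinations, port 0, DNS or ICMP packets over 1K, unidirectional TCP), and the matching Table B-1 sentries only raise an event once a source has produced the predicate a minimum number of times (10 for invalid TCP flags, 15 for unidirectional TCP flows). The following is an added example, not STRM code, that puts the two halves together over constructed flow records: classify a flow, count matches per source and object, and report only those past their threshold. It assumes a flow record with src, dst, proto, sport, dport, flags, packets_in, bytes_in and packets_back fields, and it treats the flags field as the flag byte of a single packet (the flow's first), because the cumulative flag union that flow exporters often record would make SYN together with FIN look illegal for every completed session.

```python
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Occurrences per source before an event generates. 10 and 15 are the Table B-1
# defaults for invalid TCP flags and unidirectional TCP flows; objects not
# listed fire on the first match (my assumption).
THRESHOLDS = {"Illegal_TCP_Flag_Combination": 10, "Unidirectional_TCP_Flows": 15}


def tcp_flag_violation(flags):
    """Reason string if the flag byte cannot occur in a valid TCP exchange, else None.
    `flags` is the flag byte of one packet (the flow's first), not the union
    over the flow: a normal session's union legitimately contains SYN and FIN."""
    if flags == 0:
        return "no flags (NULL)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & RST and flags & FIN:
        return "RST+FIN"
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return "FIN/PSH/URG without ACK"
    return None


def classify(flow):
    """Suspicious_IP_Protocol_Usage objects a single flow record matches."""
    hits = []
    if flow["sport"] == 0 or flow["dport"] == 0:
        hits.append("TCP_UDP_Port_0")
    if flow["proto"] == "tcp":
        if tcp_flag_violation(flow["flags"]):
            hits.append("Illegal_TCP_Flag_Combination")
        if flow["packets_back"] == 0:
            hits.append("Unidirectional_TCP_Flows")
    avg = flow["bytes_in"] / flow["packets_in"] if flow["packets_in"] else 0
    if flow["proto"] == "udp" and 53 in (flow["sport"], flow["dport"]) and avg > 1024:
        hits.append("Large_DNS_Packets")     # "larger than 1K" read as >1024 bytes/packet
    if flow["proto"] == "icmp" and avg > 1024:
        hits.append("Large_ICMP_Packets")
    return hits


def detect(flows, thresholds=THRESHOLDS):
    """Count matches per (source, object); return those at or past their threshold."""
    counts = Counter()
    for f in flows:
        for obj in classify(f):
            counts[(f["src"], obj)] += 1
    return {key: n for key, n in counts.items() if n >= thresholds.get(key[1], 1)}


def sample_flows():
    """Constructed records (not captured traffic)."""
    def flow(src, dst, proto, sport, dport, flags=0, packets_in=1, bytes_in=60, packets_back=0):
        return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=flags,
                    packets_in=packets_in, bytes_in=bytes_in, packets_back=packets_back)
    flows = []
    # 12 SYN+FIN probes from one remote host: past the 10-flow threshold
    flows += [flow("198.51.100.50", f"10.0.0.{i}", "tcp", 40000 + i, 80, flags=SYN | FIN)
              for i in range(1, 13)]
    # 4 NULL-flag probes from a local host: counted, but no event yet
    flows += [flow("10.0.0.30", f"10.0.1.{i}", "tcp", 50000 + i, 22, flags=0)
              for i in range(1, 5)]
    # one flow with source port 0 is enough
    flows.append(flow("198.51.100.60", "10.0.0.7", "udp", 0, 53))
    # 20 unanswered SYNs from a local client: past the 15-flow threshold
    flows += [flow("10.0.0.40", f"192.0.2.{i}", "tcp", 51000 + i, 443, flags=SYN)
              for i in range(1, 21)]
    # a completed session: plain SYN on the first packet, replies seen
    flows.append(flow("10.0.0.41", "192.0.2.99", "tcp", 52000, 443, flags=SYN,
                      packets_in=30, bytes_in=4000, packets_back=28))
    # oversized UDP DNS: 3,000 bytes in 2 packets = 1,500 bytes per packet
    flows.append(flow("10.0.0.50", "192.0.2.53", "udp", 53001, 53,
                      packets_in=2, bytes_in=3000, packets_back=2))
    return flows


if __name__ == "__main__":
    for (src, obj), n in sorted(detect(sample_flows()).items()):
        print(f"{src:15} {obj:30} {n}")
```

Note that the SYN+FIN source also accumulates 12 unidirectional TCP flows, which stays below the 15-flow default, so only the flag violation is reported for it; the thresholds are what keep a handful of failed connections from a workstation out of the event stream.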

Attacker Target Analysis Group

Pre-configured groups that specify traffic flows from attackers, responses, and events, including:

Table B-4 Custom Views - AttackerTargetAnalysis

Group    Objects
AttackResponseAnalysis
    This group includes:
    • Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.
    • Target_Responded - The network flow analysis indicates a target responded to the event from the attacker, and therefore increases the likelihood the attacker was successful.
PeripheralCommsAnalysis
    This group includes:
    • Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that generated this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host. Many typical attacks fire an exploit at the target with little or no prior host investigation.
    • Activity_After_Event - The network flow analysis indicates a target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker/target were also seen communicating before the event, and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate a successful attack has occurred.
    • Target_Initiating_Comms_To_Attacker - The network flow analysis indicates a target was seen initiating connections back to the attacker before or after the event. This may indicate that the attacker has successfully forced the target to communicate with the attacker, bypassing firewall rules.
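The Table B-4 objects are all statements about the flows between one attacker/target pair in the minutes around a security event: whether the flow that carried the event got a reply, whether the pair talked before or after it, and whether the target ever opened a connection back. The Python below is an added example, not STRM code, that derives those objects for an event from a list of flow records and then orders events for triage along the lines the descriptions suggest. The 300-second window, the choice of the latest attacker-to-target flow starting at or before the event as the carrier, and the priority ordering are my assumptions; the flows and events are constructed.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    start: int          # epoch seconds when the flow began
    src: str
    dst: str
    packets_out: int    # packets sent by src
    packets_back: int   # packets sent by dst


@dataclass
class Event:
    time: int           # epoch seconds when the sensor raised it
    attacker: str
    target: str


def analyze(event, flows, window=300):
    """Return the set of Table B-4 objects that apply to one event.

    window is the number of seconds before and after the event that count as
    peripheral communication (an assumption; STRM's own window is not stated here)."""
    lo, hi = event.time - window, event.time + window
    pair = {event.attacker, event.target}
    related = [f for f in flows if {f.src, f.dst} == pair and lo <= f.start <= hi]
    objects = set()
    # The carrier flow: the latest attacker->target flow that started at or before the event.
    carriers = [f for f in related if f.src == event.attacker and f.start <= event.time]
    carrier = max(carriers, key=lambda f: f.start) if carriers else None
    if carrier is not None:
        objects.add("Target_Responded" if carrier.packets_back > 0 else "Target_Did_Not_Respond")
    for f in related:
        if f is carrier:
            continue
        if f.start < event.time:
            objects.add("Activity_Before_Event")
        elif f.start > event.time:
            objects.add("Activity_After_Event")
        if f.src == event.target:          # the target opened a connection to the attacker
            objects.add("Target_Initiating_Comms_To_Attacker")
    return objects


def priority(objects):
    """Rough triage order read off the Table B-4 descriptions (my interpretation)."""
    if "Target_Initiating_Comms_To_Attacker" in objects:
        return "high"       # call-back traffic: the attacker may already control the host
    if "Target_Responded" in objects and "Activity_After_Event" in objects:
        return "medium"     # answered and kept talking: success, or a noisy sensor
    return "low"


# Constructed sample data, not captured traffic.
FLOWS = [
    Flow(700, "198.51.100.77", "10.0.0.15", 5, 5),      # pair talking before the event
    Flow(999, "198.51.100.77", "10.0.0.15", 20, 12),    # carrier: target answered
    Flow(1040, "10.0.0.15", "198.51.100.77", 9, 9),     # target calls the attacker back
    Flow(1100, "198.51.100.77", "10.0.0.15", 3, 3),     # more traffic after the event
    Flow(500, "198.51.100.77", "10.0.0.99", 2, 0),      # unrelated target
    Flow(1998, "198.51.100.88", "10.0.0.16", 4, 0),     # carrier for event 2, unanswered
]
EVENTS = [
    Event(1000, "198.51.100.77", "10.0.0.15"),
    Event(2000, "198.51.100.88", "10.0.0.16"),
]


if __name__ == "__main__":
    for ev in EVENTS:
        found = analyze(ev, FLOWS)
        print(ev.attacker, "->", ev.target, priority(found), sorted(found))
```

The second event shows the quiet case: one unanswered flow at or before the event and nothing else in the window yields only Target_Did_Not_Respond, which is the outcome the Target_Did_Not_Respond description treats as a likely failed attempt.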

Target Analysis Group

Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays, including:

Table B-5 Custom Views - TargetAnalysis

Group    Objects
BotNetAnalysis
    BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC Bot on the target requesting the target to connect to an IRC Channel, which is controlled by the attacker, to wait for further instructions. Large numbers of such exploited machines form a BotNet and can be used by the attacker to coordinate large scale Distributed Denial of Service (DDoS) attacks.
MalwareAnalysis
    Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is seen in the presence of security events aimed at this host, and therefore it is possible that the attacker has infected the target with a worm, or other hostile malware, and it is attempting to spread from this host.
PeripheralCommsAnalysis
    This group includes:
    • Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently, stopped the service running on this host.
    • Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given this activity is occurring in the presence of security events targeting this host, it is possible the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
    • Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given this activity is occurring in the presence of a security event targeting this host, it is possible the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.

Policy Violations Group

Pre-configured groups that specify traffic flows from your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies, including:

Table B-6 Custom Views - PolicyViolations

Group    Objects
Mail_Policy_Violation
    This group includes:
    • Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to not include network mail servers.
    • Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Additionally, such servers may be the result of an infected host, which is inadvertently running a SPAM relay. We recommend updating this equation to not include network mail servers.
IRC_IM_Policy_Violation
    This group includes:
    • IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on a common IRC port or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
    • IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.
Remote_Access_Policy_Violation
    Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. The detected access technologies include Citrix, PCAnywhere, SSH, Telnet, and VNC.
P2P_Policy_Violation
    This group includes:
    • Local_P2P__Server - Detects flows indicating a P2P server is operating on the local network. This can be in violation of local network policy.
    • Local_P2P_Client - Detects flows indicating a P2P client is operating on the local network. This can be in violation of local network policy.
Application_Policy_Violation
    This group includes:
    • NNTP_to_Internet - Detects flows indicating an NNTP news client is operating on the local network. This may be in violation of local network policy.
    • Unknown_Local_Service - Detects an active service on a local host.
Compliance_Policy_Violations
    This group includes:
    • Clear_Text_Application_Usage - Detects flows where the application types use clear text passwords. Applications matched by this view include Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.
    • Large_Outbound_Transfer - Detects large outbound file transfers.

ASN Source Group
STRM detects ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects ASN 238 in the source traffic of a flow, the object ASN238 is created in the ASNSource group.


ASN Destination Group
STRM detects ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects ASN 238 in the destination traffic of a flow, the object ASN238 is created in the ASNDestination group.

IFIndexIn Group
STRM detects IFIndex values from network flows. When STRM detects an inbound IFIndex value in a flow, STRM creates a new object in the IFIndexIn group.

IFIndexOut Group
STRM detects IFIndex values from network flows. When STRM detects an outbound IFIndex value in a flow, STRM creates a new object in the IFIndexOut group.

QoS Group
Default QoS groups include:

Table B-7 Custom Views - QoS View

QoS Group | Group Objects
NetworkControl Object | Specifies QoS values related to link layer and routing protocols.
IPRoutingControl | Specifies QoS values used by IP routing protocols.
Expedited | Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Class 4 | Specifies values related to Class 4 traffic.
Class 3 | Specifies values related to Class 3 traffic.
Class 2 | Specifies values related to Class 2 traffic.
Class 1 | Specifies values related to Class 1 traffic.
Best Effort | Specifies traffic related to best effort QoS traffic. Best effort service does not guarantee delivery.

Flow Shape Group
Default FlowShape groups include:

Table B-8 Custom Views - Flow Shape View

Flow Shape Group | Group Objects
Inbound_Only | Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.
Outbound_Only | Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet, where the remote host does not respond.
Mostly_Inbound | Specifies traffic flows that send 5 times more bytes into the network than are received from it.
Mostly_Outbound | Specifies traffic flows that send 5 times more bytes out of the network than are received into it.
NearSame_Internet | Specifies traffic to and from hosts on the Internet that have around the same number of bytes sent and received.

Local_Unidirectional | Specifies a one-sided flow with a source and destination within the local network.
Local_SRC_Bias | Specifies internal traffic that has 5 times more bytes transferred by the source than by the destination.
Local_DST_Bias | Specifies internal traffic that has 5 times more bytes transferred by the destination than by the source.
NearSame_Internal | Specifies internal traffic that has a balance of source and destination bytes.
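
The Flow Shape groups in Table B-8 are a byte-ratio classification of each flow. The following Python is an added example and not STRM's own code: it classifies constructed flow records into those group objects, assuming the local network ranges and flow record fields it defines and reading "5 times more bytes" as a ratio of at least 5, since the table does not state the exact comparison.

```python
"""Flow-shape classification as described for the Flow Shape custom view.

Added example, not STRM code. Assumptions: the local network ranges below,
the flow record fields, and that "5 times more bytes" means a ratio of at
least 5 (the exact comparison STRM uses is not stated in the table).
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed local network definition (in STRM this comes from the network hierarchy).
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BIAS_RATIO = 5  # Table B-8: "5 times more bytes" in one direction


@dataclass(frozen=True)
class Flow:
    src: str        # IP of the host that initiated the flow
    dst: str        # IP of the responding host
    src_bytes: int  # bytes sent by the source
    dst_bytes: int  # bytes sent back by the destination (0 = no response)


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def flow_shape(f: Flow) -> str:
    """Return the Table B-8 group object the flow falls into."""
    src_local, dst_local = is_local(f.src), is_local(f.dst)
    if src_local and dst_local:
        # Internal traffic: compare bytes moved by source and destination.
        if f.src_bytes == 0 or f.dst_bytes == 0:
            return "Local_Unidirectional"
        if f.src_bytes >= BIAS_RATIO * f.dst_bytes:
            return "Local_SRC_Bias"
        if f.dst_bytes >= BIAS_RATIO * f.src_bytes:
            return "Local_DST_Bias"
        return "NearSame_Internal"
    if src_local:
        # Local host talking to the Internet; the remote host may not answer.
        if f.dst_bytes == 0:
            return "Outbound_Only"
        into_net, out_of_net = f.dst_bytes, f.src_bytes
    elif dst_local:
        # Internet host talking to a local host; the local host may not answer.
        if f.dst_bytes == 0:
            return "Inbound_Only"
        into_net, out_of_net = f.src_bytes, f.dst_bytes
    else:
        return "Unclassified"  # remote-to-remote: not a Flow Shape group (assumption)
    if into_net >= BIAS_RATIO * out_of_net:
        return "Mostly_Inbound"
    if out_of_net >= BIAS_RATIO * into_net:
        return "Mostly_Outbound"
    return "NearSame_Internet"


def shape_counts(flows) -> Counter:
    """Aggregate a batch of flows by group object, the way a custom view would."""
    return Counter(flow_shape(f) for f in flows)
```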
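
Many of the default rules in Table B-9 that follows are sliding-window threshold correlations, for example Login Failures Across Multiple Hosts, Repeated Login Failures, Single Host, Excessive Firewall Denies from Single Source and Login Failures Followed By Success. The following Python is an added example, not STRM's own rule engine: it replays constructed events through those four thresholds, assuming the event layout and category names it defines and, for the Followed By Success rule, which the table does not quantify, three failures within 10 minutes.

```python
"""Sliding-window threshold rules of the kind listed in Table B-9.

Added example, not STRM code. Thresholds come from the table entries named
below; the event record layout, the category names, and the window and
count used for "Login Failures Followed By Success" are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # seconds (constructed values in sample_events)
    src: str       # source IP address
    dst: str       # destination IP address
    category: str  # assumed normalized category, e.g. "AuthFailure"


@dataclass(frozen=True)
class CountRule:
    """Fires when more than `count` events of `category` from one source fall
    within `window` seconds. `distinct_dst` is the number of distinct
    destinations that must be exceeded (0 = no requirement); `same_dst`
    counts only events to a single destination."""
    name: str
    category: str
    window: int
    count: int
    distinct_dst: int = 0
    same_dst: bool = False


@dataclass(frozen=True)
class SequenceRule:
    """Fires when a `trigger` event arrives after at least `count` `precursor`
    events from the same source to the same destination within `window`."""
    name: str
    precursor: str
    trigger: str
    window: int
    count: int


DEFAULT_RULES = [
    # "more than three times, across more than three destination IP addresses, within 10 minutes"
    CountRule("Login Failures Across Multiple Hosts", "AuthFailure", 600, 3, distinct_dst=3),
    # "at least seven times to a single destination within 5 minutes"
    CountRule("Repeated Login Failures, Single Host", "AuthFailure", 300, 6, same_dst=True),
    # "more than 400 firewall deny attempts from a single source to a single destination within 5 minutes"
    CountRule("Excessive Firewall Denies from Single Source", "FirewallDeny", 300, 400, same_dst=True),
    # "multiple login failures to a single host, followed by a successful login" (3 in 10 min assumed)
    SequenceRule("Login Failures Followed By Success", "AuthFailure", "AuthSuccess", 600, 3),
]

Firing = Tuple[str, str, str, int]  # (rule name, src, dst, timestamp)


def evaluate(events: List[Event], rules=DEFAULT_RULES) -> List[Firing]:
    """Replay events in time order and return the rule firings."""
    history = defaultdict(deque)  # (rule name, key...) -> deque of (ts, dst)
    firings: List[Firing] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            if isinstance(rule, CountRule):
                if ev.category != rule.category:
                    continue
                key = (rule.name, ev.src, ev.dst if rule.same_dst else None)
                win = history[key]
                win.append((ev.ts, ev.dst))
                while win and ev.ts - win[0][0] > rule.window:
                    win.popleft()  # drop events that fell out of the window
                distinct = len({d for _, d in win})
                if len(win) > rule.count and distinct > rule.distinct_dst:
                    firings.append((rule.name, ev.src, ev.dst, ev.ts))
                    win.clear()  # assumption: one firing per burst, then start over
            else:
                key = (rule.name, ev.src, ev.dst)
                win = history[key]
                if ev.category == rule.precursor:
                    win.append((ev.ts, ev.dst))
                elif ev.category == rule.trigger:
                    while win and ev.ts - win[0][0] > rule.window:
                        win.popleft()
                    if len(win) >= rule.count:
                        firings.append((rule.name, ev.src, ev.dst, ev.ts))
                    win.clear()  # a success ends the failure run either way
    return firings


def sample_events() -> List[Event]:
    """Constructed events: one multi-host failure burst, one failure run ending
    in success, one firewall-deny flood, and one pair too far apart to count."""
    evs = [Event(30 * i, "203.0.113.7", f"10.0.0.{i + 1}", "AuthFailure") for i in range(4)]
    evs += [Event(100 + 10 * i, "10.0.0.50", "10.0.0.9", "AuthFailure") for i in range(3)]
    evs.append(Event(130, "10.0.0.50", "10.0.0.9", "AuthSuccess"))
    evs += [Event(1000 + i // 2, "203.0.113.8", "10.0.0.80", "FirewallDeny") for i in range(401)]
    evs += [Event(2000, "10.0.0.60", "10.0.0.9", "AuthFailure"), Event(2700, "10.0.0.60", "10.0.0.9", "AuthFailure")]
    return evs
```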

Default Rules
Default rules for the Enterprise template include:

Table B-9 Default Rules

Rule | Rule Group | Type | Enabled | Description
Default-Response-E-mail: Offense E-mail Sender | Response | Offense | False | Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.
Default-Response-Syslog: Offense SYSLOG Sender | Response | Offense | False | Reports any offense matching the severity, credibility, or relevance minimum to syslog.
Default-Rule-Anomaly: Devices with High Event Rates | Anomaly | Event | False | Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices are monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.
Default-Rule-Anomaly: DMZ Jumping | Anomaly | Event | False | Reports when connections are bridged across your network's Demilitarized Zone (DMZ).
Default-Rule-Anomaly: DMZ Reverse Tunnel | Anomaly | Event | False | Reports when connections are bridged across your network's DMZ through a reverse tunnel.
Default-Rule-Anomaly: Excessive Database Connections | Anomaly | Event | True | Reports an excessive number of successful database connections.
Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts | Anomaly | Event | False | Reports excessive firewall accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.

Default-Rule-Anomaly: Excessive Firewall Denies from Single Source | Anomaly | Event | True | Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.
Default-Rule-Anomaly: Long Duration Flow | Anomaly | Event | True | Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
Default-Rule-Anomaly: Potential Honeypot Access | Anomaly | Event | False | Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.
Default-Rule-Anomaly: Rate Analysis Marked Events | Anomaly | Event | False | Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.
Default-Rule-Anomaly: Remote Access from Foreign Country | Anomaly | Event | False | Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.
Default-Rule-Anomaly: Single IP with Multiple MAC Addresses | Anomaly | Event | False | Reports when the MAC address of a single IP address changes multiple times over a period of time.
Default-Rule-Authentication: Login Failure to Disabled Account | Authentication | Event | True | Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.
Default-Rule-Authentication: Login Failure to Expired Account | Authentication | Event | True | Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.
Default-Rule-Authentication: Login Failures Across Multiple Hosts | Authentication | Event | True | Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.

Default-Rule-Authentication: Login Failures Followed By Success | Authentication | Event | True | Reports multiple login failures to a single host, followed by a successful login to the host.
Default-Rule-Authentication: Login Successful After Scan Attempt | Authentication, Compliance | Event | True | Reports a successful login to a host after reconnaissance has been performed against this network.
Default-Rule-Authentication: Multiple VoIP Login Failures | Authentication | Event | True | Reports multiple login failures to a VoIP PBX.
Default-Rule-Authentication: Repeated Login Failures, Single Host | Authentication | Event | True | Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.
Default-Rule-Botnet: Potential Botnet Connection (DNS) | Botnet, Exploit | Event | False | Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.
Default-Rule-Botnet: Potential Botnet Connection (IRC) | Botnet | Event | True | Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code.
Default-Rule-Botnet: Potential Botnet Events Become Offenses | Botnet | Event | True | Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Category Definitions: Access Denied | Category Definition | Event | True | Reports events in the different Access Denied categories.
Default-Rule-Category Definitions: Session Closed | Category Definition, Malware | Event | True | Reports all Session Closed events by category.
Default-Rule-Category Definitions: Session Opened | Category Definition, Malware | Event | True | Reports all Session Opened events by category.

Default-Rule-Category Definitions: Virus Detected | Category Definition, Malware | Event | True | Reports all virus detection events.
Default-Rule-Category Definitions: VPN Access Denied | Category Definition | Event | True | Reports VPN events that are considered Denied Access events.
Default-Rule-Category Definitions: Database Access Denied | Category Definition | Event | True | Reports database events that indicate denied access activities.
Default-Rule-Category Definitions: Database Access Permitted | Category Definition | Event | True | Reports database events that indicate permitted access.
Default-Rule-Category Definitions: System Errors and Failures | Category Definition | Event | True | Detects events that may indicate a system error or failure.
Default-Rule-Category Definitions: VPN Access Accepted | Category Definition | Event | True | Reports VPN events that indicate permitted access.
Default-Rule-Compliance: Compliance Events Become Offenses | Compliance | Event | False | Reports compliance-based events, such as clear text passwords.
Default-Rule-Compliance: Excessive Failed Logins to Compliance IS | Compliance | Event | False | Reports excessive authentication failures to a compliance server within 10 minutes.
Default-Rule-Database: Attempted Configuration Modification by a remote host | Compliance, Database | Event | True | Reports when a configuration modification is attempted on a database server from a remote network.
Default-Rule-Database: Concurrent Logins from Multiple Locations | Compliance, Database | Event | True | Reports when several authentications to a database server occur across many remote IP addresses.
Default-Rule-Database: Failures Followed by User Changes | Compliance, Database | Event | True | Reports when there are failures followed by the addition or change of a user account.
Default-Rule-Database: Groups changed from Remote Host | Compliance, Database | Event | True | Monitors changes to groups on a database when the change is initiated from a remote network.
Default-Rule-Database: Multiple Database Failures Followed by Success | Compliance, Database | Event | True | Reports when there are multiple database failures followed by a success within a short period of time.
Default-Rule-Database: Remote Login Failure | Compliance, Database | Event | True | Increases the severity of a failed login attempt to a database from a remote network.

Default-Rule-Database: Remote Login Success | Compliance, Database | Event | True | Reports when a successful authentication to a database server occurs from a remote network.
Default-Rule-Database: User Rights Changed from Remote Host | Compliance, Database | Event | True | Reports when changes to user privileges occur on a database from a remote network.
Default-Rule-DDoS Attack Detected | D/DoS | Event | True | Reports network Distributed Denial of Service (DDoS) attacks on a system.
Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses | D/DoS | Event | True | Reports when offenses are created for DoS-based events with high magnitude.
Default-Rule-Device Definition: Access/Authentication/Audit | Device Definition | Event | True | Reports all access, authentication, and audit devices.
Default-Rule-Device Definition: AntiVirus | Device Definition | Event | True | Reports all antivirus services on the system.
Default-Rule-Device Definition: Application | Device Definition | Event | True | Reports all application and OS devices on the network.
Default-Rule-Device Definition: FW/Router/Switch | Device Definition | Event | True | Reports all firewall (FW), router, and switch devices on the network.
Default-Rule-Device Definition: IDS/IPS | Device Definition | Event | True | Reports all IDS and IPS devices on the network.
Default-Rule-Device Definition: VPN | Device Definition | Event | True | Reports all VPNs on the network.
Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks | D/DoS | Event | True | If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.
Default-Rule-DoS: DoS Events from Darknet | D/DoS | Event | False | Reports when DoS attack events are identified on Darknet network ranges.
Default-Rule-DoS: DoS Events with High Magnitude Become Offenses | D/DoS | Event | True | Forces the creation of an offense for DoS-based events with a high magnitude.
Default-Rule-DoS: Increase Magnitude of High Rate Attacks | D/DoS | Event | True | If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.
Default-Rule-DoS: Network DoS Attack Detected | D/DoS | Event | True | Reports network Denial of Service (DoS) attacks on a system.
Default-Rule-DoS: Service DoS Attack Detected | D/DoS | Event | True | Reports a DoS attack against a local target that is known to exist and whose target port is open.

Default-Rule-Exploit: All Exploits Become Offenses | Exploit | Event | False | Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Exploit: Attack followed by Attack Response | Exploit | Event | False | Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.
Default-Rule-Exploit: Attacker Vulnerable to any Exploit | Exploit | Event | False | Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.
Default-Rule-Exploit: Attacker Vulnerable to this Exploit | Exploit | Event | False | Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.
Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity | Exploit | Event | False | Reports an exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.
Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets | Exploit | Event | True | Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.
Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses | Exploit | Event | True | Forces the creation of offenses for exploit-based events with a high magnitude.
Default-Rule-Exploit: Exploits Followed by Firewall Accepts | Exploit | Event | False | Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.
Default-Rule-Exploit: Multiple Exploit Types Against Single Target | Exploit | Event | True | Reports a target being attacked using multiple types of attacks from one or more attackers.
Default-Rule-Exploit: Multiple Vector Attacker | Exploit | Event | False | Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.
Default-Rule-Exploit: Potential VoIP Toll Fraud | Exploit | Event | False | Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This activity could indicate that illegal users are executing VoIP sessions on your network.
Default-Rule-Exploit: Recon followed by Exploit | Exploit | Event | True | Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit | Exploit | Event | True | Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port | Exploit | Event | True | Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack on a different port.
Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port | Exploit | Event | False | Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to some attack, but not the one being attempted.
Default-Rule-False Positive: False Positive Rules and Building Blocks | False Positive | Event | True | Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but also dropped. If you add any new building blocks or rules to prevent events from becoming offenses, you must add these new rules or building blocks to this rule.
Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses | Malware | Event | False | Enable this rule if you want all events categorized as backdoor, viruses, and trojans to create an offense.
Default-Rule-Malware: Treat Key Loggers as Offenses | Malware | Event | False | Enable this rule if you want all events categorized as key loggers to create offenses.
Default-Rule-Malware: Treat Non-Spyware Malware as Offenses | Malware | Event | False | Reports non-spyware malware attacks on events. Enable this rule if you want all events categorized as malware to create an offense.
Default-Rule-Malware: Treat Spyware and Virus as Offenses | Malware | Event | False | Reports spyware and/or a virus on events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.
Default-Rule-Malware: Local Host Sending Malware | Malware, Policy | Event | False | Reports malware being sent from local hosts.
Default-Rule-Network Definition: Local to Local | Network Definition | Event | True | Reports events that are considered Local-to-Local (L2L).
Default-Rule-Network Definition: Local to Remote | Network Definition | Event | True | Reports events that are considered Local-to-Remote (L2R).

Default-Rule-Network Definition: Remote to Local | Network Definition | Event | True | Reports events that are considered Remote-to-Local (R2L).
Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic | Policy | Event | False | Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.
Default-Rule-Policy: Create Offenses for All P2P Usage | Policy | Event | False | Reports P2P traffic or any event categorized as P2P.
Default-Rule-Policy: Create Offenses for All Policy Events | Policy | Event | False | Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.
Default-Rule-Policy: Create Offenses for All Porn Usage | Policy | Event | False | Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.
Default-Rule-Policy: Host has SANS Top 20 Vulnerability | Policy | Event | False | Acts as a warning that the asset identified in an event is vulnerable to a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/).
Default-Rule-Policy: Local P2P Server Detected | Policy | Event | True | Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.
Default-Rule-Policy: New Host Discovered | Policy | Event | False | Reports when a new host has been discovered on the network.
Default-Rule-Policy: New Service Discovered | Policy | Event | False | Reports when an existing host has a newly discovered service.
Default-Rule-Policy: Potential Tunneling | Policy | Event | False | Identifies potential tunneling that can be used to bypass policy or security controls.
Default-Rule-Policy: Upload to Local WebServer | Policy | Event | False | Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block.
Default-Rule-Recon: Aggressive Local Scanner Detected | Recon | Event | True | Reports an aggressive scan from a local source IP address, scanning other local or remote IP addresses. More than 400 targets received reconnaissance or suspicious events in less than 2 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system.

Default-Rule-Recon: Aggressive Remote Scanner Detected | Recon | Event | True | Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. More than 50 targets received reconnaissance or suspicious events in less than 3 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system.
Default-Rule-Recon: Excessive Firewall Denies From Local Hosts | Recon | Event | True | Reports excessive attempts from local hosts to access the firewall where access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Excessive Firewall Denies From Remote Hosts | Recon | Event | True | Reports excessive attempts from remote hosts to access the firewall where access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Host Port Scan Detected by Local Host | Recon | Event | True | Reports a single source IP address scanning more than 50 ports in under 3 minutes.
Default-Rule-Recon: Host Port Scan Detected by Remote Host | Recon | Event | True | Reports when more than 400 ports were scanned from a single source IP address in under 2 minutes.
Default-Rule-Recon: Increase Magnitude of High Rate Scans | Recon | Event | True | If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Increase Magnitude of Medium Rate Scans | Recon | Event | True | If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Local LDAP Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Database Scanner | Recon | Event | True | Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Local DHCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local FTP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Game Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local ICMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Local Mail Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local P2P Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Proxy Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local RPC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Scanner Detected | Recon | Event | True | Reports a scan from a local host against other local hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity used a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Local SNMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local SSH Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Suspicious Probe Events Detected | Recon | Event | False | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.
Default-Rule-Recon: Local TCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local UDP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Web Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Server Scanner to Internet | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Server Scanner | Recon | Event | True | Reports on events that are detected by the system when the attack context is Local-to-Local (L2L).
Default-Rule-Recon: Recon Followed by Accept | Recon | Event | False | Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.
Default-Rule-Recon: Remote Database Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote DHCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote FTP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Game Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote ICMP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Remote LDAP Server Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote Mail Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote P2P Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Proxy Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote RPC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Recon Event True Reports a scan from a remote host against other
Remote Scanner hosts or remote targets. At least 60 hosts were
Detected scanned within 20 minutes. This activity was
using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Recon Event True Reports scans from a remote host against local
Remote SNMP Scanner or remote targets. At least 30 hosts were
scanned in 10 minutes.

Default-Rule-Recon: Remote SSH Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Suspicious Probe Events Detected | Recon | Event | False | Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance that attempts to identify the services and operating system of the targets.
Default-Rule-Recon: Remote TCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote UDP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Web Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Windows Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Single Merged Recon Events | Recon | Event | True | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.
Default-Rule-Suspicious Activity: Common Non-Local to Remote Ports |  | Event | False | Rule identifies events that have common internal-only ports communicating outside of the local network.
Default-Rule-Suspicious Activity: Communication with Known Hostile Networks | Anomaly | Event | False | Reports events that are involved with known hostile networks.
Default-Rule-Suspicious Activity: Communication with Known Online Services | Anomaly | Event | False | Reports events that are involved with networks identified as possible sites that may involve data loss.

Default-Rule-Suspicious Activity: Communication with Known Watched Networks | Anomaly | Event | False | Reports events that are involved with networks that are defined as networks you wish to monitor.
Default-Rule-Suspicious Activity: Consumer Grade Equipment | Compliance | Event | False | Reports assets that appear to be consumer grade equipment.
Default-Rule-System-Notification |  | Event | True | Rule ensures that notification events are sent to the notification framework.
Default-Rule-System: 100% Accurate Events | System | Event | True | Creates an offense when an event matches a 100% accurate signature for successful compromises.
Default-Rule-System: Critical System Events | System | Event | False | Reports when STRM detects a critical event.
Default-Rule-System: Device Stopped Sending Events | System | Event | False | Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add devices you want to monitor.
Default-Rule-System: Host Based Failures | System | Event | False | Reports when STRM detects events that indicate failures within services or hardware.
Default-Rule-System: Load Building Blocks | System | Event | True | Loads BBs that need to be run to assist with reporting. This rule has no actions or responses.
Default-Rule-Recon: Multiple System Errors | System | Event | False | Reports when a source has 10 system errors within 3 minutes.
Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner | Compliance | Event | False | Reports when a vulnerability is discovered on a local host.
Default-Rule-Worms Detection: Local Mass Mailing Host Detected | Worm | Event | True | Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm.
Default-Rule-Worms Detection: Possible Local Worm Detected | Worm | Event | True | Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan.
Default-Rule-Worms Detection: Worm Detected (Events) | Worm | Event | True | Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic.

Default Building Blocks

Default building blocks for the Enterprise template include:

Table B-10 Default Building Blocks

Building Block | Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-BehaviorDefinition: Compromise Activities | Category Definitions | Event | Edit this BB to include categories that are considered part of events detected during a typical compromise. |
Default-BB-BehaviorDefinition: Post Compromise Activities | Category Definitions | Event | Edit this BB to include categories that are considered part of events detected after a typical compromise. |
Default-BB-CategoryDefinition: Authentication Failures | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate an unsuccessful attempt to access the network. |
Default-BB-CategoryDefinition: Authentication Success | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate successful attempts to access the network. |
Default-BB-CategoryDefinition: Authentication to Disabled Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using a disabled account. |
Default-BB-CategoryDefinition: Authentication to Expired Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using an expired account. |
Default-BB-CategoryDefinition: Authentication User or Group Added or Changed | Category Definitions, Compliance | Event | Edit this building block to include all events that indicate modification to accounts or groups. |
Default-BB-CategoryDefinition: Countries with no Remote Access | Category Definitions | Event | Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule. |
Default-BB-CategoryDefinition: Database Connections | Category Definitions | Event | Edit this BB to define successful logins to databases. You may need to add additional device types for this BB. |
Default-BB-CategoryDefinition: DDoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a DDoS attack. |
Default-BB-CategoryDefinition: Exploits, Backdoors, and Trojans | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. |

Default-BB-CategoryDefinition: Failure Service or Hardware | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a failure within a service or hardware. |
Default-BB-CategoryDefinition: Firewall or ACL Accept | Category Definitions | Event | Edit this BB to include all events that indicate access to the firewall. |
Default-BB-CategoryDefinition: Firewall or ACL Denies | Category Definitions | Event | Edit this BB to include all events that indicate unsuccessful attempts to access the firewall. |
Default-BB-CategoryDefinition: Firewall System Errors | Category Definitions | Event | Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices: CheckPoint, Generic Firewall, Iptables, NetScreen Firewall, Cisco Pix. |
Default-BB-CategoryDefinition: Flow Events | Category Definitions | Event | Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine. |
Default-BB-CategoryDefinition: High Magnitude Events | Category Definitions | Event | Edit this BB to set the severity, credibility, and relevance levels at which you want to generate an event. The defaults are Severity = 6, Credibility = 7, Relevance = 7. |
Default-BB-CategoryDefinitions: KeyLoggers | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. |
Default-BB-CategoryDefinition: Mail Policy Violation | Category Definitions, Compliance | Event | Edit this BB to define mail policy violations. |
Default-BB-CategoryDefinition: Malware Annoyances | Category Definitions | Event | Edit this BB to include event categories that are typically associated with spyware infections. |

Default-BB-CategoryDefinition: Network DoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a network DoS attack. |
Default-BB-CategoryDefinition: Policy Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that may indicate a violation of network policy. |
Default-BB-CategoryDefinition: Post Exploit Account Activity | Category Definitions | Event | Edit this BB to include all event categories that may indicate exploits to accounts. |
Default-BB-CategoryDefinition: Rate Analysis Marked Events | Category Definitions | Event | STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Edit this BB to include events that are marked with rate analysis. |
Default-BB-CategoryDefinition: Recon Events | Category Definitions | Event | Edit this BB to include all events that indicate reconnaissance activity. |
Default-BB-CategoryDefinition: Service DoS | Category Definitions | Event | Edit this BB to define Denial of Service (DoS) attack events. |
Default-BB-CategoryDefinition: Suspicious Events | Category Definitions | Event | Edit this BB to include all events that indicate suspicious activity. |
Default-BB-CategoryDefinition: System Configuration | Category Definitions, Malware | Event | Edit this BB to define system configuration events. |
Default-BB-CategoryDefinition: Upload to Local WebServer | Category Definitions | Event | Typically, most networks are configured to restrict applications that use the PUT method running on their web application servers. This BB detects if a remote host has used this method on a local server. The BB could be duplicated to also detect other unwanted methods, or local hosts using the method when connecting to remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule. |
Default-BB-CategoryDefinition: VoIP Authentication Failure Events | Category Definitions | Event | Edit this BB to include all events that indicate a VoIP login failure. |

Default-BB-CategoryDefinition: VoIP Session Opened | Category Definitions | Event | Edit this BB to include all events that indicate the start of a VoIP session. |
Default-BB-CategoryDefinition: Windows Compliance Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that indicate compliance events. |
Default-BB-CategoryDefinition: Worm Events | Category Definitions | Event | Edit this BB to define worm events. This BB only applies to events not detected by a custom rule. |
Default-BB-ComplianceDefinition: GLBA Servers | Compliance, Host Definitions | Event | Edit this BB to include your GLBA systems. You must then apply this BB to rules related to failed logins, remote access, etc. |
Default-BB-ComplianceDefinition: HIPAA Servers | Compliance, Host Definitions | Event | Edit this BB to include your HIPAA servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. |
Default-BB-ComplianceDefinition: SOX Servers | Compliance, Host Definitions | Event | Edit this BB to include your SOX servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. |
Default-BB-ComplianceDefinition: PCI DSS Servers | Compliance, Host Definitions, Response | Event | Edit this BB to include your PCI DSS servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. |
Default-BB-Database: System Action Allow | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate successful actions within a database. |
Default-BB-Database: System Action Deny | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate unsuccessful actions within a database. |
Default-BB-Database: User Addition or Change | Category Definitions, Compliance | Event | Edit this BB to include events that indicate the successful addition or change of user privileges. |
Default-BB-DeviceDefinition: Consumer Grade Routers | Device Definitions | Event | Edit this BB to include MAC addresses of known consumer grade routers. |
Default-BB-DeviceDefinition: Consumer Grade Wireless APs | Device Definitions | Event | Edit this BB to include MAC addresses of known consumer grade wireless access points. |
Default-BB-DeviceDefinition: Database | Device Definitions | Event |  |
Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates | Device Definitions | Event | Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates rule. |
Default-BB-False Negative: Events That Indicate Successful Compromise | False Positive | Event | Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy. |
Default-BB-FalsePositive: All Default False Positive BBs | False Positive | Event | Edit this BB to include all false positive building blocks. | All Default-BB-FalsePositive building blocks
Default-BB-FalsePositive: Broadcast Address False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the broadcast address space. |
Default-BB-FalsePositive: Database Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers
Default-BB-FalsePositive: Database Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers
Default-BB-FalsePositive: Device and Specific Event | False Positive | Event | Edit this BB to include the devices and QIDs of devices that continually generate false positives. |
Default-BB-FalsePositive: DHCP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers
Default-BB-FalsePositive: DHCP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers

Default-BB-FalsePositive: DNS Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers
Default-BB-FalsePositive: DNS Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers
Default-BB-FalsePositive: Firewall Deny False Positive Events | False Positive | Event | Edit this BB to define firewall deny events that are false positives. |
Default-BB-FalsePositive: FTP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers
Default-BB-FalsePositive: FTP False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers
Default-BB-FalsePositive: Global False Positive Events | False Positive | Event | Edit this BB to include any event QIDs that you want to ignore. |
Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers. |
Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers. |
Default-BB-FalsePositive: Large Volume Local FW Events | False Positive | Event | Edit this BB to define specific events that can create a large volume of false positives in general rules. |

Default-BB-FalsePositive: LDAP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers
Default-BB-FalsePositive: LDAP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers
Default-BB-FalsePositive: Mail Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers
Default-BB-FalsePositive: Mail Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers
Default-BB-FalsePositive: Network Management Servers Recon | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block. | Default-BB-HostDefinition: Network Management Servers
Default-BB-FalsePositive: Proxy Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers
Default-BB-FalsePositive: Proxy Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers
Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers. |
Default-BB-FalsePositive: RPC Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers

Default-BB-FalsePositive: RPC Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers
Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers
Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers
Default-BB-FalsePositive: Source IP and Specific Event | False Positive | Event | Edit this BB to include source IP addresses or specific events that you want to remove. |
Default-BB-FalsePositive: SSH Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: SSH Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: Syslog Sender False Positive Categories | False Positive | Event | Edit this BB to define all false positive categories that occur to or from syslog sources. | Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Syslog Sender False Positive Events | False Positive | Event | Edit this BB to define all false positive events that occur to or from syslog sources or destinations. | Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Virus Definition Update Categories | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block. | Default-BB-HostDefinition: Virus Definition and Other Update Servers
Default-BB-FalsePositive: Web Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers
Default-BB-FalsePositive: Web Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers
Default-BB-FalsePositive: Windows Server False Positive Categories Local | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers
Default-BB-FalsePositive: Windows Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers
Default-BB-HostBased: Critical Events | Category Definitions, Compliance | Event | Edit this BB to define event categories that indicate critical events. |
Default-BB-HostDefinition: Database Servers | Host Definitions | Event | Edit this BB to define typical database servers. | Default-BB-FalsePositive: Database Server False Positive Categories; Default-BB-FalsePositive: Database Server False Positive Events
Default-BB-HostDefinition: DHCP Servers | Host Definitions | Event | Edit this BB to define typical DHCP servers. | Default-BB-FalsePositive: DHCP Server False Positive Categories; Default-BB-FalsePositive: DHCP Server False Positive Events
Default-BB-HostDefinition: DNS Servers | Host Definitions | Event | Edit this BB to define typical DNS servers. | Default-BB-FalsePositive: DNS Server False Positive Categories; Default-BB-FalsePositive: DNS Server False Positive Events
Default-BB-HostDefinition: FTP Servers | Host Definitions | Event | Edit this BB to define typical FTP servers. | Default-BB-FalsePositive: FTP Server False Positive Categories; Default-BB-FalsePositive: FTP Server False Positive Events

Default-BB-HostDefinition: Host with Port Open | Host Definitions | Event | Edit this BB to include a host and port that is actively or passively seen. |
Default-BB-HostDefinition: LDAP Servers | Host Definitions | Event | Edit this BB to define typical LDAP servers. | Default-BB-FalsePositive: LDAP Server False Positive Categories; Default-BB-FalsePositive: LDAP Server False Positive Events
Default-BB-HostDefinition: Mail Servers | Host Definitions | Event | Edit this BB to define typical mail servers. | Default-BB-FalsePositive: Mail Server False Positive Categories; Default-BB-FalsePositive: Mail Server False Positive Events
Default-BB-HostDefinition: Network Management Servers | Host Definitions | Event | Edit this BB to define typical network management servers. |
Default-BB-HostDefinition: Proxy Servers | Host Definitions | Event | Edit this BB to define typical proxy servers. | Default-BB-FalsePositive: Proxy Server False Positive Categories; Default-BB-FalsePositive: Proxy Server False Positive Events
Default-BB-HostDefinition: RPC Servers | Host Definitions | Event | Edit this BB to define typical RPC servers. | Default-BB-FalsePositive: RPC Server False Positive Categories; Default-BB-FalsePositive: RPC Server False Positive Events
Default-BB-HostDefinition: Servers | Host Definitions | Event | Edit this BB to define generic servers. |
Default-BB-HostDefinition: SNMP Sender or Receiver | Host Definitions | Event | Edit this BB to define SNMP senders or receivers. | Default-BB-PortDefinition: SNMP Ports
Default-BB-HostDefinition: SSH Servers | Host Definitions | Event | Edit this BB to define typical SSH servers. | Default-BB-FalsePositive: SSH Server False Positive Categories; Default-BB-FalsePositive: SSH Server False Positive Events

Default-BB-HostDefinition: Syslog Servers and Senders | Host Definitions | Event | Edit this BB to define typical hosts that send or receive syslog traffic. | Default-BB-FalsePositive: Syslog Server False Positive Categories; Default-BB-FalsePositive: Syslog Server False Positive Events
Default-BB-HostDefinition: VA Scanner Source IP | Host Definitions | Event | Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2. |
Default-BB-HostDefinition: Virus Definition and Other Update Servers | Host Definitions | Event | Edit this BB to include all servers that provide virus protection and update functions. |
Default-BB-HostDefinition: VoIP IP PBX Server | Host Definitions | Event | Edit this BB to define typical VoIP IP PBX servers. |
Default-BB-HostDefinition: Web Servers | Host Definitions | Event | Edit this BB to define typical web servers. | Default-BB-FalsePositive: Web Server False Positive Categories; Default-BB-FalsePositive: Web Server False Positive Events
Default-BB-HostDefinition: Windows Servers | Host Definitions | Event | Edit this BB to define typical Windows servers, such as domain controllers or Exchange servers. | Default-BB-FalsePositive: Windows Server False Positive Categories; Default-BB-FalsePositive: Windows Server False Positive Events
Default-BB-NetworkDefinition: Broadcast Address Space | Network Definition | Event | Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages. |
Default-BB-NetworkDefinition: Client Networks | Network Definition | Event | Edit this BB to include all networks that include client hosts. |
Default-BB-NetworkDefinition: Darknet Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a Darknet list. |
Default-BB-NetworkDefinition: DLP Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a data loss prevention (DLP) list. |
Default-BB-Network DMZ Addresses | Network Definition | Event | Edit this BB to include addresses that are included in the DMZ. |

Building Block: Default-BB-NetworkDefinition: Honeypot like Addresses
Group: Network Definition
Type: Event
Description: Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.

Building Block: Default-BB-NetworkDefinition: NAT Address Range
Group: Network Definition
Type: Event
Description: Edit this BB to define the typical Network Address Translation (NAT) range you want to use in your deployment.

Building Block: Default-BB-NetworkDefinition: Server Networks
Group: Network Definition
Type: Event
Description: Edit this BB to include the networks where your servers are located.

Building Block: Default-BB-NetworkDefinition: Undefined IP Space
Group: Network Definition
Type: Event
Description: Edit this BB to include areas of your network that do not contain any valid hosts.

Building Block: Default-BB-NetworkDefinition: Watch List Addresses
Group: Network Definition
Type: Event
Description: Edit this BB to include networks that should be added to a watch list.

Building Block: Default-BB-Policy: Application Policy Violation Events
Group: Policy
Type: Event
Description: Edit this BB to define policy application and violation events.

Building Block: Default-BB-Policy: IRC/IM Connection Violations
Group: Policy
Type: Event
Description: Edit this BB to define all policy IRC/IM connection violations.

Building Block: Default-BB-Policy: Policy P2P
Group: Policy
Type: Event
Description: Edit this BB to include all events that indicate Peer-to-Peer (P2P) activity.

Building Block: Default-BB-PortDefinition: Authorized L2R Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include ports that are commonly detected in Local-to-Remote (L2R) traffic.

Building Block: Default-BB-PortDefinition: Database Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common database ports.

Building Block: Default-BB-PortDefinition: DHCP Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common DHCP ports.

Building Block: Default-BB-PortDefinition: DNS Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common DNS ports.

Building Block: Default-BB-PortDefinition: FTP Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common FTP ports.

Building Block: Default-BB-PortDefinition: Game Server Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common game server ports.

Building Block: Default-BB-PortDefinition: IM Ports
Group: Compliance, Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common IM ports.

Building Block: Default-BB-PortDefinition: IRC Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common IRC ports.

Building Block: Default-BB-PortDefinition: LDAP Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by LDAP servers.

Building Block: Default-BB-PortDefinition: Mail Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by mail servers.

Building Block: Default-BB-PortDefinition: P2P Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers.

Building Block: Default-BB-PortDefinition: Proxy Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by proxy servers.

Building Block: Default-BB-PortDefinition: RPC Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by RPC servers.

Building Block: Default-BB-PortDefinition: SNMP Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by SNMP servers.

Building Block: Default-BB-PortDefinition: SSH Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by SSH servers.

Building Block: Default-BB-PortDefinition: Syslog Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by syslog servers.

Building Block: Default-BB-PortDefinition: Unauthorized L2R Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include ports that are not typically detected in Local-to-Remote (L2R) traffic.

Building Block: Default-BB-PortDefinition: Web Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by Web servers.

Building Block: Default-BB-PortDefinition: Windows Ports
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common ports used by Windows servers.

Building Block: Default-BB-ProtocolDefinition: Windows Protocols
Group: Port/Protocol Definition
Type: Event
Description: Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored by the false positive tuning rules.

Building Block: Default-BB-ReconDetected: All Recon Rules
Group: Recon
Type: Event
Description: Defines all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed, for example, reconnaissance followed by a firewall accept.

Building Block: Default-BB-ReconDetected: Devices That Merge Recon into Single Events
Group: Recon
Type: Event
Description: Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses.

Building Block: Default-BB-ReconDetected: Host Port Scan
Group: Recon
Type: Event
Description: Edit this BB to define reconnaissance scans on hosts in your deployment.

Building Block: Default-BB-ReconDetected: Port Scan Detected Across Multiple Hosts
Group: Recon
Type: Event
Description: Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If the attacker is internal, this may indicate an exploited machine or a worm scanning for targets.

Building Block: User-BB-FalsePositive: User Defined False Positives Tunings
Group: User Tuning
Type: Event
Description: This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide.

Building Block: User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories
Group: User Tuning
Type: Event
Description: Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 1

Building Block: User-BB-FalsePositive: User Defined Server Type 1 False Positive Events
Group: User Tuning
Type: Event
Description: Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 1

Building Block: User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories
Group: User Tuning
Type: Event
Description: Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 2

Building Block: User-BB-FalsePositive: User Defined Server Type 2 False Positive Events
Group: User Tuning
Type: Event
Description: Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 2

Building Block: User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories
Group: User Tuning
Type: Event
Description: Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 3

Building Block: User-BB-FalsePositive: User Defined Server Type 3 False Positive Events
Group: User Tuning
Type: Event
Description: Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
Associated Building Blocks: User-BB-HostDefinition: User Defined Server Type 3

Building Block: User-BB-HostDefinition: User Defined Server Type 1
Group: User Tuning
Type: Event
Description: Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers, as defined in the User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 1 False Positive Events building blocks.
Associated Building Blocks: User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 1 False Positive Events

Building Block: User-BB-HostDefinition: User Defined Server Type 2
Group: User Tuning
Type: Event
Description: Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers, as defined in the User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 2 False Positive Events building blocks.
Associated Building Blocks: User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 2 False Positive Events

Building Block: User-BB-HostDefinition: User Defined Server Type 3
Group: User Tuning
Type: Event
Description: Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers, as defined in the User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 3 False Positive Events building blocks.
Associated Building Blocks: User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 3 False Positive Events

C UNIVERSITY TEMPLATE DEFAULTS

The University template includes settings with an emphasis on internal network activities. This appendix provides the defaults for the University template, including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks

Default Sentries

The default sentries for the University template include:

Table C-1 Default Sentries

Behavior - Flow Count Behavior Change: Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.

Behavior - Host Count Behavior Change: Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.

Behavior - Threat Traffic Packet Rate Behavior Change: Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.

Suspicious - Internal - Inbound Unidirectional Flows Threshold: Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

DoS - External - Distributed DoS Attack (High Number of Hosts): Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Distributed DoS Attack (Low Number of Hosts): Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Distributed DoS Attack (Medium Number of Hosts): Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Flood Attack (High): Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.

DoS - External - Flood Attack (Medium): Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - External - Flood Attack (Low): Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - External - Potential ICMP DoS: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - External - Potential TCP DoS: Detects flows that appear to be a TCP DoS attack attempt.

DoS - External - Potential UDP DoS: Detects flows that appear to be a UDP DoS attack attempt.

DoS - External - Potential Unresponsive Service or Distributed DoS: Detects a low number of hosts sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (High Number of Hosts): Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Low Number of Hosts): Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Medium Number of Hosts): Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Flood Attack (High): Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.

DoS - Internal - Flood Attack (Medium): Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - Internal - Flood Attack (Low): Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - Internal - Potential ICMP DoS: Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - Internal - Potential TCP DoS: Detects flows that appear to be a TCP DoS attack attempt.

DoS - Internal - Potential UDP DoS: Detects flows that appear to be a UDP DoS attack attempt.

DoS - Internal - Potential Unresponsive Service or Distributed DoS: Detects a low number of hosts sending identical, non-responsive packets to a single target.

Malware - External - Client Based DNS Activity to the Internet: Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a botnet connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.

Malware - External Communication with BOT Control Channel: Detects communication with an IP address that is a control channel for a BOTNET. The local machine may be infected with a bot and should be investigated.

Policy - External - Clear Text Application Usage: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - External - Hidden FTP Server: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - Internal - Clear Text Application Usage: Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - Internal - Hidden FTP Server: Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - External - IM/Chat: Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - External - IRC Connections: Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - Local P2P Server Detected: Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Policy - External - Long Duration Flow Detected: Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3600 seconds, which means that an event generates 3600 seconds after the first instance of the event.

Policy - External - P2P Communications Detected: Detects Peer-to-Peer (P2P) communications.

Policy - External - Possible Tunneling: Detects possible tunneling, which can indicate a bypass of policy or an infected system.

Policy - External - Remote Desktop Access from the Internet: Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.

Policy - External - SMTP Mail Sender: Detects an internal host sending a large number of SMTP flows from the same source to the Internet in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Policy - External - SSH or Telnet Detected on Non-Standard Ports: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Policy - Internal - SSH or Telnet Detected on Non-Standard Ports: Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Policy - External - Usenet Usage: Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

Policy - External - VNC Access From the Internet to a Local Host: Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.

Policy - P2P Policy Threshold: Detects more than 100 KB/s of Peer-to-Peer (P2P) traffic within 5 minutes.

Recon - External - ICMP Scan (High): Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - External - ICMP Scan (Low): Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - ICMP Scan (Medium): Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Recon - External - Potential Network Scan: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Recon - External - Scanning Activity (High): Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Recon - External - Scanning Activity (Low): Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - Scanning Activity (Medium): Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Recon - Internal - ICMP Scan (High): Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - Internal - ICMP Scan (Low): Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - ICMP Scan (Medium): Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Recon - Internal - Potential Network Scan: Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.

Recon - Internal - Scanning Activity (High): Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Recon - Internal - Scanning Activity (Low): Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - Scanning Activity (Medium): Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Suspicious - External - Anomalous ICMP Flows: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - External - Invalid TCP Flag usage: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - External - Port 0 Flows Detected: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - External - Rejected Communication Attempts: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - External - Unidirectional ICMP Detected: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - External - Unidirectional ICMP Responses Detected: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - External - Unidirectional TCP Flows: Detects flows that indicate a host is sending an excessive quantity (at least 40) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, so this activity should be considered suspicious.

Suspicious - Internal - Anomalous ICMP Flows: Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Invalid TCP Flag usage: Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - External - Outbound Unidirectional Flows Threshold: Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes.

Suspicious - Internal - Port 0 Flows Detected: Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - Internal - Rejected Communication Attempts: Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Unidirectional ICMP Detected: Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Unidirectional ICMP Responses Detected: Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Unidirectional TCP Flows: Detects flows that indicate a host is sending an excessive quantity (at least 40) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, so this activity should be considered suspicious.

Excessive Unidirectional UDP or Misc Flows: Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 80.

Default Custom Views

This section provides the default custom views for the Enterprise template, including:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group

IP Tracking Group

Pre-configured groups that specify traffic flows from your local and remote IP addresses including:

Table C-2 Custom Views - IP Tracking View

Locals
    Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.
Remotes
    Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.


Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including:

Table C-3 Custom Views - Threats View

Exceptions
    This group includes:
    • Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.

DoS
    The Denial of Service (DoS) group includes:
    • Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
    • Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
    • Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
    • Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
    • Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
    • Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
    • Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
    • Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
    • Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
    • Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
    • Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.

Scanning
    This scanning group includes:
    • ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
    • ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
    • ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
    • Scan_High - Defines a scan of more than 100,000 hosts per minute.
    • Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
    • Scan_Low - Defines a scan of more than 500 hosts per minute.
    • Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
    • Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.
PortScans
    This PortScans group includes:
    • Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
    • UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.

Suspicious_IP_Protocol_Usage
    This group includes:
    • Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
    • Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
    • TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.
    • Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate application failures to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
    • Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.
    • Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.
    • Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (or other flows that are neither TCP nor ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.
    • Zero_Payload_Bidirectional_Flows - Detects flows that contain little, if any, payload. This may be the result of scans where the target responds with reset packets.
    • Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
    • Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.
    • Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.

Remote_Access_Violation
    This group includes:
    • Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.
    • Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports of this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.
    • Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
    • VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
Suspicious_IRC
    Detects suspicious IRC activity.
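The DoS and Suspicious_IP_Protocol_Usage objects in Table C-3 are defined by packet-rate, duration, port and packet-size thresholds. The following Python is an added example, not STRM code, that re-implements a subset of those objects as pure functions over constructed flow records so the thresholds can be checked against sample data. The FlowRecord type and its field names, the use of UDP port 53 to identify DNS traffic, and reading "1K" as 1024 bytes are assumptions; the sample flows are constructed, not captured traffic.

```python
"""Threats view thresholds from Table C-3 as pure functions (added example,
not STRM code).  FlowRecord, its field names and the sample flows are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    src_local: bool        # source host is on the local network (assumed field)
    dst_local: bool        # destination host is on the local network
    protocol: str          # "tcp", "udp" or "icmp"
    src_port: int          # 0 for ICMP
    dst_port: int
    src_packets: int       # packets sent by the source
    dst_packets: int       # packets sent back by the destination; 0 = no response
    duration_s: float      # flow duration in seconds
    max_packet_bytes: int  # largest packet seen in the flow
    syn_flood: bool = False  # TCP flow made of unanswered SYNs (assumed flag)


ONE_K = 1024    # assumed reading of "1K" in Large_DNS_Packets / Large_ICMP_Packets
DNS_PORT = 53   # assumed: DNS traffic is identified by UDP port 53
# Potential_<proto>_DoS: (packets per second the rate must exceed, minimum duration in s)
POTENTIAL_DOS = {"tcp": (300, 5), "udp": (750, 3), "icmp": (300, 2)}
# Inbound_Flood_NoResponse tiers, checked from highest to lowest
FLOOD_TIERS = (("High", 100_000), ("Medium", 5_000), ("Low", 500))


def packet_rate(flow):
    """Source packets per second; a zero-length record has no rate."""
    return flow.src_packets / flow.duration_s if flow.duration_s > 0 else 0.0


def inbound_flood_tier(flow):
    """Remote source whose packets get no reply, above a tier threshold."""
    if flow.src_local or flow.dst_packets != 0:
        return None
    pps = packet_rate(flow)
    for name, threshold in FLOOD_TIERS:
        if pps > threshold:
            return f"Inbound_Flood_NoResponse_{name}"
    return None


def potential_dos(flow):
    """Potential_TCP/UDP/ICMP_DoS: sustained high packet rate per protocol."""
    if flow.protocol not in POTENTIAL_DOS:
        return None
    if flow.protocol == "tcp" and not flow.syn_flood:
        return None  # the TCP object is defined on SYN flood flows only
    min_pps, min_duration = POTENTIAL_DOS[flow.protocol]
    if packet_rate(flow) > min_pps and flow.duration_s >= min_duration:
        return f"Potential_{flow.protocol.upper()}_DoS"
    return None


def protocol_usage(flow):
    """Suspicious_IP_Protocol_Usage objects decidable from a single flow."""
    hits = []
    if flow.protocol in ("tcp", "udp") and 0 in (flow.src_port, flow.dst_port):
        hits.append("TCP_UDP_Port_0")
    crosses_internet = flow.src_local != flow.dst_local
    if crosses_internet and flow.duration_s > 48 * 3600:
        hits.append("Long_Duration_Flow")
    if (flow.protocol == "udp" and DNS_PORT in (flow.src_port, flow.dst_port)
            and flow.max_packet_bytes > ONE_K):
        hits.append("Large_DNS_Packets")
    if flow.protocol == "icmp" and flow.max_packet_bytes > ONE_K:
        hits.append("Large_ICMP_Packets")
    return hits


def classify(flow):
    """All object names (from the subset above) that the flow matches."""
    hits = [name for name in (inbound_flood_tier(flow), potential_dos(flow)) if name]
    return hits + protocol_usage(flow)


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = {
    # 600 unanswered SYNs/s for 10 s from the Internet
    "syn_flood": FlowRecord(False, True, "tcp", 40000, 80, 6000, 0, 10.0, 60, syn_flood=True),
    # 400 unanswered ICMP packets/s for 2.5 s: below the flood tiers, above the DoS threshold
    "icmp_storm": FlowRecord(False, True, "icmp", 0, 0, 1000, 0, 2.5, 64),
    "port0": FlowRecord(False, True, "tcp", 0, 445, 3, 0, 1.0, 64),
    "long_lived": FlowRecord(True, False, "tcp", 50000, 443, 1000, 900, 50 * 3600, 1200),
    "dns_large": FlowRecord(True, False, "udp", 51515, 53, 2, 2, 0.05, 1500),
    "normal_web": FlowRecord(True, False, "tcp", 51000, 443, 20, 25, 1.2, 1400),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label:12s} -> {classify(flow) or 'no match'}")
```

The two rate objects are kept separate because they fire independently in the table: the SYN flood sample matches both Inbound_Flood_NoResponse_Low (rate above 500 pps with no reply) and Potential_TCP_DoS (rate above 300 pps sustained for 5 seconds), while the ICMP sample is below every flood tier yet still a Potential_ICMP_DoS.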

Attacker Target Analysis Group

Pre-configured groups that specify traffic flows from attackers, responses, and events including:

Table C-4 Custom Views - AttackerTargetAnalysis

AttackResponseAnalysis
    This group includes:
    • Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.
    • Target_Responded - The network flow analysis indicates a target responded to the event from the attacker, and therefore increases the likelihood the attacker was successful.

PeripheralCommsAnalysis
    This group includes:
    • Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host. Many typical attacks fire an exploit at the target with little or no prior host investigation.
    • Activity_After_Event - The network flow analysis indicates a target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker/target were also seen communicating before the event, and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate a successful attack has occurred.
    • Target_Initiating_Comms_To_Attacker - The network flow analysis indicates a target was seen initiating connections back to the attacker before or after the event. This can sometimes indicate the attacker has been able to force the target to communicate back to the attacker, therefore bypassing some firewall rules.

Target Analysis Group

Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays including:

Table C-5 Custom Views - TargetAnalysis

BotNetAnalysis
    • BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC Bot on the target and instructed the target to connect to an IRC Channel that is under the attacker's control and await instructions. Large numbers of such exploited machines form a BotNet and can be used by the attacker to coordinate large scale Distributed Denial of Service (DDoS) attacks.
MalwareAnalysis
    • Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is being seen in the presence of security events aimed at this host, and therefore it is possible the attacker has infected the target with a worm, or other hostile malware, and it is attempting to spread from this host.

PeripheralCommsAnalysis
    This group includes:
    • Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally, or inadvertently, crashed the service running on this host.
    • Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given this activity is occurring in the presence of security events targeting this host, it is possible the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
    • Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given this activity is occurring in the presence of a security event targeting this host, it is possible the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.

Policy Violations Group

Pre-configured groups that specify traffic flows from your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies including:

Table C-6 Custom Views - PolicyViolations

Mail_Policy_Violation
    This group includes:
    • Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to not include network mail servers.
    • Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Additionally, such servers may be the result of an infected host which is inadvertently running a SPAM relay. We recommend updating this equation to not include network mail servers.

IRC_IM_Policy_Violation
    This group includes:
    • IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on common IRC ports or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
    • IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.
Remote_Access_Policy_Violation
    • Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. Detects any of the following access technologies: Citrix, PCAnywhere, SSH, Telnet, or VNC.
P2P_Policy_Violation
    This group includes:
    • Local_P2P__Server - Detects flows indicating a P2P server is operating on the local network. This can be in violation of local network policy.
    • Local_P2P_Client - Detects flows indicating a P2P client is operating on the local network. This can be in violation of local network policy.
Application_Policy_Violation
    This group includes:
    • NNTP_to_Internet - Detects flows indicating an NNTP news client is operating on the local network. This may be in violation of local network policy.
    • Unknown_Local_Service - Detects an active service on a local host.
Compliance_Policy_Violations
    This group includes:
    • Clear_Text_Application_Usage - Detects flows where the application types use clear text passwords. Applications matched by this view include Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.
    • Large_Outbound_Transfer - Detects large outbound file transfers.

ASN Source Group

STRM detects the ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.


ASN Destination Group

STRM detects the ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.

IFIndexIn Group

STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.

IFIndexOut Group

STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.

QoS Group

Default QoS groups include:

Table C-7 Custom Views - QoS View

NetworkControl Object
    Specifies QoS values related to link layer and routing protocols.
IPRoutingControl
    Specifies QoS values used by IP routing protocols.
Expedited
    Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Class 4
    Specifies values related to Class 4 traffic.
Class 3
    Specifies values related to Class 3 traffic.
Class 2
    Specifies values related to Class 2 traffic.
Class 1
    Specifies values related to Class 1 traffic.
Best Effort
    Specifies traffic related to best effort QoS traffic. Best effort services do not guarantee delivery.

Flow Shape Group

Default FlowShape groups include:

Table C-8 Custom Views - Flow Shape View

Inbound_Only
    Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.
Outbound_Only
    Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet in which the remote host does not respond.
Mostly_Inbound
    Specifies traffic flows that send 5 times more data into the network than is received.
Mostly_Outbound
    Specifies traffic flows that send 5 times more bytes out of the network than are received.
NearSame_Internet
    Specifies traffic to and from hosts on the Internet that have around the same amount of bytes sent and received.

Local_Unidirectional
    Specifies a one-sided flow with a source and destination within the local network.
Local_SRC_Bias
    Specifies internal traffic that has 5 times more bytes transferred by the source than the destination.
Local_DST_Bias
    Specifies internal traffic that has 5 times more bytes transferred by the destination than the source.
NearSame_Internal
    Specifies internal traffic that has a balance of source and destination bytes.
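The Flow Shape groups in Table C-8 partition flows by which end is local and by the balance of bytes in each direction. The following Python is an added example, not STRM code, that classifies constructed flow records into those groups. The Flow type and its fields are assumed; "5 times more bytes" is read as a ratio of at least 5, and the NearSame objects are taken to mean that neither direction reaches that ratio.

```python
"""Flow Shape classification from Table C-8 (added example, not STRM code).
The Flow fields and sample flows are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_local: bool  # flow originator is on the local network (assumed field)
    dst_local: bool  # responder is on the local network
    src_bytes: int   # bytes sent by the originator
    dst_bytes: int   # bytes sent by the responder


BIAS_RATIO = 5  # "5 times more bytes" in Table C-8, read as a ratio of at least 5


def flow_shape(flow):
    """Return the Table C-8 group object describing the flow, or None."""
    if flow.src_local and flow.dst_local:
        # Internal traffic: both ends on the local network
        if flow.src_bytes == 0 or flow.dst_bytes == 0:
            return "Local_Unidirectional"
        if flow.src_bytes >= BIAS_RATIO * flow.dst_bytes:
            return "Local_SRC_Bias"
        if flow.dst_bytes >= BIAS_RATIO * flow.src_bytes:
            return "Local_DST_Bias"
        return "NearSame_Internal"
    if not flow.src_local and not flow.dst_local:
        return None  # remote-to-remote traffic has no shape object in the table
    # Exactly one end is local: express bytes as into / out of the network
    if flow.src_local:
        out_bytes, in_bytes = flow.src_bytes, flow.dst_bytes
        if in_bytes == 0:
            return "Outbound_Only"   # remote host never responded
    else:
        in_bytes, out_bytes = flow.src_bytes, flow.dst_bytes
        if out_bytes == 0:
            return "Inbound_Only"    # local host never responded
    if in_bytes >= BIAS_RATIO * out_bytes:
        return "Mostly_Inbound"
    if out_bytes >= BIAS_RATIO * in_bytes:
        return "Mostly_Outbound"
    return "NearSame_Internet"


def shape_counts(flows):
    """Histogram of shapes; flows with no shape are counted as 'unclassified'."""
    return Counter(flow_shape(f) or "unclassified" for f in flows)


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow(False, True, 4_000, 0),        # unanswered probe from the Internet
    Flow(True, False, 300, 0),          # local host, remote never replied
    Flow(True, False, 800, 50_000),     # download
    Flow(True, False, 90_000, 2_000),   # upload
    Flow(False, True, 2_000, 1_500),    # balanced session with an Internet host
    Flow(True, True, 1_200, 0),         # one-sided internal flow
    Flow(True, True, 50_000, 400),
    Flow(True, True, 400, 50_000),
    Flow(True, True, 900, 1_100),
    Flow(False, False, 10, 10),         # transit traffic, not described by the table
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", flow_shape(f))
    print(shape_counts(SAMPLE_FLOWS))
```

The one-sided checks run before the ratio checks on purpose: a flow with zero bytes in one direction would otherwise satisfy any ratio and be reported as Mostly_Inbound or Local_SRC_Bias rather than as the Inbound_Only or Local_Unidirectional object the table defines for it.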

Default Rules

Default rules for the University template include:

Table C-9 Default Rules

Default-Response-E-mail: Offense E-mail Sender (Group: Response; Type: Offense; Enabled: False)
    Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.
Default-Response-Sylog: Offense SYSLOG Sender (Group: Response; Type: Offense; Enabled: False)
    Reports any offense matching the severity, credibility, or relevance minimum to syslog.
Default-Rule-Anomaly: Devices with High Event Rates (Group: Anomaly; Type: Event; Enabled: False)
    Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices will be monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.
Default-Rule-Anomaly: DMZ Jumping (Group: Anomaly; Type: Event; Enabled: False)
    Reports when connections are bridged across your network’s Demilitarized Zone (DMZ).
Default-Rule-Anomaly: Excessive Database Connections (Group: Anomaly; Type: Event; Enabled: True)
    Reports an excessive number of successful database connections.
Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts (Group: Anomaly; Type: Event; Enabled: False)
    Reports excessive firewall accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.
Default-Rule-Anomaly: Excessive Firewall Denies from Single Source (Group: Anomaly; Type: Event; Enabled: True)
    Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.

Default-Rule-Anomaly: Long Duration Flow (Group: Anomaly; Type: Event; Enabled: False)
    Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
Default-Rule-Anomaly: Potential Honeypot Access (Group: Anomaly; Type: Event; Enabled: False)
    Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.
Default-Rule-Anomaly: Rate Analysis Marked Events (Group: Anomaly; Type: Event; Enabled: False)
    Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.
Default-Rule-Anomaly: Remote Access from Foreign Country (Group: Anomaly; Type: Event; Enabled: False)
    Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.
Default-Rule-Authentication: Login Failure to Disabled Account (Group: Authentication; Type: Event; Enabled: True)
    Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.
Default-Rule-Authentication: Login Failure to Expired Account (Group: Authentication; Type: Event; Enabled: False)
    Reports a host login failure message from a known expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.
Default-Rule-Authentication: Login Failures Across Multiple Hosts (Group: Authentication; Type: Event; Enabled: True)
    Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.
Default-Rule-Authentication: Login Failures Followed By Success (Group: Authentication; Type: Event; Enabled: True)
    Reports multiple log in failures to a single host, followed by a successful log in to the host.
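The authentication rules in Table C-9 (Login Failures Across Multiple Hosts, Login Failures Followed By Success, and, further down the same table, Repeated Login Failures, Single Host) are count-over-window rules on normalized authentication events. The following Python is an added example, not STRM code, that evaluates those three rules over constructed log lines. The line format and its parser are assumptions, as is the sample log; the table gives no count or window for "multiple log in failures followed by a successful log in", so at least 3 failures within 10 minutes before the success is assumed for that rule.

```python
"""Authentication rules from Table C-9 evaluated over log lines (added example,
not STRM code).  The line format, parser and sample log are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed normalized event format; real devices need a per-device parser.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_events(lines):
    """Parse and time-order events; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def _group(events, key, result=None):
    """Bucket events by key(event), optionally keeping one result type only."""
    groups = defaultdict(list)
    for e in events:
        if result is None or e["result"] == result:
            groups[key(e)].append(e)
    return groups


def failures_across_multiple_hosts(events, window=timedelta(minutes=10)):
    """Login Failures Across Multiple Hosts: one source, more than three
    failures across more than three destination IPs within 10 minutes."""
    hits = set()
    for src, fails in _group(events, lambda e: e["src"], "failure").items():
        for i, first in enumerate(fails):          # slide the window start
            span = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(span) > 3 and len({e["dst"] for e in span}) > 3:
                hits.add(src)
                break
    return sorted(hits)


def repeated_failures_single_host(events, window=timedelta(minutes=5)):
    """Repeated Login Failures, Single Host: at least seven failures from one
    source to one destination within 5 minutes."""
    hits = set()
    for pair, fails in _group(events, lambda e: (e["src"], e["dst"]), "failure").items():
        for i, first in enumerate(fails):
            if sum(1 for e in fails[i:] if e["ts"] - first["ts"] <= window) >= 7:
                hits.add(pair)
                break
    return sorted(hits)


def failures_followed_by_success(events, window=timedelta(minutes=10), min_failures=3):
    """Login Failures Followed By Success.  The table gives no count or window;
    at least 3 failures within 10 minutes before the success is assumed."""
    hits = set()
    for pair, evs in _group(events, lambda e: (e["src"], e["dst"])).items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            prior = [p for p in evs[:i]
                     if p["result"] == "failure" and e["ts"] - p["ts"] <= window]
            if len(prior) >= min_failures:
                hits.add(pair)
                break
    return sorted(hits)


def evaluate(lines):
    """Run all three rules over raw lines; returns rule name -> matches."""
    events = parse_events(lines)
    return {
        "Login Failures Across Multiple Hosts": failures_across_multiple_hosts(events),
        "Repeated Login Failures, Single Host": repeated_failures_single_host(events),
        "Login Failures Followed By Success": failures_followed_by_success(events),
    }


# Constructed sample log, not real device output.
SAMPLE_LOG = """\
2008-09-01T10:00:00 src=10.0.0.5 dst=10.0.1.20 user=admin result=failure
2008-09-01T10:00:30 src=10.0.0.5 dst=10.0.1.21 user=admin result=failure
2008-09-01T10:01:00 src=10.0.0.5 dst=10.0.1.22 user=admin result=failure
2008-09-01T10:01:30 src=10.0.0.5 dst=10.0.1.23 user=admin result=failure
2008-09-01T10:02:00 src=192.0.2.7 dst=10.0.1.50 user=root result=failure
2008-09-01T10:02:20 src=192.0.2.7 dst=10.0.1.50 user=root result=failure
2008-09-01T10:02:40 src=192.0.2.7 dst=10.0.1.50 user=root result=failure
2008-09-01T10:03:00 src=192.0.2.7 dst=10.0.1.50 user=root result=failure
2008-09-01T10:03:20 src=192.0.2.7 dst=10.0.1.50 user=root result=failure
2008-09-01T10:03:40 src=192.0.2.7 dst=10.0.1.50 user=root result=failure
2008-09-01T10:04:00 src=192.0.2.7 dst=10.0.1.50 user=root result=failure
2008-09-01T10:05:00 src=10.0.0.9 dst=10.0.1.60 user=bob result=failure
2008-09-01T10:05:10 src=10.0.0.9 dst=10.0.1.60 user=bob result=failure
2008-09-01T10:05:20 src=10.0.0.9 dst=10.0.1.60 user=bob result=failure
2008-09-01T10:06:00 src=10.0.0.9 dst=10.0.1.60 user=bob result=success
2008-09-01T10:07:00 src=10.0.0.12 dst=10.0.1.70 user=carol result=success
Sep  1 10:08:00 host sshd[1]: unrelated line that the parser skips
""".splitlines()

if __name__ == "__main__":
    for rule, hits in evaluate(SAMPLE_LOG).items():
        print(f"{rule}: {hits or 'none'}")
```

Each rule uses a different key: the multiple-hosts rule groups by source only and then counts distinct destinations inside the window, while the two single-host rules group by (source, destination) pair, so the seven failures from 192.0.2.7 do not also satisfy the multiple-hosts rule and the four spread-out failures from 10.0.0.5 do not satisfy the single-host one.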

Default-Rule-Authentication: Login Successful After Scan Attempt (Group: Authentication, Compliance; Type: Event; Enabled: True)
    Reports on events detected by the system when at least one of the configured rules is detected with the same source IP address followed by successful authentication with the same IP address, within 30 minutes.
Default-Rule-Authentication: Multiple VoIP Login Failures (Group: Authentication; Type: Event; Enabled: True)
    Reports multiple log in failures to a VoIP PBX.
Default-Rule-Authentication: Repeated Login Failures, Single Host (Group: Authentication; Type: Event; Enabled: True)
    Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.
Default-Rule-Botnet: Potential Botnet Connection (DNS) (Group: Botnet, Exploit; Type: Event; Enabled: False)
    Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block.
    Note: Laptops that include wireless adapters may cause this rule to generate alerts since the laptops may attempt to communicate with another ISP’s DNS server. If this occurs, define the ISP’s DNS server in the Default-BB-HostDefinition: DNS Servers building block.
Default-Rule-Botnet: Potential Botnet Connection (IRC) (Group: Botnet; Type: Event; Enabled: False)
    Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
Default-Rule-Botnet: Potential Botnet Events Become Offenses (Group: Botnet; Type: Event; Enabled: True)
    Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Category Definitions: Access Denied (Group: Category Definition; Type: Event; Enabled: True)
    Reports events in different Access Denied categories.
Default-Rule-Category Definitions: Session Closed (Group: Category Definition, Malware; Type: Event; Enabled: True)
    Reports all Session Closed events by categories.
Default-Rule-Category Definitions: Session Opened (Group: Category Definition, Malware; Type: Event; Enabled: True)
    Reports all Session Opened events by categories.
Default-Rule-Category Definitions: Virus Detected (Group: Category Definition, Malware; Type: Event; Enabled: True)
    Reports all virus detection events.

Default-Rule-Category Definitions: System Errors and Failures (Group: Category Definitions; Type: Event; Enabled: True)
    Reports events that may indicate a system error or failure.
Default-Rule-Category Definitions: VPN Access Denied (Group: Category Definition; Type: Event; Enabled: True)
    Reports VPN events that are considered Denied Access events.
Default-Rule-Category Definitions: Database Access Denied (Group: Category Definition; Type: Event; Enabled: True)
    Reports database events that indicate denied access activities.
Default-Rule-Category Definitions: Database Access Permitted (Group: Category Definition; Type: Event; Enabled: True)
    Reports database events that indicate permitted access.
Default-Rule-Category Definitions: VPN Access Accepted (Group: Category Definition; Type: Event; Enabled: True)
    Reports VPN events that indicate permitted access.
Default-Rule-Compliance: Compliance Events Become Offenses (Group: Compliance; Type: Event; Enabled: False)
    Reports compliance-based events, such as clear text passwords.
Default-Rule-Compliance: Excessive Failed Logins to Compliance IS (Group: Compliance; Type: Event; Enabled: False)
    Reports excessive authentication failures to a compliance server within 10 minutes.
Default-Rule-Database: Attempted Configuration Modification by a remote host (Group: Database, Compliance; Type: Event; Enabled: False)
    Reports when a configuration modification is attempted on a database server from a remote network.
Default-Rule-Database: Concurrent Logins from Multiple Locations (Group: Database, Compliance; Type: Event; Enabled: True)
    Reports when several authentications to a database server occur across many remote IP addresses.
Default-Rule-Database: Failures Followed by User Changes (Group: Database, Compliance; Type: Event; Enabled: True)
    Reports when there are failures followed by the addition or change of a user account.
Default-Rule-Database: Groups changed from Remote Host (Group: Database, Compliance; Type: Event; Enabled: True)
    Monitors changes to groups on a database when the change is initiated from a remote network.
Default-Rule-Database: Multiple Database Failures Followed by Success (Group: Database, Compliance; Type: Event; Enabled: True)
    Reports when there are multiple database failures followed by a success within a short period of time.
Default-Rule-Database: Remote Login Failure (Group: Database, Compliance; Type: Event; Enabled: True)
    Increases the severity of a failed login attempt to a database from a remote network.
Default-Rule-Database: Remote Login Success (Group: Database, Compliance; Type: Event; Enabled: True)
    Reports when a successful authentication occurs to a database server from a remote network.

Default-Rule-Database: User Rights Changed from Remote Host (Group: Database, Compliance; Type: Event; Enabled: True)
    Reports when changes to user privileges occur on a database from a remote network.
Default-Rule-DDoS Attack Detected (Group: D/DoS; Type: Event; Enabled: False)
    Reports network Distributed Denial of Service (DDoS) attacks on a system.
Default-Rule-Device Definitions: Access/Authentication/Audit (Group: Device Definition; Type: Event; Enabled: True)
    Reports all access, authentication, and audit devices.
Default-Rule-Device Definitions: AntiVirus (Group: Device Definition; Type: Event; Enabled: True)
    Reports all antivirus services on the system.
Default-Rule-Device Definitions: Application (Group: Device Definition; Type: Event; Enabled: True)
    Reports all application and OS devices on the network.
Default-Rule-Device Definitions: Database (Group: Device Definition; Type: Event; Enabled: True)
    Reports all databases on the system.
Default-Rule-Device Definitions: FW/Router/Switch (Group: Device Definition; Type: Event; Enabled: True)
    Reports all firewalls (FW), routers, and switches on the network.
Default-Rule-Device Definitions: IDS/IPS (Group: Device Definition; Type: Event; Enabled: True)
    Reports all IDS and IPS devices on the network.
Default-Rule-Device Definitions: VPN (Group: Device Definition; Type: Event; Enabled: True)
    Reports all VPNs on the network.
Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks (Group: D/DoS; Type: Event; Enabled: True)
    If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.
Default-Rule-DoS: DoS Events from Darknet (Group: D/DoS; Type: Event; Enabled: False)
    Reports when DoS attack events are identified on Darknet network ranges.
Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses (Group: D/DoS; Type: Event; Enabled: False)
    Reports when offenses are created for DoS-based events with high magnitude.
Default-Rule-DoS: DoS Events with High Magnitude Become Offenses (Group: D/DoS; Type: Event; Enabled: True)
    Rule forces the creation of an offense for DoS based events with a high magnitude.
Default-Rule-DoS: Increase Magnitude of High Rate Attacks (Group: D/DoS; Type: Event; Enabled: True)
    If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.
Default-Rule-DoS: Network DoS Attack Detected (Group: D/DoS; Type: Event; Enabled: True)
    Reports network Denial of Service (DoS) attacks on a system.

Default-Rule-DoS: Service DoS Attack Detected (Group: D/DoS; Type: Event; Enabled: True)
    Reports a DoS attack against a local target that is known to exist and where the target port is open.
Default-Rule-Exploit: All Exploits Become Offenses (Group: Exploit; Type: Event; Enabled: False)
    Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Exploit: Attacker Vulnerable to any Exploit (Group: Exploit; Type: Event; Enabled: False)
    Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.
Default-Rule-Exploit: Attack followed by Attack Response (Group: Exploit; Type: Event; Enabled: False)
    Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.
Default-Rule-Exploit: Attacker Vulnerable to this Exploit (Group: Exploit; Type: Event; Enabled: False)
    Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.
Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity (Group: Exploit; Type: Event; Enabled: False)
    Reports an exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.
Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets (Group: Exploit; Type: Event; Enabled: True)
    Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.
Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses (Group: Exploit; Type: Event; Enabled: False)
    Rule forces the creation of offenses for exploit-based events with a high magnitude.
Default-Rule-Exploit: Exploits Followed by Firewall Accepts (Group: Exploit; Type: Event; Enabled: False)
    Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.
Default-Rule-Exploit: Multiple Exploit Types Against Single Target (Group: Exploit; Type: Event; Enabled: True)
    Reports a target that is being exploited using multiple types of attacks from one or more attackers.
Default-Rule-Exploit: Multiple Vector Attacker (Group: Exploit; Type: Event; Enabled: False)
    Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.
Default-Rule-Exploit: Potential VoIP Toll Fraud (Group: Exploit; Type: Event; Enabled: False)
    Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This action could indicate that illegal users are executing VoIP sessions on your network.

Default-Rule-Exploit: Recon followed by Exploit | Exploit | Event | True | Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit | Exploit | Event | True | Reports an attack against a local target that is known to exist and is vulnerable to the attack being used.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port | Exploit | Event | True | Reports an attack against a local target that is known to exist and is vulnerable to the attack being used, but on a different port than the one attacked.
Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port | Exploit | Event | False | Reports an attack against a local target that is known to exist and is vulnerable to some other attack on the attacked port, but not to the one being attempted.
Default-Rule-FalsePositive: False Positive Rules and Building Blocks | False Positive | Event | True | Reports events that match the false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but dropped from further correlation, so they do not create offenses. If you add new building blocks or rules to stop events from becoming offenses, you must add those rules or building blocks to this rule.
Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses | Malware | Event | False | Enable this rule if you want all events categorized as backdoor, virus, or trojan to create an offense.
Default-Rule-Malware: Local Host Sending Malware | Malware, Policy | Event | False | Reports malware being sent from local hosts.
Default-Rule-Malware: Treat Key Loggers as Offenses | Malware | Event | False | Enable this rule if you want all events categorized as key loggers to create offenses.
Default-Rule-Malware: Treat Non-Spyware Malware as Offenses | Malware | Event | False | Reports non-spyware malware events. Enable this rule if you want all events categorized as malware to create an offense.
Default-Rule-Malware: Treat Spyware and Virus as Offenses | Malware | Event | False | Reports spyware and virus events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.
Default-Rule-Network Definition: Local to Local | Network Definition | Event | True | Reports events that are considered Local-to-Local (L2L).
Default-Rule-Network Definition: Local to Remote | Network Definition | Event | True | Reports events that are considered Local-to-Remote (L2R).
Default-Rule-Network Definition: Remote to Local | Network Definition | Event | True | Reports events that are considered Remote-to-Local (R2L).
Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic | Policy | Event | False | Reports Instant Messenger traffic, or any event categorized as Instant Messenger traffic, where the source is local and the destination is remote.
Default-Rule-Policy: Create Offenses for All P2P Usage | Policy | Event | False | Reports P2P traffic or any event categorized as P2P.
Default-Rule-Policy: Create Offenses for All Policy Events | Policy, Compliance | Event | False | Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.
Default-Rule-Policy: Create Offenses for All Porn Usage | Policy | Event | False | Reports any traffic that contains illicit material or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.
Default-Rule-Policy: Host has SANS Top 20 Vulnerability | Policy | Event | False | Warns that the asset identified in an event has a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/).
Default-Rule-Policy: Local P2P Server Detected | Policy | Event | False | Reports local Peer-to-Peer (P2P) traffic, or any event categorized as P2P, where more than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.
Default-Rule-Policy: New Host Discovered | Policy | Event | False | Reports when a new host has been discovered on the network.
Default-Rule-Policy: New Host Discovered in DMZ | Authentication, Compliance | Event | False | Reports when a new host has been discovered in the DMZ.
Default-Rule-Policy: New Service Discovered | Policy | Event | False | Reports when an existing host has a newly discovered service.
Default-Rule-Policy: Potential Tunneling | Policy | Event | False | Identifies potential tunneling that can be used to bypass policy or security controls.
Default-Rule-Policy: New Service Discovered in DMZ | Authentication, Compliance | Event | False | Reports when a new service has been discovered in the DMZ.
Default-Rule-Policy: Upload to Local WebServer | Policy | Event | False | Reports potential file uploads to a local web server. To change what this rule matches, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block.
Default-Rule-Recon: Aggressive Local Scanner Detected | Recon | Event | True | Reports an aggressive scan from a local source IP address against other local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system.
Default-Rule-Recon: Aggressive Remote Scanner Detected | Recon | Event | True | Reports an aggressive scan from a remote source IP address against local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on a system.
Default-Rule-Recon: Excessive Firewall Denies From Local Host | Recon | Event | True | Reports excessive denied access attempts through the firewall from a local host: more than 40 denies across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Excessive Firewall Denies From Remote Host | Recon | Event | True | Reports excessive denied access attempts through the firewall from a remote host: more than 40 denies across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Host Port Scan Detected by Local Host | Recon | Event | True | Reports a single local source IP address scanning more than 50 ports in under 3 minutes.
Default-Rule-Recon: Host Port Scan Detected by Remote Host | Recon | Event | True | Reports a single remote source IP address scanning more than 50 ports in under 3 minutes.
Default-Rule-Recon: Increase Magnitude of High Rate Scans | Recon | Event | True | If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Increase Magnitude of Medium Rate Scans | Recon | Event | True | If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Local LDAP Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Database Scanner | Recon | Event | True | Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Local DHCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local FTP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Game Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local ICMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections using ICMP to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Local Mail Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local P2P Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Proxy Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local RPC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Scanner Detected | Recon | Event | True | Reports a scan from a local host against other local or remote targets. At least 60 hosts were scanned within 10 minutes using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Local SNMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local SSH Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Suspicious Probe Events Detected | Recon | Event | False | Reports various suspicious or reconnaissance events from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the targets.
Default-Rule-Recon: Local TCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local UDP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Web Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Scanner to Internet | Recon | Event | True | Reports a local source IP address attempting reconnaissance or suspicious connections more than 5 times, across more than 60 destination IP addresses, within 20 minutes.
Default-Rule-Recon: Local Windows Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports more than 5 times, across more than 200 destination IP addresses, within 20 minutes.
Default-Rule-Recon: Recon Followed by Accept | Recon | Event | False | Adds an additional event to the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.
Default-Rule-Recon: Remote Database Scanner | Recon | Event | True | Reports a scan from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote DHCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote DNS Scanner | Recon | Event | True | Reports a remote source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote FTP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Game Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote ICMP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections using ICMP to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote IM Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote IRC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Remote LDAP Server Scanner | Recon | Event | True | Reports a scan from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote Mail Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote P2P Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Proxy Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote RPC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Scanner Detected | Recon | Event | True | Reports a scan from a remote host against local or remote targets. At least 60 hosts were scanned within 20 minutes using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Remote SNMP Scanner | Recon | Event | True | Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote SSH Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Suspicious Probe Events Detected | Recon | Event | False | Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the targets.
Default-Rule-Recon: Remote TCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote UDP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Web Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Windows Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Single Merged Recon Events | Recon | Event | True | Reports merged reconnaissance events generated by some devices and causes all of them to create an offense. Add every device of this type, and its categories, to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.
Default-Rule-System-Notification | - | Event | True | Ensures that notification events are sent to the notification framework.
Default-Rule-System: 100% Accurate Events | System | Event | True | Creates an offense when an event matches a 100% accurate signature for a successful compromise.
Default-Rule-System: Critical System Events | System | Event | False | Reports when STRM detects a critical event.
Default-Rule-System: Device Stopped Sending Events | System | Event | False | Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add the devices you want to monitor.
Default-Rule-System: Host Based Failures | System | Event | False | Reports when STRM detects events that indicate failures within services or hardware.
Default-Rule-System: Load Building Blocks | System | Event | True | Loads the building blocks that must be evaluated to support reporting. This rule has no actions or responses.
Default-Rule-Recon: Multiple System Errors | System | Event | False | Reports when a source has 10 system errors within 3 minutes.
Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner | Compliance | Event | False | Reports when a vulnerability is discovered on a local host.
Default-Rule-Worms Detection: Local Mass Mailing Host Detected | Worms | Event | False | Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a mass mailing worm.
Default-Rule-Worms Detection: Possible Local Worm Detected | Worms | Event | True | Reports a local host generating reconnaissance or suspicious events across a large number of hosts (more than 300) in 20 minutes. This may indicate a worm on the network or a widespread scan.
Default-Rule-Worms Detection: Worm Detected (Events) | Worms | Event | True | Reports exploit or worm activity on a system for local-to-local or local-to-remote traffic.
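
Most of the Recon scanner rules above, the two Excessive Firewall Denies rules and Worms Detection: Local Mass Mailing Host Detected share one shape: count events from a single source inside a time window and fire once the count, and the number of distinct destinations or ports seen, reach a threshold. The Python below is an added example of that shape, written for this page rather than taken from STRM's rule engine. The local network definition, the category strings and the sample traffic are constructed assumptions; the thresholds and windows are the ones the rule descriptions state.

```python
"""Sliding-window threshold correlation in the shape of the Default-Rule-Recon scanner rules:
count matching events per source IP inside a time window and fire when both the event
count and the number of distinct values of one field reach a threshold.
Network definition, category names and events below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

# Assumed local address space (STRM takes this from its network hierarchy).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    category: str  # stand-in for the event category, e.g. "Firewall Deny"


@dataclass
class ThresholdRule:
    name: str
    match: Callable[[Event], bool]             # which events the rule counts
    distinct_field: Callable[[Event], object]  # field whose distinct values are counted
    min_events: int                            # fire when at least this many events ...
    min_distinct: int                          # ... spanning at least this many distinct values ...
    window: timedelta                          # ... fall inside this window for one source
    history: Dict[str, Deque[Tuple[datetime, object]]] = field(
        default_factory=lambda: defaultdict(deque))

    def feed(self, ev: Event) -> bool:
        """Record the event; return True if the source now meets both thresholds."""
        if not self.match(ev):
            return False
        q = self.history[ev.src]
        q.append((ev.ts, self.distinct_field(ev)))
        while q and ev.ts - q[0][0] > self.window:  # drop events older than the window
            q.popleft()
        distinct = {v for _, v in q}
        return len(q) >= self.min_events and len(distinct) >= self.min_distinct


def build_rules() -> List[ThresholdRule]:
    """Fresh rule instances: each rule carries per-source state, so build a new set per run."""
    return [
        # "more than 50 ports in under 3 minutes" from a remote source
        ThresholdRule("Recon: Host Port Scan Detected by Remote Host",
                      match=lambda e: e.category == "Port Scan" and not is_local(e.src),
                      distinct_field=lambda e: e.dst_port,
                      min_events=51, min_distinct=51, window=timedelta(minutes=3)),
        # "more than 40 attempts across at least 40 destination IP addresses in 5 minutes"
        ThresholdRule("Recon: Excessive Firewall Denies From Remote Host",
                      match=lambda e: e.category == "Firewall Deny" and not is_local(e.src),
                      distinct_field=lambda e: e.dst,
                      min_events=41, min_distinct=40, window=timedelta(minutes=5)),
        # "more than 20 SMTP flows in 1 minute" from a local host
        ThresholdRule("Worms Detection: Local Mass Mailing Host Detected",
                      match=lambda e: e.category == "SMTP" and is_local(e.src),
                      distinct_field=lambda e: e.dst,
                      min_events=21, min_distinct=1, window=timedelta(minutes=1)),
    ]


def run(events: List[Event], rules: Optional[List[ThresholdRule]] = None) -> List[Tuple[str, str, datetime]]:
    """Feed events in time order; report (rule, source, first firing time) once per rule and source."""
    rules = build_rules() if rules is None else rules
    fired: List[Tuple[str, str, datetime]] = []
    seen: Set[Tuple[str, str]] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            if rule.feed(ev) and (rule.name, ev.src) not in seen:
                seen.add((rule.name, ev.src))
                fired.append((rule.name, ev.src, ev.ts))
    return fired


def sample_events() -> List[Event]:
    """Constructed traffic: a fast scanner, a slow scanner, a sweeping remote host, a local spam relay."""
    t0 = datetime(2008, 10, 1, 9, 0, 0)
    evs: List[Event] = []
    for i in range(60):  # 60 ports in 2 minutes: fires at the 51st port
        evs.append(Event(t0 + timedelta(seconds=2 * i), "203.0.113.5", "10.1.1.20", 1000 + i, "Port Scan"))
    for i in range(60):  # 60 ports over 6 minutes: never more than 31 inside any 3-minute window
        evs.append(Event(t0 + timedelta(seconds=6 * i), "198.51.100.9", "10.1.1.21", 2000 + i, "Port Scan"))
    for i in range(45):  # denied to 45 internal hosts in under 4 minutes
        evs.append(Event(t0 + timedelta(seconds=5 * i), "203.0.113.7", f"10.1.2.{i + 1}", 445, "Firewall Deny"))
    for i in range(25):  # 25 SMTP flows in 48 seconds
        evs.append(Event(t0 + timedelta(seconds=2 * i), "10.1.3.4", f"192.0.2.{i + 1}", 25, "SMTP"))
    return evs
```

The "Local" variants of these rules differ only in the is_local test on the source, and the slow scanner in the sample shows why the window matters: sixty probes that never put more than 31 ports inside any three-minute span stay below the threshold, which is the same blind spot a patient attacker relies on against the real rule.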

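
Exploit: Recon followed by Exploit, Attack followed by Attack Response, Exploits Followed by Firewall Accepts and Potential VoIP Toll Fraud are sequence rules rather than counters: a second-stage event only matters when qualifying first-stage events from the same source preceded it within a window. The Python below is an added example of that stateful matching, not STRM code. Event categories and traffic are constructed, and reading "at least 3 events within 30 seconds" as three failed logins followed by a session open inside 30 seconds is this example's interpretation of the rule text.

```python
"""Stateful "A followed by B" correlation, in the style of the Default-Rule-Exploit
sequence rules. Each rule remembers qualifying first-stage events per key and fires
when a second-stage event with the same key arrives inside the window.
All events below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    category: str  # "Recon", "Exploit", "VoIP Auth Failure", "VoIP Session Opened", ...


@dataclass
class SequenceRule:
    name: str
    first: Callable[[Event], bool]   # first-stage events to remember
    then: Callable[[Event], bool]    # second-stage event that completes the sequence
    key: Callable[[Event], tuple]    # fields that must match across both stages
    min_first: int                   # how many first-stage events must precede the second
    window: timedelta                # maximum age of a first-stage event when the second arrives
    pending: Dict[tuple, Deque[datetime]] = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev: Event) -> bool:
        k = self.key(ev)
        if self.first(ev):
            self.pending[k].append(ev.ts)
            return False
        if not self.then(ev):
            return False
        q = self.pending[k]
        while q and ev.ts - q[0] > self.window:  # forget first-stage events that are too old
            q.popleft()
        if len(q) >= self.min_first:
            q.clear()  # one hit per completed sequence
            return True
        return False


def build_rules() -> List[SequenceRule]:
    """Fresh rule instances; each carries per-key state."""
    return [
        # "Recon followed by Exploit": same source and same destination port within 1 hour.
        SequenceRule("Exploit: Recon followed by Exploit",
                     first=lambda e: e.category == "Recon",
                     then=lambda e: e.category == "Exploit",
                     key=lambda e: (e.src, e.dst_port),
                     min_first=1, window=timedelta(hours=1)),
        # "Potential VoIP Toll Fraud": three failed logins then a session open, all inside
        # 30 seconds (this example's reading of "at least 3 events within 30 seconds").
        SequenceRule("Exploit: Potential VoIP Toll Fraud",
                     first=lambda e: e.category == "VoIP Auth Failure",
                     then=lambda e: e.category == "VoIP Session Opened",
                     key=lambda e: (e.src, e.dst),
                     min_first=3, window=timedelta(seconds=30)),
    ]


def run(events: List[Event], rules: Optional[List[SequenceRule]] = None) -> List[Tuple[str, str, str, int]]:
    """Feed events in time order; return (rule, src, dst, dst_port) for each completed sequence."""
    rules = build_rules() if rules is None else rules
    hits: List[Tuple[str, str, str, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            if rule.feed(ev):
                hits.append((rule.name, ev.src, ev.dst, ev.dst_port))
    return hits


def sample_events() -> List[Event]:
    """Constructed traffic covering a hit, an expired window, a missing first stage and a slow brute force."""
    t0 = datetime(2008, 10, 1, 9, 0, 0)

    def s(sec: int) -> datetime:
        return t0 + timedelta(seconds=sec)

    return [
        # recon on 445, exploit on 445 thirty minutes later -> fires
        Event(s(0), "203.0.113.5", "10.1.1.20", 445, "Recon"),
        Event(s(1800), "203.0.113.5", "10.1.1.20", 445, "Exploit"),
        # recon on 22, exploit on 22 ninety minutes later -> outside the 1-hour window
        Event(s(0), "203.0.113.6", "10.1.1.21", 22, "Recon"),
        Event(s(5400), "203.0.113.6", "10.1.1.21", 22, "Exploit"),
        # exploit with no preceding recon from that source -> no hit
        Event(s(60), "203.0.113.9", "10.1.1.22", 80, "Exploit"),
        # three failures in 10 s, then a session 10 s later -> toll fraud fires
        Event(s(100), "198.51.100.4", "10.1.5.10", 5060, "VoIP Auth Failure"),
        Event(s(105), "198.51.100.4", "10.1.5.10", 5060, "VoIP Auth Failure"),
        Event(s(110), "198.51.100.4", "10.1.5.10", 5060, "VoIP Auth Failure"),
        Event(s(120), "198.51.100.4", "10.1.5.10", 5060, "VoIP Session Opened"),
        # three failures spread over two minutes -> only one is still inside 30 s, no hit
        Event(s(200), "198.51.100.8", "10.1.5.10", 5060, "VoIP Auth Failure"),
        Event(s(260), "198.51.100.8", "10.1.5.10", 5060, "VoIP Auth Failure"),
        Event(s(320), "198.51.100.8", "10.1.5.10", 5060, "VoIP Auth Failure"),
        Event(s(330), "198.51.100.8", "10.1.5.10", 5060, "VoIP Session Opened"),
    ]
```

The key function is what makes a sequence rule precise: Recon followed by Exploit keys on (source, destination port), so an exploit against a port the source never probed does not match, while the VoIP rule keys on (source, VoIP device). Exploits Followed by Firewall Accepts and Attack followed by Attack Response fit the same SequenceRule with different category predicates.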


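
The three Network Definition rules (L2L, L2R, R2L) tag every event by direction, and Policy: Upload to Local WebServer depends on that tag through the building block described under Default-BB-CategoryDefinition: Upload to Local WebServer in Table C-10: a PUT from a remote host to a local web server. The example below, added here and not part of STRM, parses constructed Apache-style access log lines, tags their direction, applies the category building block, then applies a false-positive building block in the sense of the False Positive Rules and Building Blocks rule (matching events are kept but create no offense). The local networks, the web-server host list and the sanctioned WebDAV host are assumed values standing in for the network hierarchy, a host-definition block and a false-positive block.

```python
"""Network-definition direction tagging plus the "Upload to Local WebServer" check,
with a false-positive building block applied before an offense is raised.
Log lines and address lists are constructed for this example.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed local address space (in STRM this comes from the network hierarchy).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Stand-in for a host-definition building block listing the local web servers (assumed values).
WEB_SERVERS = {"10.1.1.80", "10.1.1.81"}
# Stand-in for a false-positive building block: (server, method) pairs that are sanctioned,
# here a WebDAV host where PUT is expected (assumed value).
FALSE_POSITIVE_PUT = {("10.1.1.81", "PUT")}

# Apache/NCSA common log format: client, identd, user, [time], "METHOD path version", status
ACCESS_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


@dataclass
class Event:
    src: str
    dst: str
    method: str
    path: str
    status: int
    direction: str  # L2L, L2R, R2L or R2R


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def direction(src: str, dst: str) -> str:
    """The Default-Rule-Network Definition rules: Local-to-Local, Local-to-Remote, Remote-to-Local."""
    return ("L" if is_local(src) else "R") + "2" + ("L" if is_local(dst) else "R")


def parse_access_log(server_ip: str, line: str) -> Event:
    """Parse one access log line written by the named server; reject anything unparsable."""
    m = ACCESS_LOG.match(line)
    if not m:
        raise ValueError(f"unparsable access log line: {line!r}")
    src = m.group("src")
    return Event(src, server_ip, m.group("method"), m.group("path"),
                 int(m.group("status")), direction(src, server_ip))


def bb_upload_to_local_webserver(ev: Event) -> bool:
    """Category-definition building block: a remote host used PUT against a local web server."""
    return ev.method == "PUT" and ev.direction == "R2L" and ev.dst in WEB_SERVERS


def bb_false_positive(ev: Event) -> bool:
    """False-positive building block: known-good combinations are stored but never become offenses."""
    return (ev.dst, ev.method) in FALSE_POSITIVE_PUT


def evaluate(logs: Dict[str, List[str]]) -> Tuple[List[Tuple[str, str, str]], int]:
    """Return (offenses as (src, dst, path), number of matches dropped as false positives)."""
    offenses: List[Tuple[str, str, str]] = []
    dropped = 0
    for server_ip, lines in logs.items():
        for line in lines:
            ev = parse_access_log(server_ip, line)
            if not bb_upload_to_local_webserver(ev):
                continue
            if bb_false_positive(ev):
                dropped += 1  # the event stays in storage, but no offense is created
                continue
            offenses.append((ev.src, ev.dst, ev.path))
    return offenses, dropped


# Constructed sample logs, keyed by the web server that produced them.
SAMPLE_LOGS = {
    "10.1.1.80": [
        '203.0.113.8 - - [01/Oct/2008:09:12:01 +0000] "PUT /uploads/cmd.php HTTP/1.1" 201 0',
        '10.1.1.30 - - [01/Oct/2008:09:12:05 +0000] "PUT /uploads/report.doc HTTP/1.1" 204 0',
        '203.0.113.9 - - [01/Oct/2008:09:12:09 +0000] "GET /index.html HTTP/1.1" 200 5120',
    ],
    "10.1.1.81": [
        '198.51.100.3 - - [01/Oct/2008:09:12:15 +0000] "PUT /dav/notes.txt HTTP/1.1" 204 0',
    ],
}
```

Of the four sample lines only the remote PUT to 10.1.1.80 becomes an offense: the local PUT is L2L and outside the building block, the GET does not match the method, and the remote PUT to the WebDAV host matches the block but is dropped by the false-positive entry. Duplicating the category block for other methods, or for local hosts using PUT against remote servers, is a matter of changing the method set and the direction test.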

Default Building Blocks

Default building blocks for the University template include:

Table C-10 Default Building Blocks

Building Block | Group | Type | Description | Associated Building Blocks, if applicable
Default-BB-BehaviorDefinition: Post Compromise Activities | Category Definitions | Event | Edit this BB to include the event categories considered part of the activity seen after a typical compromise. | -
Default-BB-CategoryDefinition: Authentication Failures | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate an unsuccessful attempt to access the network. | -
Default-BB-CategoryDefinition: Authentication Success | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a successful attempt to access the network. | -
Default-BB-CategoryDefinition: Authentication to Disabled Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a failed attempt to access the network using a disabled account. | -
Default-BB-CategoryDefinition: Authentication to Expired Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a failed attempt to access the network using an expired account. | -
Default-BB-CategoryDefinition: Authentication User or Group Added or Changed | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a modification to accounts or groups. | -
Default-BB-CategoryDefinition: Countries with no Remote Access | Category Definitions | Event | Edit this BB to include any geographic location that would not normally be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule. | -
Default-BB-CategoryDefinition: Database Connections | Category Definitions | Event | Edit this BB to define successful logins to databases. You may need to add additional device types to this BB. | -
Default-BB-CategoryDefinition: DDoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to treat as a DDoS attack. | -
Default-BB-CategoryDefinition: Exploits, Backdoors, and Trojans | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. | -
Default-BB-CategoryDefinition: Failure Service or Hardware | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a failure within a service or hardware. | -
Default-BB-CategoryDefinition: Firewall or ACL Accept | Category Definitions | Event | Edit this BB to include all events that indicate a firewall or ACL accept. | -
Default-BB-CategoryDefinition: Firewall or ACL Denies | Category Definitions | Event | Edit this BB to include all events that indicate a firewall or ACL deny. | -
Default-BB-CategoryDefinition: Firewall System Errors | Category Definitions | Event | Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies to events detected by one or more of the following devices: CheckPoint, Generic Firewall, Iptables, NetScreen Firewall, Cisco Pix. | -
Default-BB-CategoryDefinition: Flow Events | Category Definitions | Event | Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine. | -
Default-BB-CategoryDefinition: High Magnitude Events | Category Definitions | Event | Edit this BB to set the severity, credibility, and relevance levels at which an event is treated as high magnitude. The defaults are Severity = 6, Credibility = 7, Relevance = 7. | -
Default-BB-CategoryDefinition: KeyLoggers | Category Definitions | Event | Edit this BB to include all events that indicate key logger activity. | -
Default-BB-CategoryDefinition: Mail Policy Violation | Category Definitions, Compliance | Event | Edit this BB to define mail policy violations. | -
Default-BB-CategoryDefinition: Malware Annoyances | Category Definitions | Event | Edit this BB to include event categories that are typically associated with spyware infections. | -
Default-BB-CategoryDefinition: Network DoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to treat as a network DoS attack. | -
Default-BB-CategoryDefinition: Policy Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that may indicate a violation of network policy. | -
Default-BB-CategoryDefinition: Post Exploit Account Activity | Category Definitions | Event | Edit this BB to include all event categories that may indicate account activity following an exploit. | -
Default-BB-CategoryDefinition: Rate Analysis Marked Events | Category Definitions | Event | STRM monitors the event rates of all source IP address/QID and destination IP address/QID combinations and marks events that exhibit abnormal rate behavior. Edit this BB to include events marked by rate analysis. | -
Default-BB-CategoryDefinition: Recon Events | Category Definitions | Event | Edit this BB to include all events that indicate reconnaissance activity. | -
Default-BB-CategoryDefinition: Service DoS | Category Definitions | Event | Edit this BB to define Denial of Service (DoS) attack events. | -
Default-BB-CategoryDefinition: Suspicious Events | Category Definitions | Event | Edit this BB to include all events that indicate suspicious activity. | -
Default-BB-CategoryDefinition: System Configuration | Category Definitions, Malware | Event | Edit this BB to define system configuration events. | -
Default-BB-CategoryDefinition: Upload to Local WebServer | Category Definitions | Event | Most networks are configured to restrict use of the PUT method on their web application servers. This BB detects a remote host using the PUT method against a local server. The BB can be duplicated to detect other unwanted methods, or local hosts using the method against remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule. | -
Default-BB-CategoryDefinition: VoIP Authentication Failure Events | Category Definitions | Event | Edit this BB to include all events that indicate a VoIP login failure. | -
Default-BB-CategoryDefinition: VoIP Session Opened | Category Definitions | Event | Edit this BB to include all events that indicate the start of a VoIP session. | -
Default-BB-CategoryDefinition: Windows Compliance Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that indicate compliance events. | -
Default-BB-CategoryDefinition: Worm Events | Category Definitions | Event | Edit this BB to define worm events. This BB applies only to events not detected by a custom rule. | -
Default-BB-ComplianceDefinition: GLBA Servers | Compliance, Host Definitions | Event | Edit this BB to include your GLBA systems. You must then apply this BB to rules related to failed logins, remote access, and so on. | -
Default-BB-ComplianceDefinition: HIPAA Servers | Compliance, Host Definitions | Event | Edit this BB to include your HIPAA servers by IP address. You must then apply this BB to rules related to failed logins, remote access, and so on. | -
Default-BB-ComplianceDefinition: SOX Servers | Compliance, Host Definitions | Event | Edit this BB to include your SOX servers by IP address. You must then apply this BB to rules related to failed logins, remote access, and so on. | -
Default-BB-ComplianceDefinition: PCI DSS Servers | Compliance, Host Definitions, Response | Event | Edit this BB to include your PCI DSS servers by IP address. You must then apply this BB to rules related to failed logins, remote access, and so on. | -
Default-BB-Database: System Action Allow | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate successful actions within a database. | -
Default-BB-Database: System action Deny | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate unsuccessful actions within a database. | -
Default-BB-Database: User Addition or Change | Category Definitions, Compliance | Event | Edit this BB to include events that indicate the successful addition or change of user privileges. | -
Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates | Category Definitions | Event | Edit this BB to include the devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates rule. | -
Default-BB-FalseNegative: Events That Indicate Successful Compromise | False Positive | Event | Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy. | -
Default-BB-FalsePositive: All Default False Positive Building Blocks | False Positive | Event | Edit this BB to include all false positive building blocks. | All Default-BB-FalsePositive building blocks
Default-BB-FalsePositive: Broadcast Address False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the broadcast address space. | -
Default-BB-FalsePositive: Database Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the database servers defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers
Default-BB-FalsePositive: Database Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from the database servers defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers
Default-BB-FalsePositive: Device and Specific Event | False Positive | Event | Edit this BB to include the devices, and the QIDs from those devices, that continually generate false positives. | -
Default-BB-FalsePositive: DHCP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the DHCP servers defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers
Default-BB-FalsePositive: DHCP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from the DHCP servers defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers
Default-BB-FalsePositive: DNS Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the DNS servers defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers
Default-BB-FalsePositive: DNS Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from the DNS servers defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers
Default-BB-FalsePositive: Firewall Deny False Positive Events | False Positive | Event | Edit this BB to define firewall deny events that are false positives. | -
Default-BB-FalsePositive: FTP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the FTP servers defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers
STRM Administration Guide


Default-BB-FalsePositive: FTP False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers
Default-BB-FalsePositive: Global False Positive Events | False Positive | Event | Edit this BB to include any event QIDs that you want to ignore. |
Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers. |
Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers. |
Default-BB-FalsePositive: LDAP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers
Default-BB-FalsePositive: LDAP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers
Default-BB-FalsePositive: Large Volume Local FW Events | False Positive | Event | Edit this BB to define specific events that can create a large volume of false positives in general rules. |
Default-BB-FalsePositive: Mail Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers
Default-BB-FalsePositive: Mail Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers
Default-BB-FalsePositive: Network Management Servers Recon | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block. | Default-BB-HostDefinition: Network Management Servers
Default-BB-FalsePositive: Proxy Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers
Default-BB-FalsePositive: Proxy Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers
Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers. |
Default-BB-FalsePositive: RPC Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers
Default-BB-FalsePositive: RPC Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers
Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers
Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers
Default-BB-FalsePositive: Source IP and Specific Event | False Positive | Event | Edit this BB to include source IP addresses or specific events that you want to remove. |
Default-BB-FalsePositive: SSH Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: SSH Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: Syslog Sender False Positive Categories | False Positive | Event | Edit this BB to define all false positive categories that occur to or from syslog sources. | Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Syslog Sender False Positive Events | False Positive | Event | Edit this BB to define all false positive events that occur to or from syslog sources or destinations. | Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Virus Definition Update Categories | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block. | Default-BB-HostDefinition: Virus Definition
Default-BB-FalsePositive: Web Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers
Default-BB-FalsePositive: Web Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers
Default-BB-FalsePositive: Windows Server False Positive Categories Local | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers
Default-BB-FalsePositive: Windows Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers
Default-BB-HostBased: Critical Events | Category Definitions, Compliance | Event | Edit this BB to define event categories that indicate critical events. |
Default-BB-HostDefinition: Database Servers | Host Definitions | Event | Edit this BB to define typical database servers. | Default-BB-FalsePositive: Database Server False Positive Categories; Default-BB-FalsePositive: Database Server False Positive Events
Default-BB-HostDefinition: DHCP Servers | Host Definitions | Event | Edit this BB to define typical DHCP servers. | Default-BB-FalsePositive: DHCP Server False Positive Categories; Default-BB-FalsePositive: DHCP Server False Positive Events
Default-BB-HostDefinition: DNS Servers | Host Definitions | Event | Edit this BB to define typical DNS servers. | Default-BB-FalsePositive: DNS Server False Positive Categories; Default-BB-FalsePositive: DNS Server False Positive Events
Default-BB-HostDefinition: FTP Servers | Host Definitions | Event | Edit this BB to define typical FTP servers. | Default-BB-FalsePositive: FTP Server False Positive Categories; Default-BB-FalsePositive: FTP Server False Positive Events
Default-BB-HostDefinition: Host with Port Open | Host Definitions | Event | Edit this BB to include a host and port that is actively or passively seen. |
Default-BB-HostDefinition: LDAP Servers | Host Definitions | Event | Edit this BB to define typical LDAP servers. | Default-BB-FalsePositive: LDAP Server False Positive Categories; Default-BB-FalsePositive: LDAP Server False Positive Events
Default-BB-HostDefinition: Mail Servers | Host Definitions | Event | Edit this BB to define typical mail servers. | Default-BB-FalsePositive: Mail Server False Positive Categories; Default-BB-FalsePositive: Mail Server False Positive Events
Default-BB-HostDefinition: Network Management Servers | Host Definitions | Event | Edit this BB to define typical network management servers. |
Default-BB-HostDefinition: Proxy Servers | Host Definitions | Event | Edit this BB to define typical proxy servers. | Default-BB-FalsePositive: Proxy Server False Positive Categories; Default-BB-FalsePositive: Proxy Server False Positive Events
Default-BB-HostDefinition: RPC Servers | Host Definitions | Event | Edit this BB to define typical RPC servers. | Default-BB-FalsePositive: RPC Server False Positive Categories; Default-BB-FalsePositive: RPC Server False Positive Events
Default-BB-HostDefinition: Servers | Host Definitions | Event | Edit this BB to define generic servers. |
Default-BB-HostDefinition: SNMP Sender or Receiver | Host Definitions | Event | Edit this BB to define SNMP senders or receivers. | Default-BB-PortDefinition: SNMP Ports
Default-BB-HostDefinition: SSH Servers | Host Definitions | Event | Edit this BB to define typical SSH servers. | Default-BB-FalsePositive: SSH Server False Positive Categories; Default-BB-FalsePositive: SSH Server False Positive Events
Default-BB-HostDefinition: Syslog Servers and Senders | Host Definitions | Event | Edit this BB to define typical hosts that send or receive syslog traffic. | Default-BB-FalsePositive: Syslog Server False Positive Categories; Default-BB-FalsePositive: Syslog Server False Positive Events
Default-BB-HostDefinition: VA Scanner Source IP | Host Definitions | Event | Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2. |
Default-BB-HostDefinition: Virus Definition and Other Update Servers | Host Definitions | Event | Edit this BB to include all servers that provide virus protection and update functions. |
Default-BB-HostDefinition: VoIP IP PBX Server | Host Definitions | Event | Edit this BB to define typical VoIP IP PBX servers. |
Default-BB-HostDefinition: Web Servers | Host Definitions | Event | Edit this BB to define typical web servers. | Default-BB-FalsePositive: Web Server False Positive Categories; Default-BB-FalsePositive: Web Server False Positive Events
Default-BB-HostDefinition: Windows Servers | Host Definitions | Event | Edit this BB to define typical Windows servers, such as domain controllers or Exchange servers. | Default-BB-FalsePositive: Windows Server False Positive Categories; Default-BB-FalsePositive: Windows Server False Positive Events
Default-BB-NetworkDefinition: Broadcast Address Space | Network Definition | Event | Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages. |
Default-BB-NetworkDefinition: Client Networks | Network Definition | Event | Edit this BB to include all networks that contain client hosts. |
Default-BB-NetworkDefinition: Darknet Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a darknet list. |
Default-BB-NetworkDefinition: DLP Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a data loss prevention (DLP) list. |
Default-BB-NetworkDefinition: Honeypot like Addresses | Network Definition | Event | Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access. |
Default-BB-NetworkDefinition: NAT Address Range | Network Definition | Event | Edit this BB to define the typical Network Address Translation (NAT) range you want to use in your deployment. |
Default-BB-NetworkDefinition: Server Networks | Network Definition | Event | Edit this BB to include the networks where your servers are located. |
Default-BB-NetworkDefinition: Undefined IP Space | Network Definition | Event | Edit this BB to include areas of your network that do not contain any valid hosts. |
Default-BB-NetworkDefinition: Watch List Addresses | Network Definition | Event | Edit this BB to include networks that should be added to a watch list. |
Default-BB-Policy: Application Policy Violation Events | Policy | Event | Edit this BB to define policy application and violation events. |
Default-BB-Policy: IRC/IM Connection Violations | Policy | Event | Edit this BB to define all policy IRC/IM connection violations. |
Default-BB-Policy: P2P | Policy | Event | Edit this BB to include all events that indicate Peer-to-Peer (P2P) events. |
Default-BB-PortDefinition: Database Ports | Port\Protocol Definition | Event | Edit this BB to include all common database ports. |
Default-BB-PortDefinition: DHCP Ports | Port\Protocol Definition | Event | Edit this BB to include all common DHCP ports. |
Default-BB-PortDefinition: DNS Ports | Port\Protocol Definition | Event | Edit this BB to include all common DNS ports. |
Default-BB-PortDefinition: FTP Ports | Port\Protocol Definition | Event | Edit this BB to include all common FTP ports. |
Default-BB-PortDefinition: Game Server Ports | Port\Protocol Definition | Event | Edit this BB to include all common game server ports. |
Default-BB-PortDefinition: IM Ports | Compliance, Port\Protocol Definition | Event | Edit this BB to include all common IM ports. |
Default-BB-PortDefinition: IRC Ports | Port\Protocol Definition | Event | Edit this BB to include all common IRC ports. |
Default-BB-PortDefinition: LDAP Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by LDAP servers. |
Default-BB-PortDefinition: Mail Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by mail servers. |
Default-BB-PortDefinition: P2P Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers. |
Default-BB-PortDefinition: Proxy Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by proxy servers. |
Default-BB-PortDefinition: RPC Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by RPC servers. |
Default-BB-PortDefinition: SNMP Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by SNMP servers. |
Default-BB-PortDefinition: SSH Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by SSH servers. |
Default-BB-PortDefinition: Syslog Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by syslog servers. |
Default-BB-PortDefinition: Web Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by web servers. |
Default-BB-PortDefinition: Windows Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Windows servers. |
Default-BB-ProtocolDefinition: Windows Protocols | Port\Protocol Definition | Event | Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored by the false positive tuning rules. |
Default-BB-ReconDetected: All Recon Rules | Recon | Event | Define all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed, for example, reconnaissance followed by firewall accept. |
Default-BB-ReconDetected: Devices That Merge Recon into Single Event | Recon | Event | Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses. |
Default-BB-ReconDetected: Host Port Scan | Recon | Event | Edit this BB to define reconnaissance scans on hosts in your deployment. |
Default-BB-ReconDetected: Port Scan Detected Across Multiple Hosts | Recon | Event | Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If internal, this may indicate an exploited machine or a worm scanning for targets. |
User-BB-FalsePositive: User Defined False Positives Tunings | User Tuning | Event | This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide. |
User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block. | User-BB-HostDefinition: User Defined Server Type 1
User-BB-FalsePositive: User Defined Server Type 1 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block. | User-BB-HostDefinition: User Defined Server Type 1
User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block. | User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 2 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block. | User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block. | User-BB-HostDefinition: User Defined Server Type 3
User-BB-FalsePositive: User Defined Server Type 3 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block. | User-BB-HostDefinition: User Defined Server Type 3
User-BB-HostDefinition: User Defined Server Type 1 | User Tuning | Event | Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 1 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 1 False Positive Events
User-BB-HostDefinition: User Defined Server Type 2 | User Tuning | Event | Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 2 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 2 False Positive Events
User-BB-HostDefinition: User Defined Server Type 3 | User Tuning | Event | Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 3 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 3 False Positive Events


D VIEWING AUDIT LOGS

Changes made by STRM users are recorded in the audit logs. You can view the
audit logs to monitor changes to STRM and the users performing those changes.

All audit logs are stored in plain text and are archived and compressed once the
audit log file reaches a size of 200 MB. The current log file is named audit.log.
Once the file reaches a size of 200 MB, it is compressed and renamed audit.1.gz,
audit.2.gz, and so on, with the file number incrementing each time a log file is
archived. STRM stores up to 50 archived log files.

This appendix provides information on using the audit logs, including:

• Logged Actions
• Viewing the Log File

Logged Actions

STRM logs the following categories of actions in the audit log file:

Table D-1 Logged Actions

User Authentication
  Log in to STRM.
  Log out of STRM.
Administrator Authentication
  Log in to the STRM Administration Console.
  Log out of the STRM Administration Console.
Session Authentication
  Create a new administration session.
  Terminate an administration session.
  Deny an invalid authentication session.
  Expire a session authentication.
  Create an authentication session.
  Terminate an authentication session.

User Authentication
  Deny a login attempt.
Ariel
  Add an Ariel property.
  Delete an Ariel property.
  Edit an Ariel property.
  Add an Ariel property extension.
  Delete an Ariel property extension.
  Edit an Ariel property extension.
Root Login
  Log in to STRM as root.
  Log out of STRM as root.
Rules
  Add a rule.
  Delete a rule.
  Edit a rule.
Sentry
  Add a sentry.
  Edit a sentry.
  Delete a sentry.
  Edit a sentry package.
  Edit sentry logic.
User Accounts
  Add an account.
  Edit an account.
  Delete an account.
User Roles
  Add a role.
  Edit a role.
  Delete a role.
Sensor Devices
  Add a sensor device.
  Edit a sensor device.
  Delete a sensor device.
  Add a sensor device group.
  Edit a sensor device group.
  Delete a sensor device group.
  Edit the DSM parsing order.
Sensor Device Extension
  Add a sensor device extension.
  Edit the sensor device extension.
  Delete a sensor device extension.
  Upload a sensor device extension.
  Upload a sensor device extension successfully.
  Upload an invalid sensor device extension.
  Download a sensor device extension.
  Report a sensor device extension.
  Modify a sensor device's association to a device or device type.
Protocol Configuration
  Add a protocol configuration.
  Delete a protocol configuration.
  Edit a protocol configuration.
Flow Sources
  Add a flow source.
  Edit a flow source.
  Delete a flow source.
Offense Manager
  Hide an offense.
  Close an offense.
  Close all offenses.
TNC Recommendations
  Create a recommendation.
  Edit a recommendation.
  Delete a recommendation.
Syslog Forwarding
  Add a syslog forwarding.
  Delete a syslog forwarding.
  Edit a syslog forwarding.
Reports
  Add a template.
  Delete a template.
  Edit a template.
  Execute a template.
  Delete a report.
Groups
  Add a group.
  Delete a group.
  Edit a group.
Backup and Recovery
  Edit the configuration.
  Initiate the backup.
  Complete the backup.
  Fail the backup.
  Delete the backup.
  Synchronize the backup.
  Cancel the backup.
  Initiate the restore.
  Upload a backup.
  Upload an invalid backup.
  Delete the backup.
  Purge the backup.
VIS
  Discover a new host.
  Discover a new operating system.
  Discover a new port.
  Discover a new vulnerability.
Scanner
  Add a scanner.
  Delete a scanner.
  Edit a scanner.
Scanner Schedule
  Add a schedule.
  Edit a schedule.
  Delete a schedule.
SIM
  Clean a SIM model.
Asset
  Delete all assets.
QIDmap
  Add a QID map entry.
  Edit a QID map entry.
Ariel Properties
  Add a custom event property.
  Edit a custom event property.
  Delete a custom property.
Ariel Property Extensions
  Add a custom event property expression.
  Edit a custom event property expression.
  Delete a custom event property expression.
Installation
  Install a .rpm package, such as a DSM update.
License
  Add a license key.
  Edit a license key.
Viewing the Log File

To view the audit logs:

Step 1 Log in to STRM as root.
Step 2 Go to the following directory:
/var/log/audit
Step 3 Open the desired audit log file.

Each entry in the log file is displayed in the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>

Note: The maximum size of any audit message (not including date, time, and host
name) is 1024 characters.

Where:
<date_time> is the date and time of the activity in the format: Month Date HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the Java thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a user record or an event rule.
For example (each entry occupies a single line in the file):

Nov 6 12:22:31 localhost.localdomain admin@10.100.100.15 (Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain jsam@10.100.100.15 (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, email=sam@q1labs.com, userrole=Admin
Nov 13 10:14:44 localhost.localdomain admin@10.100.45.61 (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource(name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
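The parser below is an added example, not code from the guide or from STRM: it reads entries in the format documented above, flags messages that hit the 1024-character limit, and picks out user-account changes that set the Admin role for review. The sample input repeats the guide's three example entries plus one constructed non-matching line; the AuditEntry field names and the helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented limit: an audit message (excluding date, time and host name) is at
# most 1024 characters, so a message of that length may have been cut off.
MAX_MESSAGE_LEN = 1024

# <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
AUDIT_LINE_RE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread_id>[^)]*)\) "
    r"\[(?P<category>[^\]]*)\] \[(?P<sub_category>[^\]]*)\] \[(?P<action>[^\]]*)\]"
    r"(?: (?P<payload>.*))?$"
)

# Sample log contents: the guide's own example entries (one per line) plus a
# constructed line that is not an audit entry, to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
Nov 6 12:22:31 localhost.localdomain admin@10.100.100.15 (Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain jsam@10.100.100.15 (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, email=sam@q1labs.com, userrole=Admin
Nov 13 10:14:44 localhost.localdomain admin@10.100.45.61 (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource(name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
this constructed line is not an audit entry and must be skipped
"""


@dataclass
class AuditEntry:
    date_time: str
    host: str
    user: str
    ip: str
    thread_id: str
    category: str
    sub_category: str
    action: str
    payload: Optional[str]
    possibly_truncated: bool  # message reached the 1024-character limit


def parse_audit_line(line: str) -> Optional[AuditEntry]:
    """Parse one audit.log entry; returns None for lines that do not match the format."""
    line = line.rstrip("\r\n")
    m = AUDIT_LINE_RE.match(line)
    if m is None:
        return None
    # The size limit applies to everything after the host name.
    message = line[m.end("host") + 1:]
    return AuditEntry(
        date_time=m["date_time"], host=m["host"], user=m["user"], ip=m["ip"],
        thread_id=m["thread_id"], category=m["category"],
        sub_category=m["sub_category"], action=m["action"], payload=m["payload"],
        possibly_truncated=len(message) >= MAX_MESSAGE_LEN,
    )


def parse_audit_log(text: str) -> List[AuditEntry]:
    """Parse every well-formed entry in the contents of an audit log file."""
    entries = []
    for line in text.splitlines():
        entry = parse_audit_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def parse_kv_payload(payload: Optional[str]) -> Dict[str, str]:
    """Split a flat 'key=value, key=value' payload (such as a user record) into a dict.
    Nested payloads such as Flowsource(...) are not decoded here."""
    fields: Dict[str, str] = {}
    for item in (payload or "").split(", "):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def admin_account_changes(entries: List[AuditEntry]) -> List[Tuple[str, str]]:
    """Return (acting user, account name) for user-account changes that set the Admin
    role: the entries a reviewer would check against an approved change request."""
    found = []
    for e in entries:
        if e.category == "Configuration" and e.sub_category == "User Account":
            fields = parse_kv_payload(e.payload)
            if fields.get("userrole") == "Admin":
                found.append((e.user, fields.get("username", "")))
    return found


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in parsed:
        print(f"{e.date_time} {e.user}@{e.ip} {e.category}/{e.sub_category}/{e.action}")
    for actor, account in admin_account_changes(parsed):
        print(f"review: {actor} set the Admin role on account {account}")
```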



A
administration console
about 127
accessing 128
using 128
administrative e-mail address 37
administrator role 5
Ariel database settings 39
alert directory 40
alert e-mail from address 37
Ariel database 115
asset management role 6
asset profile reporting interval 37
asset profile view 37
asymmetric flows 106, 121
audience 1
audit log 37
viewing 341
authentication
configuring 13
LDAP 13
RADIUS 12
system 12
TACACS 13
user 12
authorized services 51
adding 52
revoking 53
token 51
viewing 51
auto detection 99, 113
automatic update
about 34
on demand 36
scheduling 34
B
backup and recovery 55
branch filtering 106, 109
building blocks
about 181
editing 220
C
changes
deploying 129
Classification Engine 107

configuring 107
coalescing events 38
command line max matched results 39
components 97
connecting 71
connecting deployments 72
console
settings 45
content capture 98
content filter 105
conventions 1
Custom Views
about 167
Attacker Target Analysis Group 254, 302
creating 168
editing 176
equation
editing 177
equation editor 170
IP Tracking 249, 297
managing 167
operators
editing 178
Policy Violations Group 256, 304
Target Analysis Group 255, 303
Threats Group 250, 298
customer support
contacting 2
D
database settings 38
database storage location 38
delete root mail 37
deploying changes 129
deployment editor 63
about 63
accessing 65
creating your deployment 67
event view 75
flow view 68
preferences 68
requirements 67
system view 82
toolbar 66
using 65
deployment STRM components 97

deployments
connecting 72
device access 20
device management 23
discover servers 223
dynamic custom view deploy interval 38
E
element types 171
enabling and disabling views 178
encryption 72, 75, 80, 81, 83
enterprise template 241
building blocks
default 273, 321
rules
default 259
equation editor 170
element type 171
equations
editing 177
elements 146
objects 146
Event Collector
about 75
configuring 112
Event Processor
about 75
configuring 113
event rule 182
about 182
date/time tests 208
device tests 209
event property tests 195
host profile tests 205
IP/port tests 198
network property tests 193
test 193
event view
about 64
adding components 77
building 75
connecting components 79
renaming components 82
event viewer role 6
external flow sources 117

F
firewall access 20
flow configuration 120
Flow Processor
configuring 101
flow source
about 117
adding 120
alias 124
adding 125
deleting 126
editing 125
deleting 124
editing 122
enabling/disabling 123
external 117
internal 117
managing 117
virtual name 124
flow view
about 64
adding components 69
building 68
components 69, 72, 79
connecting components 71
renaming components 75
Flow Writer
configuring 111
flowlog file 120
functions 181
G
global IPtables access 38
H
hashing
algorithm 40
event log 40
flow log 39
hlocal 137
host
adding 84
host context 64, 94
hremote 137
I
interface roles 23
internal flow sources 117
IP range conversion 105
J
JavaScript 142
J-Flow 119
L
LDAP/Active Directory 13
license key
exporting 19
managing 17
logic unit 131, 141
M
Magistrate
about 76
configuring 115
managed host
adding 84
assigning components 93
editing 86
removing 88
set-up 22
maximum real-time results 39
MIB 229
N
NAT
editing 90
enabling 88
removing 91
using with STRM 89
NetFlow 97, 117
Network Address Translation. See NAT
network hierarchy
creating 29
network surveillance role 7
network taps 97
network view graph retention period 38
NTP 27
O
offense management role 6
offense rule
about 182
date/time tests 211
device tests 212
host profile tests 210
IP/port tests 209
offense property tests 212
off-site source 73, 80
off-site target 73, 80
operators
editing 178
P
package 131, 138
creating 138
Packeteer 119
passwords
changing 24
pin 137
plocal 137
ports view 148
pount 137
Q
QFlow Collector
configuring 97
QFlow ID 98
R
RADIUS authentication 12
RDATE 25
recovery 55
reporting max matched results 39
reset SIM 19, 48
resolution interval length 37
restarting STRM 48
retention period
asset profile 39
attacker history 39
custom view 39
device log data 39
flow data 39
identity history 39
offense 38
views
group 38
object 38
role 3
administrator 5
asset management 6
creating 4
editing 8
event viewer 6
managing 3
network surveillance 7
offense management 6
reporting 7
rules 181
copying 215
creating 183
deleting 215
enabling/disabling 183
group 216
assigning 220
copying 218
create 216
deleting 220
editing 218
viewing 182
S
scripts
default sentry 40
list of sentry 40
sentry 131
about 131
database location 40
editing 133
enterprise
defaults 241
logic unit 131
creating 141
editing 144
package 131
creating 138
editing 140
managing 138
properties 40
response queue 40
university
defaults 289
variables 136
viewing 132
sentry database location 38
sentry layers 137
sentry settings 40
servers
discovering 223
services
authorized 51
sFlow 118
SIM
reset 19, 48
SNMP
embedded SNMP agent settings 42
SNMP agent
accessing 19
SNMP settings 41
source
off-site 72, 73, 79, 80
starting STRM 48
stopping STRM 48
storage 110
storage location
asset profile 39
device log 39
flow data 39
store event payload 38
STRM components 97
superflows 101, 104
syslog
forwarding 225
adding 225
deleting 227
editing 226
system authentication 12
system settings 37
configuring 37
system thresholds 42
system time 25
system view
about 64
adding a host 84
assigning components 93
Host Context 94
managed host 93
managing 82
T
TACACS authentication 13
target
off-site 72, 73, 79, 80
templates 132
enterprise 241
university 289
temporary files retention period 37
tests
about 181
thresholds 42
time 25
time limit
command line execution 39
reporting execution 39
web execution 39
TNC recommendation 37
transaction sentry 41
U
university template 289
Update Daemon
configuring 109
user
authentication 12
creating account 10
editing account 11, 12
managing 3
roles 3
user accounts
managing 10
user data files 38
V
views
applications object
editing 155
Applications View 152
adding 153
best practices 180
Custom Views 167
defining unique groups and objects 147
enable and disable 178
ports 148
ports object
adding 148
editing 150
Ports View 148
QFlow Collector object
adding 164
QFlow Collectors 164
Remote Networks 157
Remote Networks object
adding 157
editing 159
Remote Services 160
Remote Services object
adding 161
editing 162
VIS passive host profile interval 37