Security Threat Response Manager

STRM Administration Guide

Release 2008.3

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000

www.juniper.net

Part Number: 530-028824-01, Revision 1

Copyright Notice

Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Configuring DSMs
Release 2008.3

Copyright © 2008, Juniper Networks, Inc.

All rights reserved. Printed in USA.

Revision History

January 2009—Revision 1

The information in this document is current as of the date listed in the revision history.

CONTENTS

ABOUT THIS GUIDE
Audience 1
Conventions 1
Technical Documentation 1
Contacting Customer Support 2

1 MANAGING USERS
Managing Roles 3
  Viewing Roles 3
  Creating a Role 4
  Editing a Role 8
  Deleting a Role 9
Managing User Accounts 10
  Creating a User Account 10
  Editing a User Account 11
  Disabling a User Account 12
Authenticating Users 12

2 MANAGING THE SYSTEM
Managing Your License Keys 17
  Updating your License Key 17
  Exporting Your License Key Information 19
Accessing the Embedded SNMP Agent 19
Configuring Access Settings 20
  Configuring Firewall Access 20
  Updating Your Host Set-up 22
  Configuring Interface Roles 23
  Changing Passwords 24
  Updating System Time 25

3 SETTING UP STRM
Creating Your Network Hierarchy 29
  Considerations 29
  Defining Your Network Hierarchy 30
Scheduling Automatic Updates 34
  Scheduling Automatic Updates 34
  Updating Your Files On-Demand 36
Configuring System Settings 37
Configuring System Notifications 42
Configuring the Console Settings 45
Starting and Stopping STRM 48
Resetting SIM 48

4 MANAGING AUTHORIZED SERVICES
Viewing Authorized Services 51
Adding an Authorized Service 52
Revoking Authorized Services 53

5 MANAGING BACKUP AND RECOVERY
Managing Backup Archives 55
  Viewing Back Up Archives 55
  Importing an Archive 56
  Deleting a Backup Archive 57
Backing Up Your Information 58
  Scheduling Your Backup 58
  Initiating a Backup 60
Restoring Your Configuration Information 61

6 USING THE DEPLOYMENT EDITOR
About the Deployment Editor 64
  Accessing the Deployment Editor 65
  Using the Editor 65
Creating Your Deployment 67
  Before you Begin 67
  Editing Deployment Editor Preferences 68
Building Your Flow View 68
  Adding STRM Components 69
  Connecting Components 71
  Connecting Deployments 72
  Renaming Components 75
Building Your Event View 75
  Adding Components 77
  Connecting Components 79
  Forwarding Normalized Events 79
  Renaming Components 82
Managing Your System View 82
  Setting Up Managed Hosts 83
  Using NAT with STRM 89
  Configuring a Managed Host 93
  Assigning a Component to a Host 93
  Configuring Host Context 94
Configuring STRM Components 97
  Configuring a Flow Collector 97
  Configuring a Flow Processor 101
  Configuring a Classification Engine 107
  Configuring an Update Daemon 109
  Configuring a Flow Writer 111
  Configuring an Event Collector 112
  Configuring an Event Processor 113
  Configuring the Magistrate 115

7 MANAGING FLOW SOURCES
About Flow Sources 117
  NetFlow 117
  sFlow 118
  J-Flow 119
  Packeteer 119
  Flowlog File 120
Managing Flow Sources 120
  Adding a Flow Source 120
  Editing a Flow Source 122
  Enabling/Disabling a Flow Source 123
  Deleting a Flow Source 124
Managing Flow Source Aliases 124
  Adding a Flow Source Alias 125
  Editing a Flow Source Alias 125
  Deleting a Flow Source Alias 126

8 OVERVIEW
About the Interface 127
Accessing the Administration Console 128
Using the Interface 128
Deploying Changes 129

9 MANAGING SENTRIES
About Sentries 131
Viewing Sentries 132
Editing Sentry Details 133
Managing Packages 138
  Creating a Sentry Package 138
  Editing a Sentry Package 140
Managing Logic Units 141
  Creating a Logic Unit 141
  Editing a Logic Unit 144

10 MANAGING VIEWS
Using STRM Views 145
  About Views 145
  About Global Views 146
  Defining Unique Objects 147
Managing Ports View 148
  Default Ports Views 148
  Adding a Ports Object 148
  Editing a Ports Object 150
Managing Application Views 152
  Default Application Views 152
  Adding an Applications Object 153
  Editing an Applications Object 155
Managing Remote Networks View 157
  Default Remote Networks Views 157
  Adding a Remote Networks Object 157
  Editing a Remote Networks Object 159
Managing Remote Services Views 160
  Default Remote Services Views 160
  Adding a Remote Services Object 161
  Editing a Remote Services Object 162
Managing Collector Views 164
  Adding a Flow Collector Object 164
  Editing a Flow Collector Object 165
Managing Custom Views 167
  About Custom Views 167
  Editing Custom Views 176
  Editing the Equation 177
Enabling and Disabling Views 178
Using Best Practices 180

11 CONFIGURING RULES
Viewing Rules 182
Enabling/Disabling Rules 183
Creating a Rule 183
  Event Rule Tests 193
  Offense Rule Tests 209
Copying a Rule 215
Deleting a Rule 215
Grouping Rules 216
  Viewing Groups 216
  Creating a Group 216
  Editing a Group 218
  Copying an Item to Another Group(s) 218
  Deleting an Item from a Group 220
  Assigning an Item to a Group 220
Editing Building Blocks 220

12 DISCOVERING SERVERS

13 FORWARDING SYSLOG DATA
Adding a Syslog Destination 225
Editing a Syslog Destination 226
Delete a Syslog Destination 227

A JUNIPER NETWORKS MIB

B ENTERPRISE TEMPLATE DEFAULTS
Default Sentries 241
Default Custom Views 249
  IP Tracking Group 249
  Threats Group 250
  Attacker Target Analysis Group 254
  Target Analysis Group 255
  Policy Violations Group 256
  ASN Source Group 257
  ASN Destination Group 258
  IFIndexIn Group 258
  IFIndexOut Group 258
  QoS Group 258
  Flow Shape Group 258
Default Rules 259
Default Building Blocks 273

C UNIVERSITY TEMPLATE DEFAULTS
Default Sentries 289
Default Custom Views 297
  IP Tracking Group 297
  Threats Group 298
  Attacker Target Analysis Group 302
  Target Analysis Group 303
  Policy Violations Group 304
  ASN Source Group 305
  ASN Destination Group 306
  IFIndexIn Group 306
  IFIndexOut Group 306
  QoS Group 306
  Flow Shape Group 306
Default Rules 307
Default Building Blocks 321

D VIEWING AUDIT LOGS
Logged Actions 337
Viewing the Log File 341

ABOUT THIS GUIDE

The STRM Administration Guide provides you with information for managing STRM functionality requiring administrative access.

Audience

This guide is intended for the system administrator responsible for setting up STRM in your network. This guide assumes that you have STRM administrative access and a knowledge of your corporate network and networking technologies.

Conventions

Table 1 lists conventions that are used throughout this guide.

Table 1 Icons

Icon Type: Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning: Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes directly from the Juniper Customer Support web site at https://www.juniper.net/support. Once you access the Technical Support web site, locate the product and software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to:

[email protected]

Include the following information with your comments:

• Document title
• Page number

Contacting Customer Support

To help you resolve any issues that you may encounter when installing or maintaining STRM, you can contact Customer Support as follows:

• Open a support case using the Case Management link at http://www.juniper.net/support.
• Call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).

1 MANAGING USERS

You can add or remove user accounts for all users that you want to access STRM. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM. You can also restrict or allow access to areas of the network.

This chapter provides information on managing STRM users including:

• Managing Roles
• Managing User Accounts
• Authenticating Users

Managing Roles

You must create a role before you can create user accounts. By default, STRM provides a default administrative role, which provides access to all areas of STRM. A user that is assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any desired changes.

Using the Administration Console, you can:

• View existing user roles. See Viewing Roles.
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role.
• Delete a role. See Deleting a Role.

Viewing Roles

To view roles:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Roles window appears.

The Manage Roles window provides the following information:

Table 2-1 Manage Roles Parameters

Role: Specifies the defined user role.
Devices: Specifies the devices you want this role to access. This allows you to restrict or grant access for users assigned to the role to view logs, events, and offense data received from assigned security and network devices or device groups. For non-administrative users, this column indicates a link that allows an administrative user to edit the permissions for the role. For more information on editing a user role, see Editing a Role. To view the list of devices that have been assigned to this role, move your mouse over the text in the Devices column.
Associated Users: Specifies the users associated with this role.
Action: Allows you to edit or delete the user role.

Creating a Role

To create a role:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage User Roles window appears.
Step 3 Click Create Role.
The Manage Permissions window appears.

Step 4 Enter values for the parameters. You must select at least one permission to proceed.

Table 2-2 Create Roles Parameters

Role Name: Specify the name of the role. The name can be up to 15 characters in length and must only contain integers and letters.

Administrator: Select the check box if you want to grant this user administrative access to the STRM interface. Within the administrator role, you can grant additional access to the following:
• System Administrator - Select this check box if you want to allow users access to all areas of STRM except Views. Users with this access are not able to edit other administrator accounts.
• Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
• Views Administrator - Select this check box if you want to allow users the ability to create, edit, or delete Views. For example, the Application View and the Ports View.

Offense Management: Select the check box if you want to grant this user access to Offense Manager functionality. Within the Offense Manager functionality, you can grant additional access to the following:
• Assign Offenses to Users - Select the check box if you want to allow users to assign offenses to other users.
• Customized Rule Creation - Select the check box if you want to allow users to create custom rules.
For more information on the Offense Manager, see the STRM Users Guide.

Event Viewer: Select the check box if you want this user to have access to the Event Viewer. Within the Event Viewer, you can also grant users additional access to the following:
• User Defined Event Properties - Select the check box if you want to allow users the ability to create user-defined event properties.
• Event Search Restrictions Override - Select the check box if you want to allow users the ability to override event search restrictions.
• Customized Rule Creation functionality - Select the check box if you want to allow users to create rules using the Event Viewer.
For more information on the Event Viewer, see the STRM Users Guide.

Asset Management: Select the check box if you want to grant this user access to Asset Management functionality. Within the Asset Management functionality, you can grant additional access to the following:
• Server Discovery - Select the check box if you want to allow users the ability to discover servers.
• View VA Data - Select the check box if you want to allow users access to vulnerability assessment data.
• Perform VA Scans - Select the check box if you want to allow users to perform vulnerability assessment scans.

Network Surveillance: Select the check box if you want to grant this user access to Network Surveillance functionality. Within the Network Surveillance functionality, you can grant additional access to the following:
• View Flows - Select the check box if you want to allow users access to content captured using the View Flows function.
• View Flow Content - Select the check box if you want to allow users access to data accessed through the View Flow box.
• View Flows Restrictions Override - Select the check box if you want to allow users the ability to override sentry restrictions.
• Sentry Modification - Select the check box if you want to allow users to modify existing sentries.
For more information, see the STRM Users Guide.

Reporting: Select the check box if you want to grant this user access to Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following:
• Distribute Reports via Email - Select the check box if you want to allow users to distribute reports through e-mail.
• Maintain Templates - Select the check box if you want to allow users to maintain reporting templates.
For more information, see the STRM Users Guide.

Step 5 Click Next.
Step 6 Choose one of the following options:
a If you selected a role that includes Event Viewer permissions, go to Step 7.
b If you selected a role that does not include Event Viewer permissions, go to Step 10.
The Select Device Objects window appears.

Step 7 From the left panel, click a device or device group that you want users assigned to this role to have access to.
The selected device moves to the Selected Device Objects field.
Step 8 Repeat for all devices.
Step 9 Click Next.
Step 10 Click Return.
Step 11 Close the Manage Roles window.
The STRM Administration Console appears.
Step 12 From the menu, select Configurations > Deploy Configuration Changes.

Editing a Role

To edit a role:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you want to edit, click the edit icon.
The Permissions for Role window appears.
Step 4 Update the permissions (see Table 2-2), as necessary.
Step 5 Click Next.
The Select Device Objects window appears.
Step 6 Update device permissions, as desired:
a To remove a device permission, select the device(s) in the Selected Device Objects field that you want to remove. Click Remove Selected Devices.
b To add a device permission, select an object you want to add from the left panel.
Step 7 Repeat for all devices you want to edit for this role.
Step 8 Click Next.
Step 9 Click Return.
Step 10 Click Save.
Step 11 Close the Manage User Roles window.
The STRM Administration Console appears.
Step 12 From the menu, select Configurations > Deploy Configuration Changes.

Deleting a Role

To delete a role:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you want to delete, click the delete icon.
A confirmation window appears.
Step 4 Click Ok.
Step 5 From the menu, select Configurations > Deploy Configuration Changes.

Managing User Accounts

You can create a STRM user account, which allows a user access to selected network components using the STRM interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges.

You can create and edit user accounts to access STRM including:

• Creating a User Account
• Editing a User Account
• Disabling a User Account

Creating a User Account

To create an account for a STRM user:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click Add.
The User Details window appears.
Step 4 Enter values for the following parameters:

Table 2-3 User Details Parameters

Username: Specify a username for the new user. The username must not include spaces or special characters.
Password: Specify a password for the user to gain access. The password must be at least five characters in length.
Confirm Password: Re-enter the password for confirmation.
Email Address: Specify the user’s e-mail address.
Role: Using the drop-down list box, select the role you want this user to assume. For information on roles, see Managing Roles. If you select Admin, this process is complete.

Step 5 Click Next.

Step 6 Choose one of the following options:
a If you selected Admin as the user role, go to Step 9.
b If you selected a non-administrative user role, go to Step 7.
The Selected Network Objects window appears.
Step 7 From the menu tree, select the network objects you want this user to be able to monitor.
The selected network objects appear in the Selected Network Object panel.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 9 Close the Manage Users window.
The STRM Administration Console appears.

Editing a User Account

To edit a user account:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you want to edit.
The User Details window appears.
Step 4 Update values (see Table 2-3), as necessary.

Step 5 Click Next. If you are editing a non-administrative user account, the Selected Network Objects window appears. If you are editing an administrative user account, go to Step 9.
Step 6 From the menu tree, select the network objects you want this user to access. The selected network objects appear in the Selected Network Object panel.
Step 7 For all network objects you want to remove access to, select the object from the Selected Network Objects panel. Click Remove.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 9 Close the Manage Users window.
The STRM Administration Console appears.

Disabling a User Account

To disable a user account:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you want to disable.
The User Details window appears.
Step 4 In the Role drop-down list box, select Disabled.
Step 5 Click Next.
Step 6 Close the Manage Users window.
The STRM Administration Console appears. This user no longer has access to the STRM interface. If this user attempts to log in to STRM, the following message appears: This account has been disabled.

Authenticating Users

You can configure authentication to validate STRM users and passwords. STRM supports the following user authentication types:

• System Authentication - Users are authenticated locally by STRM. This is the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM encrypts the password only, and forwards the username and password to the RADIUS server for authentication.

• TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, STRM encrypts the username and password, and forwards this information to the TACACS server for authentication.
• LDAP/Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.

If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the authentication type, you must:

• Configure the authentication server before you configure authentication in STRM.
• Make sure the server has the appropriate user accounts and privilege levels to communicate with STRM. See your server documentation for more information.
• Make sure the time of the authentication server is synchronized with the time of the STRM server. For more information on setting STRM time, see Chapter 3 Setting Up STRM.
• Make sure all users have appropriate user accounts and roles in STRM to allow authentication with the third-party servers.

Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring Console settings for authentication, see Chapter 3 Setting Up STRM - Configuring the Console Settings. An administrative user can always access STRM through a third-party authentication module or by using the local STRM Admin password.

To configure authentication:

Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authentication icon.
The Authentication window appears.
Step 3 From the Authentication Module drop-down list box, select the authentication type you want to configure.
Step 4 Configure the selected authentication type:
a If you selected System Authentication, go to Step 5.

b If you selected RADIUS Authentication, enter values for the following parameters:

Table 2-4 RADIUS Parameters

RADIUS Server: Specify the hostname or IP address of the RADIUS server.
RADIUS Port: Specify the port of the RADIUS server.
Authentication Type: Specify the type of authentication you want to perform. The options are:
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
Shared Secret: Specify the shared secret that STRM uses to encrypt RADIUS passwords for transmission to the RADIUS server.

c If you selected TACACS Authentication, enter values for the following parameters:

Table 2-5 TACACS Parameters

TACACS Server: Specify the hostname or IP address of the TACACS server.
TACACS Port: Specify the port of the TACACS server.
Authentication Type: Specify the type of authentication you want to perform. The options are:
• ASCII
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a PPP connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.
• EAPMD5 (Extensible Authentication Protocol using MD5 Protocol) - Uses MD5 to establish a PPP connection.
Shared Secret: Specify the shared secret that STRM uses to encrypt TACACS passwords for transmission to the TACACS server.
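The RADIUS entries above say that STRM encrypts only the password with the shared secret before forwarding the credentials. For the PAP option, the standard way a RADIUS client does this is the User-Password hiding of RFC 2865 section 5.2. The following is an added example (not STRM code; the guide does not say which RADIUS implementation STRM uses) that implements that mechanism so the role of the shared secret and of the per-request authenticator is visible. The secret, password and authenticator values are constructed for the demonstration.

```python
import hashlib
import os

# RFC 2865 section 5.2 User-Password hiding, as used when a RADIUS client sends
# a PAP password to the server. Added educational example; not STRM's code.


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Return the hidden User-Password attribute value.

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(shared_secret + previous_block), where the "previous block"
    for the first block is the 16-byte random Request Authenticator of the
    Access-Request packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows passwords of 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Invert hide_user_password() given the same secret and authenticator.

    Trailing NUL padding is stripped; as in the RFC, padding cannot be told
    apart from NUL bytes that were genuinely part of the password.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def round_trip(password: bytes, shared_secret: bytes) -> bool:
    """Hide and reveal a password under a fresh random Request Authenticator."""
    authenticator = os.urandom(16)
    hidden = hide_user_password(password, shared_secret, authenticator)
    return reveal_user_password(hidden, shared_secret, authenticator) == password


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"example-shared-secret-CHANGE-ME"
    authenticator = os.urandom(16)
    hidden = hide_user_password(b"correct horse battery", secret, authenticator)
    print("hidden User-Password:", hidden.hex())
    print("revealed:", reveal_user_password(hidden, secret, authenticator))
```

The keystream is nothing more than MD5 over the shared secret and the previous block, so the secret is the only long-term protection: whoever can observe Access-Request packets and knows or guesses the secret recovers the password directly, and the construction gives no integrity protection. That is why a long, random shared secret and keeping the STRM-to-RADIUS path on a management network matter, and why the CHAP-based options, which never transmit the password itself, avoid this exposure altogether.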

d If you selected LDAP/Active Directory, enter values for the following parameters:

Table 2-6 LDAP/Active Directory Parameters

Server URL: Specify the URL used to connect to the LDAP server. For example, ldap://<host>:<port>
LDAP Context: Specify the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.
LDAP Domain: Specify the domain you want to use, for example q1labs.inc

Step 5 Click Save.
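The three Table 2-6 values depend on each other: the LDAP Domain is the DNS form of the DC= components of the LDAP Context, and the Server URL must be a well-formed ldap:// URL with a numeric port. The following is an added example (not STRM's own validation logic) that checks those relationships before the values are entered. It assumes that ldaps:// is acceptable alongside ldap:// and uses the standard default ports 389 and 636; the host name ldap.q1labs.inc is constructed, while DC=Q1LABS,DC=INC and q1labs.inc are the guide's own example values.

```python
import re
from urllib.parse import urlsplit

# Added consistency check for the Table 2-6 values; not STRM code.
# Assumption: ldaps:// is accepted as well as ldap://, with the usual default ports.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url: str):
    """Parse a Server URL of the form ldap://<host>:<port> into (scheme, host, port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError("no host in URL")
    port = parts.port  # raises ValueError if the port is not a valid integer
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def domain_from_context(context: str) -> str:
    """Derive the DNS domain from the DC= components of an LDAP context (a DN),
    e.g. 'DC=Q1LABS,DC=INC' -> 'q1labs.inc'."""
    labels = []
    for rdn in re.split(r"(?<!\\),", context):  # split on unescaped commas only
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r}")
        attr, value = rdn.split("=", 1)
        if attr.strip().upper() == "DC":
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError("context contains no DC= components")
    return ".".join(labels)


def check_ldap_settings(server_url: str, context: str, domain: str) -> list:
    """Return a list of problems found; an empty list means the three values agree."""
    problems = []
    try:
        parse_ldap_url(server_url)
    except ValueError as err:
        problems.append(f"Server URL: {err}")
    derived = None
    try:
        derived = domain_from_context(context)
    except ValueError as err:
        problems.append(f"LDAP Context: {err}")
    if derived is not None and derived != domain.strip().lower():
        problems.append(
            f"LDAP Domain {domain!r} does not match the DC components of the context ({derived!r})")
    return problems


if __name__ == "__main__":
    # Context and domain are the guide's example values; the host is constructed.
    print(check_ldap_settings("ldap://ldap.q1labs.inc:389", "DC=Q1LABS,DC=INC", "q1labs.inc"))
    # The placeholder URL from the table and a mismatched domain both produce findings.
    print(check_ldap_settings("ldap://<host>:<port>", "DC=Q1LABS,DC=INC", "q1labs.com"))
```

A mismatch between the context and the domain is the usual reason LDAP/Active Directory authentication appears configured but every login fails, so running a check like this before clicking Save saves a round of trial and error against the directory server.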

2 MANAGING THE SYSTEM

This chapter provides information for managing your system including:

• Managing Your License Keys
• Accessing the Embedded SNMP Agent
• Configuring Access Settings

Managing Your License Keys

For your STRM Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System Management window in the STRM Administration Console. This interface provides the status of the license key for each system (host) in your deployment including:

• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see Updating your License Key.
• Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you want to use the Console license for any system in your deployment, click Default License in the Manage License window. The license for that system will default to the Console license key.

This section provides information on managing your license keys including:

• Updating your License Key
• Exporting Your License Key Information

Updating your License Key

For your STRM Console, a default license key provides you access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:

• For a new or updated license key, please contact your local sales representative.
• For all other technical issues, please contact Juniper Networks Customer Support.

If you log in to STRM and your Console license key has expired, you are automatically directed to the System Management window. You must update the license key before you can continue. However, if one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System Management window to update that license key.

To update your license key:Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon. The System Management window appears providing a list of all hosts in your deployment.

Step 3 For the host that on which you want to update the license key, click the value that appears in the License column. Note: If you update the license key for your Console, all systems in your deployment default to the Console license key at that time.

The Current License Details window appears.

Step 4 Click Browse beside the New License Key File and locate the license key.

Step 5 Once you locate and select the license key, click Open.

The Current License Details window appears.

Step 6 Click Save. A message appears indicating the license key was successfully updated.


Note: If you want to revert to the previous license key, click Revert to Deployed. To revert to the license key used by the STRM Console system, click Revert to Console.

Step 7 Close the license key window.

The Administration Console appears.

Step 8 From the menu, select Configurations > Deploy All. The license key information is updated in your deployment.

Exporting Your License Key Information

To export your license key information for all systems in your deployment:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon. The System Management window appears providing a list of all hosts in your deployment.

Step 3 Click Export Licenses.

The export window appears.

Step 4 Select one of the following options:

• Open - Opens the license key data in an Excel spreadsheet.

• Save - Allows you to save the file to your desktop.

Step 5 Click OK.

Accessing the Embedded SNMP Agent

To access the SNMP agent:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon. The System Management window appears.


Step 3 In the View Agent column, click View Agent for the SNMP agent you want to access.

The SNMP Agent appears.

Configuring Access Settings

The System Configuration tab provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:

• Firewall access. See Configuring Firewall Access.

• Update your host set-up. See Updating Your Host Set-up.

• Configure the interface roles for a host. See Configuring Interface Roles.

• Change password to a host. See Changing Passwords.

• Update the system time. See Updating System Time.

Configuring Firewall Access

You can configure local firewall access to enable communications between devices and STRM. Also, you can define access to the web-based system administration interface.

To enable STRM managed hosts to access specific devices or interfaces:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon.

The System Management window appears.

Step 3 For the host on which you want to configure firewall access, click Manage System.

Step 4 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 5 From the menu, select Managed Host Config > Local Firewall. The Local Firewall window appears.


Step 6 In the Device Access box, you must include any STRM systems you want to have access to this managed host. Only managed hosts listed will have access. For example, if you enter one IP address, only that one IP address will be granted access to the managed host. All other managed hosts are blocked. To configure access:

a In the IP Address field, enter the IP address of the managed host you want to have access.

b From the Protocol list box, select the protocol for which you want to enable access from the specified IP address on the specified port:

- UDP - Allows UDP traffic.

- TCP - Allows TCP traffic.

- Any - Allows any traffic.

c In the Port field, enter the port on which you want to enable communications.

Note: If you change your External Flow Source Monitoring Port parameter in the QFlow Configuration, you must also update your firewall access configuration.

d Click Allow.

Step 7 In the System Administration Web Control box, enter in the IP Address field the IP addresses of the hosts that you want to allow access to the web-based system administration interface. Only IP addresses listed will have access to the interface. If you leave the field blank, the interface accepts connections from any IP address, so list your administration hosts explicitly. Click Allow.

Note: Make sure you include the IP address of the client desktop from which you want to access the interface. Failing to do so blocks your own access to the interface.


Step 8 Click Apply Access Controls.

Step 9 Wait for the interface to refresh before continuing.
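The Device Access and Web Control boxes above are allow lists with two easily misread properties: a managed host is reachable only from the listed STRM systems on the listed protocol and port, and an empty Web Control list leaves the web-based administration interface open to every address. The following added example (not STRM code, and not the rule set STRM itself generates) models those semantics so an allow list can be reviewed before you click Apply Access Controls. Every IP address and port in it is constructed; the iptables rendering is an illustration of equivalent rules, not what the appliance writes.

```python
"""Allow-list semantics of the Local Firewall window, as a reviewable model.

Added example, not STRM code: it encodes the rules the guide states (a managed
host is reachable only from the listed STRM systems on the listed protocol and
port; an empty System Administration Web Control list leaves the web admin
interface open to every address). Every IP address and port below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class DeviceAccessRule:
    """One Allow entry in the Device Access box."""
    ip: str          # IP Address field: the STRM system granted access
    protocol: str    # Protocol list box: "udp", "tcp" or "any"
    port: int        # Port field


@dataclass
class LocalFirewallPolicy:
    device_access: List[DeviceAccessRule] = field(default_factory=list)
    web_control: List[str] = field(default_factory=list)   # Web Control box

    def allows_device(self, src_ip: str, protocol: str, port: int) -> bool:
        """Only listed hosts get through; everything else is blocked."""
        src = ip_address(src_ip)
        return any(
            ip_address(r.ip) == src and r.port == port and r.protocol in ("any", protocol)
            for r in self.device_access
        )

    def allows_web_admin(self, src_ip: str) -> bool:
        """Empty list: the admin interface accepts any source address."""
        if not self.web_control:
            return True
        return ip_address(src_ip) in {ip_address(a) for a in self.web_control}

    def review(self, admin_desktop: str, flow_source_port: Optional[int] = None) -> List[str]:
        """Findings a reviewer would raise before applying the policy."""
        findings: List[str] = []
        if not self.web_control:
            findings.append("web control list is empty: admin interface reachable from any address")
        elif not self.allows_web_admin(admin_desktop):
            findings.append(f"admin desktop {admin_desktop} is not listed: you will lock yourself out")
        for r in self.device_access:
            if r.protocol == "any":
                findings.append(f"{r.ip} port {r.port} allows any protocol; prefer tcp or udp")
        # The guide's note: a changed External Flow Source Monitoring Port needs a matching rule.
        if flow_source_port is not None and not any(
            r.port == flow_source_port and r.protocol in ("udp", "any") for r in self.device_access
        ):
            findings.append(f"no UDP rule for flow source port {flow_source_port}")
        return findings

    def as_iptables(self) -> List[str]:
        """Equivalent INPUT rules rendered for review (illustrative, not STRM's own rule set)."""
        lines = []
        for r in self.device_access:
            protos = ("tcp", "udp") if r.protocol == "any" else (r.protocol,)
            for p in protos:
                lines.append(f"iptables -A INPUT -s {r.ip} -p {p} --dport {r.port} -j ACCEPT")
        lines.append("iptables -A INPUT -j DROP")
        return lines


def example_policy() -> LocalFirewallPolicy:
    """Constructed policy: a Console and a flow exporter reach this host; two admin desktops."""
    return LocalFirewallPolicy(
        device_access=[
            DeviceAccessRule("10.10.1.20", "tcp", 7800),   # Console (constructed port)
            DeviceAccessRule("10.10.1.30", "udp", 2055),   # flow exporter (constructed port)
        ],
        web_control=["10.10.1.20", "192.0.2.10"],
    )


if __name__ == "__main__":
    policy = example_policy()
    for finding in policy.review("192.0.2.11", flow_source_port=2055):
        print("FINDING:", finding)
    print("\n".join(policy.as_iptables()))
```

Run it with an admin desktop address that is not in the Web Control list and review() reports the lock-out before the policy is applied; that is the check worth doing at Step 7, when the window is still editable.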

Updating Your Host Set-up

You can use the web-based system administration interface to configure the mail server you want STRM to use, the global password for STRM configuration, and the IP address for the STRM Console.

To configure your host set-up:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon. The System Management window appears.

Step 3 For the host whose set-up you want to update, click Manage System.

Step 4 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 5 From the menu, select Managed Host Config > STRM Setup.

The STRM Setup window appears.

Step 6 You must enable communications between the STRM Console and the current host. In the Enter the IP address of the STRM console field, enter the IP address of the managed host operating the STRM Console.

Step 7 In the Mail Server field, specify the address for the mail server you want STRM to use. STRM uses this mail server to distribute alerts and event messages. To use the mail server provided with STRM, enter localhost.


Step 8 In the Enter the global configuration password field, enter the password you want to use to access the host. Confirm the entered password.

Note: The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.

Step 9 In the Enter the web address of the console field, enter the IP address of the managed host operating the STRM Console.

Step 10 Click Apply Configuration.

Configuring Interface Roles

You can assign specific roles to the network interfaces on each managed host.

To assign roles:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon. The System Management window appears.

Step 3 For the host on which you want to configure interface roles, click Manage System.

Step 4 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 5 From the menu, select Managed Host Config > Network Interfaces. The Network Interfaces window appears with a list of each interface on your managed host.

Note: For assistance with determining the appropriate role for each interface, please contact Juniper Networks Customer Support.


Step 6 For each interface listed, select the role you want to assign to the interface using the Role list box.

Step 7 Click Save Configuration.

Step 8 Wait for the interface to refresh before continuing.

Changing Passwords

To change the passwords:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon.

The System Management window appears.

Step 3 For the host on which you want to change passwords, click Manage System.

Step 4 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 5 From the menu, select Managed Host Config > Root Password.

The Root Passwords window appears.

Step 6 Update the password and confirm it:

Note: Make sure you record the entered value securely.

• New Root Password - Specify the root password necessary to access the web-based system administration interface.

• Confirm New Root Password - Re-enter the password for confirmation.

Step 7 Click Update Password.


Updating System Time

You are able to change the time for the following options:

• System time

• Hardware time

• Time Zone

• Time Server

Note: All system time changes must be made within the System Time window. You must change the system time information on the host operating the Console only. The change is then distributed to all managed hosts in your deployment.

You can configure time for your system using one of the following methods:

• Configuring Your Time Server Using RDATE

• Configuring Time Settings For Your System

Configuring Your Time Server Using RDATE

To update the time settings using RDATE:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon. The System Management window appears.

Step 3 For the host on which you want to configure time, click Manage System.

Step 4 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 5 From the menu, select Managed Host Config > System Time. The System Time window appears.

Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.


Step 6 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.

Step 7 In the Time Server box, you must specify the following options:

• Timeserver hostnames or addresses - Specify the time server hostname or IP address.

• Set hardware time too - Select the check box if you want to set the hardware time as well.

• Synchronize on schedule? - Specify one of the following options:

- No - Select the option if you do not want to synchronize the time specified in the Run at selected time below options. Go to Step 8.

- Yes - Select the option if you want to synchronize the time. See options below.

• Simple Schedule - Specify if you want the time update to occur at a specific time. If not, select the Run at times selected below option.

• Times and dates are selected below - Specify the time you want the time update to occur.

Step 8 Click Sync and Apply.
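Classic rdate, the tool behind the Time Server box above, speaks the RFC 868 Time Protocol: the client opens TCP port 37 and the server answers with a single 4-byte count of seconds since 1900-01-01. The following added example (not part of the guide or of STRM) runs a minimal server and client on localhost so the exchange is visible end to end. The server returns a fixed, constructed clock value; the ephemeral port replaces port 37 so the script needs no privileges. The security point is that RFC 868 carries no authentication: only point the Timeserver field at a host you control or reach over a trusted network, because a spoofed reply shifts every event and flow timestamp in the deployment.

```python
"""RFC 868 "time" exchange, the protocol classic rdate uses.

Added example, not STRM code: a minimal server and client on localhost, with the
server handing out a fixed constructed time so the result is deterministic.
"""
import socket
import struct
import threading
from datetime import datetime, timezone

# RFC 868 counts seconds from 1900-01-01; Unix time counts from 1970-01-01.
RFC868_TO_UNIX_OFFSET = 2_208_988_800


def unix_to_rfc868(unix_seconds: int) -> bytes:
    """Encode a Unix timestamp as the 4-byte big-endian value an RFC 868 server sends."""
    return struct.pack("!I", (unix_seconds + RFC868_TO_UNIX_OFFSET) & 0xFFFFFFFF)


def rfc868_to_unix(payload: bytes) -> int:
    """Decode the 4-byte reply; anything else is a malformed or truncated answer."""
    if len(payload) != 4:
        raise ValueError("RFC 868 reply must be exactly 4 bytes")
    return struct.unpack("!I", payload)[0] - RFC868_TO_UNIX_OFFSET


def serve_once(listener: socket.socket, unix_seconds: int) -> None:
    """Server side: accept one TCP client, send the time, close (RFC 868 has no request body)."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(unix_to_rfc868(unix_seconds))


def fetch_time(host: str, port: int, timeout: float = 2.0) -> int:
    """Client side: connect, read exactly 4 bytes, convert to Unix seconds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        payload = b""
        while len(payload) < 4:
            chunk = sock.recv(4 - len(payload))
            if not chunk:
                break
            payload += chunk
    return rfc868_to_unix(payload)


def demo_roundtrip(unix_seconds: int) -> int:
    """Run server and client on an ephemeral localhost port; return what the client decoded."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port; real servers use 37
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once, args=(listener, unix_seconds))
    server.start()
    try:
        return fetch_time("127.0.0.1", port)
    finally:
        server.join()
        listener.close()


if __name__ == "__main__":
    fixed = int(datetime(2008, 9, 1, 12, 0, tzinfo=timezone.utc).timestamp())
    got = demo_roundtrip(fixed)
    print(datetime.fromtimestamp(got, timezone.utc).isoformat(), "drift:", got - fixed)
```

Note that the client accepts whatever four bytes arrive; there is nothing in the protocol for it to verify, which is why the choice of time server is an access-control decision rather than a convenience one.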


Configuring Time Settings For Your System

To update the time settings for your system:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Management icon.

The System Management window appears.

Step 3 For the host on which you want to configure time, click Manage System.

Step 4 Log in to the System Administration interface. The default is:

Username: root
Password: <your root password>

Note: The username and password are case sensitive.

Step 5 From the menu, select Managed Host Config > System Time. The System Time window appears.

Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.


Step 6 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.

Step 7 In the System Time box, you must specify the current date and time you want to assign to the managed host. Click Apply.

If you want to set the System Time to the same as the Hardware time, click Set system time to hardware time.

Step 8 In the Hardware Time box, you must specify the current date and time you want to assign to the managed host. Click Save.

If you want to set the Hardware Time to the same as the System Time, click Set hardware time to system time.

3 SETTING UP STRM

This chapter provides information on setting up STRM including:

• Creating Your Network Hierarchy

• Scheduling Automatic Updates

• Configuring System Settings

• Configuring System Notifications

• Configuring the Console Settings

• Starting and Stopping STRM

• Resetting SIM

Creating Your Network Hierarchy

STRM uses the network hierarchy to understand your network traffic and provide you with the ability to view network activity for your entire deployment.

When you develop your network hierarchy, you should consider the most effective method for viewing network activity. Note that the network you configure in STRM does not have to resemble the physical deployment of your network. STRM supports any network hierarchy that can be defined by a range of IP addresses. You can create your network based on many different variables, including geographical or business units.

Considerations

Consider the following when defining your network hierarchy:

• Group together systems and user groups that have similar behavior. This provides you with a clear view of your network.

• Create multiple top-level groups if your deployment is processing more than 600,000 flows.

• Organize your systems/network by role or similar traffic patterns. For example, mail servers, departmental users, labs, development groups, or geographically dispersed locations. This allows you to differentiate network behavior and enforce network management security policies.

• Do not group together servers that have unique behavior with other servers on your network. For example, placing a unique server alone provides the server greater visibility in STRM allowing you to enact specific policies.


• Within a group, place servers with high volumes of traffic, such as mail servers, at the top of the group. This provides you a clear visual representation when a discrepancy occurs. We recommend that you extend this practice to all views.

• Combine multiple Classless Inter-Domain Routing (CIDR) ranges or subnets into a single network/group to conserve disk space. For example:

Group  Description       IP Address
1      Marketing         10.10.5.0/24
2      Sales             10.10.8.0/21
3      Database Cluster  10.10.1.3/32
                         10.10.1.4/32
                         10.10.1.5/32

Note: We recommend that you do not configure a network group with more than 15 objects. This may cause you difficulty in viewing detailed information for each group.

You may also want to define an all-encompassing group so that when you define new networks, the appropriate policies and behavioral monitors are applied. For example:

Group      Subgroup             IP Address
Cleveland  Cleveland misc       10.10.0.0/16
Cleveland  Cleveland Sales      10.10.8.0/21
Cleveland  Cleveland Marketing  10.10.1.0/24

If you add a new network to the above example, such as 10.10.50.0/24 for an HR department, its traffic appears as Cleveland-based (it falls within Cleveland misc, 10.10.0.0/16) and any policies or sentries applied to the Cleveland group are applied by default.

Defining Your Network Hierarchy

To define your network hierarchy:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Network Hierarchy icon.

The Network Views window appears.


Step 3 From the menu tree, select the area of the network to which you want to add a network component. The Manage Group window appears for the selected network component.

Step 4 Click Add.

The Add Network Object window appears.

Step 5 Enter your network object values:

Table 4-1 Add New Object Parameters

Group: Specify the group for the new network object. Click Add Group to specify the group.

Name: Specify the name for the object.

Weight: Specify the weight of the object. The range is 0 to 100 and indicates the importance of the object in the system.

IP/CIDR(s): Specify the CIDR range(s) for this object. For more information on CIDR values, see Accepted CIDR Values.

Description: Specify a description for this network object.

Color: Specify a color for this object.

Database Length: Specify the database length.


Step 6 Click Save.

Step 7 Repeat for all network objects.

Step 8 Click Re-Order.

The Reorder Group window appears.

Step 9 Order the network objects in the desired order.

Step 10 Click Save.

Note: We recommend adding key servers as individual objects and grouping other major but related servers into multi-CIDR objects.
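The hierarchy built above attributes an address to the most specific object that contains it, which is why a new 10.10.50.0/24 shows up as Cleveland misc until you add it as its own object, and why a key server entered as a /32 gets its own visibility even inside a larger group. The following added example (not STRM code) models that longest-prefix attribution for the Cleveland hierarchy and implements the two checks worth running before you click Save: groups over the recommended 15 objects, and objects in different groups whose CIDRs overlap so that one silently shadows the other. The Databases group holding the Database Cluster object is constructed; the other objects come from the example tables.

```python
"""Which network object claims an address, and sanity checks on the hierarchy.

Added example, not STRM code: longest-prefix attribution over the Cleveland
hierarchy plus the group-size and overlap checks a reviewer would want.
The Databases group is constructed; the other objects follow the guide's tables.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkObject:
    group: str
    name: str
    cidrs: Tuple[IPv4Network, ...]
    weight: int = 50                      # Weight field: 0 to 100


def make_object(group: str, name: str, *cidrs: str, weight: int = 50) -> NetworkObject:
    """strict=True rejects a CIDR with host bits set, such as 10.10.1.3/24."""
    return NetworkObject(group, name, tuple(ip_network(c, strict=True) for c in cidrs), weight)


EXAMPLE_HIERARCHY: List[NetworkObject] = [
    make_object("Cleveland", "Cleveland misc", "10.10.0.0/16"),
    make_object("Cleveland", "Cleveland Sales", "10.10.8.0/21"),
    make_object("Cleveland", "Cleveland Marketing", "10.10.1.0/24"),
    make_object("Databases", "Database Cluster", "10.10.1.3/32", "10.10.1.4/32", "10.10.1.5/32"),
]


def classify(addr: str, objects: List[NetworkObject]) -> Optional[NetworkObject]:
    """Return the object whose CIDR most specifically contains addr, or None."""
    ip = ip_address(addr)
    best: Optional[NetworkObject] = None
    best_len = -1
    for obj in objects:
        for net in obj.cidrs:
            if ip in net and net.prefixlen > best_len:
                best, best_len = obj, net.prefixlen
    return best


def group_sizes(objects: List[NetworkObject]) -> Dict[str, int]:
    sizes: Dict[str, int] = {}
    for obj in objects:
        sizes[obj.group] = sizes.get(obj.group, 0) + 1
    return sizes


def cross_group_overlaps(objects: List[NetworkObject]) -> List[Tuple[str, str, str, str]]:
    """(object A, CIDR A, object B, CIDR B) for overlapping CIDRs in different groups.
    Nesting inside one group is how a catch-all like Cleveland misc is meant to work,
    so same-group overlaps are not reported."""
    found = []
    for i, a in enumerate(objects):
        for b in objects[i + 1:]:
            if a.group == b.group:
                continue
            for na in a.cidrs:
                for nb in b.cidrs:
                    if na.overlaps(nb):
                        found.append((a.name, str(na), b.name, str(nb)))
    return found


def review_hierarchy(objects: List[NetworkObject], max_per_group: int = 15) -> List[str]:
    """Human-readable findings: oversized groups and cross-group shadowing."""
    findings = [
        f"group {g} has {n} objects (recommended maximum {max_per_group})"
        for g, n in group_sizes(objects).items() if n > max_per_group
    ]
    findings += [
        f"{a} ({ca}) and {b} ({cb}) are in different groups but overlap; the longer prefix wins"
        for a, ca, b, cb in cross_group_overlaps(objects)
    ]
    return findings


if __name__ == "__main__":
    for addr in ("10.10.50.7", "10.10.9.1", "10.10.1.77", "10.10.1.4", "192.168.1.1"):
        hit = classify(addr, EXAMPLE_HIERARCHY)
        print(addr, "->", f"{hit.group} / {hit.name}" if hit else "not in hierarchy")
    for line in review_hierarchy(EXAMPLE_HIERARCHY):
        print("FINDING:", line)
```

The overlap findings are informational: putting the database /32s in their own group is exactly what the note above recommends, but the report makes the shadowing explicit so nobody is surprised when those three addresses stop appearing under Cleveland Marketing.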

Accepted CIDR Values

The following table provides a list of the CIDR values that STRM accepts. In the Hosts column, rows /1 to /24 give the total usable hosts across all the classful networks the prefix covers (networks multiplied by usable hosts per classful network); rows /25 to /30 give the usable hosts per subnet.

Table 4-2 Accepted CIDR Values

CIDR Length  Mask             Number of Networks  Hosts
/1           128.0.0.0        128 A               2,147,483,392
/2           192.0.0.0        64 A                1,073,741,696
/3           224.0.0.0        32 A                536,870,848
/4           240.0.0.0        16 A                268,435,424
/5           248.0.0.0        8 A                 134,217,712
/6           252.0.0.0        4 A                 67,108,856
/7           254.0.0.0        2 A                 33,554,428
/8           255.0.0.0        1 A                 16,777,214
/9           255.128.0.0      128 B               8,388,352
/10          255.192.0.0      64 B                4,194,176
/11          255.224.0.0      32 B                2,097,088
/12          255.240.0.0      16 B                1,048,544
/13          255.248.0.0      8 B                 524,272
/14          255.252.0.0      4 B                 262,136
/15          255.254.0.0      2 B                 131,068
/16          255.255.0.0      1 B                 65,534
/17          255.255.128.0    128 C               32,512
/18          255.255.192.0    64 C                16,256
/19          255.255.224.0    32 C                8,128
/20          255.255.240.0    16 C                4,064
/21          255.255.248.0    8 C                 2,032
/22          255.255.252.0    4 C                 1,016
/23          255.255.254.0    2 C                 508
/24          255.255.255.0    1 C                 254
/25          255.255.255.128  2 subnets           126
/26          255.255.255.192  4 subnets           62
/27          255.255.255.224  8 subnets           30
/28          255.255.255.240  16 subnets          14
/29          255.255.255.248  32 subnets          6
/30          255.255.255.252  64 subnets          2
/31          255.255.255.254  none                none
/32          255.255.255.255  1/256 C             1

A network is called a supernet when the prefix boundary contains fewer bits than the network's natural (that is, classful) mask. A network is called a subnet when the prefix boundary contains more bits than the network's natural mask. For example:

• 209.60.128.0 is a class C network address with a natural mask of /24.

• 209.60.128.0 /22 is a supernet that yields:

209.60.128.0 /24
209.60.129.0 /24
209.60.130.0 /24
209.60.131.0 /24

• 192.0.0.0 /25

Subnet  Host Range
0       192.0.0.1 - 192.0.0.126
1       192.0.0.129 - 192.0.0.254

• 192.0.0.0 /26

Subnet  Host Range
0       192.0.0.1 - 192.0.0.62
1       192.0.0.65 - 192.0.0.126
2       192.0.0.129 - 192.0.0.190
3       192.0.0.193 - 192.0.0.254

• 192.0.0.0 /27

Subnet  Host Range
0       192.0.0.1 - 192.0.0.30
1       192.0.0.33 - 192.0.0.62
2       192.0.0.65 - 192.0.0.94
3       192.0.0.97 - 192.0.0.126
4       192.0.0.129 - 192.0.0.158
5       192.0.0.161 - 192.0.0.190
6       192.0.0.193 - 192.0.0.222
7       192.0.0.225 - 192.0.0.254
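Every figure in Table 4-2 and in the subnet examples above follows from the prefix length, so it is cheaper to compute them than to look them up, and computing them also catches a CIDR typed with host bits set before it reaches the IP/CIDR(s) field. The following added example (not from the guide) reproduces the table's rows using its own conventions, enumerates the host ranges shown for 192.0.0.0 at /25, /26 and /27, lists the classful networks a supernet aggregates, and says whether a CIDR is a supernet or a subnet of its natural mask.

```python
"""Derive Table 4-2 and the subnet/supernet examples from the prefix length.

Added example, not from the guide and not STRM code. table_row() uses the
table's own conventions: totals across classful networks for /1 to /24,
usable hosts per subnet for /25 to /30.
"""
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

CLASSFUL = (("A", 8), ("B", 16), ("C", 24))   # class letter, natural prefix length


def natural_prefix(net: IPv4Network) -> int:
    """Classful natural mask from the first octet: A < 128, B < 192, C < 224."""
    first_octet = int(net.network_address) >> 24
    for plen, limit in ((8, 128), (16, 192), (24, 224)):
        if first_octet < limit:
            return plen
    raise ValueError(f"{net} is class D/E and has no natural mask")


def usable_hosts(prefixlen: int) -> int:
    """Usable hosts in one network of this length, network and broadcast excluded."""
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 0          # Table 4-2 lists /31 as 'none'
    return 2 ** (32 - prefixlen) - 2


def table_row(prefixlen: int) -> Tuple[str, str, int]:
    """(Mask, Number of Networks, Hosts) as Table 4-2 presents them."""
    mask = str(ip_network(f"0.0.0.0/{prefixlen}").netmask)
    if 1 <= prefixlen <= 24:
        letter, natural = next((l, n) for l, n in CLASSFUL if prefixlen <= n)
        networks = 2 ** (natural - prefixlen)
        return mask, f"{networks} {letter}", networks * usable_hosts(natural)
    if 25 <= prefixlen <= 30:
        return mask, f"{2 ** (prefixlen - 24)} subnets", usable_hosts(prefixlen)
    if prefixlen == 31:
        return mask, "none", 0
    if prefixlen == 32:
        return mask, "1/256 C", 1
    raise ValueError("prefix length must be 1..32")


def subnet_host_ranges(block: str, new_prefix: int) -> List[Tuple[int, str, str]]:
    """(subnet index, first usable host, last usable host) for each subnet of block."""
    rows = []
    for i, sub in enumerate(ip_network(block).subnets(new_prefix=new_prefix)):
        hosts = list(sub.hosts())
        rows.append((i, str(hosts[0]), str(hosts[-1])))
    return rows


def supernet_members(cidr: str) -> List[str]:
    """Classful networks a supernet aggregates, e.g. 209.60.128.0/22 -> four /24s."""
    net = ip_network(cidr)
    return [str(s) for s in net.subnets(new_prefix=natural_prefix(net))]


def kind(cidr: str) -> str:
    """'supernet', 'subnet' or 'classful' relative to the natural mask."""
    net = ip_network(cidr)          # strict by default: host bits set raise ValueError
    natural = natural_prefix(net)
    if net.prefixlen < natural:
        return "supernet"
    return "subnet" if net.prefixlen > natural else "classful"


if __name__ == "__main__":
    for plen in range(1, 33):
        mask, networks, hosts = table_row(plen)
        print(f"/{plen:<3}{mask:<17}{networks:<12}{hosts:,}")
    print(kind("209.60.128.0/22"), supernet_members("209.60.128.0/22"))
    for row in subnet_host_ranges("192.0.0.0/24", 27):
        print(*row)
```

Running the script prints the full table; comparing its /25 row against the printed table is how the host count for that row was checked.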

Scheduling Automatic Updates

STRM uses system configuration files to provide useful characterizations of network data flows. You can update your configuration files automatically or manually using the STRM interface to make sure your configuration files contain the latest network security information. The updates, located on the Technical support web site, include threats, vulnerabilities, and geographic information from various security-related web sites. The managed host must be connected to the Internet to receive the updates.

Note: We do not guarantee the accuracy of the third-party information contained on the above-mentioned web sites.

STRM allows you to either replace your existing configuration files or integrate the updates with your existing files to maintain the integrity of your current configuration and information.

You can also update the configuration files for all systems in your STRM deployment. However, the deployment map must already be built in the deployment editor. For more information, see Chapter 6 Using the Deployment Editor.

Caution: Failing to build your deployment map before you configure automatic or manual updates results in your remote systems not being updated.

Scheduling Automatic Updates

To schedule automatic updates:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Auto Update icon. The Auto-Update Configuration window appears.


Step 3 In the Update Method list box, select the method you want to use for updating your files:

• Auto Integrate - Integrates the new configuration files with your existing files to maintain the integrity of your information.

• Auto Update - Replaces your existing configuration files with the new configuration files.

Step 4 By default, all views are updated. To prevent views from being updated, select the check box(es) in the Protected Views section for the views you do not want to update with the new configuration files. The configuration files for the selected views are not updated.

Step 5 Schedule automatic updates:

a Select the Schedule Autoupdates check box to enable automatic updates based on the frequency configured in the next step.

b In the Frequency list boxes, select the frequency of the automatic updates. You must select the frequency (Monthly, Daily, Weekly), date, and time. You must select the Schedule Autoupdates check box to save the configured frequency. Otherwise, the frequency defaults to weekly.

Step 6 Click Save.

Step 7 From the menu, select Configurations > Deploy Configuration Changes. The updates are enforced through your deployment.

Note: STRM automatic updates are not enforced through your deployment automatically. After each automatic update, you must log in to STRM and, from the Administration Console menu, select Configurations > Deploy Configuration Changes.

Updating Your Files On-Demand

You can update your files, whenever necessary, using the Auto-Update window.

To update your files:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Auto Update icon. The Auto-Update Configuration window appears.

Step 3 In the Update Method list box, select the method you want to use for updating your files:

• Auto Integrate - Integrates the new configuration files with your existing files to maintain the integrity of your information.

• Auto Update - Replaces your existing configuration files with the new configuration files.

Step 4 In the Protected Views section, select the check box(es) for the views you do not want to update with the new configuration files. The configuration files for the selected views are not updated.

Step 5 Click Save and Update Now.

Your views are updated.

Step 6 From the menu, select Configurations > Deploy Configuration Changes. The updates are enforced through your deployment.


Configuring System Settings

Using the Administration Console, you can configure the system, database, and sentry settings.

To configure system settings:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the System Settings icon. The System Settings window appears.

Step 3 Enter values for the parameters:

Table 4-3 System Settings Parameters

Settings

Administrative Email Address: Specify the e-mail address of the designated system administrator. The default is root@localhost.

Alert Email From Address: Specify the e-mail address from which you want to receive e-mail alerts.

Resolution Interval Length: Specify the interval length, in minutes. The default is 1 minute.

Delete Root Mail: Root mail is the default location for host context messages. Specify one of the following:

• Yes - Delete the local administrator e-mail. This is the default.

• No - Do not delete local administrator e-mail.

Temporary Files Retention Period: Specify the time period the system stores temporary files. The default is 6 hours.

Asset Profile Reporting Interval: Specify the interval, in seconds, at which the database stores new asset profile information. The default is 900 seconds.

Asset Profile Views: Specify the views you want the system to use when accumulating asset profile data.

VIS Passive Asset Profile Interval: Specify the interval, in seconds, at which the database stores all passive asset profile information. The default is 86,400 seconds.

Audit Log Enable: Enables or disables the collection of audit logs. You can view audit log information using the Event Viewer. The default is Yes.

TNC Recommendation Enable: Trusted Network Connect (TNC) recommendations enable you to restrict or deny access to the network based on user name or other credentials. Specify one of the following:

• Yes - Enables the TNC recommendation functionality.

• No - Disables the TNC recommendation functionality.


Coalescing Events: Enables or disables the ability for a sensor device to coalesce (bundle) events. This value applies to all sensor devices. However, if you want to alter this value for a specific sensor device, edit the Coalescing Event parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.

Store Event Payload: Enables or disables the ability for a sensor device to store event payload information. This value applies to all sensor devices. However, if you want to alter this value for a specific sensor device, edit the Event Payload parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.

Global Iptables Access: Specify the IP address of a non-Console system that does not have an iptables configuration and to which you want to enable direct access. To enter multiple systems, enter a comma-separated list of IP addresses.

Dynamic Custom View Deploy Interval: Specify the interval, in seconds, at which changes for any dynamic custom view, such as ASN or ifIndex views, are deployed. When the Classification Engine collects dynamic view information and reports it to configuration services, this is the interval at which the configuration services component deploys the changes. The default is 15 seconds.

Database Settings

User Data Files: Specify the location of the user profiles. The default is /store/users.

Database Storage Location: Specify the location of the database files. The default location is /store/db.

Sentry Database Location: Specify the location of the sentry database. The default is /store/sentry/db.

Network View Graph Retention Period: Using the drop-down list box, select the period of time you want to store the network view graph information. The default is 4 weeks.

All Views - Group Database Retention Period: Using the drop-down list box, select the period of time you want to store the group views information. The default is 1 week.

All Views - Object Database Retention Period: Using the drop-down list box, select the period of time you want to store the object views information. The default is 1 week.

Offense Retention Period: Using the drop-down list box, select the period of time you want to retain offense information. The default is 3 days.


Identity History Retention Period: Using the drop-down list box, select the length of time you want to store asset profile history records. The default is 1 week.

Attacker History Retention Period: Specify the amount of time that you want to store the attacker history. The default is 6 months.

Ariel Database Settings

Flow Data Storage Location: Specify the location where you want to store the flow log information. The default location is /store/ariel/flows.

Flow Data Retention Period: Specify the period of time you want to store flow data. The default is 1 week.

Asset Profile Storage Location: Specify the location where you want to store asset profile information. The default location is /store/ariel/hprof.

Asset Profile Retention Period: Specify the period of time, in days, that you want to store the asset profile information. The default is 30 days.

Device Log Storage Location: Specify the location where you want to store the device log information. The default location is /store/ariel/events.

Device Log Data Retention Period: Specify the amount of time that you want to store the device log data. The default is 30 days.

Custom View Retention Period: Specify the amount of time, in seconds, that you want to store custom view information. The default is 2,592,000 seconds (30 days).

Maximum Real Time Results: Specify the maximum number of results you want to view in the Event Viewer and Flow Viewer. The default is 10,000.

Reporting Max Matched Results: Specify the maximum number of results you want a report to return. This value applies to the search results in the Event Viewer and Flow Viewer. The default is 1,000,000.

Command Line Max Matched Results: Specify the maximum number of results you want the command line to return. The default is 0.

Web Execution Time Limit: Specify the maximum amount of time, in seconds, you want a query in the interface to process before a time-out occurs. This value applies to the search results in the Event Viewer and Flow Viewer. The default is 600 seconds.

Reporting Execution Time Limit: Specify the maximum amount of time, in seconds, you want a reporting query to process before a time-out occurs. The default is 57,600 seconds.

Command Line Execution Time Limit: Specify the maximum amount of time, in seconds, you want a query in the command line to process before a time-out occurs. The default is 0 seconds.

Flow Log Hashing: Enables or disables storing a hash file for every stored flow log file. The default is No.


Event Log Hashing Enables or disables the ability for STRM to store a hash file for every stored event log file. The default is No.

Hashing Algorithm - Specify the hashing algorithm STRM uses when Event Log Hashing or Flow Log Hashing is enabled. The hash file stored beside each log file lets you later verify that the file has not been altered, so the strength of the algorithm determines how much that check is worth. Two families are available:

• Message-Digest (MD) algorithms - Produce a 128-bit message digest.

• Secure Hash Algorithm (SHA) algorithms - Produce a larger digest, from 160 bits (SHA-1) to 512 bits (SHA-512).

The options are:

• MD2 - Algorithm defined by RFC 1319.

• MD5 - Algorithm defined by RFC 1321.

• SHA-1 - Default. Algorithm defined by the Secure Hash Standard (SHS), NIST FIPS 180-1. Produces a 160-bit digest.

• SHA-256 - Algorithm defined by FIPS 180-2, SHS. Produces a 256-bit digest and is intended to provide 128 bits of security against collision attacks.

• SHA-384 - Algorithm defined by FIPS 180-2, SHS. Produces a 384-bit digest by truncating the output of SHA-512 (computed with different initial values) and is intended to provide 192 bits of security.

• SHA-512 - Algorithm defined by FIPS 180-2, SHS. Produces a 512-bit digest and is intended to provide 256 bits of security.

Note: MD2 and MD5 have practical collision attacks and SHA-1 is no longer considered collision resistant, so choose SHA-256 or stronger if the hash files are meant to detect tampering rather than accidental corruption.
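The following Python script is an added illustration of what a per-file log hash buys you; it is not STRM code and does not use STRM's hash file format (the `<name>.<algorithm>` sidecar naming is an assumption). It computes a digest over a constructed log file with the algorithms listed above, stores it beside the file, and shows that appending a single line makes verification fail. It also measures the real digest sizes, which is where the bit counts in the table come from.

```python
import hashlib
import hmac
import os
import tempfile

# Digest sizes, in bits, of the algorithms offered by the Hashing Algorithm setting.
# MD2 is omitted: Python's hashlib does not ship it and it is obsolete.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


def digest_bits(algorithm):
    """Measure the digest length hashlib actually produces, to check the table above."""
    return len(hashlib.new(algorithm).digest()) * 8


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, streamed in chunks so large log files fit in memory."""
    if algorithm not in DIGEST_BITS:
        raise ValueError("unsupported hashing algorithm: %s" % algorithm)
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_path(path, algorithm):
    # Hypothetical naming: STRM's own hash file layout is not documented on this page.
    return "%s.%s" % (path, algorithm)


def write_hash_file(path, algorithm="sha256"):
    """Store the digest beside the log file, in the 'digest  filename' layout used by sha256sum."""
    sidecar = sidecar_path(path, algorithm)
    with open(sidecar, "w") as f:
        f.write("%s  %s\n" % (hash_file(path, algorithm), os.path.basename(path)))
    return sidecar


def verify_hash_file(path, algorithm="sha256"):
    """Recompute the digest and compare it with the stored one; True means the file is unchanged."""
    with open(sidecar_path(path, algorithm)) as f:
        stored = f.read().split()[0]
    # Constant-time comparison: not strictly needed for a local check, but harmless and habitual.
    return hmac.compare_digest(stored, hash_file(path, algorithm))


def demo():
    """Hash a constructed event log, then append a line and show that verification fails."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "events.log")
    with open(log, "w") as f:   # constructed sample log line, not real STRM data
        f.write("Jan  1 00:00:01 host sshd[123]: Failed password for root from 10.0.0.5\n")
    write_hash_file(log, "sha256")
    untouched = verify_hash_file(log, "sha256")
    with open(log, "a") as f:   # simulate tampering after the hash was stored
        f.write("Jan  1 00:00:02 host sshd[123]: Accepted password for root from 10.0.0.5\n")
    tampered = verify_hash_file(log, "sha256")
    return untouched, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The check only has value if the stored digest cannot be rewritten by whoever can rewrite the log, so keep the hash files (or copies of them) on a host or medium the collector cannot modify, or replace the plain hash with an HMAC under a key the collector does not hold.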

Sentry Settings

Alert Directory - Specify the location where you want to store active alerts for each user. The default is /store/sentry/alerts.

Default Sentry Scripts - Specify the default sentry scripts you want to execute. The default is /opt/STRM/triggerbin/system.js.

List of Sentry Scripts - Specify the sentry scripts you want to execute, in the order of execution. Separate each entry with a comma. The default is system.js,activity_anomaly.js,learn_policy.js,threshold.js,behavioral.js.

Sentry Properties - Specify the sentry properties location. The default is /store/sentry/persistent_properties.xml.

Sentry Response Queue - Specify the sentry response queue file. The default is /store/sentry/response_queue.xml.

Sentry Database Location - Specify the location of the sentry database. The default is /store/sentry/qc_persistentstorage.


Transaction Sentry Settings

Transaction Max Time Limit - A transaction sentry detects unresponsive applications using transaction analysis. If an unresponsive application is detected, the transaction sentry attempts to return the application to a functional state. Using the drop-down list box, select the length of time after which an open database transaction is treated as a transactional issue. The default is 10 minutes.

Resolve Transaction on Non-Encrypted Host - Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the Console or on non-encrypted managed hosts. If you select No, the conditions are detected and logged, but you must intervene manually and correct the error. The default is Yes.

Resolve Transaction on Encrypted Host - Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on encrypted managed hosts. If you select No, the conditions are detected and logged, but you must intervene manually and correct the error. The default is Yes.

SNMP Settings

Enable - Enables or disables Simple Network Management Protocol (SNMP) responses in the STRM custom rules engine. The default is No, which means rule responses do not send SNMP notifications.

Destination Host - Specify the IP address to which you want to send SNMP notifications.

Destination Port - Specify the port to which you want to send SNMP notifications. The default is 162.

Community (V2) - Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2. The community string travels in cleartext with every notification, so treat it as a shared secret and do not leave it at the well-known value public.

User Name - Specify the SNMPv3 user name used to authenticate to the notification receiver.

Security Level - Specify the SNMPv3 security level. The options are:

• NOAUTH_NOPRIV - No authentication and no privacy (encryption). This is the default. Notifications sent at this level can be forged or read by anyone on the network path.

• AUTH_NOPRIV - Authentication but no privacy. The receiver can verify who sent the notification, but its contents are sent in cleartext.

• AUTH_PRIV - Authentication and privacy. Use this level wherever the receiver supports it.

Authentication Protocol - Specify the algorithm you want to use to authenticate SNMP traps.


Authentication Password - Specify the password you want to use to authenticate SNMP traps.

Privacy Protocol - Specify the protocol you want to use to encrypt SNMP traps.

Privacy Password - Specify the password used to encrypt SNMP traps.

Embedded SNMP Agent Settings

Enabled - Enables or disables access to data from the SNMP agent using SNMP requests. The default is No.

Community String - Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2. Anyone who knows the community string and is on the IP access list can read the agent's data, so change it from public.

IP Access List - Specify the systems that can access data from the SNMP agent using SNMP requests. If the Enabled option is set to Yes, this list is enforced.

Step 4 Click Save.

The STRM Administration Console appears.

Step 5 From the menu, select Configurations > Deploy All.

Configuring System Notifications

You can configure alerts on system performance thresholds using the STRM Administration Console. This section describes how to configure those thresholds.

To configure system thresholds:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Global System Notifications icon.

The Global System Notifications window appears.

Step 3 Enter values for the parameters. For each parameter, you must set the following options:

• Enabled - Select the check box to enable the option.

• Respond if value is - Specify one of the following options:

- Greater Than - An alert occurs if the parameter value exceeds the configured value.

- Less Than - An alert occurs if the parameter value is less than the configured value.

• Resolution Message - Specify a description of the preferred resolution to the alert.


Table 4-4 System Thresholds Parameters

Parameter - Description

User CPU usage - Specify the threshold percentage of user CPU usage.

Nice CPU usage - Specify the threshold percentage of user CPU usage at the nice priority.

System CPU usage - Specify the threshold percentage of CPU usage while operating at the system level.

Idle CPU usage - Specify the threshold percentage of idle CPU time.

Percent idle time - Specify the threshold percentage of idle time.

Run queue length - Specify the threshold number of processes waiting for run time.

Number of processes in the process list - Specify the threshold number of processes in the process list.

System load over 1 minute - Specify the threshold system load average over the last minute.

System load over 5 minutes - Specify the threshold system load average over the last 5 minutes.

System load over 15 minutes - Specify the threshold system load average over the last 15 minutes.

Kilobytes of memory free - Specify the threshold amount, in kilobytes, of free memory.

Kilobytes of memory used - Specify the threshold amount, in kilobytes, of used memory. This does not include memory used by the kernel.

Percentage of memory used - Specify the threshold percentage of used memory.

Kilobytes of cached swap memory - Specify the threshold amount of memory, in kilobytes, shared by the system.

Kilobytes of buffered memory - Specify the threshold amount of memory, in kilobytes, used as a buffer by the kernel.

Kilobytes of memory used for disc cache - Specify the threshold amount of memory, in kilobytes, used by the kernel to cache data.

Kilobytes of swap memory free - Specify the threshold amount of free swap memory, in kilobytes.

Kilobytes of swap memory used - Specify the threshold amount, in kilobytes, of used swap memory.

Percentage of swap used - Specify the threshold percentage of used swap space.

Number of interrupts per second - Specify the threshold number of interrupts received per second.

Received packets per second - Specify the threshold number of packets received per second.

Transmitted packets per second - Specify the threshold number of packets transmitted per second.

Received bytes per second - Specify the threshold number of bytes received per second.

Transmitted bytes per second - Specify the threshold number of bytes transmitted per second.

Received compressed packets - Specify the threshold number of compressed packets received per second.

Transmitted compressed packets - Specify the threshold number of compressed packets transmitted per second.

Received multicast packets - Specify the threshold number of multicast packets received per second.

Receive errors - Specify the threshold number of corrupt packets received per second.

Transmit errors - Specify the threshold number of corrupt packets transmitted per second.

Packet collisions - Specify the threshold number of collisions that occur per second while transmitting packets.

Dropped receive packets - Specify the threshold number of received packets dropped per second because of a lack of buffer space.

Dropped transmit packets - Specify the threshold number of transmitted packets dropped per second because of a lack of buffer space.

Transmit carrier errors - Specify the threshold number of carrier errors that occur per second while transmitting packets.

Receive frame errors - Specify the threshold number of frame alignment errors that occur per second on received packets.

Receive fifo overruns - Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.

Transmit fifo overruns - Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.

Transactions per second - Specify the threshold number of transfers per second issued to the disk.

Sectors written per second - Specify the threshold number of sectors transferred to or from the disk per second.

Step 4 Click Save.

The STRM Administration Console appears.

Step 5 From the menu, select Configurations > Deploy Configuration Changes.


Configuring the Console Settings

The STRM Console provides the interface for STRM. The Console provides real-time views, reports, alerts, and in-depth investigation of flows for network traffic and security threats. You also use the Console to manage distributed STRM deployments.

You can access the Console from a standard web browser. When you access the system, a prompt appears for a user name and password, which must be configured in advance by the STRM administrator. STRM supports the following web browsers:

• Internet Explorer 6.0 or 7.0

• Mozilla Firefox 3.0

To configure STRM Console settings:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Console icon.

The STRM Console Settings window appears.

Step 3 Enter values for the parameters:

Table 4-5 STRM Console Management Parameters

Parameter - Description

Console Settings


ARP - Safe Interfaces - Specify the interfaces you want to exclude from ARP resolution activities.

Enable 3D graphs in the user interface - Using the drop-down list box, select one of the following:

• Yes - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 3-dimensional format.

• No - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 2-dimensional format.

Authentication Settings

Persistent Session Timeout (in days) - Specify the length of time, in days, that a user session is persisted. The default is 0, which disables this feature and the remember me option at login.

Maximum Login Failures - Specify the number of times a login attempt may fail. The default is 5.

Login Failure Attempt Window (in minutes) - Specify the length of time during which the maximum number of login failures may occur before the system is locked. The default is 10 minutes.

Login Failure Block Time (in minutes) - Specify the length of time that the system is locked if the maximum login failures value is exceeded. The default is 30 minutes.

Login Host Whitelist - Specify a list of hosts that are exempt from being locked out of the system. Enter multiple entries as a comma-separated list. Keep this list short: password guessing from a whitelisted host is never throttled.

Inactivity Timeout (in minutes) - Specify the amount of time after which a user is automatically logged out of the system if no activity occurs.

Login Message File - Specify the location and name of a file whose content you want to appear on the STRM login window. The file may be plain text or HTML, and its contents appear below the login form. Because HTML in this file is rendered to everyone who reaches the login page, restrict who can write to it.
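The attempt-window and block-time settings interact in a way that is easier to see in code. The following Python class is an added example, not STRM's implementation: it counts failures per source host (an assumption; the whitelist is host-based, so that keying fits), locks a host once the failures inside the window exceed the maximum, and lets a block lapse after the block time. The attempt stream it replays is constructed.

```python
from collections import defaultdict, deque


class LoginFailureTracker:
    """Sliding-window lockout modelled on the Console authentication settings.

    Illustrative logic only, not STRM's code. Failures are keyed by source host, a host is
    locked once the failures inside the attempt window exceed max_failures, and the lock
    expires after block_minutes. All times are epoch seconds.
    """

    def __init__(self, max_failures=5, window_minutes=10, block_minutes=30, host_whitelist=()):
        self.max_failures = max_failures
        self.window = window_minutes * 60
        self.block = block_minutes * 60
        self.whitelist = set(host_whitelist)
        self._failures = defaultdict(deque)  # host -> timestamps of failures in the window
        self._blocked_until = {}             # host -> time at which the block expires

    def is_blocked(self, host, now):
        """True while the host is inside its block time; blocks expire automatically."""
        until = self._blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[host]
            return False
        return True

    def record_failure(self, host, now):
        """Record a failed login and return True if this failure triggers a block."""
        if host in self.whitelist:
            return False          # whitelisted hosts are never locked out
        window = self._failures[host]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()      # forget failures older than the attempt window
        if len(window) > self.max_failures:
            self._blocked_until[host] = now + self.block
            window.clear()
            return True
        return False

    def record_success(self, host):
        """A successful login resets the failure count for the host."""
        self._failures.pop(host, None)


def replay(tracker, attempts):
    """Feed (host, time, succeeded) tuples through the tracker.

    Attempts made while a host is blocked are rejected without being counted. Returns the
    (host, time) pairs at which a block began.
    """
    blocks = []
    for host, when, ok in attempts:
        if tracker.is_blocked(host, when):
            continue
        if ok:
            tracker.record_success(host)
        elif tracker.record_failure(host, when):
            blocks.append((host, when))
    return blocks


def demo():
    """Constructed attempt stream: a brute-force host, a slow guesser and a whitelisted jump host."""
    tracker = LoginFailureTracker(max_failures=5, window_minutes=10, block_minutes=30,
                                  host_whitelist=["10.0.0.9"])
    attempts = [("10.0.0.5", t, False) for t in range(0, 360, 60)]        # 6 failures in 5 minutes
    attempts += [("10.0.0.7", t, False) for t in range(0, 6 * 700, 700)]  # 6 failures, 11.7 min apart
    attempts += [("10.0.0.9", t, False) for t in range(0, 600, 30)]       # 20 failures, whitelisted
    attempts.sort(key=lambda a: a[1])
    return replay(tracker, attempts)


if __name__ == "__main__":
    print(demo())   # [('10.0.0.5', 300)]
```

The slow guesser never trips the lock because each of its failures has aged out of the 10-minute window by the time the next one arrives; if that pattern matters to you, lengthen the attempt window rather than lowering the failure count, which mostly punishes legitimate typos.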


Event Permission Precedence - Using the drop-down list box, specify the level of network permissions you want to assign users. This affects the events that appear in the Event Viewer. The options are:

• Network Only - A user must have access to either the source network or the destination network of the event for the event to appear in the Event Viewer.

• Devices Only - A user must have access to the device or device group that created the event for the event to appear in the Event Viewer.

• Networks and Devices - A user must have access to both the source or destination network and the device or device group for the event to appear in the Event Viewer.

• None - All events appear in the Event Viewer. Any user with Event Viewer role permissions is able to view all events.

Note: For more information on managing users, see Chapter 1 Managing Users.

DNS Settings

Enable DNS Lookups for Asset Profiles - Enable or disable the ability for STRM to search for DNS information in asset profiles. When enabled, this information is available by right-clicking the IP address or host name in the Host Name (DNS Name) field of the asset profile. The default is False.

Enable DNS Lookups for Host Identity - Enable or disable the ability for STRM to search for host identity information. When enabled, this information is available by right-clicking any IP address or asset name in the interface. The default is True.

WINS Settings

WINS Server - Specify the location of the Windows Internet Name Service (WINS) server.

Reporting Settings

Report Retention Period - Specify the period of time, in days, that you want the system to maintain reports. The default is 30 days.

Data Export Settings

Include Header in CSV Exports - Specify whether you want to include a header row in CSV export files.

Maximum Simultaneous Exports - Specify the maximum number of exports that can run at one time.

Step 4 Click Save.


Step 5 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
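The four Event Permission Precedence modes differ only in how the network test and the device test are combined, which the following Python function makes explicit. It is an added example, not STRM's code; the sample events, the device-to-group table, and the field names are constructed for illustration.

```python
NETWORK_ONLY = "Network Only"
DEVICES_ONLY = "Devices Only"
NETWORKS_AND_DEVICES = "Networks and Devices"
NONE = "None"

# Constructed device-to-group mapping; how STRM groups devices is assumed, not documented here.
DEVICE_GROUPS = {"fw-dmz-1": "firewalls", "fw-core-1": "firewalls", "ids-1": "sensors"}


def event_visible(precedence, user_networks, user_devices, event):
    """Decide whether one event is shown to a user under the chosen Event Permission Precedence.

    user_networks: names of the networks the user may access.
    user_devices: names of the devices or device groups the user may access.
    event: dict carrying the source network, destination network and originating device.
    """
    network_ok = event["src_net"] in user_networks or event["dst_net"] in user_networks
    device = event["device"]
    device_ok = device in user_devices or DEVICE_GROUPS.get(device) in user_devices
    if precedence == NONE:
        return True                       # every Event Viewer user sees everything
    if precedence == NETWORK_ONLY:
        return network_ok
    if precedence == DEVICES_ONLY:
        return device_ok
    if precedence == NETWORKS_AND_DEVICES:
        return network_ok and device_ok   # both tests must pass
    raise ValueError("unknown precedence: %r" % precedence)


def visible_events(precedence, user_networks, user_devices, events):
    """Return the ids of the events a user would see in the Event Viewer."""
    return [e["id"] for e in events
            if event_visible(precedence, user_networks, user_devices, e)]


# Constructed sample events, not real STRM data.
EVENTS = [
    {"id": 1, "src_net": "DMZ", "dst_net": "Internet", "device": "fw-dmz-1"},
    {"id": 2, "src_net": "Internet", "dst_net": "Corp", "device": "fw-core-1"},
    {"id": 3, "src_net": "Corp", "dst_net": "Corp", "device": "ids-1"},
    {"id": 4, "src_net": "Lab", "dst_net": "Lab", "device": "ids-1"},
]


def demo():
    """A DMZ analyst who may see the DMZ network and the 'firewalls' device group."""
    nets, devs = {"DMZ"}, {"firewalls"}
    return {mode: visible_events(mode, nets, devs, EVENTS)
            for mode in (NETWORK_ONLY, DEVICES_ONLY, NETWORKS_AND_DEVICES, NONE)}


if __name__ == "__main__":
    for mode, ids in demo().items():
        print("%-22s %s" % (mode, ids))
```

Under Devices Only the analyst sees event 2, core-firewall traffic that never touched the DMZ, because the device group grants it; Networks and Devices is the only mode that narrows the view to events that satisfy both grants, so it is the setting to use when device access is broader than network access.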

Starting and Stopping STRM

To start, stop, or restart STRM:

Step 1 In the main STRM interface, click Config.

The STRM Administration Console appears.

Step 2 From the System menu, select one of the following options:

a STRM Start

b STRM Stop

c STRM Restart

Resetting SIM

Using the Administration Console, you can reset the SIM module, which removes all offense, attacker, and target information from the database and the disk. This option is useful after tuning your deployment, to clear the offenses that false positives generated before the tuning took effect.

To reset the SIM module:

Step 1 In the Administration Console, click the SIM Configuration tab.

The SIM Configuration panel appears.

Step 2 Click the Clean SIM Model icon.

The Reset SIM Data Module window appears.

Step 3 Read the information in the window.

Step 4 Select one of the following options:

• Soft Clean - Closes all offenses in the database.


• Hard Clean - Removes all active SIM data, including offenses, targets, and attackers. A hard clean is irreversible, so make sure no open investigation still depends on the existing offenses before you proceed.

Step 5 If you want to continue, select the Are you sure you want to reset the data model? check box.

Step 6 Click Proceed.

A message appears indicating that the SIM reset process has started. This process may take several minutes, depending on the amount of data in your system.

Step 7 Once the SIM reset process is complete, refresh your browser.

Note: If you attempt to navigate to other areas of the user interface during the SIM reset process, an error message appears.


4

MANAGING AUTHORIZED SERVICES

You can configure authorized services in the Administration Console to pre-authenticate a customer support service for your STRM deployment. Authenticating a customer support service allows the service to connect to your STRM interface and dismiss offenses or update offense notes using a web service. You can add or revoke an authorized service at any time.

Note: To access the authorized services functionality, a user role must exist with only the Offense Management check box selected. The Assign Offenses to Users and the Customized Rule Creation check boxes must be clear. Keeping the role this narrow limits what a leaked service token can do. For more information on creating user roles, see Chapter 4 Managing Users.

This chapter provides information for managing authorized services, including:

• Viewing Authorized Services

• Adding an Authorized Service

• Revoking Authorized Services

Viewing Authorized Services

To view authorized services for your STRM deployment:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Authorized Services icon. The Manage Authorized Services window appears providing the following information:

Table 5-1 Manage Authorized Services Parameters

Parameter - Description

Service Name - Specifies the name of the authorized service.

Authorized By - Specifies the name of the user or administrator that authorized the addition of the service.

Authentication Token - Specifies the token associated with this authorized service.

User Role - Specifies the user role associated with this authorized service.

Created - Specifies the date that this authorized service was created.

Expired - Specifies the date and time that the authorized service will expire. This field also indicates when a service has expired.

Step 3 To select a token from an authorized service, select the appropriate authorized service. The token appears in the Selected Token field in the top bar. This allows you to copy the token into your third-party application to authenticate with STRM. Treat the token as a credential: anyone who holds it can act with the service's user role until the service expires or is revoked.

Adding an Authorized Service

To add an authorized service:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Authorized Services icon.

The Manage Authorized Services window appears.

Step 3 Click Add Authorized Service.

The Add Authorized Service window appears.

Step 4 Enter values for the parameters:

Table 5-2 Add Authorized Services Parameters

Parameter - Description

Service Name - Specify a name for this authorized service. The name can be up to 255 characters in length.

User Role - Using the drop-down list box, select the user role you want to assign to this authorized service. The user role assigned to an authorized service determines the functionality in the STRM interface the service can access.

Expiry Date - Specify the date you want this service to expire, or select the No Expiry check box if you do not want this service to expire. By default, an authorized service is valid for 30 days.


Step 5 Click Create Service.

A confirmation message appears. This message contains a token field that you must copy into your third-party application to authenticate with STRM. For more information about setting up your third-party application to integrate with STRM, contact your system administrator.

Revoking Authorized Services

To revoke an authorized service:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.Step 2 Click the Authorized Services icon.

The Manage Authorized Services window appears.

Step 3 Select the service you want to revoke.

Step 4 Click Revoke Authorization. A confirmation window appears.

Step 5 Click Ok.
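The following Python model is an added example of the authorized-service life cycle described in this chapter; it is not STRM's implementation or its web service API. It generates a random bearer token for a service bound to a user role, applies the 30-day default expiry or no expiry, rejects expired or revoked tokens, and gates a permission on the role. The role table is a constructed stand-in for the roles an administrator would create.

```python
import secrets
import time

DAY = 86400

# Hypothetical role table. The note above says the role used for an authorized service should
# carry only Offense Management, without Assign Offenses to Users or Customized Rule Creation.
ROLES = {
    "support-offense-mgmt": {"Offense Management"},
    "analyst": {"Offense Management", "Assign Offenses to Users"},
}


class AuthorizedServiceRegistry:
    """Illustrative model of the Manage Authorized Services workflow, not STRM's code.

    A service is created with a name, a user role and an expiry (30 days by default, or none),
    receives a random token, is authenticated by that token, and can be revoked at any time.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the expiry logic can be tested deterministically
        self._by_token = {}

    def create(self, service_name, user_role, authorized_by, expiry=None, no_expiry=False):
        if not 0 < len(service_name) <= 255:
            raise ValueError("service name must be 1-255 characters")
        if user_role not in ROLES:
            raise ValueError("unknown user role: %s" % user_role)
        now = self._clock()
        if no_expiry:
            expires = None
        else:
            expires = expiry if expiry is not None else now + 30 * DAY
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_token[token] = {
            "service_name": service_name, "user_role": user_role,
            "authorized_by": authorized_by, "created": now,
            "expires": expires, "revoked": False,
        }
        return token

    def authenticate(self, token):
        """Return the record for a live token, or None for unknown, expired or revoked tokens."""
        record = self._by_token.get(token)
        if record is None or record["revoked"]:
            return None
        if record["expires"] is not None and self._clock() >= record["expires"]:
            return None
        return record

    def permitted(self, token, permission):
        """Authorization check: the token's role must carry the requested permission."""
        record = self.authenticate(token)
        return record is not None and permission in ROLES[record["user_role"]]

    def revoke(self, token):
        """Revocation takes effect immediately, regardless of the expiry date."""
        if token in self._by_token:
            self._by_token[token]["revoked"] = True


def demo():
    """Walk a support token through its life: valid, used, expired after 30 days, then revoked."""
    clock = [1200000000]            # fixed start time so the result is reproducible
    reg = AuthorizedServiceRegistry(clock=lambda: clock[0])
    token = reg.create("vendor-support", "support-offense-mgmt", "admin")
    results = [reg.permitted(token, "Offense Management"),
               reg.permitted(token, "Customized Rule Creation")]
    clock[0] += 29 * DAY
    results.append(reg.authenticate(token) is not None)
    clock[0] += 2 * DAY
    results.append(reg.authenticate(token) is not None)
    forever = reg.create("monitoring", "support-offense-mgmt", "admin", no_expiry=True)
    reg.revoke(forever)
    results.append(reg.authenticate(forever) is not None)
    return results   # [True, False, True, False, False]


if __name__ == "__main__":
    print(demo())
```

Because the token is a bearer credential, whoever copies it out of the Selected Token field or the confirmation message can act as the service until it expires or is revoked, so prefer a short expiry over No Expiry and revoke the service as soon as the support engagement ends.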


5

MANAGING BACKUP AND RECOVERY

Using the Administration Console, you can back up and recover configuration information and data for STRM. You can back up and recover the following information for your system:

• License key information

• Sentry configuration

• Rules configuration

• Configuration database information

• User profile information

• Views configuration

This chapter provides information on managing backup and recovery, including:

• Managing Backup Archives

• Backing Up Your Information

• Restoring Your Configuration Information

Managing Backup Archives

Using the Administration Console, you can:

• View your successful backup archives. See Viewing Back Up Archives.

• Import an archive file. See Importing an Archive.

• Delete an archive file. See Deleting a Backup Archive.

Viewing Backup Archives

To view all successful backups:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Backup Recovery icon.

The Backup Archives window appears.


The list of archives includes backup files that exist in the database. If a backup file is deleted, it is removed from the disk and from the database. Also, the entry is removed from this list and an audit event is generated to indicate the removal. If a backup is in progress, a status window appears to indicate the duration of the current backup, which user/process initiated the backup, and provides you with the option to cancel the backup.

Each archive file includes the data from the previous day. The Backup Archives window provides the following information for each backup archive.

Table 6-1 Backup Archive Window Parameters

Parameter - Description

Host - Specifies the host that initiated the backup process.

Name - Specifies the name of the backup archive. To download the backup file, click the name of the backup.

Type - Specifies the type of backup. The options are:

• db (database)

• config (configuration data)

• data (events, flows, and asset profile information)

Size - Specifies the size of the archive file.

Time Initiated - Specifies the time that the backup file was created.

Duration - Specifies the time taken to complete the backup process.

Initialized By - Specifies whether the backup file was created by a user or through a scheduled process.

Importing an Archive

To import a STRM backup archive file:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Backup Recovery icon.

The Backup Archives window appears.

Step 3 In the Upload Archive field, click Browse.

The File Upload window appears.

Step 4 Select the archive file you want to upload. Click Open.

Step 5 Click Upload.

Deleting a Backup Archive

To delete a backup archive:

Note: To delete a backup archive file, the backup archive file and the Host Context component must reside on the same system. The system must also be in communication with the Console.

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Backup Recovery icon.

The Backup Archives window appears.

Step 3 Select the archive you want to delete.

Step 4 Click Delete.

A confirmation window appears.

Step 5 Click Ok.


Backing Up Your Information

You can back up your configuration information and data using the Backup Recovery Configuration window, either manually or on a schedule. By default, STRM creates a backup archive of your configuration information every night at midnight; the backup includes configuration and, if configured, data from the previous day. This section describes both methods:

• Scheduling Your Backup

• Initiating a Backup

Scheduling Your Backup

To schedule your backup process:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Backup Recovery icon.

The Backup Archives window appears.

Step 3 Click Configure.

The Backup Recovery Configuration window appears.

Step 4 Enter values for the parameters:

Table 6-2 Backup Recovery Configuration Parameters

Parameter - Description

General Backup Configuration

Backup Repository Path - Specify the location where you want to store your backup files. This path must exist before the backup process is initiated; if it does not exist, the backup process aborts. The default is /store/backup.

Note: If you modify this path, make sure the new path is valid on every system in your deployment.

Backup Retention Period - Specify the length of time, in days, that you want to maintain backup files. The default is 2 days.

Note: This period only affects backup files generated by the scheduled process. Manually initiated backups are not affected by this value; delete them from the Backup Archives window when they are no longer needed.

Nightly Backup Schedule - Select one of the following options:

• No Nightly Backups - Disables the creation of a daily backup archive.

• Configuration Backup Only - Enables the creation of a daily backup at midnight that includes configuration information only.

• Configuration and Data Backups - Enables the creation of a daily backup at midnight that includes configuration information and data. If you select this option, you can select the hosts you want to back up. This option backs up all database table information, including:

- Offenses (including target and attacker information)

- Asset data

- Categories

- Vulnerability data

Once you select a host, you can select from the following options: Event Data, Flow Data, and Asset Profile Data.

Configuration Only Backup

Backup Time Limit - Specify the length of time, in minutes, that you want to allow the backup to process.

Backup Priority - Specify the level of importance (low, medium, high) you want the system to place on the configuration information backup process compared to other processes.

Data Backup

Backup Time Limit (min) - Specify the length of time, in minutes, that you want to allow the backup to process.

Backup Priority - Specify the level of importance (low, medium, high) you want the system to place on the data backup process compared to other processes.

Step 5 Click Save.


Step 6 From the Administration Console menu, select Configurations > Deploy All.

Initiating a Backup

To manually initiate a backup:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Backup Recovery icon. The Backup Archives window appears.

Step 3 Click On Demand Backup.

The Create a Backup window appears.

Step 4 Enter values for the following parameters:

• Name - Specify a unique name for this backup file. The name may contain up to 100 characters: letters, digits, underscore (_), dash (-), and period (.).

• Description - Specify a description for this backup. The description can be up to 255 characters in length.

Step 5 Click Run Backup. A confirmation window appears.

Step 6 Click OK.
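Two rules in this chapter are easy to get wrong in a clean-up script: the Backup Retention Period applies only to scheduled backups, and on-demand backup names are limited to 100 characters drawn from letters, digits, underscore, dash and period. The following Python is an added example, not STRM's code, that applies both rules; the archive list, carrying the Table 6-1 fields it needs, is constructed.

```python
import re
import time

DAY = 86400
BACKUP_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def valid_backup_name(name):
    """Apply the on-demand backup naming rule: 1-100 characters from letters, digits, _ - and ."""
    return bool(BACKUP_NAME.match(name))


def expired_scheduled_archives(archives, retention_days=2, now=None):
    """Return the archives the retention period governs that are older than it.

    Each archive is a dict with the Table 6-1 fields used here: name, type, initiated
    (epoch seconds) and initialized_by ('scheduled' or 'user'). Manually initiated archives
    are never selected, because the retention period only applies to scheduled backups.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * DAY
    return [a for a in archives
            if a["initialized_by"] == "scheduled" and a["initiated"] < cutoff]


def prune_archives(archives, retention_days=2, now=None, audit_log=None):
    """Drop expired scheduled archives, record one audit line per removal, return what remains."""
    audit_log = [] if audit_log is None else audit_log
    doomed = {a["name"] for a in expired_scheduled_archives(archives, retention_days, now)}
    for a in archives:
        if a["name"] in doomed:
            audit_log.append("backup archive %s (%s, scheduled) removed by retention policy"
                             % (a["name"], a["type"]))
    return [a for a in archives if a["name"] not in doomed]


# Constructed archive list standing in for the Backup Archives window; not real STRM data.
ARCHIVES = [
    {"name": "nightly-config-d6", "type": "config", "initiated": 6 * DAY,
     "initialized_by": "scheduled"},
    {"name": "nightly-data-d7", "type": "data", "initiated": 7 * DAY + DAY // 2,
     "initialized_by": "scheduled"},
    {"name": "nightly-config-d9", "type": "config", "initiated": 9 * DAY,
     "initialized_by": "scheduled"},
    {"name": "pre-upgrade.2008-3", "type": "config", "initiated": 1 * DAY,
     "initialized_by": "user"},
]


def demo(now=10 * DAY):
    """Prune with the default 2-day retention at a fixed 'now' so the result is reproducible."""
    audit = []
    kept = prune_archives(ARCHIVES, retention_days=2, now=now, audit_log=audit)
    return [a["name"] for a in kept], len(audit)


if __name__ == "__main__":
    print(demo())   # (['nightly-config-d9', 'pre-upgrade.2008-3'], 2)
```

The manually taken pre-upgrade archive survives no matter how old it is, which is the behaviour the retention note describes; if you need manual backups expired as well, that has to be a separate, deliberate deletion, not a change to this value.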


Restoring Your Configuration Information

You can restore configuration information from existing backup archives using the Restore Backup window. Note the following requirements when you are restoring configuration information:

• You can only restore a backup archive created within the same release of software. For example, if you are running STRM 6.1.2, the backup archive must have been created in STRM 6.1.2. You cannot restore configuration information archived in a previous release.

• Each backup archive includes IP address information of the system from which the backup archive was created. The IP address of the system on which you want to restore the information must match the IP address of the backup archive. If the IP addresses do not match, the restore process will fail.

To restore your configuration information using a backup archive:

Note: If the deployment you are restoring includes non-Console systems, make sure you re-add the managed hosts to your deployment and deploy all changes before you initiate the restore process.

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Backup Recovery icon.

The Backup Archives window appears.

Step 3 Select the archive you want to restore.

Step 4 Click Restore.

The Restore a Backup window appears.

Step 5 To restore specific items in the archive:

a Clear the All Items check box.

The list of archived items appears.

b Select the check box for each item you want to restore.

Step 6 Click Restore.

A confirmation window appears.

Step 7 Click Ok. The restore process begins. This process may take an extended period of time.

Step 8 From the Administration Console menu, select Configurations > Deploy All.


Note: The restore process only restores your configuration information. For assistance in restoring your data, contact Juniper Networks Customer Support.


6

USING THE DEPLOYMENT EDITOR

The deployment editor allows you to manage the individual components of your STRM and SIM deployment. Once you configure your Flow, Event, and System Views, you can access and configure the individual components of each managed host.

Note: The Deployment Editor requires the Java Runtime Environment. Download JRE 5.0 at www.java.sun.com. Also, if you are using the Firefox browser, you must configure your browser to accept Java Network Launching Protocol (JNLP) files.

Caution: Many third-party web browsers that use the Internet Explorer engine, such as Maxthon or MyIE, install components that may be incompatible with the STRM Administration Console. You must disable any third-party web browsers installed on your system. For further assistance, please contact customer support.

If you want to access the STRM Administration Console from behind a proxy server or firewall, you must configure the appropriate proxy settings on your desktop. This allows the software to automatically detect the proxy settings from your browser. To configure the proxy settings, open the Java configuration located in your Control Panel and configure the IP address of your proxy server. For more information on configuring proxy settings, see your Microsoft documentation.

This chapter provides information on managing your views, including:

• About the Deployment Editor

• Editing Deployment Editor Preferences

• Building Your Flow View

• Building Your Event View

• Managing Your System View

• Configuring STRM Components


About the Deployment Editor

You can access the deployment editor using the STRM Administration Console. You can use the deployment editor to create your deployment, assign connections, and configure each component.

The deployment editor provides the following views of your deployment:

• Flow View - Allows you to create a view that outlines how flows are processed in your deployment by allocating and connecting flow-based components, for example, connecting a Flow Collector to a Flow Processor.

• System View - Allows you to assign software components, such as a Flow Collector, to systems (managed hosts) in your deployment. The System View includes all managed hosts in your deployment. A managed host is a system in your deployment that has STRM software installed. By default, the System View also includes the Host Context component, which monitors all STRM components to ensure that each component is operating as expected.

• Event View - Allows you to create a view for your SIM components including Event Processor, Event Collector, and Magistrate components.

Each view is divided into two panels.

In the Flow View, the left panel provides a list of components that you can add to your view and the right panel provides the existing view of your deployment.

In the Event View, the left panel provides a list of SIM components you can add to the view and the right panel provides an existing view of your SIM deployment.

In the System View, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change. For example, if you remove a managed host, a message appears indicating that the components assigned to that host must be re-assigned to another host. Also, if you add a managed host to your deployment, the deployment editor displays a message indicating that the managed host has been added.

Accessing the Deployment Editor

In the Administration Console, click the deployment editor icon. The deployment editor appears. Once you update your configuration settings using the deployment editor, you must save those changes to the staging area. Staged changes are not enforced until they are deployed: either deploy all changes manually using the Administration Console Deploy menu option, or, when you exit the Administration Console, accept the prompt in the window that asks you to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.

Using the Editor

The deployment editor provides you with several menu and toolbar options when configuring your views including:

• Menu Options

• Toolbar Options

Menu Options

The menu options that appear depend on the selected component in your view. Table 7-1 provides a list of the menu options and the component for which they appear.

Table 7-1 Deployment Editor Menu Options

File menu:

• Save to staging - Saves the deployment to the staging area.

• Save and close - Saves the deployment to the staging area and closes the deployment editor.

• Open staged deployment - Opens a deployment that was previously saved to the staging area.

• Open production deployment - Opens a deployment that was previously saved.

• Close current deployment - Closes the current deployment.

• Revert - Reverts the current deployment to the previously saved deployment.

• Edit Preferences - Opens the preferences window.

• Close editor - Closes the deployment editor.

Edit menu:

• Delete - Deletes a component, host, or connection.

Actions menu:

• Add a managed host - Opens the Add a Managed Host wizard.

• Manage NATed Networks - Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.

• Rename component - Renames an existing component. This option is only available when a component is selected.

• Configure - Configures a STRM component. This option is only available when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, Magistrate, or Update Daemon is selected.

• Assign - Assigns a component to a managed host. This option is only available when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, Magistrate, or Update Daemon is selected.

• Unassign - Unassigns a component from a managed host. This option is only available when the selected component has a managed host running a compatible version of STRM software, and only when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, or Update Daemon is selected.

Help menu:

• Help and Support - Opens user documentation.

Toolbar Options

The toolbar options are listed in Table 7-2.

Table 7-2 Toolbar Options

The toolbar icons themselves are not reproduced here; each icon is listed by what it does:

• Saves the deployment to the staging area and closes the deployment editor.

• Opens the current production deployment.

• Opens a deployment that was previously saved to the staging area.

• Discards recent changes and reloads the last saved model.

• Deletes the selected item from the deployment view. This option is only available when the selected component has a managed host running a compatible version of STRM software.

• Opens the Add a Managed Host wizard, which allows you to add a managed host to your deployment.

• Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.

• Resets the zoom to the default.

• Zoom in.

• Zoom out.

Creating Your Deployment

To create your deployment, you must:

Step 1 Build your Flow View. See Building Your Flow View.

Step 2 Build your System View. See Managing Your System View.

Step 3 Configure added components. See Configuring STRM Components.

Step 4 Build your Event View. See Building Your Event View.

Step 5 Configure SIM components. See Configuring STRM Components.

Step 6 Stage the deployment. From the deployment editor menu, select File > Save to Staging.

Step 7 Deploy all configuration changes. From the Administration Console menu, select Configurations > Deploy All. For more information on the Administration Console, see Chapter 8 Overview.

Before you Begin

Before you begin, you must:

• Install all necessary hardware and STRM software.

• Install the Java Runtime Environment. You can download Java version 1.5.0_12 at the following web site: http://java.com/en/download/index.jsp

• If you are using the Firefox browser, you must configure your browser to accept Java Network Language Protocol (JNLP) files.

• Plan your STRM deployment including the IP addresses and login information for all devices in your STRM deployment.


Note: If you require assistance with the above, please contact Juniper Networks Customer Support.

Editing Deployment Editor Preferences

To edit the deployment editor preferences:

Step 1 From the deployment editor main menu, select File > Edit Preferences.

The Deployment Editor Setting window appears.

Step 2 Enter values for the following parameters:

• Presence Poll Frequency - Specify how often, in milliseconds, the managed host monitors your deployment for updates, for example, a new or updated managed host.

• Zoom Increment - Specify the increment value used when the zoom option is selected. For example, 0.1 indicates 10%.

Step 3 Close the window. The Deployment Editor appears.

Building Your Flow View

The Flow View allows you to create and manage the flow-based software components of your STRM deployment, for example, a Flow Collector or Flow Processor. If you are using a STRM appliance, a default Flow View appears with the appropriate components. You can edit or update the view, as necessary.

To build your Flow View, you must:

Step 1 Add STRM components to your view. See Adding STRM Components.

Step 2 Connect the added components. See Connecting Components.

Step 3 Connect the deployments, if necessary. See Connecting Deployments.

Step 4 Rename the components so each component has a unique name. See Renaming Components.

Once you have completed building your Flow View, you can use the Event View to manage your SIM components. See Building Your Event View.


Adding STRM Components

You can add the following STRM components to your Flow View:

• Flow Collector - Collects data from devices and various live and recorded feeds.

• Flow Processor - Collects and consolidates data from one or more Flow Collector(s).

• Classification Engine - Receives input from one or more Flow Processor(s) as well as classifies and accumulates statistical data on flows.

• Update Daemon - Stores TopN and database data once the Classification Engine has processed the flows for an interval.

• Flow Writer - Stores the flow and asset profile data once the Classification Engine has processed the flows for an interval.

Note: The procedures in this section provide information on adding STRM components using the Flow View. You can also add components using the System View. For information on the System View, see Managing Your System View.

To add STRM components to your Flow View:

Step 1 In the deployment editor, click the Flow View tab. The Flow View appears.

Step 2 In the Flow Components panel, select a component you want to add to your deployment.

The Adding a New Component Wizard appears.


Step 3 Enter a unique name for the component you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Make sure you record the assigned name, then click Next.

Note: If the message “There are no hosts to which you can assign this component.” appears, your deployment does not include hosts with the capabilities to support the selected component, or the host already has a full complement of components installed.

The Assign Component window appears.

Step 4 From the Select a host drop-down list box, select the managed host to which you want to assign the new component. Click Next. The component ready to be added window appears.

Step 5 Click Finish.


The component appears in your Flow View.

Step 6 Repeat for each component you want to add to your view.

Step 7 From the menu, select File > Save to staging.

Connecting Components

Once you add all the necessary components in your Flow View, you must connect them together. The Flow View only allows you to connect appropriate components together. For example, you can connect a Flow Processor to a Flow Collector and not an Update Daemon.

To connect components:

Step 1 In the Flow View, select the component for which you want to establish a connection.

Step 2 From the menu, select Actions > Add Connection.

Note: You can also use the right mouse button (right-click) to access the Actions menu item.

An arrow appears in your map.

Step 3 Drag the end of the arrow to the component on which you want to establish a connection. You can only connect appropriate components, for example, you can connect a Classification Engine to an Update Daemon. Table 7-3 provides a list of components you are able to connect.

The arrow connects the two components.

Step 4 Repeat for all remaining components in your deployment that you want to establish a connection.

Step 5 From the menu, select File > Save to Staging.

Table 7-3 Component Connections

You can connect a... | To

Flow Collector | Flow Processor

Flow Processor | Flow Processor, Classification Engine, Off-site Target, Off-site Source

Classification Engine | Update Daemon, Flow Writer (multiple Classification Engines may be connected to a single Flow Writer)


Connecting Deployments

You can connect deployments in your network to allow deployments to share flow data. To connect your deployments, you must configure an off-site Flow Processor (target) in your current deployment and the associated off-site Flow Processor in the receiving deployment (source). You can add the following components to your Flow View:

• Off-site Source - Indicates an off-site Flow Processor from which you want to receive data. The source must be configured with appropriate permissions to send flows to the off-site target.

• Off-site Target - Indicates an off-site Flow Processor to which you want to send data.

Note: The procedures in this section provide information on adding flow sources using the Flow View. You can also add sources using the System View. For information on the System View, see Managing Your System View.

Figure 7-1 shows an example of connecting two deployments, A and B. In this example, deployment B wants to receive flows from deployment A. To connect these deployments, you must configure deployment A with an off-site target that provides the IP address of the managed host that includes Flow Processor B. You must then connect Flow Processor A to the off-site target. In deployment B, you must configure an off-site source with the IP address of the managed host that includes Flow Processor A and the port that Flow Processor A is monitoring.

If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source.

If you want to enable encryption between deployments, you must enable encryption on both the off-site source and the off-site target. Also, you must ensure both the off-site source and target include the public keys to ensure appropriate access. For example, in Figure 7-1, if you want to enable encryption between the off-site source and Flow Processor B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the Flow Processor to the off-site source (copy the file to /root/.ssh/authorized_keys).

Note: To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.


Figure 7-1 Example of Connecting Deployments

To connect your deployments:

Step 1 In the deployment editor, click the Flow View tab. The Flow View appears.

Step 2 In the Flow Components panel, select either Add Off-site Source or Add Off-site Target. The Adding a New Component Wizard appears.


Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The flow source/target information window appears.

Step 4 Enter values for the parameters:

• Enter a name for the off-site host - Specify the name of the off-site host. The name can be up to 15 characters in length and may include underscores or hyphens.

• Enter the IP address of the server - Specify the IP address of the managed host to which you want to connect.

• Enter port of managed host - Specify the off-site managed host port number.


• Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target. For more information regarding encryption, see Managing Your System View.

Step 5 Click Next.

Step 6 Click Finish.

Step 7 Repeat for all remaining off-site sources and targets.

Step 8 From the main menu, select File > Save to staging.

Note: If you update your Flow Processor configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.

Renaming Components

You may want to rename a component in your view to uniquely identify components through your deployment.

To rename a component:

Step 1 Select the component you want to rename.

Step 2 From the menu, select Actions > Rename component.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Rename component window appears.

Step 3 Enter a new name for the component. The name must be alphanumeric with no special characters.

Step 4 Click Ok.

Building Your Event View

The Event View allows you to create and manage the SIM components for your deployment including:

• Event Collector - Collects security events from various types of security devices in your network. The Event Collector gathers events from local, remote, and device sources. The Event Collector then normalizes the events and sends the information to the Event Processor. The Event Collector also bundles all virtually identical events to conserve system usage.

• Event Processor - An Event Processor processes flows collected from one or more Event Collector(s). The events are bundled once again to conserve network usage. Once received, the Event Processor correlates the information from STRM and distributes it to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events, which allow the Event Processor to process them according to the configured rules. Once complete, the Event Processor sends the events to the Magistrate. You must connect the Event Processor to a Classification Engine or another Event Processor in your deployment. The Classification Engine is responsible for sending the latest event information to the Event Processor. See Figure 7-2 for an example.

• Magistrate - The Magistrate component provides the core processing components of SIM. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events. The Magistrate processes the event against the defined custom rules to create an offense. If no custom rules exist, the Magistrate uses the default rules to process the event. An offense is an event that has been processed through STRM using multiple inputs, individual events, and events combined with analyzed behavior and vulnerabilities. Magistrate prioritizes the offenses and assigns a magnitude value based on several factors, including number of events, severity, relevance, and credibility.

Once processed, Magistrate also produces a list for each attacker, which provides you with a list of attackers for each event. Once the Magistrate establishes the magnitude for an event, the Magistrate provides multiple options for resolution.

By default, the Event View includes a Magistrate component. Figure 7-2 shows an example of STRM deployment that includes the SIM components. The example shows that the Event Processor is connected to the Classification Engine, which allows for the exchange of flow information.


Figure 7-2 Example of SIM Components in your STRM Deployment

To build your Event View, you must:

Step 1 Add SIM components to your view. See Adding Components.

Step 2 Connect the components. See Connecting Components.

Step 3 Forward normalized events. See Forwarding Normalized Events.

Step 4 Rename the components so each component has a unique name. See Renaming Components.

Adding Components

To add components to your Event View:

Step 1 In the deployment editor, click the Event View tab. The Event View appears.

Step 2 In the Event Tools panel, select a component you want to add to your deployment.

The Adding a New Component Wizard appears.


Step 3 Enter a unique name for the component you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The Assign Component window appears.

Step 4 From the Select a host to assign to list box, select a managed host to which you want to assign the new component. Click Next.

Step 5 Click Finish.

Step 6 Repeat for each component you want to add to your view.

Step 7 From the main menu, select File > Save to staging.


Connecting Components

Once you add all the necessary components in your Event View, you must connect them together. The Event View only allows you to connect appropriate components together. For example, you can connect an Event Collector to an Event Processor and not a Magistrate component.

To connect components:

Step 1 In the Event View, select the component for which you want to establish a connection.

Step 2 From the menu, select Actions > Add Connection.

Note: You can also use the right mouse button (right-click) to access the Actions menu item.

An arrow appears in your map.

Step 3 Drag the end of the arrow to the component on which you want to establish a connection. You can only connect appropriate components, for example, you can connect an Event Collector to an Event Processor. Table 7-4 provides a list of components you are able to connect.

The arrow connects the two components.

Step 4 Repeat for all remaining components that you want to establish a connection.

Forwarding Normalized Events

To forward normalized events, you must configure an off-site Event Collector (target) in your current deployment and the associated off-site Event Collector in the receiving deployment (source).

You can add the following components to your Event View:

• Off-site Source - Indicates an off-site Event Collector from which you want to receive data. The source must be configured with appropriate permissions to send events to the off-site target.

• Off-site Target - Indicates an off-site Event Collector to which you want to send data.

For example, if you want to forward normalized events between two deployments (A and B), where deployment B wants to receive events from deployment A, you must configure deployment A with an off-site target that provides the IP address of the managed host that includes Event Collector B. You must then connect Event Collector A to the off-site target. In deployment B, you must configure an off-site source with the IP address of the managed host that includes Event Collector A and the port that Event Collector A is monitoring.

Table 7-4 Component Connections

You can connect a... | To

Event Processor | Magistrate

Event Collector | Event Processor


If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source.

If you want to enable encryption between deployments, you must enable encryption on both the off-site source and the off-site target. Also, you must ensure both the off-site source and target include the public keys to ensure appropriate access. For example, in Figure 7-3, if you want to enable encryption between the off-site source and Event Collector B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the Event Collector to the off-site source (copy the file to /root/.ssh/authorized_keys).
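The public-key step described here, and the identical step in Connecting Deployments for the Flow View, amounts to installing the peer's id_rsa.pub line into the receiving host's authorized_keys. The following POSIX shell routine is an added example, not part of this guide or of STRM: it validates the key line, appends it only if it is not already present (so repeating the procedure after a reconfiguration never duplicates entries), and sets the file mode sshd expects. File paths are passed as arguments, the sample key used in testing is constructed, and authorized_keys lines that carry option prefixes are not handled.

```shell
#!/bin/sh
# Added example (not STRM's own tooling): install one OpenSSH public key
# line into an authorized_keys file idempotently.

# is_valid_pubkey PUBKEY_FILE
# Returns 0 if the file holds exactly one line shaped like an OpenSSH public
# key (key type, base64 blob, optional comment), 1 otherwise.
is_valid_pubkey() {
    pubkey_file="$1"
    [ -f "$pubkey_file" ] || return 1
    # id_rsa.pub is expected to contain a single non-blank line.
    [ "$(grep -c '[^[:space:]]' "$pubkey_file")" -eq 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$pubkey_file"
}

# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key unless the same type+blob is already listed; the trailing
# comment (user@host) is ignored for the comparison because it may differ.
# Lines with authorized_keys option prefixes (e.g. command="...") are not
# recognised by this simple comparison.
install_authorized_key() {
    pubkey_file="$1"
    auth_file="$2"
    is_valid_pubkey "$pubkey_file" || {
        echo "invalid public key file: $pubkey_file" >&2
        return 1
    }
    key_id="$(awk '{print $1" "$2}' "$pubkey_file")"
    mkdir -p "$(dirname "$auth_file")"
    touch "$auth_file"
    # sshd refuses keys from a world-readable authorized_keys by default.
    chmod 600 "$auth_file"
    if awk '{print $1" "$2}' "$auth_file" | grep -qxF "$key_id"; then
        echo "key already present in $auth_file"
        return 0
    fi
    cat "$pubkey_file" >> "$auth_file"
    echo "key added to $auth_file"
}

# count_keys AUTHORIZED_KEYS
# Prints the number of key lines, so an operator can confirm that exactly
# the expected peer keys are installed.
count_keys() {
    grep -c '^[a-z]' "$1"
}
```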

Figure 7-3 Example of Connecting Deployments

To forward normalized events:

Step 1 In the deployment editor, click the Event View tab.

The Event View appears.

Step 2 In the Components panel, select either Add Off-site Source or Add Off-site Target. The Adding a New Component Wizard appears.

[Figure 7-3 component labels: Off-site Target, Event Collector A, Magistrate, Event Processor, Event Collector B, Magistrate, Event Processor, Off-site Source]


Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The event source/target information window appears.

Step 4 Enter values for the parameters:

• Enter a name for the off-site host - Specify the name of the off-site host. The name can be up to 15 characters in length and may include underscores or hyphens.

• Enter the IP address of the server - Specify the IP address of the managed host to which you want to connect.

• Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target.


Step 5 Click Next.

Step 6 Click Finish.

Step 7 Repeat for all remaining off-site sources and targets.

Step 8 From the main menu, select File > Save to staging.

Note: If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.

Renaming Components

You may want to rename a component in your view to uniquely identify components through your deployment.

To rename a component:

Step 1 Select the component you want to rename.

Step 2 From the menu, select Actions > Rename Component.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Rename component window appears.

Step 3 Enter a new name for the component. The name must be alphanumeric with no special characters.

Step 4 Click Ok.

Managing Your System View

The System View allows you to manage all managed hosts in your network. A managed host is a component in your network that includes STRM software. If you are using a STRM appliance, the components for that appliance model appear. If your STRM software is installed on your own hardware, the System View includes a Host Context component. The System View allows you to select which component(s) you want to run on each managed host.

Using the System View, you can:

• Set up managed hosts in your deployment. See Setting Up Managed Hosts.

• Use STRM with NATed networks in your deployment. See Using NAT with STRM.

• Update the managed host port configuration. See Configuring a Managed Host.

• Assign a component to a managed host. See Assigning a Component to a Host.


• Configure Host Context. See Configuring Host Context.

Setting Up Managed Hosts

Using the deployment editor you can manage all hosts in your deployment including:

• Add a managed host to your deployment. See Adding a Managed Host.

• Edit an existing managed host. See Editing a Managed Host.

• Remove a managed host. See Removing a Managed Host.

When adding a managed host, you can also enable encryption between managed hosts running at least STRM 5.1. The deployment editor determines the version of STRM software running on a managed host. You can only add a managed host to your deployment when the managed host is running a compatible version of STRM software. For more information, contact Juniper Networks Customer Support.

You also cannot assign or configure components on a non-Console managed host when the STRM software version is incompatible with the software version that the Console is running. If a managed host has previously assigned components and is running an incompatible software version, you can still view the components; however, you are not able to update or delete the components.

Note: To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

Encryption provides greater security for all STRM traffic between managed hosts. To provide enhanced security, STRM also provides integrated support for OpenSSH and AttachmateWRQ® Reflection SSH software. Reflection SSH software provides a FIPS 140-2 certified encryption solution. When integrated with STRM, Reflection SSH provides secure communication between STRM components. For information on Reflection SSH, see the following web site:

www.wrq.com/products/reflection/ssh

Note: You must have Reflection SSH installed on each managed host you want to encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other SSH software, such as OpenSSH.

Since encryption occurs between managed hosts in your deployment, your deployment must consist of more than one managed host before encryption is possible. Encryption is enabled using SSH tunnels (port forwarding) initiated from the client. A client is the system that initiates a connection in a client/server relationship. When encryption is enabled for a managed host, encryption tunnels are created for all client applications on a managed host to provide protected access to the respective servers. If you enable encryption on a non-Console managed host, encryption tunnels are automatically created for databases and other support service connections to the Console.

Figure 7-4 shows the flow of traffic within a STRM deployment including flows, flow context, and event traffic. The figure also displays the client/server relationships within the deployment. When enabling encryption on a managed host, the encryption SSH tunnel is created on the client’s host. For example, if you enable encryption for the Event Collector in the deployment below, the connection between the Event Processor and Classification Engine as well as the connection between the Event Processor and Magistrate would be encrypted. The graphic below also displays the client/server relationship between the Console and the Ariel database. When you enable encryption on the Console, an encryption tunnel is used when performing event searches through the Offense Manager.

Note: Enabling encryption reduces the performance of a managed host by at least 50%.

Figure 7-4 Encryption Tunnels

Adding a Managed Host

To add a managed host:

Note: Before you add a managed host, make sure the managed host includes STRM software.

Step 1 From the menu, select Actions > Add a managed host. The Add new host wizard appears.


Step 2 Click Next. The Enter the host’s IP window appears.

Step 3 Enter values for the parameters:

• Enter the IP of the server or appliance to add - Specify the IP address of the host you want to add to your System View.

• Enter the root password of the host - Specify the root password for the host.

• Confirm the root password of the host - Specify the password again, for confirmation.

• Host is NATed - Select the check box if you want to use an existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.


Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.

• Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 4. Otherwise, go to Step 5.

Step 4 To select a NATed network, enter values for the following parameters:

• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.

• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.

Note: For information on managing your NATed networks, see Using NAT with STRM.

Step 5 Click Next.

Step 6 Click Finish.

Note: If your deployment included undeployed changes, a window appears enabling you to deploy all changes.

The System View appears with the host in the Managed Hosts panel.

Editing a Managed Host

To edit an existing managed host:

Step 1 Click the System View tab.

Step 2 Use the right mouse button (right-click) on the managed host you want to edit and select Edit Managed Host.

The Edit a managed host wizard appears.

Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.


Step 3 Click Next. The attributes window appears.

Step 4 Edit the following values, as necessary:

• Host is NATed - Select the check box if you want to use existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.


• Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.

If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 5. Otherwise, go to Step 6.

Step 5 To select a NATed network, enter values for the following parameters:

• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.

• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.

Note: For information on managing your NATed networks, see Using NAT with STRM.

Step 6 Click Next.

Step 7 Click Finish.

The System View appears with the updated host in the Managed Hosts panel.

Removing a Managed Host

You can only remove non-Console managed hosts from your deployment. You cannot remove the managed host that is hosting the STRM Console.

To remove a managed host:

Step 1 Click the System View tab.

Step 2 Use the right mouse button (right-click) on the managed host you want to delete and select Remove host.

Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.

A confirmation window appears.

Step 3 Click Ok.

Step 4 From the Administration Console menu, select Configurations > Deploy All.


Using NAT with STRM

Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. NAT hides your internal IP addresses from the other side of the translation, but it is address translation, not access control: the firewall in front of the NATed network still decides which hosts can reach the STRM listen ports.

Before you enable NAT for a STRM managed host, you must set up your NATed networks using static NAT translation. This ensures communications between managed hosts that exist within different NATed networks. For example, in Figure 7-5 the QFlow 1101 in Network 1 has an internal IP address of 10.100.100.1. When the QFlow 1101 wants to communicate with the Event Collector in Network 2, the NAT router translates the IP address to 192.15.2.1.

Figure 7-5 Using NAT with STRM

Note: Your static NATed networks must be set up and configured on your network before you enable NAT using STRM. For more information, see your network administrator.

You can also add a managed host as non-NATed (with the Host is NATed check box cleared) when it uses inbound NAT for its public IP address and dynamic NAT for outbound traffic, provided that it is located on the same switch as the Console or the managed host it communicates with. In that case, you must configure the managed host to use the same IP address for both its public and private IP addresses.

When adding or editing a managed host, you can enable NAT for that managed host. You can also use the deployment editor to manage your NATed networks, including:

• Adding a NATed Network to STRM

• Editing a NATed Network

• Deleting a NATed Network From STRM

• Changing the NAT Status for a Managed Host

[Figure 7-5 diagram: Network 1 contains the Classification Engine, Update Daemon, Magistrate and the QFlow 1101 at 10.100.100.1; a NAT router at 192.15.2.1 connects Network 1 to Network 2, which contains two Event Collectors.]


Adding a NATed Network to STRM

To add a NATed network to your STRM deployment:

Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window appears.

Step 2 Click Add.

The Add New NATed Network window appears.

Step 3 Enter a name for the network you want to use for NAT.

Step 4 Click Ok. The Manage NATed Networks window appears.

Step 5 Click Ok.

A confirmation window appears.

Step 6 Click Yes.

Editing a NATed Network

To edit a NATed network:

Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window appears.


Step 2 Select the NATed network you want to edit and click Edit.

The Edit NATed Network window appears.

Step 3 Update the name of the network you want to use for NAT.

Step 4 Click Ok.

The Manage NATed Networks window appears.

Step 5 Click Ok.

A confirmation window appears.

Step 6 Click Yes.

Deleting a NATed Network From STRM

To delete a NATed network from your deployment:

Step 1 In the deployment editor, click the NATed networks icon.

Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.

The Manage NATed Networks window appears.

Step 2 Select the NATed network you want to delete.

Step 3 Click Delete.

A confirmation window appears.

Step 4 Click Ok.

Step 5 Click Yes.


Changing the NAT Status for a Managed Host

To change the NAT status of a managed host, update the managed host configuration within STRM before you update the NAT device. Doing it in this order prevents the host from becoming unreachable and allows you to deploy changes to that host.

To change the status of NAT (enable or disable) for an existing managed host:

Step 1 In the deployment editor, click the System View tab.

Step 2 Use the right mouse button (right-click) on the managed host you want to edit and select Edit Managed Host. The Edit a managed host wizard appears.

Step 3 Click Next. The networking and tunneling attributes window appears.

Step 4 Choose one of the following:

a If you want to enable NAT for the managed host, select the Host is NATed check box. Go to Step 5.

Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation.

b If you want to disable NAT for the managed host, clear the Host is NATed check box. Go to Step 6.

Step 5 To select a NATed network, enter values for the following parameters:

• Change public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.

• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.

• Manage NATs List - Update the NATed network configuration. For more information, see Using NAT with STRM.

Step 6 Click Next.

Step 7 Click Finish.

The System View appears with the updated host in the Managed Hosts panel.

Note: After you change the NAT status for an existing managed host, error messages may appear until you complete Step 8 and Step 9. These messages are expected at this point and can be ignored.

Step 8 Update the configuration of the device (firewall) through which the managed host communicates.

Step 9 From the STRM Administration Console menu, select Configurations > Deploy All.


Configuring a Managed Host

To configure a managed host:

Step 1 From the System View, use the right mouse button (right-click) on the managed host you want to configure and select Configure.

The Configure host window appears.

Step 2 Enter values for the parameters:

• Minimum port allowed - Specify the lowest port that the managed host may use to establish communications.

• Maximum port allowed - Specify the highest port that the managed host may use to establish communications.

• Ports to exclude - Specify the ports within that range that you want to exclude from communications. You can enter multiple ports; separate them using a comma.

Step 3 Click Save.

Assigning a Component to a Host

You can assign the STRM components added in the Flow or Event Views to the managed hosts in your deployment. This section provides information on assigning a component to a host using the System View, however, you can also assign components to a host in the Flow or Event Views.

To assign a component to a host:

Step 1 Click the System View tab.

Step 2 From the Managed Host list, select the managed host to which you want to assign a STRM component. The System View of the host appears.

Step 3 Select the component you want to assign to a managed host.

Step 4 From the menu, select Actions > Assign.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Assign Component wizard appears.


Step 5 From the Select a host drop-down list box, select the host to which you want to assign this component. Click Next.

Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM software.

Step 6 Click Finish.

Configuring Host Context

The Host Context component monitors all STRM components to make sure that each component is operating as expected.

To configure Host Context:

Step 1 In the Deployment Editor, click the System View tab.

The System View appears.

Step 2 Select the Managed Host that includes the Host Context you want to configure.

Step 3 Select the Host Context component.

Step 4 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu item.

The Host Context Configuration window appears.


Step 5 Enter values for the parameters:

Table 7-5 Host Context Parameters

Disk Usage Sentinel Settings

• Warning Threshold - When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage. The default is 0.75, therefore, when disk usage exceeds 75%, an e-mail is sent indicating that disk usage is exceeding 75%. If disk usage continues to increase above the configured threshold, a new e-mail is sent after every 5% increase in usage. By default, Host Context monitors the following partitions for disk usage: /, /store, and /store/tmp. Specify the desired warning threshold for disk usage. Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, both of which are configured in the System Settings. For more information, see Chapter 3 Setting Up STRM.

• Shutdown Threshold - When the system exceeds the shutdown threshold, all STRM processes are stopped and an e-mail is sent to the administrator indicating the current state of the system. The default is 0.95, therefore, when disk usage exceeds 95%, all STRM processes stop. Specify the shutdown threshold. Notification e-mails are sent as described for the Warning Threshold.

• Recovery Threshold - Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM processes are restarted. The default is 0.90, therefore, processes are not restarted until disk usage is below 90%. Specify the recovery threshold. Keep the recovery threshold below the shutdown threshold; otherwise processes are restarted while disk usage is still at the level that stopped them. Notification e-mails are sent as described for the Warning Threshold.

• Inspection Interval - Specify the frequency, in milliseconds, at which you want disk usage checked.

SAR Sentinel Settings

• Inspection Interval - Specify the frequency, in milliseconds, at which you want SAR output inspected. The default is 300,000 ms.

• Alert Interval - Specify the frequency, in milliseconds, at which you want to be notified that the thresholds have been exceeded. The default is 7,200,000 ms.

• Time Resolution - Specify the time, in seconds, that you want the SAR inspection to be engaged. The default is 60 seconds.

Log Monitor Settings

• Inspection Interval - Specify the frequency, in milliseconds, at which you want the log files monitored. The default is 60,000 ms.

• Monitored SYSLOG File Name - Specify a filename for the SYSLOG file. The default is /var/log/STRM.error.

• Alert Size - Specify the maximum number of lines you want to monitor from the log file. The default is 1000.

Step 6 Click Save.

The System View appears.
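The disk usage sentinel behaviour described in Table 7-5 (warn at the warning threshold, re-warn after every further 5% increase, stop processes at the shutdown threshold, restart only once usage has dropped below the recovery threshold) is easier to reason about as a small state machine. The following is an added example and not STRM code; the partition readings are constructed, the "actions" list stands in for the e-mails and process control the real sentinel performs, and the check that the recovery threshold lies below the shutdown threshold is an assumption, not something the page documents.

```python
"""Disk-usage sentinel modelled on the Host Context settings in Table 7-5.

Added example, not STRM code. Thresholds are fractions of the partition,
as in the table. Partition names and usage readings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WARNING_THRESHOLD = 0.75    # Table 7-5 defaults
SHUTDOWN_THRESHOLD = 0.95
RECOVERY_THRESHOLD = 0.90
RE_ALERT_STEP = 0.05        # a new e-mail after every 5% increase


@dataclass
class DiskSentinel:
    warning: float = WARNING_THRESHOLD
    shutdown: float = SHUTDOWN_THRESHOLD
    recovery: float = RECOVERY_THRESHOLD
    processes_running: bool = True
    # usage level at which the last warning was sent, per partition
    last_warned: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Assumption, not a check the page documents: a recovery threshold
        # at or above the shutdown threshold would restart processes while
        # usage is still at the level that stopped them.
        if not self.warning < self.recovery < self.shutdown:
            raise ValueError("require warning < recovery < shutdown")

    def inspect(self, usage: Dict[str, float]) -> List[str]:
        """Evaluate one inspection interval.

        usage maps a partition to its fraction used (0.0 to 1.0).
        Returns the actions the sentinel takes, in order.
        """
        actions: List[str] = []

        # Warning e-mails per partition, re-sent after every 5% increase.
        for part, used in usage.items():
            if used <= self.warning:
                self.last_warned.pop(part, None)   # back below threshold
                continue
            last: Optional[float] = self.last_warned.get(part)
            if last is None or used >= last + RE_ALERT_STEP - 1e-9:
                actions.append(f"warn {part} {used:.0%}")
                self.last_warned[part] = used

        # Shutdown and recovery are decided on the fullest partition.
        worst = max(usage.values())
        if self.processes_running and worst > self.shutdown:
            self.processes_running = False
            actions.append(f"shutdown {worst:.0%}")
        elif not self.processes_running and worst < self.recovery:
            self.processes_running = True
            actions.append(f"restart {worst:.0%}")
        return actions


# Constructed readings for the three partitions monitored by default.
SAMPLE_READINGS = [
    {"/": 0.40, "/store": 0.70, "/store/tmp": 0.20},
    {"/": 0.40, "/store": 0.76, "/store/tmp": 0.20},   # crosses 75%
    {"/": 0.40, "/store": 0.78, "/store/tmp": 0.20},   # < 5% more: no mail
    {"/": 0.40, "/store": 0.82, "/store/tmp": 0.20},   # 5% more: new mail
    {"/": 0.40, "/store": 0.96, "/store/tmp": 0.20},   # exceeds 95%: stop
    {"/": 0.40, "/store": 0.92, "/store/tmp": 0.20},   # still >= 90%
    {"/": 0.40, "/store": 0.88, "/store/tmp": 0.20},   # < 90%: restart
    {"/": 0.40, "/store": 0.60, "/store/tmp": 0.20},
]


def run_readings(readings: List[Dict[str, float]],
                 sentinel: Optional[DiskSentinel] = None) -> List[List[str]]:
    """Feed readings to a sentinel and return the actions per interval."""
    sentinel = sentinel or DiskSentinel()
    return [sentinel.inspect(r) for r in readings]


if __name__ == "__main__":
    for reading, acts in zip(SAMPLE_READINGS, run_readings(SAMPLE_READINGS)):
        print(f"/store at {reading['/store']:.0%}: {acts or 'no action'}")
```

Note the hysteresis between the shutdown and recovery thresholds: after the stop at 96% the sentinel stays quiet at 92% and only restarts once usage drops below 90%, which is what prevents a host on a nearly full /store from stop/start flapping.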


Configuring STRM Components

This section provides information on configuring STRM components and includes:

• Configuring a Flow Collector

• Configuring a Flow Processor

• Configuring a Classification Engine

• Configuring an Update Daemon

• Configuring a Flow Writer

• Configuring an Event Collector

• Configuring an Event Processor

• Configuring the Magistrate

Configuring a Flow Collector

The Flow Collector collects data from devices and various live and recorded feeds, such as network taps, span/mirror ports, NetFlow, and STRM flow logs. The Flow Collector then groups related individual packets into a flow. A flow starts when the Flow Collector detects the first packet with a unique source IP address, destination IP address, source port, and destination port, as well as other specific protocol options that may mark the start of a communication. Each additional packet is evaluated and its bytes and packets are added to the statistical counters in the flow record. At the end of an interval a status record of the flow is sent to a Flow Processor and the statistical counters for the flow are reset. A flow ends when no activity for the flow is seen within the configured period of time.

Flow reporting generates records of all the active or expired flows during a specified period of time. STRM defines these flows as a communication session between two pairs of unique IP address/ports that use the same protocol. If the protocol does not support port-based connections, STRM combines all packets between the two hosts into a single flow record. However, a Flow Collector does not record flows until a connection is made to another STRM component and data is retrieved.
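The flow life cycle just described (key on the 5-tuple, accumulate counters, report and reset at the end of each interval, expire on inactivity, attach only the first Maximum Content Capture bytes of payload) can be shown end to end in a few dozen lines. The following is an added example, not STRM code: the packets, the idle timeout and the interval boundaries are constructed values, and only the 64-byte content capture default comes from Table 7-6.

```python
"""Flow assembly as described for the Flow Collector above.

Added example, not STRM code. Packets are grouped into flows keyed on
source IP, destination IP, source port, destination port and protocol;
each packet adds to the flow's byte and packet counters; at the end of
every reporting interval a status record is emitted and the counters are
reset; a flow ends once it has been idle for longer than the configured
timeout; and only the first max_content bytes of payload are attached
(Maximum Content Capture, default 64, 0 disables capture). Packets,
interval length and idle timeout are constructed, not STRM defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto


@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    content: bytes = b""        # first max_content payload bytes of the flow


@dataclass
class FlowCollector:
    idle_timeout: float = 120.0     # assumption: seconds without activity
    max_content: int = 64           # Maximum Content Capture (bytes)
    flows: Dict[FlowKey, Flow] = field(default_factory=dict)

    def packet(self, ts: float, src: str, dst: str, sport: int, dport: int,
               proto: str, length: int, payload: bytes = b"") -> Flow:
        """Account one packet to its flow, creating the flow on first sight."""
        key: FlowKey = (src, dst, sport, dport, proto)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key, ts, ts)
        flow.packets += 1
        flow.bytes += length
        flow.last_seen = ts
        room = self.max_content - len(flow.content)
        if room > 0:                            # capture only the flow start
            flow.content += payload[:room]
        return flow

    def end_of_interval(self, now: float) -> List[dict]:
        """Emit a status record for every flow active in this interval,
        reset its counters, and drop flows idle longer than idle_timeout."""
        records: List[dict] = []
        for key in list(self.flows):
            flow = self.flows[key]
            if flow.packets:
                records.append({"key": key, "packets": flow.packets,
                                "bytes": flow.bytes, "content": flow.content})
                flow.packets = flow.bytes = 0
            if now - flow.last_seen > self.idle_timeout:
                del self.flows[key]
        return records


def demo(max_content: int = 64) -> Tuple[List[dict], List[dict], List[FlowKey]]:
    """Constructed traffic: an HTTP request/response pair, one DNS query,
    then a lone packet on the HTTP client side in the second interval.
    Returns the records of interval 1, of interval 2, and the flows still
    tracked afterwards."""
    fc = FlowCollector(max_content=max_content)
    client = ("10.0.0.5", "192.0.2.10", 40000, 80, "tcp")
    fc.packet(1.0, *client, 120, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
    fc.packet(1.1, "192.0.2.10", "10.0.0.5", 80, 40000, "tcp", 1500,
              b"HTTP/1.1 200 OK\r\n" + b"A" * 200)
    fc.packet(1.2, *client, 60)                      # bare ACK, no payload
    fc.packet(2.0, "10.0.0.5", "192.0.2.53", 53000, 53, "udp", 70)
    first = fc.end_of_interval(60.0)
    fc.packet(100.0, *client, 60)                    # keeps the client flow alive
    second = fc.end_of_interval(130.0)               # the other two flows expire
    return first, second, list(fc.flows)


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec["key"], rec["packets"], rec["bytes"], rec["content"][:20])
```

The server-side record carries exactly 64 bytes of the response even though 217 bytes of payload were seen, which is the disk and bandwidth trade-off the Maximum Content Capture parameter controls; running `demo(max_content=0)` yields records with no content at all.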

To configure a Flow Collector:

Step 1 In either the Flow or System View, select the Flow Collector you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The QFlow Configuration window appears.


Step 3 Enter values for the parameters:

Table 7-6 Flow Collector Parameters

• Server Listen Port - The Flow Collector passes data to the next component in the process. Once the link is established, all collected data is passed for further processing. Specify the port that the Flow Collector monitors for incoming Flow Processor connections. The default range is from 32000 to 65535.

• Flow Collector ID - In larger installations, several Flow Collectors can be installed throughout the deployment. As several Flow Collectors can function simultaneously, you must give each Flow Collector a unique name. You can use that name to determine where data is originating from in the Collector View, if configured. Specify the Flow Collector ID.

• Maximum Content Capture - Flow Collectors capture a configurable number of bytes at the start of each flow. Transferring large amounts of content across the network may affect network and STRM performance. On managed hosts where the Flow Collectors are located on close high-speed links, you can increase the content capture length. Specify the capture length, in bytes, to attach to a flow. A value of 0 disables content capture. The default is 64 bytes. Note: Increasing the content capture length increases disk storage requirements beyond the recommended disk allotment.

• Alias Autodetection - Specify one of the following options:
  • Yes - Allows the Flow Collector to detect external flow source aliases. When a Flow Collector receives traffic from a device with an IP address but no current alias, the Flow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the Flow Collector adds this information to the database and reports this information to all Flow Collectors in your deployment.
  • No - Prevents the Flow Collector from detecting external flow source aliases.
  For more information on flow sources, see Chapter 7 Managing Flow Sources.

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters, as necessary:

Table 7-7 Flow Collector Parameters

• Maximum Data Capture/Packet - Specify the number of bytes per packet that you want the Flow Collector to capture.

• Time Synchronization Server IP Address - Specify the IP address or hostname of the time server.

• Time Synchronization Timeout Period - Specify the length of time you want the managed host to continue attempting to synchronize the time before timing out. The default is 15 minutes.

• Endace DAG Interface Card Configuration - Specify the Endace Network Monitoring Interface card parameters. For more information, see the Technical support web site or contact Juniper Networks Customer Support.

• Flow Buffer Size - Specify the amount of memory, in MB, that you want to reserve for flow storage. The default is 400 MB.

• Maximum Number of Flows - Specify the maximum number of flows you want to send from the Flow Collector to Flow Processors.

• Remove duplicate flows - Enables or disables the removal of duplicate flows.

• External Flow De-duplication method - Specify the method you want to use to remove duplicate external flow records (de-duplication). Options include:
  • Source - Compares originating flow sources. This method compares the IP address of the device that exported the current external flow record with the IP address of the device that exported the first external record of the particular flow. If the IP addresses do not match, the current external flow record is discarded.
  • Record - Compares individual external flow records. This method logs a list of every external flow record detected by a particular device and compares each subsequent record to that list. If the current record is found in the list, that record is discarded.

• External flow record comparison mask - This parameter is only valid if you set the External Flow De-duplication method parameter to Record. Specify the external flow record fields you want to use to remove duplicate flows. Valid options are D (Direction), B (ByteCount), and P (PacketCount); an X in a position means that field is not compared. Possible combinations include:
  • DBP - Uses direction, byte count, and packet count when comparing flow records.
  • XBP - Uses byte count and packet count when comparing flow records.
  • DXP - Uses direction and packet count when comparing flow records.
  • DBX - Uses direction and byte count when comparing flow records.
  • DXX - Uses direction only when comparing flow records.
  • XBX - Uses byte count only when comparing flow records.
  • XXP - Uses packet count only when comparing flow records.

• Flow Carry-over Window - Specify the number of seconds before the end of an interval within which one-sided flows are held over until the next interval. This allows time for the inverse side of the flow to arrive before the flow is reported.


Step 6 Click Save. The deployment editor appears.

Step 7 Repeat for all Flow Collectors in your deployment you want to configure.
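The two de-duplication methods and the comparison mask from Table 7-7 behave differently on the same input, and the difference matters when two exporters on one path (for example two routers) each send a record for the same flow. The following is an added example, not STRM code. The reading that the Record method keeps one list at the collector across all exporters is an assumption; the exporter addresses and records are constructed.

```python
"""External flow de-duplication as described by the External Flow
De-duplication method and comparison mask parameters in Table 7-7.

Added example, not STRM code. The Source method keeps records only from
the exporter that reported a flow first; the Record method keeps a list
of records already seen and discards any record that matches one on the
list in the fields selected by the mask (D direction, B byte count,
P packet count; X skips that position). Records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MASKS = {"DBP", "XBP", "DXP", "DBX", "DXX", "XBX", "XXP"}   # Table 7-7
FlowKey = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto


@dataclass(frozen=True)
class ExternalRecord:
    exporter: str        # IP address of the device that exported the record
    flow: FlowKey
    direction: str       # "in" or "out"
    bytes: int
    packets: int


class Deduplicator:
    def __init__(self, method: str, mask: str = "DBP") -> None:
        if method not in ("source", "record"):
            raise ValueError("method must be 'source' or 'record'")
        if mask not in MASKS:
            raise ValueError(f"mask must be one of {sorted(MASKS)}")
        self.method = method
        self.mask = mask
        self.first_exporter: Dict[FlowKey, str] = {}   # Source method state
        self.seen: Set[tuple] = set()                  # Record method state

    def compare_key(self, rec: ExternalRecord) -> tuple:
        """The flow plus only the fields the mask selects."""
        d, b, p = self.mask
        return (rec.flow,
                rec.direction if d == "D" else None,
                rec.bytes if b == "B" else None,
                rec.packets if p == "P" else None)

    def accept(self, rec: ExternalRecord) -> bool:
        """True if the record is kept, False if discarded as a duplicate."""
        if self.method == "source":
            first = self.first_exporter.setdefault(rec.flow, rec.exporter)
            return first == rec.exporter
        key = self.compare_key(rec)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


# Constructed records: routers 10.1.1.1 and 10.1.1.2 both see one flow.
FLOW: FlowKey = ("10.0.0.5", "192.0.2.10", 40000, 80, "tcp")
SAMPLE_RECORDS = [
    ExternalRecord("10.1.1.1", FLOW, "in", 1000, 10),
    ExternalRecord("10.1.1.2", FLOW, "in", 1000, 10),    # same flow, 2nd router
    ExternalRecord("10.1.1.2", FLOW, "out", 1000, 10),   # reverse direction
    ExternalRecord("10.1.1.1", FLOW, "in", 1040, 10),    # byte count differs
]


def run(method: str, mask: str = "DBP",
        records: List[ExternalRecord] = SAMPLE_RECORDS) -> List[bool]:
    """Return, per record, whether the de-duplicator keeps it."""
    dedup = Deduplicator(method, mask)
    return [dedup.accept(r) for r in records]


if __name__ == "__main__":
    print("source     ", run("source"))
    for mask in sorted(MASKS):
        print("record", mask, run("record", mask))
```

With the Source method the second router's records are dropped outright, including the reverse-direction record, so a deployment that relies on it should make sure the first exporter sees both directions. With the Record method and mask DBP the reverse-direction record survives and so does the record whose byte count moved, which a looser mask such as DXP collapses into a duplicate.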

Configuring a Flow Processor

A Flow Processor collects and consolidates data from one or more Flow Collector(s). Flow Processors are located between the Classification Engine, Flow Collectors, and other Flow Processors. You can connect multiple Flow Processors in a series.

A Flow Processor removes duplicate flows and creates superflows (aggregate flows) before the flows reach the main Classification Engine. A superflow is multiple flows with the same properties combined into one flow, which details one-sided communications and security events, such as scanning and attacks, without losing the information stored in the thousands of individual flows created by an infected host or attacker. The flow contains only the communications that received no response. Valid communications from the attacking or infected hosts are stored in the flow logs. Using superflows, STRM is able to scale to larger environments and manage large attacks without overloading.

Superflows can last long periods of time, just like normal flows. STRM manages superflows in the same manner as regular flows. Superflows are logged every interval and detail the state of the flow during that time period. You can also investigate flows using the Network Surveillance interface to further expand superflows into more traditional flows, which allows for flexible analysis.

Some normally occurring network communications generate flows for which there are no responses, such as web requests to a failed web server or to a host that is down. One-sided flows are generally not a high risk threat and should not apply to superflows. For this reason, there is a configurable threshold for superflow generation, which a host has to breach before the flows are bundled into superflows.

Table 7-7 Flow Collector Parameters (continued), Endace DAG Interface Card parameters

• Minimum Buffer Data - Specify the minimum amount of data, in bytes, that you want the Endace DAG Interface Card to receive before the captured data is returned to the Flow Collector process. For example, if this parameter is 0 and no data is available, the Endace DAG Interface Card returns immediately (non-blocking behavior).

• Maximum Wait Time - Specify the maximum amount of time, in microseconds, that you want the Endace DAG Interface Card to wait for the minimum amount of data, as specified in the Minimum Buffer Data parameter.

• Polling Interval - Specify the interval, in microseconds, that you want the Endace DAG Interface Card to wait before checking for additional data. A polling interval avoids excessive polling traffic to the card and therefore conserves bandwidth and processing time.


You can also configure branch filtering in the Flow Processor, which allows you to distribute network processing across multiple Classification Engines. A branch filter consists of a branch and a flow class definition. The branch filter configuration controls which flows a component receives. When configuring branch filtering, you must use groups located at the top of your network hierarchy. For the Flow Processor, the branch filter specifies which flows the Flow Processor receives from flow sources.

To configure a Flow Processor:

Step 1 In either the Flow or System View, select the Flow Processor you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Flow Processor window appears.

Step 3 Enter values for the parameters:

Table 7-8 Flow Processor Parameters

• Flow Processor Listen Port - The Classification Engine connects to the Flow Processor to accept flows through a TCP/IP link. Specify the port that the Flow Processor monitors for incoming connections. The default range is from 32000 to 65535.

• Flow Collectors - When the Flow Processor starts, it attempts to establish a link with one or more Flow Collectors. If a Flow Collector cannot be reached, the Flow Processor attempts to establish the link periodically until it succeeds. You can have multiple Flow Collectors in your deployment and each Flow Collector can be connected to a different time server. This parameter also indicates whether each Flow Collector is local or remote. Specifies the list of default Flow Collectors to which the Flow Processor connects, entered in the following format:

<hostname>:<port>:[L|R]

Where <hostname> is the hostname of the Flow Collector, <port> is the port on which communications are established, and [L|R] indicates whether the Flow Collector is local (L) or remote (R). Separate each Flow Collector with a comma. The default is localhost:32000.

• Flow Processors - Specifies the list of Flow Processors attached to this Flow Processor. You can have multiple Flow Processors in your deployment and each Flow Processor can be connected to a different time server. This parameter also indicates whether each Flow Processor is local or remote. If a component is identified as remote, any flows sent to the local Flow Processor are tagged with the local interval time. This parameter is for information purposes only and is not amendable. The values are entered in the following format:

<hostname>:<port>:[L|R]

Where <hostname> is the hostname of the Flow Processor, <port> is the port on which communications are established, and [L|R] indicates whether the Flow Processor is local (L) or remote (R). Separate each Flow Processor with a comma.

Step 4 In the toolbar, click Advanced to display advanced parameters.

The configuration parameters appear.


Step 5 Enter values for the parameters:

Table 7-9 Flow Processor Parameters

• Create Flow Bundles - Specify one of the following options:
  • Yes - Allows the Flow Processor to group flows that have similar properties.
  • No - Disables the bundling of flows.

• Maximum Number of Flows - Specify the maximum number of flows you want to send from the Flow Processor to the Classification Engines. If set to 0, the number of flows is unlimited.

• Time Difference for Duplicate Flows - Specify the time difference threshold, in microseconds, that determines whether two flows are duplicates. The default is 500000.

• Type A Superflows - Specify the threshold for type A superflows, in which one host sends data to many hosts. A type A superflow is a unidirectional flow that aggregates all flows that have the same protocol, source bytes, source host, destination network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), and ICMP type and code (ICMP flows only), but different destination hosts.

• Type B Superflows - Specify the threshold for type B superflows, in which many hosts send data to one host. A type B superflow is a unidirectional flow that aggregates all flows that have the same protocol, source bytes, source packets, destination host, source network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), and ICMP type and code (ICMP flows only), but different source hosts.


• Type C Superflows - Specify the threshold for type C superflows, in which one host sends data to another host. A type C superflow is a unidirectional flow that aggregates all non-ICMP flows that have the same protocol, source host, destination host, source bytes, destination bytes, source packets, and destination packets, but different source or destination ports.

• IP Address(es) Range Conversion - Specify an IP address or CIDR range to convert to another IP address or CIDR range at the Flow Processor. This allows STRM to identify data sources on networks with overlapping IP address ranges when a single Flow Processor processes many data sources. Enter the information in the following format:

<IP address>:<convert>

Where <IP address> specifies the IP address or CIDR range to be converted, and <convert> specifies the desired conversion range. This option is also available in the Flow Collector.

• Maximum Content for Destination STRM Components - A content filter controls where content is denied or allowed. Apply filters in the following format:

<CIDR>:<bytes of content>

Where <CIDR> specifies a CIDR range and <bytes of content> specifies how much content is allowed, for example 64 or 128 bytes. The filter is case sensitive: use either all uppercase or all lowercase characters. For example, if CIDR=10.100.100.0/24 and you want to allow 64 bytes of content, enter 10.100.100.0/24:64. If you want to deny the content, enter 10.100.100.0/24:0. If you want to allow content only to this CIDR, enter default:0, 10.100.100.0/24:64.


Step 6 Click Save.

Table 7-9 Flow Processor Parameters (continued)

Parameter - Description
Branch Filtering - By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin until the Flow Processor receives a branch filter definition from the Classification Engine. Specify the branch filter using the following syntax:
brc-1,brc-2,...,brc-N
Where brc-1,brc-2,...,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored. For example:
ComputingServices,Manufacturing_facilites,Corporate_HQ,other
Recombine Asymmetric Flows - In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. You can combine flows received from either a single Flow Collector or multiple Flow Collectors. However, to combine flows from multiple Flow Collectors, you must configure flow sources in the Asymmetric Flow Source Interface(s) parameters in the Flow Collector configuration. For more information, see Configuring a Flow Collector. Choose one of the following options:
• Yes - Asymmetric flows are combined.
• No - Asymmetric flows are not combined.
Ignore Asymmetric Superflows - Specify whether you want to enable the creation of superflows while asymmetric flows are enabled. The default is Yes, which means superflows are created.
Enable Application Mapping - Choose one of the following:
• Yes - Application mapping is applied, as defined in your mapping file. For more information, see the STRM Default Application Configuration Guide. This is the default.
• No - Application mapping is not applied.
User Application Mapping - Specify the name of the file that contains your custom application mappings. For more information, see the STRM Default Application Configuration Guide.
Block Content - Choose one of the following options:
• Yes - All content captured in the flows is removed by the Flow Processor.
• No - Captured content is not removed from flows.
Payload Modification - Specify a string to which you want all captured content to be changed.


The deployment editor appears.

Step 7 Repeat for all Flow Processors in your deployment that you want to configure.
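The Content Filter parameter in Table 7-9 is a small format of its own, and it is worth checking how a filter string resolves before deploying it. The following added example (not STRM code; the guide does not document how overlapping entries are resolved, so it assumes that the most specific CIDR wins and that the lowercase key default is the fallback entry) parses a filter string and reports the byte budget that applies to a given address, where 0 means content is denied:

```python
"""Resolve a Flow Processor content filter string of the form
"<CIDR>:<bytes>[, <CIDR>:<bytes> ...]" for a given IP address.

Added example, not STRM code. Assumptions not stated in the guide:
 - when several CIDRs cover an address, the longest prefix wins;
 - the literal key "default" (lowercase) covers any address no other
   entry matches;
 - an entry with 0 bytes denies content entirely.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[Optional[Network], int]   # (None, n) is the "default" entry


def parse_content_filter(spec: str) -> List[Rule]:
    """Parse the comma-separated filter; raise ValueError on a bad entry."""
    rules: List[Rule] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue                      # tolerate a trailing comma
        cidr, sep, limit = entry.rpartition(":")  # rpartition keeps IPv6 ':' intact
        if not sep:
            raise ValueError(f"missing ':<bytes of content>' in {entry!r}")
        nbytes = int(limit)
        if nbytes < 0:
            raise ValueError(f"negative byte count in {entry!r}")
        if cidr == "default":
            rules.append((None, nbytes))
        else:
            # strict=False accepts a host address with a prefix, e.g. 10.1.1.5/24
            rules.append((ipaddress.ip_network(cidr, strict=False), nbytes))
    return rules


def allowed_bytes(rules: List[Rule], address: str) -> Optional[int]:
    """Byte budget for `address`: 0 means content is denied, None means no
    entry (not even "default") covers the address."""
    ip = ipaddress.ip_address(address)
    best_len, best_bytes = -1, None
    default: Optional[int] = None
    for net, nbytes in rules:
        if net is None:
            if default is None:
                default = nbytes          # first "default" entry wins
            continue
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best_len, best_bytes = net.prefixlen, nbytes
    return best_bytes if best_len >= 0 else default


if __name__ == "__main__":
    # The guide's own example: deny everywhere except 64 bytes for one subnet.
    rules = parse_content_filter("default:0, 10.100.100.0/24:64")
    for addr in ("10.100.100.7", "192.168.1.1"):
        print(addr, "->", allowed_bytes(rules, addr))
```

Run it against a candidate filter string and a few addresses from each network branch before saving the Flow Processor configuration; an address that resolves to None is one the filter does not cover at all.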

Configuring a Classification Engine

The Classification Engine receives inputs from one or more Flow Processor(s), classifies the flows into views and objects, and outputs the resulting database entries and flow logs to the Update Daemon to be stored on disk. Using the deployment map, you can either enable or disable views and configure a Classification Engine. To configure a Classification Engine:

Step 1 In either the Flow or System View, select the Classification Engine you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Classification Engine window appears.

Step 3 Enter values for the parameters:

Table 7-10 Classification Engine Parameters

Parameter - Description
Classification Engine Server Listen Port - Specify the port that the Classification Engine monitors for incoming connections. The default range is from 32000 to 65535.
Flow Processor Connections - When the Classification Engine starts, it attempts to establish a TCP/IP connection with one or more Flow Processors to retrieve flows. If a Flow Processor cannot be reached, the Classification Engine retries periodically until it succeeds. This parameter is for information purposes only and is not amendable. It lists the Flow Processor connections in the following format:
<hostname>:<port>
The default is localhost:32001. Each entry is separated with a comma.


Step 4 In the toolbar, click Advanced to display advanced parameters.

The configuration parameters appear.

Step 5 Enter values for the parameters:

Table 7-10 Classification Engine Parameters (continued)

Parameter - Description
Update Daemon Connections - Specifies the hostname and port of the Update Daemon to which the Classification Engine sends data for storage. This parameter is for information purposes only and is not amendable. The information appears in the following format:
<hostname>:<port>
The default is localhost:32002.
Flow Writer Connection - Specifies the hostname and port of the Flow Writer to which the Classification Engine sends data for storage. This parameter is for information purposes only and is not amendable. The information appears in the following format:
<hostname>:<port>
The default is localhost:32010.
Event Collector Connections - Specifies the hostname and port of the Event Collector that sends data to the Classification Engine. This parameter is for information purposes only and is not amendable.

Table 7-11 Classification Engine Parameters

Parameter - Description
Forward Flow Data - Specify one of the following options:
• Yes - Process view data only and do not forward flows. This is the default.
• No - Process and forward all data.


Step 6 Click Save.

The deployment map appears.

Step 7 Repeat for all Classification Engines in your deployment that you want to configure.

Configuring an Update Daemon

Once the Classification Engine has processed the flows for an interval, the Update Daemon stores the database and TopN data. Depending on the size of your deployment, you may have multiple Update Daemons.

To configure an Update Daemon:

Step 1 In either the Flow or System View, select the Update Daemon you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Update Daemon Configuration window appears.

Table 7-11 Classification Engine Parameters (continued)

Parameter - Description
Process Defined Views Only - If you are using a distributed processing Console, specify the processing information. This requires each involved managed host to have a list of views to process. For assistance, contact Juniper Networks Customer Support.
Branch Filtering - By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin until the Flow Processor receives a branch filter definition from the Classification Engine. Specify the branch filter using the following syntax:
brc-1,brc-2,...,brc-N
Where brc-1,brc-2,...,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored. For example:
ComputingServices,Manufacturing_facilites,Corporate_HQ,other
Network Object Limit - Specify the maximum number of network objects you want to allow.
Asset Profile Threshold - Specify the maximum number of asset profiles you want to monitor. The default is 25,000.
Remote Host Cache Clear Interval - Specify the period of time, in seconds, that you want to retain the log files that are stored as the result of a remote view lookup.


Step 3 For the Server listen port parameter, specify the Update Daemon listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.

Step 4 In the toolbar, click Advanced to display advanced parameters.

The configuration parameters appear.

Step 5 Enter values for the parameters:

Step 6 Click Save.

The deployment map appears.

Step 7 Repeat for all Update Daemons in your deployment that you want to configure.

Table 7-12 Update Daemon Parameters

Parameter - Description
Database Storage Location - Specify the directory in which you want to store the database information. The default is /store/db.
TopN Database Storage Location - Specify the directory in which you want to store the TopN database. The default is /store/STRM-tmp/topn.


Configuring a Flow Writer

Once the Classification Engine has processed the flows for an interval, the Flow Writer stores the flow and asset profile data. You can only have one Flow Writer per host, which must be connected to the Classification Engine.

To configure a Flow Writer:

Step 1 In either the Flow or System View, select the Flow Writer you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Flow Writer Configuration window appears.

Step 3 Enter values for the parameters:

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters:

Step 6 Click Save.

Table 7-13 Flow Writer Parameters

Parameter - Description
Server listen port - Specify the Flow Writer listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.

Table 7-14 Flow Writer Advanced Parameters

Parameter - Description
Maximum Hosts Count Before a Reset - Specify the maximum number of hosts you want the system to store before all counters are reset. A lower reset threshold uses disk space more efficiently; however, query time may increase.


The deployment map appears.

Configuring an Event Collector

The Event Collector collects security events from various types of security devices in your network.

To configure an Event Collector:

Step 1 From either the Event View or System View, select the Event Collector you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Event Collector Configuration window appears.

Step 3 Enter values for the parameters:

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Table 7-15 Event Collector Parameters

Parameter - Description
Event Collector Server Listen Port - The Event Collector monitors at least one device per instance of the component.
Destination Event Processor - Specify the destination Event Processor for communications.
Listen Port - Specifies the listening port for event forwarding.
Event Targets - If the Event Collector includes an off-site target, this parameter specifies the normalized event forwarding devices, separated by commas, using the following format:
<device>:<type>
This parameter is for informational purposes only and is not amendable.


Step 5 Enter values for the parameters:

Step 6 Click Save.

The deployment editor appears.

Step 7 Repeat for all Event Collectors in your deployment that you want to configure.

Configuring an Event Processor

The Event Processor processes events collected from one or more Event Collectors.

To configure an Event Processor:

Step 1 From either the Event View or System View, select the Event Processor you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Event Processor Configuration window appears.

Table 7-16 Event Collector Advanced Parameters

Parameter - Description
Receives Flow Context - Specifies the first Event Collector installed in your deployment. This parameter is for informational purposes only and is not amendable.
Auto Detection Enabled - Specify whether you want the Event Collector to automatically analyze and accept traffic from previously unknown sensor devices. The default is True, which means that the Event Collector detects sensor devices in your network. When set to True, the appropriate firewall ports are also opened so that auto detection can receive events. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.


Step 3 Enter values for the parameters:

Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters, as necessary:

Table 7-17 Event Processor Parameters

Parameter - Description
Event Processor Server Listen Port - Specify the port that the Event Processor monitors for incoming connections. The default range is from 32000 to 65535.
Destination Magistrate - Specifies the Magistrate to which events are sent. This parameter is for informational purposes only and is not amendable.
Classification Engines - All Event Processors are connected to all Classification Engines in your deployment. Specifies all Classification Engines in your deployment. This parameter is for informational purposes only and is not amendable.
ESA Server - Specifies the Event Statistical Aggregation (ESA) server to which the Event Processor is connected. This parameter is for informational purposes only and is not amendable.


Step 6 Click Save.

The deployment editor appears.

Step 7 Repeat for all Event Processors in your deployment that you want to configure.

Configuring the Magistrate

The Magistrate component provides the core processing components of the SIM option.

To configure the Magistrate component:

Step 1 From either the Event View or System View, select the Magistrate component you want to configure.

Step 2 From the menu, select Actions > Configure.

Note: You can also use the right mouse button (right-click) to access the Actions menu items.

The Magistrate Configuration window appears.

Step 3 Enter values for the parameters:

Table 7-18 Event Processor Parameters

Parameter - Description
Overflow Routing Threshold - Specify the number of events per second that the Event Processor can manage. Events over this threshold are placed in the cache.
Path to Ariel Events Database - Specify the location where you want to store events. The default is /store/ariel/events.
Path to Ariel Payloads Database - Specify the location where you want to store payload information. The default is /store/ariel/payloads.

Table 7-19 Magistrate Parameters

Parameter - Description
Magistrate Server Listen Port - Specify the port that the Magistrate monitors for incoming connections. The default range is from 32000 to 65535.
ESA Server - Specifies the Event Statistical Aggregation (ESA) server to which the Magistrate is connected. This parameter is for informational purposes only and is not amendable.


Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 For the Overflow Routing Threshold, specify the number of events per second that the Magistrate can manage. Events over this threshold are placed in the cache. The default is 20000.

Step 6 Click Save.

The deployment editor appears.


7

MANAGING FLOW SOURCES

This chapter provides information on managing flow sources in your deployment, including:

• About Flow Sources

• Managing Flow Sources

• Managing Flow Source Aliases

About Flow Sources

STRM allows you to integrate internal and external flow sources:

• Internal flow sources - Includes any additional hardware installed on a managed host, such as a Network Interface Card (NIC). Depending on the hardware configuration of your managed host, the options may include:
- Network interface card
- Endace Network Monitoring Interface Card

• External flow sources - Configures an external flow source for the Flow Collector. If your Flow Collector receives multiple flow sources, you can assign each source a distinct name, providing the ability to distinguish one source of external flow data from another when received on the same Flow Collector. To assign names to multiple flow sources, you must configure the External Flow Source Interface Name parameter in the Flow Collector component. External flow sources may include:
- NetFlow
- sFlow
- J-Flow
- Packeteer
- Flowlog File

NetFlow

A proprietary accounting technology developed by Cisco Systems® Inc. that monitors traffic flows through a switch or router, interprets the client, server, protocol, and port used, counts the number of bytes and packets, and sends that data to a NetFlow collector. The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE). You can configure STRM to accept NDEs and thus become a NetFlow collector. STRM supports NetFlow versions 1, 5, 7, and 9. For more information on NetFlow, see www.cisco.com.

While NetFlow expands the amount of the network that is monitored, NetFlow has the following limitations:

• NetFlow classifies application traffic only by TCP port (for example, HTTP on port 80). This layer 4 analysis of traffic does not consider the actual layer 7 identification of application traffic that is available in STRM.

• NetFlow uses a connection-less protocol (UDP) to deliver NDEs. Once an NDE is sent from a switch or router, the NetFlow record is purged. Because UDP does not guarantee delivery, an NDE lost in transit cannot be recovered, which results in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

Once you configure an external flow source for NetFlow, you must:

• Make sure the appropriate firewall rules are configured. Note that if you change your External Flow Source Monitoring Port parameter in the Flow Collector configuration, you must also update your firewall access configuration.

• Make sure the appropriate ports are configured for your Flow Collector.

If you are using NetFlow version 9, make sure the NetFlow template from the NetFlow source includes the following fields:

• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT
• IN_BYTES and/or OUT_BYTES
• IN_PKTS and/or OUT_PKTS
• TCP_FLAGS (TCP flows only)
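The template requirement above can be checked at the collector before a new NetFlow v9 exporter goes into production. The following added example (not part of this guide and not STRM code) parses the template FlowSets of a v9 export packet and reports which of the required field groups each template lacks. The field type numbers are the RFC 3954 assignments; the sample packet, its template IDs 256 and 257, and the header values are constructed for the example.

```python
"""Parse NetFlow v9 template FlowSets and check them against the field
list STRM requires. Added example; not STRM code.

Field type numbers are taken from RFC 3954 section 8. The sample packet
at the bottom is constructed: template 256 is complete, template 257
exports no byte or packet counters."""
import struct
from typing import Dict, List, Tuple

FIELD_TYPES = {  # RFC 3954 field type IDs for the fields the guide lists
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
    23: "OUT_BYTES", 24: "OUT_PKTS",
}
# Each group is satisfied by any one member ("and/or" in the guide).
REQUIRED = [
    {"FIRST_SWITCHED"}, {"LAST_SWITCHED"}, {"PROTOCOL"},
    {"IPV4_SRC_ADDR"}, {"IPV4_DST_ADDR"}, {"L4_SRC_PORT"}, {"L4_DST_PORT"},
    {"IN_BYTES", "OUT_BYTES"}, {"IN_PKTS", "OUT_PKTS"},
]
# v9 header: version, count, sysUpTime, unix secs, sequence, source ID
HEADER = struct.Struct("!HHIIII")


def parse_templates(packet: bytes) -> Dict[int, List[int]]:
    """Return {template_id: [field_type, ...]} for every template FlowSet
    (FlowSet ID 0). Options templates (ID 1) and data FlowSets (ID >= 256)
    are skipped; a short or mis-sized packet raises ValueError."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, _count, *_ = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    templates: Dict[int, List[int]] = {}
    offset = HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError(f"bad FlowSet length {length} at offset {offset}")
        if flowset_id == 0:
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if template_id == 0 and field_count == 0:
                    break                 # zero padding to a 4-byte boundary
                if pos + 4 * field_count > end:
                    raise ValueError(f"template {template_id} overruns its FlowSet")
                templates[template_id] = [
                    struct.unpack_from("!HH", packet, pos + 4 * i)[0]
                    for i in range(field_count)]   # keep type, drop length
                pos += 4 * field_count
        offset += length
    return templates


def missing_fields(field_types: List[int]) -> List[str]:
    """Names of required groups absent from a template, e.g.
    ['IN_BYTES/OUT_BYTES'] when neither byte counter is exported."""
    present = {FIELD_TYPES.get(t, f"TYPE_{t}") for t in field_types}
    return ["/".join(sorted(g)) for g in REQUIRED if not (g & present)]


def _template_flowset(template_id: int, fields: List[Tuple[int, int]]) -> bytes:
    """Build one template FlowSet from (field type, field length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


# Constructed sample packet: complete template 256, counter-less template 257.
GOOD = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (22, 4), (21, 4), (1, 4), (2, 4)]
BAD = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (22, 4), (21, 4)]
SAMPLE_PACKET = (HEADER.pack(9, 2, 123456, 1_200_000_000, 1, 0)
                 + _template_flowset(256, GOOD) + _template_flowset(257, BAD))

if __name__ == "__main__":
    for tid, fields in parse_templates(SAMPLE_PACKET).items():
        gaps = missing_fields(fields)
        print(f"template {tid}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Feed it a packet captured on the External Flow Source Monitoring Port (for example, the UDP payload from a packet capture taken on the Flow Collector); a template that reports missing groups will produce flows with no byte or packet counts, which shows up as empty traffic volumes rather than as an error.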

sFlow

A multi-vendor and end-user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously. sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. STRM supports sFlow versions 2, 4, and 5. Note that sFlow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on sFlow, see www.sflow.org.

sFlow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the sFlow record is purged. Because UDP does not guarantee delivery, a lost datagram cannot be recovered, which results in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

Once you configure an external flow source for sFlow, you must:

• Make sure the appropriate firewall rules are configured.

• Make sure the appropriate ports are configured for your Flow Collector.

J-Flow

A proprietary accounting technology used by Juniper® Networks that allows you to collect IP traffic flow statistics. J-Flow exports data to a UDP port on a J-Flow collector. You can enable J-Flow on a router or interface to collect network statistics for specific locations on your network. Note that J-Flow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on J-Flow, see www.juniper.net.

J-Flow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the J-Flow record is purged. Because UDP does not guarantee delivery, a lost datagram cannot be recovered, which results in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

Once you configure an external flow source for J-Flow, you must:

• Make sure the appropriate firewall rules are configured.

• Make sure the appropriate ports are configured for your Flow Collector.

Packeteer

Packeteer devices collect, aggregate, and store network performance data. Once you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to STRM.

Packeteer uses a connection-less protocol (UDP). Once data is sent, the Packeteer record is purged. Because UDP does not guarantee delivery, a lost datagram cannot be recovered, which results in inaccurate recording and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.

To configure Packeteer as an external flow source, you must:

• Make sure the appropriate firewall rules are configured.

• Make sure that you configure Packeteer devices to export flow detail records and configure the Flow Collector as the destination for the data export.

• Make sure the appropriate ports are configured for your Flow Collector.

• Make sure the class IDs from the Packeteer devices are automatically detected by the Flow Collector.

• For additional information on mapping Packeteer applications into STRM, see the Mapping Packeteer Applications into STRM Technical Note, available on the Juniper Networks technical support web site.


Flowlog File A file generated from the STRM flow logs.

Managing Flow Sources

For STRM appliances, STRM automatically adds default flow sources for the physical ports on the appliance and also includes a default NetFlow v5 flow source. If you have installed STRM on your own hardware, STRM attempts to automatically detect and add default flow sources for any physical devices (such as a NIC card). Also, once you assign a Flow Collector, STRM includes a default NetFlow flow source.

Using the Administration Console, you can:

• Adding a Flow Source

• Editing a Flow Source

• Enabling/Disabling a Flow Source

• Deleting a Flow Source

Adding a Flow Source

To add a flow source:

Step 1 In the Administration Console, click the Flow Configuration tab.

The Flow Configuration panel appears.

Step 2 Click the Manage Flow Sources icon. The Flow Source window appears.

Step 3 Click Add.

The Add Flow Source window appears.


Step 4 Enter values for the parameters:

Step 5 Choose one of the following:

Table 8-1 Add Flow Source

Parameter - Description
Build from existing flow source - Select the check box if you want to create this flow source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.
Flow Source Name - Specify the name of the flow source. For an external flow source that is also a physical device, we recommend that you use the device name as the flow source name. If the flow source is not a physical device, make sure you use a meaningful name. For example, if you want to use NetFlow traffic, enter nf1.
Target Flow Collector - Using the drop-down list box, select the Flow Collector you want to use for this flow source.
Flow Source Type - Using the drop-down list box, select the flow source type for this flow source. The options are:
• Flowlog File
• JFlow
• Netflow v.1, v.5, v.7, or v.9
• Network Interface
• Packeteer FDR
• SFlow v.2, v.4, or v.5
Enable Asymmetric Flows - In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. Select the check box if you want to enable asymmetric flows for this flow source.


a If you selected Flowlog File as the Flow Source Type, configure the Source File Path, which is the source path location for the flow log file.

b If you selected JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source Type, configure the parameters in Table 8-2 External Flow Parameters.

c If you selected Network Interface as the Flow Source Type, configure the parameters in Table 8-3 Network Interface Parameters.

Step 6 Click Save.

Step 7 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
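Both the Recombine Asymmetric Flows parameter of the Flow Processor (Table 7-9) and the Enable Asymmetric Flows check box of a flow source (Table 8-1) exist because, on an asymmetrically routed network, the two halves of one connection arrive as separate unidirectional records, possibly from different Flow Collectors. The following added example (not STRM's implementation; the guide does not describe its matching rules) shows the recombination step itself: records whose 5-tuples mirror each other and overlap in time are merged into one bidirectional flow, the earlier-starting side is taken as the initiator, and anything unmatched stays one-sided. The collector names, the time window, and the flow records are constructed for the example.

```python
"""Recombine unidirectional flow records into bidirectional flows.

Added example, not STRM code. Assumptions: two records describe the same
connection when their 5-tuples mirror each other and the later record
starts within `window` seconds of the earlier one ending; the record that
starts first identifies the initiator. All records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    collector: str        # Flow Collector (or interface) that saw the record
    src: str
    dst: str
    sport: int
    dport: int
    proto: int            # IP protocol number, 6 = TCP, 17 = UDP
    first: float          # first packet time, seconds
    last: float           # last packet time, seconds
    bytes: int
    packets: int


@dataclass
class BiFlow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    first: float
    last: float
    src_bytes: int = 0
    src_packets: int = 0
    dst_bytes: int = 0
    dst_packets: int = 0
    seen_by: List[str] = field(default_factory=list)

    @property
    def bidirectional(self) -> bool:
        return self.src_packets > 0 and self.dst_packets > 0


def _key(r: FlowRecord) -> Tuple:
    """Direction-independent key: the 5-tuple with its endpoints ordered."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto,) + (a + b if a <= b else b + a)


def recombine(records: List[FlowRecord], window: float = 60.0) -> List[BiFlow]:
    """Merge mirrored records into BiFlows; unmatched records stay one-sided."""
    open_flows: Dict[Tuple, List[BiFlow]] = {}
    out: List[BiFlow] = []
    for r in sorted(records, key=lambda x: x.first):   # earliest start first
        k = _key(r)
        target: Optional[BiFlow] = None
        for f in open_flows.get(k, []):
            if r.first <= f.last + window:             # still inside the window
                target = f
                break
        if target is None:
            # First sighting of this connection: this side is the initiator.
            target = BiFlow(r.src, r.dst, r.sport, r.dport, r.proto, r.first, r.last)
            open_flows.setdefault(k, []).append(target)
            out.append(target)
        if (r.src, r.sport) == (target.src, target.sport):
            target.src_bytes += r.bytes
            target.src_packets += r.packets
        else:                                          # the mirrored direction
            target.dst_bytes += r.bytes
            target.dst_packets += r.packets
        target.first = min(target.first, r.first)
        target.last = max(target.last, r.last)
        if r.collector not in target.seen_by:
            target.seen_by.append(r.collector)
    return out


# Constructed sample: one HTTPS session seen outbound on the DMZ collector and
# inbound on the core collector, plus a one-sided DNS query.
SAMPLE = [
    FlowRecord("fc-dmz", "10.1.1.5", "203.0.113.10", 51000, 443, 6, 100.0, 130.0, 5200, 40),
    FlowRecord("fc-core", "203.0.113.10", "10.1.1.5", 443, 51000, 6, 100.1, 130.2, 90400, 72),
    FlowRecord("fc-dmz", "10.1.1.9", "203.0.113.20", 51001, 53, 17, 200.0, 200.0, 70, 1),
]

if __name__ == "__main__":
    for f in recombine(SAMPLE):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto {f.proto} "
              f"{'bi' if f.bidirectional else 'uni'}directional, "
              f"{f.src_bytes}/{f.dst_bytes} bytes, seen by {f.seen_by}")
```

With recombination disabled, or with the mirrored path feeding a collector whose interface is not listed in Asymmetric Flow Source Interface(s), the same session is reported as two one-sided flows, which inflates host counts and hides the reply volume; the seen_by list makes it easy to spot which collectors contributed to a merged flow.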

Editing a Flow Source

To edit a flow source:

Step 1 In the Administration Console, click the Flow Configuration tab.

The Flow Configuration panel appears.

Step 2 Click the Manage Flow Sources icon.

The Flow Source window appears.

Table 8-2 External Flow Parameters

Parameter - Description
Monitoring Interface - Using the drop-down list box, select the monitoring interface you want to use for this flow source.
Monitoring Port - Specify the port you want this flow source to use.
Enable Flow Forwarding - Select the check box to enable flow forwarding for this flow source. Once the check box is selected, the following options appear:
• Forwarding Port - Specify the port to which you want to forward flows. The default is 1025.
• Forwarding Destinations - Specify the destinations to which you want to forward flows. You can add or remove addresses from the list using the Add and Remove buttons.

Table 8-3 Network Interface Parameters

Parameter - Description
Device - Using the drop-down list box, select the device interface you want to assign to this flow source. Note: You can only configure one device per Ethernet interface. Also, you cannot send different flow types to the same port.
Filter String - Specify the filter string for this flow source.


Step 3 Click Edit. The Edit Flow Source window appears.

Step 4 Edit values, as necessary. For more information on values for flow source types, see Adding a Flow Source.

Step 5 Click Save.

Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.

Enabling/Disabling a Flow Source

To enable or disable a flow source:

Step 1 In the Administration Console, click the Flow Configuration tab.

The Flow Configuration panel appears.

Step 2 Click the Manage Flow Source icon. The Flow Source window appears.

Step 3 Select the flow source you want to enable or disable.


Step 4 Click Enable/Disable.

The Enabled column indicates if the flow source is enabled or disabled. If the flow source was previously disabled, the column now indicates True to indicate the flow source is now enabled. If the flow source was previously enabled, the column now indicates False to indicate the flow source is now disabled.

Step 5 From the Administration Console menu, select Configurations > Deploy Configuration Changes.

Deleting a Flow Source

To delete a flow source:

Step 1 In the Administration Console, click the Flow Configuration tab.

The Flow Configuration panel appears.

Step 2 Click the Manage Flow Source icon. The Flow Source window appears.

Step 3 Select the flow source you want to delete.

Step 4 Click Delete. A confirmation window appears.

Step 5 Click Ok.

Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.

Managing Flow Source Aliases

You can configure a virtual name (or alias) for flow sources. You can identify multiple sources being sent to the same Flow Collector, using the sources' IP address and virtual name. An alias allows a Flow Collector to uniquely identify and process data sources being sent to the same port.

When a Flow Collector receives traffic from a device with an IP address but no current alias, the Flow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the Flow Collector adds this information to the database and reports it to all Flow Collectors in your deployment.

Note: Using the deployment editor, you can configure the Flow Collector to automatically detect flow source aliases. For more information, see Chapter 6 Using the Deployment Editor.

Using the Administration Console, you can:

• Adding a Flow Source Alias

• Editing a Flow Source Alias

• Deleting a Flow Source Alias


Adding a Flow Source Alias

To add a flow source alias:

Step 1 In the Administration Console, click the Flow Configuration tab.

The Flow Configuration panel appears.

Step 2 Click the Manage Flow Source Aliases icon.

The Flow Source Alias window appears.

Step 3 Click Add. The Flow Source Alias Management window appears.

Step 4 Enter values for the parameters:

• IP - Specify the IP address of the flow source alias.

• Name - Specify the name of the flow source alias.

Step 5 Click Save.

Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.

Editing a Flow Source Alias

To edit a flow source alias:

Step 1 In the Administration Console, click the Flow Configuration tab.

The Flow Configuration panel appears.

Step 2 Click the Manage Flow Source Aliases icon.

The Flow Source Alias window appears.

Step 3 Select the flow source alias you want to edit.

Step 4 Click Edit.

The Flow Source Alias Management window appears.

Step 5 Update values, as necessary.

Step 6 Click Save.

Step 7 From the Administration Console menu, select Configurations > Deploy Configuration Changes.


Deleting a Flow Source Alias

To delete a flow source alias:

Step 1 In the Administration Console, click the Flow Configuration tab.

The Flow Configuration panel appears.

Step 2 Click the Manage Flow Source Aliases icon.

The Flow Source Aliases window appears.

Step 3 Select the flow source alias you want to delete.

Step 4 Click Delete.

A confirmation window appears.

Step 5 Click Ok.

Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.


8

OVERVIEW

This chapter provides an overview of the STRM Administration Console and STRM administrative functionality including:

• About the Interface

• Accessing the Administration Console

• Using the Interface

• Deploying Changes

About the Interface

You must have administrative privileges to access the Administration Console. The STRM Administration Console provides access to the following administrative functionality:

• Manage users. See Chapter 1 Managing Users.

• Manage your network settings. See Chapter 2 Managing the System.

• Manage STRM settings. See Chapter 3 Setting Up STRM.

• Manage authorized services. See Chapter 4 Managing Authorized Services.

• Back up and recover your data. See Chapter 5 Managing Backup and Recovery.

• Manage your deployment views. See Chapter 6 Using the Deployment Editor.

• Manage flow sources. See Chapter 7 Managing Flow Sources.

• Configure sentries. See Chapter 9 Managing Sentries.

• Configure views. See Chapter 10 Managing Views.

• Configure syslog forwarding. See Chapter 13 Forwarding Syslog Data.

All configuration updates using the Administration Console are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment.


Accessing the Administration Console

You can access the STRM Administration Console through the main STRM interface. To access the Administration Console, click Config in the main STRM interface. The Administration Console appears.

Using the Interface

The Administration Console provides several tab and menu options that allow you to configure STRM, including:

• System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, sentries, system settings, system notifications, authorized services, backup and recovery, and Console configuration.

• Views Configuration - Provides access to STRM views.

• SIM Configuration - Provides access to scanners, sensor device management, syslog forwarding, and resetting the SIM model.

• Flow Configuration - Provides access to flow source configuration, such as NetFlow.

The Administration Console also includes several menu options including:

Table 1-1 Administrative Console Menu Options

Menu Option - Sub-Menu - Description
File - Close - Closes the Administration Console.
Configurations - Deployment Editor - Opens the deployment editor interface.
Configurations - Deploy Configuration Changes - Deploys any configuration changes from the current session to your deployment.
Configurations - Deploy All - Deploys all configuration settings to your deployment.
System - System Start - Starts the STRM application.


The Administration Console provides several toolbar options including:

Deploying Changes

Once you update your configuration settings using the Administration Console, the changes are saved to the staging area. You must deploy them manually using the Deploy menu options; otherwise, upon exit, a window prompts you to deploy the changes before you exit. All deployed changes are then enforced throughout your deployment.

Using the Administration Console menu, you can deploy changes as follows:

• Deploy All - Deploys all configuration settings to your deployment.

• Deploy Configuration Changes - Deploys any configuration changes from the current session to your deployment.

System Stop Stops the STRM application. System Restart Restarts the STRM application.

Help Help Contents Opens user documentation. About Displays version information.

Table 1-2 Administration Console Toolbar Options

Icon DescriptionOpens the deployment editor interface.

Deploys all changes made through the Administration Console.

Table 1-1 Administrative Console Menu Options (continued)

Menu Option Sub-Menu Description


9

MANAGING SENTRIES

Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. Non-administrative users can create sentries; however, only an administrative user can configure advanced sentries on a system-wide basis.

Note: For information on creating sentries using the Network Surveillance interface, see the STRM Users Guide.

This chapter provides information on managing STRM sentries including:

• About Sentries

• Viewing Sentries

• Editing Sentry Details

• Managing Packages

• Managing Logic Units

About Sentries

You can create sentries that perform actions when certain specified conditions are met. These actions may include sending an e-mail notification or storing sentry event information. You can also add sentry alerts for a specific traffic type.

You can save Packages and Logic Units for use with other sentries. For example, if you create a DDoS package, you can create sentries at different locations in your network using the DDoS package. Similarly, an administrative user can create a package for non-administrative users to use.

Sentries contain the following components:

• Logic Unit - Includes the specific algorithm used to test objects. The Logic Unit contains the default variables for the sentry.

• Package - Contains the view objects that are forwarded to the Logic Unit and the default variables to be used by the sentry. All variables in the Package configuration have priority over the Logic Unit variables. The objects are created from any defined STRM view, with the exception of the main network view. For example, a package may contain all applications that you want to monitor for inappropriate use.


• Sentry - Specifies the network location to which you want the sentry to apply. The network location component of the sentry can also specify any restrictions that you want to enforce. The variables in the sentry component have priority over the Package and Logic Unit variables. For example, you can configure a sentry to monitor the accounting department network location between 8 am and 5 pm. You can also specify that you only want to be notified of any misuse if the activity continues for more than 10 minutes.

Viewing Sentries

To view the default or deployed sentries:

Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.

Step 2 Click the Sentries icon.

If this is the first time you have accessed the Sentries window, the Sentry Initialization window appears. Go to Step 3.

If this is not the first time you have accessed the Sentries window, go to Step 4.

Step 3 Choose one of the following options:

a If you want to include default sentries in your sentry list, click Create Sentries.

If you want to use the default sentries, you must tune these sentries for your system.

The default sentries that appear depend on the template chosen during the installation process. For more information on the defaults, see:

- Enterprise Template - See Appendix B Enterprise Template Defaults.
- University Template - See Appendix C University Template Defaults.

b If you do not want to include pre-configured sentries in your list, click Cancel. The Sentries window appears.

Step 4 From the View By drop-down list box, select the desired view. The options are:

• Objects - View the available sentries or sentry components, including:

- Sentry
- Package
- Logic Units

• Users - View the available sentries by the user who created the sentry.

Step 5 Select the sentry you want to view.


Table 2-1 provides the details of the Sentry List window:

Table 2-1 Sentry List

Parameter - Description
• Name - Specifies the name of the configured item.
• Owner - Specifies the name of the user who created the sentry.
• Action - Provides one of the following options: the edit icon allows you to edit the details (you can only edit sentries that you have created); the delete icon allows you to delete the selected item (you can only delete sentries that you have created).
• Enabled - Allows you to enable or disable the sentry. To enable the sentry, select the check box. To disable the sentry, clear the check box.

Editing Sentry Details

To edit an existing sentry:

Note: You must create a sentry using the Sentry Wizard. For more information, see the STRM Users Guide.

Step 1 In the STRM interface, click Config. The STRM Administration Console appears.

Step 2 Click the System Configuration tab. The System Configuration panel appears.

Step 3 Click the Sentries icon. The Sentries window appears.

Step 4 From the View By drop-down list box, select Object. The Sentry Objects menu tree appears.

Step 5 For the sentry you want to edit, click the edit icon.

The Edit panel appears. It shows, for example, the parameters available for a Security/Policy sentry.


Step 6 Update values for the parameters, as necessary:

a If you are editing a Security/Policy sentry:

Table 2-2 Edit Security/Policy Sentry

Parameter - Description
• Name - Specify a name for this sentry.
• Description - Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry results in an offense being generated.
• Minimum number of flows before emitting events - Specify the minimum number of times, in flows, this activity must occur before an event generates.
• Delay between emitting events - Specify the number of seconds, after the first occurrence of this event, before the next occurrence of this event. For example, if you set the value to 3, an event generates three seconds after the first instance of the event.
• Maximum emitted events per IP - Specify the maximum number of times you want this event to generate per IP address. For example, if you set the maximum alerts to 2, only two alerts generate per event.
• Is Enabled - Select the check box to enable this sentry. Clear the check box to disable the sentry.
• Options - Select the check box if you want this event to be included with other events to create an offense. Use the Address to mark as the target drop-down list box to identify whether you want the destination or source IP address to be used as the target. Note: This option only appears for a Security/Policy sentry.
• Permissions - Specify the users you want to allow access to edit this sentry.
• Package - Using the drop-down list box, select the sentry package you want to apply to this sentry. To edit an existing package, click Edit, or to create a new package, click Create New. For more information on sentry packages, see Managing Packages.
• QRL - Specifies the details of the current view for this sentry.

b If you are editing a Behavior, Anomaly, or Threshold sentry:

Table 2-3 Edit Behavior, Anomaly, or Threshold Sentry

Parameter - Description
• Name - Specify a name for this sentry.
• Description - Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry results in an offense being generated.
• Minimum activations before alert - Specify the minimum number of intervals this activity must occur before an alert generates.
• Delay between alerts - Specify the number of intervals, after the first occurrence of this event, before the next occurrence of this event.
• Maximum responses per events - Specify the maximum number of times you want this event to generate a response.
• Is Enabled - Select the check box to enable this sentry. Clear the check box to disable the sentry.
• Weight - Specify the weight of the object. The range is 1 to 100 and indicates the importance of the object in the system.
• Test as group - Select the check box if you want all objects to be added together and tested. Clear the check box if you want each object to be evaluated separately.
• Restrictions - Select the check box for one or more restrictions you want to enforce for an active sentry, including:
  - Date is relevant - Select the check box to indicate that this sentry must consider the date. When selected, date fields appear. Enter the relevant dates you want this sentry to monitor.
  - Day of week is relevant - Select the check box to indicate that this sentry must consider the day of the week. When selected, day of the week fields appear. Using the drop-down list boxes, select the relevant days you want this sentry to consider.
  - Time of day is relevant - Select the check box to indicate that this sentry must consider the time of day. When selected, time of day fields appear. Using the drop-down list box, select the time of day you want this sentry to consider.
• Permissions - Specify the users you want to allow access to edit this sentry.
• Package - Using the drop-down list box, select the sentry package you want to apply to this sentry. To edit an existing package, click Edit, or to create a new package, click Create New. For more information on sentry packages, see Managing Packages.
• Responses - Specify the method by which you want to be notified if this sentry generates an event. The options are:
  - Email
  - Log - Sends event information to standard syslog on the STRM Console.
• QRL - Specifies the details of the current view for this sentry.

Step 7 Edit the variables, as necessary. The list of variables includes all configured values for this sentry. Only the variables that apply to this sentry appear. When creating a custom sentry, you can create your own variables.

Table 2-4 Default Variables

Parameter - Description
• $$Base - Specify the current traffic level weight that you want to assign to the current traffic levels against the learned behaviors and the current trend. This variable is for behavioral sentries. A higher value places more weight on the previously recorded value. When you configure a sentry, you must enter a value between 0 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
• $$Trend - Specify the current traffic trend weight that you want to assign to current traffic trends against the calculated behavior. This variable is for behavioral sentries. A higher value places more weight on traffic trends than on the calculated behavior. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
• $$Season - Specify the weight applied to the seasonal component of the behavior sentry. The range is 1 to 100. This variable is for behavioral sentries. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
• $$SeasonTime - Specify the length of time, in seconds, that you want this sentry to consider a season. A season is the cycle of data that STRM uses to determine future data flow. This variable is for behavioral sentries.
• $$Scale - Specify the alert sensitivity level for this alert. This level indicates how far outside the predicted values a measured value must be before a violation generates. A value of zero indicates the measured value cannot be outside the predicted value, and a value of 100 indicates the traffic is more than four times larger than the predicted value. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
• $$Counter - Specify the layers you want this sentry to consider. This variable is for all sentry types. The options include: in (bytes in), out (bytes out), pin (packet in), pount (packet count), hlocal (host local), hremote (host remote), plocal (packet local), premote (packet remote), and count. Separate each entry with a colon.
• $$AsSet - Specify 0 if you want all objects to be added together and tested. Specify 1 if you want each object to be evaluated separately. This variable is for all sentry types.
• $$Value - For each threshold, specify the number that must be exceeded for this sentry to generate an alert. This variable is for all sentry types.
• $$Percent - Specify the percentage change in behavior this view must experience before the sentry generates an alert. This variable is for anomaly sentries.
• $$SmallWindow - Specify an extended period of time you want the system to monitor flows in your network. This gives the system a basis of comparison for traffic over an extended period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert. This variable is for anomaly sentries.
• $$LargeWindow - Specify a period of time you want the system to monitor flows in your network. This gives the system a basis of comparison for traffic over a smaller period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert.
• $$Upperbound/Lowerbound - For each threshold, specify the number that must be exceeded for this sentry to generate an alert. This variable is for threshold sentries.
• $$AutoLearnTime - Specify the time stamp at which you want the system to stop learning. This variable is for threshold sentries.

Step 8 Click Save.

Step 9 Close the Sentries window. The STRM Administration Console appears.

Step 10 From the menu, select Configurations > Deploy Configuration Changes.

Managing Packages

Sentries contain packages. You can create packages to reuse with multiple sentries. Using a saved package allows you to apply the same objects to multiple areas of your network. For example, you can create a package to monitor for network misuse. You can use the saved package to apply the same objects to all areas of your network.

You must apply a package to a sentry through the sentry panel. For more information, see Editing Sentry Details. By default, STRM does apply these packages. You must apply these packages to the appropriate area of your network.

This section includes:

• Creating a Sentry Package

• Editing a Sentry Package

Creating a Sentry Package

To create a new sentry package:

Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.

Step 2 Click the Sentries icon. The Sentries window appears.

Step 3 From the View By drop-down list box, select Objects. The Sentry Objects menu tree appears.

Step 4 From the menu tree, select Sentry Objects > Packages.


The Package List appears.

Step 5 Click Create New Package. The Create New Package panel appears.

Step 6 Enter values for the parameters:

Table 2-5 Create Sentry Package Parameters

Parameter - Description
• Name - Specify the name of the sentry package.
• Description - Specify a description for the sentry package.
• Weight - Specify the relative importance of this package. This determines the ranking of the offense that appears in the Offense Manager.
• Components - In the menu tree, select the components you want this package to monitor. The added components appear under the Selected Components column.
• Permissions - Specify the users you want to be able to use this package.
• Categories - For each event, you must select a high-level and a low-level event category. From the High-Level Category drop-down list box, specify the high-level event category. Once you select the high-level event category, the appropriate low-level event categories appear. Using the Low-Level Category drop-down list box, select the low-level event category you want to apply to this event. Note: For detailed information on high-level and low-level event categories, see the Event Category Correlation Reference Guide.
• Logic Unit - Using the drop-down list box, select the Logic Unit you want to apply to this sentry. To edit an existing Logic Unit, click Edit, or to create a new Logic Unit, click Create New. For more information on Logic Units, see Managing Logic Units.
• Variable Defaults - Specifies the variable default values for this sentry package. These values are overwritten by variables of the same name in the sentry.

Step 7 Click Save.

Editing a Sentry Package

To edit an existing sentry package:

Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.

Step 2 Click the Sentries icon. The Sentries window appears.

Step 3 From the View By drop-down list box, select Object. The Sentry Objects menu tree appears.

Step 4 From the menu tree, select Sentry Objects > Packages. The Package List appears.

Step 5 For the package you want to edit, click the edit icon. The Edit panel appears.


Step 6 Update parameters (see Table 2-5), as necessary.

Step 7 Click Save.

Managing Logic Units

A Logic Unit determines if a violation has occurred and if an alert needs to be generated. A Logic Unit contains the algorithm that a sentry uses to monitor your network for suspicious behavior. You can use Logic Units to create custom sentries. You must apply a Logic Unit to a package through the package panel. For more information, see Managing Packages.

This section includes:

• Creating a Logic Unit

• Editing a Logic Unit

Creating a Logic Unit

To create a Logic Unit:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the Sentries icon. The Sentries window appears.

Step 3 From the View By drop-down list box, select Object. The Sentry Objects menu tree appears.

Step 4 From the menu tree, select Sentry Objects > Logic Units. The Logic Unit List appears.

Step 5 Click Create New Logic Unit.

The Create New Logic Unit panel appears.


Step 6 Enter values for the parameters:

Table 2-6 Create New Logic Unit Parameters

Parameter - Action
• Name - Specify a name for this Logic Unit.
• Description - Specify a description for this Logic Unit.

Step 7 Create your own equation in the Equation field using JavaScript code. The entry must use the following format:

    var testObj = new CustomFunction( $$Counter, other_custom_vars);

    function test()
    {
        return testObj.test();
    }

You can use all the functions available in JavaScript as well as the following functions:

Table 2-7 JavaScript Functions

Function - Description
• thresholdCheck - Monitors policy and threshold objects. By default, this function monitors each object separately. If you want to test objects as a group, you must set the isTotal value accordingly. This function includes:
  - components - String of component names from one or more layers, separated by colons. For example, in:out.
  - funcT - Instance of a comparison object, including above, greatThanEq, below, lessThanEq, Eq, notEq, and range.
  - isTotal - Set this parameter to 0 if you want to test objects separately. Set this parameter to 1 if you want to test all objects as a group.
  - time - Indicates the time at which to make the comparison. If no time is supplied, the current time is used.
• learnPolicy - During the learning period, this function selects only objects that did not include traffic. The sentry then generates an alert on those objects. This function includes:
  - components - String of component names from one or more layers, separated by colons. For example, in:out.
  - lockTime - Indicates the time at which you want to stop the learning process.
• activityAnomaly - Detects changes in the activity level for selected databases. This function includes:
  - largewindowsize - Specifies the time range for the large observation window.
  - smallwindowsize - Specifies the time range for the small observation window.
  - percentrequired - Specifies the percentage change required before the sentry generates an alert.
  - layer - Specifies the layer you want to monitor.
  - type - Specifies whether to test the objects as a group.
  - intervalsize - Specifies the interval size, in seconds.
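As an added illustration, not code from this guide or from STRM, the following stand-alone JavaScript models how a Logic Unit equation of the shape shown in Step 7 evaluates thresholdCheck over the objects a package forwards, including the per-object versus group (isTotal) distinction and the colon-separated components string. The ThresholdCheck class, the Compare table standing in for the funcT comparison objects, and the sample objects are all assumptions constructed for this example.

```javascript
// Added example, not STRM's runtime: a stand-in for the thresholdCheck function
// described in Table 2-7, so the equation shape from Step 7 can be run offline.

// Comparison objects that play the role of funcT. The names follow Table 2-7;
// "range" takes a lower and an upper bound instead of a single threshold.
const Compare = {
  above:       (v, t)      => v > t,
  greatThanEq: (v, t)      => v >= t,
  below:       (v, t)      => v < t,
  lessThanEq:  (v, t)      => v <= t,
  Eq:          (v, t)      => v === t,
  notEq:       (v, t)      => v !== t,
  range:       (v, lo, hi) => v >= lo && v <= hi,
};

// Constructed sample input: three view objects a package might forward, each
// with per-layer counters named as in $$Counter (bytes in, bytes out, packets in).
const SAMPLE_OBJECTS = [
  { name: "ssh",  layers: { in: 1200, out: 800,  pin: 30 } },
  { name: "smtp", layers: { in: 9000, out: 400,  pin: 90 } },
  { name: "irc",  layers: { in: 3000, out: 2500, pin: 60 } },
];

// Sum the layers named in a colon-separated components string such as "in:out".
// An unknown layer name is a configuration error, so it is reported rather than
// silently counted as zero.
function sumComponents(obj, components) {
  return components.split(":").reduce((total, layer) => {
    if (!(layer in obj.layers)) {
      throw new Error("unknown layer \"" + layer + "\" in components");
    }
    return total + obj.layers[layer];
  }, 0);
}

// Stand-in for thresholdCheck(components, funcT, isTotal). `thresholds` holds the
// $$Value for this test (two bounds for Compare.range). The optional `time`
// argument from Table 2-7 is not modelled here.
class ThresholdCheck {
  constructor(components, funcT, isTotal, thresholds) {
    this.components = components;
    this.funcT = funcT;
    this.isTotal = isTotal;
    this.thresholds = thresholds;
    this.objects = [];
  }

  setObjects(objects) {
    this.objects = objects;
    return this;
  }

  // Returns the names of the violating objects. A group test (isTotal = 1)
  // returns ["*"] when the combined total violates, or [] otherwise.
  test() {
    const violations = [];
    if (this.isTotal === 1) {
      const total = this.objects.reduce(
        (sum, o) => sum + sumComponents(o, this.components), 0);
      if (this.funcT(total, ...this.thresholds)) violations.push("*");
    } else {
      for (const o of this.objects) {
        const value = sumComponents(o, this.components);
        if (this.funcT(value, ...this.thresholds)) violations.push(o.name);
      }
    }
    return violations;
  }
}

// The equation as it would be entered in the Equation field (Step 7), with the
// sentry's variables passed in explicitly instead of being substituted by STRM.
function buildEquation(counter, funcT, thresholds, isTotal) {
  var testObj = new ThresholdCheck(counter, funcT, isTotal, thresholds)
    .setObjects(SAMPLE_OBJECTS);
  function test() {
    return testObj.test();
  }
  return test;
}

// Per-object test: which objects moved more than 5000 bytes in+out? -> ["smtp", "irc"]
const perObjectHits = buildEquation("in:out", Compare.above, [5000], 0)();
// Group test: does the combined in+out total exceed 15000 bytes? -> ["*"]
const groupHits = buildEquation("in:out", Compare.above, [15000], 1)();
// Range test on one layer: packets in between 50 and 100 inclusive -> ["smtp", "irc"]
const rangeHits = buildEquation("pin", Compare.range, [50, 100], 0)();
```

Note that Table 2-4 describes $$AsSet with the opposite polarity (0 adds objects together, 1 evaluates them separately) from the isTotal parameter in Table 2-7; this example follows Table 2-7, so confirm which convention your Logic Unit expects before passing $$AsSet through to it.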


Editing a Logic Unit

To edit a Logic Unit:

Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.

Step 2 Click the Sentries icon. The Sentries window appears.

Step 3 From the View By drop-down list box, select Object. The Sentry Objects menu tree appears.

Step 4 From the menu tree, select Sentry Objects > Logic Units. The Logic Unit List appears.

Step 5 For the Logic Unit you want to edit, click the edit icon. The Edit panel appears.

Step 6 Update parameters, as necessary.

Step 7 Click Save.


10

MANAGING VIEWS

You can display network traffic with many different views. A view represents traffic activity on your network for a specific profile. The Local Network View has n levels of depth, specific to your network hierarchy. All views, with the exception of the Network View, have group levels and leaf object levels. You can also create Custom Views to display the types of traffic you want to identify, monitor, and be alerted to when specific flows appear across your network.

This chapter includes:

• Using STRM Views

• Managing Ports View

• Managing Application Views

• Managing Remote Networks View

• Managing Remote Services Views

• Managing Collector Views

• Managing Custom Views

• Enabling and Disabling Views

• Using Best Practices

Using STRM Views

This section provides information regarding views, including:

• About Views

• About Global Views

• Defining Unique Objects

About Views

STRM includes default views that capture and display your network activity. Each view filters traffic and displays the data from many perspectives. You can use these default views to display your network activity from various perspectives.

You can configure views with an identifiable color scheme. Each color appearing on your graph represents the activity taking place on your network. Each color is also displayed in the dynamic legend beside the graph. You can point your mouse to the color on the legend to identify the traffic type.


Each view is assigned a weight. Configured for traffic alerting purposes, weight is the numeric value assigned to a flow property. STRM adds the weight value to the sentry flow property weight value and assigns a sequence of ranking events. An alert may be signalled when STRM interprets the combination of the numerical weight values. For more information on weights, see Chapter 9 Managing Sentries.

A view is a property of flows divided into the following:

• Group - A collection of objects configured to display the network data that appears on the graphs in a specific view.

• Object - Assigned flow properties configured to identify specific traffic.

• Layer - Property used to count traffic.

You can create a Custom View to identify more complex traffic patterns. You must configure Custom Views with equations that identify your network activity and match the properties built into an equation. You can create Custom Views to:

• Identify protocol misuse from any geographic location.

• Identify traffic from partner sites using applications you have deemed out-of-policy.

• Create an alternate network hierarchy.

You can also use equations to identify network traffic flows. When traffic flows match the assigned property-set, STRM identifies and displays the traffic on the graphs, enabling you to monitor and investigate the activity. An equation is constructed from the following:

• Objects - Network objects that are currently present on your network. When choosing an object, you can select the network object, or any one of the leaf nodes that is associated with the object. The selected object (or leaf node) becomes part of an equation.

• Elements - Tests of specific flow properties, such as an IP address, protocol, or byte count. These specify the criteria a traffic flow must match to be identified. Traffic flows matching the assigned criteria are displayed when viewing the Custom View on the STRM graphs.

About Global Views

You can access Global Views using the Global Views menu option in the Network Surveillance interface. Configurable Global Views include:

• Local Networks View - Displays traffic by network objects.

• Ports View - Displays traffic originating from identified destination ports.

• Applications View - Displays traffic originating from the application layer by the client connection and the server connection.

• Remote Networks View - Displays user defined traffic originating from named remote networks.


• Remote Services View - Displays traffic originating from user defined network ranges or, if desired, the Juniper Networks automatic update server.

• Collector View - Displays traffic seen by each Flow Collector.

• Protocol - Displays traffic originating from protocol usage.

Note: For more information on default groups and objects, see the STRM Default Application Configuration Guide.

You can edit several Global Views by adding objects to existing groups or changing pre-existing properties to suit your environment. STRM does not allow you to configure Geographic or Protocol Views. Contact Juniper Networks Customer Support for assistance.

Caution: You cannot move an existing object to another group. If you select a new group and click Add Group, the object name moves from the existing group to the newly selected group; however, when the configuration changes are deployed, the object data stored in the database is lost and the object ceases to function. You must create a new view and recreate the object in the other group.

Defining Unique Objects

Some groups within views include objects that are unique to specific views. For example, InverseIsKnown is unique to the Ports View. This group captures the server traffic when displaying the client view, and displays client traffic when displaying the server view.

Some groups within views, such as superflows, are for informational purposes only and cannot be edited. However, you can create a Custom View based on an existing view and configure the Custom View properties to resemble the groups that cannot be edited. For more information, see Managing Custom Views.

Unique groups include:

• InverseIsKnown - Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.

• Other - Specifies traffic that does not match a property-set or is not defined in the configuration. Traffic that is classified as Other may be used to capture miscellaneous traffic.

• Unknown - Specifies traffic that is unidentifiable.

• Superflows - Specifies traffic that has been grouped into superflows; where one superflow is a group of aggregate flows that have a number of similar properties.

• Known_to_client_or_server - Similar to InverseIsKnown. When viewing client data, this group represents the server data. When viewing server data, this group represents the client data.


Managing Ports View

Ports Views display traffic originating from identified destination ports. Using the Ports View, you can view traffic by port. This section provides information on managing the Ports View including:

• Default Ports Views

• Adding a Ports Object

• Editing a Ports Object

Default Ports Views

Ports View includes the following default groups:

Table 3-1 Ports Views

Ports Group - Description
• InverseIsKnown - Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.
• MailPorts - Specifies e-mail traffic flows originating from each mail port.
• Superflows - This group is non-configurable. A superflow is a flow that is an aggregate of a number of flows that have a similar pre-determined set of elements.
• TargetedPorts - Specifies traffic flows destined for specific ports.
• UnnamedPorts - Specifies traffic flows not destined for a specific port.
• WebPorts - Specifies traffic flows destined for the port assigned for Internet traffic.
• p2pports - Specifies traffic flows to and from ports assigned for Peer-to-Peer (P2P) traffic within your network.

Adding a Ports Object

To add a ports object:

Step 1 In the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.

Step 2 Click the Ports icon. The Manage Group window appears.

Step 3 Click Add. The Add New Object window appears.


Step 4 Enter values for the following parameters:

Table 3-2 Ports - Add New Object Parameters

Parameter - Description
• Group - Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
• Name - Specify the object name.
• Weight - Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
• Ports - Specify the port number for the object or use the arrows to change the existing numeric value. Click Add.
• Description - Specify a description for this object.
• Color - Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
• Database Length - Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.

Step 7 Close the Ports View window.

Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.


Editing a Ports Object

To edit an existing object:

Step 1 In the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.

Step 2 Click the Ports icon. The Manage Group window appears.

Step 3 Click the group you want to edit. The Manage Group window appears.

Table 3-3 Manage Group

Parameter - Description
• Name - Specifies the name assigned to the object.
• Weight - Specifies the weight assigned to the object.
• Color - Specifies the color displayed when viewed on the graphs.
• Actions - Specifies the action available for each group, including: open the object properties window.

Step 4 From the Manage Group table, or from the tree menu, click the name of the object you want to edit. The Properties window appears.

Table 3-4 Manage Group

Parameter - Description
• Name - Specifies the name assigned to the object.
• Value - Specifies the ports assigned to this object.
• Weight - Specifies the weight assigned to the object.
• Color - Specifies the color displayed when viewed on the Network Surveillance graphs.
• Actions - Specifies the actions available for each object, including: edit view properties; delete object.

Step 5 Edit values as necessary. See Table 3-2.

Step 6 Click Save.

Step 7 Click Return.

Step 8 Close the Ports View window.

Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Managing Application Views

Application Views display traffic originating from the application server by the client connection and the server connection. Using the Application Views, you can view traffic by application identification. This section provides information on managing Application Views, including:

• Default Application Views

• Adding an Applications Object

• Editing an Applications Object

Default Application Views

Application View includes the following default groups:

Table 3-5 Application Views

Chat: Specifies traffic originating from chat sources, such as AOL, ICQ, IRC, MISN, and MSN.
ClientServer: Specifies traffic originating from a client server, such as Meeting Maker, NetIQ, FIX, MATIP, or CVSup.
ContentDelivery: Specifies traffic originating from content delivery applications, such as EntryPoint, BackWeb, or Webshots.
DataTransfer: Specifies traffic originating from data transferred over common file/data transfer protocols, such as FTP, Misc-Transfer-Ports, NFS, NNTPNews, TFTP, WindowsFileSharing, WindowsNetworkPorts, and XFER.
DataWarehousing: Specifies traffic originating from database applications.
DirectoryServices: Specifies traffic originating from directory services, such as WINS, CRS, or RRP.
FilePrint: Specifies traffic originating from file print applications, such as a printer or IPP.
Games: Specifies traffic originating from game applications, such as Doom, Quake, Half-Life, or Kali.
Healthcare: Specifies traffic originating from health care related applications, such as DICOM or HL7.
InnerSystem: Specifies traffic originating from the STRM application, such as Common Ports, Flowgen, and UpdateDaemon.
InternetProtocol: Specifies traffic originating from Internet protocol related applications, such as ActiveX or SOAP-HTTP.
Known_to_client_or_server: When viewing client data, this group captures the server data. When viewing server data, this group captures the client data.
Legacy: Specifies traffic originating from legacy applications, such as SNA, LAT, FNA, or SLP.
Mail: Specifies all traffic originating from e-mail applications, such as ESMTP, IMAP, MISC-MAIL-Port, POP, POP-Port, SMTP, and SMTP-Port.

Table 3-5 Application Views (continued)

Misc: Specifies identified miscellaneous application traffic, such as Appletalk-IP, Authentication, DHCP, DNS, DNS-Port, ManagementService, Misc-Ports, MiscApp, Network-Config-Ports, RPC, SNMP-Ports, Syslog, and Time.
Multimedia: Specifies traffic originating from multimedia applications, such as WebEx, video frames, or Intellex.
NetworkManagement: Specifies traffic originating from network management applications, such as ICMP, SMS, NetFlow, or flow records.
No_Detect_Attempt: Specifies traffic that is void of content within a packet.
P2P: Specifies traffic originating from Peer-to-Peer (P2P) applications, such as BitTorrent, Blubster, Common P2P Port, DirectConnect, Gnutella, Kazaa, LimeWire, OpenNap, Peerenabler, Piolet, and eDonkey.
Remote Access: Specifies traffic originating from applications accessed remotely, such as CitrixICA, PCAnywhere, SSH, SSH Ports, Telnet, Telnet-Port, and VNC.
RoutingProtocols: Specifies traffic originating from routing protocols, such as RIP, ICMP, ICP, or AURP.
SecurityProtocol: Specifies traffic originating from security protocols, such as SOCKS, L2TP, SWIPE, or DPA.
Streaming: Specifies traffic originating from streaming applications, such as MicrosoftMediaServer, StreamingAudio, and WindowsMediaPlayer.
Unknown_apps: Specifies pre-defined flows classed as Unknown traffic.
VoIP: Specifies traffic originating from Voice over IP (VoIP) applications, such as Skype, I-Phone, SIP, or Clarent-CC.
Web: Specifies traffic originating from web applications, such as HTTP, JAVA, SecureWeb, WebFile, WebMedia, and Web Port.

Note: The default views are automatically updated with the Automatic Update function. For more information regarding automatic updates, see Scheduling Automatic Updates.

Adding an Applications Object

To add an applications object:

Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Application icon.

Step 3 Click Add.
The Add New Object window appears.

Step 4 Enter values for the following parameters:

Table 3-6 Applications - Add New Object Parameters

Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
AppsIDs: Specify the application ID for the object or use the arrows to change the existing numeric value. Click Add. Note: The application identification must be defined in the mapping file before it is added to this object. For more information on the mapping file, see the STRM Default Application Configuration Guide.
Description: Specify a description for this object.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.

Step 7 Close the Applications View window.

Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Editing an Applications Object

To edit an applications object:

Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Applications icon.
The Manage Group window appears.

Table 3-7 Manage Group

Name: Specifies the name assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group, including: Open view properties window.

Step 3 Click the group you want to display.
The Manage Group window appears.

Table 3-8 Manage Group

Name: Specifies the group name.
Value: Specifies application IDs assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 4 Click the name of the object you want to edit.
The Properties window appears.

Step 5 Edit values as necessary. See Table 3-6.

Step 6 Click Save.

Step 7 Click Return.

Step 8 Close the Applications View window.

Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Managing Remote Networks View

Remote Networks View displays user traffic originating from named remote networks. Using the Remote Networks View, you can view traffic by known remote networks. This section provides information on managing the Remote Networks View, including:

• Default Remote Networks Views

• Adding a Remote Networks Object

• Editing a Remote Networks Object

Default Remote Networks Views

Remote Networks includes the following default groups:

Table 3-9 Remote Networks Views

BOT: Specifies traffic originating from BOT applications.
Bogon: Specifies traffic originating from unassigned IP addresses. Note: Bogon reference: http://completewhois.com/bogons/
HostileNets: Specifies the traffic originating from known hostile networks. HostileNets has a set of 20 (Rank 1 to 20 inclusive) configurable CIDR ranges.
Neighbours: This group is blank by default. You must configure this group to classify traffic originating from neighboring networks.
Superflows: This group is non-configurable. A superflow is a flow that is an aggregate of a number of flows that have a similar pre-determined set of elements.
TrustedNetworks: This group is blank by default. You must configure this group to classify traffic originating from trusted networks.

Note: Groups and objects that include superflows are for informational purposes only and cannot be edited. Groups and objects that include bogons are configured by the Automatic Update function.

Adding a Remote Networks Object

To add a Remote Networks object:

Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Remote Networks icon.

Step 3 Click Add.
The Add New Object window appears.

Step 4 Enter values for the following parameters:

Table 3-10 Remote Networks - Add New Object Parameters

Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
IP/CIDR(s): Specify the IP address or CIDR range for the object. Click Add.
Description: Specify a description for the object.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.

Step 7 Close the Remote Networks View window.

Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Editing a Remote Networks Object

To edit an existing Remote Networks object:

Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Remote Networks icon.
The Manage Group window appears.

Table 3-11 Manage Group

Name: Specifies the name assigned to the view.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group, including: Open view properties window.

Step 3 Click the group you want to display.
The Manage Group window appears.

Table 3-12 Manage Group

Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 4 Click the object you want to edit.
The Properties window appears.

Step 5 Edit values as necessary. See Table 3-10.

Step 6 Click Save.

Step 7 Click Return.

Step 8 Close the Remote Networks View window.

Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Managing Remote Services Views

Remote Services Views display traffic originating from user-defined network ranges or, if desired, from the Juniper Networks automatic update server. Using the Remote Services Views, you can view remote service providers. This section provides information on managing the Remote Services Views, including:

• Default Remote Services Views

• Adding a Remote Services Object

• Editing a Remote Services Object

Default Remote Services Views

Remote Services view includes the following default groups:

Table 3-13 Remote Services - Manage Group Parameters

IRC_Servers: Specifies traffic originating from addresses commonly known to produce superflows.
Porn: Specifies traffic originating from addresses commonly known to contain explicit pornographic material.
Proxies: Specifies traffic originating from commonly known open proxy servers.

Table 3-13 Remote Services - Manage Group Parameters (continued)

Reserved_IP_Ranges: Specifies traffic originating from reserved IP address ranges.
Spam: Specifies traffic originating from addresses commonly known to produce SPAM or unwanted e-mail.
Spy_Adware: Specifies traffic originating from addresses commonly known to contain spyware or adware.
Superflows: Specifies traffic originating from addresses commonly known to produce superflows.
Warez: Specifies traffic originating from addresses commonly known to contain pirated software.

Adding a Remote Services Object

To add a Remote Services object:

Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Remote Services icon.
The Manage Group window appears.

Step 3 Click Add.
The Add New Object window appears.

Step 4 Enter values for the following parameters:

Table 3-14 Remote Services - Add New Object Parameters

Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
IP/CIDR(s): Specify the IP address/CIDR range for the object. Click Add.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.

Step 7 Close the Applications View window.

Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.

Step 9 All changes are deployed.

Editing a Remote Services Object

To edit an existing Remote Services object:

Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Remote Services icon.
The Manage Group window appears.

Table 3-15 Manage Group

Name: Specifies the name assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group, including: Open view properties window.

Step 3 Click the group you want to display.

The Manage Group window appears.

Table 3-16 Manage Group

Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 4 Click the object you want to edit.
The Properties window appears.

Step 5 Edit values as necessary. See Table 3-14.

Step 6 Click Save.

Step 7 Click Return.

Step 8 Close the Remote Services View window.

Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Managing Collector Views

The Collector Views display traffic seen from the Flow Collector and provide the AllCollectors group. This group specifies the traffic originating from all Flow Collectors that reside on your network.

This section provides information on configuring the Flow Collector view, including:

• Adding a Flow Collector Object

• Editing a Flow Collector Object

Adding a Flow Collector Object

To add a Flow Collector object:

Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Collector icon.

Step 3 Click Add.
The Add New Object window appears.

Step 4 Enter values for the following parameters:

Table 3-17 Flow Collector - Add New Object Parameters

Group: Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.

Table 3-17 Flow Collector - Add New Object Parameters (continued)

Collector ID: Using the drop-down list box, select the Flow Collector you want to use as the source.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.

Step 5 Click Save.

Step 6 Click Return.

Step 7 Close the Collector View window.

Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Editing a Flow Collector Object

To edit an existing Flow Collector object:

Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Collector icon.
The Manage Group window appears.

Table 3-18 Manage Group

Name: Specifies the name assigned to the group.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the action available for each group, including: Open view properties window.

Step 3 Click the group you want to display.
The Manage Group window appears.

Table 3-19 Manage Group

Name: Specifies the name assigned to the object.
Value: Specifies ports assigned to this object.
Weight: Specifies the weight assigned to the object.
Color: Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions: Specifies the actions available for each object, including: Edit view properties. Delete object.

Step 4 Click the object you want to edit.
The Properties window appears.

Step 5 Edit values as necessary. See Table 3-17.

Step 6 Click Save.

Step 7 Click Return.

Step 8 Close the Collector View window.

Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Managing Custom Views

Custom Views uniquely identify specific traffic flows, such as SSH traffic on a non-standard port, or traffic originating from another country. Each Custom View object must be configured with an equation, which creates a set of properties that applies a filter to each network flow.

Custom Views provide you with several advantages. For example, you can use Custom Views for the following scenarios:

• Define a view to isolate and display traffic relevant to your enterprise.

• Rebuild any default view and configure it to suit your enterprise.

• Use a view to remap data in different ways.

• Use a view for an alternate network hierarchy.

• Apply Other traffic in a view for reporting purposes.

• Apply Boolean logic in the Equation Editor when creating a view.

• The Classification Engine can interpret the view information as RPN.

• Build a Custom View object to detect the following sequence:

- Src (source) sends a Syn (synchronize) packet to a Dst (destination)
- Dst (destination) sends back an Ack (acknowledge) packet
- Src (source) sends a Syn-Ack (synchronize-acknowledge) or a Syn-Rst (synchronize-reset) packet to the Dst (destination)
- The initial packet cannot have an empty payload

This section provides information on creating and configuring Custom Views, including:

• About Custom Views

• Editing Custom Views

• Editing the Operators

• Editing the Equation

About Custom Views

Custom Views includes the following default groups:

• IP Tracking Group

• Threats Group

• Attacker Target Analysis Group

• Target Analysis Group

• Policy Violations Group

• ASN Source

• ASN Destination

• IFIndex In

• IFIndex Out

• QoS

• FlowShape

The objects for the IP Tracking, Threats, Attacker Target Analysis, Target Analysis, and Policy Violations groups depend on the template chosen during the installation process. For more information on the defaults, see:

• Enterprise Template - See Appendix B Enterprise Template Defaults.

• University Template - See Appendix C University Template Defaults.

STRM detects the ASN and IFIndex values from network flows. When STRM detects ASN or IFIndex values in a flow, STRM creates a new object in the respective group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group. However, for STRM to detect and create objects for ASN and IFIndex values in a flow, you must enable the respective views. For more information on enabling views, see Enabling and Disabling Views.

STRM also detects Quality of Service (QoS) values from your network flows. QoS prioritizes traffic, enabling your network to provide various levels of service for flows. QoS provides the following basic levels of service:

• Best Effort - This level of service does not guarantee delivery. The delivery of the flow is considered best effort.

• Differentiated Service - Certain flows are granted priority over other flows. This priority is granted by classification of traffic.

• Guaranteed Service - This level of service guarantees the reservation of network resources for certain flows.

To create Custom Views:

Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.

Step 2 Click the Custom Views icon.
The Manage Group window appears.

Step 3 Click Create New View.
The Properties window appears.

Step 4 Enter values for the following parameters:

Table 3-20 Custom View - Properties for New View: Staging/Globalconfig

Name: Specify a name for the new view.
Description: Specify a description for the new view.

Step 5 Click Save.
The Custom View Management window appears.

Step 6 Click Return.

Step 7 From the Manage Group window, select the view and click Add Equation.
The Properties window appears.

Step 8 Enter values for the following parameters:

Table 3-21 Properties Views

Group: Using the drop-down list box, select the group to which you want to add the object. Click Add Group.
Name: Specify the name for the object.
Weight: Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
Color: Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length: Using the drop-down list box, select the database length.
Equation: Click Equation Editor to specify your equation for this object.

Step 9 Click Equation Editor.
The Equation Editor window appears.

Step 10 From the Objects box, select the view you want to assign.

Step 11 From the Elements panel, select an element and enter the parameter values to configure the element. See Table 3-22.
The element is assigned to the selected object. This creates the first instance on the Equation Editor.

Step 12 Select another object from the Objects box and assign an associated element.
By default, the objects are joined with the AND operator.

Step 13 Continue selecting the objects and assigning elements until you have completed your equation. Click Save.
Note: If you want to calculate two values before STRM adds the next consecutive object, insert brackets around the values. For more information on operators, see Editing the Operators.

Your equation should resemble this window:
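The equation window itself is not reproduced in this transcript. As an added example (mine, not Juniper's code or STRM's internal format), the following Python shows the mechanics the steps above and Table 3-22 describe: elements joined with AND by default, brackets forcing a sub-expression to be calculated first, the equation consumed as RPN, and TCP flags entered in any order but displayed as FSRPAU78, run over a few constructed flow records. The Type:Object:Value element syntax, the operator precedence, the flag bit values, the rule that a Flags element matches when every listed flag is set, and the flow record fields are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Display order STRM uses for captured TCP flags (page: FSRPAU78); bit values
# are the TCP header bits. The page calls 7 and 8 "illegal"; RFC 3168 later
# assigned them to ECN (ECE, CWR), so on their own they are no longer unusual.
FLAG_ORDER = "FSRPAU78"
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "7": 0x40, "8": 0x80}
PRECEDENCE = {"NOT": 3, "AND": 2, "OR": 1}  # assumed: NOT tightest, OR loosest


def parse_flags(text):
    """Flag characters entered in any order (e.g. 'AS', 'S,A') -> bitmask."""
    mask = 0
    for ch in text.upper().replace(",", "").replace(" ", ""):
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask


def format_flags(mask):
    """Render a bitmask in STRM's fixed display order."""
    return "".join(c for c in FLAG_ORDER if mask & FLAG_BITS[c])


def make_element(token):
    """Type:Object:Value (assumed syntax) -> predicate on a flow dict. Object
    is Src or Dst; the page's Local, Remote and Total are not modelled."""
    kind, obj, value = token.split(":", 2)
    side = {"Src": "src", "Dst": "dst", "": ""}[obj]
    if kind == "Port":
        return lambda f: f[f"{side}_port"] == int(value)
    if kind == "CIDR":
        net = ip_network(value, strict=False)
        return lambda f: ip_address(f[f"{side}_ip"]) in net
    if kind == "Protocol":  # page: the protocol number, never the name
        return lambda f: f["protocol"] == int(value)
    if kind == "Flags":  # assumed semantics: every listed flag must be set
        want = parse_flags(value)
        return lambda f: parse_flags(f[f"{side}_flags"]) & want == want
    raise ValueError(f"unsupported element type {kind!r}")


def to_rpn(equation):
    """Shunting-yard: bracketed infix -> RPN. AND binds tighter than OR, which
    is why the page says to bracket values that must be calculated first."""
    out, ops = [], []
    for tok in equation.replace("(", " ( ").replace(")", " ) ").split():
        if tok in PRECEDENCE:
            while (tok != "NOT" and ops and ops[-1] != "("
                   and PRECEDENCE[ops[-1]] >= PRECEDENCE[tok]):
                out.append(ops.pop())
            ops.append(tok)
        elif tok == "(":
            ops.append(tok)
        elif tok == ")":
            while ops and ops[-1] != "(":
                out.append(ops.pop())
            if not ops:
                raise ValueError("unbalanced brackets")
            ops.pop()
        else:
            out.append(tok)  # an element
    if "(" in ops:
        raise ValueError("unbalanced brackets")
    return out + ops[::-1]


def eval_rpn(rpn, flow):
    """Evaluate the RPN form against one flow record with a value stack."""
    stack = []
    for tok in rpn:
        if tok == "NOT":
            stack.append(not stack.pop())
        elif tok in ("AND", "OR"):
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if tok == "AND" else (a or b))
        else:
            stack.append(make_element(tok)(flow))
    return stack[0]


def matching_flows(equation, flows):
    """IDs of the flows the equation classifies into the view."""
    rpn = to_rpn(equation)
    return [f["id"] for f in flows if eval_rpn(rpn, f)]


# Constructed sample flow records (not captured data); *_flags are the TCP
# flags seen from each side of the flow, in the order they were recorded.
FLOWS = [
    {"id": "f1", "src_ip": "203.0.113.9", "dst_ip": "10.1.2.3", "src_port": 40112,
     "dst_port": 22, "protocol": 6, "src_flags": "S", "dst_flags": ""},
    {"id": "f2", "src_ip": "10.1.2.50", "dst_ip": "10.1.2.3", "src_port": 51000,
     "dst_port": 22, "protocol": 6, "src_flags": "APSF", "dst_flags": "APSF"},
    {"id": "f3", "src_ip": "203.0.113.9", "dst_ip": "10.1.2.3", "src_port": 40113,
     "dst_port": 2222, "protocol": 6, "src_flags": "SA", "dst_flags": "SA"},
]

# TCP connection attempts to the SSH port or a non-standard SSH port from
# outside the site's 10.0.0.0/8 range; the brackets make the OR happen first.
EQUATION = ("Protocol::6 AND Flags:Src:S AND NOT CIDR:Src:10.0.0.0/8 "
            "AND ( Port:Dst:22 OR Port:Dst:2222 )")
```

Dropping the brackets changes the view: AND then binds the two port tests apart, so Port:Dst:22 matches on its own and the internal flow f2 is classified in as well.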

Table 3-22 Element Options

Count Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (source), Dst (destination), Local, Remote, and Total. Note: When ports are counted, the number of unique destination ports is returned.
Parameter: Using the drop-down list box, select the parameter you are testing. Options include: Bytes, Packets, and ContentLength.
Test: Using the drop-down list box, select how to test the numeric value. Options include: Above, Below, and Equals.
Value: Enter a numeric value for the option you have selected: the number of bytes, the number of packets, or the content length. This value is based on a flow stats record reported in a single interval. Using the drop-down list box, select the byte size unit of measurement. Options include: K (kilobyte), M (megabyte), G (gigabyte), and T (terabyte). Click Add.

Protocol Element Type

Name: Specify the element name.
Protocol: Specify the protocol identification number. You must enter the protocol number and not the name. Click Add. Note: For a list of default protocol identification numbers, see the STRM Default Application Configuration Guide.

Super Flow Count Element Type
Name: Specify the element name.
Unit: Using the drop-down list box, select the element unit. Options include: Hosts and Ports.
Test: Using the drop-down list box, select how to test the numeric Super Flow Count value. Options include: Above, Below, and Equals.
Value: Enter the number of hosts or ports. Click Add.

Flow Stat Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Unit: Using the drop-down list box, select the element unit. The unit is specific to the stats record in one interval. Options include: BytesPacketRatio, PacketArrivalRate, ByteArrivalRate, ByteRatio, and PacketRatio.
Test: Using the drop-down list box, select how to test the numeric Flow Stat value. Options include: Above, Below, and Equals.
Value: Specify the numeric value of unit measurements. Click Add.

Content Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total. Note: Only the content that is captured is counted.
Value: Enter the content string. Click Add.

Flags Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.

Value: Enter the character that represents the TCP/IP flags element type you want to add. STRM accepts the following:
- A, ACK (Acknowledge): Receiver sends an acknowledgement that equals the sender's sequence.
- S, SYN (Synchronize): Agreement on sequence numbers during session setup. Sequence numbers are random.
- F, FIN (Finish): Sender has no more data to send.
- R, RST (Reset): Instantaneous abort in both directions. This is an abnormal session disconnection.
- P, PSH (Push): Forces data delivery without waiting for buffers to fill. The data will also be delivered to the application on the receiving end without buffering.
- U, URG (Urgent): Indicates the packet data should be processed as soon as possible.
- 7: Illegal flag that represents the seventh bit of the TCP flag field. Typically, this flag is not used in normal operations and may be used by malicious users.
- 8: Illegal flag that represents the eighth bit of the TCP flag field. Typically, this flag is not used in normal operations and may be used by malicious users.
Click Add.
Note: The order in which you enter the TCP/IP Flags is not important; however, when viewing content capture, STRM displays the flags in the following order: FSRPAU78

Flow Properties Element Type
Name: Specify the element name.

Property: Using the drop-down list box, select the flow property. Options include:
• ClassL2L - Traffic between two local objects on your network.
• ClassL2R - Traffic between one local object and one remote object.
• ClassOther - Traffic between hosts not defined in your network.
• SuperFlow - Flow of traffic that is an aggregate of the number of flows that have a similar predetermined set of elements, such as protocol, source bytes, source packets, source host, or destination network. In some cases, other properties may be similar, such as destination ports, TCP/IP flags, ICMP types, and code; however, the destination hosts can differ.
• SuperFlowTypeA - SuperFlow identified as one host destined to many hosts.
• SuperFlowTypeB - SuperFlow identified as many hosts destined to one host.
• SuperFlowTypeC - SuperFlow identified as one host to one host.
• StealthPorts - Traffic located outside the normal application ports.
• SrcLocal - Traffic originating from a local source.
• DstLocal - Traffic originating from a remote network destined for your network.
• NoAppDetect - Traffic with zero application detection, which may be caused by not enough payload, or traffic originating from ICMP messages.
• UnknownApp - Non-defined application traffic.
• FlowShapeInOnly - Traffic or flows destined into the network (from the Flowtype View).
• FlowShapeOutOnly - Traffic or flows destined out from the network (from the Flowtype View).
Click Add.

Port Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value: Specify the port number. Click Add.

CIDR Element Type
Name: Specify the element name.
Object: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value: Enter the IP address or CIDR range. Click Add.

Application ID Element Type
Name: Specify the element name.


Value: Specify the application identification number. Click Add.

Collector Element Type
Name: Specify the element name.
Property: Using the drop-down list box, select the element property. Options include: CollectorID and CollectorInterface.
Value: Specify the user-defined Flow Collector Identification or Collector Interface name. Click Add.

Date Element Type
Name: Specify the element name.
Test: Using the drop-down list box, select when to test the value. Options include: After and Before.
Value: Click the Calendar icon and select a date. The default value is the current date. Click Add.

Time Element Type
Name: Specify the element name.
Test: Using the drop-down list box, select when to test the value. Options include: After and Before.
Value: Using the drop-down list box, select the hour and minutes. Click Add.

Day Element Type
Name: Specify the element name.
Type: Using the drop-down list box, select the amount of time. Options include: Week and Month.
Value: Specify the day of the week or enter the month. Click Add.

Flow Length Element Type
Name: Specify the element name.
Test: Using the drop-down list box, select how to test the numeric Flow Length value based on a single flow stat record. Options include: Above, Below, and Equals.
Value: Specify the numeric value for the precise flow length. Click Add.

ICMP Element Type
Name: Specify the element name.
Property: Using the drop-down list box, select the ICMP Type property. Options include: Type and Code.
Value: Specify the numeric value for the ICMP Type or Code. Click Add.

Note: For a list of STRM default ICMP Types or Codes, see the STRM Default Application Configuration Guide; or, for a reference on the current RFC Standards, go to: http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html


Flow Context Property
Name: Specify the element name.
Property: Using the drop-down list box, select the flow text property. Options include: PortIsNew, TargetIsSrc, AttackerIsSrc, TargetIsDst, AttackerIsDst, TargetIsKnownLocal, AttackerIsKnownLocal, TargetIsLocal, AttackerIsLocal, TargetPort, AttackerPort, BeforeEvent, and AfterEvent. Click Add.

Flow Context Target Port
Name: Specify the element name.
Port: Specify the port number. Click Add.

Interface Index (ifIndex)
Name: Specify the element name.
Direction: Specifies the direction of the traffic. The options are Input or Output.
Value: Specify the numeric value for the ifIndex. Click Add.

Quality of Service
Name: Specify the element name.
Side: Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, or Remote.
Field: Using the drop-down list box, select the Quality of Service (QoS) field you want to test. Options include: IP_Precedence, Type of Service (TOS), Differentiated Service Code Point (DSCP), or Explicit Congestion Notification (ECN).
Test: Using the drop-down list box, select how to test the QoS value. Options include: Above, Below, and Equals.
Value: Specify the numeric value for the QoS. Click Add.

Editing Custom Views

To edit Custom Views:

Step 1 From the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.

Step 2 Click the Custom Views icon. The Manage Group window appears.

Step 3 Click the group <Name> or access the group from the navigation menu. The Manage window appears.

Step 4 Click the object name to edit the object properties. The Properties window appears.

Step 5 Edit the necessary parameters, see Table 3-22.

Step 6 Click Save.

Step 7 Click Return.

Step 8 Close the Custom View window.

Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.

Editing the Equation

You can change how an equation is calculated. The Drop Area of the Equation Editor features a drag and drop method of changing how the equation is calculated.

To edit the equation using the same objects and elements:

Step 1 Select the object or element and hold.

Step 2 Drag the item to another part of the equation. As you pass over another item in the Drop Area of the panel, that item becomes highlighted, which signifies that you can drop the item into the equation. The dropped item is placed ahead of the highlighted item and is joined to it with the AND operator. This affects the calculation in two places: the next logical calculation from where the item was moved, and the logical calculation where the item is placed.

Step 3 Click Save.

Step 4 Close the Custom Views window.

Step 5 From the Administration Console menu, select Configuration > Deploy Configuration Changes.All changes are deployed.


Editing the Operators

You can edit the operators as they appear in the Drop Area of the Equation Editor. You can access the following using the right mouse button (right-click) on each operator:

• And Operator - To change the default AND operator to OR, use the right mouse button (right-click) on the operator and select OR from the menu.

• Excluding Objects - To exclude an object from part of an equation, use the right mouse button (right-click) on the object and select NOT from the menu. An exclamation mark (!) appears before the object.

• Excluding Elements - To exclude an element from part of an equation, use the right mouse button (right-click) on the element and select NOT from the menu. An exclamation mark (!) appears before the element.

• Removing Objects - To remove an object from an equation, use the right mouse button (right-click) on the object and select Remove Object. Click OK to confirm.

• Removing Elements - To remove an element from an equation, use the right mouse button (right-click) on the element and select Remove Element. Click OK to confirm.

• Group Objects - To create grouped objects to which you can apply an action, hold down the Alt key and click the objects you want to include. Use the right mouse button (right-click) and select Group Selected Objects. You can also include elements in a group.

• Group Elements - To create grouped elements to which you can apply an action, hold down the Alt key and click the elements you want to include. Use the right mouse button (right-click) and select Group Selected Objects. You can also include objects in a group.

• Remove Grouped Objects or Elements - Use the right mouse button (right-click) on a group and select Remove Brackets.

Enabling and Disabling Views

You can enable or disable views using the Administration Console. Disabling views saves processing power on large structured networks. Depending on your current network activity or the type of traffic you are monitoring, some views may be of more value than others at specific times.

To enable or disable views:

Step 1 From the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.

Step 2 Click the Enable/Disable View icon. The View Management window appears.


Step 3 Using the drop-down list box, select one of the following for each view:

Table 3-23 View Management

Parameter Description

Enabled: Using the drop-down list box, select Enabled to enable this view. This enables the Classification Engine, data collection, data storage, and graphing capabilities, and enables access from the interface.

Virtual: Using the drop-down list box, select Virtual to allow the Classification Engine to classify each flow. This enables the Classification Engine to classify the flows; however, it disables data collection, data storage, and graphing capabilities, and removes the view from the interface. Objects in a virtual view can still be referenced in a Custom View equation. Also, a Security/Policy sentry applied to a virtual view will generate events, as necessary. To enable access from the interface, select Enabled.
Note: Selecting the Virtual mode can save processing power on your system.

Disabled: Using the drop-down list box, select Disabled to disable the view. This disables the Classification Engine, data collection, data storage, and graphing capabilities, and removes the view from the interface. To enable access from the interface, select Enabled.
Note: Selecting the Disabled mode can save processing power on your system.

Step 4 From the Administration Console menu, select Configuration > Deploy Configuration Changes.

Using Best Practices

Given the complexities and network resources required for STRM in large structured networks, we recommend the following best practices:

• Disable views you are not required to access and display. Disabling views requires fewer CPU cycles and will not impact processing power in large structured networks.

• Bundle objects and use the Network Surveillance interface to analyze your network data. Fewer objects create less I/O to your disk.
- Bundled flows include bi-directional traffic with single source and destination hosts and multiple source and destination ports.
- All original flows are sent but marked as a bundle.
- One Flow Bundle record is sent every interval.
- Classify processes only the bundle and not the flows.

• Typically, use no more than 200 objects per view (for standard system requirements). More objects may impact your processing power when investigating your traffic.


CONFIGURING RULES

Rules match events or offenses by performing a series of tests. If all the conditions of a test are true, the rule generates a response. Using the Offense Manager, you can configure rules or building blocks. Building blocks are rules without a response. Possible responses to a rule include:

• Create an offense.
• Generate a response to an external system (syslog or SNMP).
• Send an e-mail.
• Block the incident.
• Send system notifications using the Dashboard.

The tests in each rule can also reference other building blocks and rules. You do not need to create rules in any specific order since the system will check for dependencies each time a new rule is added, edited, or deleted. If a rule that is referenced by another rule is deleted or disabled, a warning appears and action is not taken.

Each rule may contain the following components:

• Functions - With functions, you can use building blocks and other rules to create a multi-event or multi-offense function. You can also OR rules together, using the when we see an event match any of the following rules function.

• Building blocks - A building block is a rule without a response and is commonly used as a common variable in multiple rules or used to build complex rules or logic that you want to use in other rules. You can save a group of tests as building blocks for use with other functions. Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that includes the IP addresses of all mail servers in your network and then use that building block to exclude those hosts from another rule. The building block defaults are provided as guidelines, which should be reviewed and edited based on the needs of your network.

• Tests - A property of an event or an offense, such as source IP address, severity of event, or rate analysis.

A user with non-administrative access can create rules for the areas of the network to which they have access. You must have the appropriate role access to manage rules.


You can configure the following rule types:

• Event Rule - An event rule performs tests on events as they are processed in real time by the Event Processor. You can create an event rule to detect a single event (within certain properties) or event sequences. For example, if you want to monitor your network for invalid login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule. It is common for event rules to create offenses as a response.

• Offense Rule - An offense rule processes offenses only when changes are made to the offense, such as when new events are added or the system schedules the offense for reassessment.

This chapter includes:

• Viewing Rules
• Enabling/Disabling Rules
• Creating a Rule
• Copying a Rule
• Deleting a Rule
• Grouping Rules
• Editing Building Blocks

Viewing Rules

To view deployed rules, rule type, and status:

Step 1 Select the Offense Manager tab. The Offense Manager window appears.

Step 2 In the navigation menu, click Rules. The rules window appears.

Step 3 In the Display drop-down list box, select Rules.


The list of deployed rules appears.

Step 4 Select the rule you want to view. Descriptive information appears in the Rule and Notes fields.

The default rules that appear depend on the template chosen during the installation process. For more information on the defaults, see:

• Enterprise Template - See Appendix B Enterprise Template Defaults.

• University Template - See Appendix C University Template Defaults.

Enabling/Disabling Rules

To enable or disable a rule:

Step 1 Select the Offense Manager tab. The Offense Manager window appears.

Step 2 In the navigation menu, click Rules. The rules window appears.

Step 3 In the Display drop-down list box, select Rules. The list of deployed rules appears.

Step 4 Select the rule you want to enable or disable. For more information on each rule, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.

Step 5 Using the Actions drop-down list box, select Enable/Disable. The Enabled column indicates the status.

Creating a Rule

To create a new rule:

Step 1 Select the Offense Manager tab. The Offense Manager window appears.

Step 2 In the navigation menu, click Rules. The rules window appears.


Step 3 Choose one of the following options:

a Using the Actions drop-down list box, select New Event Rule to configure a rule for events.

b Using the Actions drop-down list box, select New Offense Rule to configure a rule for offenses.

The Custom Rule wizard appears.

Note: If you do not want to view the Welcome to the Custom Rules Wizard window again, select the Skip this page when running the rules wizard check box.

Step 4 Read the introductory text. Click Next. The Rules Test Stack Editor window appears.


Step 5 To add a test to a rule:

a In the Test Group drop-down list box, select the type of test you want to apply to this rule.

The resulting list of tests appears. For information on tests, see Event Rule Tests or Offense Rule Tests.

b For each test you want to add to the rule, select the + sign beside the test. The selected test(s) appear in the Rule field.

c For each test added to the Rule field that you want to identify as an excluded test, click and at the beginning of the test. The and appears as and not.

d For each test added to the Rule field, you must customize the variables of the test. Click the underlined configurable parameter to configure it. See Event Rule Tests or Offense Rule Tests.

Step 6 In the enter rule name here field, enter a name you want to assign to this rule.

Step 7 To export the configured tests as building blocks to use with other rules:

a Click Export as Building Block.

The Save Building Block window appears.


b Enter the name you want to assign to this building block.

c Click Save.

Step 8 In the groups area, select the check box(es) of the groups to which you want to assign this rule. For more information on grouping rules, see Grouping Rules.

Step 9 In the Notes field, enter any notes you want to include for this rule. Click Next. The Rule Responses window appears, which allows you to configure the action STRM takes when the event sequence is detected.

Step 10 Choose one of the following:

a If you are configuring an Event Rule:

Table 4-1 Event Rule Response Parameters

Parameter Description

Severity: Select the check box if you want this rule to set or adjust severity to the configured level. Once selected, you can configure the desired level.

Credibility: Select the check box if you want this rule to set or adjust credibility to the configured level. Once selected, you can configure the desired level.

Relevance: Select the check box if you want this rule to set or adjust relevance to the configured level. Once selected, you can configure the desired level.


Ensure the detected event is part of an offense: Select the check box if you want the event to be forwarded to the Magistrate component. If no offense has been created in the Offense Manager, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following options appear:
• Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offense Manager.
• Perform realtime flow analysis on flows between the attacker and target for second(s) - Select the check box and configure the number of seconds you want to perform realtime flow analysis on flows between the attacker and this target.

Drop the detected event: Select the check box to force an event that would normally be sent to the Magistrate component to be sent instead to the Aerial database for reporting or searching. This event does not appear in the Offense Manager.

Dispatch New Event: Select the check box to dispatch a new event in addition to the original event; the new event is processed like all other events in the system. The Dispatch New Event parameters appear when you select the check box. By default, the check box is clear.

Event Name: Specify the name of the event you want to display in the Offense Manager.

Event Description: Specify a description for the event. The description appears in the Annotations of the event details.


Offense Naming: Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
• This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
• This information should not contribute to the naming of the associated offense(s) - Select this option if you do not want the Event Name information to contribute to the name of the offense(s).

Severity: Specify the severity for the event. The range is 1 (lowest) to 10 (highest) and the default is 1. The Severity appears in the Annotation of the event details.

Credibility: Specify the credibility of the event. The range is 1 (lowest) to 10 (highest) and the default is 10. Credibility appears in the Annotation of the event details.

Relevance: Specify the relevance of the event. The range is 1 (lowest) to 10 (highest) and the default is 1. Relevance appears in the Annotation of the event details.

High-Level Category: Specify the high-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.

Low-Level Category: Specify the low-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.

Ensure the dispatched event is part of an offense: Select the check box if you want the event, as a result of this rule, to be forwarded to the Magistrate component. If no offense has been created in the Offense Manager, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following option appears:
• Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offense Manager.


Action Name: Specify the name of the Resolver Action you want to deploy for the event.

Action Duration: Specify the days, minutes, and hours you want the Resolver Action to be active. Select the Indefinite check box if you want to specify an indefinite time period.

Allowed Resolution Methods: Select the All Resolver Types check box if you want the event to be resolved, if available. You can also select the check box(es) of the Resolver Types you want to resolve events.

Blocking Rule: Specify the blocking rules you want to apply to this event. The list contains all blocking options available for the selected Resolver Type. The possible options include:
• Source to all
• Source to destination
• Source to destination on detected port
• Destination to all
• Destination to source
• Destination to all on detected port
• All source and destination traffic

Email: Select the check box to display the email options. By default, the check box is clear.

Enter e-mail address to notify: Specify the e-mail address(es) to which notification is sent if the event is generated. Separate multiple e-mail addresses using a comma.


SNMP Trap: This parameter only appears when the SNMP Settings parameters are configured in the STRM System Management window. For more information, see Chapter 3 Setting Up STRM. Select the check box to send an SNMP trap. For an event rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"

Send to SysLog: Select the check box if you want to log the event. By default, the check box is clear. For example, the syslog output may resemble:
Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description

Notify: Select the check box if you want events that are generated as a result of this rule to appear in the System Notifications item in the Dashboard. For more information on the Event Viewer and the Dashboard, see the STRM Users Guide.

Response Limiter: Specify the frequency with which you want this rule to respond.

Enable Rule: Select the check box to enable this rule. By default, the check box is selected.

b If you are configuring an Offense Rule:

Table 4-2 Offense Rule Response Parameters

Parameter Description

Name: Select the check box to display Name options.

New Offense Name: Specify the name you want to assign to the offense.


Offense Annotation: Specify the offense annotation you want to appear in the Offense Manager.

Offense Name: Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
• This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).

Action Name: Specify the name of the Resolver Action you want to deploy for the event.

Action Duration: Specify the days, minutes, and hours you want the Resolver Action to be active. Select the Indefinite check box if you want to specify an indefinite time period.

Allowed Resolution Methods: Select the All Resolver Types check box if you want the event to be resolved, if available. You can also select the check box(es) of the Resolver Types you want to resolve events.

Blocking Rule: Specify the blocking rules you want to apply to this event. The list contains all blocking options available for the selected Resolver Type. The possible options include:
• Source to all
• Source to destination
• Source to destination on detected port
• Destination to all
• Destination to source
• Destination to all on detected port
• All source and destination traffic

Email: Select the check box to display the email options. By default, the check box is clear.

Enter e-mail address to notify: Specify the e-mail address(es) to which notification is sent if the event is generated. Separate multiple e-mail addresses using a comma.


SNMP Trap: This parameter only appears when the SNMP Enabled parameter is enabled in the STRM System Management window. For more information, see Chapter 3 Setting Up STRM. Select the check box to send an SNMP trap. For an offense rule, the SNMP trap output includes system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"

Send to SysLog: Select the check box if you want to log the offense. By default, the check box is clear. For example, the syslog output may resemble:
Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59

Notify: Select the check box if you want offenses that are generated as a result of this rule to appear in the System Notifications item in the Dashboard. For more information on the Offense Manager and the Dashboard, see the STRM Users Guide.

Response Limiter: Specify the frequency with which you want this rule to respond for each offense that the rule matches.

Enable Rule: Select the check box to enable this rule. By default, the check box is selected.

Step 11 Click Next. The Rule Summary window appears.
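The syslog lines quoted under Send to SysLog in Table 4-1 (event rule) and Table 4-2 (offense rule), and the SNMP notification text, parsed into fields that a downstream log pipeline can correlate on; this is an added Python example, not STRM's own code. The bare number after the destination port is not named by the guide, so the parser treats it as the IP protocol number (an assumption), and the extra sample lines beyond the three quoted formats are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Tail shared by the event-rule syslog line and the SNMP notification text:
# "src:port -> dst:port N, Event Name: ..., QID: ..., Category: ..., Notes: ..."
# The guide does not name the bare number N after the destination port; it is
# 6 (TCP) in the SYN FIN sample and 1 (ICMP) in the ICMP sample, so this parser
# treats it as the IP protocol number. That is an assumption, not documented.
_TAIL = re.compile(
    r"^(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
    r" (?P<proto>\d+), Event Name: (?P<event_name>.*?), QID: (?P<qid>\d+),"
    r" Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)
_SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
_EVENT_SYSLOG = re.compile(
    _SYSLOG_TS + r" (?P<host>\S+) ECS: Rule '(?P<rule>[^']+)' Fired: (?P<tail>.*)$"
)
_OFFENSE_SYSLOG = re.compile(
    _SYSLOG_TS + r" (?P<host>\S+) ECS: Offense CRE Rule (?P<rule>.+?)"
    r" fired on offense #(?P<offense_id>\d+)$"
)
_SNMP_TEXT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}), "
    r"STRM Custom Rule Engine Notification - Rule '(?P<rule>[^']+)' Fired\. (?P<tail>.*)$"
)


@dataclass
class RuleFiring:
    kind: str                      # "event_rule", "offense_rule" or "snmp_trap"
    timestamp: str
    rule: str
    host: Optional[str] = None     # syslog host field; absent in the SNMP text
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None    # assumed IP protocol number (see above)
    event_name: Optional[str] = None
    qid: Optional[int] = None
    category: Optional[int] = None
    notes: Optional[str] = None
    offense_id: Optional[int] = None


def _fill_tail(firing: RuleFiring, tail: str) -> Optional[RuleFiring]:
    m = _TAIL.match(tail)
    if not m:
        return None
    firing.src_ip, firing.dst_ip = m["src_ip"], m["dst_ip"]
    firing.src_port, firing.dst_port = int(m["src_port"]), int(m["dst_port"])
    firing.proto = int(m["proto"])
    firing.event_name, firing.notes = m["event_name"], m["notes"]
    firing.qid, firing.category = int(m["qid"]), int(m["category"])
    return firing


def parse_rule_firing(line: str) -> Optional[RuleFiring]:
    """Parse one CRE notification; return None for anything that does not match."""
    text = line.strip().strip('"')   # the guide shows the SNMP text in quotes
    m = _EVENT_SYSLOG.match(text)
    if m:
        return _fill_tail(RuleFiring("event_rule", m["ts"], m["rule"], host=m["host"]), m["tail"])
    m = _OFFENSE_SYSLOG.match(text)
    if m:
        return RuleFiring("offense_rule", m["ts"], m["rule"], host=m["host"],
                          offense_id=int(m["offense_id"]))
    m = _SNMP_TEXT.match(text)
    if m:
        return _fill_tail(RuleFiring("snmp_trap", m["ts"], m["rule"]), m["tail"])
    return None


def firings_per_rule(lines: Iterable[str]) -> Dict[str, int]:
    """Count how often each rule fired: a quick way to spot rules that need a
    Response Limiter because they respond far more often than intended."""
    counts: Dict[str, int] = {}
    for line in lines:
        firing = parse_rule_firing(line)
        if firing is not None:
            counts[firing.rule] = counts.get(firing.rule, 0) + 1
    return counts


# Constructed sample input: the first three lines are the formats quoted in
# Tables 4-1 and 4-2; the remaining two are made up to exercise the counter.
SAMPLE_LINES: List[str] = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59",
    '"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule '
    "'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP "
    "Destination Unreachable Communication with Destination Host is Administratively "
    'Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"',
    "Sep 28 12:40:10 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12650 -> 172.16.210.126:22 6, Event Name: SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:41:00 localhost.localdomain sshd[1]: unrelated line",   # ignored
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_rule_firing(line))
    print(firings_per_rule(SAMPLE_LINES))
```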


Step 12 Review the configured rule. Click Finish.

Event Rule Tests

This section provides information on the tests you can apply to the rules, including:
• Network Property Tests
• Event Property Tests
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests

Network Property Tests

The network property test group includes:

Table 4-3 Network Property Tests

Test Description Default Test Name Parameters

Network Vulnerability Risk
Description: Valid when the source or destination Vulnerability Assessment risk is greater than, less than, or equal to the configured value.
Default Test Name: when the overall source network VA risk is greater than this value
Parameters: Configure the following parameters:
• source - Specify whether the test considers a source or destination of the event.
• greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
• this value - Specify the Vulnerability Assessment risk value, which is a value from 0 to 10.


Network Threat Posing
Description: This test is valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
Default Test Name: when the amount of threat the network is posing is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
• this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.

Network Exposure
Description: Threat under is the value applied to the threat a network is under over time, calculated from the weighted average of the threat under over time. This test is valid when the amount of threat a network is under from local and remote networks is greater than, less than, or equal to the configured value.
Default Test Name: when the amount of threat the network is under is greater than this value
Parameters: Configure the following parameters:
• greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
• this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.

Remote Networks
Description: Valid when an IP address is part of any or all of the configured remote network locations.
Default Test Name: when the source IP is a part of any of the following remote network location(s)
Parameters: Configure the following parameters:
• source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
• remote network location(s) - Specify the network locations you want this test to consider.

Remote Services Networks
Description: Valid when an IP address is part of any or all of the configured remote services network locations.
Default Test Name: when the source IP is a part of any of the following remote services network location(s)
Parameters: Configure the following parameters:
• source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
• remote services network location(s) - Specify the services network locations you want this test to consider.

Geographic Networks
Description: Valid when an IP address is part of any or all of the configured geographic network locations.
Default Test Name: when the Source IP is a part of any of the following geographic network location(s)
Parameters: Configure the following parameters:
• Source IP - Specify if you want this test to consider the source IP address, destination IP address, or any IP address.
• geographic network location(s) - Specify the network locations you want this test to consider.
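The network location and threshold tests of Table 4-3, combined the way Step 5 describes (the tests of a rule are ANDed, and an excluded test reads "and not"), as an added Python example that is not STRM's own code; it also covers the Attack Context test from Table 4-4 below, since that context is derived from the same local network definitions. The local network objects, the named remote network locations and the events are constructed sample data, and the Event shape is assumed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Network = ipaddress.IPv4Network


@dataclass
class Event:
    """The few event properties the tests below need (assumed shape)."""
    src_ip: str
    dst_ip: str
    src_va_risk: float   # source network Vulnerability Assessment risk, 0 to 10
    dst_va_risk: float   # destination network VA risk, 0 to 10


# Constructed deployment data: local network objects and named remote network
# locations, as an administrator would define them in STRM.
LOCAL_NETWORKS: List[Network] = [Network("10.0.0.0/8"), Network("192.168.0.0/16")]
REMOTE_LOCATIONS: Dict[str, List[Network]] = {
    "Partner VPN": [Network("203.0.113.0/24")],
    "Known Scanners": [Network("198.51.100.0/24")],
}

Test = Callable[[Event], bool]
_OPS = {
    "greater than": lambda a, b: a > b,
    "less than": lambda a, b: a < b,
    "equal to": lambda a, b: a == b,
}


def _in_any(ip: str, nets: List[Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def attack_context(ev: Event) -> str:
    """Table 4-4 Attack Context: Local/Remote relationship of attacker (source)
    and target (destination), derived from the local network objects."""
    side = lambda ip: "Local" if _in_any(ip, LOCAL_NETWORKS) else "Remote"
    return f"{side(ev.src_ip)} to {side(ev.dst_ip)}"


def remote_network_test(which: str, locations: List[str]) -> Test:
    """Table 4-3 Remote Networks: 'when the <source IP> is a part of any of the
    following remote network location(s)'; which is 'source', 'destination' or 'any'."""
    nets = [n for name in locations for n in REMOTE_LOCATIONS[name]]

    def test(ev: Event) -> bool:
        ips = {"source": [ev.src_ip], "destination": [ev.dst_ip],
               "any": [ev.src_ip, ev.dst_ip]}[which]
        return any(_in_any(ip, nets) for ip in ips)
    return test


def va_risk_test(side: str, op: str, value: float) -> Test:
    """Table 4-3 Network Vulnerability Risk: source or destination VA risk
    greater than / less than / equal to a value from 0 to 10."""
    return lambda ev: _OPS[op](ev.src_va_risk if side == "source" else ev.dst_va_risk, value)


def attack_context_test(context: str) -> Test:
    """Table 4-4 Attack Context: 'when the attack context is this context'."""
    return lambda ev: attack_context(ev) == context


@dataclass
class RuleTestStack:
    """A rule's tests are ANDed; a test marked excluded reads 'and not' (Step 5c)."""
    name: str
    tests: List[Tuple[Test, bool]] = field(default_factory=list)

    def add(self, test: Test, excluded: bool = False) -> "RuleTestStack":
        self.tests.append((test, excluded))
        return self

    def matches(self, ev: Event) -> bool:
        # an included test must be True, an excluded ('and not') test must be False
        return all(t(ev) != excluded for t, excluded in self.tests)


# when the source IP is a part of Known Scanners
# and when the destination network VA risk is greater than 7
# and not when the attack context is Local to Local
SCANNER_RULE = (
    RuleTestStack("Scanner reaching vulnerable host")
    .add(remote_network_test("source", ["Known Scanners"]))
    .add(va_risk_test("destination", "greater than", 7))
    .add(attack_context_test("Local to Local"), excluded=True)
)

# Constructed events: only the first should fire the rule.
SAMPLE_EVENTS: List[Event] = [
    Event("198.51.100.7", "10.1.2.3", 0.0, 8.5),    # scanner -> high-risk local host
    Event("10.1.1.1", "10.1.2.3", 2.0, 9.0),        # local source, not a scanner
    Event("198.51.100.9", "10.5.5.5", 0.0, 3.0),    # scanner, but low-risk target
    Event("10.1.1.1", "203.0.113.4", 2.0, 8.0),     # local -> partner, not a scanner
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(attack_context(ev), SCANNER_RULE.matches(ev))
```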


Event Property Tests

The event property test group includes:

Table 4-4 Event Property Tests

Test Description Default Test Name Parameters

Local Network Object
Description: Valid when the event occurs in the specified network.
Default Test Name: when the local network is one of the following networks
Parameters: one of the following - Specify the areas of the network to which you want this test to apply.

IP Protocol
Description: Valid when the IP protocol of the event is one of the configured protocols.
Default Test Name: when the IP protocol is one of the following protocols
Parameters: protocols - Specify the protocols you want to add to this test.

Event Payload Search
Description: Each event contains a copy of the original unnormalized event. This test is valid when the entered search string is included anywhere in the event payload.
Default Test Name: when the Event Payload contains this string
Parameters: this string - Specify the text string you want to include for this test.

QID of Event
Description: A QID is a unique identifier for events. This test is valid when the event identifier is a configured QID.
Default Test Name: when the event QID is one of the following QIDs
Parameters: QIDs - Use one of the following options to locate QIDs:
• Select the Browse By Category option and, using the drop-down list boxes, select the high-level and low-level category QIDs you want to locate.
• Select the QID Search option and enter the QID or name you want to locate. Click Search.

Attack Context
Description: Attack Context is the relationship between the attacker and target, for example, a local attacker to a remote target. Valid if the attack context is one of the following:
• Local to Local
• Local to Remote
• Remote to Local
• Remote to Remote
Default Test Name: when the attack context is this context
Parameters: this context - Specify the context you want this test to consider. The options are Local to Local, Local to Remote, Remote to Local, and Remote to Remote.

Event Category
Description: Valid when the event category is the same as the configured category, for example, Denial of Service (DoS) attack.
Default Test Name: when the event category for the event is one of the following categories
Parameters: categories - Specify the event category you want this test to consider. For more information on event categories, see the Event Category Correlation Reference Guide.


196 CONFIGURING RULES

Severity
Description: Valid when the event severity is greater than, less than, or equal to the configured value. The default is 5.
Default test name: when the event severity is greater than 5 {default}
Parameters:
• greater than - Specify whether the severity must be greater than, less than, or equal to the configured value.
• this value - Specify the index, which is a value from 0 to 10.

Credibility
Description: Valid when the event credibility is greater than, less than, or equal to the configured value. The default is 5.
Default test name: when the event credibility is greater than 5 {default}
Parameters:
• greater than - Specify whether the credibility must be greater than, less than, or equal to the configured value.
• this value - Specify the index, which is a value from 0 to 10.

Relevance
Description: Valid when the event relevance is greater than, less than, or equal to the configured value. The default is 5.
Default test name: when the event relevance is greater than 5 {default}
Parameters:
• greater than - Specify whether the relevance must be greater than, less than, or equal to the configured value.
• this value - Specify the index, which is a value from 0 to 10.

Source Location
Description: Valid when the source IP address of the event is either local or remote.
Default test name: when the source is local or remote {default: remote}
Parameters:
• local or remote - Specify either local or remote traffic.

Destination Location
Description: Valid when the destination IP address of the event is either local or remote.
Default test name: when the destination is local or remote {default: remote}
Parameters:
• local or remote - Specify either local or remote traffic.

Rate Analysis
Description: STRM monitors the event rates of all source IP address/QID and destination IP address/QID combinations and marks events that exhibit abnormal rate behavior. Valid when the event has been marked for rate analysis.
Default test name: when the event has been marked with rate analysis


False Positive Tuning
Description: When you tune false positive events in the Event Viewer, the resulting tuning values appear in this test. If you want to remove a false positive tuning, edit this test and remove the corresponding tuning values.
Default test name: when the false positive signature matches one of the following signatures
Parameters:
• signatures - Specify the false positive signature you want this test to consider. Enter the signature in the following format:
  <CAT|QID|ANY>:<value>:<source IP>:<dest IP>
  Where:
  <CAT|QID|ANY> - Specify whether you want this false positive signature to consider a category (CAT), a Juniper Networks Identifier (QID), or any value.
  <value> - Specify the value for the <CAT|QID|ANY> parameter. For example, if you specified QID, you must specify the QID value.
  <source IP> - Specify the source IP address you want this false positive signature to consider.
  <dest IP> - Specify the destination IP address you want this false positive signature to consider.
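Because the tuning values land in a rule test as text in the format above, it is worth seeing the format parsed and matched explicitly. The following is an added example, not code from the STRM guide or from Juniper. It assumes two things the guide does not state: that an ANY kind ignores the value field, and that the literal string ANY in an IP field acts as a wildcard. It also assumes IPv4 addresses, because a colon-separated format cannot hold an IPv6 literal without ambiguity. All signatures, QIDs, category ids and events in it are constructed placeholders.

```python
"""Added example (not STRM's code): parsing and matching false positive signatures.

The False Positive Tuning test documents the signature format
    <CAT|QID|ANY>:<value>:<source IP>:<dest IP>
Assumptions for this example (not documented STRM behaviour): an ANY kind
ignores the value field, and the literal ANY in an IP field is a wildcard.
The parser assumes IPv4 addresses, since the fields are colon-separated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FalsePositiveSignature:
    kind: str       # "CAT", "QID" or "ANY"
    value: str      # category id or QID; ignored for ANY
    source_ip: str  # IPv4 address or the wildcard "ANY" (assumed)
    dest_ip: str    # IPv4 address or the wildcard "ANY" (assumed)


def parse_signature(text):
    """Split a signature into its four fields and validate kind and value."""
    parts = text.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(parts)} in {text!r}")
    kind, value, src, dst = parts
    kind = kind.upper()
    if kind not in ("CAT", "QID", "ANY"):
        raise ValueError(f"kind must be CAT, QID or ANY, got {kind!r}")
    if kind != "ANY" and not value.isdigit():
        raise ValueError(f"{kind} value must be numeric, got {value!r}")
    return FalsePositiveSignature(kind, value, src, dst)


def validate_signature(text):
    """Return None if the signature parses, otherwise the error message."""
    try:
        parse_signature(text)
        return None
    except ValueError as exc:
        return str(exc)


def _ip_matches(pattern, ip):
    return pattern == "ANY" or pattern == ip


def signature_matches(sig, event):
    """True if the event's identifier and endpoints satisfy the signature."""
    if sig.kind == "QID" and str(event["qid"]) != sig.value:
        return False
    if sig.kind == "CAT" and str(event["category"]) != sig.value:
        return False
    return _ip_matches(sig.source_ip, event["src_ip"]) and _ip_matches(sig.dest_ip, event["dst_ip"])


def is_false_positive(event, signatures):
    """True if any configured signature matches the event."""
    return any(signature_matches(parse_signature(s), event) for s in signatures)


# Constructed signatures: a QID-specific tuning between two hosts, and a
# category-wide tuning for anything sent to one host.
SIGNATURES = [
    "QID:5000016:192.0.2.10:192.0.2.20",
    "CAT:1004:ANY:192.0.2.30",
]

# Constructed events (qid and category values are placeholders).
SAMPLE_EVENTS = [
    {"qid": 5000016, "category": 1004, "src_ip": "192.0.2.10", "dst_ip": "192.0.2.20"},
    {"qid": 5000016, "category": 2000, "src_ip": "192.0.2.11", "dst_ip": "192.0.2.20"},
    {"qid": 5000099, "category": 1004, "src_ip": "192.0.2.77", "dst_ip": "192.0.2.30"},
]
```

The second sample event shows why the IP fields matter: the QID is tuned as benign only between the two named hosts, so the same event from a different source still fires. Validating the value field up front (numeric for CAT and QID) catches a mistyped signature at edit time rather than silently never matching.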

Username
Description: Valid when the configured username is associated with an event.
Default test name: when the event(s) username is this string
Parameters:
• is - Specify the comparison you want this test to use. Options include: is, contains, starts with, or ends with.
• this string - Specify the username you want this test to consider.

Regex
Description: Valid when the configured MAC address, username, hostname, or operating system matches a particular regular expression (regex) string.
Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, follow the regex rules defined by the Java programming language. For more information, see http://java.sun.com/docs/books/tutorial/extra/regex/
Default test name: when the username matches the following regex
Parameters:
• username - Specify the value you want to associate with this test. This test may consider the MAC address, username, hostname, or operating system.
• regex - Specify the regex string you want this test to consider.


IPv6
Description: Valid when the source or destination IPv6 address is one of the configured IPv6 addresses.
Default test name: when the source IP(v6) is one of the following IPv6 addresses
Parameters:
• source IP(v6) - Specify whether you want this test to consider the source or destination IPv6 address.
• IPv6 addresses - Specify the IPv6 addresses you want this test to consider.

IP/Port Tests
The IP/Port tests include:

Table 4-5 IP / Port Test Group

Source Port
Description: Valid when the source port of the event is one of the configured source port(s).
Default test name: when the source port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Destination Port
Description: Valid when the destination port of the event is one of the configured destination port(s).
Default test name: when the destination port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Local Port
Description: Valid when the local port of the event is one of the configured local port(s).
Default test name: when the local port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Remote Port
Description: Valid when the remote port of the event is one of the configured remote port(s).
Default test name: when the remote port is one of the following ports
Parameters:
• ports - Specify the ports you want this test to consider.

Source IP Address
Description: Valid when the source IP address of the event is one of the configured IP address(es).
Default test name: when the source IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Destination IP Address
Description: Valid when the destination IP address of the event is one of the configured IP address(es).
Default test name: when the destination IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Local IP Address
Description: Valid when the local IP address of the event is one of the configured IP address(es).
Default test name: when the local IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Remote IP Address
Description: Valid when the remote IP address of the event is one of the configured IP address(es).
Default test name: when the remote IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.


IP Address
Description: Valid when the source or destination IP address of the event is one of the configured IP address(es).
Default test name: when either the source or destination IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider.

Function Tests
The function tests include:

Table 4-6 Functions Group

Multi-Rule Event Function
Description: Allows you to use saved building blocks and other rules to populate this test. The event has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
Default test name: when an event matches any|all of the following rules
Parameters:
• any|all - Specify whether any or all of the configured rules must apply to this test.
• rules - Specify the rules you want this test to consider.


Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. This function allows you to detect a specific sequence of selected rules involving a source and destination within a configured time period.
Default test name: when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters:
• these rules - Specify the rules you want this test to consider.
• in|in any - Specify whether you want this rule to consider the rules in order or in any order.
• the same|any - Specify whether you want this rule to consider the same or any source (IP address or port).
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• the same|any - Specify whether you want this rule to consider the same or any destination (IP address or port).
• destination IP - Specify whether you want this rule to consider a destination IP address, username, or destination port.
• this many - Specify the number of time intervals you want this rule to consider.
• seconds - Specify the time interval you want this rule to consider. The options are: seconds, minutes, hours, or days.


Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. You can use this function to detect a number of specified rules, in sequence, involving a source and destination within a configured time interval.
Default test name: when at least this number of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters:
• this number - Specify the number of rules you want this function to consider.
• in|in any - Specify whether you want this rule to consider the rules in order or in any order.
• the same|any - Specify whether you want this rule to consider the same or any source (IP address or port).
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• the same|any - Specify whether you want this rule to consider the same or any destination (IP address or port).
• destination IP - Specify whether you want this rule to consider a destination IP address, username, or destination port.
• this many - Specify the number of time intervals you want this rule to consider.
• seconds - Specify the time interval you want this rule to consider. The options are: seconds, minutes, hours, or days.

Multi-Event Sequence Function Between Hosts
Description: Allows you to detect a sequence of selected rules involving the same source and destination hosts within the configured time interval. You can also use saved building blocks and other rules to populate this test.
Default test name: when this sequence of rules, involving the same source and destination hosts in this many seconds
Parameters:
• of rules - Specify the rules you want this test to consider.
• this many - Specify the number of time intervals you want this test to consider.
• seconds - Specify the time interval you want this rule to consider.
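The two sequence-style functions above (the Multi-Rule Event Function with its in|in any order and same source/destination options, and the Multi-Event Sequence Function Between Hosts) reduce to one question: did every listed rule match between the same source and destination inside the window, and if order matters, in the listed order? The following is an added example, not code from the STRM guide or from Juniper; the rule names, hosts and timestamps are constructed, and a real deployment would consume the rule engine's own match stream.

```python
"""Added example (not STRM's code): detecting a sequence of rule matches
between the same source and destination inside a time window.

Models the Multi-Rule Event Function ("when all of these rules, in|in any
order, from the same source IP to the same destination IP, over this many
seconds") and the Multi-Event Sequence Function Between Hosts. Rule names,
hosts and timestamps below are constructed.
"""
from collections import defaultdict


def _window_has_sequence(seq, rules, window, in_order):
    """seq: time-sorted (ts, rule) matches for one (src, dst) pair."""
    for start in range(len(seq)):
        t0 = seq[start][0]
        # All matches that fall inside the window opened by this event.
        in_window = [(t, r) for t, r in seq[start:] if t - t0 <= window]
        if in_order:
            idx = 0  # position in the required rule order
            for _, r in in_window:
                if r == rules[idx]:
                    idx += 1
                    if idx == len(rules):
                        return True
        elif set(rules) <= {r for _, r in in_window}:
            return True
    return False


def sequence_matches(events, rules, window_seconds, in_order=True):
    """Return the (src, dst) pairs for which every rule in `rules` matched
    within `window_seconds`, optionally in the listed order.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, matched_rule).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, rule in sorted(events):
        if rule in rules:
            by_pair[(src, dst)].append((ts, rule))
    return {pair for pair, seq in by_pair.items()
            if _window_has_sequence(seq, rules, window_seconds, in_order)}


# Constructed match stream; the building-block names are placeholders.
RULES = ["BB:PortScan", "BB:LoginFailure", "BB:NewService"]
EVENTS = [
    # 10.0.0.5 -> 10.0.0.9: all three rules, in order, within 45 s
    (0, "10.0.0.5", "10.0.0.9", "BB:PortScan"),
    (20, "10.0.0.5", "10.0.0.9", "BB:LoginFailure"),
    (45, "10.0.0.5", "10.0.0.9", "BB:NewService"),
    # 10.0.0.6 -> 10.0.0.9: all three rules within 15 s, but out of order
    (0, "10.0.0.6", "10.0.0.9", "BB:LoginFailure"),
    (10, "10.0.0.6", "10.0.0.9", "BB:PortScan"),
    (15, "10.0.0.6", "10.0.0.9", "BB:NewService"),
    # 10.0.0.7 -> 10.0.0.9: in order, but spread over 510 s
    (0, "10.0.0.7", "10.0.0.9", "BB:PortScan"),
    (500, "10.0.0.7", "10.0.0.9", "BB:LoginFailure"),
    (510, "10.0.0.7", "10.0.0.9", "BB:NewService"),
]
```

With a 60-second window, only the first pair satisfies the ordered form, the first two satisfy the any-order form, and the third pair never does because its matches are too far apart. The "in any order" choice is the one to reach for when the contributing log sources have clock skew or delivery delay, since strict ordering then produces misses rather than detections.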


Multi-Event Counter Function
Description: Allows you to test the number of events from configured conditions, such as a source IP address. You can also use building blocks and other rules to populate this test.
Default test name: when a source IP emitting/receiving more than|exactly this many of these rules across more than|exactly this many destination IP, over this many minutes
Parameters:
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• more than|exactly - Specify whether you want this test to consider more than or exactly the number of rules.
• this many - Specify the number of rules you want this test to consider.
• these rules - Specify the rules you want this test to consider.
• more than|exactly - Specify whether you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), device event ID(s), or device(s) that you selected in the source IP option above.
• this many - Specify the number of IP addresses, ports, QIDs, events, devices, or categories you want this test to consider.
• destination IP - Specify the destination you want this test to consider. The default is destination IP; however, you can also configure this test to consider other options, such as destination IP(s), destination port(s), QID(s), device event ID(s), or device(s).
• this many - Specify the time value you want to assign to this test.
• minutes - Specify the time interval you want this rule to consider.
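The counter function above combines two thresholds over one window: how many matching events a source produced, and across how many distinct destinations. The following is an added example, not code from the STRM guide or from Juniper. It assumes a per-source sliding window evaluated each time a matching event arrives (the guide does not say when STRM evaluates its counters), and its event stream and rule name are constructed.

```python
"""Added example (not STRM's code): the Multi-Event Counter Function.

Models "when a source IP emitting more than|exactly this many of these rules
across more than|exactly this many destination IPs, over this many minutes"
with a sliding window per source. Evaluating on every matching event is an
assumption about when STRM checks the counters. Events are constructed.
"""
from collections import defaultdict, deque


def _compare(op, actual, threshold):
    """op is "more than" or "exactly", mirroring the test's parameters."""
    if op == "more than":
        return actual > threshold
    if op == "exactly":
        return actual == threshold
    raise ValueError(f"unknown comparison {op!r}")


def counter_matches(events, rules, event_op, event_count,
                    dest_op, dest_count, window_minutes):
    """Return the source IPs for which, at some point, the matching events of
    the last `window_minutes` satisfied both thresholds.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, matched_rule).
    """
    window = window_minutes * 60
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst_ip)
    hits = set()
    for ts, src, dst, rule in sorted(events):
        if rule not in rules:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop matches that have aged out of the window (the just-appended
        # entry is always inside it, so the loop terminates).
        while ts - q[0][0] > window:
            q.popleft()
        n_events = len(q)
        n_dests = len({d for _, d in q})
        if _compare(event_op, n_events, event_count) and _compare(dest_op, n_dests, dest_count):
            hits.add(src)
    return hits


# Constructed stream: one source fans out to six destinations within a minute,
# one hits a single destination ten times, one fans out slowly (every 10 min).
RULE = "BB:ConnectionRefused"
EVENTS = (
    [(i * 10, "10.0.0.5", f"10.0.1.{i}", RULE) for i in range(6)]
    + [(i * 10, "10.0.0.6", "10.0.1.1", RULE) for i in range(10)]
    + [(i * 600, "10.0.0.7", f"10.0.1.{i}", RULE) for i in range(6)]
)
```

The destination-count threshold is what separates the fan-out source from the one that repeatedly hits a single host: both exceed five events in five minutes, but only the first exceeds four distinct destinations. Widening the window to an hour also catches the slow fan-out, which is the usual trade-off between sensitivity and the state the rule engine must hold per source.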


Multi-Rule Function
Description: Allows you to detect a series of rules for a specific IP address or port followed by a series of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
Default test name: when any of these rules with the same source IP more than this many times, across more than|exactly this many destination IP within this many minutes
Parameters:
• rules - Specify the rules you want this test to consider.
• source IP - Specify the source you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• this many - Specify the number of time intervals you want this rule to consider.
• more than|exactly - Specify whether you want this test to consider more than or exactly the number of destination IP address(es), destination port(s), QID(s), device event ID(s), or device(s) that you selected in the source IP option.
• this many - Specify the number you want this test to consider, depending on the option you configured in the source IP parameter.
• destination IP - Specify the destination you want this test to consider. The default is destination IP; however, you can also configure this test to consider other options, such as destination IP(s), destination port(s), QID(s), device event ID(s), or device(s).
• this many - Specify the time value you want to assign to this test.
• minutes - Specify the time interval you want this rule to consider.


Multi-Rule Function
Description: Allows you to detect a number of specific rules for a specific IP address or port followed by a number of specific rules for a specific port or IP address. You can also use building blocks or existing rules to populate this test.
Default test name: when at least this many of these rules, in|in any order, with the same username followed by at least this many of these rules in|in any order with the same destination IP from the previous sequence, within this many minutes
Parameters:
• this many - Specify the number of rules you want this test to consider.
• rules - Specify the rules you want this test to consider.
• in|in any - Specify whether you want this test to consider the rules in a specific order.
• username - Specify whether you want this test to consider the username, source IP, source port, destination IP, or destination port.
• this many - Specify the number of rules you want this test to consider.
• rules - Specify the rules you want this test to consider.
• in|in any - Specify whether you want this test to consider the rules in a specific order.
• destination IP - Specify whether you want this test to consider the username, source IP, source port, destination IP, or destination port.
• this many - Specify the number of time intervals you want this rule to consider.
• minutes - Specify the time interval you want this rule to consider.

Username Function
Description: Allows you to detect multiple updates to usernames on a single host.
Default test name: when the username changes more than this many times within this many hours on a single host.
Parameters:
• username - Specify whether you want this test to consider the username, MAC address, or hostname.
• this many - Specify the number of changes you want this rule to consider.
• this many - Specify the number of time intervals you want this rule to consider.
• hours - Specify the time interval you want this rule to consider. The options are: seconds, minutes, hours, or days.


Host Profile Tests
The host profile tests include:

Table 4-7 Host Profile Tests

Host Profile Port
Description: Valid when the port is open on the configured local source or destination. You can also specify whether the status of the port was detected using one of the following methods:
• Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
• Passive - STRM passively monitors the network, recording hosts previously detected.
Default test name: when the local source host destination port is open either actively or passively seen
Parameters:
• source - Specify whether you want this test to apply to the source or destination port. The default is source.
• either actively or passively - Specify whether you want this test to consider active and/or passive scanning.

Host Existence
Description: Valid when the local source or destination host is known to exist through active or passive scanning. You can also specify whether the status of the host was detected using one of the following methods:
• Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
• Passive - STRM passively monitors the network, recording hosts previously detected.
Default test name: when the local source host exists either actively or passively seen
Parameters:
• source - Specify whether you want this test to apply to the source or destination port. The default is source.
• either actively or passively - Specify whether you want this test to consider active and/or passive scanning.

Host Profile Age
Description: Valid when the local source or destination host profile age is greater than the configured value within the configured time intervals.
Default test name: when the local source host profile age is greater than this number of time intervals
Parameters:
• source - Specify whether you want this test to apply to the source or destination port. The default is source.
• greater than - Specify whether you want this test to consider greater than or less than the profile age.
• this number of - Specify the number of time intervals you want this test to consider.
• time intervals - Specify whether you want this test to consider minutes or hours.


Host Port Age
Description: Valid when the local source or destination host profile port age is greater than or less than a configured amount of time.
Default test name: when the local source host profile port age is greater than this number of time intervals
Parameters:
• source - Specify whether you want this test to apply to the source or destination port. The default is source.
• greater than - Specify whether you want this test to consider greater than or less than the profile port age.
• this number of - Specify the amount of time you want this test to consider.
• time intervals - Specify whether you want this test to consider minutes or hours.

Host Vulnerability Assessment Risk Level
Description: Valid when the local source or destination host vulnerability risk level is greater than or less than the configured value.
Default test name: when the local destination host vulnerability risk level is greater than 5 {default}
Parameters:
• destination - Specify whether you want this test to apply to the source or destination host.
• greater than - Specify whether you want this test to consider greater than or less than the vulnerability risk.
• 5 - Specify the value you want this test to consider.

Host Vulnerability Assessment Port Risk Level
Description: Valid when the local source or destination host port vulnerability risk level is greater than or less than the configured value.
Default test name: when the local destination host port vulnerability risk level is greater than this value
Parameters:
• destination - Specify whether you want this test to apply to the source or destination port.
• greater than - Specify whether you want this test to consider greater than or less than the vulnerability risk.
• this value - Specify the value you want this test to consider.

Attacker Threat Level
Description: Threat posing is a value calculated for this attacker over time that indicates how severe the attacker is compared to all other attackers in your network. Valid when the amount of threat posed to the network by an attacker is greater than or less than the configured value.
Default test name: when the amount of threat the attacker is posing is greater than this value
Parameters:
• greater than - Specify whether you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.


Attacker Threat
Description: STRM calculates the long-term and short-term threat of an attacker and then calculates the difference between the two to provide information on changes in the attacker's behavior. Valid when the threat delta posed by an attacker is greater than or less than the configured value.
Default test name: when the threat delta of the attacker is greater than this value
Parameters:
• greater than - Specify whether you want the threat delta to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Target Threat
Description: Threat under is the value applied to the threat a network is under over time. It is calculated from the average weighted value of the threat under over time. This test is valid when the amount of threat the target is under is greater than or less than the configured value.
Default test name: when the amount of the threat the target is under is greater than this value
Parameters:
• greater than - Specify whether you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Target Threat
Description: STRM calculates the long-term and short-term threat of a target and then calculates the difference between the two to provide information on changes in the target's behavior. Valid when the threat delta of the target is greater than or less than the configured value.
Default test name: when the threat delta of the target is greater than this value
Parameters:
• greater than - Specify whether you want the threat delta to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Asset
Description: Valid when the device being attacked (destination) or the attacking host (source) has an assigned weight greater than or less than the configured value.
Default test name: when the destination asset has a weight greater than this value
Parameters:
• destination - Specify whether you want this test to consider the source or destination asset.
• greater than - Specify whether you want the weight to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.


Host Vulnerable to Event
Description: Valid when the local host destination port is vulnerable to the current event.
Default test name: when the target is vulnerable to current exploit on any port
Parameters:
• target - Specify whether you want this test to consider a target, attacker, local host, or remote host.
• current - Specify whether you want this test to consider the current exploit or any exploit.
• any - Specify whether you want this test to consider any port or the current port.

OSVDB IDs
Description: Valid when an IP address (source, destination, or any) is vulnerable to the configured Open Source Vulnerability Database (OSVDB) IDs.
Default test name: when the source IP is vulnerable to one of the following OSVDB IDs
Parameters:
• source IP - Specify whether you want this test to consider the source IP address, destination IP address, or any IP address.
• OSVDB IDs - Specify any OSVDB IDs that you want this test to consider. For more information regarding OSVDB IDs, see http://osvdb.org/.

Date/Time Tests
The date and time tests include:

Table 4-8 Date/Time Tests

Event Day
Description: Valid when the event occurs on the configured day of the month.
Default test name: when the event(s) occur on the selected day of the month
Parameters:
• on - Specify whether you want this test to consider on, after, or before the configured day.
• selected - Specify the day of the month you want this test to consider.

Event Week
Description: Valid when the event occurs on the configured days of the week.
Default test name: when the event(s) occur on any of these days of the week
Parameters:
• these days of the week - Specify the days of the week you want this test to consider.

Event Time
Description: Valid when the event occurs after the configured time.
Default test name: when the event(s) occur after this time
Parameters:
• after - Specify whether you want this test to consider after, before, or at the configured time.
• this time - Specify the time you want this test to consider.


Device Tests
The device tests include:

Table 4-9 Device Tests

Source Device
Description: Valid when one of the configured source devices is the source of the event.
Default test name: when the event(s) were detected by one or more of these devices
Parameters:
• these devices - Specify the devices that you want this test to detect.

Source Device Type
Description: Valid when one of the configured device types is the source of the event.
Default test name: when the event(s) were detected by one or more of these device types
Parameters:
• these device types - Specify the device types that you want this test to detect.

Devices
Description: Valid when the event(s) have not been detected by the configured devices.
Default test name: when the event(s) have not been detected by one or more of these devices for 300 seconds.
Parameters:
• these devices - Specify the devices you want this test to consider.
• 300 - Specify the time, in seconds, you want this test to consider.

Device Groups
Description: Valid when an event is detected by the configured device groups.
Default test name: when the event(s) were detected by one or more of these device groups
Parameters:
• these device groups - Specify the groups you want this rule to consider.

Offense Rule Tests
This section provides information on the tests you can apply to offense rules, including:
• IP/Port Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
• Offense Property Tests

IP/Port Tests
The IP/Port tests include:

Table 4-10 IP/Port Test Group

Attacker IP Address
Description: Valid when the attacker IP address is one of the configured IP address(es).
Default test name: when the attacker/violator IP is one of the following IP addresses.
Parameters:
• IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.


Target IP Address
Description: Valid when the target list includes any of the configured IP address(es).
Default test name: when the target list includes any of the following IP addresses
Parameters:
• any - Specify whether you want this test to consider any or all of the listed targets.
• IP addresses - Specify the IP address(es) you want this test to consider. You can enter multiple entries using a comma-separated list.

Function Tests
The function tests include:

Table 4-11 Offense Function Group

Multi-Rule Offense Function
Description: Allows you to use saved building blocks and other rules to populate this test. The offense has to match either all or any of the selected rules. If you want to create an OR statement for this rule test, specify the any parameter.
Default test name: when the offense matches any of the following offense rules.
Parameters:
• any - Specify whether any or all of the configured rules must apply to this test.
• rules - Specify the rules you want this test to consider.

Host Profile Tests
The host profile tests include:

Table 4-12 Host Profile Tests

Attacker Threat Level
Description: Threat posing is a value calculated for this attacker over time that indicates how severe the attacker is compared to all other attackers in your network. Valid when the threat posed to the network by an attacker is greater than or less than the configured value.
Default test name: when the amount of threat the attacker is posing is greater than this value
Parameters:
• greater than - Specify whether you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.


Network Vulnerability Risk
Description: Valid when the overall vulnerability assessment (VA) risk on the network is greater than or less than the configured value.
Default test name: when the overall network VA risk is greater than this value
Parameters:
• greater than - Specify whether you want the risk to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Network Threat Posing
Description: Valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
Default test name: when the amount of threat the network is posing is greater than this value
Parameters:
• greater than - Specify whether you want the value to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Network Threat Under
Description: Threat under is the value applied to the threat a network is under over time. It is calculated from the average weighted value of the threat under over time. This test is valid when the amount of threat a network is under from local and remote networks is greater than, less than, or equal to the configured value.
Default test name: when the amount of threat the network is under is greater than this value
Parameters:
• greater than - Specify whether you want the network threat to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Date/Time Tests
The date and time tests include:

Table 4-13 Date/Time Tests

Event Day
Description: Valid when the offense occurs on the configured day of the month.
Default test name: when the offense(s) occur on the selected day of the month
Parameters:
• on - Specify whether you want this rule to consider on, after, or before the selected date.
• selected - Specify the date you want this test to consider.

Event Week
Description: Valid when the offense occurs on the configured days of the week.
Default test name: when the offense(s) occur on these days of the week

Configure the following parameters:• on - Specify if you want this rule

to consider on, after, or before the selected day.

• these days of the week - Specify the days you want this test to consider.

STRM Administration Guide

Event Time
Description: Valid when the offense occurs after, before, or at the configured time.
Default Test Name: when the offense(s) occur after this time
Parameters:
• after - Specify if you want this test to consider after, before, or at the specified time.
• this time - Specify the time you want this test to consider.

Device Tests

The device tests include:

Table 4-14 Device Tests

Device Types
Description: Valid when one of the configured device types is the source of the event.
Default Test Name: when the device type(s) that detected the offense is one of the following device types
Parameters:
• device types - Specify the device types that you want this test to consider.

Number of Device Types
Description: Valid when the number of device types that detected the offense is greater than the configured value.
Default Test Name: when the number of device types that detected the offense is greater than this number
Parameters:
• greater than this number - Specify the number of device types that you want this test to consider.

Offense Property Tests

The offense property tests include:

Table 4-15 Offense Property Tests

Network Object
Description: Valid when the networks affected are any or all of the configured networks.
Default Test Name: when the networks affected are any of the following networks
Parameters:
• any - Specify if you want this test to consider any or all of the networks.
• one of the following networks - Specify the networks you want this test to consider.

Offense Category
Description: Valid when the event categories of the offense include any or all of the configured categories.
Default Test Name: when the categories of the offense include any of the following list of categories
Parameters:
• any - Specify if you want this test to consider any or all categories.
• list of categories - Specify the categories you want this test to consider.
For more information on event categories, see the Event Category Correlation Reference Guide.

Severity
Description: Valid when the offense severity is greater than, less than, or equal to the configured value.
Default Test Name: when the offense severity is greater than 5 {default}
Parameters:
• greater than - Specify if you want the offense severity to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Credibility
Description: Valid when the offense credibility is greater than, less than, or equal to the configured value.
Default Test Name: when the offense credibility is greater than 5 {default}
Parameters:
• greater than - Specify if you want the offense credibility to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Relevance
Description: Valid when the offense relevance is greater than, less than, or equal to the configured value.
Default Test Name: when the offense relevance is greater than 5 {default}
Parameters:
• greater than - Specify if you want the offense relevance to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Attack Context
Description: Attack context is the relationship between the attacker and the target, for example a local attacker and a remote target. Valid when the attack context is one of the following: Local to Local, Local to Remote, Remote to Local, or Remote to Remote.
Default Test Name: when the attack context is this context
Parameters:
• this context - Specify the context you want this test to consider. The options are Local to Local, Local to Remote, Remote to Local, and Remote to Remote.

Attacker Location
Description: Valid when the attacker is either local or remote. The default is remote.
Default Test Name: when the attacker is local or remote IPs {default: remote}
Parameters:
• local or remote - Specify if you want the attacker to be local or remote.

Target Location
Description: Valid when the target is either local or remote. The default is remote.
Default Test Name: when the target list includes local or remote IP addresses {default: remote}
Parameters:
• local or remote IP addresses - Specify if you want the target to be local or remote.

Network Flow Analysis (attacker target analysis)
Description: Valid when STRM detects any or all of the configured behaviors in the attacker target analysis.
Default Test Name: when real-time network flow analysis has detected any of the following attacker target analysis behaviors listed
Parameters:
• any - Specify if you want this test to consider any or all behaviors.
• listed - Specify the behaviors you want this test to consider.

Network Flow Analysis (target analysis)
Description: Valid when STRM detects any or all of the configured behaviors in the target analysis.
Default Test Name: when real-time network flow analysis has detected any of the following target analysis behaviors listed
Parameters:
• any - Specify if you want this test to consider any or all behaviors.
• listed - Specify the behaviors you want this test to consider.

Category Count in an Offense
Description: Valid when the number of event categories for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of categories involved in the offense is greater than this number
Parameters:
• greater than - Specify if you want the number of categories to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.
For more information on event categories, see the Event Category Correlation Reference Guide.

Target Count in an Offense
Description: Valid when the number of targets for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of targets under attack is greater than this number
Parameters:
• greater than - Specify if you want the number of targets to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.

Event Count in an Offense
Description: Valid when the number of events for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of events making up the offense is greater than this number
Parameters:
• greater than - Specify if you want the number of events to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.

Offense ID
Description: Valid when the offense ID is the configured value.
Default Test Name: when the offense ID is this ID
Parameters:
• this ID - Specify the offense ID you want this test to consider.

Offense Creation
Description: Valid when a new offense is created.
Default Test Name: when a new offense is created
Parameters: none.

Offense Change
Description: Valid when the configured offense property has increased (or decreased) by at least the configured percentage or number of units.
Default Test Name: when the offense property has increased by at least this percent
Parameters:
• property - Specify the property you want this test to consider. The options are magnitude, severity, credibility, relevance, target count, attacker count, category count, annotation count, or event count.
• this - Specify the percentage or unit value you want this test to consider.
• percent - Specify if you want this test to consider a percentage or units.

Copying a Rule

To copy a rule:

Step 1 Select the Offense Manager tab. The Offense Manager appears.

Step 2 In the navigation bar, click Rules.

Step 3 In the Display drop-down list box, select Rules.

Step 4 Select the rule you want to duplicate.

Step 5 Using the Actions drop-down list box, select Duplicate.

Step 6 In the Enter name for the copied rule field, enter a name for the new rule. Click Ok. The duplicated rule appears.

Step 7 Click Edit to edit the tests for the rule. For more information on editing the rule, see Creating a Rule.

Deleting a Rule

To delete a rule:

Step 1 Select the Offense Manager tab. The Offense Manager appears.

Step 2 In the navigation bar, click Rules.

Step 3 In the Display drop-down list box, select Rules.

Step 4 Select the rule you want to delete.

Step 5 Using the Actions drop-down list box, select Delete.
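As an added illustration that is not part of this guide, the following Python example evaluates rule tests of the kinds catalogued in Tables 4-11 through 4-15 above (Target IP Address with any/all, the greater than/less than/equal to property tests, Attack Context, Event Time, Offense Change in percent or units, and the Multi-Rule any/all combination) against constructed offense records. The offense field names, the local network list, and the assumption that the tests within one rule are ANDed are mine, not STRM's.

```python
"""Added example (not STRM code): evaluates offense rule tests of the kinds listed
in Tables 4-11 to 4-15 against constructed offense records. Field names, the local
network definitions and the AND-combination of a rule's tests are assumptions."""
import operator
from datetime import datetime
from ipaddress import ip_address, ip_network

# The "greater than / less than / equal to" parameter shared by the property tests.
COMPARE = {"greater than": operator.gt, "less than": operator.lt, "equal to": operator.eq}

# Assumed local address space (STRM derives this from its network hierarchy).
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def location(ip):
    """Attacker Location / Target Location: 'Local' or 'Remote' for one address."""
    return "Local" if any(ip_address(ip) in net for net in LOCAL_NETWORKS) else "Remote"


def target_ip_test(offense, mode, ips):
    """Target IP Address: the target list includes any (OR) or all (AND) of the IPs."""
    hits = [ip in offense["targets"] for ip in ips]
    return any(hits) if mode == "any" else all(hits)


def property_test(offense, prop, mode, value):
    """Severity, Credibility, Relevance and the count tests: property <op> value."""
    return COMPARE[mode](offense[prop], value)


def attack_context_test(offense, context):
    """Attack Context: e.g. 'Remote to Local' between the attacker and any target."""
    return any(f"{location(offense['attacker'])} to {location(t)}" == context
               for t in offense["targets"])


def event_time_test(offense, mode, hhmm):
    """Event Time: the offense occurs after, before or at the configured time of day."""
    t, ref = offense["time"].time(), datetime.strptime(hhmm, "%H:%M").time()
    return {"after": t > ref, "before": t < ref, "at": t == ref}[mode]


def offense_change_test(before, after, prop, amount, unit="percent"):
    """Offense Change: the property grew by at least `amount` percent or units
    since the offense was last evaluated."""
    delta = after[prop] - before[prop]
    if unit == "units":
        return delta >= amount
    if before[prop] == 0:            # any growth from zero is an unbounded percentage
        return delta > 0
    return delta * 100 / before[prop] >= amount


def multi_rule_test(results, mode):
    """Multi-Rule Offense Function: any/all of the referenced rules matched."""
    return any(results) if mode == "any" else all(results)


def evaluate_rule(offense, tests):
    """A rule fires when every test in it holds (assumed AND; the OR form is the
    Multi-Rule test with 'any')."""
    return all(test(offense) for test in tests)


# Constructed offense and an earlier snapshot of it (for the Offense Change test).
OFFENSE = {
    "id": 1234, "attacker": "203.0.113.7", "targets": ["10.1.2.3", "10.1.2.4"],
    "severity": 7, "credibility": 6, "relevance": 4, "event_count": 120,
    "category_count": 2, "time": datetime(2008, 4, 28, 10, 14, 49),
}
EARLIER = dict(OFFENSE, severity=5, event_count=100)

# "Remote attacker hits a listed local target with severity above 5, after 09:00".
RULE = [
    lambda o: target_ip_test(o, "any", ["10.1.2.3", "10.9.9.9"]),
    lambda o: property_test(o, "severity", "greater than", 5),
    lambda o: attack_context_test(o, "Remote to Local"),
    lambda o: event_time_test(o, "after", "09:00"),
]

if __name__ == "__main__":
    print("rule fires:", evaluate_rule(OFFENSE, RULE))
    print("severity up by 40%:", offense_change_test(EARLIER, OFFENSE, "severity", 40))
```

The Offense Change test is the one to think about before relying on it: a percentage threshold is relative to the previous value, so a property that was 0 would divide by zero, and a small absolute change on a low base can exceed a large percentage; choose the units form when you mean an absolute threshold.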

Grouping Rules

You can group and view your rules and building blocks based on your chosen criteria. Categorizing your rules or building blocks into groups allows you to efficiently view and track your rules. For example, you can view all rules related to compliance. By default, the Rules interface displays all rules and building blocks.

As you create new rules, you can choose whether to assign the rule to an existing group. For information on assigning a rule to a group using the rule wizard, see Creating a Rule.

Note: You must have administrative access to create, edit, or delete groups. For more information on user roles, see Chapter 1 Managing Users.

This section provides information on grouping rules and building blocks, including:

• Viewing Groups

• Creating a Group

• Editing a Group

• Copying an Item to Another Group(s)

• Deleting an Item from a Group

• Assigning an Item to a Group

Viewing Groups

To view rules or building blocks using groups:

Step 1 Click the Offense Manager tab. The Offense Manager interface appears.

Step 2 In the navigation menu, click Rules.

Step 3 Using the Display drop-down list box, select whether you want to view Rules or Building Blocks.

Step 4 From the Filter drop-down list box, select the group you want to view. The list of items assigned to that group appears.

Creating a Group

To create a group:

Step 1 Click the Offense Manager tab. The Offense Manager interface appears.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups. The Group window appears.

Step 4 From the menu tree, select the group under which you want to create a new group.

Note: Once you create the group, you can drag and drop menu tree items to change the organization of the tree.

Step 5 Click New Group. The Group Properties window appears.

Step 6 Enter values for the parameters:

• Name - Specify the name you want to assign to the new group. The name may be up to 255 characters in length.

• Description - Specify a description you want to assign to this group. The description may be up to 255 characters in length.

Step 7 Click Ok.

Step 8 If you want to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree.

Step 9 Close the Groups window.

Editing a Group

To edit a group:

Step 1 Click the Offense Manager tab. The Offense Manager interface appears.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups. The Group window appears.

Step 4 From the menu tree, select the group you want to edit.

Step 5 Click Edit. The Group Properties window appears.

Step 6 Update values for the parameters, as necessary:

• Name - Specify the name you want to assign to the group. The name may be up to 255 characters in length.

• Description - Specify a description you want to assign to this group. The description may be up to 255 characters in length.

Step 7 Click Ok.

Step 8 If you want to change the location of the group, click the group and drag the folder to the desired location in your menu tree.

Step 9 Close the Groups window.

Copying an Item to Another Group(s)

Using the groups functionality, you can copy a rule or building block to one or many groups. To copy a rule or building block:

Step 1 Click the Offense Manager tab. The Offense Manager interface appears.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups. The Group window appears.

Step 4 From the menu tree, select the rule or building block you want to copy to another group.

Step 5 Click Copy. The Choose Group window appears.

Step 6 Select the check box for the group(s) to which you want to copy the rule or building block.

Step 7 Click Copy.

Step 8 Close the Groups window.

Deleting an Item from a Group

To delete a rule or building block from a group:

Note: Deleting a group removes the rules or building blocks it contains from the Rules interface, whereas deleting an item from a group does not delete the rule or building block from the Rules interface.

Step 1 Click the Offense Manager tab. The Offense Manager interface appears.

Step 2 In the navigation menu, click Rules.

Step 3 Click Groups. The Group window appears.

Step 4 From the menu tree, select the top level group.

Step 5 From the list of groups, select the group you want to delete.

Step 6 Click Remove. A confirmation window appears.

Step 7 Click Ok.

Step 8 If you want to change the location of a group, click the group and drag the folder to the desired location in your menu tree.

Step 9 Close the Groups window.

Assigning an Item to a Group

To assign a rule or building block to a group:

Step 1 Click the Offense Manager tab. The Offense Manager interface appears.

Step 2 In the navigation menu, click Rules.

Step 3 Select the rule or building block you want to assign to a group.

Step 4 Using the Actions drop-down list box, select Assign Groups. The Choose Group window appears.

Step 5 Click Assign Groups.

Editing Building Blocks

Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that excludes the IP addresses of all mail servers in your deployment from the rule.

The default building blocks depend on the template chosen during the installation process. For more information on the defaults, see:

• Enterprise Template - See Appendix B Enterprise Template Defaults.

• University Template - See Appendix C University Template Defaults.

To edit a building block:

Step 1 Select the Offense Manager tab. The Offense Manager window appears.

Step 2 In the navigation menu, click Rules. The Rules window appears.

Step 3 In the Display drop-down list box, select Building Blocks. The building blocks appear.

Step 4 Double-click the building block you want to edit. The Custom Rules Wizard appears.

Step 5 Update the building block, as necessary. Click Next.

Step 6 Continue through the wizard. For more information, see Creating a Rule. The Rule Summary appears.

Step 7 Click Finish.

12

DISCOVERING SERVERS

The Server Discovery function uses STRM’s Asset Profile database to discover different server types based on port definitions, then allows you to select which servers should be added to a server-type building block. This feature makes the discovery and tuning process simpler and faster by allowing a quick mechanism to insert servers into building blocks.

The Server Discovery function is based on server-type building blocks. Ports are used to define the server type so that the server-type building block essentially functions as a port-based filter when searching the Asset Profile database.

For more information on building blocks, see Chapter 11 Configuring Rules.

To discover servers:

Step 1 Click the Assets tab. The Assets window appears.

Step 2 In the navigation menu, click Server Discovery. The Server Discovery panel appears.

Step 3 From the Server Type drop-down list box, select the server type you want to discover.

Step 4 Select the option to determine the servers you want to discover, including:

• All - Search all servers in your deployment with the currently selected Server Type.

• Assigned - Search servers in your deployment that have been previously assigned to the currently selected Server Type.

• Unassigned - Search servers in your deployment that have not been previously assigned.

Step 5 From the Network drop-down list box, select the network you want to search.

Step 6 Click Discover Servers. The discovered servers appear.

Step 7 In the Matching Servers table, select the check box(es) of all servers you want to assign to the server role.

Note: If you want to modify the search criteria, click either Edit Port or Edit Definition. The Rules Wizard appears. For more information on the rules wizard, see Chapter 11 Configuring Rules.

Step 8 Click Approve Selected Servers.
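An added example, not STRM's own code, of the port-based matching that Server Discovery performs over the Asset Profile database: it applies the All / Assigned / Unassigned scope and the Network filter from Steps 4 and 5, lists every server type a host would match, and finally records the approval into the server-type building block. The per-type port lists, the asset records, the building-block membership and the reading of "Unassigned" as "not yet in the selected type's block" are constructed assumptions for this example.

```python
"""Added example (not STRM code): port-based server discovery over constructed
asset profile records, with the All / Assigned / Unassigned and Network filters.
Port definitions, record fields and building-block state are assumptions."""
from ipaddress import ip_address, ip_network

# Assumed port definitions per server type (in STRM these live in the server-type
# building block and are changed with Edit Port).
SERVER_TYPES = {
    "Mail Servers": {25, 110, 143, 587, 993, 995},
    "Web Servers": {80, 443, 8080},
    "DNS Servers": {53},
}

# Constructed asset profile records: address plus the ports observed open on it.
ASSETS = [
    {"ip": "10.1.1.10", "ports": {22, 25, 587}},
    {"ip": "10.1.1.20", "ports": {80, 443}},
    {"ip": "10.1.2.30", "ports": {53, 80}},     # matches two server types
    {"ip": "192.168.5.5", "ports": {25}},
    {"ip": "10.1.1.99", "ports": {22}},         # matches nothing
]

# Current membership of each server-type building block (the "assigned" servers).
BUILDING_BLOCKS = {"Mail Servers": {"10.1.1.10"}, "Web Servers": set(), "DNS Servers": set()}


def discover_servers(server_type, scope="Unassigned", network=None,
                     assets=ASSETS, blocks=BUILDING_BLOCKS):
    """Assets with at least one port of the server type open, narrowed by scope
    (All; Assigned = already in this type's block; Unassigned = not yet in it)
    and, when given, by the network the asset belongs to."""
    ports, assigned = SERVER_TYPES[server_type], blocks[server_type]
    found = []
    for asset in assets:
        if not asset["ports"] & ports:
            continue
        if network and ip_address(asset["ip"]) not in ip_network(network):
            continue
        in_block = asset["ip"] in assigned
        if scope == "Assigned" and not in_block:
            continue
        if scope == "Unassigned" and in_block:
            continue
        found.append(asset["ip"])
    return sorted(found)


def other_matches(ip, assets=ASSETS):
    """Every server type an asset would match; review these before approving,
    because a server-type building block is typically used to exclude hosts from
    rules, and an over-broad match widens that exclusion."""
    ports = next(a["ports"] for a in assets if a["ip"] == ip)
    return sorted(t for t, p in SERVER_TYPES.items() if ports & p)


def approve_servers(server_type, ips, blocks=BUILDING_BLOCKS):
    """Approve Selected Servers: add them to the block and return its membership."""
    blocks[server_type] |= set(ips)
    return sorted(blocks[server_type])


if __name__ == "__main__":
    print(discover_servers("Web Servers", "Unassigned", network="10.0.0.0/8"))
    print(other_matches("10.1.2.30"))
```

A host that matches more than one server type (10.1.2.30 here, open on 53 and 80) deserves a look before Approve Selected Servers: as the building-block section of Chapter 11 notes, a server-type block is commonly used to exclude those hosts from rules, so approving an over-broad match widens a blind spot.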

13

FORWARDING SYSLOG DATA

STRM allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM normalized event data. You can forward data on a per Event Collector/Event Processor basis, and you can configure multiple forwarding destinations. STRM ensures that all forwarded data is unaltered. A destination is defined only by an IP address and port, so treat the forwarded stream as cleartext and restrict the network path between the Event Collector and the destination to that host and port (for example, with firewall rules).

This chapter includes:

• Adding a Syslog Destination

• Editing a Syslog Destination

• Delete a Syslog Destination

Adding a Syslog Destination

To add a syslog forwarding destination:

Step 1 In the Administration Console, click the SIM Configuration tab.

The SIM Configuration panel appears.

Step 2 Click the Syslog Forwarding Destinations icon. The Syslog Forwarding Destinations window appears.

Step 3 Click Add. The Syslog Forwarding Destinations window appears.


Step 4 Enter values for the parameters:

• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you want to forward log data.

• IP - Enter the IP address of the system to which you want to forward log data.

• Port - Enter the port number on the system to which you want to forward log data.

Step 5 Click Save.

Editing a Syslog Destination

To edit a syslog forwarding destination:

Step 1 In the Administration Console, click the SIM Configuration tab. The SIM Configuration panel appears.

Step 2 Click the Syslog Forwarding Destinations icon. The Syslog Forwarding Destinations window appears.

Step 3 Select the entry you want to edit.

Step 4 Click Edit. The Syslog Forwarding Destinations window appears.

Step 5 Update values, as necessary:

• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you want to forward log data.

• IP - Enter the IP address of the system to which you want to forward log data.

• Port - Enter the port number on the system to which you want to forward log data.

Step 6 Click Save.

Delete a Syslog Destination

To delete a syslog forwarding destination:

Step 1 In the Administration Console, click the SIM Configuration tab. The SIM Configuration panel appears.

Step 2 Click the Syslog Forwarding Destinations icon. The Syslog Forwarding Destinations window appears.

Step 3 Select the entry you want to delete.

Step 4 Click Delete. A confirmation window appears.

Step 5 Click Ok.

A

JUNIPER NETWORKS MIB

This appendix provides information on the Juniper Networks Management Information Base (MIB). The Juniper Networks MIB allows you to send SNMP traps to other network management systems. The Juniper Networks OID is 1.3.6.1.4.1.20212. Note that the comments in the listing below place the trap variables and notifications under .2636.7.1.* and .2636.7.0.* (1.3.6.1.4.1.2636 is Juniper's enterprise arc), so check the OIDs against the MIB file shipped with your installation before loading it into a trap receiver.

Note: For assistance with the Juniper Networks MIB, please contact Juniper Networks Customer Support.
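Before the listing, an added example (not Juniper's code) of how a trap receiver uses these definitions: it extracts the OBJECT-TYPE and NOTIFICATION-TYPE entries from an excerpt written in the same syntax as the MIB below, maps them to OIDs, and decodes a constructed strmEventCRENotification into named, syntax-checked fields. The jnxStrm base arc 1.3.6.1.4.1.2636.7 is assumed from the ".2636.7.1.*" comments in the listing, the excerpt and the sample trap are constructed, and a production receiver would load the full MIB with a MIB-aware tool such as net-snmp's snmptrapd rather than a regular expression.

```python
"""Added example, not Juniper's code: build an OID table from OBJECT-TYPE and
NOTIFICATION-TYPE definitions written in the MIB's syntax, then decode one trap.
Assumption: jnxStrm is 1.3.6.1.4.1.2636.7, per the '.2636.7.1.*' comments in the
listing; confirm against the MIB file installed with your STRM system."""
import re
from ipaddress import ip_address

JNX_STRM = "1.3.6.1.4.1.2636.7"            # assumed jnxStrm arc
STRM_TRAP_INFO = JNX_STRM + ".1"            # strmTrapInfo: variables carried in traps
STRM_TRAP = JNX_STRM + ".0"                 # strmTrap: the notification identifiers
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0, present in every SNMPv2 trap

# Constructed excerpt in the appendix's syntax: only the objects the sample trap carries.
MIB_EXCERPT = """
strmLocalHostAddress OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "IP address of the local machine where the notification originated"
    ::= { strmTrapInfo 1 }
strmAttackerIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Attacker IP"
    ::= { strmTrapInfo 12 }
strmQid OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "QID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 38 }
strmEventName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Name of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 39 }
strmEventCRENotification NOTIFICATION-TYPE
    OBJECTS { strmLocalHostAddress, strmAttackerIP, strmQid, strmEventName }
    STATUS current
    DESCRIPTION "Event CRE Notification"
    ::= { strmTrap 1 }
"""

OBJ_RE = re.compile(r"(\w+)\s+OBJECT-TYPE\s+SYNTAX\s+(\w+)(?:\s*\(SIZE\((\d+)\.\.(\d+)\)\))?"
                    r".*?::=\s*\{\s*strmTrapInfo\s+(\d+)\s*\}", re.S)
NOTIF_RE = re.compile(r"(\w+)\s+NOTIFICATION-TYPE\s+OBJECTS\s*\{([^}]*)\}"
                      r".*?::=\s*\{\s*strmTrap\s+(\d+)\s*\}", re.S)


def parse_mib(text):
    """Map object OIDs to (name, syntax, max size) and trap OIDs to (name, objects)."""
    objects = {f"{STRM_TRAP_INFO}.{sub}": (name, syntax, int(hi) if hi else None)
               for name, syntax, _lo, hi, sub in OBJ_RE.findall(text)}
    notifications = {f"{STRM_TRAP}.{sub}": (name, [o.strip() for o in objs.split(",") if o.strip()])
                     for name, objs, sub in NOTIF_RE.findall(text)}
    return objects, notifications


def check_value(syntax, max_size, value):
    """Reject values that do not fit the declared SYNTAX: a trap is untrusted input."""
    if syntax == "IpAddress":
        ip_address(value)                                   # ValueError on garbage
    elif syntax == "Integer32" and not -2**31 <= int(value) < 2**31:
        raise ValueError("Integer32 out of range")
    elif syntax == "Counter64" and not 0 <= int(value) < 2**64:
        raise ValueError("Counter64 out of range")
    elif syntax == "DisplayString" and max_size is not None and len(value) > max_size:
        raise ValueError("DisplayString exceeds its SIZE bound")
    return value


def decode_trap(varbinds, objects, notifications):
    """Return (notification name, {object name: value}, [declared objects not sent])."""
    trap_oid = dict(varbinds).get(SNMP_TRAP_OID)
    if trap_oid not in notifications:
        raise ValueError(f"not a STRM notification: {trap_oid}")
    notif_name, declared = notifications[trap_oid]
    fields = {}
    for oid, value in varbinds:
        base = oid[:-2] if oid.endswith(".0") else oid      # drop the scalar instance
        if base in objects:
            name, syntax, max_size = objects[base]
            fields[name] = check_value(syntax, max_size, value)
    return notif_name, fields, [n for n in declared if n not in fields]


def is_valid_trap(varbinds):
    """True only if the trap decodes cleanly against the MIB excerpt."""
    try:
        decode_trap(varbinds, *parse_mib(MIB_EXCERPT))
        return True
    except ValueError:
        return False


# Constructed strmEventCRENotification as a trap receiver would see its varbinds.
SAMPLE_TRAP = [
    ("1.3.6.1.2.1.1.3.0", "123456"),                         # sysUpTime.0, ignored here
    (SNMP_TRAP_OID, STRM_TRAP + ".1"),
    (STRM_TRAP_INFO + ".1.0", "10.0.0.10"),
    (STRM_TRAP_INFO + ".12.0", "203.0.113.7"),
    (STRM_TRAP_INFO + ".38.0", "5000001"),
    (STRM_TRAP_INFO + ".39.0", "Login Failure"),
]


def decode_sample():
    return decode_trap(SAMPLE_TRAP, *parse_mib(MIB_EXCERPT))
```

The syntax checks matter because SNMPv1 and v2c traps are authenticated by nothing stronger than a community string: anything that turns trap fields into tickets or dashboard entries should validate IpAddress values and SIZE bounds rather than trust the sender, and the list of missing objects flags traps that do not carry everything the notification declares.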

The Juniper Networks MIB includes:

JUNIPER-STRM-TRAPS DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    IpAddress, Integer32, Counter64
        FROM SNMPv2-SMI
    jnxStrm
        FROM JUNIPER-SMI
    DisplayString, DateAndTime, TruthValue,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC;

strmTrapInfo MODULE-IDENTITY
    LAST-UPDATED "200811101100Z"
    ORGANIZATION "Juniper Networks, Inc"
    CONTACT-INFO
        "Juniper Technical Assistance Center
         Juniper Networks, Inc.
         1194 N. Mathilda Avenue
         Sunnyvale, CA 94089
         E-mail: [email protected]"
    DESCRIPTION "Security Threat Response Manager trap definitions for STRM"
    ::= { jnxStrm 1 }

strmTrap OBJECT IDENTIFIER ::= { jnxStrm 0 }

---
--- Variables within the STRM Trap Info
--- .2636.7.1.*
---

strmLocalHostAddress OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "IP address of the local machine where the notification originated"
    ::= { strmTrapInfo 1 }

strmTimeString OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Time offense was created or time the event rule fired. Example 'Mon Apr 28 10:14:49 GMT 2008'"
    ::= { strmTrapInfo 2 }

strmTimeInMillis OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Time offense was created or time the event rule fired in milliseconds"
    ::= { strmTrapInfo 3 }

---
--- Offense Properties
---

strmOffenseID OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense ID"
    ::= { strmTrapInfo 4 }

strmOffenseDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Description of the Offense"
    ::= { strmTrapInfo 6 }

strmOffenseLink OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "HTTP link to the offense"
    ::= { strmTrapInfo 7 }

strmMagnitude OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense magnit
ude"
    ::= { strmTrapInfo 8 }

strmSeverity OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense severity"
    ::= { strmTrapInfo 9 }

strmCreditibility OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense credibility"
    ::= { strmTrapInfo 10 }

strmRelevance OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Offense relevance"
    ::= { strmTrapInfo 11 }

---
--- Attacker Properties
---

strmAttackerIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Attacker IP"
    ::= { strmTrapInfo 12 }

strmAttackerUserName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Attacker's User Name"
    ::= { strmTrapInfo 13 }

strmAttackerCount OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Attackers"
    ::= { strmTrapInfo 14 }

strmTop5AttackerIPs OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Attackers by Magnitude (comma separated)"
    ::= { strmTrapInfo 15 }

strmTopAttackerIP OBJECT-TYPE

    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Attacker IP"
    ::= { strmTrapInfo 16 }

strmTop5AttackerUsernames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Attacker Usernames by Magnitude (comma separated)"
    ::= { strmTrapInfo 48 }

strmTopAttackerUsername OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..32))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Attacker Username"
    ::= { strmTrapInfo 49 }

strmAttackerNetworks OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Attacker Networks (comma separated)"
    ::= { strmTrapInfo 17 }

---
--- Target Properties
---

strmTargetIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Target IP"
    ::= { strmTrapInfo 18 }

strmTargetUserName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Target's User Name"
    ::= { strmTrapInfo 19 }

strmTargetCount OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Targets"
    ::= { strmTrapInfo 20 }

strmTop5TargetIPs OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Target IPs by Magnitude"
    ::= { strmTrapInfo 21 }

strmTopTargetIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Target"
    ::= { strmTrapInfo 22 }

strmTop5TargetUsernames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Target Usernames by Magnitude"
    ::= { strmTrapInfo 50 }

strmTopTargetUsername OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..32))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Target"
    ::= { strmTrapInfo 51 }

strmTargetNetworks OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Target Networks (comma separated)"
    ::= { strmTrapInfo 23 }

---
--- Category Properties
---

strmCategoryCount OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Categories"
    ::= { strmTrapInfo 24 }

strmTop5Categories OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top 5 Categories (comma separated)"
    ::= { strmTrapInfo 25 }

strmTopCategory OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Category"
    ::= { strmTrapInfo 26 }

strmCategoryID OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Category ID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 27 }

strmCategory OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..64))

    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Category of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 28 }

---
--- Annotation Properties
---

strmAnnotationCount OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Annotations"
    ::= { strmTrapInfo 29 }

strmTopAnnotation OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Top Annotation"
    ::= { strmTrapInfo 30 }

---
--- Rule Properties
---

strmRuleCount OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Rules contained in the Offense"
    ::= { strmTrapInfo 31 }

strmRuleNames OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Names of the Rules that contributed to the Offense (comma separated)"
    ::= { strmTrapInfo 32 }

strmRuleID OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "ID of the Rule that was triggered in the CRE"
    ::= { strmTrapInfo 33 }

strmRuleName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Name of the Rule that was triggered in the CRE"
    ::= { strmTrapInfo 34 }

strmRuleDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Description/Notes of the Rule that was triggered in the CRE"
    ::= { strmTrapInfo 35 }

---
--- Event Properties
---

strmEventCount OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Total Number of Events contained in the Offense"
    ::= { strmTrapInfo 36 }

strmEventID OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "ID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 37 }

strmQid OBJECT-TYPE
    SYNTAX Integer32

    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "QID of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 38 }

strmEventName OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..256))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Name of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 39 }

strmEventDescription OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..1024))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Description/Notes of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 40 }

---
--- IP Properties
---

strmSourceIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Source IP of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 41 }

strmSourcePort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"
    ::= { strmTrapInfo 42 }

strmDestinationIP OBJECT-TYPE

SYNTAX IpAddress

MAX-ACCESS accessible-for-notify

STATUS current

DESCRIPTION "Destination IP of the Event that triggered the

Event CRE Rule"

::= { strmTrapInfo 43 }

strmDestinationPort OBJECT-TYPE

SYNTAX Integer32

MAX-ACCESS accessible-for-notify

STATUS current

DESCRIPTION "Destination Port of the Event that triggered the

Event CRE Rule"

::= { strmTrapInfo 44 }

strmProtocol OBJECT-TYPE

SYNTAX Integer32

MAX-ACCESS accessible-for-notify

STATUS current

DESCRIPTION "Protocol of the Event that triggered the Event CRE Rule"

::= { strmTrapInfo 45 }

strmAttackerPort OBJECT-TYPE

SYNTAX Integer32

MAX-ACCESS accessible-for-notify

STATUS current

DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"

::= { strmTrapInfo 46 }

strmTargetPort OBJECT-TYPE

SYNTAX Integer32

MAX-ACCESS accessible-for-notify

STATUS current

DESCRIPTION "Destination Port of the Event that triggered the Event CRE Rule"

::= { strmTrapInfo 47 }

---
--- STRM Trap Notifications
--- .2636.7.0.*
---

strmEventCRENotification NOTIFICATION-TYPE
    OBJECTS {
        strmLocalHostAddress,
        strmTimeString,
        strmRuleName,
        strmRuleDescription,
        strmAttackerIP,
        strmAttackerPort,
        strmAttackerUserName,
        strmAttackerNetworks,
        strmTargetIP,
        strmTargetPort,
        strmTargetUserName,
        strmTargetNetworks,
        strmProtocol,
        strmQid,
        strmEventName,
        strmEventDescription,
        strmCategory
    }
    STATUS current
    DESCRIPTION "Event CRE Notification"
    ::= { strmTrap 1 }

strmOffenseCRENotification NOTIFICATION-TYPE
    OBJECTS {
        strmLocalHostAddress,
        strmTimeString,
        strmRuleName,
        strmRuleDescription,
        strmOffenseID,
        strmOffenseDescription,
        strmOffenseLink,
        strmMagnitude,
        strmSeverity,
        strmCreditibility,
        strmRelevance,
        strmEventCount,
        strmCategoryCount,
        strmTop5Categories,
        strmAttackerIP,
        strmAttackerUserName,
        strmAttackerNetworks,
        strmAttackerCount,
        strmTop5AttackerIPs,
        strmTargetIP,
        strmTargetUserName,
        strmTargetNetworks,
        strmTargetCount,
        strmTop5TargetIPs,
        strmRuleCount,
        strmRuleNames,
        strmAnnotationCount,
        strmTopAnnotation.1,
        strmTopAnnotation.2,
        strmTopAnnotation.3,
        strmTopAnnotation.4,
        strmTopAnnotation.5
    }
    STATUS current
    DESCRIPTION "Offense CRE Notification"
    ::= { strmTrap 2 }

END
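A receiver-side decoder for the two notifications above, added here as an example and not part of Juniper's MIB or of STRM: it maps the varbinds of an incoming trap to the object names defined in this excerpt, checks each value against its SYNTAX and SIZE clause, and reports which of the Event CRE OBJECTS are missing. The page does not give the full OID of strmTrapInfo, so the STRM_TRAP_INFO prefix and the sample traps are constructed assumptions.

```python
"""Decode an SNMPv2 trap carrying a STRM CRE notification and check each varbind
against the SYNTAX/SIZE constraints declared in the MIB excerpt above.
Added example, not Juniper code. The excerpt gives strmTrapInfo 33..47 and puts the
traps under .2636.7.0 (Juniper's enterprise OID is 1.3.6.1.4.1.2636) but not the
full OID of strmTrapInfo, so STRM_TRAP_INFO is a constructed placeholder."""
import ipaddress

JUNIPER = "1.3.6.1.4.1.2636"
STRM_TRAP = JUNIPER + ".7.0"             # "--- .2636.7.0.*" in the MIB comment
STRM_TRAP_INFO = JUNIPER + ".7.1"        # PLACEHOLDER: real prefix is not on the page
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, carried in every SNMPv2 trap

# sub-id -> (object name, SYNTAX, DisplayString size limit), from the excerpt
TRAP_INFO_OBJECTS = {
    33: ("strmRuleID", "Integer32", None),
    34: ("strmRuleName", "DisplayString", 256),
    35: ("strmRuleDescription", "DisplayString", 1024),
    36: ("strmEventCount", "Counter64", None),
    37: ("strmEventID", "Integer32", None),
    38: ("strmQid", "Integer32", None),
    39: ("strmEventName", "DisplayString", 256),
    40: ("strmEventDescription", "DisplayString", 1024),
    41: ("strmSourceIP", "IpAddress", None),
    42: ("strmSourcePort", "Integer32", None),
    43: ("strmDestinationIP", "IpAddress", None),
    44: ("strmDestinationPort", "Integer32", None),
    45: ("strmProtocol", "Integer32", None),
    46: ("strmAttackerPort", "Integer32", None),
    47: ("strmTargetPort", "Integer32", None),
}
NOTIFICATIONS = {STRM_TRAP + ".1": "strmEventCRENotification",
                 STRM_TRAP + ".2": "strmOffenseCRENotification"}
# Objects in strmEventCRENotification's OBJECTS clause that this excerpt defines
# (strmAttackerIP, strmCategory and the others are defined earlier in the MIB)
EVENT_CRE_REQUIRED = {"strmRuleName", "strmRuleDescription", "strmAttackerPort",
                      "strmTargetPort", "strmProtocol", "strmQid",
                      "strmEventName", "strmEventDescription"}

def check_value(syntax, limit, value):
    """Return None if value satisfies the SYNTAX clause, else a reason string."""
    if syntax == "Integer32":
        if not isinstance(value, int) or not -2**31 <= value < 2**31:
            return "not an Integer32"
    elif syntax == "Counter64":
        if not isinstance(value, int) or not 0 <= value < 2**64:
            return "not a Counter64"
    elif syntax == "DisplayString":
        if not isinstance(value, str) or len(value.encode("utf-8")) > limit:
            return f"exceeds SIZE(0..{limit})"
    elif syntax == "IpAddress":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return "not a dotted-quad IpAddress"
    return None

def decode_trap(varbinds):
    """Map [(oid, value), ...] to MIB names; collect constraint and completeness problems.
    Scalars arrive with the instance suffix .0, so <strmTrapInfo>.34.0 is strmRuleName."""
    out = {"notification": None, "fields": {}, "problems": []}
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID:
            out["notification"] = NOTIFICATIONS.get(value, value)
            continue
        base = oid[:-2] if oid.endswith(".0") else oid
        prefix, _, sub = base.rpartition(".")
        if prefix != STRM_TRAP_INFO or not sub.isdigit() or int(sub) not in TRAP_INFO_OBJECTS:
            out["problems"].append(f"unknown varbind {oid}")
            continue
        name, syntax, limit = TRAP_INFO_OBJECTS[int(sub)]
        reason = check_value(syntax, limit, value)
        if reason:
            out["problems"].append(f"{name}: {reason}")
        out["fields"][name] = value
    if out["notification"] == "strmEventCRENotification":
        for missing in sorted(EVENT_CRE_REQUIRED - set(out["fields"])):
            out["problems"].append(f"missing required object {missing}")
    return out

def info(sub):
    """Instance OID of a strmTrapInfo scalar (used to build the constructed samples)."""
    return f"{STRM_TRAP_INFO}.{sub}.0"

# Constructed sample traps: one well formed, one violating the declared constraints
GOOD_TRAP = [(SNMP_TRAP_OID, STRM_TRAP + ".1"), (info(34), "Constructed rule name"),
             (info(35), "Constructed rule description"), (info(46), 51234),
             (info(47), 23), (info(45), 6), (info(38), 100001),
             (info(39), "Constructed event name"), (info(40), "Constructed event description")]
BAD_TRAP = [(SNMP_TRAP_OID, STRM_TRAP + ".1"),
            (info(34), "x" * 300),   # longer than SIZE(0..256)
            (info(41), "300.1.1.1"), # not a valid IpAddress
            (info(47), 2**31)]       # outside Integer32 range

if __name__ == "__main__":
    for trap in (GOOD_TRAP, BAD_TRAP):
        decoded = decode_trap(trap)
        print(decoded["notification"], decoded["problems"] or "no problems")
```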

B  ENTERPRISE TEMPLATE DEFAULTS

The Enterprise template includes settings with emphasis on internal network activities. This appendix provides the defaults for the Enterprise template including:

• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks

Default Sentries

The default sentries for the Enterprise template include:

Table B-1 Default Sentries

Sentry / Description

Behavior - Flow Count Behavior Change

Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.

Behavior - Host Count Behavior Change

Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.

Behavior - Threat Traffic Packet Rate Behavior Change

Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.

DoS - External - Distributed DoS Attack (High Number of Hosts)

Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Distributed DoS Attack (Low Number of Hosts)

Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.


DoS - External - Distributed DoS Attack (Medium Number of Hosts)

Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Flood Attack (High)

Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.

DoS - External - Flood Attack (Medium)

Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - External - Flood Attack (Low)

Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - External - Potential ICMP DoS

Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - External - Potential TCP DoS

Detects flows that appear to be a TCP DoS attack attempt.

DoS - External - Potential UDP DoS

Detects flows that appear to be a UDP DoS attack attempt.

DoS - External - Potential Unresponsive Service or Distributed DoS

Detects a low number of hosts sending identical, non-responsive packets to a single target.

DoS - Internal - Distributed DoS Attack (High Number of Hosts)

Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Low Number of Hosts)

Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Medium Number of Hosts)

Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Flood Attack (Medium)

Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - Internal - Flood Attack (High)

Detects flood attacks above 100,000 packets per second. This activity typically indicates a serious attack.

DoS - Internal - Flood Attack (Low)

Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - Internal - Potential ICMP DoS

Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - Internal - Potential TCP DoS

Detects flows that appear to be a TCP DoS attack attempt.


DoS - Internal - Potential UDP DoS

Detects flows that appear to be a UDP DoS attack attempt.

DoS - Internal - Potential Unresponsive Service or Distributed DoS

Detects a low number of hosts sending identical, non-responsive packets to a single target.

Policy-External - Large Outbound File Transfer

Detects a possible information leak.

Local Host Count Change

Detects scanning activity or a worm infection.

Malware - External - Client Based DNS Activity to the Internet

Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a botnet connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.

Malware - External Communication with BOT Control Channel

Detects communication with an IP address that was a control channel for a botnet. The local machine may be infected with a bot and should be investigated.

Policy - External - Clear Text Application Usage

Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - External - Hidden FTP Server

Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - Internal - Clear Text Application Usage

Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - Internal - Hidden FTP Server

Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - External - IM/Chat

Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - External - IRC Connections

Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.


Policy - Local P2P Server Detected

Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.

Policy - External - Long Duration Flow Detected

Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3,600 seconds, which means that an event generates 3,600 seconds after the first instance of the event.

Policy - External - P2P Communications Detected

Detects Peer-to-Peer (P2P) communications.

Policy - External - Possible Tunneling

Detects possible tunneling, which can indicate a bypass of policy, or an infected system.

Policy - External - Remote Desktop Access from the Internet

Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.

Policy - External - SMTP Mail Sender

Detects an internal host sending a large number of SMTP flows from the same source to the Internet, in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Policy - External - SSH or Telnet Detected on Non-Standard Ports

Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Policy - Internal - SSH or Telnet Detected on Non-Standard Ports

Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Policy - External - Usenet Usage

Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

Policy - External - VNC Access From the Internet to a Local Host

Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.


Recon - External - ICMP Scan (High)

Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - External - ICMP Scan (Low)

Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - ICMP Scan (Medium)

Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Recon - External - Potential Network Scan

Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.

Recon - External - Scanning Activity (High)

Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Recon - External - Scanning Activity (Low)

Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - Scanning Activity (Medium)

Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.


Recon - Internal - ICMP Scan (High)

Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - Internal - ICMP Scan (Low)

Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - ICMP Scan (Medium)

Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Recon - Internal - Potential Network Scan

Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.

Recon - Internal - Scanning Activity (High)

Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.

Recon - Internal - Scanning Activity (Low)

Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - Scanning Activity (Medium)

Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.


Suspicious - Internal - Outbound Unidirectional Flows Threshold

Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, a worm, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Suspicious - External - Outbound Unidirectional Flows Threshold

Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes. By default, this activity must occur 5 times before an alert generates.

Suspicious - External - Inbound Unidirectional Flows Threshold

Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, a worm, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

Suspicious - External - Anomalous ICMP Flows

Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - External - Invalid TCP Flag usage

Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - External - Port 0 Flows Detected

Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - External - Rejected Communication Attempts

Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - External - Unidirectional ICMP Detected

Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - External - Unidirectional ICMP Responses Detected

Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.


Suspicious - External - Unidirectional TCP Flows

Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, so the activity should be considered suspicious.

Suspicious - External - Unidirectional UDP or Misc Flows

Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Suspicious - External - Suspicious IRC Traffic

Detects suspicious IRC traffic.

Suspicious - Internal - Anomalous ICMP Flows

Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - Internal - Invalid TCP Flag usage

Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - Internal - Port 0 Flows Detected

Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - Internal - Rejected Communication Attempts

Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - Internal - Unidirectional ICMP Detected

Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - Internal - Unidirectional ICMP Responses Detected

Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.

Suspicious - Internal - Unidirectional TCP Flows

Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, so the activity should be considered suspicious.

Suspicious - Internal - Unidirectional UDP or Misc Flows

Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Default Custom Views

This section provides the default custom views for the Enterprise template including:

• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group

IP Tracking Group

Pre-configured groups that specify traffic flows from your local and remote IP addresses including:

Table B-2 Custom Views - IP Tracking View

Group / Objects

Locals: Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.

Remotes: Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.


Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including:

Table B-3 Custom Views - Threats View

Group / Objects

Exceptions: This group includes:

• Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.


DoS: The Denial of Service (DoS) group includes:

• Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.

• Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.

• Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.

• Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.

• Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.

• Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.

• Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.

• Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.

• Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.

• Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.

• Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.

• Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.

• Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.
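The flood tiers and the rate-plus-duration conditions of the DoS group above, combined with the Table B-1 gate that an activity "must occur N times before an alert generates", as an added example that is not STRM code: the flow records are constructed, and the Flow fields and the per-source gate count are my assumptions rather than the product's schema.

```python
"""Classify constructed flow records against the DoS group thresholds
(Inbound/Outbound_Flood_NoResponse tiers and the Potential_*_DoS rate and
duration limits) and gate alerts the way Table B-1 sentries do.

Added example, not STRM code. Flow fields and the gate count are constructed
assumptions; the thresholds are the ones listed in the tables."""
from collections import Counter
from dataclasses import dataclass

# Flood tiers: packets per second that are not being responded to (DoS group)
FLOOD_TIERS = (("High", 100_000), ("Medium", 5_000), ("Low", 500))

# Potential_*_DoS: protocol -> (label, packets per second above, minimum duration in seconds)
POTENTIAL_DOS = {"tcp_syn": ("TCP", 300, 5), "udp": ("UDP", 750, 3), "icmp": ("ICMP", 300, 2)}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str          # "tcp_syn", "udp" or "icmp"
    pps: float          # packet arrival rate of the flow
    duration: float     # seconds the flow has lasted
    responded: bool     # whether the destination sent anything back
    src_is_local: bool  # local source => Outbound_*, remote source => Inbound_*


def flood_tier(flow):
    """Highest Flood_NoResponse tier the flow exceeds, or None if it was answered or too slow."""
    if flow.responded:
        return None
    direction = "Outbound" if flow.src_is_local else "Inbound"
    for tier, pps in FLOOD_TIERS:
        if flow.pps > pps:
            return f"{direction}_Flood_NoResponse_{tier}"
    return None


def potential_dos(flow):
    """Potential_TCP/UDP/ICMP_DoS only when both the rate and the sustained duration are met."""
    spec = POTENTIAL_DOS.get(flow.proto)
    if spec is None:
        return None
    label, min_pps, min_secs = spec
    if flow.pps > min_pps and flow.duration >= min_secs:
        return f"Potential_{label}_DoS"
    return None


class Sentry:
    """Count matches per (source, object) and alert once the count reaches min_count."""

    def __init__(self, name, matcher, min_count):
        self.name, self.matcher, self.min_count = name, matcher, min_count
        self.hits = Counter()
        self.alerts = []

    def observe(self, flow):
        label = self.matcher(flow)
        if label is None:
            return None
        key = (flow.src, label)
        self.hits[key] += 1
        if self.hits[key] == self.min_count:      # fire exactly once, at the gate
            self.alerts.append((self.name, flow.src, label))
            return self.alerts[-1]
        return None


def run_sentries(flows, min_count=5):
    """Feed flows through both DoS sentries; return the alerts in the order raised."""
    sentries = (Sentry("DoS - Flood Attack", flood_tier, min_count),
                Sentry("DoS - Potential DoS", potential_dos, min_count))
    raised = []
    for flow in flows:
        for sentry in sentries:
            alert = sentry.observe(flow)
            if alert:
                raised.append(alert)
    return raised


# Constructed sample: a remote host sends five unanswered bursts at a medium-tier
# rate to one local target, plus one short UDP burst that meets Potential_UDP_DoS.
SAMPLE_FLOWS = [Flow("203.0.113.5", "10.0.0.8", "tcp_syn", 6_000, 1, False, False)
                for _ in range(5)]
SAMPLE_FLOWS.append(Flow("198.51.100.9", "10.0.0.8", "udp", 800, 4, True, False))

if __name__ == "__main__":
    for alert in run_sentries(SAMPLE_FLOWS):
        print(alert)
```

With the default gate of 5 only the repeated flood raises an alert; lowering min_count to 1 also surfaces the single UDP burst.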


Scanning: This scanning group includes:

• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.

• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.

• ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.

• Scan_High - Defines a scan of more than 100,000 hosts per minute.

• Scan_Medium - Defines a scan of more than 5,000 hosts per minute.

• Scan_Low - Defines a scan of more than 500 hosts per minute.

• Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.

• Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.

• Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.

• Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.

PortScans: This PortScans group includes:

• Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.

• UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.


Suspicious_IP_Protocol_Usage: This group includes:

• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.

• Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html

• TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.

• Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate application failures to connect to a service, but may indicate other issues if the quantity or rate of these flows is high.

• Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.

• Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.

• Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (or other flows that are neither TCP nor ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.

• Zero_Payload_Bidirectional_Flows - Detects flows that contain small amounts of payload, if any. This may be the result of scans where the target responds with reset packets.

• Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

• Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.

• Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.


Remote_Access_Violation: This group includes:

• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.

• Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports of this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.

• Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.

• VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.

Suspicious_IRC: Detects suspicious IRC activity.

Attacker Target Analysis Group

Pre-configured groups that specify traffic flows from attackers, responses, and events including:

Table B-4 Custom Views - AttackerTargetAnalysis

Group / Objects

AttackResponseAnalysis: This group includes:

• Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.

• Target_Responded - The network flow analysis indicates a target responded to the event from the attacker, and therefore increases the likelihood the attacker was successful.


Target Analysis Group - Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays, including the objects in Table B-5.

Table B-4 Custom Views - AttackerTargetAnalysis (continued)

Group: PeripheralCommsAnalysis. This group includes:

• Activity_Before_Event - The network flow analysis indicates that the target and attacker were communicating prior to the event that generated this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking into this host. Many typical attacks fire an exploit at the target with little or no prior investigation of the host.

• Activity_After_Event - The network flow analysis indicates that the target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker and target were also seen communicating before the event and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate that a successful attack has occurred.

• Target_Initiating_Comms_To_Attacker - The network flow analysis indicates that the target was seen initiating connections back to the attacker before or after the event. This may indicate that the attacker has successfully forced the target to communicate with the attacker, bypassing firewall rules.
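The AttackerTargetAnalysis objects in Table B-4 are decided by looking at the flows between the attacker and the target around the time of the triggering event. The following Python is an added example, not STRM's implementation: it takes one attack event and a constructed list of flow records and reports which of the Table B-4 objects the flows support. The 30-second tolerance for picking the flow that carried the attack, the 300-second before/after window, the record layout, and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed layout, not STRM's)."""
    start: int        # start time, seconds since epoch
    src: str          # host that initiated the flow
    dst: str          # host that was contacted
    src_bytes: int    # bytes sent by src
    dst_bytes: int    # bytes sent by dst; 0 means the flow was unidirectional


@dataclass(frozen=True)
class AttackEvent:
    """The security event that triggered the analysis."""
    time: int
    attacker: str
    target: str


TOLERANCE = 30   # seconds a flow may start from the event and still be "the" attack flow (assumption)
WINDOW = 300     # seconds before/after the event in which peripheral comms count (assumption)


def analyze(event: AttackEvent, flows: List[Flow]) -> Set[str]:
    """Return the AttackerTargetAnalysis object names that the flows support."""
    pair = {event.attacker, event.target}
    related = [f for f in flows if {f.src, f.dst} == pair]
    hits: Set[str] = set()

    # AttackResponseAnalysis: find the attacker->target flow that most likely
    # carried the attack and check whether the target sent anything back.
    carriers = [f for f in related
                if f.src == event.attacker and abs(f.start - event.time) <= TOLERANCE]
    if carriers:
        carrier = min(carriers, key=lambda f: abs(f.start - event.time))
        hits.add("Target_Responded" if carrier.dst_bytes > 0 else "Target_Did_Not_Respond")

    # PeripheralCommsAnalysis: any other contact between the pair around the event.
    for f in related:
        delta = f.start - event.time
        if -WINDOW <= delta < -TOLERANCE:
            hits.add("Activity_Before_Event")
        elif TOLERANCE < delta <= WINDOW:
            hits.add("Activity_After_Event")
        # The target opening a connection toward the attacker is flagged whenever it
        # falls inside the window, before or after the event.
        if f.src == event.target and abs(delta) <= WINDOW:
            hits.add("Target_Initiating_Comms_To_Attacker")
    return hits


# Constructed sample: an IDS event at t=1000 from 203.0.113.7 against 10.0.0.5.
EVENT = AttackEvent(time=1000, attacker="203.0.113.7", target="10.0.0.5")
FLOWS = [
    Flow(700, "203.0.113.7", "10.0.0.5", 120, 80),     # attacker probing before the event
    Flow(995, "203.0.113.7", "10.0.0.5", 2048, 512),   # the attack flow; the target answered
    Flow(1100, "10.0.0.5", "203.0.113.7", 300, 4096),  # target calls back to the attacker afterwards
    Flow(900, "10.0.0.9", "10.0.0.5", 100, 100),       # unrelated internal flow, ignored
]
# Same event, but the only flow is a one-sided attack attempt.
QUIET_FLOWS = [Flow(1010, "203.0.113.7", "10.0.0.5", 600, 0)]

if __name__ == "__main__":
    for name, sample in (("noisy", FLOWS), ("quiet", QUIET_FLOWS)):
        print(name, sorted(analyze(EVENT, sample)))
```

The interpretation stays with the analyst, as the table says: Activity_Before_Event together with Activity_After_Event from a noisy sensor points at a false positive, while the same pair from a credible sensor, especially with Target_Initiating_Comms_To_Attacker, points at a successful compromise.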

Table B-5 Custom Views - TargetAnalysis

Group: BotNetAnalysis

• BotNet_Connect - The network flow analysis indicates that a target host is connected to IRC servers on the Internet. This may indicate that the attacker has installed an IRC bot on the target, instructing the target to connect to an IRC channel controlled by the attacker and wait for further instructions. Large numbers of such exploited machines form a BotNet and can be used by the attacker to coordinate large scale Distributed Denial of Service (DDoS) attacks.

Group: MalwareAnalysis

• Malware_Server_Connection - Network flow analysis indicates that a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is seen in the presence of security events aimed at this host, and therefore it is possible that the attacker has infected the target with a worm or other hostile malware that is attempting to spread from this host.


Table B-5 Custom Views - TargetAnalysis (continued)

Group: PeripheralCommsAnalysis. This group includes:

• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally or inadvertently stopped the service running on this host.

• Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given that this activity is occurring in the presence of security events targeting this host, it is possible that the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.

• Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given that this activity is occurring in the presence of a security event targeting this host, it is possible that the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.

Policy Violations Group - Pre-configured groups that specify traffic flows covered by your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies, including the objects in Table B-6.

Table B-6 Custom Views - PolicyViolations

Group: Mail_Policy_Violation. This group includes:

• Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to exclude network mail servers.

• Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Additionally, such servers may be the result of an infected host that is inadvertently running a spam relay. We recommend updating this equation to exclude network mail servers.


Table B-6 Custom Views - PolicyViolations (continued)

Group: IRC_IM_Policy_Violation. This group includes:

• IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on a common IRC port or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.

• IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.

Group: Remote_Access_Policy_Violation

• Remote_Access_Shell - Detects bidirectional flows where remote hosts were connecting to local remote access servers. Detected access technologies include Citrix, PCAnywhere, SSH, Telnet, and VNC.

Group: P2P_Policy_Violation. This group includes:

• Local_P2P__Server - Detects flows indicating that a P2P server is operating on the local network. This can be in violation of local network policy.

• Local_P2P_Client - Detects flows indicating that a P2P client is operating on the local network. This can be in violation of local network policy.

Group: Application_Policy_Violation. This group includes:

• NNTP_to_Internet - Detects flows indicating that an NNTP news client is operating on the local network. This may be in violation of local network policy.

• Unknown_Local_Service - Detects an active service on a local host.

Group: Compliance_Policy_Violations. This group includes:

• Clear_Text_Application_Usage - Detects flows where the application type uses clear text passwords. Applications included in this view are Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.

• Large_Outbound_Transfer - Detects large outbound file transfers.

ASN Source Group - STRM detects the ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.


ASN Destination Group - STRM detects the ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.

IFIndexIn Group - STRM detects the IFIndex values from network flows. When STRM detects an IFIndex value in a flow, STRM creates a new object in the respective group.

IFIndexOut Group - STRM detects the IFIndex values from network flows. When STRM detects an IFIndex value in a flow, STRM creates a new object in the respective group.

QoS Group - Default QoS groups include the objects in Table B-7.

Flow Shape Group - Default Flow Shape groups include the objects in Table B-8.

Table B-7 Custom Views - QoS View

• NetworkControl - Specifies QoS values related to link layer and routing protocols.

• IPRoutingControl - Specifies QoS values used by IP routing protocols.

• Expedited - Specifies values related to expedited forwarding, such as a virtual leased line or premium service.

• Class 4 - Specifies values related to Class 4 traffic.

• Class 3 - Specifies values related to Class 3 traffic.

• Class 2 - Specifies values related to Class 2 traffic.

• Class 1 - Specifies values related to Class 1 traffic.

• Best Effort - Specifies traffic related to best effort QoS traffic. Best effort services do not guarantee delivery.

Table B-8 Custom Views - Flow Shape View

• Inbound_Only - Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.

• Outbound_Only - Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet, where the remote host does not respond.

• Mostly_Inbound - Specifies traffic flows that send 5 times more data into the network than is received.

• Mostly_Outbound - Specifies traffic flows that send 5 times more bytes out of the network than are received.

• NearSame_Internet - Specifies traffic to and from hosts on the Internet that have around the same number of bytes sent and received.


Table B-8 Custom Views - Flow Shape View (continued)

• Local_Unidirectional - Specifies a one-sided flow with a source and destination within the local network.

• Local_SRC_Bias - Specifies internal traffic that has 5 times more bytes transferred by the source than by the destination.

• Local_DST_Bias - Specifies internal traffic that has 5 times more bytes transferred by the destination than by the source.

• NearSame_Internal - Specifies internal traffic that has a balance of source and destination bytes.

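The flow shape objects in Table B-8 are direction and byte-ratio tests on a single flow record, and the same "no bytes came back" test is what the unidirectional objects of the Threats view (Table B-3) key on. The following Python is an added example, not STRM's code: it classifies constructed flow records into the Table B-8 shapes. The local address ranges, the record layout, and the reading of "around the same" and "balance" as neither side exceeding the 5x ratio are assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Address ranges treated as the local network (constructed; STRM takes these from its network hierarchy).
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BIAS_RATIO = 5  # the "5 times more bytes" threshold from Table B-8


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed layout, not STRM's)."""
    src: str          # host that initiated the flow
    dst: str          # host that was contacted
    src_bytes: int    # bytes sent by src
    dst_bytes: int    # bytes sent by dst; 0 means no reply at all


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)


def flow_shape(flow: Flow) -> str:
    """Map a flow onto the Table B-8 shape objects."""
    src_local, dst_local = is_local(flow.src), is_local(flow.dst)

    if src_local and dst_local:
        # Internal traffic: one-sided, biased toward one end, or balanced.
        if flow.src_bytes == 0 or flow.dst_bytes == 0:
            return "Local_Unidirectional"
        if flow.src_bytes > BIAS_RATIO * flow.dst_bytes:
            return "Local_SRC_Bias"
        if flow.dst_bytes > BIAS_RATIO * flow.src_bytes:
            return "Local_DST_Bias"
        return "NearSame_Internal"   # "balance" read as neither side exceeding the ratio (assumption)

    if not src_local and not dst_local:
        return "Remote_to_Remote"    # not a Table B-8 shape; placeholder for transit traffic (assumption)

    # Internet traffic: measure bytes into and out of the local network.
    if src_local:
        out_bytes, in_bytes = flow.src_bytes, flow.dst_bytes
        if in_bytes == 0:
            return "Outbound_Only"    # local host called out, remote host never answered
    else:
        out_bytes, in_bytes = flow.dst_bytes, flow.src_bytes
        if out_bytes == 0:
            return "Inbound_Only"     # Internet host called in, local host never answered
    if in_bytes > BIAS_RATIO * out_bytes:
        return "Mostly_Inbound"
    if out_bytes > BIAS_RATIO * in_bytes:
        return "Mostly_Outbound"
    return "NearSame_Internet"       # "around the same" read as within the ratio (assumption)


def shape_counts(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per shape; a spike in *_Only or Local_Unidirectional is what the scan views look for."""
    return dict(Counter(flow_shape(f) for f in flows))


# Constructed sample flows, one per shape.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 100, 0),       # Outbound_Only
    Flow("198.51.100.2", "10.0.0.5", 60, 0),       # Inbound_Only (typical of an inbound scan)
    Flow("10.0.0.5", "203.0.113.7", 1000, 120),    # Mostly_Outbound
    Flow("203.0.113.7", "10.0.0.5", 50000, 400),   # Mostly_Inbound
    Flow("10.0.0.5", "203.0.113.7", 800, 700),     # NearSame_Internet
    Flow("10.0.0.5", "10.0.0.9", 500, 0),          # Local_Unidirectional
    Flow("10.0.0.5", "10.0.0.9", 6000, 100),       # Local_SRC_Bias
    Flow("10.0.0.5", "10.0.0.9", 100, 6000),       # Local_DST_Bias
    Flow("10.0.0.5", "10.0.0.9", 300, 300),        # NearSame_Internal
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst:<14} {flow_shape(f)}")
    print(shape_counts(SAMPLE_FLOWS))
```

Note that the ratio test is strict: a flow with exactly 5 times more bytes in one direction lands in the NearSame shape here, so tune the comparison to match how your own views are written.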

Default Rules

Default rules for the Enterprise template include:

Table B-9 Default Rules (each rule is listed with its Group, Rule Type, Enabled setting, and Description)

Default-Response-E-mail: Offense E-mail Sender
Group: Response; Rule Type: Offense; Enabled: False. Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.

Default-Response-Sylog: Offense SYSLOG Sender
Group: Response; Rule Type: Offense; Enabled: False. Reports any offense matching the severity, credibility, or relevance minimum to syslog.

Default-Rule-Anomaly: Devices with High Event Rates
Group: Anomaly; Rule Type: Event; Enabled: False. Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices are monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.

Default-Rule-Anomaly: DMZ Jumping
Group: Anomaly; Rule Type: Event; Enabled: False. Reports when connections are bridged across your network's Demilitarized Zone (DMZ).

Default-Rule-Anomaly: DMZ Reverse Tunnel
Group: Anomaly; Rule Type: Event; Enabled: False. Reports when connections are bridged across your network's DMZ through a reverse tunnel.

Default-Rule-Anomaly: Excessive Database Connections
Group: Anomaly; Rule Type: Event; Enabled: True. Reports an excessive number of successful database connections.

Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts
Group: Anomaly; Rule Type: Event; Enabled: False. Reports excessive firewall accepts across multiple hosts: more than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.


Default-Rule-Anomaly: Excessive Firewall Denies from Single Source
Group: Anomaly; Rule Type: Event; Enabled: True. Reports excessive firewall denies from a single host: more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.

Default-Rule-Anomaly: Long Duration Flow
Group: Anomaly; Rule Type: Event; Enabled: True. Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

Default-Rule-Anomaly: Potential Honeypot Access
Group: Anomaly; Rule Type: Event; Enabled: False. Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.

Default-Rule-Anomaly: Rate Analysis Marked Events
Group: Anomaly; Rule Type: Event; Enabled: False. Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine whether the host is exhibiting other suspicious activity.

Default-Rule-Anomaly: Remote Access from Foreign Country
Group: Anomaly; Rule Type: Event; Enabled: False. Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.

Default-Rule-Anomaly: Single IP with Multiple MAC Addresses
Group: Anomaly; Rule Type: Event; Enabled: False. Reports when the MAC address of a single IP address changes multiple times over a period of time.

Default-Rule-Authentication: Login Failure to Disabled Account
Group: Authentication; Rule Type: Event; Enabled: True. Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other authentication messages received from the same user.

Default-Rule-Authentication: Login Failure to Expired Account
Group: Authentication; Rule Type: Event; Enabled: True. Reports a host login failure message from a known expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.

Default-Rule-Authentication: Login Failures Across Multiple Hosts
Group: Authentication; Rule Type: Event; Enabled: True. Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.


Default-Rule-Authentication: Login Failures Followed By Success
Group: Authentication; Rule Type: Event; Enabled: True. Reports multiple login failures to a single host, followed by a successful login to the host.

Default-Rule-Authentication: Login Successful After Scan Attempt
Group: Authentication, Compliance; Rule Type: Event; Enabled: True. Reports a successful login to a host after reconnaissance has been performed against this network.

Default-Rule-Authentication: Multiple VoIP Login Failures
Group: Authentication; Rule Type: Event; Enabled: True. Reports multiple login failures to a VoIP PBX.

Default-Rule-Authentication: Repeated Login Failures, Single Host
Group: Authentication; Rule Type: Event; Enabled: True. Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.

Default-Rule-Botnet: Potential Botnet Connection (DNS)
Group: Botnet, Exploit; Rule Type: Event; Enabled: False. Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.

Default-Rule-Botnet: Potential Botnet Connection (IRC)
Group: Botnet; Rule Type: Event; Enabled: True. Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.

Default-Rule-Botnet: Potential Botnet Events Become Offenses
Group: Botnet; Rule Type: Event; Enabled: True. Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-CategoryDefinitions: Access Denied
Group: CategoryDefinition; Rule Type: Event; Enabled: True. Reports events in the different Access Denied categories.

Default-Rule-CategoryDefinitions: Session Closed
Group: CategoryDefinition, Malware; Rule Type: Event; Enabled: True. Reports all Session Closed events by category.

Default-Rule-CategoryDefinitions: Session Opened
Group: CategoryDefinition, Malware; Rule Type: Event; Enabled: True. Reports all Session Opened events by category.


Default-Rule-CategoryDefinitions: Virus Detected
Group: CategoryDefinition, Malware; Rule Type: Event; Enabled: True. Reports all virus detection events.

Default-Rule-CategoryDefinitions: VPN Access Denied
Group: CategoryDefinition; Rule Type: Event; Enabled: True. Reports VPN events that are considered Access Denied events.

Default-Rule-CategoryDefinitions: Database Access Denied
Group: CategoryDefinition; Rule Type: Event; Enabled: True. Reports database events that indicate denied access activities.

Default-Rule-CategoryDefinitions: Database Access Permitted
Group: CategoryDefinition; Rule Type: Event; Enabled: True. Reports database events that indicate permitted access.

Default-Rule-CategoryDefinitions: System Errors and Failures
Group: Category Definitions; Rule Type: Event; Enabled: True. Detects events that may indicate a system error or failure.

Default-Rule-CategoryDefinitions: VPN Access Accepted
Group: CategoryDefinition; Rule Type: Event; Enabled: True. Reports VPN events that indicate permitted access.

Default-Rule-Compliance: Compliance Events Become Offenses
Group: Compliance; Rule Type: Event; Enabled: False. Reports compliance-based events, such as clear text passwords.

Default-Rule-Compliance: Excessive Failed Logins to Compliance IS
Group: Compliance; Rule Type: Event; Enabled: False. Reports excessive authentication failures to a compliance server within 10 minutes.

Default-Rule-Database: Attempted Configuration Modification by a remote host
Group: Compliance, Database; Rule Type: Event; Enabled: True. Reports when a configuration modification is attempted on a database server from a remote network.

Default-Rule-Database: Concurrent Logins from Multiple Locations
Group: Compliance, Database; Rule Type: Event; Enabled: True. Reports when several authentications to a database server occur across many remote IP addresses.

Default-Rule-Database: Failures Followed by User Changes
Group: Compliance, Database; Rule Type: Event; Enabled: True. Reports when there are failures followed by the addition or change of a user account.

Default-Rule-Database: Groups changed from Remote Host
Group: Compliance, Database; Rule Type: Event; Enabled: True. Monitors changes to groups on a database when the change is initiated from a remote network.

Default-Rule-Database: Multiple Database Failures Followed by Success
Group: Compliance, Database; Rule Type: Event; Enabled: True. Reports when there are multiple database failures followed by a success within a short period of time.

Default-Rule-Database: Remote Login Failure
Group: Compliance, Database; Rule Type: Event; Enabled: True. Increases the severity of a failed login attempt to a database from a remote network.


Default-Rule-Database: Remote Login Success
Group: Compliance, Database; Rule Type: Event; Enabled: True. Reports when a successful authentication to a database server occurs from a remote network.

Default-Rule-Database: User Rights Changed from Remote Host
Group: Compliance, Database; Rule Type: Event; Enabled: True. Reports when changes to user privileges on a database occur from a remote network.

Default-Rule-DDoS Attack Detected
Group: D/DoS; Rule Type: Event; Enabled: True. Reports network Distributed Denial of Service (DDoS) attacks on a system.

Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses
Group: D/DoS; Rule Type: Event; Enabled: True. Reports when offenses are created for DoS-based events with high magnitude.

Default-Rule-DeviceDefinition: Access/Authentication/Audit
Group: DeviceDefinition; Rule Type: Event; Enabled: True. Reports all access, authentication, and audit devices.

Default-Rule-DeviceDefinition: AntiVirus
Group: DeviceDefinition; Rule Type: Event; Enabled: True. Reports all antivirus services on the system.

Default-Rule-DeviceDefinition: Application
Group: DeviceDefinition; Rule Type: Event; Enabled: True. Reports all application and OS devices on the network.

Default-Rule-DeviceDefinition: FW/Router/Switch
Group: DeviceDefinition; Rule Type: Event; Enabled: True. Reports all firewalls (FW), routers, and switches on the network.

Default-Rule-DeviceDefinition: IDS/IPS
Group: DeviceDefinition; Rule Type: Event; Enabled: True. Reports all IDS and IPS devices on the network.

Default-Rule-DeviceDefinition: VPN
Group: DeviceDefinition; Rule Type: Event; Enabled: True. Reports all VPNs on the network.

Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks
Group: D/DoS; Rule Type: Event; Enabled: True. If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.

Default-Rule-DoS: DoS Events from Darknet
Group: D/DoS; Rule Type: Event; Enabled: False. Reports when DoS attack events are identified on Darknet network ranges.

Default-Rule-DoS: DoS Events with High Magnitude Become Offenses
Group: D/DoS; Rule Type: Event; Enabled: True. Forces the creation of an offense for DoS-based events with a high magnitude.

Default-Rule-DoS: Increase Magnitude of High Rate Attacks
Group: D/DoS; Rule Type: Event; Enabled: True. If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.

Default-Rule-DoS: Network DoS Attack Detected
Group: D/DoS; Rule Type: Event; Enabled: True. Reports network Denial of Service (DoS) attacks on a system.

Default-Rule-DoS: Service DoS Attack Detected
Group: D/DoS; Rule Type: Event; Enabled: True. Reports a DoS attack against a local target that is known to exist and whose target port is open.


Default-Rule-Exploit: All Exploits Become Offenses
Group: Exploit; Rule Type: Event; Enabled: False. Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-Exploit: Attack followed by Attack Response
Group: Exploit; Rule Type: Event; Enabled: False. Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.

Default-Rule-Exploit: Attacker Vulnerable to any Exploit
Group: Exploit; Rule Type: Event; Enabled: False. Reports an attack from a local host where the attacker has at least one vulnerability. It is possible that the attacker was a target in an earlier offense.

Default-Rule-Exploit: Attacker Vulnerable to this Exploit
Group: Exploit; Rule Type: Event; Enabled: False. Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.

Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity
Group: Exploit; Rule Type: Event; Enabled: False. Reports exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.

Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets
Group: Exploit; Rule Type: Event; Enabled: True. Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.

Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses
Group: Exploit; Rule Type: Event; Enabled: True. Forces the creation of offenses for exploit-based events with a high magnitude.

Default-Rule-Exploit: Exploits Followed by Firewall Accepts
Group: Exploit; Rule Type: Event; Enabled: False. Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.

Default-Rule-Exploit: Multiple Exploit Types Against Single Target
Group: Exploit; Rule Type: Event; Enabled: True. Reports a target that is being attacked with multiple types of exploits from one or more attackers.

Default-Rule-Exploit: Multiple Vector Attacker
Group: Exploit; Rule Type: Event; Enabled: False. Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.

Default-Rule-Exploit: Potential VoIP Toll Fraud
Group: Exploit; Rule Type: Event; Enabled: False. Reports multiple failed logins to your VoIP hardware followed by sessions being opened: at least 3 events were detected within 30 seconds. This may indicate that unauthorized users are establishing VoIP sessions on your network.

Default-Rule-Exploit: Recon followed by Exploit
Group: Exploit; Rule Type: Event; Enabled: True. Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.


Default-Rule-Exploit: Target Vulnerable to Detected Exploit
Group: Exploit; Rule Type: Event; Enabled: True. Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port
Group: Exploit; Rule Type: Event; Enabled: True. Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack on a different port.

Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port
Group: Exploit; Rule Type: Event; Enabled: False. Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to some attack, but not the one being attempted.

Default-Rule-FalsePositive: False Positive Rules and Building Blocks
Group: False Positive; Rule Type: Event; Enabled: True. Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but dropped, so they do not become offenses. If you add any new building blocks or rules to stop events from becoming offenses, you must add those new rules or building blocks to this rule.

Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses
Group: Malware; Rule Type: Event; Enabled: False. Enable this rule if you want all events categorized as backdoors, viruses, and trojans to create an offense.

Default-Rule-Malware: Treat Key Loggers as Offenses
Group: Malware; Rule Type: Event; Enabled: False. Enable this rule if you want all events categorized as key loggers to create offenses.

Default-Rule-Malware: Treat Non-Spyware Malware as Offenses
Group: Malware; Rule Type: Event; Enabled: False. Reports non-spyware malware attacks on events. Enable this rule if you want all events categorized as malware to create an offense.

Default-Rule-Malware: Treat Spyware and Virus as Offenses
Group: Malware; Rule Type: Event; Enabled: False. Reports spyware and/or virus events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.

Default-Rule-Malware: Local Host Sending Malware
Group: Malware, Policy; Rule Type: Event; Enabled: False. Reports malware being sent from local hosts.

Default-Rule-NetworkDefinition: Local to Local
Group: Network Definition; Rule Type: Event; Enabled: True. Reports events that are considered Local-to-Local (L2L).

Default-Rule-NetworkDefinition: Local to Remote
Group: Network Definition; Rule Type: Event; Enabled: True. Reports events that are considered Local-to-Remote (L2R).


Default-Rule-NetworkDefinition: Remote to Local
Group: Network Definition; Rule Type: Event; Enabled: True. Reports events that are considered Remote-to-Local (R2L).

Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic
Group: Policy; Rule Type: Event; Enabled: False. Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.

Default-Rule-Policy: Create Offenses for All P2P Usage
Group: Policy; Rule Type: Event; Enabled: False. Reports P2P traffic or any event categorized as P2P.

Default-Rule-Policy: Create Offenses for All Policy Events
Group: Policy; Rule Type: Event; Enabled: False. Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.

Default-Rule-Policy: Create Offenses for All Porn Usage
Group: Policy; Rule Type: Event; Enabled: False. Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.

Default-Rule-Policy: Host has SANS Top 20 Vulnerability
Group: Policy; Rule Type: Event; Enabled: False. Acts as a warning that the asset identified by an event is vulnerable to a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/).

Default-Rule-Policy: Local P2P Server Detected
Group: Policy; Rule Type: Event; Enabled: True. Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P: more than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.

Default-Rule-Policy: New Host Discovered
Group: Policy; Rule Type: Event; Enabled: False. Reports when a new host has been discovered on the network.

Default-Rule-Policy: New Service Discovered
Group: Policy; Rule Type: Event; Enabled: False. Reports when an existing host has a newly discovered service.

Default-Rule-Policy: Potential Tunneling
Group: Policy; Rule Type: Event; Enabled: False. Identifies potential tunneling that can be used to bypass policy or security controls.

Default-Rule-Policy: Upload to Local WebServer
Group: Policy; Rule Type: Event; Enabled: False. Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block.

Default-Rule-Recon: Aggressive Local Scanner Detected
Group: Recon; Rule Type: Event; Enabled: True. Reports an aggressive scan from a local source IP address scanning other local or remote IP addresses: more than 400 targets received reconnaissance or suspicious events in less than 2 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system.


Default-Rule-Recon: Aggressive Remote Scanner Detected

Recon Event True Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. More than 50 targets received reconnaissance or suspicious events in less than 3 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system.

Default-Rule-Recon: Excessive Firewall Denies From Local Hosts

Recon Event True Reports excessive attempts, from local hosts, to access the firewall and access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.

Default-Rule-Recon: Excessive Firewall Denies From Remote Hosts

Recon Event True Reports excessive attempts, from remote hosts, to access the firewall and access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.

Default-Rule-Recon: Host Port Scan Detected by Local Host

Recon Event True Reports a single source IP address scanning more than 50 ports in under 3 minutes.

Default-Rule-Recon: Host Port Scan Detected by Remote Host

Recon Event True Reports when more than 400 ports were scanned from a single source IP address in under 2 minutes.

Default-Rule-Recon: Increase Magnitude of High Rate Scans

Recon Event True If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.

Default-Rule-Recon: Increase Magnitude of Medium Rate Scans

Recon Event True If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.

Default-Rule-Recon: Local LDAP Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Database Scanner

Recon Event True Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Default-Rule-Recon: Local DHCP Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local DNS Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.


Default-Rule-Recon: Local FTP Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Local Game Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local ICMP Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local IM Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local IRC Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.

Default-Rule-Recon: Local Mail Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local P2P Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Proxy Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local RPC Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Scanner Detected

Recon Event True Reports a scan from a local host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP.

Default-Rule-Recon: Local SNMP Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes.


Default-Rule-Recon: Local SSH Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Local Suspicious Probe Events Detected

Recon Event False Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.

Default-Rule-Recon: Local TCP Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local UDP Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Web Server Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Windows Server Scanner to Internet

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Windows Server Scanner

Recon Event True Reports events detected by the system when the attack context is Local-to-Local (L2L).

Default-Rule-Recon: Recon Followed by Accept

Recon Event False Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.

Default-Rule-Recon: Remote Database Scanner

Recon Event True Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Default-Rule-Recon: Remote DHCP Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote DNS Scanner

Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.


Default-Rule-Recon: Remote FTP Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote Game Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote ICMP Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote IM Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote IRC Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.

Default-Rule-Recon: Remote LDAP Server Scanner

Recon Event True Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Default-Rule-Recon: Remote Mail Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote P2P Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote Proxy Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote RPC Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote Scanner Detected

Recon Event True Reports a scan from a remote host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP.

Default-Rule-Recon: Remote SNMP Scanner

Recon Event True Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.


Default-Rule-Recon: Remote SSH Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote Suspicious Probe Events Detected

Recon Event False Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the targets.

Default-Rule-Recon: Remote TCP Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote UDP Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote Web Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote Windows Server Scanner

Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Single Merged Recon Events

Recon Event True Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.

Default-Rule-SuspiciousActivity: Common Non-Local to Remote Ports

Event False Identifies events in which ports that are normally used only inside the network are communicating outside of the local network.

Default-Rule-SuspiciousActivity: Communication with Known Hostile Networks

Anomaly Event False Reports events that are involved with known hostile networks.

Default-Rule-SuspiciousActivity: Communication with Known Online Services

Anomaly Event False Reports events that are involved with networks identified as possible sites that may involve data loss.


Default-Rule-SuspiciousActivity: Communication with Known Watched Networks

Anomaly Event False Reports events that are involved with networks that are defined as networks you wish to monitor.

Default-Rule-SuspiciousActivity: Consumer Grade Equipment

Compliance Event False Reports assets that appear to be consumer grade equipment.

Default-Rule-System-Notification

Event True Ensures that notification events are sent to the notification framework.

Default-Rule-System: 100% Accurate Events

System Event True Creates an offense when an event matches a 100% accurate signature for a successful compromise.

Default-Rule-System: Critical System Events

System Event False Reports when STRM detects a critical event.

Default-Rule-System: Device Stopped Sending Events

System Event False Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add devices you want to monitor.

Default-Rule-System: Host Based Failures

System Event False Reports when STRM detects events that indicate failures within services or hardware.

Default-Rule-System: Load Building Blocks

System Event True Loads BBs that need to be run to assist with reporting. This rule has no actions or responses.

Default-Rule-Recon: Multiple System Errors

System Event False Reports when a source has 10 system errors within 3 minutes.

Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner

Compliance Event False Reports when a vulnerability is discovered on a local host.

Default-Rule-WormsDetection: Local Mass Mailing Host Detected

Worm Event True Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm.

Default-Rule-WormsDetection: Possible Local Worm Detected

Worm Event True Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan.

Default-Rule-WormsDetection: Worm Detected (Events)

Worm Event True Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic.
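Nearly every recon rule in Table B-9 has the same shape: count distinct targets (or ports) per source IP address inside a sliding time window and raise an offense once the count exceeds a "more than N" threshold, after the false-positive building blocks of Table B-10 have removed traffic to hosts you have defined as benign. The Python below is an added example, not STRM code or a Juniper rule export. It implements that shape for three of the Table B-9 thresholds (Host Port Scan Detected by Local Host, Aggressive Remote Scanner Detected, Local SSH Server Scanner) and applies a Table B-10 style host-definition plus false-positive-category building block before the rules run. The local network range, the database server list, the category names, the one-offense-per-source aggregation and all sample events are constructed assumptions for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, Hashable, List, Set, Tuple

# Constructed stand-ins for STRM building blocks; real BB contents are site specific.
LOCAL_NETWORKS = [ip_network("10.0.0.0/8")]      # assumed local network definition
RECON_CATEGORIES = {"Recon", "Suspicious"}       # stands in for the Recon Events / Suspicious Events category BBs
BB_HOSTDEF_DATABASE_SERVERS = {"10.0.0.5"}       # stands in for Default-BB-HostDefinition: Database Servers
BB_FP_DATABASE_SERVER_CATEGORIES = {"Recon"}     # stands in for Default-BB-FalsePositive: Database Server False Positive Categories


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the start of the sample
    src: str
    dst: str
    dport: int
    category: str


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def is_false_positive(e: Event) -> bool:
    """Host-definition BB plus false-positive-category BB: recon-looking events
    aimed at a defined database server are dropped before any rule counts them."""
    return e.dst in BB_HOSTDEF_DATABASE_SERVERS and e.category in BB_FP_DATABASE_SERVER_CATEGORIES


@dataclass
class ThresholdRule:
    name: str
    window_s: int                       # "... in N minutes"
    threshold: int                      # "more than N": strictly greater than
    match: Callable[[Event], bool]      # which events the rule counts at all
    key: Callable[[Event], Hashable]    # what is counted as distinct (target host, port, ...)


# Three Table B-9 thresholds, transcribed from the rule descriptions.
RULES: List[ThresholdRule] = [
    ThresholdRule("Default-Rule-Recon: Host Port Scan Detected by Local Host", 180, 50,
                  lambda e: is_local(e.src) and e.category in RECON_CATEGORIES,
                  lambda e: e.dport),
    ThresholdRule("Default-Rule-Recon: Aggressive Remote Scanner Detected", 180, 50,
                  lambda e: not is_local(e.src) and e.category in RECON_CATEGORIES,
                  lambda e: e.dst),
    ThresholdRule("Default-Rule-Recon: Local SSH Server Scanner", 600, 30,
                  lambda e: is_local(e.src) and e.dport == 22 and e.category in RECON_CATEGORIES,
                  lambda e: e.dst),
]


class RuleState:
    """Per-source sliding window of (timestamp, counted key) for one rule."""
    def __init__(self, rule: ThresholdRule) -> None:
        self.rule = rule
        self.windows: Dict[str, Deque[Tuple[int, Hashable]]] = defaultdict(deque)
        self.fired: Set[str] = set()

    def observe(self, e: Event) -> bool:
        if not self.rule.match(e):
            return False
        q = self.windows[e.src]
        q.append((e.ts, self.rule.key(e)))
        while q and e.ts - q[0][0] >= self.rule.window_s:   # drop entries that fell out of the window
            q.popleft()
        distinct = len({k for _, k in q})
        if distinct > self.rule.threshold and e.src not in self.fired:
            self.fired.add(e.src)   # one offense per source (assumed offense aggregation)
            return True
        return False


def run(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, source IP) for every offense raised over the event stream."""
    states = [RuleState(r) for r in RULES]
    offenses: List[Tuple[str, str]] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if is_false_positive(e):
            continue
        offenses.extend((st.rule.name, e.src) for st in states if st.observe(e))
    return offenses


def sample_events() -> List[Event]:
    """Constructed traffic, not captured data."""
    ev: List[Event] = []
    # Local 10.0.0.9 probes port 22 on 40 hosts over 8 minutes: more than 30 hosts in 10 minutes, SSH scanner fires.
    ev += [Event(i * 12, "10.0.0.9", f"10.0.1.{i + 1}", 22, "Recon") for i in range(40)]
    # Remote 203.0.113.7 touches 60 local hosts in one minute: more than 50 targets in 3 minutes, aggressive remote scanner fires.
    ev += [Event(1000 + i, "203.0.113.7", f"10.0.2.{i + 1}", 445, "Suspicious") for i in range(60)]
    # Monitoring host 10.0.0.20 sends 200 recon-looking events to the database server in 20 s:
    # 100 distinct ports would trip the port-scan rule, but the false-positive BB suppresses them.
    ev += [Event(2000 + i // 10, "10.0.0.20", "10.0.0.5", 1433 + i % 100, "Recon") for i in range(200)]
    # Local 10.0.0.9 sweeps 60 ports on one host in one minute: more than 50 ports in 3 minutes, port scan fires.
    ev += [Event(3000 + i, "10.0.0.9", "10.0.3.1", 1000 + i, "Recon") for i in range(60)]
    # Local 10.0.0.33 sweeps 55 ports at 11 s spacing: never more than 17 inside any 3-minute window, no offense.
    ev += [Event(5000 + i * 11, "10.0.0.33", "10.0.3.1", 1000 + i, "Recon") for i in range(55)]
    return ev


if __name__ == "__main__":
    for name, src in run(sample_events()):
        print(f"{src:15} {name}")
```

The slow sweep from 10.0.0.33 is the case to keep in mind when tuning these defaults: a scanner that stays under the "more than N in M minutes" rate never creates an offense, so lowering a threshold or widening a window trades detection of slow scans against more false positives from legitimate bursty hosts, which is exactly what the Default-BB-FalsePositive host and category building blocks exist to absorb.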


Default Building Blocks

Default building blocks for the Enterprise template include:

Table B-10 Default Building Blocks

Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable

Default-BB-BehaviorDefinition: Compromise Activities

Category Definitions

Event Edit this BB to include categories that are considered part of events detected during a typical compromise.

Default-BB-BehaviorDefinition: Post Compromise Activities

Category Definitions

Event Edit this BB to include categories that are considered part of events detected after a typical compromise.

Default-BB-CategoryDefinition: Authentication Failures

Category Definitions, Compliance

Event Edit this BB to include all events that indicate an unsuccessful attempt to access the network.

Default-BB-CategoryDefinition: Authentication Success

Category Definitions, Compliance

Event Edit this BB to include all events that indicate successful attempts to access the network.

Default-BB-CategoryDefinition: Authentication to Disabled Account

Category Definitions, Compliance

Event Edit this BB to include all events that indicate failed attempts to access the network using a disabled account.

Default-BB-CategoryDefinition: Authentication to Expired Account

Category Definitions, Compliance

Event Edit this BB to include all events that indicate failed attempts to access the network using an expired account.

Default-BB-CategoryDefinition: Authentication User or Group Added or Changed

Category Definitions, Compliance

Event Edit this building block to include all events that indicate modification to accounts or groups.

Default-BB-CategoryDefinition: Countries with no Remote Access

Category Definitions

Event Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule.

Default-BB-CategoryDefinition: Database Connections

Category Definitions

Event Edit this BB to define successful logins to databases. You may need to add additional device types for this BB.

Default-BB-CategoryDefinition: DDoS Attack

Category Definitions

Event Edit this BB to include all event categories that you want to categorize as a DDoS attack.

Default-BB-CategoryDefinition: Exploits, Backdoors, and Trojans

Category Definitions

Event Edit this BB to include all events that are typically exploits, backdoor, or trojans.


Default-BB-CategoryDefinition: Failure Service or Hardware

Category Definitions, Compliance

Event Edit this BB to include all events that indicate a failure within a service or hardware.

Default-BB-CategoryDefinition: Firewall or ACL Accept

Category Definitions

Event Edit this BB to include all events that indicate access to the firewall.

Default-BB-CategoryDefinition: Firewall or ACL Denies

Category Definitions

Event Edit this BB to include all events that indicate unsuccessful attempts to access the firewall.

Default-BB-CategoryDefinition: Firewall System Errors

Category Definitions

Event Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices:
• CheckPoint
• Generic Firewall
• Iptables
• NetScreen Firewall
• Cisco Pix

Default-BB-CategoryDefinition: Flow Events

Category Definitions

Event Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine.

Default-BB-CategoryDefinition: High Magnitude Events

Category Definitions

Event Edit this BB to set the severity, credibility, and relevance levels at which you want an event to be treated as high magnitude. The defaults are:
• Severity = 6
• Credibility = 7
• Relevance = 7

Default-BB-CategoryDefinitions: KeyLoggers

Category Definitions

Event Edit this BB to include all events that typically indicate keylogger activity.

Default-BB-CategoryDefinition: Mail Policy Violation

Category Definitions, Compliance

Event Edit this BB to define mail policy violations.

Default-BB-CategoryDefinition: Malware Annoyances

Category Definitions

Event Edit this BB to include event categories that are typically associated with spyware infections.


Default-BB-CategoryDefinition: Network DoS Attack

Category Definitions

Event Edit this BB to include all event categories that you want to categorize as a network DoS attack.

Default-BB-CategoryDefinition: Policy Events

Category Definitions, Compliance

Event Edit this BB to include all event categories that may indicate a violation to network policy.

Default-BB-CategoryDefinition: Post Exploit Account Activity

Category Definitions

Event Edit this BB to include all event categories that may indicate exploits to accounts.

Default-BB-CategoryDefinition: Rate Analysis Marked Events

Category Definitions

Event STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Edit this BB to include events that are marked with rate analysis.

Default-BB-CategoryDefinition: Recon Events

Category Definitions

Event Edit this BB to include all events that indicate reconnaissance activity.

Default-BB-CategoryDefinition: Service DoS

Category Definitions

Event Edit this BB to define Denial of Service (DoS) attack events.

Default-BB-CategoryDefinition: Suspicious Events

Category Definitions

Event Edit this BB to include all events that indicate suspicious activity.

Default-BB-CategoryDefinition: System Configuration

Category Definitions, Malware

Event Edit this BB to define system configuration events.

Default-BB-CategoryDefinition: Upload to Local WebServer

Category Definitions

Event Most networks restrict use of the HTTP PUT method on their web application servers. This BB detects a remote host using this method against a local server. The BB can be duplicated to detect other unwanted methods, or local hosts using the method against remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule.

Default-BB-CategoryDefinition: VoIP Authentication Failure Events

Category Definitions

Event Edit this BB to include all events that indicate a VoIP login failure.


Default-BB-CategoryDefinition: VoIP Session Opened

Category Definitions

Event Edit this BB to include all events that indicate the start of a VoIP session.

Default-BB-CategoryDefinition: Windows Compliance Events

Category Definitions, Compliance

Event Edit this BB to include all event categories that indicate compliance events.

Default-BB-CategoryDefinition: Worm Events

Category Definitions

Event Edit this BB to define worm events. This BB only applies to events not detected by a custom rule.

Default-BB-ComplianceDefinition: GLBA Servers

Compliance, Host Definitions

Event Edit this BB to include your GLBA systems by IP address. You must then apply this BB to rules related to failed logins, remote access, etc.

Default-BB-ComplianceDefinition: HIPAA Servers

Compliance, Host Definitions

Event Edit this BB to include your HIPAA Servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc.

Default-BB-ComplianceDefinition: SOX Servers

Compliance, Host Definitions

Event Edit this BB to include your SOX servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc.

Default-BB-ComplianceDefinition: PCI DSS Servers

Compliance, Host Definitions, Response

Event Edit this BB to include your PCI DSS servers by IP address. You must apply this BB to rules related to failed logins, remote access, etc.

Default-BB-Database: System Action Allow

Category Definitions, Compliance

Event Edit this BB to include any events that indicate successful actions within a database.

Default-BB-Database: System Action Deny

Category Definitions, Compliance

Event Edit this BB to include any events that indicate unsuccessful actions within a database.

Default-BB-Database: User Addition or Change

Category Definitions, Compliance

Event Edit this BB to include events that indicate the successful addition or change of user privileges.

Default-BB-DeviceDefinition: Consumer Grade Routers

Device Definitions

Event Edit this BB to include MAC addresses of known consumer grade routers.

Default-BB-DeviceDefinition: Consumer Grade Wireless APs

Device Definitions

Event Edit this BB to include MAC addresses of known consumer grade wireless access points.

Default-BB-DeviceDefinition: Database

Device Definitions

Event


Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates

Device Definitions

Event Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates rule.

Default-BB-FalseNegative: Events That Indicate Successful Compromise

False Positive

Event Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy.

Default-BB-FalsePositive: All Default False Positive BBs

False Positive

Event Edit this BB to include all false positive building blocks.

All Default-BB-FalsePositive building blocks

Default-BB-FalsePositive: Broadcast Address False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from the broadcast address space.

Default-BB-FalsePositive: Database Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block.

Default-BB-HostDefinition: Database Servers

Default-BB-FalsePositive: Database Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block.

Default-BB-HostDefinition: Database Servers

Default-BB-FalsePositive: Device and Specific Event

False Positive

Event Edit this BB to include the device types and QIDs of devices that continually generate false positives.

Default-BB-FalsePositive: DHCP Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block.

Default-BB-HostDefinition: DHCP Servers

Default-BB-FalsePositive: DHCP Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block.

Default-BB-HostDefinition: DHCP Servers


Default-BB-FalsePositive: DNS Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from DNS based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block.

Default-BB-HostDefinition: DNS Servers

Default-BB-FalsePositive: DNS Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block.

Default-BB-HostDefinition: DNS Servers

Default-BB-FalsePositive: Firewall Deny False Positive Events

False Positive

Event Edit this BB to define firewall deny events that are false positives.

Default-BB-FalsePositive: FTP Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from FTP based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block.

Default-BB-HostDefinition: FTP Servers

Default-BB-FalsePositive: FTP False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block.

Default-BB-HostDefinition: FTP Servers

Default-BB-FalsePositive: Global False Positive Events

False Positive

Event Edit this BB to include any event QIDs that you want to ignore.

Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives

False Positive

Event Edit this BB to define all the false positive QIDs that occur in Local-to-Local (L2L) traffic.

Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives

False Positive

Event Edit this BB to define all the false positive QIDs that occur in Local-to-Remote (L2R) traffic.

Default-BB-FalsePositive: Large Volume Local FW Events

False Positive

Event Edit this BB to define specific events that can create a large volume of false positives in general rules.


Default-BB-FalsePositive: LDAP Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block.

Default-BB-HostDefinition: LDAP Servers

Default-BB-FalsePositive: LDAP Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block.

Default-BB-HostDefinition: LDAP Servers

Default-BB-FalsePositive: Mail Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block.

Default-BB-HostDefinition: Mail Servers

Default-BB-FalsePositive: Mail Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block.

Default-BB-HostDefinition: Mail Servers

Default-BB-FalsePositive: Network Management Servers Recon

False Positive

Event Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block.

Default-BB-HostDefinition: Network Management Servers

Default-BB-FalsePositive: Proxy Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block.

Default-BB-HostDefinition: Proxy Servers

Default-BB-FalsePositive: Proxy Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block.

Default-BB-HostDefinition: Proxy Servers

Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives

False Positive

Event Edit this BB to define all the false positive QIDs that occur in Remote-to-Local (R2L) traffic.

Default-BB-FalsePositive: RPC Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block.

Default-BB-HostDefinition: RPC Servers


Default-BB-FalsePositive: RPC Server False Positive Events
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block.
Associated building blocks: Default-BB-HostDefinition: RPC Servers

Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block.
Associated building blocks: Default-BB-HostDefinition: SNMP Servers

Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block.
Associated building blocks: Default-BB-HostDefinition: SNMP Servers

Default-BB-FalsePositive: Source IP and Specific Event
Group: False Positive. Block type: Event.
Edit this BB to include source IP addresses or specific events that you want to remove as false positives.

Default-BB-FalsePositive: SSH Server False Positive Categories
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.
Associated building blocks: Default-BB-HostDefinition: SSH Servers

Default-BB-FalsePositive: SSH Server False Positive Events
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.
Associated building blocks: Default-BB-HostDefinition: SSH Servers

Default-BB-FalsePositive: Syslog Sender False Positive Categories
Group: False Positive. Block type: Event.
Edit this BB to define all false positive categories that occur to or from syslog sources.
Associated building blocks: Default-BB-HostDefinition: Syslog Servers and Senders

Default-BB-FalsePositive: Syslog Sender False Positive Events
Group: False Positive. Block type: Event.
Edit this BB to define all false positive events that occur to or from syslog sources or destinations.
Associated building blocks: Default-BB-HostDefinition: Syslog Servers and Senders

Default-BB-FalsePositive: Virus Definition Update Categories
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block.
Associated building blocks: Default-BB-HostDefinition: Virus Definition and Other Update Servers

Default-BB-FalsePositive: Web Server False Positive Categories
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.
Associated building blocks: Default-BB-HostDefinition: Web Servers


Default-BB-FalsePositive: Web Server False Positive Events
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive QIDs that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.
Associated building blocks: Default-BB-HostDefinition: Web Servers

Default-BB-FalsePositive: Windows Server False Positive Categories Local
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.
Associated building blocks: Default-BB-HostDefinition: Windows Servers

Default-BB-FalsePositive: Windows Server False Positive Events
Group: False Positive. Block type: Event.
Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.
Associated building blocks: Default-BB-HostDefinition: Windows Servers

Default-BB-HostBased: Critical Events
Group: Category Definitions, Compliance. Block type: Event.
Edit this BB to define event categories that indicate critical events.

Default-BB-HostDefinition: Database Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical database servers.
Associated building blocks: Default-BB-FalsePositive: Database Server False Positive Categories; Default-BB-FalsePositive: Database Server False Positive Events

Default-BB-HostDefinition: DHCP Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical DHCP servers.
Associated building blocks: Default-BB-FalsePositive: DHCP Server False Positive Categories; Default-BB-FalsePositive: DHCP Server False Positive Events

Default-BB-HostDefinition: DNS Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical DNS servers.
Associated building blocks: Default-BB-FalsePositive: DNS Server False Positive Categories; Default-BB-FalsePositive: DNS Server False Positive Events

Default-BB-HostDefinition: FTP Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical FTP servers.
Associated building blocks: Default-BB-FalsePositive: FTP Server False Positive Categories; Default-BB-FalsePositive: FTP Server False Positive Events


Default-BB-HostDefinition: Host with Port Open
Group: Host Definitions. Block type: Event.
Edit this BB to include a host and port that is actively or passively seen.

Default-BB-HostDefinition: LDAP Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical LDAP servers.
Associated building blocks: Default-BB-FalsePositive: LDAP Server False Positive Categories; Default-BB-FalsePositive: LDAP Server False Positive Events

Default-BB-HostDefinition: Mail Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical mail servers.
Associated building blocks: Default-BB-FalsePositive: Mail Server False Positive Categories; Default-BB-FalsePositive: Mail Server False Positive Events

Default-BB-HostDefinition: Network Management Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical network management servers.

Default-BB-HostDefinition: Proxy Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical proxy servers.
Associated building blocks: Default-BB-FalsePositive: Proxy Server False Positive Categories; Default-BB-FalsePositive: Proxy Server False Positive Events

Default-BB-HostDefinition: RPC Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical RPC servers.
Associated building blocks: Default-BB-FalsePositive: RPC Server False Positive Categories; Default-BB-FalsePositive: RPC Server False Positive Events

Default-BB-HostDefinition: Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define generic servers.

Default-BB-HostDefinition: SNMP Sender or Receiver
Group: Host Definitions. Block type: Event.
Edit this BB to define SNMP senders or receivers.
Associated building blocks: Default-BB-PortDefinition: SNMP Ports

Default-BB-HostDefinition: SSH Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical SSH servers.
Associated building blocks: Default-BB-FalsePositive: SSH Server False Positive Categories; Default-BB-FalsePositive: SSH Server False Positive Events


Default-BB-HostDefinition: Syslog Servers and Senders
Group: Host Definitions. Block type: Event.
Edit this BB to define typical hosts that send or receive syslog traffic.
Associated building blocks: Default-BB-FalsePositive: Syslog Sender False Positive Categories; Default-BB-FalsePositive: Syslog Sender False Positive Events

Default-BB-HostDefinition: VA Scanner Source IP
Group: Host Definitions. Block type: Event.
Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2.

Default-BB-HostDefinition: Virus Definition and Other Update Servers
Group: Host Definitions. Block type: Event.
Edit this BB to include all servers that provide virus protection and update functions.

Default-BB-HostDefinition: VoIP IP PBX Server
Group: Host Definitions. Block type: Event.
Edit this BB to define typical VoIP IP PBX servers.

Default-BB-HostDefinition: Web Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical web servers.
Associated building blocks: Default-BB-FalsePositive: Web Server False Positive Categories; Default-BB-FalsePositive: Web Server False Positive Events

Default-BB-HostDefinition: Windows Servers
Group: Host Definitions. Block type: Event.
Edit this BB to define typical Windows servers, such as domain controllers or Exchange servers.
Associated building blocks: Default-BB-FalsePositive: Windows Server False Positive Categories; Default-BB-FalsePositive: Windows Server False Positive Events

Default-BB-NetworkDefinition: Broadcast Address Space
Group: Network Definition. Block type: Event.
Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages.

Default-BB-NetworkDefinition: Client Networks
Group: Network Definition. Block type: Event.
Edit this BB to include all networks that contain client hosts.

Default-BB-NetworkDefinition: Darknet Addresses
Group: Network Definition. Block type: Event.
Edit this BB to include networks that you want to add to a darknet list.

Default-BB-NetworkDefinition: DLP Addresses
Group: Network Definition. Block type: Event.
Edit this BB to include networks that you want to add to a data loss prevention (DLP) list.

Default-BB-NetworkDefinition: DMZ Addresses
Group: Network Definition. Block type: Event.
Edit this BB to include addresses that are part of the DMZ.


Default-BB-NetworkDefinition: Honeypot like Addresses
Group: Network Definition. Block type: Event.
Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.

Default-BB-NetworkDefinition: NAT Address Range
Group: Network Definition. Block type: Event.
Edit this BB to define the Network Address Translation (NAT) address range used in your deployment.

Default-BB-NetworkDefinition: Server Networks
Group: Network Definition. Block type: Event.
Edit this BB to include the networks where your servers are located.

Default-BB-NetworkDefinition: Undefined IP Space
Group: Network Definition. Block type: Event.
Edit this BB to include areas of your network that do not contain any valid hosts.

Default-BB-NetworkDefinition: Watch List Addresses
Group: Network Definition. Block type: Event.
Edit this BB to include networks that should be added to a watch list.

Default-BB-Policy: Application Policy Violation Events
Group: Policy. Block type: Event.
Edit this BB to define application policy violation events.

Default-BB-Policy: IRC/IM Connection Violations
Group: Policy. Block type: Event.
Edit this BB to define all policy IRC/IM connection violations.

Default-BB-Policy: Policy P2P
Group: Policy. Block type: Event.
Edit this BB to include all events that indicate Peer-to-Peer (P2P) activity.

Default-BB-PortDefinition: Authorized L2R Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include ports that are commonly detected in Local-to-Remote (L2R) traffic.

Default-BB-PortDefinition: Database Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common database ports.

Default-BB-PortDefinition: DHCP Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common DHCP ports.

Default-BB-PortDefinition: DNS Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common DNS ports.


Default-BB-PortDefinition: FTP Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common FTP ports.

Default-BB-PortDefinition: Game Server Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common game server ports.

Default-BB-PortDefinition: IM Ports
Group: Compliance, Port\Protocol Definition. Block type: Event.
Edit this BB to include all common IM ports.

Default-BB-PortDefinition: IRC Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common IRC ports.

Default-BB-PortDefinition: LDAP Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by LDAP servers.

Default-BB-PortDefinition: Mail Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by mail servers.

Default-BB-PortDefinition: P2P Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers.

Default-BB-PortDefinition: Proxy Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by proxy servers.

Default-BB-PortDefinition: RPC Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by RPC servers.

Default-BB-PortDefinition: SNMP Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by SNMP servers.

Default-BB-PortDefinition: SSH Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by SSH servers.

Default-BB-PortDefinition: Syslog Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by syslog servers.

Default-BB-PortDefinition: Unauthorized L2R Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include ports that are not typically detected in Local-to-Remote (L2R) traffic.

Default-BB-PortDefinition: Web Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by web servers.


Default-BB-PortDefinition: Windows Ports
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common ports used by Windows servers.

Default-BB-ProtocolDefinition: Windows Protocols
Group: Port\Protocol Definition. Block type: Event.
Edit this BB to include all common protocols (not including TCP) used by Windows servers; events over these protocols are ignored by the false positive tuning rules.

Default-BB-ReconDetected: All Recon Rules
Group: Recon. Block type: Event.
Defines all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed, for example, reconnaissance followed by a firewall accept.

Default-BB-ReconDetected: Devices That Merge Recon into Single Events
Group: Recon. Block type: Event.
Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses.

Default-BB-ReconDetected: Host Port Scan
Group: Recon. Block type: Event.
Edit this BB to define reconnaissance scans against individual hosts in your deployment.

Default-BB-ReconDetected: Port Scan Detected Across Multiple Hosts
Group: Recon. Block type: Event.
Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If the source is internal, this may indicate an exploited machine or a worm scanning for targets.

User-BB-FalsePositive: User Defined False Positives Tunings
Group: User Tuning. Block type: Event.
This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide.

User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories
Group: User Tuning. Block type: Event.
Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
Associated building blocks: User-BB-HostDefinition: User Defined Server Type 1


User-BB-FalsePositive: User Defined Server Type 1 False Positive Events
Group: User Tuning. Block type: Event.
Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
Associated building blocks: User-BB-HostDefinition: User Defined Server Type 1

User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories
Group: User Tuning. Block type: Event.
Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
Associated building blocks: User-BB-HostDefinition: User Defined Server Type 2

User-BB-FalsePositive: User Defined Server Type 2 False Positive Events
Group: User Tuning. Block type: Event.
Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
Associated building blocks: User-BB-HostDefinition: User Defined Server Type 2

User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories
Group: User Tuning. Block type: Event.
Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
Associated building blocks: User-BB-HostDefinition: User Defined Server Type 3

User-BB-FalsePositive: User Defined Server Type 3 False Positive Events
Group: User Tuning. Block type: Event.
Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
Associated building blocks: User-BB-HostDefinition: User Defined Server Type 3

User-BB-HostDefinition: User Defined Server Type 1
Group: User Tuning. Block type: Event.
Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories that you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories or User-BB-FalsePositive: User Defined Server Type 1 False Positive Events building blocks.
Associated building blocks: User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 1 False Positive Events


User-BB-HostDefinition: User Defined Server Type 2
Group: User Tuning. Block type: Event.
Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories that you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories or User-BB-FalsePositive: User Defined Server Type 2 False Positive Events building blocks.
Associated building blocks: User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 2 False Positive Events

User-BB-HostDefinition: User Defined Server Type 3
Group: User Tuning. Block type: Event.
Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories that you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories or User-BB-FalsePositive: User Defined Server Type 3 False Positive Events building blocks.
Associated building blocks: User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 3 False Positive Events

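The tuning pattern that runs through Table B-10, a host-definition building block paired with a False Positive Categories block and a False Positive Events (QID) block, including the User-BB slots for custom server types, as an added example that is not STRM's code or rule engine. The building block contents, the category names, the QID numbers and the sample events are all constructed for illustration; the only thing taken from the page is the matching logic the descriptions state, that a tuning block applies to events "to or from" the hosts its companion host-definition block names.

```python
"""Added example (not STRM code) of the false positive tuning pattern behind
the Default-BB-HostDefinition / Default-BB-FalsePositive and User-BB rows in
Table B-10: a host-definition building block names the servers of one type,
and two companion building blocks list the event categories and the QIDs that
are expected noise to or from those servers. The building block contents,
category names, QID numbers and sample events are all constructed for this
example; they are not STRM's real identifiers or its rule engine."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Event = namedtuple("Event", "qid category src dst")

# Host-definition building blocks: server type -> networks or hosts (constructed).
HOST_DEFINITIONS = {
    "DNS Servers": ["10.0.0.53/32", "10.0.0.54/32"],
    "Web Servers": ["10.0.10.0/24"],
    # The User-BB rows provide three empty slots for custom server types.
    "User Defined Server Type 1": ["10.0.20.5/32"],
}

# "... False Positive Categories" building blocks (category names constructed).
FALSE_POSITIVE_CATEGORIES = {
    "DNS Servers": {"Recon.UDP Port Scan"},   # resolvers fan out over UDP
    "Web Servers": {"Recon.Web Server Probe"},
    "User Defined Server Type 1": set(),
}

# "... False Positive Events" building blocks keyed by QID (numbers constructed).
FALSE_POSITIVE_QIDS = {
    "DNS Servers": set(),
    "Web Servers": {3001},                    # e.g. a "long URL allowed" event
    "User Defined Server Type 1": {4001},
}


def server_types_for(event):
    """Server types whose host-definition BB matches the event's source or
    destination. The tuning BBs say 'to or from', so both ends are checked."""
    matched = []
    for server_type, nets in HOST_DEFINITIONS.items():
        networks = [ip_network(n) for n in nets]
        for ip in (event.src, event.dst):
            if any(ip_address(ip) in net for net in networks):
                matched.append(server_type)
                break
    return matched


def false_positive_reason(event):
    """Return the (server type, matching BB kind) pair that suppresses the
    event, or None when no tuning BB applies."""
    for server_type in server_types_for(event):
        if event.category in FALSE_POSITIVE_CATEGORIES[server_type]:
            return (server_type, "False Positive Categories")
        if event.qid in FALSE_POSITIVE_QIDS[server_type]:
            return (server_type, "False Positive Events")
    return None


def tune(events):
    """Split events into those kept for correlation and those the tuning
    blocks drop, with the reason for each drop."""
    kept, dropped = [], []
    for ev in events:
        reason = false_positive_reason(ev)
        (dropped if reason else kept).append((ev, reason))
    return kept, dropped


# Constructed sample events.
SAMPLE_EVENTS = [
    Event(1001, "Recon.UDP Port Scan", "10.0.0.53", "198.51.100.20"),    # resolver noise
    Event(1002, "Exploit.Buffer Overflow", "198.51.100.20", "10.0.0.53"),  # real, keep
    Event(3001, "Access.HTTP Allowed", "203.0.113.9", "10.0.10.8"),      # tuned QID, web server
    Event(3001, "Access.HTTP Allowed", "203.0.113.9", "10.0.20.5"),      # same QID, not a web server
    Event(4001, "Policy.Custom", "10.0.20.5", "10.0.30.1"),              # custom server type slot
    Event(1001, "Recon.UDP Port Scan", "10.0.40.77", "10.0.1.1"),        # client host: keep
]

if __name__ == "__main__":
    kept, dropped = tune(SAMPLE_EVENTS)
    for ev, reason in dropped:
        print(f"drop QID {ev.qid} {ev.src}->{ev.dst}: {reason[0]} / {reason[1]}")
    print(f"{len(kept)} events kept for correlation")
```

Two properties of the pattern show up in the sample: a QID tuned for web servers is still reported when the same event hits a host of another type, and a critical category against a DNS server is kept even though the host-definition block matches, because suppression needs both a host match and a category or QID match. That is why the guide tells you to populate the host-definition block first and only then the two companion blocks.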

C UNIVERSITY TEMPLATE DEFAULTS

The University template includes settings with emphasis on internal network activities. This appendix provides the defaults for the University template including:

• Default Sentries

• Default Custom Views

• Default Rules

• Default Building Blocks

Default Sentries

The default sentries for the University template include:

Table C-1 Default Sentries

Sentry | Description

Behavior - Flow Count Behavior Change

Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.

Behavior - Host Count Behavior Change

Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.

Behavior - Threat Traffic Packet Rate Behavior Change

Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.

Suspicious - Internal - Inbound Unidirectional Flows Threshold

Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

DoS - External - Distributed DoS Attack (High Number of Hosts)

Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.


DoS - External - Distributed DoS Attack (Low Number of Hosts)

Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Distributed DoS Attack (Medium Number of Hosts)

Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - External - Flood Attack (High)

Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.

DoS - External - Flood Attack (Medium)

Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - External - Flood Attack (Low)

Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - External - Potential ICMP DoS

Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - External - Potential TCP DoS

Detects flows that appear to be a TCP DoS attack attempt.

DoS - External - Potential UDP DoS

Detects flows that appear to be a UDP DoS attack attempt.

DoS - External - Potential Unresponsive Service or Distributed DoS

Detects a low number of hosts sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

Suspicious - Internal - Inbound Unidirectional Flows Threshold

Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.

DoS - Internal - Distributed DoS Attack (High Number of Hosts)

Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Low Number of Hosts)

Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Distributed DoS Attack (Medium Number of Hosts)

Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.

DoS - Internal - Flood Attack (High)

Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.


DoS - Internal - Flood Attack (Medium)

Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.

DoS - Internal - Flood Attack (Low)

Detects flood attacks above 500 packets per second. This activity may indicate an attack.

DoS - Internal - Potential ICMP DoS

Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.

DoS - Internal - Potential TCP DoS

Detects flows that appear to be a TCP DoS attack attempt.

DoS - Internal - Potential UDP DoS

Detects flows that appear to be a UDP DoS attack attempt.

DoS - Internal - Potential Unresponsive Service or Distributed DoS

Detects a low number of hosts sending identical, non-responsive packets to a single target.

Malware - External - Client Based DNS Activity to the Internet

Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a botnet connection. If this is a false positive, add the external DNS server to the DNS Servers building block (Default-BB-HostDefinition: DNS Servers) in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the activity.

Malware - External Communication with BOT Control Channel

Detects communication with an IP address that is a known control channel for a botnet. The local machine may be infected with a bot and should be investigated.

Policy - External - Clear Text Application Usage

Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - External - Hidden FTP Server

Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.

Policy - Internal - Clear Text Application Usage

Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.

Policy - Internal - Hidden FTP Server

Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.


Policy - External - IM/Chat

Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - External - IRC Connections

Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.

Policy - Local P2P Server Detected

Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as, copyright infringement.

Policy - External - Long Duration Flow Detected

Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3600 seconds, which means that an event generates 3600 seconds after the first instance of the activity.

Policy - External - P2P Communications Detected

Detects Peer-to-Peer (P2P) communications.

Policy - External - Possible Tunneling

Detects possible tunneling, which can indicate a bypass of policy, or an infected system.

Policy - External - Remote Desktop Access from the Internet

Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.

Policy - External - SMTP Mail Sender

Detects an internal host sending a large number of SMTP flows from the same source to the Internet, in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Policy - External - SSH or Telnet Detected on Non-Standard Ports

Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP 22 and TCP 23, respectively. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.

Policy - Internal - SSH or Telnet Detected on Non-Standard Ports

Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP 22 and TCP 23, respectively. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
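Two of the flow-based checks in this table, the Hidden FTP Server and SSH or Telnet Detected on Non-Standard Ports sentries above and the Inbound Unidirectional Flows Threshold sentry listed earlier (more than 1,000 unanswered inbound flows in 5 minutes, seen 5 times), as an added example that is not STRM's sentry engine or flow format. The flow record layout, the application labels, the local network list and every flow below are constructed for this example; the standard ports (21, 22, 23) and the threshold values are the ones the sentry descriptions state.

```python
"""Added example (not STRM code) of two flow-based checks described in
Table C-1: the "Hidden FTP Server" / "SSH or Telnet Detected on Non-Standard
Ports" sentries, which compare the detected application with the port it runs
on, and the "Inbound Unidirectional Flows Threshold" sentry, which counts
remote-to-local flows that the local host never answered (more than 1,000 in a
5 minute interval, seen in 5 intervals). The flow record layout, the
application labels, the local network list and every flow below are
constructed; they are not STRM's flow format or sentry engine."""
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

# ts is seconds since an arbitrary epoch; bytes_from_dst == 0 means the
# destination never replied (a unidirectional flow).
Flow = namedtuple("Flow", "ts src dst dst_port app bytes_to_dst bytes_from_dst")

LOCAL_NETWORKS = [ip_network("10.0.0.0/8")]          # constructed network hierarchy
STANDARD_PORTS = {"FTP": {21}, "SSH": {22}, "Telnet": {23}}


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETWORKS)


def hidden_servers(flows):
    """Servers whose detected application does not match the port it is served
    on. Only flows the server actually answered count, so an unanswered probe
    cannot create a phantom server. Returns {(host, port, app): 'local'|'remote'}."""
    found = {}
    for f in flows:
        standard = STANDARD_PORTS.get(f.app)
        if standard and f.dst_port not in standard and f.bytes_from_dst > 0:
            found[(f.dst, f.dst_port, f.app)] = "local" if is_local(f.dst) else "remote"
    return found


def unidirectional_inbound_alert(flows, rate=1000, interval=300, occurrences=5):
    """Count inbound (remote -> local) flows with no reply per interval and
    return the interval start times that exceeded `rate`, plus whether the
    alert fires, i.e. at least `occurrences` such intervals were seen."""
    per_interval = Counter()
    for f in flows:
        if is_local(f.dst) and not is_local(f.src) and f.bytes_from_dst == 0:
            per_interval[(f.ts // interval) * interval] += 1
    exceeded = sorted(start for start, n in per_interval.items() if n > rate)
    return exceeded, len(exceeded) >= occurrences


def constructed_flows():
    """Constructed sample traffic: a few benign sessions, three hidden servers
    and one external host sweeping local addresses for five intervals."""
    flows = [
        # Normal services on their standard ports: not reported.
        Flow(10, "10.0.40.7", "10.0.4.1", 21, "FTP", 300, 1200),
        Flow(12, "10.0.40.7", "10.0.4.2", 22, "SSH", 2000, 3000),
        # SSH and Telnet answering on non-standard ports on local hosts.
        Flow(20, "203.0.113.8", "10.0.4.9", 2222, "SSH", 1500, 2800),
        Flow(25, "10.0.40.7", "10.0.4.10", 2323, "Telnet", 400, 900),
        # A remote FTP server on port 8021 reached from inside.
        Flow(30, "10.0.40.8", "198.51.100.3", 8021, "FTP", 250, 1100),
        # App guessed from the client's bytes only; no reply, so no server.
        Flow(31, "203.0.113.8", "10.0.4.11", 2222, "SSH", 60, 0),
    ]
    # One external host sends 1,200 unanswered flows in each of five
    # consecutive 5 minute intervals (a scan or a half-open flood).
    for i in range(5):
        for j in range(1200):
            flows.append(Flow(i * 300 + j % 300, "203.0.113.5",
                              f"10.0.9.{j % 250 + 1}", 445, "unknown", 60, 0))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for key, where in hidden_servers(flows).items():
        print("hidden server", key, where)
    print("unidirectional inbound:", unidirectional_inbound_alert(flows))
```

The hidden-server check keys on the application the flow collector identified, not on the port, which is the whole point of these sentries; the reply-bytes condition is the caveat a practitioner adds so that a half-open probe to port 2222 is not mistaken for a backdoor. The unidirectional check shows why the "must occur 5 times" default matters: a single busy interval from a misconfigured device stays quiet, while a sustained sweep fires.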


Policy - External - Usenet Usage

Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

Policy - External - VNC Access From the Internet to a Local Host

Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.

Policy - P2P Policy Threshold

Detects more than 100 KB/s of Peer-to-Peer (P2P) traffic within 5 minutes.

Recon - External - ICMP Scan (High)

Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - External - ICMP Scan (Low)

Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - ICMP Scan (Medium)

Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.

Recon - External - Potential Network Scan

Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.

Recon - External - Scanning Activity (High)

Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.


Recon - External - Scanning Activity (Low)

Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - External - Scanning Activity (Medium)

Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Recon - Internal - ICMP Scan (High)

Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.

Recon - Internal - ICMP Scan (Low)

Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - ICMP Scan (Medium)

Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate, which is typical of a worm infection or of a host configured for network management purposes.

Recon - Internal - Potential Network Scan

Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.

Recon - Internal - Scanning Activity (High)

Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.


Recon - Internal - Scanning Activity (Low)

Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.

Recon - Internal - Scanning Activity (Medium)

Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.

Suspicious - External - Anomalous ICMP Flows

Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - External - Invalid TCP Flag usage

Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - External - Port 0 Flows Detected

Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - External - Rejected Communication Attempts

Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - External - Unidirectional ICMP Detected

Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - External - Unidirectional ICMP Responses Detected

Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.


Suspicious - External - Unidirectional TCP Flows

Detects a host sending an excessive quantity (at least 40) of unidirectional TCP flows. Some such flows are normal, but client workstations and other end-user devices should not emit them in large quantities, so this activity should be considered suspicious.

Suspicious - Internal - Anomalous ICMP Flows

Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Invalid TCP Flag usage

Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.

Suspicious - External - Outbound Unidirectional Flows Threshold

Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes.

Suspicious - Internal - Port 0 Flows Detected

Detects flows whose destination or source ports are 0. This may be considered suspicious.

Suspicious - Internal - Rejected Communication Attempts

Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Unidirectional ICMP Detected

Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Unidirectional ICMP Responses Detected

Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.

Suspicious - Internal - Unidirectional TCP Flows

Detects a host sending an excessive quantity (at least 40) of unidirectional TCP flows. Some such flows are normal, but client workstations and other end-user devices should not emit them in large quantities, so this activity should be considered suspicious.
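The scan-rate and unidirectional-flow sentries above share a small amount of logic: group flows by source and minute, count distinct destinations, compare the count to the 500 / 5,000 / 100,000 hosts-per-minute tiers, and separately count one-sided flows against the 40-flow default while skipping known network-management hosts. The following Python is an added example written for this page, not STRM code; the flow records, the 10.0.0.5 management-host address and the field names are constructed for illustration.

```python
"""Rate-based sentry evaluation over constructed flow records.

Added example, not part of the STRM guide: it applies the hosts-per-minute
tiers of the Recon sentries (500 / 5,000 / 100,000 distinct destinations)
and the 40-flow default of the Unidirectional sentries to constructed
flows, skipping sources listed as network-management hosts.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Distinct destinations seen from one source in one minute, highest tier first.
SCAN_TIERS = (("High", 100_000), ("Medium", 5_000), ("Low", 500))
UNIDIRECTIONAL_MIN_FLOWS = 40            # default for the Unidirectional sentries
MGMT_HOSTS = {"10.0.0.5"}                # assumed Network_Management_Hosts entry


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    proto: str       # "icmp", "tcp" or "udp"
    dst_bytes: int   # bytes sent back by dst; 0 means nobody answered


def scan_tier(host_count: int) -> Optional[str]:
    """Map a distinct-destination count for one minute onto Low/Medium/High."""
    for name, threshold in SCAN_TIERS:
        if host_count > threshold:
            return name
    return None


def evaluate_scans(flows: Iterable[Flow],
                   proto: Optional[str] = None) -> Dict[Tuple[str, int], str]:
    """Return {(src, minute): tier} for every source that exceeds a tier.

    proto=None counts every protocol (Recon - Scanning Activity);
    proto="icmp" counts ICMP only (Recon - ICMP Scan).
    """
    targets = defaultdict(set)
    for f in flows:
        if proto is None or f.proto == proto:
            targets[(f.src, f.ts // 60)].add(f.dst)
    hits = {}
    for (src, minute), dsts in targets.items():
        if src in MGMT_HOSTS:
            continue                     # Exceptions group: expected scanners
        tier = scan_tier(len(dsts))
        if tier is not None:
            hits[(src, minute)] = tier
    return hits


def evaluate_unidirectional(flows: Iterable[Flow], proto: str,
                            min_flows: int = UNIDIRECTIONAL_MIN_FLOWS) -> Dict[str, int]:
    """Sources with at least min_flows one-sided flows of the given protocol."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == proto and f.dst_bytes == 0:
            counts[f.src] += 1
    return {src: n for src, n in counts.items() if n >= min_flows}


def sample_flows() -> List[Flow]:
    """Constructed traffic: a worm-like client pinging 600 addresses in one
    minute (unanswered), a management host pinging 1,000 (answered), and a
    client with 45 unanswered TCP connection attempts."""
    flows = []
    for i in range(600):
        flows.append(Flow(1_000_000, "10.1.1.23", f"10.2.{i // 256}.{i % 256}", "icmp", 0))
    for i in range(1000):
        flows.append(Flow(1_000_000, "10.0.0.5", f"10.3.{i // 256}.{i % 256}", "icmp", 64))
    for i in range(45):
        flows.append(Flow(1_000_030, "10.1.1.77", f"10.4.0.{i}", "tcp", 0))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("ICMP scans:", evaluate_scans(flows, "icmp"))               # {('10.1.1.23', 16666): 'Low'}
    print("Unidirectional TCP:", evaluate_unidirectional(flows, "tcp"))  # {'10.1.1.77': 45}
```

The management host sweeps more addresses than the worm-like client but never appears in the output, which is exactly the tuning the sentry descriptions ask for: put verified scanners in the exception group rather than raising the thresholds for everyone.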


Excessive Unidirectional UDP or Misc Flows

Detects an excessive number of unidirectional UDP (or other non-TCP, non-ICMP) flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 80.

Default Custom Views

This section provides the default custom views for the University template including:

• IP Tracking Group

• Threats Group

• Attacker Target Analysis Group

• Target Analysis Group

• Policy Violations Group

• ASN Source Group

• ASN Destination Group

• IFIndexIn Group

• IFIndexOut Group

• QoS Group

• Flow Shape Group

IP Tracking Group

Pre-configured groups that specify traffic flows from your local and remote IP addresses including:


Table C-2 Custom Views - IP Tracking View

Group Objects

Locals - Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure this object with your local IP addresses.

Remotes - Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure this object with your remote IP addresses.


Threats Group

Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including:

Table C-3 Custom Views - Threats View

Group Objects

Exceptions This group includes:

• Network_Management_Hosts - Defines network management servers or other systems that legitimately generate reconnaissance-like traffic on your network, such as SNMP polling, large numbers of ICMP requests, or vulnerability assessment (VA) scanners. Because this is an exceptions group, add only hosts you have verified.


DoS The Denial of Service (DoS) group includes:

• Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.

• Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.

• Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.

• Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.

• Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.

• Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.

• Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.

• Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.

• Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.

• Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.

• Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted UDP DoS attack.

• Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.

• Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.


Scanning This scanning group includes:

• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.

• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.

• ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.

• Scan_High - Defines a scan of more than 100,000 hosts per minute.

• Scan_Medium - Defines a scan of more than 5,000 hosts per minute.

• Scan_Low - Defines a scan of more than 500 hosts per minute.

• Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.

• Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.

• Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.

• Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.

PortScans This PortScans group includes:

• Host_Scans - Detects a host attempting to make multiple TCP connections to another host, targeting multiple unique ports.

• UDPPortScan - Detects a host attempting to make multiple UDP connections to another host, targeting multiple unique ports.


Suspicious_IP_Protocol_Usage This group includes:

• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.

• Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html

• TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to the Internet RFCs and should be considered malicious. Note that many flow exporters also record port 0 for non-initial IP fragments, which carry no transport header, so confirm that a flow is not fragmented traffic before escalating it.

• Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate an application failing to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.

• Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.

• Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.

• Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (or other flows that are neither TCP nor ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.

• Zero_Payload_Bidirectional_Flows - Detects flows that contain little, if any, payload. This may be the result of scans where the target responds with reset packets.

• Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

• Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.

• Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.
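As an added example (not STRM code), the following Python classifies constructed flow records against the objects of this group. The set of TCP flag combinations it treats as illegal (NULL, SYN+FIN, SYN+RST, XMAS, FIN without ACK) and the assumption that tcp_flags holds the first packet's flags rather than the OR of every packet in the flow are assumptions of this example, not something the page states; the 48-hour and 1K thresholds are the page's own.

```python
"""Per-flow checks for the Suspicious_IP_Protocol_Usage group.

Added example, not part of the STRM guide. The illegal TCP flag
combinations below are the ones scanners commonly send and are an
assumption, as the page does not list STRM's own set. tcp_flags is taken
to be the flags of the first packet from the source; an exporter that
reports the OR of all flags in a flow makes every completed connection
look like SYN+FIN, so run this check on per-packet data in that case.
"""
from dataclasses import dataclass
from typing import Dict, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LONG_FLOW_SECONDS = 48 * 3600      # Long_Duration_Flow threshold
LARGE_PACKET_BYTES = 1024          # Large_DNS_Packets / Large_ICMP_Packets

ILLEGAL_FLAG_RULES = (
    ("NULL", lambda f: f == 0),
    ("SYN+FIN", lambda f: f & SYN and f & FIN),
    ("SYN+RST", lambda f: f & SYN and f & RST),
    ("XMAS", lambda f: f & (FIN | PSH | URG) == (FIN | PSH | URG)),
    ("FIN without ACK", lambda f: f & FIN and not f & ACK),
)


@dataclass
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: int = 0          # flags on the first packet from the source
    src_bytes: int = 0          # payload bytes, source -> destination
    dst_bytes: int = 0          # payload bytes, destination -> source
    dst_packets: int = 0        # packets from the destination; 0 = unidirectional
    duration_s: int = 0
    max_packet_bytes: int = 0
    internet: bool = True       # one endpoint is on the Internet


def illegal_tcp_flags(flags: int) -> List[str]:
    """Names of the illegal-combination rules the flags match (empty if none)."""
    return [name for name, rule in ILLEGAL_FLAG_RULES if rule(flags)]


def classify(flow: Flow) -> List[str]:
    """Return the Suspicious_IP_Protocol_Usage objects a single flow matches."""
    hits = []
    if flow.proto == "tcp" and illegal_tcp_flags(flow.tcp_flags):
        hits.append("Illegal_TCP_Flag_Combination")
    if flow.proto in ("tcp", "udp") and 0 in (flow.src_port, flow.dst_port):
        hits.append("TCP_UDP_Port_0")
    if flow.dst_packets == 0:
        hits.append({"tcp": "Unidirectional_TCP_Flows",
                     "icmp": "Unidirectional_ICMP_Flows"}.get(
                         flow.proto, "Unidirectional_UDP_And_Misc_Flows"))
    elif flow.proto == "tcp" and flow.src_bytes == 0 and flow.dst_bytes == 0:
        hits.append("Zero_Payload_Bidirectional_Flows")   # e.g. SYN answered by RST
    if flow.internet and flow.duration_s > LONG_FLOW_SECONDS:
        hits.append("Long_Duration_Flow")
    if (flow.proto == "udp" and 53 in (flow.src_port, flow.dst_port)
            and flow.max_packet_bytes > LARGE_PACKET_BYTES):
        hits.append("Large_DNS_Packets")
    if flow.proto == "icmp" and flow.max_packet_bytes > LARGE_PACKET_BYTES:
        hits.append("Large_ICMP_Packets")
    return hits


# Constructed sample flows, one per behaviour the group describes.
SAMPLE_FLOWS = {
    "xmas_scan": Flow("tcp", 40000, 22, tcp_flags=FIN | PSH | URG),
    "normal_http": Flow("tcp", 51000, 80, tcp_flags=SYN, src_bytes=400,
                        dst_bytes=20000, dst_packets=30, duration_s=2),
    "port_zero": Flow("udp", 0, 0, src_bytes=28),
    "big_dns": Flow("udp", 53123, 53, src_bytes=60, dst_bytes=1300,
                    dst_packets=1, max_packet_bytes=1400),
    "irc_3_days": Flow("tcp", 44000, 6667, tcp_flags=SYN, src_bytes=9000,
                       dst_bytes=80000, dst_packets=900, duration_s=3 * 24 * 3600),
    "syn_rst": Flow("tcp", 40001, 445, tcp_flags=SYN, dst_packets=1),
    "big_ping": Flow("icmp", dst_packets=1, max_packet_bytes=1500),
}


def classify_all() -> Dict[str, List[str]]:
    """Classify every sample flow; the normal HTTP flow matches nothing."""
    return {name: classify(f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, hits in classify_all().items():
        print(f"{name:12s} {hits}")
```

A single flow can match several objects at once: the XMAS probe is both an illegal flag combination and a unidirectional TCP flow, which is why the rate-based sentries earlier in this appendix count these per source rather than alerting on each flow.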


Remote_Access_Violation This group includes:

• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.

• Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports for this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.

• Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.

• VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.

Suspicious_IRC Detects suspicious IRC activity.

Attacker Target Analysis Group

Pre-configured groups that specify traffic flows from attackers, responses, and events including:


Table C-4 Custom Views - AttackerTargetAnalysis

Group Objects

AttackResponseAnalysis This group includes:

• Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.

• Target_Responded - The network flow analysis indicates that the target responded to the event from the attacker, which increases the likelihood that the attack was successful.


PeripheralCommsAnalysis This group includes:

• Activity_Before_Event - The network flow analysis indicates that the target and attacker were communicating before the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking into this host. Many typical attacks fire an exploit at the target with little or no prior investigation of the host.

• Activity_After_Event - The network flow analysis indicates that the target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker and target were also seen communicating before the event and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate that a successful attack has occurred.

• Target_Initiating_Comms_To_Attacker - The network flow analysis indicates that the target was seen initiating connections back to the attacker before or after the event. This can indicate that the attacker has been able to force the target to communicate back to the attacker, bypassing some firewall rules.

Target Analysis Group

Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays including:


Table C-5 Custom Views - TargetAnalysis

Group Objects

BotNetAnalysis BotNet_Connect - The network flow analysis indicates that a target host is connected to IRC servers on the Internet. This may indicate that the attacker has installed an IRC bot on the target and instructed it to connect to an IRC channel under the attacker's control and await instructions. Large numbers of such exploited machines form a botnet and can be used by the attacker to coordinate large-scale Distributed Denial of Service (DDoS) attacks.

MalwareAnalysis Malware_Server_Connection - Network flow analysis indicates that a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is being seen in the presence of security events aimed at this host, so it is possible that the attacker has infected the target with a worm or other hostile malware that is attempting to spread from this host.


PeripheralCommsAnalysis This group includes:

• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally or inadvertently crashed the service running on this host.

• Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given that this activity is occurring in the presence of security events targeting this host, it is possible that the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.

• Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given that this activity is occurring in the presence of a security event targeting this host, it is possible that the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.

Policy Violations Group

Pre-configured groups that specify traffic flows from your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies including:


Table C-6 Custom Views - PolicyViolations

Group Objects

Mail_Policy_Violation This group includes:

• Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to exclude your network mail servers.

• Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Such a server may also be an infected host that is inadvertently running a spam relay. We recommend updating this equation to exclude your network mail servers.


IRC_IM_Policy_Violation This group includes:

• IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on a common IRC port or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.

• IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.

Remote_Access_Policy_Violation

Remote_Access_Shell - Detects bidirectional flows where remote hosts connect to local remote access servers using any of the following access technologies: Citrix, PCAnywhere, SSH, Telnet, or VNC.

P2P_Policy_Violation This group includes:

• Local_P2P__Server - Detects flows indicating that a P2P server is operating on the local network. This can be in violation of local network policy.

• Local_P2P_Client - Detects flows indicating that a P2P client is operating on the local network. This can be in violation of local network policy.

Application_Policy_Violation This group includes:

• NNTP_to_Internet - Detects flows indicating that an NNTP news client is operating on the local network. This may be in violation of local network policy.

• Unknown_Local_Service - Detects an active service on a local host.

Compliance_Policy_Violations This group includes:

• Clear_Text_Application_Usage - Detects flows where the application type sends passwords in clear text. The applications included in this view are Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.

• Large_Outbound_Transfer - Detects large outbound file transfers.

ASN Source Group

STRM detects the ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.


ASN Destination Group

STRM detects the ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.

IFIndexIn Group

STRM detects the IFIndex values from network flows. When STRM detects an inbound IFIndex value in a flow, STRM creates a new object in the IFIndexIn group.

IFIndexOut Group

STRM detects the IFIndex values from network flows. When STRM detects an outbound IFIndex value in a flow, STRM creates a new object in the IFIndexOut group.

QoS Group

Default QoS groups include:

Table C-7 Custom Views - QoS View

Group Objects

NetworkControl - Specifies QoS values related to link layer and routing protocols.

IPRoutingControl - Specifies QoS values used by IP routing protocols.

Expedited - Specifies values related to expedited forwarding, such as a virtual leased line or premium service.

Class 4 - Specifies values related to Class 4 traffic.

Class 3 - Specifies values related to Class 3 traffic.

Class 2 - Specifies values related to Class 2 traffic.

Class 1 - Specifies values related to Class 1 traffic.

Best Effort - Specifies traffic related to best-effort QoS. Best-effort service does not guarantee delivery.

Flow Shape Group

Default FlowShape groups include:

Table C-8 Custom Views - Flow Shape View

Group Objects

Inbound_Only - Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.

Outbound_Only - Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet, where the remote host does not respond.

Mostly_Inbound - Specifies traffic flows that carry 5 times more bytes into the network than out of it.

Mostly_Outbound - Specifies traffic flows that carry 5 times more bytes out of the network than into it.

NearSame_Internet - Specifies traffic to and from hosts on the Internet with roughly the same number of bytes sent and received.

Local_Unidirectional - Specifies a one-sided flow with both source and destination within the local network.

Local_SRC_Bias - Specifies internal traffic where the source transfers 5 times more bytes than the destination.

Local_DST_Bias - Specifies internal traffic where the destination transfers 5 times more bytes than the source.

NearSame_Internal - Specifies internal traffic with a balance of source and destination bytes.

Default Rules

Default rules for the University template include:


Table C-9 Default Rules

Rule / Group / Rule Type / Enabled / Description

Default-Response-E-mail: Offense E-mail Sender

Response Offense False Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.

Default-Response-Sylog: Offense SYSLOG Sender

Response Offense False Reports any offense matching the severity, credibility, or relevance minimum to syslog.

Default-Rule-Anomaly: Devices with High Event Rates

Anomaly Event False Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices will be monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.

Default-Rule-Anomaly: DMZ Jumping

Anomaly Event False Reports when connections are bridged across your network’s Demilitarized Zone (DMZ).

Default-Rule-Anomaly: Excessive Database Connections

Anomaly Event True Reports an excessive number of successful database connections.

Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts

Anomaly Event False Reports excessive firewall accepts across multiple hosts: more than 100 accept events across at least 100 unique destination IP addresses within 5 minutes.

Default-Rule-Anomaly: Excessive Firewall Denies from Single Source

Anomaly Event True Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.


Default-Rule-Anomaly: Long Duration Flow

Anomaly Event False Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.

Default-Rule-Anomaly: Potential Honeypot Access

Anomaly Event False Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.

Default-Rule-Anomaly: Rate Analysis Marked Events

Anomaly Event False Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.

Default-Rule-Anomaly: Remote Access from Foreign Country

Anomaly Event False Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.

Default-Rule-Authentication: Login Failure to Disabled Account

Authentication Event True Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.

Default-Rule-Authentication: Login Failure to Expired Account

Authentication Event False Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.

Default-Rule-Authentication: Login Failures Across Multiple Hosts

Authentication Event True Reports authentication failures on the same source IP address more than three times, across more than three destination IP addresses within 10 minutes.

Default-Rule-Authentication: Login Failures Followed By Success

Authentication Event True Reports multiple log in failures to a single host, followed by a successful log in to the host.


Default-Rule-Authentication: Login Successful After Scan Attempt

Authentication, Compliance Event True Reports when at least one of the configured scan rules fires for a source IP address and is followed, within 30 minutes, by a successful authentication from the same IP address.

Default-Rule-Authentication: Multiple VoIP Login Failures

Authentication Event True Reports multiple log in failures to a VoIP PBX.

Default-Rule-Authentication: Repeated Login Failures, Single Host

Authentication Event True Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.
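The three failure-counting rules above (Login Failures Across Multiple Hosts, Login Failures Followed By Success, Repeated Login Failures, Single Host) are sliding-window counts keyed on source and destination. The Python below is an added example, not STRM code, that applies the thresholds the table states to a constructed event stream; the number of failures that makes a success count as "preceded by multiple failures" is not on the page and is assumed here to be three within five minutes.

```python
"""Windowed correlation for three Default-Rule-Authentication rules.

Added example, not part of the STRM guide, run over a constructed stream
of authentication events. Thresholds are the ones Table C-9 states; the
failure count for Login Failures Followed By Success is not on the page,
so three failures within five minutes is assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SINGLE_HOST_FAILURES, SINGLE_HOST_WINDOW = 7, 300   # Repeated Login Failures, Single Host
MULTI_HOST_FAILURES, MULTI_HOST_WINDOW = 3, 600     # Login Failures Across Multiple Hosts (> 3)
FOLLOWED_BY_SUCCESS_FAILURES = 3                    # assumed, not stated on the page


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since epoch (constructed)
    src: str         # source IP address
    dst: str         # destination IP address
    success: bool


Match = Tuple[str, str, Optional[str], int]   # (rule, src, dst or None, ts)


def _expire(q: deque, now: int, window: int,
            key: Callable = lambda item: item) -> None:
    """Drop entries older than the window from the left of the deque."""
    while q and now - key(q[0]) > window:
        q.popleft()


def correlate(events: List[AuthEvent]) -> List[Match]:
    """Return rule matches in time order.

    The two counting rules fire once per source (and destination, where the
    rule is per host) so one brute-force run yields one match, not hundreds.
    """
    per_pair = defaultdict(deque)    # (src, dst) -> failure timestamps
    per_src = defaultdict(deque)     # src -> (ts, dst) of failures
    fired = set()
    matches: List[Match] = []
    for e in sorted(events, key=lambda x: x.ts):
        pair_q = per_pair[(e.src, e.dst)]
        _expire(pair_q, e.ts, SINGLE_HOST_WINDOW)
        if e.success:
            if len(pair_q) >= FOLLOWED_BY_SUCCESS_FAILURES:
                matches.append(("Login Failures Followed By Success", e.src, e.dst, e.ts))
                pair_q.clear()
            continue
        pair_q.append(e.ts)
        if len(pair_q) >= SINGLE_HOST_FAILURES and ("single", e.src, e.dst) not in fired:
            fired.add(("single", e.src, e.dst))
            matches.append(("Repeated Login Failures, Single Host", e.src, e.dst, e.ts))
        src_q = per_src[e.src]
        src_q.append((e.ts, e.dst))
        _expire(src_q, e.ts, MULTI_HOST_WINDOW, key=lambda item: item[0])
        if (len(src_q) > MULTI_HOST_FAILURES
                and len({dst for _, dst in src_q}) > MULTI_HOST_FAILURES
                and ("multi", e.src) not in fired):
            fired.add(("multi", e.src))
            matches.append(("Login Failures Across Multiple Hosts", e.src, None, e.ts))
    return matches


def sample_events() -> List[AuthEvent]:
    """Constructed stream: a brute force that succeeds, a password spray
    across five hosts, and a user who mistypes twice and then logs in."""
    base = 1_700_000_000
    ev = [AuthEvent(base + 15 * i, "203.0.113.9", "10.0.0.20", False) for i in range(8)]
    ev.append(AuthEvent(base + 130, "203.0.113.9", "10.0.0.20", True))
    ev += [AuthEvent(base + 60 * i, "198.51.100.4", f"10.0.0.{30 + i}", False) for i in range(5)]
    ev += [AuthEvent(base + 10, "10.0.5.5", "10.0.0.40", False),
           AuthEvent(base + 20, "10.0.5.5", "10.0.0.40", False),
           AuthEvent(base + 30, "10.0.5.5", "10.0.0.40", True)]
    return ev


if __name__ == "__main__":
    for rule, src, dst, ts in correlate(sample_events()):
        print(f"{ts} {rule}: {src} -> {dst}")
```

The spraying source never fails seven times against one host and the brute-forcing source only ever touches one destination, so each is caught by exactly one of the two counting rules; the user who mistypes twice stays under the assumed three-failure floor and produces nothing.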

Default-Rule-Botnet: Potential Botnet Connection (DNS)

Botnet,Exploit Event False Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts since the laptops may attempt to communicate with another IDPs DNS server. If this occurs, define the ISPs DNS server in the Default-BB-HostDefinition: DNS Servers building block.

Default-Rule-Botnet: Potential Botnet Connection (IRC)

Botnet Event False Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.

Default-Rule-Botnet: Potential Botnet Events Become Offenses

Botnet Event True Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-CategoryDefinitions: Access Denied

CategoryDefinition

Event True Reports events in different Access Denied categories.

Default-Rule-CategoryDefinitions: Session Closed

CategoryDefinition, Malware

Event True Reports all Session Closed events by categories.

Default-Rule-CategoryDefinitions: Session Opened

CategoryDefinition, Malware

Event True Reports all Session Opened events by categories.

Default-Rule-CategoryDefinitions: Virus Detected

CategoryDefinition, Malware

Event True Reports all virus detection events.

Table C-9 Default Rules (continued)

Rule GroupRule Type Enabled Description

STRM Administration Guide

Page 318: Strm Admin

310 UNIVERSITY TEMPLATE DEFAULTS

Default-Rule-CategoryDefinitions: System Errors and Failures
  Group: Category Definitions | Type: Event | Enabled: True
  Description: Reports events that may indicate a system error or failure.

Default-Rule-CategoryDefinitions: VPN Access Denied
  Group: CategoryDefinition | Type: Event | Enabled: True
  Description: Reports VPN events that are considered Denied Access events.

Default-Rule-CategoryDefinitions: Database Access Denied
  Group: CategoryDefinition | Type: Event | Enabled: True
  Description: Reports database events that indicate denied access.

Default-Rule-CategoryDefinitions: Database Access Permitted
  Group: CategoryDefinition | Type: Event | Enabled: True
  Description: Reports database events that indicate permitted access.

Default-Rule-CategoryDefinitions: VPN Access Accepted
  Group: CategoryDefinition | Type: Event | Enabled: True
  Description: Reports VPN events that indicate permitted access.

Default-Rule-Compliance: Compliance Events Become Offenses
  Group: Compliance | Type: Event | Enabled: False
  Description: Reports compliance-based events, such as clear-text passwords.

Default-Rule-Compliance: Excessive Failed Logins to Compliance IS
  Group: Compliance | Type: Event | Enabled: False
  Description: Reports excessive authentication failures to a compliance server within 10 minutes.

Default-Rule-Database: Attempted Configuration Modification by a remote host
  Group: Database, Compliance | Type: Event | Enabled: False
  Description: Reports when a configuration modification is attempted on a database server from a remote network.

Default-Rule-Database: Concurrent Logins from Multiple Locations
  Group: Database, Compliance | Type: Event | Enabled: True
  Description: Reports when several authentications to a database server occur across many remote IP addresses.

Default-Rule-Database: Failures Followed by User Changes
  Group: Database, Compliance | Type: Event | Enabled: True
  Description: Reports when there are failures followed by the addition or change of a user account.

Default-Rule-Database: Groups changed from Remote Host
  Group: Database, Compliance | Type: Event | Enabled: True
  Description: Monitors changes to groups on a database when the change is initiated from a remote network.

Default-Rule-Database: Multiple Database Failures Followed by Success
  Group: Database, Compliance | Type: Event | Enabled: True
  Description: Reports when there are multiple database failures followed by a success within a short period of time.

Default-Rule-Database: Remote Login Failure
  Group: Database, Compliance | Type: Event | Enabled: True
  Description: Increases the severity of a failed login attempt to a database from a remote network.

Default-Rule-Database: Remote Login Success
  Group: Database, Compliance | Type: Event | Enabled: True
  Description: Reports when a successful authentication to a database server occurs from a remote network.

Default-Rule-Database: User Rights Changed from Remote Host
  Group: Database, Compliance | Type: Event | Enabled: True
  Description: Reports when changes to user privileges occur on a database from a remote network.

Default-Rule-DDoS Attack Detected
  Group: D/DoS | Type: Event | Enabled: False
  Description: Reports network Distributed Denial of Service (DDoS) attacks on a system.

Default-Rule-DeviceDefinitions: Access/Authentication/Audit
  Group: DeviceDefinition | Type: Event | Enabled: True
  Description: Reports all access, authentication, and audit devices.

Default-Rule-DeviceDefinitions: AntiVirus
  Group: DeviceDefinition | Type: Event | Enabled: True
  Description: Reports all antivirus services on the system.

Default-Rule-DeviceDefinitions: Application
  Group: DeviceDefinition | Type: Event | Enabled: True
  Description: Reports all application and OS devices on the network.

Default-Rule-DeviceDefinitions: Database
  Group: DeviceDefinition | Type: Event | Enabled: True
  Description: Reports all databases on the system.

Default-Rule-DeviceDefinitions: FW/Router/Switch
  Group: DeviceDefinition | Type: Event | Enabled: True
  Description: Reports all firewalls (FW), routers, and switches on the network.

Default-Rule-DeviceDefinitions: IDS/IPS
  Group: DeviceDefinition | Type: Event | Enabled: True
  Description: Reports all IDS and IPS devices on the network.

Default-Rule-DeviceDefinitions: VPN
  Group: DeviceDefinition | Type: Event | Enabled: True
  Description: Reports all VPNs on the network.

Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks
  Group: D/DoS | Type: Event | Enabled: True
  Description: If a low-rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.

Default-Rule-DoS: DoS Events from Darknet
  Group: D/DoS | Type: Event | Enabled: False
  Description: Reports when DoS attack events are identified on Darknet network ranges.

Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses
  Group: D/DoS | Type: Event | Enabled: False
  Description: Reports when offenses are created for DoS-based events with high magnitude.

Default-Rule-DoS: DoS Events with High Magnitude Become Offenses
  Group: D/DoS | Type: Event | Enabled: True
  Description: This rule forces the creation of an offense for DoS-based events with a high magnitude.

Default-Rule-DoS: Increase Magnitude of High Rate Attacks
  Group: D/DoS | Type: Event | Enabled: True
  Description: If a high-rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.

Default-Rule-DoS: Network DoS Attack Detected
  Group: D/DoS | Type: Event | Enabled: True
  Description: Reports network Denial of Service (DoS) attacks on a system.

Default-Rule-DoS: Service DoS Attack Detected
  Group: D/DoS | Type: Event | Enabled: True
  Description: Reports a DoS attack against a local target that is known to exist and whose target port is open.

Default-Rule-Exploit: All Exploits Become Offenses
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports exploit attack events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.

Default-Rule-Exploit: Attacker Vulnerable to any Exploit
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.

Default-Rule-Exploit: Attack followed by Attack Response
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.

Default-Rule-Exploit: Attacker Vulnerable to this Exploit
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.

Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.

Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets
  Group: Exploit | Type: Event | Enabled: True
  Description: Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.

Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses
  Group: Exploit | Type: Event | Enabled: False
  Description: This rule forces the creation of offenses for exploit-based events with a high magnitude.

Default-Rule-Exploit: Exploits Followed by Firewall Accepts
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.

Default-Rule-Exploit: Multiple Exploit Types Against Single Target
  Group: Exploit | Type: Event | Enabled: True
  Description: Reports attempts to exploit a single target using multiple types of attacks from one or more attackers.

Default-Rule-Exploit: Multiple Vector Attacker
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.

Default-Rule-Exploit: Potential VoIP Toll Fraud
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This activity could indicate that unauthorized users are executing VoIP sessions on your network.

Default-Rule-Exploit: Recon followed by Exploit
  Group: Exploit | Type: Event | Enabled: True
  Description: Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit
  Group: Exploit | Type: Event | Enabled: True
  Description: Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack.

Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port
  Group: Exploit | Type: Event | Enabled: True
  Description: Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack on a different port.

Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port
  Group: Exploit | Type: Event | Enabled: False
  Description: Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to some attack, but not the one being attempted.

Default-Rule-FalsePositive: False Positive Rules and Building Blocks
  Group: False Positive | Type: Event | Enabled: True
  Description: Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but are also dropped. If you add any new building blocks or rules to prevent events from becoming offenses, you must add those new rules or building blocks to this rule.

Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses
  Group: Malware | Type: Event | Enabled: False
  Description: Enable this rule if you want all events categorized as backdoors, viruses, and trojans to create an offense.

Default-Rule-Malware: Local Host Sending Malware
  Group: Malware, Policy | Type: Event | Enabled: False
  Description: Reports malware being sent from local hosts.

Default-Rule-Malware: Treat Key Loggers as Offenses
  Group: Malware | Type: Event | Enabled: False
  Description: Enable this rule if you want all events categorized as key loggers to create offenses.

Default-Rule-Malware: Treat Non-Spyware Malware as Offenses
  Group: Malware | Type: Event | Enabled: False
  Description: Reports non-spyware malware attack events. Enable this rule if you want all events categorized as malware to create an offense.

Default-Rule-Malware: Treat Spyware and Virus as Offenses
  Group: Malware | Type: Event | Enabled: False
  Description: Reports spyware or virus events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.

Default-Rule-NetworkDefinition: Local to Local
  Group: Network Definition | Type: Event | Enabled: True
  Description: Reports events that are considered Local-to-Local (L2L).

Default-Rule-NetworkDefinition: Local to Remote
  Group: Network Definition | Type: Event | Enabled: True
  Description: Reports events that are considered Local-to-Remote (L2R).

Default-Rule-NetworkDefinition: Remote to Local
  Group: Network Definition | Type: Event | Enabled: True
  Description: Reports events that are considered Remote-to-Local (R2L).

Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic
  Group: Policy | Type: Event | Enabled: False
  Description: Reports Instant Messenger traffic, or any event categorized as Instant Messenger traffic, where the source is local and the destination is remote.

Default-Rule-Policy: Create Offenses for All P2P Usage
  Group: Policy | Type: Event | Enabled: False
  Description: Reports P2P traffic or any event categorized as P2P.

Default-Rule-Policy: Create Offenses for All Policy Events
  Group: Policy, Compliance | Type: Event | Enabled: False
  Description: Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.

Default-Rule-Policy: Create Offenses for All Porn Usage
  Group: Policy | Type: Event | Enabled: False
  Description: Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.

Default-Rule-Policy: Host has SANS Top 20 Vulnerability
  Group: Policy | Type: Event | Enabled: False
  Description: This rule warns that the asset identified in an event is vulnerable to a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/).

Default-Rule-Policy: Local P2P Server Detected
  Group: Policy | Type: Event | Enabled: False
  Description: Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.

Default-Rule-Policy: New Host Discovered
  Group: Policy | Type: Event | Enabled: False
  Description: Reports when a new host has been discovered on the network.

Default-Rule-Policy: New Host Discovered in DMZ
  Group: Authentication, Compliance | Type: Event | Enabled: False
  Description: Reports when a new host has been discovered in the DMZ.

Default-Rule-Policy: New Service Discovered
  Group: Policy | Type: Event | Enabled: False
  Description: Reports when an existing host has a newly discovered service.

Default-Rule-Policy: Potential Tunneling
  Group: Policy | Type: Event | Enabled: False
  Description: This rule identifies potential tunneling that can be used to bypass policy or security controls.

Default-Rule-Policy: New Service Discovered in DMZ
  Group: Authentication, Compliance | Type: Event | Enabled: False
  Description: Reports when a new service has been discovered in the DMZ.

Default-Rule-Policy: Upload to Local WebServer
  Group: Policy | Type: Event | Enabled: False
  Description: Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block.

Default-Rule-Recon: Aggressive Local Scanner Detected
  Group: Recon | Type: Event | Enabled: True
  Description: Reports an aggressive scan from a local source IP address scanning other local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system.

Default-Rule-Recon: Aggressive Remote Scanner Detected
  Group: Recon | Type: Event | Enabled: True
  Description: Reports an aggressive scan from a remote source IP address scanning other local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system.

Default-Rule-Recon: Excessive Firewall Denies From Local Host
  Group: Recon | Type: Event | Enabled: True
  Description: Reports excessive denied attempts from a local host to access the firewall. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.

Default-Rule-Recon: Excessive Firewall Denies From Remote Host
  Group: Recon | Type: Event | Enabled: True
  Description: Reports excessive denied attempts from a remote host to access the firewall. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.

Default-Rule-Recon: Host Port Scan Detected by Local Host
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a single source IP address scanning more than 50 ports in under 3 minutes.

Default-Rule-Recon: Host Port Scan Detected by Remote Host
  Group: Recon | Type: Event | Enabled: True
  Description: Reports when more than 50 ports were scanned from a single source IP address in under 3 minutes.

Default-Rule-Recon: Increase Magnitude of High Rate Scans
  Group: Recon | Type: Event | Enabled: True
  Description: If a high-rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.

Default-Rule-Recon: Increase Magnitude of Medium Rate Scans
  Group: Recon | Type: Event | Enabled: True
  Description: If a medium-rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.

Default-Rule-Recon: Local LDAP Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Database Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Default-Rule-Recon: Local DHCP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local DNS Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local FTP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Local Game Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local ICMP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local IM Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local IRC Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.

Default-Rule-Recon: Local Mail Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local P2P Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Proxy Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local RPC Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Scanner Detected
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a scan from a local host against other hosts or remote targets. At least 60 hosts were scanned within 10 minutes. This activity used a protocol other than TCP, UDP, or ICMP.

Default-Rule-Recon: Local SNMP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local SSH Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Local Suspicious Probe Events Detected
  Group: Recon | Type: Event | Enabled: False
  Description: Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.

Default-Rule-Recon: Local TCP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local UDP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Web Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local Windows Scanner to Internet
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections more than 5 times, across more than 60 destination IP addresses, within 20 minutes.

Default-Rule-Recon: Local Windows Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports more than 5 times, across more than 200 destination IP addresses, within 20 minutes.

Default-Rule-Recon: Recon Followed by Accept
  Group: Recon | Type: Event | Enabled: False
  Description: Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.

Default-Rule-Recon: Remote Database Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Default-Rule-Recon: Remote DHCP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote DNS Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote FTP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote Game Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote ICMP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local IM Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Local IRC Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.

Default-Rule-Recon: Remote LDAP Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.

Default-Rule-Recon: Remote Mail Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote P2P Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote Proxy Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote RPC Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote Scanner Detected
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a scan from a remote host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity used a protocol other than TCP, UDP, or ICMP.

Default-Rule-Recon: Remote SNMP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.

Default-Rule-Recon: Remote SSH Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.

Default-Rule-Recon: Remote Suspicious Probe Events Detected
  Group: Recon | Type: Event | Enabled: False
  Description: Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the targets.

Default-Rule-Recon: Remote TCP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote UDP Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote Web Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Remote Windows Server Scanner
  Group: Recon | Type: Event | Enabled: True
  Description: Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.

Default-Rule-Recon: Single Merged Recon Events
  Group: Recon | Type: Event | Enabled: True
  Description: Reports merged reconnaissance events generated by some devices. This rule causes all of these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.

Default-Rule-System-Notification
  Group: not listed | Type: Event | Enabled: True
  Description: This rule ensures that notification events are sent to the notification framework.

Default-Rule-System: 100% Accurate Events
  Group: System | Type: Event | Enabled: True
  Description: Creates an offense when an event matches a 100% accurate signature for a successful compromise.

Default-Rule-System: Critical System Events
  Group: System | Type: Event | Enabled: False
  Description: Reports when STRM detects a critical event.

Default-Rule-System: Device Stopped Sending Events
  Group: System | Type: Event | Enabled: False
  Description: Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add the devices you want to monitor.

Default-Rule-System: Host Based Failures
  Group: System | Type: Event | Enabled: False
  Description: Reports when STRM detects events that indicate failures within services or hardware.

Default-Rule-System: Load Building Blocks
  Group: System | Type: Event | Enabled: True
  Description: Loads the building blocks (BBs) that need to run to assist with reporting. This rule has no actions or responses.

Default-Rule-Recon: Multiple System Errors
  Group: System | Type: Event | Enabled: False
  Description: Reports when a source has 10 system errors within 3 minutes.

Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner
  Group: Compliance | Type: Event | Enabled: False
  Description: Reports when a vulnerability is discovered on a local host.

Default-Rule-WormsDetection: Local Mass Mailing Host Detected
  Group: Worms | Type: Event | Enabled: False
  Description: Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass-mailing worm.

Default-Rule-WormsDetection: Possible Local Worm Detected
  Group: Worms | Type: Event | Enabled: True
  Description: Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan.

Default-Rule-WormsDetection: Worm Detected (Events)
  Group: Worms | Type: Event | Enabled: True
  Description: Reports exploit or worm activity on a system for local-to-local or local-to-remote traffic.

Default Building Blocks

Default building blocks for the University template include:

Table C-10 Default Building Blocks

Columns: Building Block; Group; Block Type; Description; Associated Building Blocks (if applicable)

Default-BB-BehaviorDefinition: Post Compromise Activities
  Group: Category Definitions | Block Type: Event
  Description: Edit this BB to include categories that are considered part of the events detected after a typical compromise.

Default-BB-CategoryDefinition: Authentication Failures
  Group: Category Definitions, Compliance | Block Type: Event
  Description: Edit this BB to include all events that indicate an unsuccessful attempt to access the network.

Default-BB-CategoryDefinition: Authentication Success
  Group: Category Definitions, Compliance | Block Type: Event
  Description: Edit this BB to include all events that indicate successful attempts to access the network.

Default-BB-CategoryDefinition: Authentication to Disabled Account
  Group: Category Definitions, Compliance | Block Type: Event
  Description: Edit this BB to include all events that indicate failed attempts to access the network using a disabled account.

Default-BB-CategoryDefinition: Authentication to Expired Account
  Group: Category Definitions, Compliance | Block Type: Event
  Description: Edit this BB to include all events that indicate failed attempts to access the network using an expired account.

Default-BB-CategoryDefinition: Authentication User or Group Added or Changed
  Group: Category Definitions, Compliance | Block Type: Event
  Description: Edit this building block to include all events that indicate a modification to accounts or groups.

Default-BB-CategoryDefinition: Countries with no Remote Access
  Group: Category Definitions | Block Type: Event
  Description: Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule.

Default-BB-CategoryDefinition: Database Connections
  Group: Category Definitions | Block Type: Event
  Description: Edit this BB to define successful logins to databases. You may need to add additional device types to this BB.

Default-BB-CategoryDefinition: DDoS Attack
  Group: Category Definitions | Block Type: Event
  Description: Edit this BB to include all event categories that you want to categorize as a DDoS attack.

Default-BB-CategoryDefinition: Exploits, Backdoors, and Trojans
  Group: Category Definitions | Block Type: Event
  Description: Edit this BB to include all events that are typically exploits, backdoors, or trojans.

Default-BB-CategoryDefinition: Failure Service or Hardware
  Group: Category Definitions, Compliance | Block Type: Event
  Description: Edit this BB to include all events that indicate a failure within a service or hardware.

Default-BB-CategoryDefinition: Firewall or ACL Accept

Category Definitions

Event Edit this BB to include all events that indicate access to the firewall.

Default-BB-CategoryDefinition: Firewall or ACL Denies

Category Definitions

Event Edit this BB to include all events that indicate unsuccessful attempts to access the firewall.

Default-BB-CategoryDefinition: Firewall System Errors

Category Definitions

Event Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices:

• CheckPoint
• Generic Firewall
• Iptables
• NetScreen Firewall
• Cisco Pix

Default-BB-CategoryDefinition: Flow Events

Category Definitions

Event Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine.

Default-BB-CategoryDefinition: High Magnitude Events

Category Definitions

Event Edit this BB to set the severity, credibility, and relevance levels at which you want an event to be generated. The defaults are:

• Severity = 6
• Credibility = 7
• Relevance = 7

Default-BB-CategoryDefinitions: KeyLoggers

Category Definitions

Event Edit this BB to include all events that are typically exploits, backdoors, or trojans.

Default-BB-CategoryDefinition: Mail Policy Violation

Category Definitions, Compliance

Event Edit this BB to define mail policy violations.

Default-BB-CategoryDefinition: Malware Annoyances

Category Definitions

Event Edit this BB to include event categories that are typically associated with spyware infections.

Default-BB-CategoryDefinition: Network DoS Attack

Category Definitions

Event Edit this BB to include all event categories that you want to categorize as a network DoS attack.

Table C-10 Default Building Blocks (continued)

Building Block    Group    Block Type    Description    Associated Building Blocks, if applicable

Default Building Blocks 323

Default-BB-CategoryDefinition: Policy Events

Category Definitions, Compliance

Event Edit this BB to include all event categories that may indicate a violation to network policy.

Default-BB-CategoryDefinition: Post Exploit Account Activity

Category Definitions

Event Edit this BB to include all event categories that may indicate exploits to accounts.

Default-BB-CategoryDefinition: Rate Analysis Marked Events

Category Definitions

Event STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Edit this BB to include events that are marked with rate analysis.

Default-BB-CategoryDefinition: Recon Events

Category Definitions

Event Edit this BB to include all events that indicate reconnaissance activity.

Default-BB-CategoryDefinition: Service DoS

Category Definitions

Event Edit this BB to define Denial of Service (DoS) attack events.

Default-BB-CategoryDefinition: Suspicious Events

Category Definitions

Event Edit this BB to include all events that indicate suspicious activity.

Default-BB-CategoryDefinition: System Configuration

Category Definitions, Malware

Event Edit this BB to define system configuration events.

Default-BB-CategoryDefinition: Upload to Local WebServer

Category Definitions

Event Typically, most networks are configured to restrict applications that use the PUT method running on their web application servers. This BB detects if a remote host has used this method on a local server. The BB could be duplicated to also detect other unwanted methods or for local hosts using the method connecting to remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule.

Default-BB-CategoryDefinition: VoIP Authentication Failure Events

Category Definitions

Event Edit this BB to include all events that indicate a VoIP login failure.

Default-BB-CategoryDefinition: VoIP Session Opened

Category Definitions

Event Edit this BB to include all events that indicate the start of a VoIP session.

Default-BB-CategoryDefinition: Windows Compliance Events

Category Definitions, Compliance

Event Edit this BB to include all event categories that indicate compliance events.

Default-BB-CategoryDefinition: Worm Events

Category Definitions

Event Edit this BB to define worm events. This BB only applies to events not detected by a custom rule.

Default-BB-ComplianceDefinition: GLBA Servers

Compliance, Host Definitions

Event Edit this BB to include your GLBA IP systems. You must then apply this BB to rules related to failed logins, remote access, etc.

Default-BB-ComplianceDefinition: HIPAA Servers

Compliance, Host Definitions

Event Edit this BB to include your HIPAA Servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc.

Default-BB-ComplianceDefinition: SOX Servers

Compliance, Host Definitions

Event Edit this BB to include your SOX IP Servers. You must then apply this BB to rules related to failed logins, remote access, etc.

Default-BB-ComplianceDefinition: PCI DSS Servers

Compliance, Host Definitions, Response

Event Edit this BB to include your PCI DSS servers by IP address. You must apply this BB to rules related to failed logins, remote access, etc.

Default-BB-Database: System Action Allow

Category Definitions, Compliance

Event Edit this BB to include any events that indicate successful actions within a database.

Default-BB-Database: System action Deny

Category Definitions, Compliance

Event Edit this BB to include any events that indicate unsuccessful actions within a database.

Default-BB-Database: User Addition or Change

Category Definitions, Compliance

Event Edit this BB to include events that indicate the successful addition or change of user privileges.

Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates

Category Definitions

Event Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates.

Default-BB-FalseNegative: Events That Indicate Successful Compromise

False Positive

Event Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy.

Default-BB-FalsePositive: All Default False Positive Building Blocks

False Positive

Event Edit this BB to include all false positive building blocks.

All Default-BB-FalsePositive building blocks

Default-BB-FalsePositive: Broadcast Address False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from the broadcast address space.

Default-BB-FalsePositive: Database Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block.

Default-BB-HostDefinition: Database Servers

Default-BB-FalsePositive: Database Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block.

Default-BB-HostDefinition: Database Servers

Default-BB-FalsePositive: Device and Specific Event

False Positive

Event Edit this BB to include the devices and QID of devices that continually generate false positives.

Default-BB-FalsePositive: DHCP Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block.

Default-BB-HostDefinition: DHCP Servers

Default-BB-FalsePositive: DHCP Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block.

Default-BB-HostDefinition: DHCP Servers

Default-BB-FalsePositive: DNS Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from DNS based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block.

Default-BB-HostDefinition: DNS Servers

Default-BB-FalsePositive: DNS Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block.

Default-BB-HostDefinition: DNS Servers

Default-BB-FalsePositive: Firewall Deny False Positive Events

False Positive

Event Edit this BB to define firewall deny events that are false positives.

Default-BB-FalsePositive: FTP Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from FTP based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block.

Default-BB-HostDefinition: FTP Servers

Default-BB-FalsePositive: FTP False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block.

Default-BB-HostDefinition: FTP Servers

Default-BB-FalsePositive: Global False Positive Events

False Positive

Event Edit this BB to include any event QIDs that you want to ignore.

Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers.

Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers.

Default-BB-FalsePositive: LDAP Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block.

Default-BB-HostDefinition: LDAP Servers

Default-BB-FalsePositive: LDAP Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block.

Default-BB-HostDefinition: LDAP Servers

Default-BB-FalsePositive: Large Volume Local FW Events

False Positive

Event Edit this BB to define specific events that can create a large volume of false positives in general rules.

Default-BB-FalsePositive: Mail Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block.

Default-BB-HostDefinition: Mail Servers

Default-BB-FalsePositive: Mail Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block.

Default-BB-HostDefinition: Mail Servers

Default-BB-FalsePositive: Network Management Servers Recon

False Positive

Event Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block.

Default-BB-HostDefinition: Network Management Servers

Default-BB-FalsePositive: Proxy Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block.

Default-BB-HostDefinition: Proxy Servers

Default-BB-FalsePositive: Proxy Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block.

Default-BB-HostDefinition: Proxy Servers

Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers.

Default-BB-FalsePositive: RPC Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block.

Default-BB-HostDefinition: RPC Servers

Default-BB-FalsePositive: RPC Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block.

Default-BB-HostDefinition: RPC Servers

Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block.

Default-BB-HostDefinition: SNMP Servers

Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block.

Default-BB-HostDefinition: SNMP Servers

Default-BB-FalsePositive: Source IP and Specific Event

False Positive

Event Edit this BB to include source IP addresses or specific events that you want to remove.

Default-BB-FalsePositive: SSH Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.

Default-BB-HostDefinition: SSH Servers

Default-BB-FalsePositive: SSH Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.

Default-BB-HostDefinition: SSH Servers

Default-BB-FalsePositive: Syslog Sender False Positive Categories

False Positive

Event Edit this BB to define all false positive categories that occur to or from syslog sources.

Default-BB-HostDefinition: Syslog Servers and Senders

Default-BB-FalsePositive: Syslog Sender False Positive Events

False Positive

Event Edit this BB to define all false positive events that occur to or from syslog sources or destinations.

Default-BB-HostDefinition: Syslog Servers and Senders

Default-BB-FalsePositive: Virus Definition Update Categories

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block.

Default-BB-HostDefinition: Virus Definition

Default-BB-FalsePositive: Web Server False Positive Categories

False Positive

Event Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.

Default-BB-HostDefinition: Web Servers

Default-BB-FalsePositive: Web Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from Web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.

Default-BB-HostDefinition: Web Servers

Default-BB-FalsePositive: Windows Server False Positive Categories Local

False Positive

Event Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.

Default-BB-HostDefinition: Windows Servers

Default-BB-FalsePositive: Windows Server False Positive Events

False Positive

Event Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.

Default-BB-HostDefinition: Windows Servers

Default-BB-HostBased: Critical Events

Category Definitions, Compliance

Event Edit this BB to define event categories that indicate critical events.

Default-BB-HostDefinition: Database Servers

Host Definitions

Event Edit this BB to define typical database servers.

Default-BB-FalsePositive: Database Server False Positive Categories
Default-BB-FalsePositive: Database Server False Positive Events

Default-BB-HostDefinition: DHCP Servers

Host Definitions

Event Edit this BB to define typical DHCP servers.

Default-BB-FalsePositive: DHCP Server False Positive Categories
Default-BB-FalsePositive: DHCP Server False Positive Events

Default-BB-HostDefinition: DNS Servers

Host Definitions

Event Edit this BB to define typical DNS servers.

Default-BB-FalsePositive: DNS Server False Positive Categories
Default-BB-FalsePositive: DNS Server False Positive Events

Default-BB-HostDefinition: FTP Servers

Host Definitions

Event Edit this BB to define typical FTP servers.

Default-BB-FalsePositive: FTP Server False Positive Categories
Default-BB-FalsePositive: FTP False Positive Events

Default-BB-HostDefinition: Host with Port Open

Host Definitions

Event Edit this BB to include a host and port that is actively or passively seen.

Default-BB-HostDefinition: LDAP Servers

Host Definitions

Event Edit this BB to define typical LDAP servers.

Default-BB-FalsePositive: LDAP Server False Positive Categories
Default-BB-FalsePositive: LDAP Server False Positive Events

Default-BB-HostDefinition: Mail Servers

Host Definitions

Event Edit this BB to define typical mail servers.

Default-BB-FalsePositive: Mail Server False Positive Categories
Default-BB-FalsePositive: Mail Server False Positive Events

Default-BB-HostDefinition: Network Management Servers

Host Definitions

Event Edit this BB to define typical network management servers.

Default-BB-HostDefinition: Proxy Servers

Host Definitions

Event Edit this BB to define typical proxy servers.

Default-BB-FalsePositive: Proxy Server False Positive Categories
Default-BB-FalsePositive: Proxy Server False Positive Events

Default-BB-HostDefinition: RPC Servers

Host Definitions

Event Edit this BB to define typical RPC servers.

Default-BB-FalsePositive: RPC Server False Positive Categories
Default-BB-FalsePositive: RPC Server False Positive Events

Default-BB-HostDefinition: Servers

Host Definitions

Event Edit this BB to define generic servers.

Default-BB-HostDefinition: SNMP Sender or Receiver

Host Definitions

Event Edit this BB to define SNMP senders or receivers.

Default-BB-PortDefinition: SNMP Ports

Default-BB-HostDefinition: SSH Servers

Host Definitions

Event Edit this BB to define typical SSH servers.

Default-BB-FalsePositive: SSH Server False Positive Categories
Default-BB-FalsePositive: SSH Server False Positive Events

Default-BB-HostDefinition: Syslog Servers and Senders

Host Definitions

Event Edit this BB to define typical hosts that send or receive syslog traffic.

Default-BB-FalsePositive: Syslog Server False Positive Categories
Default-BB-FalsePositive: Syslog Server False Positive Events

Default-BB-HostDefinition: VA Scanner Source IP

Host Definitions

Event Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2.

Default-BB-HostDefinition: Virus Definition and Other Update Servers

Host Definitions

Event Edit this BB to include all servers that include virus protection and update functions.

Default-BB-HostDefinition: VoIP IP PBX Server

Host Definitions

Event Edit this BB to define typical VoIP IP PBX servers.

Default-BB-HostDefinition: Web Servers

Host Definitions

Event Edit this BB to define typical web servers.

Default-BB-FalsePositive: Web Server False Positive Categories
Default-BB-FalsePositive: Web Server False Positive Events

Default-BB-HostDefinition: Windows Servers

Host Definitions

Event Edit this BB to define typical Windows servers, such as domain controllers or exchange servers.

Default-BB-FalsePositive: Windows Server False Positive Categories Local
Default-BB-FalsePositive: Windows Server False Positive Events

Default-BB-NetworkDefinition: Broadcast Address Space

Network Definition

Event Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages.

Default-BB-NetworkDefinition: Client Networks

Network Definition

Event Edit this BB to include all networks that include client hosts.

Default-BB-NetworkDefinition: Darknet Addresses

Network Definition

Event Edit this BB to include networks that you want to add to a Darknet list.

Default-BB-NetworkDefinition: DLP Addresses

Network Definition

Event Edit this BB to include networks that you want to add to a data loss prevention (DLP) list.

Default-BB-NetworkDefinition: Honeypot like Addresses

Network Definition

Event Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.

Default-BB-NetworkDefinition: NAT Address Range

Network Definition

Event Edit this BB to define the typical Network Address Translation (NAT) range you want to use in your deployment.

Default-BB-NetworkDefinition: Server Networks

Network Definition

Event Edit this BB to include the networks where your servers are located.

Default-BB-NetworkDefinition: Undefined IP Space

Network Definition

Event Edit this BB to include areas of your network that do not contain any valid hosts.

Default-BB-NetworkDefinition: Watch List Addresses

Network Definition

Event Edit this BB to include networks that should be added to a watch list.

Default-BB-Policy: Application Policy Violation Events

Policy

Event Edit this BB to define policy application and violation events.

Default-BB-Policy: IRC/IM Connection Violations

Policy

Event Edit this BB to define all policy IRC/IM connection violations.

Default-BB-Policy: Policy P2P

Policy

Event Edit this BB to include all events that indicate Peer-to-Peer (P2P) events.

Default-BB-PortDefinition: Database Ports

Port\Protocol Definition

Event Edit this BB to include all common database ports.

Default-BB-PortDefinition: DHCP Ports

Port\Protocol Definition

Event Edit this BB to include all common DHCP ports.

Default-BB-PortDefinition: DNS Ports

Port\Protocol Definition

Event Edit this BB to include all common DNS ports.

Default-BB-PortDefinition: FTP Ports

Port\Protocol Definition

Event Edit this BB to include all common FTP ports.

Default-BB-PortDefinition: Game Server Ports

Port\Protocol Definition

Event Edit this BB to include all common game server ports.

Default-BB-PortDefinition: IM Ports

Compliance, Port\Protocol Definition

Event Edit this BB to include all common IM ports.

Default-BB-PortDefinition: IRC Ports

Port\Protocol Definition

Event Edit this BB to include all common IRC ports.

Default-BB-PortDefinition: LDAP Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by LDAP servers.

Default-BB-PortDefinition: Mail Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by mail servers.

Default-BB-PortDefinition: P2P Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers.

Default-BB-PortDefinition: Proxy Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by proxy servers.

Default-BB-PortDefinition: RPC Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by RPC servers.

Default-BB-PortDefinition: SNMP Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by SNMP servers.

Default-BB-PortDefinition: SSH Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by SSH servers.

Default-BB-PortDefinition: Syslog Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by the syslog servers.

Default-BB-PortDefinition: Web Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by Web servers.

Default-BB-PortDefinition: Windows Ports

Port\Protocol Definition

Event Edit this BB to include all common ports used by Windows servers.

Default-BB-ProtocolDefinition: Windows Protocols

Port\Protocol Definition

Event Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules.

Default-BB-ReconDetected: All Recon Rules

Recon

Event Define all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed, for example, reconnaissance followed by a firewall accept.

Default-BB-ReconDetected: Devices That Merge Recon into Single Event

Recon

Event Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses.

Default-BB-ReconDetected: Host Port Scan

Recon

Event Edit this BB to define reconnaissance scans on hosts in your deployment.

Default-BB-ReconDetected: Port Scan Detected Across Multiple Hosts

Recon

Event Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If internal, this may indicate an exploited machine or a worm scanning for targets.

User-BB-FalsePositive: User Defined False Positives Tunings

User Tuning

Event This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide.

User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories

User Tuning

Event Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.

User-BB-HostDefinition: User Defined Server Type 1

User-BB-FalsePositive: User Defined Server Type 1 False Positive Events

User Tuning

Event Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.

User-BB-HostDefinition: User Defined Server Type 1

User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories

User Tuning

Event Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.

User-BB-HostDefinition: User Defined Server Type 2

User-BB-FalsePositive: User Defined Server Type 2 False Positive Events

User Tuning

Event Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.

User-BB-HostDefinition: User Defined Server Type 2

User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories

User Tuning

Event Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.

User-BB-HostDefinition: User Defined Server Type 3

User-BB-FalsePositive: User Defined Server Type 3 False Positive Events

User Tuning

Event Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.

User-BB-HostDefinition: User Defined Server Type 3

User-BB-HostDefinition: User Defined Server Type 1

User Tuning

Event Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 1 False Positive Events building blocks.

User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories
User-BB-FalsePositive: User Defined Server Type 1 False Positive Events

User-BB-HostDefinition: User Defined Server Type 2

User Tuning

Event Edit this BB to include the IP addresses of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories or the User-BB-FalsePositive: User Defined Server Type 2 False Positive Events building blocks.

User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories
User-BB-FalsePositive: User Defined Server Type 2 False Positive Events

User-BB-HostDefinition: User Defined Server Type 3

User Tuning Event Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositives: User Defined Server Type 3 False Positive Category or the User-BB-False Positives: User Defined Server Type 3 False Positive Events building blocks.

User-BB-FalsePositives: User Defined Server Type 3 False Positive CategoryUser-BB-False Positives: User Defined Server Type 3 False Positive Events


D VIEWING AUDIT LOGS

Changes made by STRM users are recorded in the audit logs. You can view the audit logs to monitor changes to STRM and the users performing those changes.

All audit logs are stored in plain text and are archived and compressed once the audit log file reaches a size of 200 MB. The current log file is named audit.log. Once the file reaches 200 MB, it is compressed and renamed audit.1.gz, audit.2.gz, and so on, with the file number incrementing each time a log file is archived. STRM stores up to 50 archived log files.

This appendix provides information on using the audit logs including:

• Logged Actions

• Viewing the Log File

Logged Actions

STRM logs the following categories of actions in the audit log file:

Table D-1 Logged Actions

Category  Action

User Authentication
  Log in to STRM.
  Log out of STRM.
Administrator Authentication
  Log in to the STRM Administration Console.
  Log out of the STRM Administration Console.
Session Authentication
  Create a new administration session.
  Terminate an administration session.
  Deny an invalid authentication session.
  Expire a session authentication.
  Create an authentication session.
  Terminate an authentication session.
User Authentication
  Deny a login attempt.
Ariel
  Add an Ariel property.
  Delete an Ariel property.
  Edit an Ariel property.
  Add an Ariel property extension.
  Delete an Ariel property extension.
  Edit an Ariel property extension.
Root Login
  Log in to STRM, as root.
  Log out of STRM, as root.
Rules
  Add a rule.
  Delete a rule.
  Edit a rule.
Sentry
  Add a sentry.
  Edit a sentry.
  Delete a sentry.
  Edit a sentry package.
  Edit sentry logic.
User Accounts
  Add an account.
  Edit an account.
  Delete an account.
User Roles
  Add a role.
  Edit a role.
  Delete a role.
Sensor Devices
  Add a sensor device.
  Edit a sensor device.
  Delete a sensor device.
  Add a sensor device group.
  Edit a sensor device group.
  Delete a sensor device group.
  Edit the DSM parsing order.
Sensor Device Extension
  Add a sensor device extension.
  Edit the sensor device extension.
  Delete a sensor device extension.
  Upload a sensor device extension.
  Upload a sensor device extension successfully.
  Upload an invalid sensor device extension.
  Download a sensor device extension.
  Report a sensor device extension.
  Modify a sensor device's association to a device or device type.
Protocol Configuration
  Add a protocol configuration.
  Delete a protocol configuration.
  Edit a protocol configuration.
Flow Sources
  Add a flow source.
  Edit a flow source.
  Delete a flow source.
Offense Manager
  Hide an offense.
  Close an offense.
  Close all offenses.
TNC Recommendations
  Create a recommendation.
  Edit a recommendation.
  Delete a recommendation.
Syslog Forwarding
  Add a syslog forwarding.
  Delete a syslog forwarding.
  Edit a syslog forwarding.
Reports
  Add a template.
  Delete a template.
  Edit a template.
  Execute a template.
  Delete a report.
Groups
  Add a group.
  Delete a group.
  Edit a group.
Backup and Recovery
  Edit the configuration.
  Initiate the backup.
  Complete the backup.
  Fail the backup.
  Delete the backup.
  Synchronize the backup.
  Cancel the backup.
  Initiate the restore.
  Upload a backup.
  Upload an invalid backup.
  Delete the backup.
  Purge the backup.
VIS
  Discover a new host.
  Discover a new operating system.
  Discover a new port.
  Discover a new vulnerability.
Scanner
  Add a scanner.
  Delete a scanner.
  Edit a scanner.
Scanner Schedule
  Add a schedule.
  Edit a schedule.
  Delete a schedule.
SIM
  Clean a SIM model.
Asset
  Delete all assets.
QIDmap
  Add a QID map entry.
  Edit a QID map entry.
Ariel Properties
  Add a custom event property.
  Edit a custom event property.
  Delete a custom property.
Ariel Property Extensions
  Add a custom event property expression.
  Edit a custom event property expression.
  Delete a custom event property expression.
Installation
  Install a .rpm package, such as a DSM update.
License
  Add a license key.
  Edit a license key.

Viewing the Log File

To view the audit logs:

Step 1 Log in to STRM, as root.

Step 2 Go to the following directory: /var/log/audit

Step 3 Open the desired audit log file. Each entry in the log file is displayed in the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>

Note: The maximum size of any audit message (not including date, time, and host name) is 1024 characters.

Where:

<date_time> is the date and time of the activity in the format: Month Date HH:MM:SS.

<host name> is the host name of the Console where this activity was logged.

<user> is the name of the user that performed the action.

<IP address> is the IP address of the user that performed the action.

(thread ID) is the identifier of the Java thread that logged this activity.

<category> is the high-level category of this activity.

<sub-category> is the low-level category of this activity.

<action> is the activity that occurred.

<payload> is the complete record that has changed, if any. This may include a user record or an event rule.

For example:

Nov 6 12:22:31 localhost.localdomain [email protected] (Session) [Authentication] [User] [Login]

Nov 6 12:22:31 localhost.localdomain [email protected] (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, [email protected], userrole=Admin

Nov 13 10:14:44 localhost.localdomain [email protected] (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
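To show how the line format documented above can be consumed during a review, here is an added Python example; it is not code from this guide or from Juniper. It parses lines of the documented shape into their fields, skips lines that do not match, flags entries whose message length reaches the documented 1024-character ceiling (and so may have been cut short), and separates account-change entries whose payload carries a password field, because the second example above shows that an Account Modified payload echoes the stored password hash. The sample lines, the host name, the user@IP values and the payload contents are constructed for this example; the /var/log/audit path and the audit.N.gz naming come from this appendix.

```python
"""Parser and triage helpers for the STRM audit log line format.

Added example, not part of the STRM Administration Guide or Juniper's code.
Sample lines below are constructed; host, user@IP and payload values are invented.
"""
import gzip
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Documented layout:
# <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
LINE_RE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread>[^)]*)\) "
    r"\[(?P<category>[^\]]*)\] "
    r"\[(?P<sub_category>[^\]]*)\] "
    r"\[(?P<action>[^\]]*)\]"
    r"(?: (?P<payload>.*))?$"
)

# Documented maximum message size (everything after date, time and host name).
MAX_MESSAGE_CHARS = 1024


@dataclass
class AuditEntry:
    date_time: str
    host: str
    user: str
    ip: str
    thread: str
    category: str
    sub_category: str
    action: str
    payload: str
    message_chars: int  # length of the text that follows the host name

    def possibly_truncated(self) -> bool:
        """True if the message reached the 1024-character ceiling, so it may be cut short."""
        return self.message_chars >= MAX_MESSAGE_CHARS

    def carries_credential_material(self) -> bool:
        """Account payloads can include a password hash; such entries need careful handling."""
        return re.search(r"\bpassword=", self.payload) is not None


def parse_line(line: str) -> Optional[AuditEntry]:
    """Parse one audit line; returns None for lines that do not match the format."""
    line = line.rstrip("\r\n")
    m = LINE_RE.match(line)
    if m is None:
        return None
    message_start = m.end("host") + 1  # skip the space after the host name
    return AuditEntry(
        date_time=m.group("date_time"), host=m.group("host"),
        user=m.group("user"), ip=m.group("ip"), thread=m.group("thread"),
        category=m.group("category"), sub_category=m.group("sub_category"),
        action=m.group("action"), payload=m.group("payload") or "",
        message_chars=len(line) - message_start,
    )


def read_audit_file(path: str) -> Iterator[str]:
    """Yield lines from audit.log or from a rotated audit.N.gz archive."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh


def parse_lines(lines: Iterable[str]) -> List[AuditEntry]:
    """Parse every line that matches the format and drop the rest."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def action_counts(entries: Iterable[AuditEntry]) -> Dict[str, int]:
    """Count entries per category/sub-category/action for a periodic review."""
    return dict(Counter(f"{e.category}/{e.sub_category}/{e.action}" for e in entries))


def review_flags(entries: Iterable[AuditEntry]) -> Dict[str, List[AuditEntry]]:
    """Group the entries a reviewer usually wants to look at first."""
    flags: Dict[str, List[AuditEntry]] = {"account_changes": [], "credential_payloads": [], "truncated": []}
    for e in entries:
        if e.sub_category == "User Account":
            flags["account_changes"].append(e)
        if e.carries_credential_material():
            flags["credential_payloads"].append(e)
        if e.possibly_truncated():
            flags["truncated"].append(e)
    return flags


# Constructed sample input in the documented shape (values invented for the example).
SAMPLE_LINES = [
    "Nov 6 12:22:31 localhost.localdomain admin@192.0.2.10 (Session) [Authentication] [User] [Login]",
    "Nov 6 12:22:31 localhost.localdomain admin@192.0.2.10 (0) [Configuration] [User Account] "
    "[Account Modified] username=james, password=<hash-placeholder>, networks=ALL, "
    "email=james@example.invalid, userrole=Admin",
    'Nov 13 10:14:44 localhost.localdomain admin@192.0.2.10 (0) [Configuration] [FlowSource] '
    '[FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", '
    'asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), '
    "flowsourceConfig=FlowsourceConfig(id=1))",
    "this line is not in the audit format and is skipped",
]

if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for key, count in sorted(action_counts(parsed).items()):
        print(f"{count:3d}  {key}")
    for entry in review_flags(parsed)["credential_payloads"]:
        print("credential material in payload:", entry.date_time, entry.user, entry.action)
```

To run it over a real system, feed `parse_lines(read_audit_file("/var/log/audit/audit.log"))` and the same for each archived audit.N.gz file. Because an Account Modified payload echoes the stored password hash, review_flags surfaces those entries separately so that copies of the audit log are handled with the same access restrictions as the account store.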


A
administration console
  about 127
  accessing 128
  using 128
administrative e-mail address 37
administrator role 5
Ariel database settings 39
alert directory 40
alert e-mail from address 37
Ariel database 115
asset management role 6
asset profile reporting interval 37
asset profile view 37
asymmetric flows 106, 121
audience 1
audit log 37
  viewing 341
authentication
  configuring 13
  LDAP 13
  RADIUS 12
  system 12
  TACACS 13
  user 12
authorized services 51
  adding 52
  revoking 53
  token 51
  viewing 51
auto detection 99, 113
automatic update
  about 34
  on demand 36
  scheduling 34

B
backup and recovery 55
branch filtering 106, 109
building blocks
  about 181
  editing 220

C
changes
  deploying 129
Classification Engine 107
  configuring 107
coalescing events 38
command line max matched results 39
components 97
  connecting 71
connecting deployments 72
console
  settings 45
content capture 98
content filter 105
conventions 1
Custom Views
  about 167
  Attacker Target Analysis Group 254, 302
  creating 168
  editing 176
  equation
    editing 177
  equation editor 170
  IP Tracking 249, 297
  managing 167
  operators
    editing 178
  Policy Violations Group 256, 304
  Target Analysis Group 255, 303
  Threats Group 250, 298
customer support
  contacting 2

D
database settings 38
database storage location 38
delete root mail 37
deploying changes 129
deployment editor 63
  about 63
  accessing 65
  creating your deployment 67
  event view 75
  flow view 68
  preferences 68
  requirements 67
  system view 82
  toolbar 66
  using 65
deployment STRM components 97
deployments
  connecting 72
device access 20
device management 23
discover servers 223
dynamic custom view deploy interval 38

E
element types 171
enabling and disabling views 178
encryption 72, 75, 80, 81, 83
enterprise template 241
  building blocks
    default 273, 321
  rules
    default 259
equation editor 170
  element type 171
equations
  editing 177
  elements 146
  objects 146
Event Collector
  about 75
  configuring 112
Event Processor
  about 75
  configuring 113
event rule 182
  about 182
  date/time tests 208
  device tests 209
  event property tests 195
  host profile tests 205
  IP/port tests 198
  network property tests 193
  test 193
event view
  about 64
  adding components 77
  building 75
  connecting components 79
  renaming components 82
event viewer role 6
external flow sources 117

F
firewall access 20
flow configuration 120
Flow Processor
  configuring 101
flow source
  about 117
  adding 120
  alias 124
    adding 125
    deleting 126
    editing 125
  deleting 124
  editing 122
  enabling/disabling 123
  external 117
  internal 117
  managing 117
  virtual name 124
flow view
  about 64
  adding components 69
  building 68
  components 69, 72, 79
  connecting components 71
  renaming components 75
Flow Writer
  configuring 111
flowlog file 120
functions 181

G
global IPtables access 38

H
hashing
  algorithm 40
  event log 40
  flow log 39
hlocal 137
host
  adding 84
host context 64, 94
hremote 137

I
interface roles 23
internal flow sources 117
IP range conversion 105

J
JavaScript 142
J-Flow 119

L
LDAP/Active directory 13
license key
  exporting 19
  managing 17
logic unit 131, 141

M
Magistrate
  about 76
  configuring 115
managed host
  adding 84
  assigning components 93
  editing 86
  removing 88
  set-up 22
maximum real-time results 39
MIB 229

N
NAT
  editing 90
  enabling 88
  removing 91
  using with STRM 89
NetFlow 97, 117
Network Address Translation. See NAT
network hierarchy
  creating 29
network surveillance role 7
network taps 97
network view graph retention period 38
NTP 27

O
offense management role 6
offense rule
  about 182
  date/time tests 211
  device tests 212
  host profile tests 210
  IP/port tests 209
  offense property tests 212
off-site source 73, 80
off-site target 73, 80
operators
  editing 178

P
package 131, 138
  creating 138
Packeteer 119
passwords
  changing 24
pin 137
plocal 137
ports view 148
pount 137

Q
QFlow Collector
  configuring 97
QFlow ID 98

R
RADIUS authentication 12
RDATE 25
recovery 55
reporting max matched results 39
reset SIM 19, 48
resolution interval length 37
restarting STRM 48
retention period
  asset profile 39
  attacker history 39
  custom view 39
  device log data 39
  flow data 39
  identity history 39
  offense 38
  views
    group 38
    object 38
role 3
  administrator 5
  asset management 6
  creating 4
  editing 8
  event viewer 6
  managing 3
  network surveillance 7
  offense management 6
  reporting 7
rules 181
  copying 215
  creating 183
  deleting 215
  enabling/disabling 183
  group 216
    assigning 220
    copying 218
    create 216
    deleting 220
    editing 218
  viewing 182

S
scripts
  default sentry 40
  list of sentry 40
sentry 131
  about 131
  database location 40
  editing 133
  enterprise
    defaults 241
  logic unit 131
    creating 141
    editing 144
  package 131
    creating 138
    editing 140
    managing 138
  properties 40
  response queue 40
  university
    defaults 289
  variables 136
  viewing 132
sentry database location 38
sentry layers 137
sentry settings 40
servers
  discovering 223
services
  authorized 51
sFlow 118
SIM
  reset 19, 48
SNMP
  embedded SNMP agent settings 42
SNMP agent
  accessing 19
SNMP settings 41
source
  off-site 72, 73, 79, 80
starting STRM 48
stopping STRM 48
storage 110
storage location
  asset profile 39
  device log 39
  flow data 39
store event payload 38
STRM components 97
superflows 101, 104
syslog
  forwarding 225
    adding 225
    deleting 227
    editing 226
system authentication 12
system settings 37
  configuring 37
system thresholds 42
system time 25
system view
  about 64
  adding a host 84
  assigning components 93
  Host Context 94
  managed host 93
  managing 82

T
TACACS authentication 13
target
  off-site 72, 73, 79, 80
templates 132
  enterprise 241
  university 289
temporary files retention period 37
tests
  about 181
thresholds 42
time 25
time limit
  command line execution 39
  reporting execution 39
  web execution 39
TNC recommendation 37
transaction sentry 41

U
university template 289
Update Daemon
  configuring 109
user
  authentication 12
  creating account 10
  editing account 11, 12
  managing 3
  roles 3
user accounts
  managing 10
user data files 38

V
views
  applications object
    editing 155
  Applications View 152
    adding 153
  best practices 180
  Custom Views 167
  defining unique groups and objects 147
  enable and disable 178
  ports 148
  ports object
    adding 148
    editing 150
  Ports View 148
  QFlow Collector object
    adding 164
  QFlow Collectors 164
  Remote Networks 157
  Remote Networks object
    adding 157
    editing 159
  Remote Services 160
  Remote Services object
    adding 161
    editing 162
VIS passive host profile interval 37