Security Threat Response Manager
STRM Administration Guide
Release 2008.3
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-028824-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Configuring DSMs
Release 2008.3
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
January 2009—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS

ABOUT THIS GUIDE
Audience 1
Conventions 1
Technical Documentation 1
Contacting Customer Support 2

1 MANAGING USERS
Managing Roles 3
Viewing Roles 3
Creating a Role 4
Editing a Role 8
Deleting a Role 9
Managing User Accounts 10
Creating a User Account 10
Editing a User Account 11
Disabling a User Account 12
Authenticating Users 12

2 MANAGING THE SYSTEM
Managing Your License Keys 17
Updating your License Key 17
Exporting Your License Key Information 19
Accessing the Embedded SNMP Agent 19
Configuring Access Settings 20
Configuring Firewall Access 20
Updating Your Host Set-up 22
Configuring Interface Roles 23
Changing Passwords 24
Updating System Time 25

3 SETTING UP STRM
Creating Your Network Hierarchy 29
Considerations 29
Defining Your Network Hierarchy 30
Scheduling Automatic Updates 34
Scheduling Automatic Updates 34
Updating Your Files On-Demand 36
Configuring System Settings 37
Configuring System Notifications 42
Configuring the Console Settings 45
Starting and Stopping STRM 48
Resetting SIM 48

4 MANAGING AUTHORIZED SERVICES
Viewing Authorized Services 51
Adding an Authorized Service 52
Revoking Authorized Services 53

5 MANAGING BACKUP AND RECOVERY
Managing Backup Archives 55
Viewing Back Up Archives 55
Importing an Archive 56
Deleting a Backup Archive 57
Backing Up Your Information 58
Scheduling Your Backup 58
Initiating a Backup 60
Restoring Your Configuration Information 61

6 USING THE DEPLOYMENT EDITOR
About the Deployment Editor 64
Accessing the Deployment Editor 65
Using the Editor 65
Creating Your Deployment 67
Before you Begin 67
Editing Deployment Editor Preferences 68
Building Your Flow View 68
Adding STRM Components 69
Connecting Components 71
Connecting Deployments 72
Renaming Components 75
Building Your Event View 75
Adding Components 77
Connecting Components 79
Forwarding Normalized Events 79
Renaming Components 82
Managing Your System View 82
Setting Up Managed Hosts 83
Using NAT with STRM 89
Configuring a Managed Host 93
Assigning a Component to a Host 93
Configuring Host Context 94
Configuring STRM Components 97
Configuring a Flow Collector 97
Configuring a Flow Processor 101
Configuring a Classification Engine 107
Configuring an Update Daemon 109
Configuring a Flow Writer 111
Configuring an Event Collector 112
Configuring an Event Processor 113
Configuring the Magistrate 115

7 MANAGING FLOW SOURCES
About Flow Sources 117
NetFlow 117
sFlow 118
J-Flow 119
Packeteer 119
Flowlog File 120
Managing Flow Sources 120
Adding a Flow Source 120
Editing a Flow Source 122
Enabling/Disabling a Flow Source 123
Deleting a Flow Source 124
Managing Flow Source Aliases 124
Adding a Flow Source Alias 125
Editing a Flow Source Alias 125
Deleting a Flow Source Alias 126

8 OVERVIEW
About the Interface 127
Accessing the Administration Console 128
Using the Interface 128
Deploying Changes 129

9 MANAGING SENTRIES
About Sentries 131
Viewing Sentries 132
Editing Sentry Details 133
Managing Packages 138
Creating a Sentry Package 138
Editing a Sentry Package 140
Managing Logic Units 141
Creating a Logic Unit 141
Editing a Logic Unit 144

10 MANAGING VIEWS
Using STRM Views 145
About Views 145
About Global Views 146
Defining Unique Objects 147
Managing Ports View 148
Default Ports Views 148
Adding a Ports Object 148
Editing a Ports Object 150
Managing Application Views 152
Default Application Views 152
Adding an Applications Object 153
Editing an Applications Object 155
Managing Remote Networks View 157
Default Remote Networks Views 157
Adding a Remote Networks Object 157
Editing a Remote Networks Object 159
Managing Remote Services Views 160
Default Remote Services Views 160
Adding a Remote Services Object 161
Editing a Remote Services Object 162
Managing Collector Views 164
Adding a Flow Collector Object 164
Editing a Flow Collector Object 165
Managing Custom Views 167
About Custom Views 167
Editing Custom Views 176
Editing the Equation 177
Enabling and Disabling Views 178
Using Best Practices 180

11 CONFIGURING RULES
Viewing Rules 182
Enabling/Disabling Rules 183
Creating a Rule 183
Event Rule Tests 193
Offense Rule Tests 209
Copying a Rule 215
Deleting a Rule 215
Grouping Rules 216
Viewing Groups 216
Creating a Group 216
Editing a Group 218
Copying an Item to Another Group(s) 218
Deleting an Item from a Group 220
Assigning an Item to a Group 220
Editing Building Blocks 220

12 DISCOVERING SERVERS

13 FORWARDING SYSLOG DATA
Adding a Syslog Destination 225
Editing a Syslog Destination 226
Delete a Syslog Destination 227

A JUNIPER NETWORKS MIB

B ENTERPRISE TEMPLATE DEFAULTS
Default Sentries 241
Default Custom Views 249
IP Tracking Group 249
Threats Group 250
Attacker Target Analysis Group 254
Target Analysis Group 255
Policy Violations Group 256
ASN Source Group 257
ASN Destination Group 258
IFIndexIn Group 258
IFIndexOut Group 258
QoS Group 258
Flow Shape Group 258
Default Rules 259
Default Building Blocks 273

C UNIVERSITY TEMPLATE DEFAULTS
Default Sentries 289
Default Custom Views 297
IP Tracking Group 297
Threats Group 298
Attacker Target Analysis Group 302
Target Analysis Group 303
Policy Violations Group 304
ASN Source Group 305
ASN Destination Group 306
IFIndexIn Group 306
IFIndexOut Group 306
QoS Group 306
Flow Shape Group 306
Default Rules 307
Default Building Blocks 321

D VIEWING AUDIT LOGS
Logged Actions 337
Viewing the Log File 341
ABOUT THIS GUIDE
The STRM Administration Guide provides you with information for managing STRM functionality requiring administrative access.
Audience
This guide is intended for the system administrator responsible for setting up STRM in your network. This guide assumes that you have STRM administrative access and a knowledge of your corporate network and networking technologies.

Conventions
Table 1 lists conventions that are used throughout this guide.
Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Customer Support web site at https://www.juniper.net/suport. Once you access the Technical support web site, locate the product and software release for which you require documentation.
Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to:
Include the following information with your comments:
• Document title
• Page number

Table 1 Icons
Icon Type - Description
Information note - Information that describes important features or instructions.
Caution - Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning - Information that alerts you to potential personal injury.
Contacting Customer Support
To help you resolve any issues that you may encounter when installing or maintaining STRM, you can contact Customer Support as follows:
• Open a support case using the Case Management link at http://www.juniper.net/support.
• Call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
1 MANAGING USERS

You can add or remove user accounts for all users that you want to access STRM. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM. You can also restrict or allow access to areas of the network.
This chapter provides information on managing STRM users including:
• Managing Roles
• Managing User Accounts
• Authenticating Users

Managing Roles
You must create a role before you can create user accounts. By default, STRM provides a default administrative role, which provides access to all areas of STRM. A user that is assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any desired changes.
Using the Administration Console, you can:
• View existing user roles. See Viewing Roles.
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role.
• Delete a role. See Deleting a Role.
Viewing Roles
To view roles:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Roles window appears.
The Manage Roles window provides the following information:

Table 2-1 Manage Roles Parameters
Parameter - Description
Role - Specifies the defined user role.
Devices - Specifies the devices you want this role to access. This allows you to restrict or grant access for users assigned to the role to view logs, events, and offense data received from assigned security and network devices or device groups. For non-administrative users, this column indicates a link that allows an administrative user to edit the permissions for the role. For more information on editing a user role, see Editing a Role. To view the list of devices that have been assigned to this role, move your mouse over the text in the Devices column.
Associated Users - Specifies the users associated with this role.
Action - Allows you to edit or delete the user role.

Creating a Role
To create a role:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage User Roles window appears.
Step 3 Click Create Role.
The Manage Permissions window appears.
Step 4 Enter values for the parameters. You must select at least one permission to proceed.
Table 2-2 Create Roles Parameters
Parameter - Description
Role Name - Specify the name of the role. The name can be up to 15 characters in length and must only contain integers and letters.
Administrator - Select the check box if you want to grant this user administrative access to the STRM interface. Within the administrator role, you can grant additional access to the following:
• System Administrator - Select this check box if you want to allow users access to all areas of STRM except Views. Users with this access are not able to edit other administrator accounts.
• Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
• Views Administrator - Select this check box if you want to allow users the ability to create, edit, or delete Views, for example, the Application View and the Ports View.
Offense Management - Select the check box if you want to grant this user access to Offense Manager functionality. Within the Offense Manager functionality, you can grant additional access to the following:
• Assign Offenses to Users - Select the check box if you want to allow users to assign offenses to other users.
• Customized Rule Creation - Select the check box if you want to allow users to create custom rules.
For more information on the Offense Manager, see the STRM Users Guide.
Event Viewer - Select the check box if you want this user to have access to the Event Viewer. Within the Event Viewer, you can also grant users additional access to the following:
• User Defined Event Properties - Select the check box if you want to allow users the ability to create user-defined event properties.
• Event Search Restrictions Override - Select the check box if you want to allow users the ability to override event search restrictions.
• Customized Rule Creation functionality - Select the check box if you want to allow users to create rules using the Event Viewer.
For more information on the Event Viewer, see the STRM Users Guide.
Asset Management - Select the check box if you want to grant this user access to Asset Management functionality. Within the Asset Management functionality, you can grant additional access to the following:
• Server Discovery - Select the check box if you want to allow users the ability to discover servers.
• View VA Data - Select the check box if you want to allow users access to vulnerability assessment data.
• Perform VA Scans - Select the check box if you want to allow users to perform vulnerability assessment scans.
Network Surveillance - Select the check box if you want to grant this user access to Network Surveillance functionality. Within the Network Surveillance functionality, you can grant additional access to the following:
• View Flows - Select the check box if you want to allow users access to content captured using the View Flows function.
• View Flow Content - Select the check box if you want to allow users access to data accessed through the View Flow box.
• View Flows Restrictions Override - Select the check box if you want to allow users the ability to override sentry restrictions.
• Sentry Modification - Select the check box if you want to allow users to modify existing sentries.
For more information, see the STRM Users Guide.
Reporting - Select the check box if you want to grant this user access to Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following:
• Distribute Reports via Email - Select the check box if you want to allow users to distribute reports through e-mail.
• Maintain Templates - Select the check box if you want to allow users to maintain reporting templates.
For more information, see the STRM Users Guide.

Step 5 Click Next.
Step 6 Choose one of the following options:
a If the role includes Event Viewer permissions, go to Step 7. The Select Device Objects window appears.
b If the role does not include Event Viewer permissions, go to Step 10.
Step 7 From the left panel, click a device or device group that you want users assigned to this role to have access to. The selected device moves to the Selected Device Objects field.
Step 8 Repeat for all devices.
Step 9 Click Next.
Step 10 Click Return.
Step 11 Close the Manage Roles window.
The STRM Administration Console appears.
Step 12 From the menu, select Configurations > Deploy Configuration Changes.
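The rules spread across Table 2-2 and the procedure above (role names of up to 15 letters and digits, at least one permission, Administrator Manager implying System Administrator, device-object selection only for roles with Event Viewer permissions, and the Devices restriction limiting which devices' events a user sees) are easier to reason about as a small model. The following Python is an added example written for this page; it is not STRM's code, and the permission tree is transcribed from Table 2-2. The `Role` class, its functions, the device names and the event records are my own constructions. One assumption is stated in a comment: administrator roles are treated as unrestricted by device, which the guide implies by offering device selection only for non-administrative roles but does not say outright.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Permission tree transcribed from Table 2-2: top-level permission -> its sub-permissions.
PERMISSIONS: dict[str, set[str]] = {
    "Administrator": {"System Administrator", "Administrator Manager", "Views Administrator"},
    "Offense Management": {"Assign Offenses to Users", "Customized Rule Creation"},
    "Event Viewer": {"User Defined Event Properties", "Event Search Restrictions Override",
                     "Customized Rule Creation"},
    "Asset Management": {"Server Discovery", "View VA Data", "Perform VA Scans"},
    "Network Surveillance": {"View Flows", "View Flow Content",
                             "View Flows Restrictions Override", "Sentry Modification"},
    "Reporting": {"Distribute Reports via Email", "Maintain Templates"},
}


@dataclass
class Role:
    name: str
    permissions: dict[str, set[str]]                  # selected top-level -> selected sub-permissions
    devices: set[str] = field(default_factory=set)    # device objects chosen in Step 7 (hypothetical names)


def normalize(role: Role) -> Role:
    """Apply the dependency from Table 2-2: Administrator Manager auto-selects System Administrator."""
    admin = role.permissions.get("Administrator")
    if admin is not None and "Administrator Manager" in admin:
        admin.add("System Administrator")
    return role


def validate_role(role: Role) -> list[str]:
    """Return the rule violations for a role definition; an empty list means the role is acceptable."""
    problems: list[str] = []
    # Role Name: up to 15 characters, integers and letters only.
    if not (1 <= len(role.name) <= 15) or not (role.name.isascii() and role.name.isalnum()):
        problems.append("role name must be 1-15 ASCII letters or digits")
    # Step 4: at least one permission must be selected.
    if not role.permissions:
        problems.append("at least one permission must be selected")
    for top, subs in role.permissions.items():
        if top not in PERMISSIONS:
            problems.append(f"unknown permission {top!r}")
            continue
        for sub in sorted(subs - PERMISSIONS[top]):
            problems.append(f"{sub!r} is not a sub-permission of {top!r}")
    return problems


def is_administrator(role: Role) -> bool:
    return "Administrator" in role.permissions


def requires_device_selection(role: Role) -> bool:
    """Step 6: only roles that include Event Viewer permissions go through device-object selection."""
    return "Event Viewer" in role.permissions


def visible_events(role: Role, events: list[dict]) -> list[dict]:
    """Withhold events from devices outside the role's assigned device objects.
    Assumption (not stated in the guide): administrator roles are not device-restricted,
    since the guide only offers device selection for non-administrative roles."""
    if is_administrator(role):
        return list(events)
    return [e for e in events if e["device"] in role.devices]


if __name__ == "__main__":
    # Constructed sample data: two event records from two hypothetical devices.
    sample_events = [
        {"device": "fw-edge-1", "msg": "Deny TCP 10.0.0.5 -> 192.0.2.9:22"},
        {"device": "ids-core", "msg": "Signature 2001 matched"},
    ]
    analyst = Role("SOCAnalyst", {"Event Viewer": {"User Defined Event Properties"}}, {"fw-edge-1"})
    print(validate_role(analyst))                         # []
    print(len(visible_events(analyst, sample_events)))    # 1
```

The filter in `visible_events` is the practical meaning of the Devices column in Table 2-1: a role scoped to one firewall sees only that firewall's events, while an administrator sees everything, so keeping analyst roles out of the Administrator group is what makes the device scoping effective.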
Editing a Role
To edit a role:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you want to edit, click the edit icon.
The Permissions for Role window appears.
Step 4 Update the permissions (see Table 2-2), as necessary.
Step 5 Click Next.
The Select Device Objects window appears.
Step 6 Update device permissions, as desired:
a To remove a device permission, select the device(s) in the Selected Device Objects field that you want to remove. Click Remove Selected Devices.
b To add a device permission, select an object you want to add from the left panel.
Step 7 Repeat for all devices you want to edit for this role.
Step 8 Click Next.
Step 9 Click Return.
Step 10 Click Save.
Step 11 Close the Manage User Roles window.
The STRM Administration Console appears.
Step 12 From the menu, select Configurations > Deploy Configuration Changes.

Deleting a Role
To delete a role:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you want to delete, click the delete icon.
A confirmation window appears.
Step 4 Click Ok.
Step 5 From the menu, select Configurations > Deploy Configuration Changes.
Managing User Accounts
You can create a STRM user account, which allows a user access to selected network components using the STRM interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges.
You can create and edit user accounts to access STRM including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account

Creating a User Account
To create an account for a STRM user:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click Add.
The User Details window appears.
Step 4 Enter values for the following parameters:

Table 2-3 User Details Parameters
Parameter - Description
Username - Specify a username for the new user. The username must not include spaces or special characters.
Password - Specify a password for the user to gain access. The password must be at least five characters in length.
Confirm Password - Re-enter the password for confirmation.
Email Address - Specify the user’s e-mail address.
Role - Using the drop-down list box, select the role you want this user to assume. For information on roles, see Managing Roles. If you select Admin, this process is complete.

Step 5 Click Next.
Step 6 Choose one of the following options:
a If you selected Admin as the user role, go to Step 9.
b If you selected a non-administrative user role, go to Step 7. The Selected Network Objects window appears.
Step 7 From the menu tree, select the network objects you want this user to be able to monitor.
The selected network objects appear in the Selected Network Object panel.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 9 Close the Manage Users window.
The STRM Administration Console appears.
Editing a User Account
To edit a user account:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you want to edit.
The User Details window appears.
Step 4 Update values (see Table 2-3), as necessary.
Step 5 Click Next. If you are editing a non-administrative user account, the Selected Network Objects window appears. If you are editing an administrative user account, go to Step 9.
Step 6 From the menu tree, select the network objects you want this user to access. The selected network objects appear in the Selected Network Object panel.
Step 7 For each network object you want to remove access to, select the object in the Selected Network Objects panel. Click Remove.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 9 Close the Manage Users window.
The STRM Administration Console appears.

Disabling a User Account
To disable a user account:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you want to disable.
The User Details window appears.
Step 4 In the Role drop-down list box, select Disabled.
Step 5 Click Next.
Step 6 Close the Manage Users window.
The STRM Administration Console appears. This user no longer has access to the STRM interface. If this user attempts to log in to STRM, the following message appears: This account has been disabled.
Authenticating Users
You can configure authentication to validate STRM users and passwords. STRM supports the following user authentication types:
• System Authentication - Users are authenticated locally by STRM. This is the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM encrypts the password only, and forwards the username and password to the RADIUS server for authentication.
• TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, STRM encrypts the username and password, and forwards this information to the TACACS server for authentication.
• LDAP/Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.
If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the authentication type, you must:
• Configure the authentication server before you configure authentication in STRM.
• Make sure the server has the appropriate user accounts and privilege levels to communicate with STRM. See your server documentation for more information.
• Make sure the time of the authentication server is synchronized with the time of the STRM server. For more information on setting STRM time, see Chapter 3 Setting Up STRM.
• Make sure all users have appropriate user accounts and roles in STRM to allow authentication with the third-party servers.
Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring Console settings for authentication, see Chapter 3 Setting Up STRM - Configuring the Console Settings. An administrative user can always access STRM through a third-party authentication module or by using the local STRM Admin password.
To configure authentication:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authentication icon.
The Authentication window appears.
Step 3 From the Authentication Module drop-down list box, select the authentication type you want to configure.
Step 4 Configure the selected authentication type:
a If you selected System Authentication, go to Step 5.
b If you selected RADIUS Authentication, enter values for the following parameters:

Table 2-4 RADIUS Parameters
Parameter - Description
RADIUS Server - Specify the hostname or IP address of the RADIUS server.
RADIUS Port - Specify the port of the RADIUS server.
Authentication Type - Specify the type of authentication you want to perform. The options are:
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
Shared Secret - Specify the shared secret that STRM uses to encrypt RADIUS passwords for transmission to the RADIUS server.

c If you selected TACACS Authentication, enter values for the following parameters:

Table 2-5 TACACS Parameters
Parameter - Description
TACACS Server - Specify the hostname or IP address of the TACACS server.
TACACS Port - Specify the port of the TACACS server.
Authentication Type - Specify the type of authentication you want to perform. The options are:
• ASCII
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a PPP connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.
• EAPMD5 (Extensible Authentication Protocol using MD5 Protocol) - Uses MD5 to establish a PPP connection.
Shared Secret - Specify the shared secret that STRM uses to encrypt TACACS passwords for transmission to the TACACS server.

d If you selected LDAP/Active Directory, enter values for the following parameters:

Table 2-6 LDAP/Active Directory Parameters
Parameter - Description
Server URL - Specify the URL used to connect to the LDAP server. For example, ldap://<host>:<port>
LDAP Context - Specify the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.
LDAP Domain - Specify the domain you want to use, for example q1labs.inc

Step 5 Click Save.
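The RADIUS bullet earlier in this section says that STRM encrypts only the password before forwarding the credentials, and Table 2-4 says the Shared Secret is what performs that encryption. In standard RADIUS (RFC 2865, section 5.2) this protection is the User-Password hiding: the password is padded to 16-octet blocks and each block is XORed with MD5(shared secret + previous block), seeded with the packet's random Request Authenticator. The following Python is an added example of that mechanism and of the Access-Request packet that carries it. It is not STRM's or Juniper's code; the guide does not state that STRM implements exactly this, only that a shared secret is used. The username, password, secret and the fixed authenticator are constructed sample values, and `reveal_password` is the server-side inverse, included to show that the password is recoverable by anyone holding the same secret.

```python
"""Added example (not STRM's code): RFC 2865 User-Password hiding and the
Access-Request packet that carries it. All sample values are constructed."""
from __future__ import annotations

import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RADIUS Code for Access-Request
ATTR_USER_NAME = 1       # attribute type 1
ATTR_USER_PASSWORD = 2   # attribute type 2, always carried in hidden form


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)   # pad with NULs to a 16-octet multiple
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side inverse; only a holder of the same shared secret recovers the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        plain += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")   # strip the padding added by hide_password


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes | None = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then type-length-value attributes."""
    authenticator = authenticator or os.urandom(16)   # RFC 2865: fresh random value per request
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}); rejects malformed TLVs."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))   # constructed sample values
    pkt = build_access_request(7, b"alice", b"s3cret", secret, ra)
    _, _, auth, attrs = parse_access_request(pkt)
    print(attrs[ATTR_USER_PASSWORD].hex())                           # hidden form, not the plaintext
    print(reveal_password(attrs[ATTR_USER_PASSWORD], secret, auth))  # b's3cret'
```

The design point for an administrator filling in Table 2-4: this hiding is keyed only by the shared secret and the per-request authenticator, so the strength of the "encryption" is the strength of the secret, and the path between STRM and the RADIUS server should itself be a protected management network. The PAP row's "clear text" describes the password as the user submits it; the shared secret is what keeps it from travelling in the clear from STRM to the RADIUS server.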
2 MANAGING THE SYSTEM

This chapter provides information for managing your system including:
• Managing Your License Keys
• Accessing the Embedded SNMP Agent
• Configuring Access Settings
Managing Your License Keys
For your STRM Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System Management window in the STRM Administration Console. This interface provides the status of the license key for each system (host) in your deployment including:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see Updating your License Key.
• Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you want to use the Console license for any system in your deployment, click Default License in the Manage License window. The license for that system will default to the Console license key.
This section provides information on managing your license keys including:
• Updating your License Key
• Exporting Your License Key Information

Updating your License Key
For your STRM Console, a default license key provides you access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:
• For a new or updated license key, please contact your local sales representative.
• For all other technical issues, please contact Juniper Networks Customer Support.
If you log in to STRM and your Console license key has expired, you are automatically directed to the System Management window. You must update the license key before you can continue. However, if one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System Management window to update that license key.
To update your license key:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears, providing a list of all hosts in your deployment.
Step 3 For the host on which you want to update the license key, click the value that appears in the License column.
Note: If you update the license key for your Console, all systems in your deployment default to the Console license key at that time.
The Current License Details window appears.
Step 4 Click Browse beside the New License Key File and locate the license key.
Step 5 Once you locate and select the license key, click Open.
The Current License Details window appears.
Step 6 Click Save. A message appears indicating the license key was successfully updated.
Note: If you want to revert to the previous license key, click Revert to Deployed. If you want to revert to the license key used by the STRM Console system, click Revert to Console.
Step 7 Close the license key window.
The Administration Console appears.
Step 8 From the menu, select Configurations > Deploy All. The license key information is updated in your deployment.
Exporting YourLicense KeyInformation
To export your license key information for all systems in your deployment:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears providing a list of all hosts in your deployment.
Step 3 Click Export Licenses.
The export window appears.
Step 4 Select one of the following options:
• Open - Opens the license key data in an Excel spreadsheet.
• Save - Allows you to save the file to your desktop.
Step 5 Click OK.
Accessing the Embedded SNMP Agent
To access the SNMP agent:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears.
Step 3 In the View Agent column, click View Agent for the SNMP agent you want to access.
The SNMP Agent appears.
Configuring Access Settings
The System Configuration tab provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:
• Firewall access. See Configuring Firewall Access.
• Update your host set-up. See Updating Your Host Set-up.
• Configure the interface roles for a host. See Configuring Interface Roles.
• Change the passwords for a host. See Changing Passwords.
• Update the system time. See Updating System Time.
Configuring Firewall Access
You can configure local firewall access to enable communications between devices and STRM. Also, you can define access to the web-based system administration interface.
To enable STRM managed hosts to access specific devices or interfaces:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host for which you want to configure firewall access, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > Local Firewall. The Local Firewall window appears.
Step 6 In the Device Access box, list every STRM system that needs access to this managed host. Only the managed hosts listed are granted access. For example, if you enter one IP address, only that address can reach the managed host and all other managed hosts are blocked. To configure access:
a In the IP Address field, enter the IP address of the managed host you want to allow.
b From the Protocol list box, select the protocol to allow for the specified IP address and port:
- UDP - Allows UDP traffic.
- TCP - Allows TCP traffic.
- Any - Allows any traffic.
c In the Port field, enter the port on which you want to enable communications.
Note: If you change your External Flow Source Monitoring Port parameter in the QFlow Configuration, you must also update your firewall access configuration to allow the new port.
d Click Allow.
Step 7 In the System Administration Web Control box, enter in the IP Address field the IP address of each host that you want to allow to access the web-based system administration interface, then click Allow. Only the IP addresses listed have access to the interface. If you leave the field blank, the interface is reachable from every IP address, so list only the hosts and workstations that need it.
Note: Make sure you include the IP address of the client desktop from which you access the interface. Failing to do so blocks your own access to the interface.
Step 8 Click Apply Access Controls.
Step 9 Wait for the interface to refresh before continuing.
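The following added example (not part of the STRM guide or product) models the two allow-lists above as a small Python script you can run against a planned rule set before you click Apply Access Controls. The DeviceRule fields mirror the IP Address, Protocol and Port fields of the Device Access box; the audit() findings and every address and port in it are constructed for illustration. What it shows is that the Device Access box is default-deny while a blank Web Control box is default-allow, and that the flow monitoring port and your own desktop address are the two entries most often forgotten.

```python
"""Model of the two allow-lists in the Local Firewall window, so a rule set
can be reviewed before Apply Access Controls is clicked. Added example; it is
not STRM code. The DeviceRule fields mirror the IP Address, Protocol and Port
fields of the Device Access box; every address, port and finding text below
is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DeviceRule:
    ip: str        # managed host allowed in (address or CIDR)
    protocol: str  # "TCP", "UDP" or "Any", as in the Protocol list box
    port: int      # port from the Port field


def device_access_allowed(rules, src_ip, protocol, port):
    """Device Access box: default deny. The peer gets in only if some rule
    matches its address, its protocol ("Any" matches both) and its port."""
    src = ip_address(src_ip)
    for r in rules:
        if src not in ip_network(r.ip, strict=False):
            continue
        if r.protocol != "Any" and r.protocol != protocol:
            continue
        if r.port != port:
            continue
        return True
    return False


def web_control_allowed(allowed_ips, src_ip):
    """System Administration Web Control box: default allow. A blank list
    exposes the root-level admin interface to every address that can reach
    the host, which is the opposite of the Device Access box."""
    if not allowed_ips:
        return True
    src = ip_address(src_ip)
    return any(src in ip_network(a, strict=False) for a in allowed_ips)


def audit(rules, web_ips, *, console_ip, admin_desktop, flow_source,
          flow_port):
    """Findings a reviewer would raise before applying the configuration.
    Flow sources are assumed to send UDP; adjust if yours do not."""
    findings = []
    if not web_ips:
        findings.append("web control list is blank: admin interface is open "
                        "to all addresses")
    elif not web_control_allowed(web_ips, admin_desktop):
        findings.append(f"admin desktop {admin_desktop} is not listed: you "
                        "will lock yourself out")
    if not any(ip_address(console_ip) in ip_network(r.ip, strict=False)
               for r in rules):
        findings.append(f"console {console_ip} has no Device Access rule")
    if not device_access_allowed(rules, flow_source, "UDP", flow_port):
        findings.append(f"flow source {flow_source} cannot reach monitoring "
                        f"port {flow_port}/UDP (did the port change?)")
    for r in rules:
        if ip_network(r.ip, strict=False).prefixlen == 0:
            findings.append(f"rule {r} matches every address and defeats the "
                            "allow-list")
    return findings


def demo():
    """A deliberately weak configuration (constructed values)."""
    rules = [
        DeviceRule("10.10.1.20", "Any", 7789),   # console
        DeviceRule("10.10.8.5", "UDP", 2055),    # flow source, old port
        DeviceRule("0.0.0.0/0", "TCP", 22),      # someone got lazy
    ]
    return audit(rules, [], console_ip="10.10.1.20",
                 admin_desktop="10.10.5.44", flow_source="10.10.8.5",
                 flow_port=4739)  # port was changed in QFlow Configuration
```

demo() returns three findings for the weak configuration: the blank Web Control list, the flow source that can no longer reach the changed monitoring port, and the 0.0.0.0/0 rule. A configuration whose Web Control list contains the admin desktop and whose Device Access rules cover the console and the current flow port returns no findings.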
Updating Your Host Set-up
You can use the web-based system administration interface to configure the mail server you want STRM to use, the global password for STRM configuration, and the IP address for the STRM Console:
To configure your host set-up:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears.
Step 3 For the host whose set-up you want to update, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > STRM Setup.
The STRM Setup window appears.
Step 6 You must enable communications between the STRM Console and the current host. In the Enter the IP address of the STRM console field, enter the IP address of the managed host operating the STRM Console.
Step 7 In the Mail Server field, specify the address for the mail server you want STRM to use. STRM uses this mail server to distribute alerts and event messages. To use the mail server provided with STRM, enter localhost.
Step 8 In the Enter the global configuration password field, enter the password you want to use to access the host, then confirm it.
Note: The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.
Step 9 In the Enter the web address of the console field, enter the IP address of the managed host operating the STRM Console.
Step 10 Click Apply Configuration.
Configuring Interface Roles
You can assign specific roles to the network interfaces on each managed host.
To assign roles:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears.
Step 3 For the host for which you want to configure interface roles, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > Network Interfaces. The Network Interfaces window appears with a list of each interface on your managed host.
Note: For assistance with determining the appropriate role for each interface, please contact Juniper Networks Customer Support.
Step 6 For each interface listed, select the role you want to assign to the interface using the Role list box.
Step 7 Click Save Configuration.
Step 8 Wait for the interface to refresh before continuing.
Changing Passwords
To change the passwords:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host whose passwords you want to change, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > Root Password.
The Root Passwords window appears.
Step 6 Update the passwords and confirm:
Note: Make sure you record the entered values.
• New Root Password - Specify the root password necessary to access the web-based system administration interface.
• Confirm New Root Password - Re-enter the password for confirmation.
Step 7 Click Update Password.
Updating System Time
You are able to change the time for the following options:
• System time
• Hardware time
• Time Zone
• Time Server
Note: All system time changes must be made within the System Time window. You must change the system time information on the host operating the Console only. The change is then distributed to all managed hosts in your deployment.
You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Configuring Time Settings For Your System
Configuring Your Time Server Using RDATE
To update the time settings using RDATE:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears.
Step 3 For the host on which you want to configure time, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > System Time. The System Time window appears.
Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.
Step 6 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.
Step 7 In the Time Server box, you must specify the following options:
• Timeserver hostnames or addresses - Specify the time server hostname or IP address.
• Set hardware time too - Select the check box if you want to set the hardware time as well.
• Synchronize on schedule? - Specify one of the following options:
- No - Do not synchronize on a schedule. Go to Step 8.
- Yes - Synchronize on a schedule, using the options below.
• Simple Schedule - Select this option to run the time update on a simple recurring schedule. To run it at specific times and dates instead, select Times and dates are selected below.
• Times and dates are selected below - Specify the times at which you want the time update to occur.
Step 8 Click Sync and Apply.
Configuring Time Settings For Your System
To update the time settings for your system:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Management icon.
The System Management window appears.
Step 3 For the host on which you want to configure time, click Manage System.
Step 4 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5 From the menu, select Managed Host Config > System Time. The System Time window appears.
Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.
Step 6 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.
Step 7 In the System Time box, you must specify the current date and time you want to assign to the managed host. Click Apply.
If you want to set the System Time to the same as the Hardware time, click Set system time to hardware time.
Step 8 In the Hardware Time box, you must specify the current date and time you want to assign to the managed host. Click Save.
If you want to set the Hardware Time to the same as the System Time, click Set hardware time to system time.
3 SETTING UP STRM
This chapter provides information on setting up STRM including:
• Creating Your Network Hierarchy
• Scheduling Automatic Updates
• Configuring System Settings
• Configuring System Notifications
• Configuring the Console Settings
• Starting and Stopping STRM
• Resetting SIM
Creating Your Network Hierarchy
STRM uses the network hierarchy to understand your network traffic and provide you with the ability to view network activity for your entire deployment.
When you develop your network hierarchy, you should consider the most effective method for viewing network activity. Note that the network you configure in STRM does not have to resemble the physical deployment of your network. STRM supports any network hierarchy that can be defined by a range of IP addresses. You can create your network based on many different variables, including geographical or business units.
Considerations Consider the following when defining your network hierarchy:
• Group together systems and user groups that have similar behavior. This provides you with a clear view of your network.
• Create multiple top-level groups if your deployment is processing more than 600,000 flows.
• Organize your systems/network by role or similar traffic patterns. For example, mail servers, departmental users, labs, development groups, or geographically disperse locations. This allows you to differentiate network behavior and enforce network management security policies.
• Do not group together servers that have unique behavior with other servers on your network. For example, placing a unique server alone provides the server greater visibility in STRM allowing you to enact specific policies.
• Within a group, place servers with high volumes of traffic, such as mail servers, at the top of the group. This provides you a clear visual representation when a discrepancy occurs. We recommend that you extend this practice to all views.
• Combine multiple Classless Inter-Domain Routing (CIDR) blocks or subnets into a single network object or group to conserve disk space. For example:
Group  Description       IP Address
1      Marketing         10.10.5.0/24
2      Sales             10.10.8.0/21
3      Database Cluster  10.10.1.3/32
                         10.10.1.4/32
                         10.10.1.5/32
Note: We recommend that you do not configure a network group with more than 15 objects. A larger group makes it difficult to view detailed information for each object.
You may also want to define an all-encompassing group so that when you add new networks, the appropriate policies and behavioral monitors are applied to them. For example:
Group      Subgroup             IP Address
Cleveland  Cleveland misc       10.10.0.0/16
Cleveland  Cleveland Sales      10.10.8.0/21
Cleveland  Cleveland Marketing  10.10.1.0/24
If you add a new network to the above example, such as 10.10.50.0/24 for an HR department, its traffic appears as Cleveland-based and any policies or sentries applied to the Cleveland group are applied to it by default.
Defining Your Network Hierarchy
To define your network hierarchy:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Network Hierarchy icon.
The Network Views window appears.
Step 3 From the menu tree, select the areas of the network you want to add a network component. The Manage Group window appears for the selected network component.
Step 4 Click Add.
The Add Network Object window appears.
Step 5 Enter your network object values:
Table 4-1 Add New Object Parameters
Parameter        Action
Group            Specify the group for the new network object. Click Add Group to specify the group.
Name             Specify the name for the object.
Weight           Specify the weight of the object. The range is 0 to 100 and indicates the importance of the object in the system.
IP/CIDR(s)       Specify the CIDR range(s) for this object. For more information on CIDR values, see Accepted CIDR Values.
Description      Specify a description for this network object.
Color            Specify a color for this object.
Database Length  Specify the database length.
Step 6 Click Save.
Step 7 Repeat for all network objects.
Step 8 Click Re-Order.
The Reorder Group window appears.
Step 9 Order the network objects in the desired order.
Step 10 Click Save.
Note: We recommend adding key servers as individual objects and grouping other major but related servers into multi-CIDR objects.
Accepted CIDR Values
The following table provides a list of the CIDR values that STRM accepts:
Table 4-2 Accepted CIDR Values
CIDR Length  Mask             Number of Networks  Hosts
/1           128.0.0.0        128 A               2,147,483,392
/2           192.0.0.0        64 A                1,073,741,696
/3           224.0.0.0        32 A                536,870,848
/4           240.0.0.0        16 A                268,435,424
/5           248.0.0.0        8 A                 134,217,712
/6           252.0.0.0        4 A                 67,108,856
/7           254.0.0.0        2 A                 33,554,428
/8           255.0.0.0        1 A                 16,777,214
/9           255.128.0.0      128 B               8,388,352
/10          255.192.0.0      64 B                4,194,176
/11          255.224.0.0      32 B                2,097,088
/12          255.240.0.0      16 B                1,048,544
/13          255.248.0.0      8 B                 524,272
/14          255.252.0.0      4 B                 262,136
/15          255.254.0.0      2 B                 131,068
/16          255.255.0.0      1 B                 65,534
/17          255.255.128.0    128 C               32,512
/18          255.255.192.0    64 C                16,256
/19          255.255.224.0    32 C                8,128
/20          255.255.240.0    16 C                4,064
/21          255.255.248.0    8 C                 2,032
/22          255.255.252.0    4 C                 1,016
/23          255.255.254.0    2 C                 508
/24          255.255.255.0    1 C                 254
/25          255.255.255.128  2 subnets           126
/26          255.255.255.192  4 subnets           62
/27          255.255.255.224  8 subnets           30
/28          255.255.255.240  16 subnets          14
/29          255.255.255.248  32 subnets          6
/30          255.255.255.252  64 subnets          2
/31          255.255.255.254  none                none
/32          255.255.255.255  1/256 C             1
A network is called a supernet when the prefix boundary contains fewer bits than the network's natural (classful) mask, and a subnet when the prefix boundary contains more bits than the natural mask. For example:
• 209.60.128.0 is a class C network address with a natural mask of /24.
• 209.60.128.0/22 is a supernet that yields:
209.60.128.0/24
209.60.129.0/24
209.60.130.0/24
209.60.131.0/24
• 192.0.0.0/25
Subnet  Host Range
0       192.0.0.1 - 192.0.0.126
1       192.0.0.129 - 192.0.0.254
• 192.0.0.0/26
Subnet  Host Range
0       192.0.0.1 - 192.0.0.62
1       192.0.0.65 - 192.0.0.126
2       192.0.0.129 - 192.0.0.190
3       192.0.0.193 - 192.0.0.254
• 192.0.0.0/27
Subnet  Host Range
0       192.0.0.1 - 192.0.0.30
1       192.0.0.33 - 192.0.0.62
2       192.0.0.65 - 192.0.0.94
3       192.0.0.97 - 192.0.0.126
4       192.0.0.129 - 192.0.0.158
5       192.0.0.161 - 192.0.0.190
6       192.0.0.193 - 192.0.0.222
7       192.0.0.225 - 192.0.0.254
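As an added example (not part of the STRM guide), the Python below reproduces Table 4-2 and the listings above with the standard library's ipaddress module and then applies the Cleveland hierarchy from Considerations. usable_hosts() shows why the table's host counts for prefixes shorter than a classful mask are multiples of a classful network's hosts rather than 2^(32-n) - 2; parse_cidr_field() rejects CIDR entries with host bits set, which is an assumed strictness for illustration and not documented behaviour of the IP/CIDR(s) field; and classify() shows the longest-prefix rule that sends a new 10.10.50.0/24 to Cleveland misc. The Cleveland objects are the page's own; the addresses passed to classify() are constructed.

```python
"""Reproduces Table 4-2 and the supernet/subnet listings with the standard
library, then classifies addresses against a hierarchy such as the Cleveland
example. Added example, not STRM code. The Cleveland objects are the page's
own; the addresses fed to classify() are constructed."""
from ipaddress import ip_address, ip_network


def usable_hosts(prefixlen):
    """Hosts column of Table 4-2. For prefixes shorter than a classful mask
    the table counts classful networks times the usable hosts in each (so /1
    is 128 * (2**24 - 2), not 2**31 - 2). /31 has no usable hosts under that
    scheme and /32 is a single host."""
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 0
    for classful in (8, 16, 24):
        if prefixlen <= classful:
            networks = 2 ** (classful - prefixlen)
            return networks * (2 ** (32 - classful) - 2)
    return 2 ** (32 - prefixlen) - 2


def table_row(prefixlen):
    """(prefix, dotted mask, hosts) for one row of the table."""
    mask = str(ip_network(f"0.0.0.0/{prefixlen}").netmask)
    return prefixlen, mask, usable_hosts(prefixlen)


def component_networks(cidr, natural_prefix=24):
    """The classful networks a supernet aggregates, e.g. 209.60.128.0/22."""
    return [str(n) for n in ip_network(cidr).subnets(new_prefix=natural_prefix)]


def host_ranges(cidr, new_prefix):
    """Subnet / Host Range listing, e.g. 192.0.0.0/24 carved into /27s."""
    rows = []
    for i, sub in enumerate(ip_network(cidr).subnets(new_prefix=new_prefix)):
        hosts = list(sub.hosts())
        rows.append((i, str(hosts[0]), str(hosts[-1])))
    return rows


def parse_cidr_field(text):
    """Parse the comma-separated IP/CIDR(s) field strictly (assumed): an
    entry with host bits set (10.10.9.0/21 really means 10.10.8.0/21) is
    rejected rather than silently widened, so the object covers exactly what
    the operator typed."""
    networks, errors = [], []
    for entry in (e.strip() for e in text.split(",") if e.strip()):
        try:
            networks.append(str(ip_network(entry, strict=True)))
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return networks, errors


# Group, subgroup, CIDR: the page's Cleveland example.
HIERARCHY = [
    ("Cleveland", "Cleveland misc", "10.10.0.0/16"),
    ("Cleveland", "Cleveland Sales", "10.10.8.0/21"),
    ("Cleveland", "Cleveland Marketing", "10.10.1.0/24"),
]


def classify(addr, hierarchy=HIERARCHY):
    """Longest-prefix match. The most specific object owns the address; the
    /16 catch-all picks up anything not defined elsewhere, which is why a
    new 10.10.50.0/24 shows up as Cleveland traffic with no extra config."""
    ip = ip_address(addr)
    best = None
    for _group, subgroup, cidr in hierarchy:
        net = ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (subgroup, net)
    return None if best is None else best[0]
```

table_row(25) returns 126 usable hosts, matching the two /25 host ranges listed above (192.0.0.1 to .126 and .129 to .254). When you define objects, feed each IP/CIDR(s) entry through parse_cidr_field() first: an entry that fails the strict check will be interpreted as a wider block than intended.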
Scheduling Automatic Updates
STRM uses system configuration files to provide useful characterizations of network data flows. You can update your configuration files automatically or manually using the STRM interface to make sure your configuration files contain the latest network security information. The updates, located on the Technical support web site, include threats, vulnerabilities, and geographic information from various security-related web sites. The managed host must be connected to the Internet to receive the updates.
Note: We do not guarantee the accuracy of the third-party information contained on the above-mentioned web sites.
STRM allows you to either replace your existing configuration files or integrate the updates with your existing files to maintain the integrity of your current configuration and information.
You can also update the configuration files for all systems in your STRM deployment. However, your deployment must already be defined in the deployment editor. For more information, see Chapter 6 Using the Deployment Editor.
Caution: Failing to build your deployment map before you configure automatic or manual updates results in your remote systems not being updated.
Scheduling Automatic Updates
To schedule automatic updates:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Auto Update icon. The Auto-Update Configuration window appears.
Step 3 In the Update Method list box, select the method you want to use for updating your files:
• Auto Integrate - Integrates the new configuration files with your existing files to maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new configuration files.
Step 4 By default, all views are updated. To prevent views from being updated, select the check box(es) in the Protected Views section for the views you do not want to update with the new configuration files. The configuration files for the selected views are not updated.
Step 5 Schedule automatic updates:
a Select the Schedule Autoupdates check box to enable automatic updates based on the frequency configured in the next step.
b In the Frequency list boxes, select the frequency of the automatic updates. You must select the frequency (Monthly, Daily, Weekly), date, and time. You must select the Schedule Autoupdates check box to save the configured frequency. Otherwise, the frequency defaults to weekly.
Step 6 Click Save.
Step 7 From the menu, select Configurations > Deploy Configuration Changes. The updates are enforced through your deployment.
Note: STRM automatic updates are not enforced through your deployment automatically. After each automatic update, you must log in to STRM and, from the Administration Console menu, select Configurations > Deploy Configuration Changes.
Updating Your Files On-Demand
You can update your files, whenever necessary, using the Auto-Update window.
To update your files:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Auto Update icon. The Auto-Update Configuration window appears.
Step 3 In the Update Method list box, select the method you want to use for updating your files:
• Auto Integrate - Integrates the new configuration files with your existing files to maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new configuration files.
Step 4 In the Protected Views section, select the check box(es) for the views you do not want to update with the new configuration files. The configuration files for the selected views are not updated.
Step 5 Click Save and Update Now.
Your views are updated.
Step 6 From the menu, select Configurations > Deploy Configuration Changes. The updates are enforced through your deployment.
Configuring System Settings
Using the Administration Console, you can configure the system, database, and sentry settings.
To configure system settings:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the System Settings icon. The System Settings window appears.
Step 3 Enter values for the parameters:
Table 4-3 System Settings Parameters
Parameter Description
Settings
Administrative Email Address Specify the e-mail address of the designated system administrator. The default is root@localhost.
Alert Email From Address Specify the e-mail address from which you want to receive e-mail alerts.
Resolution Interval Length Specify the interval length, in minutes. The default is 1 minute.
Delete Root Mail Root mail is the default location for host context messages. Specify one of the following:
• Yes - Delete the local administrator e-mail. This is the default.
• No - Do not delete local administrator e-mail.
Temporary Files Retention Period
Specify the time period the system stores temporary files. The default is 6 hours.
Asset Profile Reporting Interval
Specify the interval, in seconds, that the database stores new asset profile information. The default is 900 seconds.
Asset Profile Views Specify the views you want the system to use when accumulating asset profile data.
VIS passive Asset Profile Interval
Specify the interval, in seconds, that the database stores all passive asset profile information. The default is 86,400 seconds.
Audit Log Enable Enables or disables the ability to collect audit logs. You can view audit log information using the Event Viewer. The default is Yes.
TNC Recommendation Enable
Trusted Network Connect (TNC) recommendations enable you to restrict or deny access to the network based on user name or other credentials. Specify one of the following:
• Yes - Enables the TNC recommendation functionality.
• No - Disables the TNC recommendation functionality.
Coalescing Events Enables or disables the ability for a sensor device to coalesce (bundle) events. This value applies to all sensor devices. However, if you want to alter this value for a specific sensor device, edit the Coalescing Event parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.
Store Event Payload Enables or disables the ability for a sensor device to store event payload information. This value applies to all sensor devices. However, if you want to alter this value for a specific sensor device, edit the Event Payload parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.
Global Iptables Access Specify the IP address of a non-Console system without an iptables configuration to which you want to enable direct access. To enter multiple systems, enter a comma-separated list of IP addresses.
Dynamic Custom View Deploy Interval
Specify the interval period, in seconds, you want to deploy changes for any dynamic custom view, such as, ASN or ifIndex Views. When the Classification Engine collects dynamic view information and reports this information to configuration services, this is the interval that configuration services component deploys the changes. The default is 15 seconds.
Database Settings
User Data Files Specify the location of the user profiles. The default is /store/users.
Database Storage Location
Specify the location of the database files. The default location is /store/db.
Sentry Database Location Specify the location of the sentry database. The default is /store/sentry/db.
Network View Graph Retention Period
Using the drop-down list box, select the period of time you want to store the network view graph information. The default is 4 weeks.
All Views - Group Database Retention Period
Using the drop-down list box, select the period of time you want to store the group views information. The default is 1 week.
All Views - Object Database Retention Period
Using the drop-down list box, select the period of time you want to store the object views information. The default is 1 week.
Offense Retention Period Using the drop-down list box, select the period of time you want to retain offense information. The default is 3 days.
Identity History Retention Period
Using the drop-down list box, select the length of time you want to store asset profile history records. The default is 1 week.
Attacker History Retention Period
Specify the amount of time that you want to store the attacker history. The default is 6 months.
Ariel Database Settings
Flow Data Storage Location
Specify the location that you want to store the flow log information. The default location is /store/ariel/flows.
Flow Data Retention Period
Specify the period of time you want to store flow data. The default is 1 week.
Asset Profile Storage Location
Specify the location where you want to store asset profile data. The default location is /store/ariel/hprof.
Asset Profile Retention Period
Specify the period of time, in days, that you want to store the asset profile information. The default is 30 days.
Device Log Storage Location
Specify the location that you want to store the device log information. The default location is /store/ariel/events.
Device Log Data Retention Period
Specify the amount of time that you want to store the device log data. The default is 30 days.
Custom View Retention Period
Specify the amount of time, in seconds, that you want to store custom view information. The default is 2,592,000 seconds (30 days).
Maximum Real Time Results
Specify the maximum number of results you want to view in the Event Viewer and Flow Viewer. The default is 10,000.
Reporting Max Matched Results
Specify the maximum number of results you want a report to return. This value applies to the search results in the Event Viewer and Flow Viewer. The default is 1,000,000.
Command Line Max Matched Results
Specify the maximum number of results you want the command line to return. The default is 0.
Web Execution Time Limit Specify the maximum amount of time, in seconds, you want a query in the interface to process before a time-out occurs. This value applies to the search results in the Event Viewer and Flow Viewer. The default is 600 seconds.
Reporting Execution Time Limit
Specify the maximum amount of time, in seconds, you want a reporting query to process before a time-out occurs. The default is 57,600 seconds.
Command Line Execution Time Limit
Specify the maximum amount of time, in seconds, you want a query in the command line to process before a time-out occurs. The default is 0 seconds.
Flow Log Hashing Enables or disables the ability for STRM to store a hash file for every stored flow log file. The default is No.
Event Log Hashing Enables or disables the ability for STRM to store a hash file for every stored event log file. The default is No.
Hashing Algorithm Select the algorithm used to compute the hash files enabled by Flow Log Hashing and Event Log Hashing. A hash algorithm transforms input of any length into a short fixed-length value called a message digest (MD); it is not encryption. Comparing a stored digest with a freshly computed one lets you detect later modification of the log file. Two families are available:
• Message-Digest (MD) algorithms - Produce a 128-bit digest.
• Secure Hash Algorithm (SHA) - Standard algorithms that produce larger digests (160 bits or more).
The options are:
• MD2 - Algorithm defined by RFC 1319. 128-bit digest.
• MD5 - Algorithm defined by RFC 1321. 128-bit digest.
• SHA-1 - Default. Algorithm defined by the Secure Hash Standard (SHS), NIST FIPS 180-1. 160-bit digest.
• SHA-256 - Algorithm defined by FIPS 180-2, SHS. SHA-256 produces a 256-bit digest and is intended to provide 128 bits of security against collision attacks.
• SHA-384 - Algorithm defined by FIPS 180-2, SHS. SHA-384 produces a 384-bit digest and is computed as a truncated variant of SHA-512 with different initial values.
• SHA-512 - Algorithm defined by FIPS 180-2, SHS. SHA-512 produces a 512-bit digest and is intended to provide 256 bits of security against collision attacks.
MD2 and MD5 are no longer considered collision resistant, and SHA-1 is deprecated for the same reason; prefer SHA-256 or larger for new deployments.
Sentry Settings
Alert Directory Specify the location you want to store active alerts for each user. The default is /store/sentry/alerts.
Default Sentry Scripts Specify the default sentry scripts you want to execute. The default is /opt/STRM/triggerbin/system.js.
List of Sentry Scripts Specify the sentry scripts you want to execute, in the order of execution. Separate each entry with a comma. The default is system.js,activity_anomaly.js,learn_policy.js,threshold.js,behavioral.js.
Sentry Properties Specify the sentry properties location. The default is /store/sentry/persistent_properties.xml.
Sentry Response Queue Specify the sentry response queue file. The default is /store/sentry/response_queue.xml.
Sentry Database Location Specify the location of the sentry database. The default is /store/sentry/qc_persistentstorage.
Transaction Sentry Settings
Transaction Max Time Limit A transaction sentry detects unresponsive applications using transaction analysis. If an unresponsive application is detected, the transaction sentry attempts to return the application to a functional state. Using the drop-down list box, select the length of time you want the system to check for transactional issues in the database. The default is 10 minutes.
Resolve Transaction on Non-Encrypted Host
Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the Console or non-encrypted managed hosts. If you select No, the conditions are detected and logged but you must manually intervene and correct the error. The default is Yes.
Resolve Transaction on Encrypted Host
Using the drop-down list box, select whether you want the transaction sentry to resolve all erroneous conditions detected on the encrypted managed host. If you select No, the conditions are detected and logged but you must manually intervene and correct the error. The default is Yes.
SNMP Settings
Enable - Enables or disables Simple Network Management Protocol (SNMP) responses in the STRM custom rules engine. The default is No, which means the custom rules engine does not send SNMP notifications.
Destination Host - Specify the IP address to which you want to send SNMP notifications.
Destination Port - Specify the port to which you want to send SNMP notifications. The default is 162.
Community (V2) - Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2. The community string travels in clear text with every notification, so avoid well-known values such as public and prefer SNMPv3 where the receiving manager supports it.
User Name - Specify the SNMPv3 user name used when sending SNMP notifications.
Security Level - Specify the SNMPv3 security level. The options are:
• NOAUTH_NOPRIV - No authentication and no privacy. This is the default; notifications are sent unauthenticated and unencrypted.
• AUTH_NOPRIV - Authentication, but no privacy.
• AUTH_PRIV - Authentication and privacy (encryption). Use this level where the receiving manager supports it.
Authentication Protocol - Specify the algorithm you want to use to authenticate SNMP traps.
Authentication Password - Specify the password you want to use to authenticate SNMP traps.
Privacy Protocol - Specify the protocol you want to use to encrypt SNMP traps.
Privacy Password - Specify the password used to encrypt SNMP traps.
Embedded SNMP Agent Settings
Enabled - Enables or disables access to data from the SNMP agent using SNMP requests. The default is No.
Community String - Specify the SNMP community, such as public. This parameter applies if you are using SNMPv2 or SNMPv3.
IP Access List - Specify the systems that can access data from the SNMP agent using SNMP requests. If the Enabled option is set to Yes, this list is enforced.
Step 4 Click Save.
The STRM Administration Console appears.
Step 5 From the menu, select Configurations > Deploy All.
Configuring System Notifications
You can configure system performance alerts based on thresholds using the STRM Administration Console. This section describes how to configure your system thresholds.
To configure system thresholds:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Global System Notifications icon.
The Global System Notifications window appears.
Step 3 Enter values for the parameters listed in Table 4-4. For each parameter, you must also set the following options:
• Enabled - Select the check box to enable the threshold.
• Respond if value is - Specify one of the following options:
- Greater Than - An alert occurs if the parameter value exceeds the configured value.
- Less Than - An alert occurs if the parameter value is less than the configured value.
• Resolution Message - Specify a description of the preferred resolution to the alert.
Table 4-4 System Thresholds Parameters
Parameter - Description
User CPU usage - Specify the threshold percentage of user CPU usage.
Nice CPU usage - Specify the threshold percentage of user CPU usage at the nice priority.
System CPU usage - Specify the threshold percentage of CPU usage while operating at the system level.
Idle CPU usage - Specify the threshold percentage of idle CPU time.
Percent idle time - Specify the threshold percentage of idle time.
Run queue length - Specify the threshold number of processes waiting for run time.
Number of processes in the process list - Specify the threshold number of processes in the process list.
System load over 1 minute - Specify the threshold system load average over the last minute.
System load over 5 minutes - Specify the threshold system load average over the last 5 minutes.
System load over 15 minutes - Specify the threshold system load average over the last 15 minutes.
Kilobytes of memory free - Specify the threshold amount, in kilobytes, of free memory.
Kilobytes of memory used - Specify the threshold amount, in kilobytes, of used memory. This does not include memory used by the kernel.
Percentage of memory used - Specify the threshold percentage of used memory.
Kilobytes of cached swap memory - Specify the threshold amount of memory, in kilobytes, shared by the system.
Kilobytes of buffered memory - Specify the threshold amount of memory, in kilobytes, used as a buffer by the kernel.
Kilobytes of memory used for disc cache - Specify the threshold amount of memory, in kilobytes, used by the kernel to cache data.
Kilobytes of swap memory free - Specify the threshold amount, in kilobytes, of free swap memory.
Kilobytes of swap memory used - Specify the threshold amount, in kilobytes, of used swap memory.
Percentage of swap used - Specify the threshold percentage of used swap space.
Number of interrupts per second - Specify the threshold number of interrupts received per second.
Received packets per second - Specify the threshold number of packets received per second.
Transmitted packets per second - Specify the threshold number of packets transmitted per second.
Received bytes per second - Specify the threshold number of bytes received per second.
Transmitted bytes per second - Specify the threshold number of bytes transmitted per second.
Received compressed packets - Specify the threshold number of compressed packets received per second.
Transmitted compressed packets - Specify the threshold number of compressed packets transmitted per second.
Received multicast packets - Specify the threshold number of multicast packets received per second.
Receive errors - Specify the threshold number of corrupt packets received per second.
Transmit errors - Specify the threshold number of corrupt packets transmitted per second.
Packet collisions - Specify the threshold number of collisions that occur per second while transmitting packets.
Dropped receive packets - Specify the threshold number of received packets dropped per second because of a lack of buffer space.
Dropped transmit packets - Specify the threshold number of transmitted packets dropped per second because of a lack of buffer space.
Transmit carrier errors - Specify the threshold number of carrier errors that occur per second while transmitting packets.
Receive frame errors - Specify the threshold number of frame alignment errors that occur per second on received packets.
Receive fifo overruns - Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.
Transmit fifo overruns - Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.
Transactions per second - Specify the threshold number of transfers per second sent to the system.
Sectors written per second - Specify the threshold number of sectors transferred to or from the system.
Step 4 Click Save.
The STRM Administration Console appears.
Step 5 From the menu, select Configurations > Deploy Configuration Changes.
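The threshold logic described in this section, as an added example that is not part of the STRM documentation or product: it derives a subset of the Table 4-4 metrics from constructed /proc-style samples (a loadavg line, a meminfo extract and two /proc/net/dev snapshots, all made up for this example) and applies constructed Enabled / Respond if value is / Resolution Message rules to them. STRM's own collector and its exact definition of each metric are not documented here, so the metric derivations are assumptions; the per-second network figures are counter deltas over an assumed 10-second interval.

```python
"""Threshold evaluation in the style of Global System Notifications (Table 4-4).
Added illustration, not STRM code: constructed /proc-style samples and
constructed threshold rules; STRM's own collector is not documented here."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples (not captured from a real host); the two /proc/net/dev
# snapshots are assumed to be INTERVAL_SECONDS apart.
INTERVAL_SECONDS = 10
LOADAVG_SAMPLE = "4.52 3.10 2.05 3/412 28911\n"
MEMINFO_SAMPLE = "MemTotal: 8164000 kB\nMemFree: 210000 kB\nSwapTotal: 4194300 kB\nSwapFree: 1048575 kB\n"
NETDEV_HEADER = ("Inter-|   Receive                |  Transmit\n"
                 " face |bytes packets errs drop fifo frame compressed multicast|"
                 "bytes packets errs drop fifo colls carrier compressed\n")
NETDEV_T0 = NETDEV_HEADER + "  eth0: 1000000 20000  0   0 0 0 0 0 500000 10000 0 0 0  0 0 0\n"
NETDEV_T1 = NETDEV_HEADER + "  eth0: 1500000 30000 50 120 0 0 0 0 700000 14000 0 0 0 30 0 0\n"

# /proc/net/dev column order: eight receive counters, then eight transmit counters.
NETDEV_COLUMNS = ["rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo", "rx_frame",
                  "rx_compressed", "rx_multicast", "tx_bytes", "tx_packets", "tx_errs",
                  "tx_drop", "tx_fifo", "tx_colls", "tx_carrier", "tx_compressed"]
# Table 4-4 parameter name -> counter whose per-second rate it reports (assumed mapping).
NETDEV_PARAMETERS = {"Received bytes per second": "rx_bytes", "Received packets per second": "rx_packets",
                     "Receive errors": "rx_errs", "Dropped receive packets": "rx_drop",
                     "Transmitted bytes per second": "tx_bytes", "Transmitted packets per second": "tx_packets",
                     "Packet collisions": "tx_colls"}


def parse_loadavg(text: str) -> Dict[str, float]:
    one, five, fifteen, queue, _ = text.split()
    running, total = queue.split("/")
    return {"System load over 1 minute": float(one), "System load over 5 minutes": float(five),
            "System load over 15 minutes": float(fifteen), "Run queue length": float(running),
            "Number of processes in the process list": float(total)}


def parse_meminfo(text: str) -> Dict[str, float]:
    kb = {k.strip(): float(v.split()[0]) for k, v in (line.split(":") for line in text.splitlines())}
    used, swap_used = kb["MemTotal"] - kb["MemFree"], kb["SwapTotal"] - kb["SwapFree"]
    # A host without swap reports SwapTotal 0; report 0 % instead of dividing by zero.
    swap_pct = 100.0 * swap_used / kb["SwapTotal"] if kb["SwapTotal"] else 0.0
    return {"Kilobytes of memory free": kb["MemFree"], "Kilobytes of memory used": used,
            "Percentage of memory used": 100.0 * used / kb["MemTotal"],
            "Kilobytes of swap memory free": kb["SwapFree"], "Kilobytes of swap memory used": swap_used,
            "Percentage of swap used": swap_pct}


def parse_netdev(text: str) -> Dict[str, Dict[str, int]]:
    counters = {}
    for line in text.splitlines():
        if ":" in line:                      # the two header lines carry no colon
            iface, rest = line.split(":", 1)
            counters[iface.strip()] = dict(zip(NETDEV_COLUMNS, map(int, rest.split())))
    return counters


def netdev_rates(before: str, after: str, seconds: float, iface: str = "eth0") -> Dict[str, float]:
    t0, t1 = parse_netdev(before)[iface], parse_netdev(after)[iface]
    rates = {}
    for parameter, column in NETDEV_PARAMETERS.items():
        delta = t1[column] - t0[column]
        if delta >= 0:                       # a negative delta means the counter reset or wrapped
            rates[parameter] = delta / seconds
    return rates


def collect_metrics() -> Dict[str, float]:
    return {**parse_loadavg(LOADAVG_SAMPLE), **parse_meminfo(MEMINFO_SAMPLE),
            **netdev_rates(NETDEV_T0, NETDEV_T1, INTERVAL_SECONDS)}


@dataclass(frozen=True)
class Threshold:
    parameter: str
    enabled: bool            # the Enabled check box
    respond_if: str          # "Greater Than" or "Less Than"
    value: float
    resolution_message: str


SAMPLE_THRESHOLDS = [  # constructed rules
    Threshold("System load over 1 minute", True, "Greater Than", 4.0, "Look for runaway processes"),
    Threshold("Kilobytes of memory free", True, "Less Than", 262144, "Find the memory consumer"),
    Threshold("Percentage of memory used", True, "Greater Than", 99, "Find the memory consumer"),
    Threshold("Percentage of swap used", True, "Greater Than", 50, "Add memory or reduce load"),
    Threshold("Receive errors", True, "Greater Than", 0, "Check NIC, cabling and switch port"),
    Threshold("Received packets per second", False, "Greater Than", 100, "Disabled, never fires"),
]


def evaluate(metrics: Dict[str, float], thresholds: List[Threshold]) -> List[dict]:
    """Return one alert per enabled rule whose comparison holds (strict, as the window states)."""
    alerts = []
    for rule in thresholds:
        if not rule.enabled or rule.parameter not in metrics:
            continue
        observed = metrics[rule.parameter]
        if rule.respond_if == "Greater Than":
            fired = observed > rule.value
        elif rule.respond_if == "Less Than":
            fired = observed < rule.value
        else:
            raise ValueError("unknown comparison " + rule.respond_if)
        if fired:
            alerts.append({"parameter": rule.parameter, "observed": observed,
                           "threshold": rule.value, "resolution": rule.resolution_message})
    return alerts
```

Disabled rules are skipped, both comparisons are strict, a host with no swap reports 0 % swap used rather than failing, and a counter that went backwards between snapshots (a reset or wrap) produces no rate for that interval instead of a spurious alert.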
Configuring the Console Settings
The STRM Console provides the user interface for STRM. The Console provides real-time views, reports, alerts, and in-depth investigation of flows for network traffic and security threats. You also use the Console to manage distributed STRM deployments.
You can access the Console from a standard web browser. When you access the system, a prompt appears for a user name and password, which must be configured in advance by the STRM administrator. STRM supports the following web browsers:
• Internet Explorer 6.0 or 7.0
• Mozilla Firefox 3.0
To configure STRM Console settings:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Console icon.
The STRM Console Settings window appears.
Step 3 Enter values for the parameters:
Table 4-5 STRM Console Management Parameters
Parameter - Description
Console Settings
ARP - Safe Interfaces - Specify the interfaces you want excluded from ARP resolution activities.
Enable 3D graphs in the user interface - Using the drop-down list box, select one of the following:
• Yes - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 3-dimensional format.
• No - Displays Flow Viewer, Event Viewer, and Dashboard graphics in 2-dimensional format.
Authentication Settings
Persistent Session Timeout (in days) - Specify the length of time, in days, that a user session is persisted. The default is 0, which disables this feature and the Remember Me option on the login window.
Maximum Login Failures - Specify the number of times a login attempt may fail. The default is 5.
Login Failure Attempt Window (in minutes) - Specify the length of time during which the maximum number of login failures may occur before further logins are blocked. The default is 10 minutes.
Login Failure Block Time (in minutes) - Specify the length of time that logins are blocked if the maximum login failures value is exceeded. The default is 30 minutes.
Login Host Whitelist - Specify a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-separated list. Hosts on this list are never locked out, so limit it to trusted management addresses.
Inactivity Timeout (in minutes) - Specify the length of time, in minutes, after which a user is automatically logged out of the system if no activity occurs.
Login Message File - Specify the location and name of a file whose content you want to appear on the STRM login window. This file may be in text or HTML format, and the contents of the file appear below the current login window.
Event Permission Precedence - Using the drop-down list box, specify the level of network permissions you want to assign users. This affects the events that appear in the Event Viewer. The options include:
• Network Only - A user must have access to either the source network or the destination network of the event for the event to appear in the Event Viewer.
• Devices Only - A user must have access to either the device or the device group that created the event for the event to appear in the Event Viewer.
• Networks and Devices - A user must have access to both the source or destination network and the device or device group for the event to appear in the Event Viewer.
• None - All events appear in the Event Viewer. Any user with Event Viewer role permissions is able to view all events.
Note: For more information on managing users, see Chapter 1 Managing Users.
DNS Settings
Enable DNS Lookups for Asset Profiles - Enable or disable the ability for STRM to search for DNS information in asset profiles. When enabled, this information is available by right-clicking the IP address or host name in the Host Name (DNS Name) field of the asset profile. The default is False.
Enable DNS Lookups for Host Identity - Enable or disable the ability for STRM to search for host identity information. When enabled, this information is available by right-clicking any IP address or asset name in the interface. The default is True.
WINS Settings
WINS Server - Specify the location of the Windows Internet Naming Service (WINS) server.
Reporting Settings
Report Retention Period - Specify the period of time, in days, that you want the system to retain reports. The default is 30 days.
Data Export Settings
Include Header in CSV Exports - Specify whether you want to include a header row in CSV export files.
Maximum Simultaneous Exports - Specify the maximum number of exports you want to run at one time.
Step 4 Click Save.
Step 5 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
Starting and Stopping STRM
To start, stop, or restart STRM:
Step 1 In the main STRM interface, click Config.
The STRM Administration Console appears.
Step 2 From the System menu, select one of the following options:
a STRM Start
b STRM Stop
c STRM Restart
Resetting SIM
Using the Administration Console, you can reset the SIM module, which removes all offense, attacker, and target information from the database and the disk. This option is useful after tuning your deployment, to avoid receiving any further false positive information.
To reset the SIM module:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Clean SIM Model icon.
The Reset SIM Data Module window appears.
Step 3 Read the information in the window.
Step 4 Select one of the following options:
• Soft Clean - Closes all offenses in the database.
• Hard Clean - Purges all active SIM data, including offenses, targets, and attackers.
Step 5 If you want to continue, select the Are you sure you want to reset the data model? check box.
Step 6 Click Proceed.
A message appears indicating that the SIM reset process has started. This process may take several minutes, depending on the amount of data in your system.
Step 7 Once the SIM reset process is complete, refresh your browser.
Note: If you attempt to navigate to other areas of the user interface during the SIM reset process, an error message appears.
MANAGING AUTHORIZED SERVICES
You can configure authorized services in the Administration Console to pre-authenticate a customer support service for your STRM deployment. Authenticating a customer support service allows the service to connect to your STRM interface and either dismiss an offense or update the notes on an offense using a web service. You can add or revoke an authorized service at any time.
Note: To access the authorized services functionality, a user role must exist with only the Offense Management check box selected. The Assign Offenses to Users and Customized Rule Creation check boxes must be clear. For more information on creating user roles, see Chapter 4 Managing Users.
This chapter provides information for managing authorized services, including:
• Viewing Authorized Services
• Adding an Authorized Service
• Revoking Authorized Services
Viewing Authorized Services
To view authorized services for your STRM deployment:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authorized Services icon. The Manage Authorized Services window appears providing the following information:
Table 5-1 Manage Authorized Services Parameters
Parameter - Description
Service Name - Specifies the name of the authorized service.
Authorized By - Specifies the name of the user or administrator that authorized the addition of the service.
Authentication Token - Specifies the token associated with this authorized service.
User Role - Specifies the user role associated with this authorized service.
Created - Specifies the date that this authorized service was created.
Expired - Specifies the date and time at which the authorized service expires. This field also indicates when a service has already expired.
Step 3 To select a token from an authorized service, select the appropriate authorized service. The token appears in the Selected Token field in the top bar. This allows you to copy the token into your third-party application to authenticate with STRM.
Adding an Authorized Service
To add an authorized service:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authorized Services icon.
The Manage Authorized Services window appears.
Step 3 Click Add Authorized Service.
The Add Authorized Service window appears.
Step 4 Enter values for the parameters:
Table 5-2 Add Authorized Services Parameters
Parameter - Description
Service Name - Specify a name for this authorized service. The name can be up to 255 characters in length.
User Role - Using the drop-down list box, select the user role you want to assign to this authorized service. The user role assigned to an authorized service determines the functionality in the STRM interface that this service can access, so assign the most restrictive role that still lets the service do its job.
Expiry Date - Specify the date on which you want this service to expire, or select the No Expiry check box if you do not want this service to expire. By default, an authorized service is valid for 30 days.
Step 5 Click Create Service.
A confirmation message appears. This message contains a token field that you must copy into your third-party application to authenticate with STRM. The token is a bearer credential: anyone who holds it can act with the service's user role until the service expires or is revoked, so store it as you would a password. For more information about setting up your third-party application to integrate with STRM, contact your system administrator.
Revoking Authorized Services
To revoke an authorized service:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authorized Services icon.
The Manage Authorized Services window appears.
Step 3 Select the service you want to revoke.
Step 4 Click Revoke Authorization.
A confirmation window appears.
Step 5 Click Ok.
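The token lifecycle covered by the Adding and Revoking procedures above (issue a token that is valid for 30 days by default or has no expiry, check it on each web-service call, revoke it at any time), as an added example that is not STRM's own implementation: STRM's token format, storage and web service are not documented on this page. The registry below is a hypothetical design in which the server keeps only an HMAC-SHA256 digest of each token under a server-side key (`server_key`, an assumption), so a copied database does not yield usable tokens, and compares digests in constant time. `SAMPLE_NOW` and `days_later` are small constructed helpers for fixing the clock in a demonstration.

```python
"""Bearer-token lifecycle for authorized services (issue, authenticate, revoke).
Added illustration, not STRM's implementation; the registry design, the
server-side key and the token encoding are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

DEFAULT_VALIDITY = timedelta(days=30)   # Table 5-2: valid for 30 days unless No Expiry is set
SAMPLE_NOW = datetime(2008, 9, 1, 12, 0, 0)   # constructed clock for demonstrations


def days_later(moment: datetime, days: int) -> datetime:
    return moment + timedelta(days=days)


@dataclass
class AuthorizedService:
    service_name: str
    authorized_by: str
    user_role: str
    created: datetime
    expires: Optional[datetime]         # None when the No Expiry check box is selected
    token_digest: str                   # keyed digest of the token; the token itself is never stored
    revoked: bool = False


class AuthorizedServiceRegistry:
    def __init__(self, server_key: bytes):
        # Assumed server-side key: without it, stored digests cannot be matched to tokens.
        self._server_key = server_key
        self._services: Dict[str, AuthorizedService] = {}

    def _digest(self, token: str) -> str:
        return hmac.new(self._server_key, token.encode("utf-8"), hashlib.sha256).hexdigest()

    def add(self, service_name: str, authorized_by: str, user_role: str, now: datetime,
            validity: timedelta = DEFAULT_VALIDITY, no_expiry: bool = False) -> str:
        """Create the service and return its token once, as the confirmation message does."""
        if not 1 <= len(service_name) <= 255:            # Table 5-2 length limit
            raise ValueError("service name must be 1 to 255 characters")
        if service_name in self._services:
            raise ValueError("service name already in use")
        token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
        self._services[service_name] = AuthorizedService(
            service_name, authorized_by, user_role, now,
            None if no_expiry else now + validity, self._digest(token))
        return token

    def revoke(self, service_name: str) -> None:
        # The record stays for the audit trail but is never honoured again.
        self._services[service_name].revoked = True

    def authenticate(self, token: str, now: datetime) -> Optional[AuthorizedService]:
        """Return the service a token belongs to, or None if unknown, revoked or expired."""
        presented = self._digest(token)
        for service in self._services.values():
            # Constant-time comparison of digests, not of the raw tokens.
            if hmac.compare_digest(service.token_digest, presented):
                if service.revoked or (service.expires is not None and now >= service.expires):
                    return None
                return service
        return None
```

The caller of the web service then checks `service.user_role` against the action requested (dismissing an offense, updating its notes) rather than trusting the token alone; expiry is enforced at the boundary, so a token presented exactly at its expiry time is already rejected.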
MANAGING BACKUP AND RECOVERY
Using the Administration Console, you can back up and recover configuration information and data for STRM. You can back up and recover the following information for your system:
• License key information
• Sentry configuration
• Rules configuration
• Configuration database information
• User profile information
• Views configuration
This chapter provides information on managing backup and recovery, including:
• Managing Backup Archives
• Backing Up Your Information
• Restoring Your Configuration Information
Managing Backup Archives
Using the Administration Console, you can:
• View your successful backup archives. See Viewing Backup Archives.
• Import an archive file. See Importing an Archive.
• Delete an archive file. See Deleting a Backup Archive.
Viewing Backup Archives
To view all successful backups:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.
The list of archives includes backup files that exist in the database. If a backup file is deleted, it is removed from the disk and from the database. Also, the entry is removed from this list and an audit event is generated to indicate the removal. If a backup is in progress, a status window appears to indicate the duration of the current backup, which user/process initiated the backup, and provides you with the option to cancel the backup.
Each archive file includes the data from the previous day. The Backup Archives window provides the following information for each backup archive.
Table 6-1 Backup Archive Window Parameters
Parameter - Description
Host - Specifies the host that initiated the backup process.
Name - Specifies the name of the backup archive. To download the backup file, click the name of the backup.
Type - Specifies the type of backup. The options are:
• db (database)
• config (configuration data)
• data (events, flows, and asset profile information)
Size - Specifies the size of the archive file.
Time Initiated - Specifies the time that the backup file was created.
Duration - Specifies the time taken to complete the backup process.
Initialized By - Specifies whether the backup file was created by a user or through a scheduled process.
Importing an Archive
To import a STRM backup archive file:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.
Step 3 In the Upload Archive field, click Browse.
The File Upload window appears.
Step 4 Select the archive file you want to upload. Click Open.
Step 5 Click Upload.
Deleting a Backup Archive
To delete a backup archive:
Note: To delete a backup archive file, the backup archive file and the Host Context component must reside on the same system. The system must also be in communication with the Console.
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.
Step 3 Select the archive you want to delete.
Step 4 Click Delete.
A confirmation window appears.
Step 5 Click Ok.
Backing Up Your Information
You can back up your configuration information and data using the Backup Recovery Configuration window. You can back up your configuration information using a manual process, and you can back up your configuration information and data using a scheduled process. By default, STRM creates a backup archive of your configuration information every night at midnight; the backup includes configuration and/or data from the previous day. This section provides information on both methods of backing up your data, including:
• Scheduling Your Backup
• Initiating a Backup
Scheduling Your Backup
To schedule your backup process, configure your backup settings:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.
Step 3 Click Configure.
The Backup Recovery Configuration window appears.
Step 4 Enter values for the parameters:
Table 6-2 Backup Recovery Configuration Parameters
Parameter - Description
General Backup Configuration
Backup Repository Path - Specify the location where you want to store your backup files. This path must exist before the backup process is initiated. If this path does not exist, the backup process aborts. The default is /store/backup.
Note: If you modify this path, make sure the new path is valid on every system in your deployment.
Backup Retention Period - Specify the length of time, in days, that you want to retain backup files. The default is 2 days.
Note: This period of time only affects backup files generated by a scheduled process. Manually initiated backups are not affected by this value.
Nightly Backup Schedule - Select one of the following options:
• No Nightly Backups - Disables the creation of a daily backup archive.
• Configuration Backup Only - Enables the creation of a daily backup at midnight that includes configuration information only.
• Configuration and Data Backups - Enables the creation of a daily backup at midnight that includes configuration information and data. If you select this option, you can select the hosts you want to back up. This option backs up all database table information, including:
- Offenses (including target and attacker information)
- Asset data
- Categories
- Vulnerability data
Once you select the host, you can select one of the following options: Event Data, Flow Data, and Asset Profile Data.
Configuration Only Backup
Backup Time Limit - Specify the length of time, in minutes, that you want to allow the backup to run.
Backup Priority - Specify the level of importance (low, medium, high) you want the system to place on the configuration backup process compared to other processes.
Data Backup
Backup Time Limit (min) - Specify the length of time, in minutes, that you want to allow the backup to run.
Backup Priority - Specify the level of importance (low, medium, high) you want the system to place on the data backup process compared to other processes.
Step 5 Click Save.
Step 6 From the Administration Console menu, select Configurations > Deploy All.
Initiating a Backup
To manually initiate a backup:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon.
The Backup Archives window appears.
Step 3 Click On Demand Backup.
The Create a Backup window appears.
Step 4 Enter values for the following parameters:
• Name - Specify a unique name you want to assign to this backup file. The name may contain a maximum of 100 alphanumeric characters and may also contain the underscore (_), dash (-), and period (.) characters.
• Description - Specify a description for this backup. The description can be up to 255 characters in length.
Step 5 Click Run Backup.
A confirmation window appears.
Step 6 Click OK.
Restoring Your Configuration Information
You can restore configuration information from existing backup archives using the Restore Backup window. Note the following requirements when you are restoring configuration information:
• You can only restore a backup archive created within the same release of software. For example, if you are running STRM 6.1.2, the backup archive must have been created in STRM 6.1.2. You cannot restore configuration information archived in a previous release.
• Each backup archive includes IP address information of the system from which the backup archive was created. The IP address of the system on which you want to restore the information must match the IP address of the backup archive. If the IP addresses do not match, the restore process will fail.
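A pre-restore check for the two requirements above, together with the Backup Repository Path requirement from Table 6-2 and the configuration-only restriction noted at the end of this chapter, as an added example that is not STRM code. The archive manifest layout (a JSON document with `type`, `release` and `console_ip` keys) is an assumption made for this example; STRM's archive format is not documented on this page, and the sample manifest is constructed.

```python
"""Pre-restore checks: configuration archive, same release, same IP address,
repository path present. Added illustration, not STRM code; the manifest
layout is an assumption."""
import ipaddress
import json
import os
from typing import List

# Constructed manifest, in the assumed layout an archive might carry.
SAMPLE_MANIFEST = json.dumps({
    "name": "nightly-2008-09-01",
    "type": "config",          # db | config | data, as listed in Table 6-1
    "release": "2008.3",
    "console_ip": "10.0.0.5",
})


def check_restore_preconditions(manifest_json: str, local_release: str,
                                local_ip: str, repository_path: str) -> List[str]:
    """Return the reasons a restore would fail; an empty list means go ahead."""
    manifest = json.loads(manifest_json)
    problems = []

    # Only configuration archives are restorable from the Console; data
    # restores go through Juniper Networks Customer Support.
    archive_type = manifest.get("type")
    if archive_type != "config":
        problems.append("archive type %r is not a configuration backup" % archive_type)

    # Same release only: an archive from a previous release cannot be restored.
    archive_release = manifest.get("release")
    if archive_release != local_release:
        problems.append("archive release %s differs from this system's release %s"
                        % (archive_release, local_release))

    # The IP address in the archive must match the restoring system. Parse both
    # sides so differently written but equal addresses compare by value, and
    # treat a missing or unparsable address as a mismatch rather than crashing.
    try:
        same_ip = ipaddress.ip_address(str(manifest.get("console_ip"))) == ipaddress.ip_address(local_ip)
    except ValueError:
        same_ip = False
    if not same_ip:
        problems.append("archive IP %s does not match this system's IP %s"
                        % (manifest.get("console_ip"), local_ip))

    # The repository path must exist on the host before a backup or restore runs.
    if not os.path.isdir(repository_path):
        problems.append("backup repository path %s does not exist" % repository_path)
    return problems
```

Run the check on the Console before clicking Restore; every entry in the returned list is a condition the document says will make the restore fail or that it excludes from Console restores.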
To restore your configuration information using a backup archive:
Note: If the deployment you are restoring includes non-Console systems, make sure you re-add the managed hosts to your deployment and deploy all changes before you initiate the restore process.
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Backup Recovery icon. The Backup Archives window appears.
Step 3 Select the archive you want to restore.
Step 4 Click Restore.
The Restore a Backup window appears.
Step 5 To restore specific items in the archive:
a Clear the All Items check box.
b The list of archived items appears.
c Select the check box for each item you want to restore.
Step 6 Click Restore.
A confirmation window appears.
Step 7 Click Ok.
The restore process begins. This process may take an extended period of time.
Step 8 From the Administration Console menu, select Configurations > Deploy All.
Note: The restore process only restores your configuration information. For assistance in restoring your data, contact Juniper Networks Customer Support.
USING THE DEPLOYMENT EDITOR
The deployment editor allows you to manage the individual components of your STRM and SIM deployment. Once you configure your Flow, Event, and System Views, you can access and configure the individual components of each managed host.
Note: The Deployment Editor requires a Java Runtime Environment. Download JRE 5.0 at www.java.sun.com. Also, if you are using the Firefox browser, you must configure your browser to accept Java Network Launch Protocol (JNLP) files.
Caution: Many third-party web browsers that use the Internet Explorer engine, such as Maxthon or MyIE, install components that may be incompatible with the STRM Administration Console. You must disable any such third-party web browsers installed on your system. For further assistance, please contact customer support.
If you want to access the STRM Administration Console from behind a proxy server or firewall, you must configure the appropriate proxy settings on your desktop. This allows the software to detect the proxy settings from your browser automatically. To configure the proxy settings, open the Java configuration located in your Control Panel and configure the IP address of your proxy server. For more information on configuring proxy settings, see your Microsoft documentation.
This chapter provides information on managing your views, including:
• About the Deployment Editor
• Editing Deployment Editor Preferences
• Building Your Flow View
• Building Your Event View
• Managing Your System View
• Configuring STRM Components
About the Deployment Editor
You can access the deployment editor using the STRM Administration Console. You can use the deployment editor to create your deployment, assign connections, and configure each component.
The deployment editor provides the following views of your deployment:
• Flow View - Allows you to create a view that outlines how flows are processed in your deployment by allocating and connecting flow-based components, for example, connecting a Flow Collector to a Flow Processor.
• System View - Allows you to assign software components, such as a Flow Collector, to systems (managed hosts) in your deployment. The System View includes all managed hosts in your deployment. A managed host is a system in your deployment that has STRM software installed. By default, the System View also includes the Host Context component, which monitors all STRM components to ensure that each component is operating as expected.
• Event View - Allows you to create a view for your SIM components including Event Processor, Event Collector, and Magistrate components.
Each view is divided into two panels.
In the Flow View, the left panel provides a list of components that you can add to your view and the right panel provides the existing view of your deployment.
In the Event View, the left panel provides a list of SIM components you can add to the view and the right panel provides an existing view of your SIM deployment.
In the System View, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change. For example, if you remove a managed host, a message appears indicating that the components assigned to that host must be re-assigned to another host. Also, if you add a managed host to your deployment, the deployment editor displays a message indicating that the managed host has been added.
Accessing the Deployment Editor
In the Administration Console, click the deployment editor icon. The deployment editor appears. Once you update your configuration settings using the deployment editor, you must save those changes to the staging area. You must then either manually deploy all changes using the Administration Console Deploy menu option or, upon exiting the Administration Console, accept the prompt to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.
Using the Editor
The deployment editor provides you with several menu and toolbar options when configuring your views, including:
• Menu Options
• Toolbar Options
Menu OptionsThe menu options that appear depend on the selected component in your view. Table 7-1 provides a list of the menu options and the component for which they appear.
Table 7-1 Deployment Editor Menu Options
File menu:
• Save to staging - Saves the deployment to the staging area.
• Save and close - Saves the deployment to the staging area and closes the deployment editor.
• Open staged deployment - Opens a deployment that was previously saved to the staging area.
• Open production deployment - Opens a deployment that was previously saved.
• Close current deployment - Closes the current deployment.
• Revert - Reverts the current deployment to the previously saved deployment.
• Edit Preferences - Opens the preferences window.
• Close editor - Closes the deployment editor.
Edit menu:
• Delete - Deletes a component, host, or connection.
Actions menu:
• Add a managed host - Opens the Add a Managed Host wizard.
• Manage NATed Networks - Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.
• Rename component - Renames an existing component. This option is only available when a component is selected.
• Configure - Configures STRM components. This option is only available when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, Magistrate, or Update Daemon is selected.
• Assign - Assigns a component to a managed host. This option is only available when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, Magistrate, or Update Daemon is selected.
• Unassign - Unassigns a component from a managed host. This option is only available when the selected component has a managed host running a compatible version of STRM software, and only when a Flow Collector, Flow Processor, Classification Engine, Event Collector, Event Processor, or Update Daemon is selected.
Help menu:
• Help and Support - Opens user documentation.
Toolbar Options
The toolbar options include:
Table 7-2 Toolbar Options
Icon Description
• Saves the deployment to the staging area and closes the deployment editor.
• Opens the current production deployment.
• Opens a deployment that was previously saved to the staging area.
• Discards recent changes and reloads the last saved model.
• Deletes the selected item from the deployment view. This option is only available when the selected component has a managed host running a compatible version of STRM software.
• Opens the Add a Managed Host wizard, which allows you to add a managed host to your deployment.
• Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.
• Resets the zoom to the default.
• Zooms in.
• Zooms out.
Creating Your Deployment
To create your deployment, you must:
Step 1 Build your Flow View. See Building Your Flow View.
Step 2 Build your System View. See Managing Your System View.
Step 3 Configure added components. See Configuring STRM Components.
Step 4 Build your Event View. See Building Your Event View.
Step 5 Configure SIM components. See Configuring STRM Components.
Step 6 Stage the deployment. From the deployment editor menu, select File > Save to Staging.
Step 7 Deploy all configuration changes. From the Administration Console menu, select Configurations > Deploy All. For more information on the Administration Console, see Chapter 8 Overview.
Before you Begin
Before you begin, you must:
• Install all necessary hardware and STRM software.
• Install the Java Runtime Environment. You can download Java version 1.5.0_12 at the following web site: http://java.com/en/download/index.jsp
• If you are using the Firefox browser, you must configure your browser to accept Java Network Language Protocol (JNLP) files.
• Plan your STRM deployment, including the IP addresses and login information for all devices in your STRM deployment.
STRM Administration Guide
68 USING THE DEPLOYMENT EDITOR
Note: If you require assistance with the above, please contact Juniper Networks Customer Support.
Editing Deployment Editor Preferences
To edit the deployment editor preferences:
Step 1 From the deployment editor main menu, select File > Edit Preferences.
The Deployment Editor Setting window appears.
Step 2 Enter values for the following parameters:
• Presence Poll Frequency - Specify how often, in milliseconds, the managed host monitors your deployment for updates, for example, a new or updated managed host.
• Zoom Increment - Specify the increment value used when the zoom option is selected. For example, 0.1 indicates 10%.
Step 3 Close the window.
The Deployment Editor appears.
Building Your Flow View
The Flow View allows you to create and manage the flow-based software components of your STRM deployment, for example, a Flow Collector or Flow Processor. If you are using a STRM appliance, a default Flow View appears with the appropriate components. You can edit or update the view, as necessary.
To build your Flow View, you must:
Step 1 Add STRM components to your view. See Adding STRM Components.
Step 2 Connect the added components. See Connecting Components.
Step 3 Connect the deployments, if necessary. See Connecting Deployments.
Step 4 Rename the components so each component has a unique name. See Renaming Components.
Once you have completed building your Flow View, you can use the Event View to manage your SIM components. See Building Your Event View.
Adding STRM Components
You can add the following STRM components to your Flow View:
• Flow Collector - Collects data from devices and various live and recorded feeds.
• Flow Processor - Collects and consolidates data from one or more Flow Collector(s).
• Classification Engine - Receives input from one or more Flow Processor(s) as well as classifies and accumulates statistical data on flows.
• Update Daemon - Stores TopN and database data once the Classification Engine has processed the flows for an interval.
• Flow Writer - Stores the flow and asset profile data once the Classification Engine has processed the flows for an interval.
Note: The procedures in this section describe adding STRM components using the Flow View. You can also add components using the System View. For information on the System View, see Managing Your System View.
To add STRM components to your Flow View:
Step 1 In the deployment editor, click the Flow View tab. The Flow View appears.
Step 2 In the Flow Components panel, select a component you want to add to your deployment.
The Adding a New Component Wizard appears.
Step 3 Enter a unique name for the component you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Make sure you record the assigned name and click Next.
Note: If the message “There are no hosts to which you can assign this component.” appears, your deployment does not include hosts with the capabilities to support the selected component, or the host already has a full complement of components installed.
The Assign Component window appears.
Step 4 From the Select a host drop-down list box, select the managed host to which you want to assign the new component. Click Next. The component ready to be added window appears.
Step 5 Click Finish.
The component appears in your Flow View.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the menu, select File > Save to staging.
Connecting Components
Once you add all the necessary components in your Flow View, you must connect them together. The Flow View only allows you to connect appropriate components together. For example, you can connect a Flow Processor to a Flow Collector and not an Update Daemon.
To connect components:
Step 1 In the Flow View, select the component for which you want to establish a connection.
Step 2 From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Actions menu item.
An arrow appears in your map.
Step 3 Drag the end of the arrow to the component on which you want to establish a connection. You can only connect appropriate components, for example, you can connect a Classification Engine to an Update Daemon. Table 7-3 provides a list of components you are able to connect.
The arrow connects the two components.
Step 4 Repeat for all remaining components in your deployment that you want to establish a connection.
Step 5 From the menu, select File > Save to Staging.
Table 7-3 Component Connections
You can connect a... To
• Flow Collector - Flow Processor
• Flow Processor - Flow Processor, Classification Engine, Off-site Target, Off-site Source
• Classification Engine - Update Daemon, Flow Writer (multiple Classification Engines may be connected to a single Flow Writer)
Connecting Deployments
You can connect deployments in your network to allow deployments to share flow data. To connect your deployments, you must configure an off-site Flow Processor (target) in your current deployment and the associated off-site Flow Processor in the receiving deployment (source). You can add the following components to your Flow View:
• Off-site Source - Indicates an off-site Flow Processor from which you want to receive data. The source must be configured with appropriate permissions to send flows to the off-site target.
• Off-site Target - Indicates an off-site Flow Processor to which you want to send data.
Note: The procedures in this section describe adding flow sources using the Flow View. You can also add sources using the System View. For information on the System View, see Managing Your System View.
Figure 7-1 shows an example of connecting two deployments, A and B. In this example, deployment B wants to receive flows from deployment A. To connect these deployments, you must configure deployment A with an off-site target that provides the IP address of the managed host that includes Flow Processor B. You must then connect Flow Processor A to the off-site target. In deployment B, you must configure an off-site source with the IP address of the managed host that includes Flow Processor A and the port that Flow Processor A is monitoring.
If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source.
If you want to enable encryption between deployments, you must enable encryption on both the off-site source and the off-site target. Also, you must ensure both the off-site source and target include the public keys required for access. For example, in Figure 7-1, if you want to enable encryption between the off-site source and Flow Processor B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the Flow Processor to the off-site source (copy the file to /root/.ssh/authorized_keys).
Note: To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.
Figure 7-1 Example of Connecting Deployments
To connect your deployments:
Step 1 In the deployment editor, click the Flow View tab. The Flow View appears.
Step 2 In the Flow Components panel, select either Add Off-site Source or Add Off-site Target. The Adding a New Component Wizard appears.
Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The flow source/target information window appears.
Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host. The name can be up to 15 characters in length and may include underscores or hyphens.
• Enter the IP address of the server - Specify the IP address of the managed host to which you want to connect.
• Enter port of managed host - Specify the off-site managed host port number.
• Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target. For more information regarding encryption, see Managing Your System View.
Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.
Note: If you update your Flow Processor configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.
Renaming Components
You may want to rename a component in your view to uniquely identify components throughout your deployment.
To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename component.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Rename component window appears.
Step 3 Enter a new name for the component. The name must be alphanumeric with no special characters.
Step 4 Click Ok.
Building Your Event View
The Event View allows you to create and manage the SIM components for your deployment, including:
• Event Collector - Collects security events from various types of security devices in your network. The Event Collector gathers events from local, remote, and device sources. The Event Collector then normalizes the events and sends the information to the Event Processor. The Event Collector also bundles all virtually identical events to conserve system usage.
• Event Processor - An Event Processor processes flows collected from one or more Event Collector(s). The events are bundled once again to conserve network usage. Once received, the Event Processor correlates the information from STRM and distributes it to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events, which allow the Event Processor to process them according to the configured rules. Once complete, the Event Processor sends the events to the Magistrate. You must connect the Event Processor to a Classification Engine or another Event Processor in your deployment. The Classification Engine is responsible for sending the latest event information to the Event Processor. See Figure 7-2 for an example.
• Magistrate - The Magistrate component provides the core processing components of SIM. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events. The Magistrate processes the event against the defined custom rules to create an offense. If no custom rules exist, the Magistrate uses the default rules to process the event. An offense is an event that has been processed through STRM using multiple inputs, individual events, and events combined with analyzed behavior and vulnerabilities. Magistrate prioritizes the offenses and assigns a magnitude value based on several factors, including number of events, severity, relevance, and credibility.
Once processed, Magistrate also produces a list for each attacker, which provides you with a list of attackers for each event. Once the Magistrate establishes the magnitude for an event, the Magistrate provides multiple options for resolution.
By default, the Event View includes a Magistrate component. Figure 7-2 shows an example of STRM deployment that includes the SIM components. The example shows that the Event Processor is connected to the Classification Engine, which allows for the exchange of flow information.
Figure 7-2 Example of SIM Components in your STRM Deployment
To build your Event View, you must:
Step 1 Add SIM components to your view. See Adding Components.
Step 2 Connect the components. See Connecting Components.
Step 3 Forward normalized events. See Forwarding Normalized Events.
Step 4 Rename the components so each component has a unique name. See Renaming Components.
Adding Components
To add components to your Event View:
Step 1 In the deployment editor, click the Event View tab. The Event View appears.
Step 2 In the Event Tools panel, select a component you want to add to your deployment.
The Adding a New Component Wizard appears.
Step 3 Enter a unique name for the component you want to add. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The Assign Component window appears.
Step 4 From the Select a host to assign to list box, select a managed host to which you want to assign the new component. Click Next.
Step 5 Click Finish.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the main menu, select File > Save to staging.
Connecting Components
Once you add all the necessary components in your Event View, you must connect them together. The Event View only allows you to connect appropriate components together. For example, you can connect an Event Collector to an Event Processor and not a Magistrate component.
To connect components:
Step 1 In the Event View, select the component for which you want to establish a connection.
Step 2 From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Action menu item.
An arrow appears in your map.
Step 3 Drag the end of the arrow to the component on which you want to establish a connection. You can only connect appropriate components, for example, you can connect an Event Collector to an Event Processor. Table 7-4 provides a list of components you are able to connect.
The arrow connects the two components.
Step 4 Repeat for all remaining components that you want to establish a connection.
ForwardingNormalized Events
To forward normalized events, you must configure an off-site Event Collector (target) in your current deployment and the associated off-site Event Collector in the receiving deployment (source).
You can add the following components to your Event View:
• Off-site Source - Indicates an off-site Event Collector from which you want to receive data. The source must be configured with appropriate permissions to send events to the off-site target.
• Off-site Target - Indicates an off-site Event Collector to which you want to send data.
For example, if you want to forward normalized events between two deployments (A and B), where deployment B wants to receive events from deployment A you must configure deployment A with an off-site target to provide the IP address of the managed host that includes Event Collector B. You must then connect Event Collector A to the off-site target. In deployment B, you must configure an off-site source with the IP address of the managed host that includes Event Collector A and the port to which Event Collector A is monitoring.
Table 7-4 Component Connections
You can connect a... To
• Event Processor - Magistrate
• Event Collector - Event Processor
If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source.
If you want to enable encryption between deployments, you must enable encryption on both the off-site source and the off-site target. Also, you must ensure both the off-site source and target include the public keys required for access. For example, in Figure 7-3, if you want to enable encryption between the off-site source and Event Collector B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the Event Collector to the off-site source (copy the file to /root/.ssh/authorized_keys).
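The key-copy step above (and the same step for Flow Processors under Connecting Deployments) copies id_rsa.pub into the off-site source's authorized_keys. As an added example that is not part of this guide, the POSIX shell function below installs the peer key by appending it only when it is not already present, so keys already authorized on that host are kept, and sets the file modes sshd requires; the paths are parameters and the key used in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the STRM guide): authorize a peer host's SSH public
# key on this host without overwriting keys that are already authorized, and
# set the permissions sshd requires. A plain copy of id_rsa.pub over
# authorized_keys would replace any keys already in that file. File paths are
# parameters so the function can be exercised against a temporary directory.

# install_peer_key <pubkey-file> <authorized_keys-file>
# Returns 0 when the key is present afterwards (added or already there),
# 1 when the public key file is missing or is not a usable key line.
install_peer_key() {
    pubkey="$1"
    authkeys="$2"

    [ -r "$pubkey" ] || return 1
    # A public key file is one line: <type> <base64 blob> [comment]
    keyline=$(head -n 1 "$pubkey")
    keytype=$(printf '%s\n' "$keyline" | awk '{print $1}')
    keyblob=$(printf '%s\n' "$keyline" | awk '{print $2}')
    case "$keytype" in
        ssh-rsa|ssh-dss) ;;          # key types accepted by OpenSSH of that era
        *) return 1 ;;
    esac
    [ -n "$keyblob" ] || return 1

    keydir=$(dirname "$authkeys")
    mkdir -p "$keydir"
    touch "$authkeys"

    # Match on the key material only, so a re-run with a different comment
    # does not add a duplicate line.
    if ! grep -qF -- "$keyblob" "$authkeys"; then
        printf '%s\n' "$keyline" >> "$authkeys"
    fi

    # sshd (StrictModes) refuses keys held in a group- or world-writable
    # file or directory, so fix the modes every time.
    chmod 700 "$keydir"
    chmod 600 "$authkeys"
    return 0
}

# count_authorized_keys <authorized_keys-file>: number of key lines in the file
count_authorized_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-rsa|ssh-dss) ' "$1" || true
}

# Stand-alone demonstration with a constructed key in a temporary directory.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAexampleKeyMaterialOnly== root@flowprocessor\n' \
    > "$demo_dir/id_rsa.pub"
install_peer_key "$demo_dir/id_rsa.pub" "$demo_dir/ssh/authorized_keys"
install_peer_key "$demo_dir/id_rsa.pub" "$demo_dir/ssh/authorized_keys"   # second run adds nothing
echo "authorized keys: $(count_authorized_keys "$demo_dir/ssh/authorized_keys")"   # 1
rm -rf "$demo_dir"
```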
Figure 7-3 Example of Connecting Deployments
To forward normalized events:
Step 1 In the deployment editor, click the Event View tab.
The Event View appears.
Step 2 In the Components panel, select either Add Off-site Source or Add Off-site Target. The Adding a New Component Wizard appears.
Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next. The event source/target information window appears.
Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host. The name can be up to 15 characters in length and may include underscores or hyphens.
• Enter the IP address of the server - Specify the IP address of the managed host to which you want to connect.
• Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target.
Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.
Note: If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.
Renaming Components
You may want to rename a component in your view to uniquely identify components throughout your deployment.
To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename Component.
Note: You can also use the right mouse button (right-click) to access the Action menu items.
The Rename component window appears.
Step 3 Enter a new name for the component. The name must be alphanumeric with no special characters.
Step 4 Click Ok.
Managing Your System View
The System View allows you to manage all managed hosts in your network. A managed host is a component in your network that includes STRM software. If you are using a STRM appliance, the components for that appliance model appear. If your STRM software is installed on your own hardware, the System View includes a Host Context component. The System View allows you to select which component(s) you want to run on each managed host.
Using the System View, you can:
• Set up managed hosts in your deployment. See Setting Up Managed Hosts.
• Use STRM with NATed networks in your deployment. See Using NAT with STRM.
• Update the managed host port configuration. See Configuring a Managed Host.
• Assign a component to a managed host. See Assigning a Component to a Host.
• Configure Host Context. See Configuring Host Context.
Setting Up Managed Hosts
Using the deployment editor you can manage all hosts in your deployment including:
• Add a managed host to your deployment. See Adding a Managed Host.
• Edit an existing managed host. See Editing a Managed Host.
• Remove a managed host. See Removing a Managed Host.
When adding a managed host, you can also enable encryption between managed hosts running at least STRM 5.1. The deployment editor determines the version of STRM software running on a managed host. You can only add a managed host to your deployment when the managed host is running a compatible version of STRM software. For more information, contact Juniper Networks Customer Support.
You also cannot assign or configure components on a non-Console managed host when its STRM software version is incompatible with the software version that the Console is running. If a managed host has previously assigned components and is running an incompatible software version, you can still view the components; however, you are not able to update or delete them.
Note: To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.
Encryption provides greater security for all STRM traffic between managed hosts. To provide enhanced security, STRM also provides integrated support for OpenSSH and AttachmateWRQ® Reflection SSH software. Reflection SSH software provides a FIPS 140-2 certified encryption solution. When integrated with STRM, Reflection SSH provides secure communication between STRM components. For information on Reflection SSH, see the following web site:
www.wrq.com/products/reflection/ssh
Note: You must have Reflection SSH installed on each managed host you want to encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other SSH software, such as OpenSSH.
Since encryption occurs between managed hosts in your deployment, your deployment must consist of more than one managed host before encryption is possible. Encryption is enabled using SSH tunnels (port forwarding) initiated from the client. A client is the system that initiates a connection in a client/server relationship. When encryption is enabled for a managed host, encryption tunnels are created for all client applications on a managed host to provide protected access to the respective servers. If you enable encryption on a non-Console managed host, encryption tunnels are automatically created for databases and other support service connections to the Console.
Figure 7-4 shows the flow of traffic within a STRM deployment, including flows, flow context, and event traffic. The figure also displays the client/server relationships within the deployment. When enabling encryption on a managed host, the encryption SSH tunnel is created on the client’s host. For example, if you enable encryption for the Event Collector in the deployment shown in Figure 7-4, the connection between the Event Processor and Classification Engine as well as the connection between the Event Processor and Magistrate would be encrypted. The figure also displays the client/server relationship between the Console and the Ariel database. When you enable encryption on the Console, an encryption tunnel is used when performing event searches through the Offense Manager.
Note: Enabling encryption reduces the performance of a managed host by at least 50%.
Figure 7-4 Encryption Tunnels
Adding a Managed Host
To add a managed host:
Note: Before you add a managed host, make sure the managed host includes STRM software.
Step 1 From the menu, select Actions > Add a managed host.
The Add new host wizard appears.
Step 2 Click Next. The Enter the host’s IP window appears.
Step 3 Enter values for the parameters:
• Enter the IP of the server or appliance to add - Specify the IP address of the host you want to add to your System View.
• Enter the root password of the host - Specify the root password for the host.
• Confirm the root password of the host - Specify the password again, for confirmation.
• Host is NATed - Select the check box if you want to use an existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.
Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.
• Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 4. Otherwise, go to Step 5.
Step 4 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with STRM.
Step 5 Click Next.
Step 6 Click Finish.
Note: If your deployment includes undeployed changes, a window appears enabling you to deploy all changes.
The System View appears with the host in the Managed Hosts panel.
Editing a Managed Host
To edit an existing managed host:
Step 1 Click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and select Edit Managed Host. The Edit a managed host wizard appears.
Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.
Step 3 Click Next. The attributes window appears.
Step 4 Edit the following values, as necessary:
• Host is NATed - Select the check box if you want to use existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM.
Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM.
• Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least STRM 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 5. Otherwise, go to Step 6.
Step 5 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with STRM.
Step 6 Click Next.
Step 7 Click Finish.
The System View appears with the updated host in the Managed Hosts panel.
Removing a Managed Host
You can only remove non-Console managed hosts from your deployment. You cannot remove a managed host that is hosting the STRM Console.
To remove a managed host:
Step 1 Click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to delete and select Remove host.
Note: This option is only available when the selected component has a managed host running a compatible version of STRM software.
A confirmation window appears.
Step 3 Click Ok.
Step 4 From the Administration Console menu, select Configurations > Deploy All.
Using NAT with STRM
Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. NAT provides increased security for your deployment, since requests are managed through the translation process, which essentially hides internal IP addresses.
Before you enable NAT for a STRM managed host, you must set up your NATed networks using static NAT translation. This ensures communication between managed hosts that exist within different NATed networks. For example, in Figure 7-5 the QFlow 1101 in Network 1 has an internal IP address of 10.100.100.0. When the QFlow 1101 wants to communicate with the Event Collector in Network 2, the NAT router translates the IP address to 192.15.2.1.
Figure 7-5 Using NAT with STRM
Note: Your static NATed networks must be set up and configured on your network before you enable NAT using STRM. For more information, see your network administrator.
You can add a non-NATed managed host using inbound NAT for the public IP address and dynamic for outbound NAT but are located on the same switch as the Console or managed host. However, you must configure the managed host to use the same IP address for the public and private IP addresses.
When adding or editing a managed host, you can enable NAT for that managed host. You can also use the deployment editor to manage your NATed networks including: • Adding a NATed Network to STRM
• Editing a NATed Network
• Deleting a NATed Network From STRM• Changing the NAT Status for a Managed Host
[Figure 7-5 (diagram not reproduced): Network 1 contains the Classification Engine, Update Daemon, QFlow 1101, and Magistrate; Network 2 contains two Event Collectors; the two networks are joined by a NAT Router at 192.15.2.1.]
Adding a NATed Network to STRM
To add a NATed network to your STRM deployment:
Step 1 In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Managed NATed Networks menu option to access the Managed NATed Networks window.
The Manage NATed Networks window appears.
Step 2 Click Add.
The Add New NATed Network window appears.
Step 3 Enter the name of the network you want to use for NAT.
Step 4 Click Ok.
The Manage NATed Networks window appears.
Step 5 Click Ok.
A confirmation window appears.
Step 6 Click Yes.
Editing a NATed Network
To edit a NATed network:
Step 1 In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Managed NATed Networks menu option to access the Managed NATed Networks window.
The Manage NATed Networks window appears.
Step 2 Select the NATed network you want to edit and click Edit.
The Edit NATed Network window appears.
Step 3 Update the name of the network you want to use for NAT.
Step 4 Click Ok.
The Manage NATed Networks window appears.
Step 5 Click Ok.
A confirmation window appears.
Step 6 Click Yes.
Deleting a NATed Network From STRM
To delete a NATed network from your deployment:
Step 1 In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Managed NATed Networks menu option to access the Managed NATed Networks window.
The Manage NATed Networks window appears.
Step 2 Select the NATed network you want to delete.
Step 3 Click Delete.
A confirmation window appears.
Step 4 Click Ok.
Step 5 Click Yes.
Changing the NAT Status for a Managed Host
To change the NAT status for a managed host, make sure you update the managed host configuration within STRM before you update the device. This prevents the host from becoming unreachable and allows you to deploy changes to that host.
To change the status of NAT (enable or disable) for an existing managed host:
Step 1 In the deployment editor, click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and select Edit Managed Host.
The Edit a managed host wizard appears.
Step 3 Click Next.
The networking and tunneling attributes window appears.
Step 4 Choose one of the following:
a If you want to enable NAT for the managed host, select the check box. Go to Step 5.
Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation.
b If you want to disable NAT for the managed host, clear the check box. Go to Step 6.
Step 5 To select a NATed network, enter values for the following parameters:
• Change public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you want this managed host to use.
• Manage NATs List - Update the NATed network configuration. For more information, see Using NAT with STRM.
Step 6 Click Next.
Step 7 Click Finish.
The System View appears with the updated host in the Managed Hosts panel.
Note: Once you change the NAT status for an existing managed host, error messages may appear. Ignore all error messages.
Step 8 Update the configuration for the device (firewall) with which the managed host is communicating.
Step 9 From the STRM Administration Console menu, select Configurations > Deploy All.
Configuring a Managed Host
To configure a managed host:
Step 1 From the System View, use the right mouse button (right-click) on the managed host you want to configure and select Configure.
The Configure host window appears.
Step 2 Enter values for the parameters:
• Minimum port allowed - Specify the minimum port for which you want to establish communications.
• Maximum port allowed - Specify the maximum port for which you want to establish communications.
• Ports to exclude - Specify the ports you want to exclude from communications. You can enter multiple ports you want to exclude. Separate multiple ports using a comma.
Step 3 Click Save.
Assigning a Component to a Host
You can assign the STRM components added in the Flow or Event Views to the managed hosts in your deployment. This section describes assigning a component to a host using the System View; however, you can also assign components to a host in the Flow or Event Views.
To assign a host:
Step 1 Click the System View tab.
Step 2 From the Managed Host list, select the managed host to which you want to assign a STRM component.
The System View of the host appears.
Step 3 Select the component you want to assign to a managed host.
Step 4 From the menu, select Actions > Assign.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Assign Component wizard appears.
Step 5 From the Select a host drop-down list box, select the host that you want to assign to this component. Click Next.
Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM software.
Step 6 Click Finish.
Configuring Host Context
The Host Context component monitors all STRM components to make sure that each component is operating as expected.
To configure Host Context:
Step 1 In the Deployment Editor, click the System View tab.
The System View appears.
Step 2 Select the Managed Host that includes the Host Context you want to configure.
Step 3 Select the Host Context component.
Step 4 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu item.
The Host Context Configuration window appears.
Step 5 Enter values for the parameters:
Table 7-5 Host Context Parameters
Parameter - Description
Disk Usage Sentinel Settings
Warning Threshold - When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage. The default is 0.75; therefore, when disk usage exceeds 75%, an e-mail is sent indicating that disk usage is exceeding 75%. If disk usage continues to increase above the configured threshold, a new e-mail is sent after every 5% increase in usage. By default, Host Context monitors the following partitions for disk usage:
• /
• /store
• /store/tmp
Specify the desired warning threshold for disk usage.
Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, which is configured in the System Settings. For more information, see Chapter 3 Setting Up STRM.
Shutdown Threshold - When the system exceeds the shutdown threshold, all STRM processes are stopped. An e-mail is sent to the administrator indicating the current state of the system. The default is 0.95; therefore, when disk usage exceeds 95%, all STRM processes stop. Specify the shutdown threshold.
Recovery Threshold - Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM processes are restarted. The default is 0.90; therefore, processes are not restarted until disk usage is below 90%. Specify the recovery threshold.
Inspection Interval - Specify the frequency, in milliseconds, at which you want disk usage to be determined.
SAR Sentinel Settings
Inspection Interval - Specify the frequency, in milliseconds, at which you want SAR output to be inspected. The default is 300,000 ms.
Alert Interval - Specify the frequency, in milliseconds, at which you want to be notified that the thresholds have been exceeded. The default is 7,200,000 ms.
Time Resolution - Specify the time, in seconds, that you want the SAR inspection to be engaged. The default is 60 seconds.
Log Monitor Settings
Inspection Interval - Specify the frequency, in milliseconds, at which you want the log files to be monitored. The default is 60,000 ms.
Monitored SYSLOG File Name - Specify a filename for the SYSLOG file. The default is /var/log/STRM.error.
Alert Size - Specify the maximum number of lines you want to monitor from the log file. The default is 1000.
Step 6 Click Save.
The System View appears.
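The three disk usage thresholds in Table 7-5 form a hysteresis loop: warn above the warning threshold (and again after every further 5% step), stop processes above the shutdown threshold, and only restart once usage has dropped below the lower recovery threshold, so a disk hovering around 95% does not flap between stopped and running. The following sentinel is an added illustration of that logic, not STRM's Host Context code; the class name, the sample readings and the notification strings are constructed for the example.

```python
"""Disk-usage sentinel with the threshold semantics of Table 7-5 (constructed
example, not STRM code): warn above the warning threshold, re-warn after each
further 5% step, stop processes above the shutdown threshold and restart them
only once usage has fallen below the recovery threshold (hysteresis)."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DiskSentinel:
    # Defaults mirror Table 7-5: 0.75 warn, 0.95 shutdown, 0.90 recovery.
    warning: float = 0.75
    shutdown: float = 0.95
    recovery: float = 0.90
    rewarn_step: float = 0.05          # a new e-mail after every further 5%
    processes_stopped: bool = False
    last_warned_at: Optional[float] = None   # usage level of the last warning

    def __post_init__(self) -> None:
        # A recovery level at or above shutdown would restart processes while
        # the disk is still critically full, so reject inconsistent thresholds.
        if not (0 < self.warning < self.recovery < self.shutdown <= 1):
            raise ValueError("require 0 < warning < recovery < shutdown <= 1")

    def observe(self, usage: float) -> List[str]:
        """Evaluate one inspection sample (usage as a fraction 0..1) and
        return the notifications/actions it triggers."""
        actions: List[str] = []

        # Shutdown has priority over everything else.
        if usage > self.shutdown and not self.processes_stopped:
            self.processes_stopped = True
            actions.append(f"shutdown: usage {usage:.0%} > {self.shutdown:.0%}, stopping STRM processes")
            return actions

        if self.processes_stopped:
            # Stay stopped until usage drops below the (lower) recovery level.
            if usage < self.recovery:
                self.processes_stopped = False
                self.last_warned_at = None
                actions.append(f"recovered: usage {usage:.0%} < {self.recovery:.0%}, restarting STRM processes")
            return actions

        if usage > self.warning:
            # First warning, or another 5% step above the last warning level.
            if self.last_warned_at is None or usage >= self.last_warned_at + self.rewarn_step:
                self.last_warned_at = usage
                actions.append(f"warning: usage {usage:.0%} exceeds {self.warning:.0%}")
        else:
            # Back under the warning threshold: arm the warning e-mail again.
            self.last_warned_at = None
        return actions


def run_samples(samples: List[float]) -> List[str]:
    """Feed a sequence of inspection samples and collect every action taken."""
    sentinel = DiskSentinel()
    log: List[str] = []
    for usage in samples:
        log.extend(sentinel.observe(usage))
    return log


if __name__ == "__main__":
    # Constructed readings: climb past warn, past shutdown, then drain.
    for line in run_samples([0.70, 0.76, 0.78, 0.82, 0.96, 0.93, 0.89, 0.80]):
        print(line)
```

Note that the sample at 93% produces no action: it is below the shutdown threshold but still above the recovery threshold, which is exactly the band the recovery setting exists for.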
Configuring STRM Components
This section provides information on configuring STRM components and includes:
• Configuring a Flow Collector
• Configuring a Flow Processor
• Configuring a Classification Engine
• Configuring an Update Daemon
• Configuring a Flow Writer
• Configuring an Event Collector
• Configuring an Event Processor
• Configuring the Magistrate
Configuring a Flow Collector
The Flow Collector collects data from devices and various live and recorded feeds, such as network taps, span/mirror ports, NetFlow, and STRM flow logs. The Flow Collector then groups related individual packets into a flow. A flow starts when the Flow Collector detects the first packet with a unique source IP address, destination IP address, source port, and destination port, as well as other specific protocol options, which may determine the start of a communication. Each additional packet is evaluated and its byte and packet counts are added to the statistical counters in the flow record. At the end of an interval, a status record of the flow is sent to a Flow Processor and the statistical counters for the flow are reset. A flow ends when no activity for the flow is seen within the configured period of time.
Flow reporting generates records of all the active or expired flows during a specified period of time. STRM defines these flows as a communication session between two pairs of unique IP address/ports that use the same protocol. If the protocol does not support port-based connections, STRM combines all packets between the two hosts into a single flow record. However, a Flow Collector does not record flows until a connection is made to another STRM component and data is retrieved.
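The flow lifecycle described above (first packet on a new address/port pair starts a flow, counters accumulate per direction, a status record is emitted and counters reset at each interval boundary, and an idle flow expires) can be shown with a small in-memory collector. This is an added example, not STRM's QFlow implementation: the `Packet` and `Flow` types, the 60-second interval, the 120-second idle timeout and the sample packets are all constructed for it, and it keys a flow on the unordered endpoint pair so both directions land in one record.

```python
"""Toy flow collector (constructed example, not STRM's QFlow code): packets are
keyed on the unordered (ip, port) pair plus protocol, bytes/packets accumulate
per direction relative to the initiator, a status record is emitted at each
interval boundary and counters reset, and idle flows expire."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]                     # (ip, port)
FlowKey = Tuple[Endpoint, Endpoint, str]       # (lower endpoint, upper endpoint, proto)


@dataclass
class Packet:
    ts: float     # seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    size: int     # bytes on the wire


@dataclass
class Flow:
    key: FlowKey
    initiator: Endpoint      # endpoint that sent the first packet
    first_seen: float
    last_seen: float
    src_bytes: int = 0       # initiator -> responder
    src_packets: int = 0
    dst_bytes: int = 0       # responder -> initiator
    dst_packets: int = 0


class FlowCollector:
    def __init__(self, interval: float = 60.0, idle_timeout: float = 120.0):
        self.interval = interval
        self.idle_timeout = idle_timeout
        self.active: Dict[FlowKey, Flow] = {}
        self.records: List[dict] = []
        self.interval_end = interval   # time at which the current interval closes

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b), p.proto)   # same key for both directions

    def accept(self, p: Packet) -> None:
        """Account one packet, closing any interval that ended before it."""
        self._roll_interval(p.ts)
        key = self._key(p)
        flow = self.active.get(key)
        if flow is None:
            # First packet of a new address/port pair starts the flow.
            flow = Flow(key=key, initiator=(p.src, p.sport), first_seen=p.ts, last_seen=p.ts)
            self.active[key] = flow
        if (p.src, p.sport) == flow.initiator:
            flow.src_bytes += p.size
            flow.src_packets += 1
        else:
            flow.dst_bytes += p.size
            flow.dst_packets += 1
        flow.last_seen = p.ts

    def _roll_interval(self, now: float) -> None:
        # At each boundary: emit a status record for every flow that saw
        # traffic, reset its counters, and expire flows idle for the timeout.
        while now >= self.interval_end:
            for key, flow in list(self.active.items()):
                if flow.src_packets + flow.dst_packets > 0:
                    self.records.append({
                        "interval_end": self.interval_end, "key": key, "initiator": flow.initiator,
                        "src_bytes": flow.src_bytes, "src_packets": flow.src_packets,
                        "dst_bytes": flow.dst_bytes, "dst_packets": flow.dst_packets,
                    })
                    flow.src_bytes = flow.src_packets = flow.dst_bytes = flow.dst_packets = 0
                if self.interval_end - flow.last_seen >= self.idle_timeout:
                    del self.active[key]
            self.interval_end += self.interval

    def flush(self, now: float) -> List[dict]:
        """Close out every interval up to `now` and return all records so far."""
        self._roll_interval(now)
        return self.records


def demo() -> Tuple[List[dict], int]:
    """Constructed sample: a short HTTP exchange, then one late request packet."""
    fc = FlowCollector(interval=60.0, idle_timeout=120.0)
    for p in [Packet(1.0, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 100),
              Packet(2.0, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 200),
              Packet(5.0, "10.0.0.2", "10.0.0.1", 80, 40000, "tcp", 1500),
              Packet(65.0, "10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 50)]:
        fc.accept(p)
    records = fc.flush(300.0)
    return records, len(fc.active)
```

Running `demo()` yields two status records for the one flow (the first interval with 300 bytes out and 1,500 bytes back, the second with only the late 50-byte packet) and no active flows left, because nothing was seen for longer than the idle timeout.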
To configure a Flow Collector:
Step 1 In either the Flow or System View, select the Flow Collector you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The QFlow Configuration window appears.
Step 3 Enter values for the parameters:
Table 7-6 Flow Collector Parameters
Parameter - Description
Server Listen Port - The Flow Collector passes data to the next component in the process. Once the link is established, all collected data is passed for further processing. Specify the port that the Flow Collector monitors for incoming Flow Processor connections. The default range is from 32000 to 65535.
Flow Collector ID - In larger installations, several Flow Collectors can be installed throughout the deployment. As several Flow Collectors can function simultaneously, you must give each Flow Collector a unique name. You can use that name to determine where data is originating from in the Collector View, if configured. Specify the Flow Collector ID.
Maximum Content Capture - Flow Collectors capture a configurable number of bytes at the start of each flow. Transferring large amounts of content across the network may affect network and STRM performance. On managed hosts where the Flow Collectors are located on close high-speed links, you can increase the content capture length. Specify the capture length, in bytes, to attach to a flow. A value of 0 disables content capture. The default is 64 bytes.
Note: Increasing the content capture length increases disk storage requirements relative to the recommended disk allotment.
Alias Autodetection - Specify one of the following options:
• Yes - Allows the Flow Collector to detect external flow source aliases. When a Flow Collector receives traffic from a device with an IP address but no current alias, the Flow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the Flow Collector adds this information to the database and reports this information to all Flow Collectors in your deployment.
• No - Prevents the Flow Collector from detecting external flow source aliases.
For more information on flow sources, see Chapter 7 Managing Flow Sources.
Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.
Step 5 Enter values for the parameters, as necessary:
Table 7-7 Flow Collector Parameters
Parameter - Description
Maximum Data Capture/Packet - Specify the maximum number of bytes per packet you want the Flow Collector to capture.
Time Synchronization Server IP Address - Specify the IP address or hostname of the time server.
Time Synchronization Timeout Period - Specify the length of time you want the managed host to continue attempting to synchronize the time before timing out. The default is 15 minutes.
Endace DAG Interface Card Configuration - Specify the Endace Network Monitoring Interface card parameters. For more information, see the Technical support web site or contact Juniper Networks Customer Support.
Minimum Buffer Data - Specify the minimum amount of data, in bytes, that you want the Endace DAG Interface Card to receive before the captured data is returned to the Flow Collector process. For example, if this parameter is 0 and no data is available, the Endace DAG Interface Card allows non-blocking behavior.
Maximum Wait Time - Specify the maximum amount of time, in microseconds, that you want the Endace DAG Interface Card to wait for the minimum amount of data, as specified in the Minimum Buffer Data parameter.
Polling Interval - Specify the interval, in microseconds, that you want the Endace DAG Interface Card to wait before checking for additional data. A polling interval avoids excessive polling traffic to the card and therefore conserves bandwidth and processing time.
Flow Buffer Size - Specify the amount of memory, in MB, that you want to reserve for flow storage. The default is 400 MB.
Maximum Number of Flows - Specify the maximum number of flows you want to send from the Flow Collector to Flow Processors.
Remove duplicate flows - Enables or disables the ability to remove duplicate flows.
External Flow De-duplication method - Specify the method you want to use to remove duplicate external flow sources (de-duplication). Options include:
• Source - Compares originating flow sources. This method of removing duplicate external flows compares the IP address of the device that exported the current external flow record to the IP address of the device that exported the first external record of the particular flow. If the IP addresses do not match, the current external flow record is discarded.
• Record - Compares individual external flow records. This method of removing duplicate external flows logs a list of every external flow record detected by a particular device and compares each subsequent record to that list. If the current record is found in the list, that record is discarded.
External flow record comparison mask - This parameter is only valid if you configure the External Flow De-duplication method parameter to Record. Specify the external flow record fields you want to use to remove duplicate flows. Valid options include: D (Direction), B (ByteCount), or P (PacketCount). Possible combinations of the options include:
• DBP - Uses direction, byte count, and packet count when comparing flow records.
• XBP - Uses byte count and packet count when comparing flow records.
• DXP - Uses direction and packet count when comparing flow records.
• DBX - Uses direction and byte count when comparing flow records.
• DXX - Uses direction when comparing flow records.
• XBX - Uses byte count when comparing records.
• XXP - Uses packet count when comparing records.
Flow Carry-over Window - Specify the number of seconds before the end of an interval that you want one-sided flows to be held over until the next interval. This allows time for the inverse side of the flow to arrive before the flow is reported.
Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Flow Collectors in your deployment you want to configure.
Configuring a Flow Processor
A Flow Processor collects and consolidates data from one or more Flow Collectors. Flow Processors are located between the Classification Engine, Flow Collectors, and other Flow Processors. You can connect multiple Flow Processors in a series.
A Flow Processor removes duplicate flows and creates superflows (aggregate flows) before the flows reach the main Classification Engine. A superflow is multiple flows with the same properties combined into one flow, which details one-sided communications and security events, such as scanning and attacks, without losing the information stored in the thousands of individual flows created by an infected host or attacker. The superflow contains only the communications that received no response. Valid communications from the attacking or infected hosts are stored in the flow logs. Using superflows, STRM is able to scale to larger environments and manage large attacks without overloading.
Superflows can last long periods of time, just like normal flows. STRM manages superflows in the same manner as regular flows. Superflows are logged every interval and detail the state of the flow during that time period. You can also investigate flows using the Network Surveillance interface to further expand superflows into more traditional flows, which allows for flexible analysis.
Some normally occurring network communications generate flows for which there are no responses, such as web requests to a failed web server or to a host that is down. One-sided flows are generally not a high-risk threat and should not by themselves be bundled into superflows. For this reason, there is a configurable threshold for superflow generation, which a host has to breach before its flows are bundled into superflows.
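The two external flow de-duplication methods in Table 7-7 behave quite differently when several NetFlow exporters see the same traffic: "Source" keeps only the exporter that reported a flow first, while "Record" keeps a per-exporter history and drops exact repeats, where "exact" is defined by the D/B/P comparison mask. The code below is an added illustration of both methods and of the mask, not STRM's Flow Collector implementation; the record layout, the exporter names and the sample records are constructed for it.

```python
"""External flow de-duplication (constructed example, not STRM code) following
the two methods in Table 7-7: 'Source' keeps only records from the exporter
that first reported a flow; 'Record' keeps a per-exporter history of records
and drops any repeat, comparing only the fields selected by a D/B/P mask such
as DBP, XBP or DXX (X = ignore that position)."""

from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto


def parse_mask(mask: str) -> Tuple[bool, bool, bool]:
    """Turn e.g. 'XBP' into (use_direction, use_bytes, use_packets)."""
    mask = mask.upper()
    if len(mask) != 3 or mask[0] not in "DX" or mask[1] not in "BX" or mask[2] not in "PX":
        raise ValueError(f"invalid comparison mask {mask!r}; expected [D|X][B|X][P|X]")
    return (mask[0] == "D", mask[1] == "B", mask[2] == "P")


class SourceDedup:
    """Remember which exporter reported each flow first; discard all others."""

    def __init__(self) -> None:
        self.first_exporter: Dict[FlowKey, str] = {}

    def keep(self, exporter: str, rec: dict) -> bool:
        owner = self.first_exporter.setdefault(rec["key"], exporter)
        return owner == exporter


class RecordDedup:
    """Per-exporter history of (flow key + masked fields); discard repeats."""

    def __init__(self, mask: str = "DBP") -> None:
        self.use = parse_mask(mask)
        self.seen: Dict[str, Set[tuple]] = {}

    def _signature(self, rec: dict) -> tuple:
        values = (rec["direction"], rec["bytes"], rec["packets"])
        # Fields masked out with X become None so they can never differ.
        return (rec["key"],) + tuple(v if use else None for v, use in zip(values, self.use))

    def keep(self, exporter: str, rec: dict) -> bool:
        history = self.seen.setdefault(exporter, set())
        sig = self._signature(rec)
        if sig in history:
            return False
        history.add(sig)
        return True


def dedup(records: List[Tuple[str, dict]], method: str, mask: str = "DBP") -> List[Tuple[str, dict]]:
    """Apply the chosen method ('Source' or 'Record') to (exporter, record) pairs."""
    if method not in ("Source", "Record"):
        raise ValueError(f"unknown de-duplication method {method!r}")
    engine = SourceDedup() if method == "Source" else RecordDedup(mask)
    return [(exp, rec) for exp, rec in records if engine.keep(exp, rec)]


# Constructed sample: two exporters (router-a, router-b) both report the same
# flow; router-b re-sends one record unchanged and then with a new byte count.
KEY: FlowKey = ("10.1.1.5", "10.2.2.9", 51000, 443, "tcp")
SAMPLE = [
    ("router-a", {"key": KEY, "direction": "out", "bytes": 4200, "packets": 30}),
    ("router-b", {"key": KEY, "direction": "out", "bytes": 4200, "packets": 30}),
    ("router-b", {"key": KEY, "direction": "out", "bytes": 4200, "packets": 30}),
    ("router-b", {"key": KEY, "direction": "out", "bytes": 4500, "packets": 30}),
    ("router-a", {"key": KEY, "direction": "in", "bytes": 900, "packets": 12}),
]

if __name__ == "__main__":
    for method, mask in (("Source", "DBP"), ("Record", "DBP"), ("Record", "XXP")):
        print(method, mask, "->", len(dedup(SAMPLE, method, mask)), "records kept")
```

With the sample, "Source" keeps only router-a's two records; "Record" with DBP keeps four (only the verbatim repeat is dropped), and a narrower mask such as XXP also drops router-b's updated record because its packet count is unchanged, which is the trade-off to weigh when loosening the mask.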
You can also configure branch filtering in the Flow Processor, which allows you to distribute network processing across multiple Classification Engines. A branch filter consists of a branch and a flow class definition. The branch filter configuration controls which flows a component receives. When configuring branch filtering, you must use groups located at the top of your network hierarchy. For the Flow Processor, the branch filter specifies which flows the Flow Processor receives from flow sources.
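The superflow bundling described above can be demonstrated directly from the Type A, B and C definitions in Table 7-9: only one-sided flows (no response bytes or packets) are candidates, flows sharing the listed properties are grouped, and a group is collapsed into one aggregate only once the number of distinct hosts (or, for type C, distinct port pairs) exceeds the configured threshold. The following is an added example, not the Flow Processor's implementation; the `Flow` type, the plain /24 notion of "network" standing in for the network hierarchy, and the sample flows are constructed for it.

```python
"""Superflow bundling (constructed example, not STRM's Flow Processor code):
one-sided flows sharing the properties listed for type A, B or C superflows
are combined into one aggregate once a host exceeds the configured threshold.
Flows below the threshold, and all two-sided flows, pass through unchanged."""

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    src_bytes: int
    dst_bytes: int
    src_packets: int
    dst_packets: int
    tcp_flags: str = ""

    @property
    def one_sided(self) -> bool:
        # Only flows that received no response are candidates for bundling.
        return self.dst_bytes == 0 and self.dst_packets == 0


def network_of(ip: str, prefix: int = 24) -> str:
    """Assumed stand-in for the network hierarchy: plain /24 networks."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _port_key(f: Flow) -> Tuple:
    # Destination port and TCP flags only apply to the protocols that have them.
    if f.proto == "tcp":
        return (f.dport, f.tcp_flags)
    if f.proto == "udp":
        return (f.dport,)
    return ()


def group_key(f: Flow, kind: str) -> Optional[Tuple]:
    """Properties that must match for flows to join one superflow of this type."""
    if kind == "A":   # one host -> many hosts (destination host varies)
        return ("A", f.proto, f.src, f.src_bytes, network_of(f.dst)) + _port_key(f)
    if kind == "B":   # many hosts -> one host (source host varies)
        return ("B", f.proto, f.src_bytes, f.src_packets, f.dst, network_of(f.src)) + _port_key(f)
    if kind == "C":   # one host -> one host (ports vary), non-ICMP only
        if f.proto == "icmp":
            return None
        return ("C", f.proto, f.src, f.dst, f.src_bytes, f.dst_bytes, f.src_packets, f.dst_packets)
    raise ValueError(f"unknown superflow type {kind!r}")


def _varying(f: Flow, kind: str):
    # The attribute that is allowed to differ inside a superflow of this type.
    return {"A": f.dst, "B": f.src, "C": (f.sport, f.dport)}[kind]


def bundle(flows: List[Flow], kind: str, threshold: int) -> List[dict]:
    """Return bundled superflows plus the flows that pass through unchanged."""
    groups: Dict[Tuple, List[Flow]] = defaultdict(list)
    passthrough: List[dict] = []
    for f in flows:
        key = group_key(f, kind) if f.one_sided else None
        if key is None:
            passthrough.append({"type": "flow", "flow": f})
        else:
            groups[key].append(f)

    out: List[dict] = []
    for key, members in groups.items():
        distinct = {_varying(m, kind) for m in members}
        if len(distinct) > threshold:
            out.append({"type": f"superflow-{kind}", "members": len(members), "distinct": len(distinct),
                        "src_bytes": sum(m.src_bytes for m in members),
                        "src_packets": sum(m.src_packets for m in members), "key": key})
        else:
            # Under the threshold these stay ordinary one-sided flows, e.g. a
            # couple of requests to a host that happens to be down.
            out.extend({"type": "flow", "flow": m} for m in members)
    return out + passthrough


def demo() -> List[dict]:
    """Constructed sample: one host probing five hosts on port 445 with
    unanswered 60-byte SYNs, one normal answered session, and a second host
    with just two unanswered requests (below the threshold)."""
    scan = [Flow("tcp", "10.0.0.7", f"10.0.1.{i}", 40000 + i, 445, 60, 0, 1, 0, "S") for i in range(1, 6)]
    normal = [Flow("tcp", "10.0.0.7", "10.0.1.20", 40100, 80, 500, 12000, 6, 10, "SA")]
    few = [Flow("tcp", "10.0.0.8", "10.0.1.30", 41000, 80, 60, 0, 1, 0, "S"),
           Flow("tcp", "10.0.0.8", "10.0.1.31", 41001, 80, 60, 0, 1, 0, "S")]
    return bundle(scan + normal + few, "A", threshold=3)
```

In the sample the five probes collapse into a single type A superflow that still carries their summed bytes and packets, while the two unanswered requests from the second host and the answered session are reported as ordinary flows, which is the behaviour the threshold paragraph above asks for.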
To configure a Flow Processor:
Step 1 In either the Flow or System View, select the Flow Processor you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Flow Processor window appears.
Step 3 Enter values for the parameters:
Table 7-8 Flow Processor Parameters
Parameter - Description
Flow Processor Listen Port - The Classification Engine connects to the Flow Processor to accept flows through a TCP/IP link. Specify the port that the Flow Processor monitors for incoming connections. The default range is from 32000 to 65535.
Flow Collectors - When the Flow Processor starts, it attempts to establish a link with one or more Flow Collectors. If a Flow Collector cannot be reached, the Flow Processor attempts to establish the link periodically until it succeeds. You can have multiple Flow Collectors in your deployment and each Flow Collector can be connected to a different time server. This parameter also indicates whether each Flow Collector is local or remote. Specifies the list of default Flow Collectors to which the Flow Processor connects. The information is entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Collector.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Collector is local (L) or remote (R).
Each Flow Collector is separated with a comma. The default is localhost:32000.
Flow Processors - Specifies the list of Flow Processors attached to this Flow Processor. You can have multiple Flow Processors in your deployment and each Flow Processor can be connected to a different time server. This parameter also indicates whether each Flow Processor is local or remote. If a component is identified as remote, any flows sent to the local Flow Processor are tagged with the local interval time. This parameter is for information purposes only and is not amendable. The values are entered in the following format:
<hostname>:<port>:[L|R]
Where:
<hostname> is the hostname of the Flow Processor.
<port> is the port on which communications are established.
[L|R] indicates whether the Flow Processor is local (L) or remote (R).
Each Flow Processor is separated with a comma.
Step 4 In the toolbar, click Advanced to display advanced parameters.
The configuration parameters appear.
Step 5 Enter values for the parameters:
Table 7-9 Flow Processor Parameters
Parameter - Description
Create Flow Bundles - Specify one of the following options:
• Yes - Allows the Flow Processor to group flows that have similar properties.
• No - Disables the bundling of flows.
Maximum Number of Flows - Specify the maximum number of flows you want to send from the Flow Processor to the Classification Engines. If set to 0, the number of flows is unlimited.
Time Difference for Duplicate Flows - Specify the time difference threshold, in microseconds, that determines whether duplicate flows are present. The default is 500000.
Type A Superflows - Specify the threshold for type A superflows, which is one host sending data to many hosts. A type A superflow is a unidirectional flow that is an aggregate of all flows that have the same protocol, source bytes, source hosts, destination network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), and ICMP type and code (ICMP flows only), but different destination hosts.
Type B Superflows - Specify the threshold for type B superflows, which is many hosts sending data to one host. A type B superflow is a unidirectional flow that is an aggregate of all flows that have the same protocol, source bytes, source packets, destination host, source network, destination port (TCP and UDP flows only), TCP flags (TCP flows only), and ICMP type and code (ICMP flows only), but different source hosts.
Type C Superflows - Specify the threshold for type C superflows, which is one host sending data to another host. A type C superflow is a unidirectional flow that is an aggregate of all non-ICMP flows that have the same protocol, source host, destination host, source bytes, destination bytes, source packets, and destination packets, but different source or destination ports.
IP Address(es) Range Conversion - Specify an IP address or CIDR range to convert to another IP address or CIDR range from the Flow Processor. This allows STRM to identify data sources on networks with similar IP addresses when a single Flow Processor is used to process many data sources. Enter the information in the following format:
<IP address>:<convert>
Where:
<IP address> specifies the IP address or CIDR range to be converted.
<convert> specifies the desired conversion range.
This option is also available in the Flow Collector.
Maximum Content for Destination STRM Components - A content filter controls where content is denied or allowed. Apply filters in the following format:
<CIDR>:<bytes of content>
Where:
<CIDR> specifies a CIDR range.
<bytes of content> specifies how much content is allowed, for example, 64 bytes of content or 128 bytes of content.
The filter is case sensitive. You must use either all uppercase or all lowercase characters. For example:
If CIDR=10.100.100.0/24 and you want to allow 64 bytes of content, enter:
10.100.100.0/24:64
If CIDR=10.100.100.0/24 and you want to deny the content, enter:
10.100.100.0/24:0
If CIDR=10.100.100.0/24 and you want to allow content only to this CIDR, enter:
default:0, 10.100.100.0/24:64
Branch Filtering - By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine. Specify the branch filter using the following syntax:
brc1,brc2,..,brc-N
Where:
brc-1,brc-2,....,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored. For example:
ComputingServices,Manufacturing_facilities
Corporate_HQ,other
Recombine Asymmetric Flows - In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. You can combine flows received from either a single or multiple Flow Collectors. However, if you want to combine flows from multiple Flow Collectors, you must configure flow sources in the Asymmetric Flow Source Interface(s) parameters in the Flow Collector configuration. For more information, see Configuring a Flow Collector. Choose one of the following options:
• Yes - Asymmetric flows are combined.
• No - Asymmetric flows are not combined.
Ignore Asymmetric Superflows - Specify whether you want to enable the creation of superflows while asymmetric flows are enabled. The default is Yes, which means superflows are created.
Enable Application Mapping - Choose one of the following:
• Yes - Application mapping is applied, as defined in your mapping file. For more information, see the STRM Default Application Configuration Guide. This is the default.
• No - Application mapping is not applied.
User Application Mapping - Specify the name of the file that contains your custom application mappings. For more information, see the STRM Default Application Configuration Guide.
Block Content - Choose one of the following options:
• Yes - All content captured in the flows is removed by the Flow Processor.
• No - Captured content is not removed from flows.
Payload Modification - Specify a string to which you want all content to be changed.
Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Flow Processors in your deployment you want to configure.
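Three of the Flow Processor parameters above are free-text strings with their own mini-syntax: the `<hostname>:<port>:[L|R]` collector list, the `<CIDR>:<bytes of content>` content filter (with its `default` entry and the `10.100.100.0/24:0` deny form), and the comma-separated branch filter whose unknown branches are silently ignored. The parsers below are an added example of validating such values before they are deployed, not STRM's own parsing code; the function names, the assumption that an entry without an L/R flag (such as the default `localhost:32000`) is local, the longest-prefix rule for overlapping CIDRs, and the sample hierarchy are all constructed for it.

```python
"""Parsers for three Flow Processor parameter formats from Tables 7-8 and 7-9
(constructed example, not STRM code): the '<hostname>:<port>:[L|R]' collector
list, the '<CIDR>:<bytes of content>' content filter with its 'default' entry,
and the comma-separated branch filter checked against the network hierarchy."""

import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_collectors(value: str) -> List[Tuple[str, int, bool]]:
    """'host:port:[L|R], ...' -> [(host, port, is_local), ...].
    Assumption for this example: an entry with no flag (the documented default
    'localhost:32000') is treated as local."""
    result = []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        parts = entry.split(":")
        if len(parts) not in (2, 3):
            raise ValueError(f"bad collector entry {entry!r}; expected <hostname>:<port>:[L|R]")
        host, port = parts[0], int(parts[1])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        flag = parts[2].upper() if len(parts) == 3 else "L"
        if flag not in ("L", "R"):
            raise ValueError(f"flag must be L or R in {entry!r}")
        result.append((host, port, flag == "L"))
    return result


class ContentFilter:
    """'default:0, 10.100.100.0/24:64' -> per-destination content byte limit.
    The most specific (longest-prefix) matching CIDR wins; 'default' covers the rest."""

    def __init__(self, spec: str) -> None:
        self.default: Optional[int] = None
        self.rules: List[Tuple[Network, int]] = []
        for entry in (e.strip() for e in spec.split(",") if e.strip()):
            # rpartition keeps IPv6 prefixes (which contain ':') intact.
            cidr, _, limit = entry.rpartition(":")
            if not cidr or not limit.isdigit():
                raise ValueError(f"bad content filter entry {entry!r}; expected <CIDR>:<bytes>")
            if cidr == "default":
                self.default = int(limit)
            else:
                self.rules.append((ipaddress.ip_network(cidr, strict=False), int(limit)))
        # Longest prefix first so the most specific rule is found first.
        self.rules.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def limit_for(self, dst_ip: str) -> Optional[int]:
        """Bytes of content allowed towards dst_ip; 0 means denied, None means
        no matching rule and no default."""
        ip = ipaddress.ip_address(dst_ip)
        for net, limit in self.rules:
            if ip.version == net.version and ip in net:
                return limit
        return self.default


def parse_branch_filter(value: str, hierarchy: List[str]) -> Tuple[List[str], List[str]]:
    """'brc1,brc2,...' -> (accepted branches, names not in the hierarchy that
    the Flow Processor would ignore); surfacing the second list catches typos."""
    known = set(hierarchy)
    accepted: List[str] = []
    ignored: List[str] = []
    for name in (n.strip() for n in value.split(",") if n.strip()):
        (accepted if name in known else ignored).append(name)
    return accepted, ignored


if __name__ == "__main__":
    print(parse_collectors("qflow1.example:32000:L, qflow2.example:32000:R"))
    f = ContentFilter("default:0, 10.100.100.0/24:64")
    print(f.limit_for("10.100.100.7"), f.limit_for("10.100.101.7"))
    # Constructed hierarchy; 'Unknwon' is deliberately misspelled to show the
    # ignored list.
    print(parse_branch_filter("ComputingServices,Unknwon", ["ComputingServices", "Corporate_HQ"]))
```

The branch filter helper returns the ignored names rather than dropping them quietly, because the documented behaviour (unknown branches are ignored) means a misspelled branch silently widens or narrows what a Classification Engine receives.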
Configuring a Classification Engine
The Classification Engine receives inputs from one or more Flow Processors, classifies the flows into views and objects, and outputs the resulting database entries and flow logs to the Update Daemon to be stored on disk. Using the deployment map, you can either enable or disable views and configure a Classification Engine.
To configure a Classification Engine:
Step 1 In either the Flow or System View, select the Classification Engine you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Classification Engine window appears.
Step 3 Enter values for the parameters:
Table 7-10 Classification Engine Parameters
Parameter - Description
Classification Engine Server Listen Port - Specify the port that the Classification Engine monitors for incoming connections. The default range is from 32000 to 65535.
Flow Processor Connections - When the Classification Engine starts, it attempts to establish a TCP/IP communications link with one or more Flow Processors to retrieve flows. If the Flow Processors cannot be reached, the Classification Engine attempts to establish the link periodically until it succeeds. This parameter is for information purposes only and is not amendable. Specifies the list of Flow Processor connections using the following format:
<hostname>:<port>
The default is localhost:32001. Each entry is separated with a comma.
Update Daemon Connections - Specifies the hostname and port of the Update Daemon to which the Classification Engine sends data for storage. This parameter is for information purposes only and is not amendable. The information appears in the following format:
<hostname>:<port>
The default is localhost:32002.
Flow Writer Connection - Specifies the hostname and port of the Flow Writer that sends the Classification Engine data for storage. This parameter is for information purposes only and is not amendable. The information appears in the following format:
<hostname>:<port>
The default is localhost:32010.
Event Collector Connections - Specifies the hostname and port of the Event Collector that sends the Classification Engine data. This parameter is for information purposes only and is not amendable.
Step 4 In the toolbar, click Advanced to display advanced parameters.
The configuration parameters appear.
Step 5 Enter values for the parameters:
Table 7-11 Classification Engine Parameters
Parameter - Description
Forward Flow Data - Specify one of the following options:
• Yes - Process view data only and do not forward flows. This is the default.
• No - Process and forward all data.
Process Defined Views Only - If you are using a distributed processing Console, specify the processing information. This requires each involved managed host to have a list of views to process. For assistance, contact Juniper Networks Customer Support.
Branch Filtering - By default, branch filtering is disabled and all traffic is forwarded to all Classification Engines. Filtering does not begin unless the Flow Processor receives a branch filter definition from the Classification Engine. Specify the branch filter using the following syntax:
brc1,brc2,..,brc-N
Where:
brc-1,brc-2,....,brc-N specifies any branch of the local network hierarchy. If a specified branch does not belong to the network hierarchy, the branch is ignored. For example:
ComputingServices,Manufacturing_facilities
Corporate_HQ,other
Network Object Limit - Specify the maximum number of network objects you want to allow.
Asset Profile Threshold - Specify the maximum number of asset profiles you want to monitor. The default is 25,000.
Remote Host Cache Clear Interval - Specify the period of time, in seconds, that you want to retain the log files, which are the stored result of a remote view lookup.
Step 6 Click Save.
The deployment map appears.
Step 7 Repeat for all Classification Engines in your deployment you want to configure.
Configuring an Update Daemon
Once the Classification Engine has processed the flows for an interval, the Update Daemon stores the database and TopN data. Depending on the size of your deployment, you may have multiple Update Daemons.
To configure an Update Daemon:
Step 1 In either the Flow or System View, select the Update Daemon you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Update Daemon Configuration window appears.
Step 3 For the Server listen port parameter, specify the Update Daemon listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.
Step 4 In the toolbar, click Advanced to display advanced parameters.
The configuration parameters appear.
Step 5 Enter values for the parameters:
Table 7-12 Update Daemon Parameters
Parameter - Description
Database Storage Location - Specify the directory in which you want to store the database information. The default is /store/db.
TopN Database Storage Location - Specify the directory in which you want to store the TopN database. The default is /store/STRM-tmp/topn.
Step 6 Click Save.
The deployment map appears.
Step 7 Repeat for all Update Daemons in your deployment you want to configure.
STRM Administration Guide
Configuring STRM Components 111
Configuring a Flow Writer
Once the Classification Engine has processed the flows for an interval, the Flow Writer stores the flow and asset profile data. You can only have one Flow Writer per host, and it must be connected to the Classification Engine.
To configure a Flow Writer:
Step 1 In either the Flow or System View, select the Flow Writer you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Flow Writer Configuration window appears.
Step 3 Enter values for the parameters:
Table 7-13 Flow Writer Parameters
Parameter | Description
Server listen port | Specify the Flow Writer listening port values. Separate each entry with a comma. This port monitors requests from the Classification Engine. The entered values must match the values configured for the Classification Engine.
Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.
Step 5 Enter values for the parameters:
Table 7-14 Flow Writer Advanced Parameters
Parameter | Description
Maximum Hosts Count Before a Reset | Specify the maximum number of hosts you want the system to store before all counters are reset. The lower the reset threshold, the less disk space your system uses; however, query times may be longer.
Step 6 Click Save.
The deployment map appears.
Configuring an Event Collector
The Event Collector collects security events from various types of security devices in your network.
To configure an Event Collector:
Step 1 From either the Event View or System View, select the Event Collector you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Event Collector Configuration window appears.
Step 3 Enter values for the parameters:
Table 7-15 Event Collector Parameters
Parameter | Description
Event Collector Server Listen Port | Specify the port on which the Event Collector listens. The Event Collector monitors at least one device per instance of the component.
Destination Event Processor | Specify the destination Event Processor for communications.
Listen Port | Specifies the listening port for event forwarding.
Event Targets | If the Event Collector includes an off-site target, this parameter specifies the normalized event forwarding devices, separated by commas, using the following format: <device>:<type>. This parameter is for informational purposes only and is not amendable.
Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.
Step 5 Enter values for the parameters:
Table 7-16 Event Collector Advanced Parameters
Parameter | Description
Receives Flow Context | Specifies the first Event Collector installed in your deployment. This parameter is for informational purposes only and is not amendable.
Auto Detection Enabled | Specify whether you want the Event Collector to automatically analyze and accept traffic from previously unknown sensor devices. The default is True, which means that the Event Collector detects sensor devices in your network. When set to True, the appropriate firewall ports are also opened so that auto detection can receive events. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Event Collectors in your deployment that you want to configure.

Configuring an Event Processor
The Event Processor processes events collected from one or more Event Collectors.
To configure an Event Processor:
Step 1 From either the Event View or System View, select the Event Processor you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Event Processor Configuration window appears.
Step 3 Enter values for the parameters:
Table 7-17 Event Processor Parameters
Parameter | Description
Event Processor Server Listen Port | Specify the port that the Event Processor monitors for incoming connections. The default range is from 32000 to 65535.
Destination Magistrate | Specifies the Magistrate to which events are sent. This parameter is for informational purposes only and is not amendable.
Classification Engines | Specifies all Classification Engines in your deployment; all Event Processors are connected to all Classification Engines. This parameter is for informational purposes only and is not amendable.
ESA Server | Specifies the Event Statistical Aggregation (ESA) server to which the Event Processor is connected. This parameter is for informational purposes only and is not amendable.
Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.
Step 5 Enter values for the parameters, as necessary:
Table 7-18 Event Processor Advanced Parameters
Parameter | Description
Overflow Routing Threshold | Specify the events-per-second threshold up to which the Event Processor manages events. Events over this threshold are placed in the cache.
Path to Ariel Events Database | Specify the location in which you want to store events. The default is /store/ariel/events.
Path to Ariel Payloads Database | Specify the location in which you want to store payload information. The default is /store/ariel/payloads.
Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Event Processors in your deployment that you want to configure.

Configuring the Magistrate
The Magistrate component provides the core processing components of the SIM option.
To configure the Magistrate component:
Step 1 From either the Event View or System View, select the Magistrate component you want to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Magistrate Configuration window appears.
Step 3 Enter values for the parameters:
Table 7-19 Magistrate Parameters
Parameter | Description
Magistrate Server Listen Port | Specify the port that the Magistrate monitors for incoming connections. The default range is 32000 to 65535.
ESA Server | Specifies the Event Statistical Aggregation (ESA) server to which the Magistrate is connected. This parameter is for informational purposes only and is not amendable.
Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.
Step 5 For the Overflow Routing Threshold, specify the events-per-second threshold up to which the Magistrate manages events. Events over this threshold are placed in the cache. The default is 20000.
Step 6 Click Save.
The deployment editor appears.
7 MANAGING FLOW SOURCES
This chapter provides information on managing flow sources in your deployment including:
• About Flow Sources
• Managing Flow Sources
• Managing Flow Source Aliases
About Flow Sources
STRM allows you to integrate internal and external flow sources:
• Internal flow sources - Includes any additional hardware installed on a managed host, such as a Network Interface Card (NIC). Depending on the hardware configuration of your managed host, the options may include:
- Network interface card
- Endace Network Monitoring Interface Card
• External flow sources - Configures an external flow source for the Flow Collector. If your Flow Collector receives multiple flow sources, you can assign each source a distinct name, providing the ability to distinguish one source of external flow data from another when received on the same Flow Collector. To assign names to multiple flow sources, you must configure the External Flow Source Interface Name parameter in the Flow Collector component. External flow sources may include:
- NetFlow
- sFlow
- J-Flow
- Packeteer
- Flowlog File
NetFlow
A proprietary accounting technology developed by Cisco Systems® Inc. that monitors traffic flows through a switch or router, interprets the client, server, protocol, and port used, counts the number of bytes and packets, and sends that data to a NetFlow collector. The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE). You can configure STRM to accept NDEs and thus become a NetFlow collector. STRM supports NetFlow versions 1, 5, 7, and 9. For more information on NetFlow, see www.cisco.com. While NetFlow expands the amount of the network that is monitored, NetFlow has the following limitations:
• NetFlow classifies application traffic only by TCP port (for example, HTTP on port 80). This layer 4 analysis of traffic does not consider the actual layer 7 identification of application traffic that is available in STRM.
• NetFlow uses a connection-less protocol (UDP) to deliver NDEs. Once an NDE is sent from a switch or router, the NetFlow record is purged. Because UDP does not guarantee delivery, lost NDEs result in inaccurate NetFlow records and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.
Once you configure an external flow source for NetFlow, you must:
• Make sure the appropriate firewall rules are configured. Because NDEs are unauthenticated UDP datagrams, restrict the rule to the addresses of your known exporters rather than opening the monitoring port to any source. Note that if you change your External Flow Source Monitoring Port parameter in the Flow Collector configuration, you must also update your firewall access configuration.
• Make sure the appropriate ports are configured for your Flow Collector.
If you are using NetFlow version 9, make sure the NetFlow template from the NetFlow source includes the following fields:
• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT
• IN_BYTES and/or OUT_BYTES
• IN_PKTS and/or OUT_PKTS
• TCP_FLAGS (TCP flows only)
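The field list above is what STRM needs from a version 9 template. The following Python script, added here as an example and not part of the STRM product or this guide, parses the template FlowSets out of a captured v9 export packet and reports which required fields each template lacks. It uses the field type numbers from RFC 3954 (section 8), which the guide does not list; the packet in the block is constructed for the demonstration (a real one can be captured with tcpdump on the monitoring port), and the build_template_packet helper exists only to create that test data.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type identifiers (RFC 3954, section 8) for the fields STRM requires.
FIELD_TYPES = {
    "IN_BYTES": 1, "IN_PKTS": 2, "PROTOCOL": 4, "TCP_FLAGS": 6,
    "L4_SRC_PORT": 7, "IPV4_SRC_ADDR": 8, "L4_DST_PORT": 11,
    "IPV4_DST_ADDR": 12, "LAST_SWITCHED": 21, "FIRST_SWITCHED": 22,
    "OUT_BYTES": 23, "OUT_PKTS": 24,
}
TYPE_NAMES = {v: k for k, v in FIELD_TYPES.items()}

# Each inner tuple lists alternatives; at least one of them must be in the template.
REQUIRED = (
    ("FIRST_SWITCHED",), ("LAST_SWITCHED",), ("PROTOCOL",),
    ("IPV4_SRC_ADDR",), ("IPV4_DST_ADDR",), ("L4_SRC_PORT",), ("L4_DST_PORT",),
    ("IN_BYTES", "OUT_BYTES"), ("IN_PKTS", "OUT_PKTS"),
)

HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
U16_PAIR = struct.Struct("!HH")


def parse_templates(packet: bytes) -> Dict[int, List[int]]:
    """Return {template_id: [field_type, ...]} for every template FlowSet (ID 0) in one export packet.
    Data and options FlowSets are skipped; truncated packets raise ValueError rather than
    being silently accepted."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the v9 header")
    version = HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates: Dict[int, List[int]] = {}
    offset = HEADER.size
    while offset + U16_PAIR.size <= len(packet):
        flowset_id, length = U16_PAIR.unpack_from(packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError(f"malformed FlowSet length {length} at offset {offset}")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = U16_PAIR.unpack_from(body, pos)
                if template_id == 0:          # zero padding at the end of the FlowSet
                    break
                pos += 4
                if pos + 4 * field_count > len(body):
                    raise ValueError(f"template {template_id} truncated")
                fields = [U16_PAIR.unpack_from(body, pos + 4 * i)[0] for i in range(field_count)]
                pos += 4 * field_count
                templates[template_id] = fields
        offset += length
    return templates


def check_template(fields: List[int]) -> Tuple[List[str], List[str]]:
    """Compare one template's field types with STRM's requirements.
    Returns (missing, warnings): 'missing' names mandatory fields that are absent; 'warnings'
    notes TCP_FLAGS, which only matters for templates that describe TCP flows."""
    present = {TYPE_NAMES.get(f, f"type_{f}") for f in fields}
    missing = [" or ".join(alts) for alts in REQUIRED if not any(a in present for a in alts)]
    warnings = [] if "TCP_FLAGS" in present else ["TCP_FLAGS absent: TCP flows will lack flag data"]
    return missing, warnings


def audit_packet(packet: bytes) -> Dict[int, Tuple[List[str], List[str]]]:
    """Audit every template in an export packet; an empty 'missing' list means STRM can use it."""
    return {tid: check_template(fields) for tid, fields in parse_templates(packet).items()}


def build_template_packet(templates: Dict[int, List[int]], field_len: int = 4) -> bytes:
    """Constructed test data: a v9 header plus one template FlowSet carrying the given templates."""
    records = b"".join(
        U16_PAIR.pack(tid, len(fs)) + b"".join(U16_PAIR.pack(f, field_len) for f in fs)
        for tid, fs in templates.items()
    )
    return HEADER.pack(9, len(templates), 0, 0, 0, 0) + U16_PAIR.pack(0, 4 + len(records)) + records


# Constructed sample: template 256 satisfies the list above; template 257 omits the timestamps and ports.
GOOD_TEMPLATE = [FIELD_TYPES[n] for n in (
    "FIRST_SWITCHED", "LAST_SWITCHED", "PROTOCOL", "IPV4_SRC_ADDR", "IPV4_DST_ADDR",
    "L4_SRC_PORT", "L4_DST_PORT", "IN_BYTES", "IN_PKTS", "TCP_FLAGS")]
BAD_TEMPLATE = [FIELD_TYPES[n] for n in ("IPV4_SRC_ADDR", "IPV4_DST_ADDR", "PROTOCOL", "IN_BYTES", "IN_PKTS")]
SAMPLE_PACKET = build_template_packet({256: GOOD_TEMPLATE, 257: BAD_TEMPLATE})

if __name__ == "__main__":
    for tid, (missing, warnings) in audit_packet(SAMPLE_PACKET).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"template {tid}: {status}" + (f" ({'; '.join(warnings)})" if warnings else ""))
```

Run the audit before you deploy the flow source and again whenever the exporter's template changes. TCP_FLAGS is reported as a warning rather than as a missing field because a template that describes only UDP or ICMP flows legitimately omits it; the parser rejects packets whose FlowSet lengths overrun the datagram instead of reading past the end.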
sFlow
A multi-vendor and end-user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously. sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. STRM supports sFlow versions 2, 4, and 5. Note that sFlow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on sFlow, see www.sflow.org.
sFlow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the sFlow record is purged. Because UDP does not guarantee delivery, lost datagrams result in inaccurate sFlow records and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.
Once you configure an external flow source for sFlow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.
J-Flow
A proprietary accounting technology used by Juniper® Networks that allows you to collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on a J-Flow collector. You can also enable J-Flow on a router or interface to collect network statistics for specific locations on your network. Note that J-Flow traffic is based on sampled data and, therefore, may not represent all network traffic. For more information on J-Flow, see www.juniper.net.
J-Flow uses a connection-less protocol (UDP). Once data is sent from a switch or router, the J-Flow record is purged. Because UDP does not guarantee delivery, lost datagrams result in inaccurate J-Flow records and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.
Once you configure an external flow source for J-Flow, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure the appropriate ports are configured for your Flow Collector.
Packeteer
Packeteer devices collect, aggregate, and store network performance data. Once you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to STRM.
Packeteer uses a connection-less protocol (UDP). Once data is sent from a Packeteer device, the record is purged. Because UDP does not guarantee delivery, lost datagrams result in inaccurate Packeteer records and reduced alerting capabilities. This can result in inaccurate presentations of both traffic volumes and bi-directional flows.
To configure Packeteer as an external flow source, you must:
• Make sure the appropriate firewall rules are configured.
• Make sure that you configure the Packeteer devices to export flow detail records, with the Flow Collector as the destination for the data export.
• Make sure the appropriate ports are configured for your Flow Collector.
• The class IDs from the Packeteer devices are automatically detected by the Flow Collector.
• For additional information on mapping Packeteer applications into STRM, see the Mapping Packeteer Applications into STRM Technical Note, available on the Juniper Networks technical support website.
Flowlog File
A file generated from the STRM flow logs.
Managing Flow Sources
For STRM appliances, STRM automatically adds default flow sources for the physical ports on the appliance and also includes a default NetFlow v5 flow source. If you have installed STRM on your own hardware, STRM attempts to automatically detect and add default flow sources for any physical devices (such as a NIC), and once you assign a Flow Collector, STRM includes a default NetFlow flow source.
Using the Administration Console, you can perform the following tasks:
• Adding a Flow Source
• Editing a Flow Source
• Enabling/Disabling a Flow Source
• Deleting a Flow Source
Adding a Flow Source
To add a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Sources icon.
The Flow Source window appears.
Step 3 Click Add.
The Add Flow Source window appears.
Step 4 Enter values for the parameters:
Table 8-1 Add Flow Source
Parameter | Description
Build from existing flow source | Select the check box if you want to create this flow source using an existing flow source as a template. Once the check box is selected, use the drop-down list box to select the desired flow source and click Use as Template.
Flow Source Name | Specify the name of the flow source. For an external flow source that is also a physical device, we recommend that you use the device name as the flow source name. If the flow source is not a physical device, make sure you use a meaningful name. For example, if you want to use NetFlow traffic, enter nf1.
Target Flow Collector | Using the drop-down list box, select the Flow Collector you want to use for this flow source.
Flow Source Type | Using the drop-down list box, select the flow source type for this flow source. The options are:
• Flowlog File
• JFlow
• Netflow v.1, v.5, v.7, or v.9
• Network Interface
• Packeteer FDR
• SFlow v.2, v.4, or v.5
Enable Asymmetric Flows | In some networks, traffic is configured to take alternate paths for inbound and outbound traffic. This is asymmetric routing. Select the check box if you want to enable asymmetric flows for this flow source.
Step 5 Choose one of the following:
a If you selected Flowlog File as the Flow Source Type, configure the Source File Path, which is the source path location for the flow log file.
b If you selected JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source Type, configure the following:
Table 8-2 External Flow Parameters
Parameter | Description
Monitoring Interface | Using the drop-down list box, select the monitoring interface you want to use for this flow source.
Monitoring Port | Specify the port you want this flow source to use.
Enable Flow Forwarding | Select the check box to enable flow forwarding for this flow source. Once the check box is selected, the following options appear:
• Forwarding Port - Specify the port to which you want to forward flows. The default is 1025.
• Forwarding Destinations - Specify the destinations to which you want to forward flows. You can add or remove addresses from the list using the Add and Remove buttons.
c If you selected Network Interface as the Flow Source Type, configure the following:
Table 8-3 Network Interface Parameters
Parameter | Description
Device | Using the drop-down list box, select the device interface you want to assign to this flow source. Note: You can only configure one device per Ethernet interface. Also, you cannot send different flow types to the same port.
Filter String | Specify the filter string for this flow source.
Step 6 Click Save.
Step 7 From the Administration Console menu, select Configurations > Deploy Configuration Changes.

Editing a Flow Source
To edit a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Sources icon.
The Flow Source window appears.
Step 3 Click Edit.
The Edit Flow Source window appears.
Step 4 Edit values, as necessary. For more information on values for flow source types, see Adding a Flow Source.
Step 5 Click Save.
Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
Enabling/Disabling a Flow Source
To enable or disable a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Sources icon.
The Flow Source window appears.
Step 3 Select the flow source you want to enable or disable.
Step 4 Click Enable/Disable.
The Enabled column indicates if the flow source is enabled or disabled. If the flow source was previously disabled, the column now indicates True to indicate the flow source is now enabled. If the flow source was previously enabled, the column now indicates False to indicate the flow source is now disabled.
Step 5 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
Deleting a Flow Source
To delete a flow source:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Sources icon.
The Flow Source window appears.
Step 3 Select the flow source you want to delete.
Step 4 Click Delete. A confirmation window appears.
Step 5 Click Ok.
Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
Managing Flow Source Aliases
You can configure a virtual name (or alias) for flow sources. You can identify multiple sources being sent to the same Flow Collector using the sources' IP address and virtual name. An alias allows a Flow Collector to uniquely identify and process data sources being sent to the same port.
When a Flow Collector receives traffic from a device with an IP address but no current alias, the Flow Collector attempts a reverse DNS lookup to determine the hostname of the device. If the lookup is successful, the Flow Collector adds this information to the database and reports it to all Flow Collectors in your deployment.
Note: Using the deployment editor, you can configure the Flow Collector to automatically detect flow source aliases. For more information, see Chapter 6 Using the Deployment Editor.
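The alias lookup described above, as an added Python example that is not STRM's code: configured aliases take precedence, an unknown exporter triggers a reverse DNS lookup, and a successful result is cached as a learned alias. One check the guide does not mention is worth adding: a PTR record is set by whoever controls the reverse zone for the exporter's address, so the name it returns is untrusted input that ends up in your database and in every Flow Collector's display. The example accepts only values that are syntactically valid hostnames and otherwise falls back to the IP address. The CONSTRUCTED_PTR table stands in for DNS so the block runs offline; the ptr_lookup hook, the hostname check, and the choice not to cache failed lookups are assumptions of this example, not documented STRM behaviour.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# A learned alias is accepted only if it is a syntactically valid hostname (letters, digits,
# hyphens, dot-separated labels of at most 63 characters, 253 characters overall). PTR data is
# controlled by the owner of the reverse zone, so anything else is treated as untrusted junk.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def looks_like_hostname(name: str) -> bool:
    return len(name) <= 253 and HOSTNAME_RE.fullmatch(name) is not None


def system_ptr_lookup(ip: str) -> Optional[str]:
    """Reverse DNS through the system resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


class FlowSourceAliases:
    """Configured aliases keyed by exporter IP, with reverse-DNS fallback for unknown exporters."""

    def __init__(self, configured: Dict[str, str],
                 ptr_lookup: Callable[[str], Optional[str]] = system_ptr_lookup):
        # Normalise keys so that different spellings of the same address compare equal.
        self.configured = {str(ipaddress.ip_address(ip)): name for ip, name in configured.items()}
        self.learned: Dict[str, str] = {}      # aliases discovered by reverse lookup
        self.ptr_lookup = ptr_lookup

    def name_for(self, exporter_ip: str) -> str:
        ip = str(ipaddress.ip_address(exporter_ip))
        if ip in self.configured:
            return self.configured[ip]
        if ip in self.learned:
            return self.learned[ip]
        host = self.ptr_lookup(ip)
        if host and looks_like_hostname(host):
            self.learned[ip] = host            # this is what would be shared with the other Flow Collectors
            return host
        return ip                              # no usable alias: identify the source by its address


# Constructed PTR table standing in for DNS; one entry carries a hostile PTR value.
CONSTRUCTED_PTR: Dict[str, str] = {
    "192.0.2.20": "edge-fw.example.net",
    "192.0.2.30": "evil host\n<script>.example",
}
LOOKUPS: List[str] = []   # records which addresses actually reached the resolver


def fake_ptr_lookup(ip: str) -> Optional[str]:
    LOOKUPS.append(ip)
    return CONSTRUCTED_PTR.get(ip)


def demo() -> Dict[str, str]:
    """Resolve a constructed set of exporters: one configured alias, one learned, one hostile, one unknown."""
    LOOKUPS.clear()
    aliases = FlowSourceAliases({"192.0.2.10": "core-rtr-1"}, ptr_lookup=fake_ptr_lookup)
    exporters = ["192.0.2.10", "192.0.2.20", "192.0.2.20", "192.0.2.30", "192.0.2.40"]
    return {ip: aliases.name_for(ip) for ip in exporters}


if __name__ == "__main__":
    for ip, name in demo().items():
        print(f"{ip:<12} -> {name}")
```

The second lookup of 192.0.2.20 is served from the learned table, which is the caching the guide describes; the unresolvable 192.0.2.40 is queried on every call, so a deployment with many unnamed exporters should add negative caching or a configured alias for each.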
Using the Administration Console, you can perform the following tasks:
• Adding a Flow Source Alias
• Editing a Flow Source Alias
• Deleting a Flow Source Alias
Adding a Flow Source Alias
To add a flow source alias:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source Aliases icon.
The Flow Source Alias window appears.
Step 3 Click Add.
The Flow Source Alias Management window appears.
Step 4 Enter values for the parameters:
• IP - Specify the IP address of the flow source.
• Name - Specify the alias name for the flow source.
Step 5 Click Save.
Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.

Editing a Flow Source Alias
To edit a flow source alias:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source Aliases icon.
The Flow Source Alias window appears.
Step 3 Select the flow source alias you want to edit.
Step 4 Click Edit.
The Flow Source Alias Management window appears.
Step 5 Update values, as necessary.
Step 6 Click Save.
Step 7 From the Administration Console menu, select Configurations > Deploy Configuration Changes.

Deleting a Flow Source Alias
To delete a flow source alias:
Step 1 In the Administration Console, click the Flow Configuration tab.
The Flow Configuration panel appears.
Step 2 Click the Manage Flow Source Aliases icon.
The Flow Source Aliases window appears.
Step 3 Select the flow source alias you want to delete.
Step 4 Click Delete.
A confirmation window appears.
Step 5 Click Ok.
Step 6 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
8 OVERVIEW
This chapter provides an overview of the STRM Administration Console and STRM administrative functionality including:
• About the Interface
• Accessing the Administration Console
• Using the Interface
• Deploying Changes
About the Interface
You must have administrative privileges to access the Administration Console. The STRM Administration Console provides access to the following administrative functionality:
• Manage users. See Chapter 1 Managing Users.
• Manage your network settings. See Chapter 2 Managing the System.
• Manage STRM settings. See Chapter 3 Setting Up STRM.
• Manage authorized services. See Chapter 4 Managing Authorized Services.
• Back up and recover your data. See Chapter 5 Managing Backup and Recovery.
• Manage your deployment views. See Chapter 6 Using the Deployment Editor.
• Manage flow sources. See Chapter 7 Managing Flow Sources.
• Configure sentries. See Chapter 9 Managing Sentries.
• Configure views. See Chapter 10 Managing Views.
• Configure syslog forwarding. See Chapter 13 Forwarding Syslog Data.
All configuration updates using the Administration Console are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment.
Accessing the Administration Console
You can access the STRM Administration Console through the main STRM interface. To access the Administration Console, click Config in the main STRM interface. The Administration Console appears.
Using the Interface
The Administration Console provides several tab and menu options that allow you to configure STRM, including:
• System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, sentries, system settings, system notifications, authorized services, backup and recovery, and Console configuration.
• Views Configuration - Provides access to STRM views.
• SIM Configuration - Provides access to scanners, sensor device management, syslog forwarding, and resetting the SIM model.
• Flow Configuration - Provides access to flow source configuration, such as NetFlow.
The Administration Console also includes several menu options:
Table 1-1 Administration Console Menu Options
Menu Option | Sub-Menu | Description
File | Close | Closes the Administration Console.
Configurations | Deployment Editor | Opens the deployment editor interface.
Configurations | Deploy Configuration Changes | Deploys any configuration changes from the current session to your deployment.
Configurations | Deploy All | Deploys all configuration settings to your deployment.
System | System Start | Starts the STRM application.
System | System Stop | Stops the STRM application.
System | System Restart | Restarts the STRM application.
Help | Help Contents | Opens user documentation.
Help | About | Displays version information.
The Administration Console also provides several toolbar options:
Table 1-2 Administration Console Toolbar Options
Icon | Description
(Deployment editor icon) | Opens the deployment editor interface.
(Deploy icon) | Deploys all changes made through the Administration Console.

Deploying Changes
Once you update your configuration settings using the Administration Console, you must save those changes to the staging area. You must then either deploy the changes manually using the Deploy options on the Configurations menu or, upon exit, accept the prompt that asks you to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.
Using the Administration Console menu, you can deploy changes as follows:
• Deploy All - Deploys all configuration settings to your deployment.
• Deploy Configuration Changes - Deploys any configuration changes from the current session to your deployment.
9 MANAGING SENTRIES
Sentries provide an alerting function for your network. A sentry can monitor any number of views and generate an alert when traffic in one of the monitored views meets the specified criteria. A non-administrative user can create sentries; however, only an administrative user can configure advanced sentries on a system-wide basis.
Note: For information on creating sentries using the Network Surveillance interface, see the STRM Users Guide.
This chapter provides information on managing STRM sentries including:
• About Sentries
• Viewing Sentries
• Editing Sentry Details
• Managing Packages
• Managing Logic Units
About Sentries
You can create sentries that perform actions when certain specified conditions are met. These actions may include sending an e-mail notification or storing sentry event information. You can also add sentry alerts for a specific traffic type.
You can save Packages and Logic Units for use with other sentries. For example, if you create a DDoS package, you can create sentries at different locations in your network using the DDoS package. Similarly, an administration user can create a package for other non-administration users to use.
Sentries contain the following components:
• Logic Unit - Includes the specific algorithm used to test objects. The Logic Unit contains the default variables for the sentry.
• Package - Contains the view objects (default variables) that are forwarded to the Logic Unit and default variables to be used by the sentry. All variables in the Package configuration have priority over the Logic Unit variables. The objects are created from any defined STRM view, with the exception of the main network view. For example, a package may contain all applications that you want to monitor for inappropriate use.
• Sentry - Specifies which network location you want the sentry to apply. The network location component of the sentry can also specify any restrictions that you want to enforce. The variables in the sentry component have priority over the Package and Logic Unit variables. For example, you can configure a sentry to monitor the accounting department network location between 8 am and 5 pm. However, you can also specify that you only want to be notified of any misuse if the activity continues for more than 10 minutes.
Viewing Sentries
To view the default or deployed sentries:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon.
If this is the first time you have accessed the Sentries window, the Sentry Initialization window appears. Go to Step 3.
If this is not the first time you have accessed the Sentries window, go to Step 4.
Step 3 Choose one of the following options:
a If you want to include default sentries in your sentry list, click Create Sentries.
If you want to use the default sentries, you must tune these sentries for your system.
The default sentries that appear depend on the template chosen during the installation process. For more information on the defaults, see:
- Enterprise Template - See Appendix B Enterprise Template Defaults.
- University Template - See Appendix C University Template Defaults.
b If you do not want to include pre-configured sentries in your list, click Cancel.
The Sentries window appears.
Step 4 From the View By drop-down list box, select the desired view. The options are:
• Objects - View the available sentries or sentry components including:
- Sentry
- Package
- Logic Units
• Users - View the available sentries by the user who created the sentry.
Step 5 Select the sentry you want to view.
Table 2-1 provides the details of the Sentry List window:
Table 2-1 Sentry List
Parameter | Description
Name | Specifies the name of the configured item.
Owner | Specifies the name of the user who created the sentry.
Action | Provides one of the following options:
• (Edit icon) Allows you to edit the details. You can only edit sentries that you have created.
• (Delete icon) Allows you to delete the selected item. You can only delete sentries that you have created.
Enabled | Allows you to enable or disable the sentry. To enable the sentry, select the check box. To disable the sentry, clear the check box.

Editing Sentry Details
Note: You must create a sentry using the Sentry Wizard. For more information, see the STRM Users Guide.
To edit an existing sentry:
Step 1 In the STRM interface, click Config.
The STRM Administration Console appears.
Step 2 Click the System Configuration tab.
The System Configuration panel appears.
Step 3 Click the Sentries icon.
The Sentries window appears.
Step 4 From the View By drop-down list box, select Object.
The Sentry Objects menu tree appears.
Step 5 For the sentry you want to edit, click the edit icon.
The Edit panel appears, showing the parameters available for that sentry type (for example, a Security/Policy sentry).
Step 6 Update values for the parameters, as necessary:
a If you are editing a Security/Policy sentry:
Table 2-2 Edit Security/Policy Sentry
Parameter - Description
Name - Specify a name for this sentry.
Description - Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry results in an offense being generated.
Minimum number of flows before emitting events - Specify the minimum number of times, in flows, this activity must occur before an event generates.
Delay between emitting events - Specify the number of seconds, after the first occurrence of this event, before the next occurrence of this event. For example, if you set the value to 3, an event generates three seconds after the first instance of the event.
Maximum emitted events per IP - Specify the maximum number of times you want this event to generate per IP address. For example, if you set the maximum to 2, only two alerts generate per event.
Is Enabled - Select the check box to enable this sentry. Clear the check box to disable the sentry.
Options - Select the check box if you want this event to be included with other events to create an offense. Use the Address to mark as the target drop-down list box to identify whether you want the destination or source IP address to be used as the target. Note: This option only appears for a Security/Policy sentry.
Permissions - Specify the users you want to allow access to edit this sentry.
Package - Using the drop-down list box, select the sentry package you want to apply to this sentry. To edit an existing package, click Edit; to create a new package, click Create New. For more information on sentry packages, see Managing Packages.
QRL - Specifies the details of the current view for this sentry.
b If you are editing a Behavior, Anomaly, or Threshold sentry:
Table 2-3 Edit Behavior, Anomaly, or Threshold Sentry
Parameter - Description
Name - Specify a name for this sentry.
Description - Specify a description for this sentry. This description appears as an annotation in the Offense Manager if this sentry results in an offense being generated.
Minimum activations before alert - Specify the minimum number of intervals this activity must occur before an alert generates.
Delay between alerts - Specify the number of intervals, after the first occurrence of this event, before the next occurrence of this event.
Maximum responses per events - Specify the maximum number of times you want this event to generate a response.
Is Enabled - Select the check box to enable this sentry. Clear the check box to disable the sentry.
Weight - Specify the weight of the object. The range is 1 to 100 and indicates the importance of the object in the system.
Test as group - Select the check box if you want all objects to be added together and tested as one. Clear the check box if you want each object to be evaluated separately.
Restrictions - Select the check box for one or more restrictions you want to enforce for an active sentry, including:
• Date is relevant - Select the check box to indicate that this sentry must consider the date. When selected, date fields appear. Enter the relevant dates you want this sentry to monitor.
• Day of week is relevant - Select the check box to indicate that this sentry must consider the day of the week. When selected, day of the week fields appear. Using the drop-down list boxes, select the relevant days you want this sentry to consider.
• Time of day is relevant - Select the check box to indicate that this sentry must consider the time of day. When selected, time of day fields appear. Using the drop-down list box, select the time of day you want this sentry to consider.
Permissions - Specify the users you want to allow access to edit this sentry.
Package - Using the drop-down list box, select the sentry package you want to apply to this sentry. To edit an existing package, click Edit; to create a new package, click Create New. For more information on sentry packages, see Managing Packages.
Responses - Specify the method by which you want to be notified if this sentry generates an event. The options are:
• Email
• Log - Sends event information to standard syslog on the STRM Console.
QRL - Specifies the details of the current view for this sentry.
Step 7 Edit the variables, as necessary. The list of variables includes all configured values for this sentry. Only the variables that apply to this sentry appear. When creating a custom sentry, you can create your own variable.
Table 2-4 Default Variables
Parameter - Description
$$Base - Specify the current traffic level weight that you want to assign to the current traffic levels against the learned behaviors and the current trend. This variable is for behavioral sentries. A higher value places more weight on the previously recorded value. When you configure a sentry, you must enter a value between 0 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Trend - Specify the current traffic trend weight that you want to assign to current traffic trends against the calculated behavior. This variable is for behavioral sentries. A higher value places more weight on traffic trends than on the calculated behavior. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Season - Specify the weight applied to the seasonal component of the behavior sentry. The range is 1 to 100. This variable is for behavioral sentries. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$SeasonTime - Specify the length of time, in seconds, you want this sentry to consider a season. A season indicates the cycle of data, which STRM uses to determine future data flow. This variable is for behavioral sentries.
$$Scale - Specify the alert sensitivity level for this alert. This level indicates how far outside the predicted values the measured value must be before a violation generates. A value of zero indicates the measured value cannot be outside the predicted value, and a value of 100 indicates the traffic is more than four times larger than the predicted value. When you configure a sentry, you must enter a value between 1 and 100; however, when you view a sentry, this value appears in decimal format as 0.01 to 1.
$$Counter - Specify the layers you want this sentry to consider. This variable is for all sentry types. The options include: in (bytes in), out (bytes out), pin (packet in), pount (packet count), hlocal (host local), hremote (host remote), plocal (packet local), premote (packet remote), and count. Separate each entry with a colon.
$$AsSet - Specify 0 if you want all objects to be added together and tested as one. Specify 1 if you want each object to be evaluated separately. This variable is for all sentry types.
$$Value - For each threshold, specify the number that must be exceeded for this sentry to generate an alert. This variable is for all sentry types.
$$Percent - Specify the percentage change in behavior this view must experience before the sentry generates an alert. This variable is for anomaly sentries.
$$SmallWindow - Specify an extended period of time you want the system to monitor flows in your network. This gives the system a basis of comparison for traffic over an extended period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert. This variable is for anomaly sentries.
$$LargeWindow - Specify a period of time you want the system to monitor flows in your network. This gives the system a basis of comparison for traffic over a smaller period of time. If the large window and small window values exceed a certain threshold, the sentry generates an alert.
$$Upperbound/Lowerbound - For each threshold, specify the number that must be exceeded for this sentry to generate an alert. This variable is for threshold sentries.
$$AutoLearnTime - Specify the time stamp of the time when you want the system to stop learning. This variable is for threshold sentries.
Step 8 Click Save.
Step 9 Close the Sentries window.
The STRM Administration Console appears.
Step 10 From the menu, select Configurations > Deploy Configuration Changes.
Managing Packages
Sentries contain packages. You can create packages to reuse with multiple sentries. Using a saved package allows you to apply the same objects to multiple areas of your network. For example, you can create a package to monitor for network misuse. You can use the saved package to apply the same objects to all areas of your network.
You must apply a package to a sentry through the sentry panel. For more information, see Editing Sentry Details. By default, STRM does apply these packages. You must apply these packages to the appropriate area of your network.
This section includes:
• Creating a Sentry Package
• Editing a Sentry Package
Creating a Sentry Package
To create a new sentry package:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon. The Sentries window appears.
Step 3 From the View By drop-down list box, select Objects.
The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Packages.
The Package List appears.
Step 5 Click Create New Package. The Create New Package panel appears.
Step 6 Enter values for the parameters:
Table 2-5 Create Sentry Package Parameters
Parameter - Description
Name - Specify the name of the sentry package.
Description - Specify a description for the sentry package.
Weight - Specify the relative importance of this package. This determines the ranking of the offense that appears in the Offense Manager.
Components - In the menu tree, select the components you want this package to monitor. The added components appear under the Selected Components column.
Permissions - Specify the users you want to be able to use this package.
Categories - For each event, you must select a high-level and a low-level event category. From the High-Level Category drop-down list box, specify the high-level event category. Once you select the high-level event category, the appropriate low-level event categories appear. Using the Low-Level Category drop-down list box, select the low-level event category you want to apply to this event. Note: For detailed information on high-level and low-level event categories, see the Event Category Correlation Reference Guide.
Logic Unit - Using the drop-down list box, select the Logic Unit you want to apply to this package. To edit an existing Logic Unit, click Edit; to create a new Logic Unit, click Create New. For more information on Logic Units, see Managing Logic Units.
Variable Defaults - Specifies the variable default values for this sentry package. These values are overwritten by variables of the same name in the sentry.
Step 7 Click Save.
Editing a Sentry Package
To edit an existing sentry package:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon. The Sentries window appears.
Step 3 From the View By drop-down list box, select Object. The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Packages.
The Package List appears.
Step 5 For the package you want to edit, click the icon.
The Edit panel appears.
Step 6 Update parameters (see Table 2-5), as necessary.
Step 7 Click Save.
Managing Logic Units
A Logic Unit determines whether a violation has occurred and whether an alert needs to be generated. A Logic Unit contains the algorithm that a sentry uses to monitor your network for suspicious behavior. You can use Logic Units to create custom sentries. You must apply a Logic Unit to a package through the package panel. For more information, see Managing Packages.
This section includes:
• Creating a Logic Unit
• Editing a Logic Unit
Creating a Logic Unit
To create a Logic Unit:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Sentries icon.
The Sentries window appears.
Step 3 From the View By drop-down list box, select Object. The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Logic Units.
The Logic Unit List appears.
Step 5 Click Create New Logic Unit.
The Create New Logic Unit panel appears.
Step 6 Enter values for the parameters:
Table 2-6 Create New Logic Unit Parameters
Parameter - Action
Name - Specify a name for this Logic Unit.
Description - Specify a description for this Logic Unit.
Step 7 Create your own equation in the Equation field using JavaScript code. The entry must use the following format:
    // CustomFunction is one of the functions listed in Table 2-7 (for example, thresholdCheck);
    // $$Counter and other_custom_vars are the sentry variables passed to it as arguments.
    var testObj = new CustomFunction($$Counter, other_custom_vars);
    // test() returns the result of the function's own test.
    function test()
    {
        return testObj.test();
    }
You can use all the functions available in JavaScript as well as the following functions:
Table 2-7 JavaScript Functions
Function - Description
thresholdCheck - Monitors policy and threshold objects. By default, this function monitors each object separately. If you want to test objects as a group, you must set the isTotal value. This function includes:
• components - String of component names from one or more layers, separated by colons. For example, in:out.
• funcT - Instance of a comparison object, including above, greatThanEq, below, lessThanEq, Eq, notEq, and range.
• isTotal - Set this value to 0 if you want to test objects separately. Set this value to 1 if you want to test all objects as a group.
• time - Indicates the time at which to make the comparison. If no time is supplied, the current time is used.
learnPolicy - During the learning period, this function selects only objects that did not include traffic. The sentry then generates an alert on those objects. This function includes:
• components - String of component names from one or more layers, separated by colons. For example, in:out.
• lockTime - Indicates the time at which you want to stop the learning process.
activityAnomaly - Detects changes in the activity level for selected databases. This function includes:
• largewindowsize - Specifies the time range for the large observation window.
• smallwindowsize - Specifies the time range for the small observation window.
• percentrequired - Specifies the percentage change required before the sentry generates an alert.
• layer - Specifies the layer you want to monitor.
• type - Specifies whether to test the objects as a group.
• intervalsize - Specifies the interval size, in seconds.
Step 8 Click Share Logic to access the Select Users window. This window allows you to specify the users you want to share this logic with.
Step 9 Click Save.
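The Step 7 equation format and the thresholdCheck parameters from Table 2-7 can be exercised offline with the following added example, which is not STRM's own code: ThresholdCheckModel is an assumed stand-in for the CustomFunction class that STRM supplies at runtime (its constructor arguments, the [low, high] form of the range comparison, and the per-object counters are all assumptions or constructed sample data), but the colon-separated components string and the 0/1 meaning of isTotal follow the table.

```javascript
// Added example: a stand-in model of the thresholdCheck Logic Unit described in
// Table 2-7, used to exercise the Equation-field format from Step 7 offline.
// It is not STRM's code; the real CustomFunction classes exist only inside STRM.

// Constructed sample data: per-object counters keyed by the layer names that
// $$Counter accepts (in, out, pin, pount, ...). All values are invented.
const SAMPLE_OBJECTS = {
  'accounting-subnet': { in: 1200, out: 300,  pin: 40, pount: 70 },
  'hr-subnet':         { in: 150,  out: 900,  pin: 10, pount: 25 },
  'lab-subnet':        { in: 2000, out: 2100, pin: 90, pount: 150 },
};

// Comparison objects under the names Table 2-7 lists for funcT. The two-sided
// "range" test takes its bounds as a [low, high] pair (an assumption).
const Cmp = {
  above:       (v, t) => v > t,
  greatThanEq: (v, t) => v >= t,
  below:       (v, t) => v < t,
  lessThanEq:  (v, t) => v <= t,
  Eq:          (v, t) => v === t,
  notEq:       (v, t) => v !== t,
  range:       (v, t) => v >= t[0] && v <= t[1],
};

class ThresholdCheckModel {
  // components: colon-separated layer list, e.g. "in:out" (the $$Counter variable)
  // funcT:      one of the Cmp comparison functions
  // threshold:  the value compared against (the $$Value variable)
  // isTotal:    0 = test each object separately, 1 = test all objects as a group
  // objects:    the counters to evaluate (constructed here; live data inside STRM)
  constructor(components, funcT, threshold, isTotal, objects) {
    this.layers = components.split(':').filter((layer) => layer.length > 0);
    this.funcT = funcT;
    this.threshold = threshold;
    this.isTotal = isTotal;
    this.objects = objects;
  }

  // Value of one object: the selected layers added together.
  objectValue(counters) {
    return this.layers.reduce((sum, layer) => sum + (counters[layer] || 0), 0);
  }

  // Names of the objects that violate the threshold, or ['<group>'] when the
  // objects were tested as a set. An empty array means no violation.
  violations() {
    const names = Object.keys(this.objects);
    if (this.isTotal === 1) {
      const total = names.reduce((sum, n) => sum + this.objectValue(this.objects[n]), 0);
      return this.funcT(total, this.threshold) ? ['<group>'] : [];
    }
    return names.filter((n) => this.funcT(this.objectValue(this.objects[n]), this.threshold));
  }

  // The method the Step 7 equation calls: true when the sentry should alert.
  test() {
    return this.violations().length > 0;
  }
}

// Builds the equation in the Step 7 shape with the $$ variables resolved:
//   var testObj = new CustomFunction($$Counter, other_custom_vars);
//   function test() { return testObj.test(); }
function buildEquation(counter, cmpName, value, asSet, objects = SAMPLE_OBJECTS) {
  if (!(cmpName in Cmp)) {
    throw new Error('unknown comparison: ' + cmpName);
  }
  var testObj = new ThresholdCheckModel(counter, Cmp[cmpName], value, asSet, objects);
  function test() {
    return testObj.test();
  }
  return { test, violations: () => testObj.violations() };
}

// Stand-alone demonstration: the same $$Counter and $$Value evaluated both ways.
if (typeof require !== 'undefined' && require.main === module) {
  const separately = buildEquation('in:out', 'above', 2000, 0); // isTotal = 0
  const asGroup = buildEquation('in:out', 'above', 2000, 1);    // isTotal = 1
  console.log('per object:', separately.test(), separately.violations());
  console.log('as group:  ', asGroup.test(), asGroup.violations());
}
```

With the sample counters, "in:out" above 2000 flags only lab-subnet when tested separately, while the grouped total (6650) flags the set as a whole, which is the difference the Test as group check box and $$AsSet control.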
Editing a Logic Unit
To edit a Logic Unit:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Sentries icon.
The Sentries window appears.
Step 3 From the View By drop-down list box, select Object.
The Sentry Objects menu tree appears.
Step 4 From the menu tree, select Sentry Objects > Logic Units. The Logic Unit List appears.
Step 5 For the Logic Unit you want to edit, click the icon.
The Edit panel appears.
Step 6 Update parameters, as necessary.
Step 7 Click Save.
10 MANAGING VIEWS
You can display network traffic with many different views. A view represents traffic activity on your network for a specific profile. The Local Network View has n levels of depth, specific to your network hierarchy. All views, with the exception of the Network View, have group levels and leaf object levels. You can also create Custom Views to display the types of traffic you want to identify, monitor, and be alerted to when specific flows appear across your network.
This chapter includes:
• Using STRM Views
• Managing Ports View
• Managing Application Views
• Managing Remote Networks View
• Managing Remote Services Views
• Managing Collector Views
• Managing Custom Views
• Enabling and Disabling Views
• Using Best Practices
Using STRM Views
This section provides information regarding views, including:
• About Views
• About Global Views
• Defining Unique Objects
About Views
STRM includes default views that capture and display your network activity. Each view filters traffic and displays the data from many perspectives. You can use these default views to display your network activity from various perspectives.
You can configure views with an identifiable color scheme. Each color appearing on your graph represents the activity taking place on your network. Each color is also displayed in the dynamic legend beside the graph. You can point your mouse at a color on the legend to identify the traffic type.
Each view is assigned a weight. Configured for traffic alerting purposes, weight is the numeric value assigned to a flow property. STRM adds the weight value to the sentry flow property weight value and assigns a sequence of ranking events. An alert may be signalled when STRM interprets the combination of the numerical weight values. For more information on weights, see Chapter 9 Managing Sentries.
A view is a property of flows divided into the following:
• Group - A collection of objects configured to display the network data that appears on the graphs in a specific view.
• Object - Assigned flow properties configured to identify specific traffic.
• Layer - Property used to count traffic.
You can create a Custom View to identify more complex traffic patterns. You must configure Custom Views with equations that identify your network activity and match the properties built into an equation. You can create Custom Views to:
• Identify protocol misuse from any geographic location.
• Identify traffic from partner sites using applications you have deemed out-of-policy.
• Create an alternate network hierarchy.
You can also use equations to identify network traffic flows. When traffic flows match the assigned property-set, STRM identifies and displays the traffic on the graphs, enabling you to monitor and investigate the activity. An equation is constructed from the following:
• Objects - Network objects that are currently present on your network. When choosing an object, you can select the network object, or any one of the leaf nodes that is associated with the object. The selected object (or leaf node) becomes part of an equation.
• Elements - Tests of specific flow properties, such as, an IP address, protocol, or byte count. This specifies the criteria the traffic flow must match to identify traffic flows. Traffic flows matching the assigned criteria are displayed when viewing the Custom View on the STRM graphs.
About Global Views
You can access Global Views using the Global Views menu option in the Network Surveillance interface. Configurable Global Views include:
• Local Networks View - Displays traffic by network objects.
• Ports View - Displays traffic originating from identified destination ports.
• Applications View - Displays traffic originating from the application layer by the client connection and the server connection.
• Remote Networks View - Displays user defined traffic originating from named remote networks.
• Remote Services View - Displays traffic originating from user defined network ranges or, if desired, the Juniper Networks automatic update server.
• Collector View - Displays traffic seen by each Flow Collector.
• Protocol - Displays traffic originating from protocol usage.
Note: For more information on default groups and objects, see the STRM Default Application Configuration Guide.
You can edit several Global Views by adding objects to existing groups or changing pre-existing properties to suit your environment. STRM does not allow you to configure Geographic, or Protocol Views. Contact Juniper Networks Customer Support for assistance.
Caution: Do not move an existing object to another group by selecting a new group and clicking Add Group. The object name moves from the existing group to the newly selected group; however, when the configuration changes are deployed, the object data stored in the database is lost and the object ceases to function. Instead, create a new view and recreate the object in the other group.
Defining Unique Objects
Some groups within views include objects that are unique to specific views. For example, InverseIsknown is unique to the Ports View. This group captures the server traffic when displaying the client view, and displays client traffic when displaying the server view.
Some groups within views, such as superflows, are for informational purposes only and cannot be edited. However, you can create a Custom View based on an existing view and configure the Custom View properties to resemble the groups that cannot be edited. For more information, see Managing Custom Views.
Unique groups include:
• InverseIsKnown - Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.
• Other - Specifies traffic that does not match a property-set or is not defined in the configuration. Traffic that is classified as Other may be used to capture miscellaneous traffic.
• Unknown - Specifies traffic that is unidentifiable.
• Superflows - Specifies traffic that has been grouped into superflows; where one superflow is a group of aggregate flows that have a number of similar properties.
• Known_to_client_or_server - Similar to InverseIsKnown. When viewing client data, this group represents the server data. When viewing server data, this group represents the client data.
Managing Ports View
Ports Views display traffic originating from identified destination ports. Using the Ports View, you can view traffic by port. This section provides information on managing the Ports View, including:
• Default Ports Views
• Adding a Ports Object
• Editing a Ports Object
Default Ports Views
Ports View includes the following default groups:
Table 3-1 Ports Views
Ports Groups - Description
InverseIsKnown - Specifies traffic for both client and server application traffic activity. When displaying the client view, InverseIsKnown captures and displays the server traffic; when displaying the server view, it captures and displays the client traffic.
MailPorts - Specifies e-mail traffic flows originating from each mail port.
Superflows - This group is non-configurable. A superflow is a flow that is an aggregate of a number of flows that have a similar pre-determined set of elements.
TargetedPorts - Specifies traffic flows destined for specific ports.
UnnamedPorts - Specifies traffic flows not destined for a specific port.
WebPorts - Specifies traffic flows destined for the port assigned for Internet traffic.
p2pports - Specifies traffic flows to and from ports assigned for Peer-to-Peer (P2P) traffic within your network.
Adding a Ports Object
To add a ports object:
Step 1 In the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.
Step 2 Click the Ports icon.
The Manage Group window appears.
Step 3 Click Add.
The Add New Object window appears.
Step 4 Enter values for the following parameters:
Table 3-2 Ports - Add New Object Parameters
Parameter - Description
Group - Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name - Specify the object name.
Weight - Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
Ports - Specify the port number for the object or use the arrows to change the existing numeric value. Click Add.
Description - Specify a description for this object.
Color - Specify a color for this object. Enter the RGB alphanumeric value or click Select Color to access the color palette.
Database Length - Using the drop-down list box, select the database length.
Step 5 Click Save.
Step 6 Click Return.
Step 7 Close the Ports View window.
Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Editing a Ports Object
To edit an existing object:
Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Ports icon.
The Manage Group window appears.
Table 3-3 Manage Group
Parameter - Description
Name - Specifies the name assigned to the object.
Weight - Specifies the weight assigned to the object.
Color - Specifies the color displayed when viewed on the graphs.
Actions - Specifies the action available for each group, including: open the object properties window.
Step 3 Click the group you want to edit. The Manage Group window appears.
Table 3-4 Manage Group
Parameter - Description
Name - Specifies the name assigned to the object.
Value - Specifies the ports assigned to this object.
Weight - Specifies the weight assigned to the object.
Color - Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions - Specifies the actions available for each object, including: edit view properties, and delete object.
Step 4 From the Manage Group table, or from the tree menu, click the name of the object you want to edit. The Properties window appears.
Step 5 Edit values as necessary. See Table 3-2.
Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Ports View window.
Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes. All changes are deployed.
Managing Application Views
Application Views display traffic originating from the application server by the client connection and the server connection. Using the Application Views, you can view traffic by application identification. This section provides information on managing Application Views, including:
• Default Application Views
• Adding an Applications Object
• Editing an Applications Object
Default Application Views
Application View includes the following default groups:
Table 3-5 Application Views
Sub-Component - Description
Chat - Specifies traffic originating from chat sources, such as AOL, ICQ, IRC, MISN, and MSN.
ClientServer - Specifies traffic originating from a client server, such as Meeting Maker, NetIQ, FIX, MATIP, or CVSup.
ContentDelivery - Specifies traffic originating from content delivery applications, such as EntryPoint, BackWeb, or Webshots.
DataTransfer - Displays traffic originating from data being transferred using common file/data transfer protocols, such as FTP, Misc-Transfer-Ports, NFS, NNTPNews, TFTP, WindowsFileSharing, WindowsNetworkPorts, and XFER.
DataWarehousing - Specifies traffic originating from database applications.
DirectoryServices - Specifies traffic originating from directory services, such as WINS, CRS, or RRP.
FilePrint - Specifies traffic originating from file print applications, such as a printer or IPP.
Games - Specifies traffic originating from game applications, such as Doom, Quake, Half-Life, or Kali.
Healthcare - Specifies traffic originating from health care related applications, such as DICOM or HL7.
InnerSystem - Specifies traffic originating from the STRM application, such as Common Ports, Flowgen, and UpdateDaemon.
InternetProtocol - Specifies traffic originating from Internet protocol related applications, such as ActiveX or SOAP-HTTP.
Known_to_client_or_server - When viewing client data, this group captures the server data. When viewing server data, this group captures the client data.
Legacy - Specifies traffic originating from legacy applications, such as SNA, LAT, FNA, or SLP.
Mail - Specifies all traffic originating from e-mail applications, such as ESMTP, IMAP, MISC-MAIL-Port, POP, POP-Port, SMTP, and SMTP-Port.
Misc - Specifies identified miscellaneous application traffic, such as Appletalk-IP, Authentication, DHCP, DNS, DNS-Port, ManagementService, Misc-Ports, MiscApp, Network-Config-Ports, RPC, SNMP-Ports, Syslog, and Time.
Multimedia - Specifies traffic originating from multimedia applications, such as WebEx, video frames, or Intellex.
NetworkManagement - Specifies traffic originating from network management applications, such as ICMP, SMS, NetFlow, or flow records.
No_Detect_Attempt - Specifies traffic that is void of content within a packet.
P2P - Specifies traffic originating from Peer-to-Peer (P2P) applications, such as BitTorent, Blubster, Common P2P Port, DirectConnect, Gnutella, Kazaa, LimeWire, OpenNap, Peerenabler, Piolet, and eDonkey.
Remote Access - Specifies traffic originating from applications accessed remotely, such as CitrixICA, PCAnywhere, SSH, SSH Ports, Telnet, Telnet-Port, and VNC.
RoutingProtocols - Specifies traffic originating from routing protocols, such as RIP, ICMP, ICP, or AURP.
SecurityProtocol - Specifies traffic originating from security protocols, such as SOCKS, L2TP, SWIPE, or DPA.
Streaming - Specifies traffic originating from streaming applications, such as MicrosoftMediaServer, StreamingAudio, and WindowsMediaPlayer.
Unknown_apps - Specifies pre-defined flows classed as Unknown traffic.
VoIP - Specifies traffic originating from Voice over IP (VoIP) applications, such as Skype, I-Phone, SIP, or Clarent-CC.
Web - Specifies traffic originating from web applications, such as HTTP, JAVA, SecureWeb, WebFile, WebMedia, and Web Port.
Note: The default views are automatically updated with the Automatic Update function. For more information regarding automatic updates, see Scheduling Automatic Updates.
Adding an Applications Object
To add an applications object:
Step 1 In the Administration Console, click the Views Configuration tab. The Views Configuration panel appears.
Step 2 Click the Application icon.
Step 3 Click Add. The Add New Object window appears.
Step 4 Enter values for the following parameters:
Table 3-6 Applications - Add New Object Parameters
Parameter - Description
Group - Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name - Specify the name for the object.
Weight - Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
AppsIDs - Specify the application ID for the object or use the arrows to change the existing numeric value. Click Add. Note: The application identification must be defined in the mapping file before adding it to this object. For more information on the mapping file, see the STRM Default Application Configuration Guide.
Description - Specify a description for this object.
Color - Specify a color for this object. Enter the RGB alphanumeric value or click Select Color to access the color palette.
Database Length - Using the drop-down list box, select the database length.
Step 5 Click Save.
Step 6 Click Return.
Step 7 Close the Applications View window.
STRM Administration Guide
Managing Application Views 155
Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
Editing an Applications Object
To edit an applications object:
Step 1 In the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Applications icon.
The Manage Group window appears. See Table 3-7.

Table 3-7 Manage Group
Parameter   Description
Name        Specifies the name assigned to the group.
Weight      Specifies the weight assigned to the group.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the action available for each group: Open view properties window.

Step 3 Click the group you want to display.
The Manage Group window for that group appears. See Table 3-8.

Table 3-8 Manage Group
Parameter   Description
Name        Specifies the name assigned to the object.
Value       Specifies the application IDs assigned to the object.
Weight      Specifies the weight assigned to the object.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the actions available for each object: Edit view properties, and Delete object.

Step 4 Click the name of the object you want to edit.
The Properties window appears.
Step 5 Edit values as necessary. See Table 3-6.
Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Applications View window.
Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
Managing Remote Networks View
Remote Networks View displays user traffic originating from named remote networks. Using the Remote Networks View, you can view traffic by known remote networks. This section provides information on managing the Remote Networks View including:
• Default Remote Networks Views
• Adding a Remote Networks Object
• Editing a Remote Networks Object
Default Remote Networks Views
Remote Networks includes the following default groups:

Table 3-9 Remote Networks Views
Parameter        Description
BOT              Specifies traffic originating from BOT applications.
Bogon            Specifies traffic originating from un-assigned IP addresses. Note: Bogon reference: http://completewhois.com/bogons/
HostileNets      Specifies the traffic originating from known hostile networks. HostileNets has a set of 20 (Rank 1 to 20 inclusive) configurable CIDR ranges.
Neighbours       This group is blank by default. You must configure this group to classify traffic originating from neighboring networks.
Superflows       This group is non-configurable. A superflow is a flow that is an aggregate of a number of flows that have a similar pre-determined set of elements.
TrustedNetworks  This group is blank by default. You must configure this group to classify traffic originating from trusted networks.

Note: Groups and objects that include superflows are for informational purposes only and cannot be edited. Groups and objects that include bogons are configured by the Automatic Update function.

Adding a Remote Networks Object
To add a Remote Networks object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Networks icon.
Step 3 Click Add.
The Add New Object window appears.
Step 4 Enter values for the following parameters:

Table 3-10 Remote Networks - Add New Object Parameters
Parameter        Description
Group            Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name             Specify the name for the object.
Weight           Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
IP/CIDR(s)       Specify the IP address or CIDR range for the object. Click Add.
Description      Specify a description for the object.
Color            Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length  Using the drop-down list box, select the database length.

Step 5 Click Save.
Step 6 Click Return.
Step 7 Close the Remote Networks View window.
Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
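The following is an added example, not STRM or Juniper code, that shows what a Remote Networks configuration built from the parameters in Table 3-10 does to a flow's remote address, together with the check a practitioner would want before deploying it. It parses the IP/CIDR(s) value of a few constructed objects, reports CIDR ranges that overlap across objects (for example a Neighbours range that sits inside a HostileNets range), and classifies sample addresses. STRM does not document how overlapping ranges are resolved; choosing the most specific (longest-prefix) match, with weight as the tie-breaker, is an assumption of this example, as are the object names, weights and ranges.

```python
"""Added example, not STRM code: parse, check and apply Remote Networks
objects (group, name, weight, IP/CIDR list) as described in Table 3-10.
Object names, ranges and the overlap-resolution rule are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class RemoteNetworkObject:
    group: str
    name: str
    weight: int      # 1 to 100, as in Table 3-10
    cidrs: list      # ipaddress network objects


def parse_cidrs(text):
    """Accept the IP/CIDR(s) field as typed: comma or space separated;
    a bare address becomes a /32 and host bits are masked off."""
    return [ipaddress.ip_network(item, strict=False)
            for item in text.replace(",", " ").split()]


def make_object(group, name, weight, cidr_text):
    if not 1 <= weight <= 100:
        raise ValueError("weight must be between 1 and 100")
    return RemoteNetworkObject(group, name, weight, parse_cidrs(cidr_text))


def find_overlaps(objects):
    """Return (name_a, name_b) pairs whose ranges overlap across different
    objects. A TrustedNetworks or Neighbours range inside a HostileNets
    range is almost always a configuration mistake worth catching."""
    found = []
    for i, a in enumerate(objects):
        for b in objects[i + 1:]:
            if any(na.overlaps(nb) for na in a.cidrs for nb in b.cidrs):
                found.append((a.name, b.name))
    return found


def classify(ip, objects):
    """Most specific matching range wins; ties go to the higher weight
    (assumed rule). Returns (group, name) or None when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best, best_key = None, None
    for obj in objects:
        for net in obj.cidrs:
            if addr in net:
                key = (net.prefixlen, obj.weight)
                if best_key is None or key > best_key:
                    best, best_key = (obj.group, obj.name), key
    return best


# Constructed configuration, modelled on the default groups of Table 3-9.
OBJECTS = [
    make_object("HostileNets", "Rank1", 90, "198.51.100.0/24"),
    make_object("TrustedNetworks", "Partner", 50, "203.0.113.0/24, 192.0.2.10"),
    make_object("Neighbours", "CampusB", 10, "198.51.100.0/28"),  # inside Rank1
]

if __name__ == "__main__":
    print("overlapping objects:", find_overlaps(OBJECTS))
    for ip in ("198.51.100.200", "198.51.100.5", "192.0.2.10", "8.8.8.8"):
        print(ip, "->", classify(ip, OBJECTS))
```

Run the overlap check against the exported configuration before Deploy Configuration Changes: a single mis-typed prefix length in a TrustedNetworks object is enough to move hostile traffic into a trusted view.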
Editing a Remote Networks Object
To edit an existing Remote Networks object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Networks icon.
The Manage Group window appears. See Table 3-11.

Table 3-11 Manage Group
Parameter   Description
Name        Specifies the name assigned to the group.
Weight      Specifies the weight assigned to the group.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the action available for each group: Open view properties window.

Step 3 Click the group you want to display.
The Manage Group window for that group appears. See Table 3-12.

Table 3-12 Manage Group
Parameter   Description
Name        Specifies the name assigned to the object.
Value       Specifies the IP addresses or CIDR ranges assigned to the object.
Weight      Specifies the weight assigned to the object.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the actions available for each object: Edit view properties, and Delete object.

Step 4 Click the object you want to edit.
The Properties window appears.
Step 5 Edit values as necessary. See Table 3-10.
Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Remote Networks View window.
Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
Managing Remote Services Views
Remote Services Views display traffic originating from user-defined network ranges or, if desired, from ranges supplied by the Juniper Networks automatic update server. Using the Remote Services Views, you can view traffic associated with remote service providers. This section provides information on managing the Remote Services Views including:
• Default Remote Services Views
• Adding a Remote Services Object
• Editing a Remote Services Object

Default Remote Services Views
Remote Services view includes the following default groups:

Table 3-13 Remote Services - Manage Group Parameters
Parameter           Description
IRC_Servers         Specifies traffic originating from addresses commonly known to host IRC servers.
Porn                Specifies traffic originating from addresses commonly known to contain explicit pornographic material.
Proxies             Specifies traffic originating from commonly known open proxy servers.
Reserved_IP_Ranges  Specifies traffic originating from reserved IP address ranges.
Spam                Specifies traffic originating from addresses commonly known to produce SPAM or unwanted e-mail.
Spy_Adware          Specifies traffic originating from addresses commonly known to contain spyware or adware.
Superflows          Specifies traffic originating from addresses commonly known to produce superflows.
Warez               Specifies traffic originating from addresses commonly known to contain pirated software.

Adding a Remote Services Object
To add a Remote Services object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Services icon.
The Manage Group window appears.
Step 3 Click Add.
The Add New Object window appears.
Step 4 Enter values for the following parameters:
Table 3-14 Remote Services - Add New Object Parameters
Parameter        Description
Group            Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name             Specify the name for the object.
Weight           Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
IP/CIDR(s)       Specify the IP address or CIDR range for the object. Click Add.
Color            Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length  Using the drop-down list box, select the database length.

Step 5 Click Save.
Step 6 Click Return.
Step 7 Close the Remote Services View window.
Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Editing a Remote Services Object
To edit an existing Remote Services object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Remote Services icon.
The Manage Group window appears. See Table 3-15.

Table 3-15 Manage Group
Parameter   Description
Name        Specifies the name assigned to the group.
Weight      Specifies the weight assigned to the group.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the action available for each group: Open view properties window.

Step 3 Click the group you want to display.
The Manage Group window for that group appears. See Table 3-16.

Table 3-16 Manage Group
Parameter   Description
Name        Specifies the name assigned to the object.
Value       Specifies the IP addresses or CIDR ranges assigned to the object.
Weight      Specifies the weight assigned to the object.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the actions available for each object: Edit view properties, and Delete object.

Step 4 Click the object you want to edit.
The Properties window appears.
Step 5 Edit values as necessary. See Table 3-14.
Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Remote Services View window.
Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
Managing Collector Views
The Collector Views display traffic seen by the Flow Collectors and provide the AllCollectors group. This group specifies the traffic originating from all Flow Collectors that reside on your network.
This section provides information on configuring the Flow Collector view including:
• Adding a Flow Collector Object
• Editing a Flow Collector Object

Adding a Flow Collector Object
To add a Flow Collector object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Collector icon.
Step 3 Click Add.
The Add New Object window appears.
Step 4 Enter values for the following parameters:

Table 3-17 Flow Collector - Add New Object Parameters
Parameter        Description
Group            Select the group for this object. Using the drop-down list box, select a group or click Add Group to add a new group.
Name             Specify the name for the object.
Weight           Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
Collector ID     Using the drop-down list box, select the Flow Collector you want to use as the source.
Color            Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length  Using the drop-down list box, select the database length.

Step 5 Click Save.
Step 6 Click Return.
Step 7 Close the Collector View window.
Step 8 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.

Editing a Flow Collector Object
To edit an existing Flow Collector object:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Collector icon.
The Manage Group window appears. See Table 3-18.

Table 3-18 Manage Group
Parameter   Description
Name        Specifies the name assigned to the group.
Weight      Specifies the weight assigned to the group.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the action available for each group: Open view properties window.

Step 3 Click the group you want to display.
The Manage Group window for that group appears. See Table 3-19.
Table 3-19 Manage Group
Parameter   Description
Name        Specifies the name assigned to the object.
Value       Specifies the Flow Collector ID assigned to the object.
Weight      Specifies the weight assigned to the object.
Color       Specifies the color displayed when viewed on the Network Surveillance graphs.
Actions     Specifies the actions available for each object: Edit view properties, and Delete object.

Step 4 Click the object you want to edit.
The Properties window appears.
Step 5 Edit values as necessary. See Table 3-17.
Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Collector View window.
Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
Managing Custom Views
Custom Views uniquely identify specific traffic flows, such as SSH traffic on a non-standard port, or traffic originating from another country. Each Custom View object must be configured with an equation, which creates a set of properties that applies a filter to each network flow.
Custom Views provide you with several advantages. For example, you can use Custom Views for the following scenarios:
• Define a view to isolate and display traffic relevant to your enterprise.
• Rebuild any default view and configure it to suit your enterprise.
• Use a view to remap data in different ways.
• Use a view for an alternate network hierarchy.
• Apply Other traffic in a view for reporting purposes.
• Apply Boolean logic in the Equation Editor when creating a view.
• Let the Classification Engine interpret the view information as RPN (Reverse Polish Notation).
• Build a Custom View object to detect the following sequence:
- Src (source) sends a Syn (synchronize) packet to a Dst (destination)
- Dst sends back an Ack (acknowledge) packet
- Src sends a Syn-Ack (synchronize-acknowledge) or a Syn-Rst (synchronize-reset) packet to the Dst
- The initial packet cannot have an empty payload
This section provides information on creating and configuring Custom Views including:
• About Custom Views
• Editing Custom Views
• Editing the Operators
• Editing the Equation

About Custom Views
Custom Views includes the following default groups:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source
• ASN Destination
• IFIndex In
• IFIndex Out
• QoS
• FlowShape

The objects for the IP Tracking, Threats, Attacker Target Analysis, Target Analysis, and Policy Violations groups depend on the template chosen during the installation process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.

STRM detects the ASN and IFIndex values from network flows. When STRM detects ASN or IFIndex values in a flow, STRM creates a new object in the respective group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASN Source group. However, for STRM to detect and create objects for ASN and IFIndex values in a flow, you must enable the respective views. For more information on enabling views, see Enabling and Disabling Views.
STRM also detects Quality of Service (QoS) values from your network flows. QoS provides priority for traffic enabling your network to provide various levels of service for flows. QoS provides the following basic levels of service:
• Best Effort - This level of service does not guarantee delivery. The delivery of the flow is considered best effort.
• Differentiated Service - Certain flows are granted priority over other flows. This priority is granted by classification of traffic.
• Guaranteed Service - This level of service guarantees the reservation of network resources for certain flows.
To create Custom Views:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Custom Views icon.
The Manage Group window appears.
Step 3 Click Create New View.
The Properties window appears.
Step 4 Enter values for the following parameters:

Table 3-20 Custom View - Properties for New View: Staging/Globalconfig
Parameter    Description
Name         Specify a name for the new view.
Description  Specify a description for the new view.

Step 5 Click Save.
The Custom View Management window appears.
Step 6 Click Return.
Step 7 From the Manage Group window, select the view and click Add Equation.
The Properties window appears.
Step 8 Enter values for the following parameters:

Table 3-21 Properties Views
Parameter        Description
Group            Using the drop-down list box, select the group to which you want to add the object, or click Add Group to add a new group.
Name             Specify the name for the object.
Weight           Specify the object weight or use the arrows to change the existing numeric value. The range is 1 to 100.
Color            Specify a color for this object. Enter the RGB alpha-numeric value or click Select Color to access the color palette.
Database Length  Using the drop-down list box, select the database length.
Equation         Click Equation Editor to specify your equation for this object.

Step 9 Click Equation Editor.
The Equation Editor window appears.
Step 10 From the Objects box, select the view you want to assign.
Step 11 From the Elements panel, select an element and enter the parameter values to configure the element. See Table 3-22.
The element is assigned to the selected object. This creates the first instance on the Equation Editor.
Step 12 Select another object from the Objects box and assign an associated element.
By default, the objects are joined with the AND operator.
Step 13 Continue selecting objects and assigning elements until you have completed your equation. Click Save.
Note: If you want STRM to calculate two values before it applies the next consecutive object, insert brackets around the values. For more information on operators, see Editing the Operators.
Your equation should then resemble the one displayed in the Equation Editor window.
Table 3-22 Element Options
Parameter   Description

Count Element Type
Name        Specify the element name.
Object      Using the drop-down list box, select the targeted traffic flow. Options include: Src (source), Dst (destination), Local, Remote, and Total. Note: When ports are counted, the number of unique destination ports is returned.
Parameter   Using the drop-down list box, select the parameter you are testing. Options include: Bytes, Packets, and ContentLength.
Test        Using the drop-down list box, select how to test the numeric value. Options include: Above, Below, and Equals.
Value       Enter a numeric value for the parameter you selected: the number of bytes, the number of packets, or the content length. This value is based on a flow stats record reported in a single interval. Using the drop-down list box, select the byte size unit of measurement. Options include: K (kilobyte), M (megabyte), G (gigabyte), and T (terabyte). Click Add.

Protocol Element Type
Name        Specify the element name.
Protocol    Specify the protocol identification number. You must enter the protocol number and not the name. Click Add. Note: For a list of default protocol identification numbers, see the STRM Default Application Configuration Guide.

Super Flow Count Element Type
Name        Specify the element name.
Unit        Using the drop-down list box, select the element unit. Options include: Hosts and Ports.
Test        Using the drop-down list box, select how to test the numeric Super Flow Count value. Options include: Above, Below, and Equals.
Value       Enter the number of hosts or ports. Click Add.

Flow Stat Element Type
Name        Specify the element name.
Object      Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Unit        Using the drop-down list box, select the element unit. The unit is specific to the stats record in one interval. Options include: BytesPacketRatio, PacketArrivalRate, ByteArrivalRate, ByteRatio, and PacketRatio.
Test        Using the drop-down list box, select how to test the numeric Flow Stat value. Options include: Above, Below, and Equals.
Value       Specify the numeric value of the unit measurement. Click Add.

Content Element Type
Name        Specify the element name.
Object      Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total. Note: Only the content that is captured is counted.
Value       Enter the content string. Click Add.

Flags Element Type
Name        Specify the element name.
Object      Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value       Enter the character that represents the TCP flag you want to add. STRM accepts the following:
            A, ACK (Acknowledge) - The receiver acknowledges the sender's sequence number.
            S, SYN (Synchronize) - Agreement on sequence numbers during session setup. Initial sequence numbers are random.
            F, FIN (Finish) - The sender has no more data to send.
            R, RST (Reset) - Instantaneous abort in both directions. This is an abnormal session disconnection.
            P, PSH (Push) - Forces data delivery without waiting for buffers to fill. The data is also delivered to the application on the receiving end without buffering.
            U, URG (Urgent) - Indicates that the packet data should be processed as soon as possible.
            7 - The seventh bit of the TCP flags field. The guide treats this flag as illegal because it is unused in classic TCP and may be set by malicious users; note that RFC 3168 assigns this bit to ECE (ECN-Echo), so hosts that negotiate ECN set it legitimately.
            8 - The eighth bit of the TCP flags field. As with bit 7, it is treated as illegal, but RFC 3168 assigns it to CWR (Congestion Window Reduced), so ECN-capable hosts set it legitimately.
            Click Add.
            Note: The order in which you enter the TCP flags is not important; however, when viewing content capture, STRM displays the flags in the following order: FSRPAU78.

Flow Properties Element Type
Name        Specify the element name.
Property    Using the drop-down list box, select the flow property. Options include:
            • ClassL2L - Traffic between two local objects on your network.
            • ClassL2R - Traffic between one local object and one remote object.
            • ClassOther - Traffic between hosts not defined in your network.
            • SuperFlow - Flow of traffic that is an aggregate of a number of flows that have a similar predetermined set of elements, such as protocol, source bytes, source packets, source host, or destination network. In some cases, other properties may be similar, such as destination ports, TCP flags, ICMP types, and code; however, the destination hosts can differ.
            • SuperFlowTypeA - SuperFlow identified as one host destined to many hosts.
            • SuperFlowTypeB - SuperFlow identified as many hosts destined to one host.
            • SuperFlowTypeC - SuperFlow identified as one host to one host.
            • StealthPorts - Traffic located outside the normal application ports.
            • SrcLocal - Traffic originating from a local source.
            • DstLocal - Traffic originating from a remote network destined for your network.
            • NoAppDetect - Traffic with zero application detection, which may be caused by not enough payload, or traffic originating from ICMP messages.
            • UnknownApp - Non-defined application traffic.
            • FlowShapeInOnly - Traffic or flows destined into the network (from the Flowtype View).
            • FlowShapeOutOnly - Traffic or flows destined out from the network (from the Flowtype View).
            Click Add.

Port Element Type
Name        Specify the element name.
Object      Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value       Specify the port number. Click Add.

CIDR Element Type
Name        Specify the element name.
Object      Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, Remote, and Total.
Value       Enter the IP address or CIDR range. Click Add.

Application ID Element Type
Name        Specify the element name.
Value       Specify the application identification number. Click Add.

Collector Element Type
Name        Specify the element name.
Property    Using the drop-down list box, select the element property. Options include: CollectorID and CollectorInterface.
Value       Specify the user-defined Flow Collector identification or Collector Interface name. Click Add.

Date Element Type
Name        Specify the element name.
Test        Using the drop-down list box, select when to test the value. Options include: After and Before.
Value       Click the Calendar icon and select a date. Click Add. The default value is the current date.

Time Element Type
Name        Specify the element name.
Test        Using the drop-down list box, select when to test the value. Options include: After and Before.
Value       Using the drop-down list box, select the hour and minutes. Click Add.

Day Element Type
Name        Specify the element name.
Type        Using the drop-down list box, select the amount of time. Options include: Week and Month.
Value       Specify the day of the week or enter the month. Click Add.

Flow Length Element Type
Name        Specify the element name.
Test        Using the drop-down list box, select how to test the numeric Flow Length value based on a single flow stat record. Options include: Above, Below, and Equals.
Value       Specify the numeric value for the precise flow length. Click Add.

ICMP Element Type
Name        Specify the element name.
Property    Using the drop-down list box, select the ICMP property. Options include: Type and Code.
Value       Specify the numeric value for the ICMP Type or Code. Click Add. Note: For a list of STRM default ICMP Types or Codes, see the STRM Default Application Configuration Guide; or, for a reference on the current RFC standards, go to: http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html
Table 3-22 Element Options (continued)
Parameter   Description

Flow Context Property
Name        Specify the element name.
Property    Using the drop-down list box, select the flow context property. Options include: PortIsNew, TargetIsSrc, AttackerIsSrc, TargetIsDst, AttackerIsDst, TargetIsKnownLocal, AttackerIsKnownLocal, TargetIsLocal, AttackerIsLocal, TargetPort, AttackerPort, BeforeEvent, and AfterEvent. Click Add.

Flow Context Target Port
Name        Specify the element name.
Port        Specify the port number. Click Add.

Interface Index (ifIndex)
Name        Specify the element name.
Direction   Specifies the direction of the traffic. The options are Input or Output.
Value       Specify the numeric value for the ifIndex. Click Add.

Quality of Service
Name        Specify the element name.
Side        Using the drop-down list box, select the targeted traffic flow. Options include: Src (Source), Dst (Destination), Local, or Remote.
Field       Using the drop-down list box, select the Quality of Service (QoS) field you want to test. Options include: IP_Precedence, Type of Service (TOS), Differentiated Service Code Point (DSCP), or Explicit Congestion Notification (ECN).
Test        Using the drop-down list box, select how to test the QoS value. Options include: Above, Below, and Equals.
Value       Specify the numeric value for the QoS field. Click Add.

Editing Custom Views
To edit Custom Views:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Custom Views icon.
The Manage Group window appears.
Step 3 Click the group <Name> or access the group from the navigation menu.
The Manage window appears.
Step 4 Click the object name to edit the object properties.
The Properties window appears.
Step 5 Edit the necessary parameters. See Table 3-22.
Step 6 Click Save.
Step 7 Click Return.
Step 8 Close the Custom View window.
Step 9 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
Editing the Equation
You can change how an equation is calculated. The Drop Area of the Equation Editor lets you drag and drop items to change how the equation is calculated.
To edit the equation using the same objects and elements:
Step 1 Select the object or element and hold the mouse button.
Step 2 Drag the item to another part of the equation.
As you pass over another item in the Drop Area of the panel, that item becomes highlighted. This signifies that you can drop the item into the equation there: the dropped item is placed ahead of the highlighted item and is joined to it with the AND operator. This affects the calculation in two places: the next logical calculation from where the item was moved, and the logical calculation where the item is placed.
Step 3 Click Save.
Step 4 Close the Custom Views window.
Step 5 From the Administration Console menu, select Configuration > Deploy Configuration Changes.
All changes are deployed.
Editing the Operators
You can edit the operators as they appear in the Drop Area of the Equation Editor. You can access the following by clicking the right mouse button (right-click) on each operator, object, or element:
• And Operator - To change the default AND operator to OR, right-click the operator and select OR from the menu.
• Excluding Objects - To exclude an object from part of an equation, right-click the object and select NOT from the menu. An exclamation mark (!) appears before the object.
• Excluding Elements - To exclude an element from part of an equation, right-click the element and select NOT from the menu. An exclamation mark (!) appears before the element.
• Removing Objects - To remove an object from an equation, right-click the object and select Remove Object. Click OK to confirm.
• Removing Elements - To remove an element from an equation, right-click the element and select Remove Element. Click OK to confirm.
• Group Objects - To create grouped objects to apply an action to, hold down the Alt key and click the objects you want to include. Right-click and select Group Selected Objects. You can also include elements in a group.
• Group Elements - To create grouped elements to apply an action to, hold down the Alt key and click the elements you want to include. Right-click and select Group Selected Objects. You can also include objects in a group.
• Remove Grouped Objects or Elements - Right-click a group and select Remove Brackets.
Enabling and Disabling Views
You can enable or disable views using the Administration Console. Disabling views saves processing power on large structured networks. Depending on your current network activity, or the type of traffic you are monitoring, some views may be of more value than others at specific times.
To enable or disable views:
Step 1 From the Administration Console, click the Views Configuration tab.
The Views Configuration panel appears.
Step 2 Click the Enable/Disable View icon.
The View Management window appears.
Step 3 Using the drop-down list box, select one of the following for each view:
Table 3-23 View Management
Enabled - Using the drop-down list box, select Enabled to enable this view. This enables the Classification Engine, data collection, data storage, graphing capabilities, and enables access from the interface.
Virtual - Using the drop-down list box, select Virtual to allow the Classification Engine to classify each flow while disabling data collection, data storage, and graphing capabilities, and removing the view from the interface. Objects in a virtual view can still be referenced in a Custom View equation. Also, a Security/Policy sentry applied to a virtual view will generate events, as necessary. To enable access from the interface, select Enabled.
Note: Selecting the Virtual mode can save processing power on your system.
Disabled - Using the drop-down list box, select Disabled to disable the view. This disables the Classification Engine, data collection, data storage, graphing capabilities, and removes the view from the interface. To enable access from the interface, select Enabled.
Note: Selecting the Disabled mode can save processing power on your system.
Step 4 From the Administration Console menu, select Configurations > Deploy Configuration Changes.
Using Best Practices
Given the complexities and network resources required for STRM in large structured networks, we recommend the following best practices:
• Disable views you are not required to access and display. Disabling views requires fewer CPU cycles and will not impact processing power in large structured networks.
• Bundle objects and use the Network Surveillance interface to analyze your network data. Fewer objects create less I/O to your disk.
  - Bundled flows include bi-directional traffic with single source and destination hosts, multiple source and destination ports.
  - All original flows are sent but marked as a bundle.
  - One Flow Bundle record is sent every interval.
  - Classify processes only the bundle and not the flows.
• Typically, no more than 200 objects per view (for standard system requirements). More objects may impact your processing power when investigating your traffic.
CONFIGURING RULES
Rules match events or offenses by performing a series of tests. If all the conditions of a test are true, the rule generates a response. Using the Offense Manager, you can configure rules or building blocks. Building blocks are rules without a response. Possible responses to a rule include:
• Create an offense.
• Generate a response to an external system (syslog or SNMP).
• Send an e-mail.
• Block the incident.
• Generate a system notification in the Dashboard.
The tests in each rule can also reference other building blocks and rules. You do not need to create rules in any specific order since the system will check for dependencies each time a new rule is added, edited, or deleted. If a rule that is referenced by another rule is deleted or disabled, a warning appears and action is not taken.
Each rule may contain the following components:
• Functions - With functions, you can use building blocks and other rules to create a multi-event or multi-offense function. You can also OR rules together, using the when we see an event match any of the following rules function.
• Building blocks - A building block is a rule without a response. It is commonly used as a variable in multiple rules, or to build complex rules or logic that you want to reuse in other rules. You can save a group of tests as a building block for use with other functions. Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that includes the IP addresses of all mail servers in your network and then use that building block to exclude those hosts from another rule. The building block defaults are provided as guidelines, which should be reviewed and edited based on the needs of your network.
• Tests - A property of an event or an offense, such as the source IP address, the severity of the event, or rate analysis.
A user with non-administrative access can create rules for the areas of the network to which they have access. You must have the appropriate role access to manage rules.
You can configure the following rule types:
• Event Rule - An event rule performs tests on events as they are processed in real-time by the Event Processor. You can create an event rule to detect a single event (with certain properties) or a sequence of events. For example, if you want to monitor your network for invalid login attempts, attempts to access multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule. It is common for event rules to create offenses as a response.
• Offense Rule - An offense rule processes offenses only when changes are made to the offense, such as when new events are added or the system has scheduled the offense for reassessment.
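As an added illustration (not STRM code), the following Python model shows how the rule components described above fit together: a stack of tests joined with and/and not, a building block as a rule with no response, the multi-rule any|all function that references it, the dependency check that refuses to delete a referenced rule, and responses that set severity/credibility/relevance and ensure the event is part of an offense. The event field names, the mail-server addresses and the keying of offenses by attacker IP are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Events are plain dicts; the field names used here (category, source_ip, ...) are assumptions.
Event = Dict[str, object]
Test = Callable[[Event], bool]


@dataclass
class Rule:
    """A stack of tests: 'tests' are joined with AND, 'excluded' tests with AND NOT."""
    name: str
    tests: List[Test] = field(default_factory=list)
    excluded: List[Test] = field(default_factory=list)
    # Responses. None leaves that index unchanged; a rule with no response is a building block.
    severity: Optional[int] = None
    credibility: Optional[int] = None
    relevance: Optional[int] = None
    ensure_offense: bool = False

    def is_building_block(self) -> bool:
        return (self.severity is None and self.credibility is None
                and self.relevance is None and not self.ensure_offense)


class RuleMatchTest:
    """Multi-rule function "when an event matches any|all of the following rules"; keeps the names for dependency checks."""

    def __init__(self, engine: "RuleEngine", mode: str, names: List[str]) -> None:
        if mode not in ("any", "all"):
            raise ValueError("mode must be 'any' or 'all'")
        self.engine, self.mode, self.names = engine, mode, list(names)

    def __call__(self, event: Event) -> bool:
        combine = any if self.mode == "any" else all
        return combine(self.engine.matches(self.engine.rules[n], event) for n in self.names)


class RuleEngine:
    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}
        self.offenses: Dict[str, List[Event]] = {}  # offenses keyed by attacker IP (assumption)

    @staticmethod
    def references_of(rule: Rule) -> List[str]:
        return [n for t in rule.tests + rule.excluded if isinstance(t, RuleMatchTest) for n in t.names]

    def add(self, rule: Rule) -> None:
        missing = [n for n in self.references_of(rule) if n not in self.rules]
        if missing:
            raise ValueError(f"{rule.name!r} references unknown rules: {missing}")
        self.rules[rule.name] = rule

    def delete(self, name: str) -> bool:
        """A rule that another rule still references is not deleted: warn and take no action."""
        users = [r.name for r in self.rules.values() if name in self.references_of(r)]
        if users:
            print(f"warning: {name!r} is referenced by {users}; no action taken")
            return False
        del self.rules[name]
        return True

    def matches(self, rule: Rule, event: Event) -> bool:
        return all(t(event) for t in rule.tests) and not any(t(event) for t in rule.excluded)

    def process(self, event: Event) -> List[str]:
        """Run every rule that carries a response and apply it; returns the names of the rules that fired."""
        fired: List[str] = []
        for rule in self.rules.values():
            # Building blocks are only evaluated through the rules that reference them.
            if rule.is_building_block() or not self.matches(rule, event):
                continue
            fired.append(rule.name)
            for index in ("severity", "credibility", "relevance"):
                level = getattr(rule, index)
                if level is not None:
                    event[index] = max(1, min(10, level))  # indexes run from 1 (lowest) to 10 (highest)
            if rule.ensure_offense:
                # Magistrate behaviour: a new offense for a new attacker, otherwise the event is added.
                self.offenses.setdefault(str(event["source_ip"]), []).append(event)
        return fired


def build_demo_engine() -> RuleEngine:
    """Constructed example: a mail-server building block used to exclude those hosts from a rule."""
    engine = RuleEngine()
    mail_servers = {"10.0.0.25", "10.0.0.26"}  # constructed addresses
    engine.add(Rule(
        name="BB: Mail Servers",
        tests=[lambda e: e["source_ip"] in mail_servers or e["destination_ip"] in mail_servers],
    ))
    engine.add(Rule(
        name="Remote Login Failure",
        tests=[lambda e: e["category"] == "login_failure",
               lambda e: e["source_location"] == "remote"],
        # "and not" the building block: events involving a mail server do not fire this rule.
        excluded=[RuleMatchTest(engine, "any", ["BB: Mail Servers"])],
        severity=7, ensure_offense=True,
    ))
    return engine
```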
This chapter includes:
• Viewing Rules
• Enabling/Disabling Rules
• Creating a Rule
• Copying a Rule
• Deleting a Rule
• Grouping Rules
• Editing Building Blocks
Viewing Rules
To view deployed rules, rule type, and status:
Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 In the Display drop-down list box, select Rules.
The list of deployed rules appears.
Step 4 Select the rule you want to view. Descriptive information appears in the Rule and Notes fields.
The default rules that appear depend on the template chosen during the installation process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.
Enabling/Disabling Rules
To enable or disable a rule:
Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 In the Display drop-down list box, select Rules.
The list of deployed rules appears.
Step 4 Select the rule you want to enable or disable.
For more information on each rule, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.
Step 5 Using the Actions drop-down list box, select Enable/Disable.
The Enabled column indicates the status.
Creating a Rule
To create a new rule:
Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 Choose one of the following options:
a Using the Actions drop-down list box, select New Event Rule to configure a rule for events.
b Using the Actions drop-down list box, click New Offense Rule to configure a rule for offenses.
The Custom Rule wizard appears.
Note: If you do not want to view the Welcome to the Custom Rules Wizard window again, select the Skip this page when running the rules wizard check box.
Step 4 Read the introductory text. Click Next. The Rules Test Stack Editor window appears.
Step 5 To add a test to a rule:
a In the Test Group drop-down list box, select the type of test you want to apply to this rule.
The resulting list of tests appears. For information on tests, see Event Rule Tests or Offense Rule Tests.
b For each test you want to add to the rule, select the + sign beside the test.
The selected test(s) appear in the Rule field.
c For each test added to the Rule field that you want to identify as an excluded test, click and at the beginning of the test. The and appears as and not.
d For each test added to the Rule field, you must customize the variables of the test. Click the underlined configurable parameter to configure it. See Event Rule Tests or Offense Rule Tests.
Step 6 In the enter rule name here field, enter a name you want to assign to this rule.
Step 7 To export the configured tests as building blocks to use with other rules:
a Click Export as Building Block.
The Save Building Block window appears.
b Enter the name you want to assign to this building block.
c Click Save.
Step 8 In the groups area, select the check box(es) of the groups to which you want to assign this rule. For more information on grouping rules, see Grouping Rules.
Step 9 In the Notes field, enter any notes you want to include for this rule. Click Next. The Rule Responses window appears, which allows you to configure the action STRM takes when the event sequence is detected.
Step 10 Choose one of the following:
a If you are configuring an Event Rule:
Table 4-1 Event Rule Response Parameters
Severity - Select the check box if you want this rule to set or adjust severity to the configured level. Once selected, you can configure the desired level.
Credibility - Select the check box if you want this rule to set or adjust credibility to the configured level. Once selected, you can configure the desired level.
Relevance - Select the check box if you want this rule to set or adjust relevance to the configured level. Once selected, you can configure the desired level.
Ensure the detected event is part of an offense - Select the check box if you want the event to be forwarded to the Magistrate component. If no offense has been created in the Offense Manager, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following options appear:
• Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offense Manager.
• Perform realtime flow analysis on flows between the attacker and target for seconds(s) - Select the check box and configure the number of seconds you want to perform realtime flow analysis on flows between the attacker and this target.
Drop the detected event - Select the check box to force an event that would normally be sent to the Magistrate component to be sent instead to the Aerial database for reporting or searching. This event does not appear in the Offense Manager.
Dispatch New Event - Select the check box to dispatch a new event in addition to the original event; the new event is processed like all other events in the system. The Dispatch New Event parameters appear when you select the check box. By default, the check box is clear.
Event Name - Specify the name of the event you want to display in the Offense Manager.
Event Description - Specify a description for the event. The description appears in the Annotations of the event details.
Offense Naming - Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
• This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
• This information should not contribute to the naming of the associated offense(s) - Select this option if you do not want the Event Name information to contribute to the name of the offense(s).
Severity - Specify the severity for the event. The range is 1 (lowest) to 10 (highest) and the default is 1. The Severity appears in the Annotation of the event details.
Credibility - Specify the credibility of the event. The range is 1 (lowest) to 10 (highest) and the default is 10. Credibility appears in the Annotation of the event details.
Relevance - Specify the relevance of the event. The range is 1 (lowest) to 10 (highest) and the default is 1. Relevance appears in the Annotation of the event details.
High-Level Category - Specify the high-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.
Low-Level Category - Specify the low-level event category you want this rule to use when processing events. For more information on event categories, see the Event Category Correlation Reference Guide.
Ensure the dispatched event is part of an offense - Select the check box if you want the event, as a result of this rule, to be forwarded to the Magistrate component. If no offense has been created in the Offense Manager, a new offense is created. If an offense exists, this event is added to it. If you select the check box, the following option appears:
• Include detected events from this attacker from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds you want to include detected events from the attacker in the Offense Manager.
Action Name - Specify the name of the Resolver Action you want to deploy for the event.
Action Duration - Specify the days, minutes, and hours you want the Resolver Action to be active. Select the Indefinite check box if you want to specify an indefinite time period.
Allowed Resolution Methods - Select the All Resolver Types check box if you want the event to be resolved, where a Resolver is available. You can also select the check box(es) of the Resolver Types you want to resolve events.
Blocking Rule - Specify the blocking rules you want to apply to this event. The list contains all blocking options available for the selected Resolver Type. The possible options include:
• Source to all
• Source to destination
• Source to destination on detected port
• Destination to all
• Destination to source
• Destination to all on detected port
• All source and destination traffic
Email - Select the check box to display the email options. By default, the check box is clear.
Enter e-mail address to notify - Specify the e-mail address(es) to which notification is sent if the event generates. Separate multiple e-mail addresses using a comma.
SNMP Trap - This parameter only appears when the SNMP Settings parameters are configured in the STRM System Management window. For more information, see Chapter 3 Setting Up STRM. Select the check box to send an SNMP trap. For an event rule, the SNMP trap output includes the system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog - Select the check box if you want to log the event. By default, the check box is clear. For example, the syslog output may resemble:
Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description
Notify - Select the check box if you want events that generate as a result of this rule to appear in the System Notifications item in the Dashboard. For more information on the Event Viewer and the Dashboard, see the STRM Users Guide.
Response Limiter - Specify the frequency at which you want this rule to respond.
Enable Rule - Select the check box to enable this rule. By default, the check box is selected.
b If you are configuring an Offense Rule:
Table 4-2 Offense Rule Response Parameters
Name - Select the check box to display the Name options.
New Offense Name - Specify the name you want to assign to the offense.
Offense Annotation - Specify the offense annotation you want to appear in the Offense Manager.
Offense Name - Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
• This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
Action Name - Specify the name of the Resolver Action you want to deploy for the event.
Action Duration - Specify the days, minutes, and hours you want the Resolver Action to be active. Select the Indefinite check box if you want to specify an indefinite time period.
Allowed Resolution Methods - Select the All Resolver Types check box if you want the event to be resolved, where a Resolver is available. You can also select the check box(es) of the Resolver Types you want to resolve events.
Blocking Rule - Specify the blocking rules you want to apply to this event. The list contains all blocking options available for the selected Resolver Type. The possible options include:
• Source to all
• Source to destination
• Source to destination on detected port
• Destination to all
• Destination to source
• Destination to all on detected port
• All source and destination traffic
Email - Select the check box to display the email options. By default, the check box is clear.
Enter e-mail address to notify - Specify the e-mail address(es) to which notification is sent if the event generates. Separate multiple e-mail addresses using a comma.
SNMP Trap - This parameter only appears when the SNMP Enabled parameter is enabled in the STRM System Management window. For more information, see Chapter 3 Setting Up STRM. Select the check box to send an SNMP trap. For an offense rule, the SNMP trap output includes the system time, the trap OID, and the notification data, as defined by the Juniper Networks MIB. For more information on the Juniper Networks MIB, see Appendix A Juniper Networks MIB. For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog - Select the check box if you want to log the offense. By default, the check box is clear. For example, the syslog output may resemble:
Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59
Notify - Select the check box if you want offenses that generate as a result of this rule to appear in the System Notifications item in the Dashboard. For more information on the Offense Manager and the Dashboard, see the STRM Users Guide.
Response Limiter - Specify the frequency at which you want this rule to respond for each offense that the rule matches.
Enable Rule - Select the check box to enable this rule. By default, the check box is selected.
Step 11 Click Next. The Rule Summary window appears.
Step 12 Review the configured rule. Click Finish.
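The syslog and SNMP notification formats shown in Tables 4-1 and 4-2 are what a downstream log collector receives when a rule fires. The following parser is an added example, not part of the guide or of STRM: it reads both the event-rule and the offense-rule formats and tallies fires per rule. The number after the address pair is interpreted as the IP protocol (6 for the TCP scan, 1 for the ICMP event in the samples), which is an inference from the samples rather than something the guide states.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Event-rule notifications: syslog writes "Fired:" and the SNMP trap text writes "Fired.".
# The trailing number after the address pair is read as the IP protocol (assumption).
EVENT_RULE = re.compile(
    r"Rule '(?P<rule>[^']*)' Fired[.:] "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<proto>\d+), "
    r"Event Name: (?P<event_name>.*?), QID: (?P<qid>\d+), Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)
# Offense-rule syslog: "Offense CRE Rule <name> fired on offense #<id>"
OFFENSE_RULE = re.compile(r"Offense CRE Rule (?P<rule>.+?) fired on offense #(?P<offense_id>\d+)$")


@dataclass(frozen=True)
class RuleNotification:
    kind: str                 # "event" or "offense"
    rule: str
    src_ip: str = ""
    src_port: int = 0
    dst_ip: str = ""
    dst_port: int = 0
    protocol: int = 0
    event_name: str = ""
    qid: int = 0
    category: int = 0
    notes: str = ""
    offense_id: int = 0


def parse_notification(line: str) -> Optional[RuleNotification]:
    """Parse one syslog line or SNMP trap string; None for lines that are not CRE notifications."""
    text = line.strip().strip('"')
    m = EVENT_RULE.search(text)
    if m:
        return RuleNotification(
            kind="event", rule=m["rule"],
            src_ip=m["src_ip"], src_port=int(m["src_port"]),
            dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
            protocol=int(m["proto"]), event_name=m["event_name"],
            qid=int(m["qid"]), category=int(m["category"]), notes=m["notes"],
        )
    m = OFFENSE_RULE.search(text)
    if m:
        return RuleNotification(kind="offense", rule=m["rule"], offense_id=int(m["offense_id"]))
    return None


def count_rule_fires(lines: Iterable[str]) -> Counter:
    """Tally fires per rule, e.g. to spot a noisy rule that needs a Response Limiter."""
    return Counter(n.rule for n in map(parse_notification, lines) if n is not None)


# The three notification samples from the guide plus one constructed, unrelated syslog line.
SAMPLE_LINES = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:30:29 localhost.localdomain ECS: Offense CRE Rule SYSLOGTest fired on offense #59",
    "\"Wed Sep 28 12:20:57 GMT 2005, STRM Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description\"",
    "Sep 28 12:40:00 localhost.localdomain sshd[123]: constructed unrelated line",
]
```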
Event Rule Tests
This section provides information on the tests you can apply to the rules, including:
• Network Property Tests
• Event Property Tests
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
Network Property Tests
The network property test group includes:
Table 4-3 Network Property Tests
Network Vulnerability Risk
  Description: Valid when the source or destination Vulnerability Assessment risk is greater than, less than, or equal to the configured value.
  Default test name: when the overall source network VA risk is greater than this value
  Parameters: Configure the following parameters:
  • source - Specify whether the test considers the source or the destination of the event.
  • greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
  • this value - Specify the Vulnerability Assessment risk value, which is a value from 0 to 10.
Network Threat Posing
  Description: Valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
  Default test name: when the amount of threat the network is posing is greater than this value
  Parameters: Configure the following parameters:
  • greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
  • this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.
Network Exposure
  Description: Threat under is the value applied to the threat a network is under over time, calculated as the weighted average of that threat over time. This test is valid when the amount of threat a network is under from local and remote networks is greater than, less than, or equal to the configured value.
  Default test name: when the amount of threat the network is under is greater than this value
  Parameters: Configure the following parameters:
  • greater than - Specify whether the risk is greater than, less than, or equal to the configured value.
  • this value - Specify the amount of risk you want this test to consider. The range is from 0 to 10.
Remote Networks
  Description: Valid when an IP address is part of any or all of the configured remote network locations.
  Default test name: when the source IP is a part of any of the following remote network location(s)
  Parameters: Configure the following parameters:
  • source IP - Specify whether you want this test to consider the source IP address, destination IP address, or any IP address.
  • remote network location(s) - Specify the network locations you want this test to consider.
Remote Services Networks
  Description: Valid when an IP address is part of any or all of the configured remote services network locations.
  Default test name: when the source IP is a part of any of the following remote services network location(s)
  Parameters: Configure the following parameters:
  • source IP - Specify whether you want this test to consider the source IP address, destination IP address, or any IP address.
  • remote services network location(s) - Specify the services network locations you want this test to consider.
Geographic Networks
  Description: Valid when an IP address is part of any or all of the configured geographic network locations.
  Default test name: when the Source IP is a part of any of the following geographic network location(s)
  Parameters: Configure the following parameters:
  • Source IP - Specify whether you want this test to consider the source IP address, destination IP address, or any IP address.
  • geographic network location(s) - Specify the network locations you want this test to consider.
Event Property Tests
The event property test group includes:
Table 4-4 Event Property Tests
Local Network Object
  Description: Valid when the event occurs in the specified network.
  Default test name: when the local network is one of the following networks
  Parameters: one of the following - Specify the areas of the network you want this test to apply to.
IP Protocol
  Description: Valid when the IP protocol of the event is one of the configured protocols.
  Default test name: when the IP protocol is one of the following protocols
  Parameters: protocols - Specify the protocols you want to add to this test.
Event Payload Search
  Description: Each event contains a copy of the original unnormalized event. This test is valid when the entered search string is included anywhere in the event payload.
  Default test name: when the Event Payload contains this string
  Parameters: this string - Specify the text string you want to include for this test.
QID of Event
  Description: A QID is a unique identifier for events. This test is valid when the event identifier is a configured QID.
  Default test name: when the event QID is one of the following QIDs
  Parameters: QIDs - Use one of the following options to locate QIDs:
  • Select the Browse By Category option and, using the drop-down list boxes, select the high-level and low-level category QIDs you want to locate.
  • Select the QID Search option and enter the QID or name you want to locate. Click Search.
Attack Context
  Description: Attack Context is the relationship between the attacker and target, for example, a local attacker to a remote target. Valid if the attack context is one of the following:
  • Local to Local
  • Local to Remote
  • Remote to Local
  • Remote to Remote
  Default test name: when the attack context is this context
  Parameters: this context - Specify the context you want this test to consider. The options are: Local to Local, Local to Remote, Remote to Local, Remote to Remote.
Event Category
  Description: Valid when the event category is the same as the configured category, for example, Denial of Service (DoS) attack.
  Default test name: when the event category for the event is one of the following categories
  Parameters: categories - Specify the event category you want this test to consider. For more information on event categories, see the Event Category Correlation Reference Guide.
Severity
  Description: Valid when the event severity is greater than, less than, or equal to the configured value. The default is 5.
  Default test name: when the event severity is greater than 5 {default}
  Parameters: Configure the following parameters:
  • greater than - Specify whether the severity is greater than, less than, or equal to the configured value.
  • this value - Specify the index, which is a value from 0 to 10.
Credibility
  Description: Valid when the event credibility is greater than, less than, or equal to the configured value. The default is 5.
  Default test name: when the event credibility is greater than 5 {default}
  Parameters: Configure the following parameters:
  • greater than - Specify whether the credibility is greater than, less than, or equal to the configured value.
  • this value - Specify the index, which is a value from 0 to 10.
Relevance
  Description: Valid when the event relevance is greater than, less than, or equal to the configured value. The default is 5.
  Default test name: when the event relevance is greater than 5 {default}
  Parameters: Configure the following parameters:
  • greater than - Specify whether the relevance is greater than, less than, or equal to the configured value.
  • this value - Specify the index, which is a value from 0 to 10.
Source Location
  Description: Valid when the source IP address of the event is either local or remote.
  Default test name: when the source is local or remote {default: remote}
  Parameters: local or remote - Specify either local or remote traffic.
Destination Location
  Description: Valid when the destination IP address of the event is either local or remote.
  Default test name: when the destination is local or remote {default: remote}
  Parameters: local or remote - Specify either local or remote traffic.
Rate Analysis
  Description: STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Valid when the event has been marked for rate analysis.
  Default test name: when the event has been marked with rate analysis
False Positive Tuning
  Description: When you tune false positive events in the Event Viewer, the resulting tuning values appear in this test. If you want to remove a false positive tuning, you can edit this test to remove the necessary tuning values.
  Default test name: when the false positive signature matches one of the following signatures
  Parameters: signatures - Specify the false positive signature you want this test to consider. Enter the signature in the following format:
  <CAT|QID|ANY>:<value>:<source IP>:<dest IP>
  Where:
  • <CAT|QID|ANY> - Specify whether you want this false positive signature to consider a category (CAT), a Juniper Networks Identifier (QID), or any value.
  • <value> - Specify the value for the <CAT|QID|ANY> parameter. For example, if you specified QID, you must specify the QID value.
  • <source IP> - Specify the source IP address you want this false positive signature to consider.
  • <dest IP> - Specify the destination IP address you want this false positive signature to consider.
Username
  Description: Valid when the configured username is associated with an event.
  Default test name: when the event(s) username is this string
  Parameters: Configure the following parameters:
  • is - Specify the comparison you want to associate with this test. Options include: is, contains, starts with, or ends with.
  • this string - Specify a username you want this test to consider.
Regex
  Description: Valid when the configured MAC address, username, hostname, or operating system matches a particular regular expression (regex) string.
  Note: This test assumes knowledge of regular expressions (regex). When you define custom regex patterns, adhere to regex rules as defined by the Java programming language. For more information, see the following web site: http://java.sun.com/docs/books/tutorial/extra/regex/
  Default test name: when the username matches the following regex
  Parameters: Configure the following parameters:
  • username - Specify the value you want to associate with this test. This test may consider the MAC address, username, hostname, or operating system.
  • regex - Specify the regex string you want this test to consider.
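The signature format of the False Positive Tuning test above, as an added example (not STRM code): a parser for <CAT|QID|ANY>:<value>:<source IP>:<dest IP> and a matcher that suppresses events covered by a signature. The event field names are assumptions, CAT and QID values are taken to be the numeric identifiers the notification examples show (Category: 1011, QID: 1000398), and the value field of an ANY signature is treated as an ignored placeholder because the guide does not say what it holds.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

# Field names (qid, category, source_ip, destination_ip) are assumptions.
Event = Dict[str, Union[str, int]]


@dataclass(frozen=True)
class FalsePositiveSignature:
    kind: str        # "CAT", "QID" or "ANY"
    value: str       # category or QID number; ignored for ANY
    source_ip: str
    dest_ip: str

    def matches(self, event: Event) -> bool:
        """True when the event is the traffic this signature was tuned for."""
        if event["source_ip"] != self.source_ip or event["destination_ip"] != self.dest_ip:
            return False
        if self.kind == "ANY":
            return True
        if self.kind == "CAT":
            return str(event["category"]) == self.value
        return str(event["qid"]) == self.value


def parse_signature(text: str) -> FalsePositiveSignature:
    """Parse <CAT|QID|ANY>:<value>:<source IP>:<dest IP>, rejecting malformed input."""
    parts = text.strip().split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed signature: {text!r}")
    kind, value, hosts = parts[0].upper(), parts[1], parts[2]
    if kind not in ("CAT", "QID", "ANY"):
        raise ValueError(f"first field must be CAT, QID or ANY: {text!r}")
    if kind != "ANY" and not value.isdigit():
        raise ValueError(f"{kind} value must be numeric: {text!r}")
    # The guide shows IPv4 addresses only. A colon-delimited IPv6 address cannot be split
    # unambiguously in this format, so anything other than two plain fields is rejected.
    ips = hosts.split(":")
    if len(ips) != 2 or not all(ips):
        raise ValueError(f"expected <source IP>:<dest IP> with IPv4 addresses: {text!r}")
    return FalsePositiveSignature(kind, value, ips[0], ips[1])


def apply_tuning(signatures: Iterable[str], events: Iterable[Event]) -> Tuple[List[Event], List[Event]]:
    """Split events into (kept, suppressed) according to the configured signatures."""
    parsed = [parse_signature(s) for s in signatures]
    kept: List[Event] = []
    suppressed: List[Event] = []
    for ev in events:
        (suppressed if any(sig.matches(ev) for sig in parsed) else kept).append(ev)
    return kept, suppressed


# Constructed events reusing the address pair and identifiers from the syslog example in Table 4-1.
SAMPLE_EVENTS: List[Event] = [
    {"qid": 1000398, "category": 1011, "source_ip": "172.16.60.219", "destination_ip": "172.16.210.126"},
    {"qid": 1000156, "category": 1014, "source_ip": "172.16.60.219", "destination_ip": "172.16.210.126"},
    {"qid": 1000398, "category": 1011, "source_ip": "10.0.0.5", "destination_ip": "172.16.210.126"},
]
```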
IP/Port Tests
The IP/Port tests include:
Table 4-4 Event Property Tests (continued)
IPv6
  Description: Valid when the source or destination IPv6 address is the configured IP address.
  Default test name: when the source IP(v6) is one of the following IPv6 addresses
  Parameters: Configure the following parameters:
  • source IP(v6) - Specify whether you want this test to consider the source or destination IP(v6) address.
  • IPv6 addresses - Specify the IPv6 addresses you want this test to consider.
Table 4-5 IP / Port Test Group
Source Port
  Description: Valid when the source port of the event is one of the configured source port(s).
  Default test name: when the source port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.
Destination Port
  Description: Valid when the destination port of the event is one of the configured destination port(s).
  Default test name: when the destination port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.
Local Port
  Description: Valid when the local port of the event is one of the configured local port(s).
  Default test name: when the local port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.
Remote Port
  Description: Valid when the remote port of the event is one of the configured remote port(s).
  Default test name: when the remote port is one of the following ports
  Parameters: ports - Specify the ports you want this test to consider.
Source IP Address
  Description: Valid when the source IP address of the event is one of the configured IP address(es).
  Default test name: when the source IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.
Destination IP Address
  Description: Valid when the destination IP address of the event is one of the configured IP address(es).
  Default test name: when the destination IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.
Local IP Address
  Description: Valid when the local IP address of the event is one of the configured IP address(es).
  Default test name: when the local IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.
Remote IP Address
  Description: Valid when the remote IP address of the event is one of the configured IP address(es).
  Default test name: when the remote IP is one of the following IP addresses
  Parameters: IP addresses - Specify the IP address(es) you want this test to consider.
IP Address
Description: Valid when either the source or destination IP address of the event is one of the configured IP addresses.
Default test name: when either the source or destination IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP addresses you want this test to consider.

Function Tests
The function tests include:

Table 4-6 Functions Group

Multi-Rule Event Function
Description: Allows you to use saved building blocks and other rules to populate this test. The event has to match either all or any of the selected rules. To create an OR statement for this rule test, specify the any parameter.
Default test name: when an event matches any|all of the following rules
Parameters:
• any|all - Specify whether any or all of the configured rules must apply for this test.
• rules - Specify the rules you want this test to consider.
Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. This function detects a specific sequence of selected rules involving a source and destination within a configured time period.
Default test name: when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters:
• these rules - Specify the rules you want this test to consider.
• in|in any - Specify whether the rules must match in the listed order (in) or in any order.
• the same|any - Specify whether the matching events must share the same source value, or may come from any source.
• source IP - Specify the source property you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• the same|any - Specify whether the matching events must share the same destination value, or may go to any destination.
• destination IP - Specify whether you want this test to consider a destination IP address, username, or destination port.
• this many - Specify the number of time intervals you want this test to consider.
• seconds - Specify the time interval you want this test to consider. The options are: seconds, minutes, hours, or days.
Multi-Rule Event Function
Description: Allows you to use saved building blocks or other rules to populate this test. You can use this function to detect a minimum number of the specified rules, in sequence, involving a source and destination within a configured time interval.
Default test name: when at least this number of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds
Parameters:
• this number - Specify the minimum number of rules that must match for this function.
• in|in any - Specify whether the rules must match in the listed order (in) or in any order.
• the same|any - Specify whether the matching events must share the same source value, or may come from any source.
• source IP - Specify the source property you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• the same|any - Specify whether the matching events must share the same destination value, or may go to any destination.
• destination IP - Specify whether you want this test to consider a destination IP address, username, or destination port.
• this many - Specify the number of time intervals you want this test to consider.
• seconds - Specify the time interval you want this test to consider. The options are: seconds, minutes, hours, or days.
Multi-Event Sequence Function Between Hosts
Description: Allows you to detect a sequence of selected rules involving the same source and destination hosts within the configured time interval. You can also use saved building blocks and other rules to populate this test.
Default test name: when this sequence of rules, involving the same source and destination hosts in this many seconds
Parameters:
• of rules - Specify the sequence of rules you want this test to consider.
• this many - Specify the number of time intervals you want this test to consider.
• seconds - Specify the time interval you want this test to consider.
Multi-Event Counter Function
Description: Allows you to test the number of events matching the configured conditions, such as the number of events from one source IP address. You can also use building blocks and other rules to populate this test.
Default test name: when a source IP emitting/receiving more than|exactly this many of these rules across more than|exactly this many destination IP, over this many minutes
Parameters:
• source IP - Specify the source property you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• more than|exactly - Specify whether this test requires more than or exactly the configured number of matching events.
• this many - Specify the number of matching events (rule matches) you want this test to consider.
• these rules - Specify the rules you want this test to consider.
• more than|exactly - Specify whether this test requires more than or exactly the configured number of distinct destination IP addresses, destination ports, QIDs, device event IDs, or devices, depending on the destination option you configure below.
• this many - Specify the number of distinct IP addresses, ports, QIDs, events, devices, or categories you want this test to consider.
• destination IP - Specify the destination property you want this test to consider. The default is the destination IP address; however, you can configure this test to consider other options, such as destination port, QID, device event ID, or device.
• this many - Specify the time value you want to assign to this test.
• minutes - Specify the time interval you want this test to consider.
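The following Python example is added here to illustrate what the Multi-Event Sequence Function Between Hosts and the Multi-Event Counter Function tests above evaluate; it is not STRM code and does not show how STRM implements these tests. It assumes events arrive already tagged with the building block they matched (the rule field), uses made-up BB:* names and constructed sample events, and models only the "more than" variant of the counter test.

```python
"""Sliding-window correlators modelled on two STRM function tests.

Added example, not STRM code. Events are plain dicts with the fields
ts (seconds), src, dst and rule, where rule is the name of the
building block the event already matched; that pre-tagging, the
BB:* names and the sample data are all assumptions made here.
"""
from collections import defaultdict

# Constructed sample events (not real STRM output).
SAMPLE_EVENTS = [
    {"ts": 0,    "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:Recon"},
    {"ts": 30,   "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:Exploit"},
    {"ts": 45,   "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:NewService"},
    # Same three rules but out of order: must not match the sequence test.
    {"ts": 50,   "src": "10.0.0.7", "dst": "10.0.1.11", "rule": "BB:Exploit"},
    {"ts": 60,   "src": "10.0.0.7", "dst": "10.0.1.11", "rule": "BB:Recon"},
    {"ts": 70,   "src": "10.0.0.7", "dst": "10.0.1.11", "rule": "BB:NewService"},
    # Same sequence again, but spread over 500 s (matches only with a wider window).
    {"ts": 5000, "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:Recon"},
    {"ts": 5400, "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:Exploit"},
    {"ts": 5500, "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:NewService"},
]
# A burst of recon from one source against twelve destinations within 12 s.
SAMPLE_EVENTS += [
    {"ts": 100 + i, "src": "10.0.0.9", "dst": f"10.0.2.{i}", "rule": "BB:Recon"}
    for i in range(12)
]


def sequence_between_hosts(events, sequence, window_seconds):
    """Multi-Event Sequence Function Between Hosts: return every
    (src, dst, start_ts) where the rules in `sequence` were matched in
    that order by events between the same two hosts, with the last
    match no more than `window_seconds` after the first."""
    if len(sequence) < 2:
        raise ValueError("a sequence needs at least two rules")
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["src"], ev["dst"])].append(ev)
    hits = []
    for (src, dst), evs in by_pair.items():
        for i, first in enumerate(evs):
            if first["rule"] != sequence[0]:
                continue
            pos = 1  # index of the next rule we are waiting for
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window_seconds:
                    break  # window expired before the sequence completed
                if later["rule"] == sequence[pos]:
                    pos += 1
                    if pos == len(sequence):
                        hits.append((src, dst, first["ts"]))
                        break
    return hits


def counter_across_destinations(events, rules, min_events, min_destinations,
                                window_minutes):
    """Multi-Event Counter Function, 'more than' variant: a source IP
    emitting more than `min_events` events matching `rules` across more
    than `min_destinations` distinct destination IPs within
    `window_minutes`. Returns {src: (event_count, distinct_dsts)} for
    the first qualifying window of each source. The 'exactly' variant
    is deliberately not modelled here."""
    window = window_minutes * 60
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["rule"] in rules:
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            inside = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            dsts = {e["dst"] for e in inside}
            if len(inside) > min_events and len(dsts) > min_destinations:
                hits[src] = (len(inside), len(dsts))
                break
    return hits


if __name__ == "__main__":
    chain = ["BB:Recon", "BB:Exploit", "BB:NewService"]
    print("sequence, 300 s window:", sequence_between_hosts(SAMPLE_EVENTS, chain, 300))
    print("sequence, 600 s window:", sequence_between_hosts(SAMPLE_EVENTS, chain, 600))
    print("scan-like sources:", counter_across_destinations(SAMPLE_EVENTS, {"BB:Recon"}, 10, 10, 5))
```

The two window arguments are the "this many seconds" and "this many minutes" values from the test names; note how the same three events match at 600 seconds but not at 300, which is why the interval is worth tuning against real traffic before a rule is put into production.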
Multi-Rule Function
Description: Allows you to detect any of the selected rules matching more than a configured number of times from the same source IP address (or port) across a configured number of destinations within a time interval. You can also use building blocks or existing rules to populate this test.
Default test name: when any of these rules with the same source IP more than this many times, across more than|exactly this many destination IP within this many minutes
Parameters:
• rules - Specify the rules you want this test to consider.
• source IP - Specify the source property you want this test to consider. The default is the source IP address; however, you can configure this test to consider other options, such as source port, destination IP, destination port, QID, or event ID.
• this many - Specify the number of times the rules must match.
• more than|exactly - Specify whether this test requires more than or exactly the configured number of destination IP addresses, destination ports, QIDs, device event IDs, or devices, depending on the destination option you configure below.
• this many - Specify the number of destinations you want this test to consider, depending on the option you configure for destination IP.
• destination IP - Specify the destination property you want this test to consider. The default is the destination IP address; however, you can configure this test to consider other options, such as destination port, QID, device event ID, or device.
• this many - Specify the time value you want to assign to this test.
• minutes - Specify the time interval you want this test to consider.
Multi-Rule Function
Description: Allows you to detect a number of specific rules for a specific username, IP address, or port, followed by a number of specific rules for a specific port or IP address taken from that first sequence. You can also use building blocks or existing rules to populate this test.
Default test name: when at least this many of these rules, in|in any order, with the same username followed by at least this many of these rules in|in any order with the same destination IP from the previous sequence, within this many minutes
Parameters:
• this many - Specify the number of rules that must match in the first sequence.
• rules - Specify the rules you want the first sequence to consider.
• in|in any - Specify whether the first sequence must match in the listed order (in) or in any order.
• username - Specify whether you want the first sequence to consider the username, source IP, source port, destination IP, or destination port.
• this many - Specify the number of rules that must match in the second sequence.
• rules - Specify the rules you want the second sequence to consider.
• in|in any - Specify whether the second sequence must match in the listed order (in) or in any order.
• destination IP - Specify whether you want the second sequence to consider the username, source IP, source port, destination IP, or destination port, taken from the first sequence.
• this many - Specify the number of time intervals you want this test to consider.
• minutes - Specify the time interval you want this test to consider.
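The two-stage form of the Multi-Rule Function above (a first sequence keyed on one property, then a second sequence keyed on a value carried over from the first) is easy to misread, so the following Python example is added here to show what such a chained test evaluates. It is not STRM code and does not show how STRM implements the test. It assumes events are already tagged with the building block they matched, reads both stages as "in any order", uses made-up BB:* names, and runs over constructed sample events.

```python
"""Two-stage correlation modelled on the STRM Multi-Rule Function test
'at least this many of these rules ... with the same username followed
by at least this many of these rules ... with the same destination IP
from the previous sequence, within this many minutes'.

Added example, not STRM code. Events are dicts with ts (seconds), user,
src, dst and rule (the building block the event already matched); that
pre-tagging, the BB:* names, the 'in any order' reading of both stages
and the sample data are assumptions made here.
"""
from collections import defaultdict

# Constructed sample events (not real STRM output).
SAMPLE_EVENTS = [
    # alice: two failures then a success against 10.0.1.10 ...
    {"ts": 0,    "user": "alice", "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:AuthFailure"},
    {"ts": 20,   "user": "alice", "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:AuthFailure"},
    {"ts": 40,   "user": "alice", "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:AuthSuccess"},
    # ... followed by privilege and data activity on that same host.
    {"ts": 90,   "user": "svc",   "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:NewAdmin"},
    {"ts": 120,  "user": "svc",   "src": "10.0.0.5", "dst": "10.0.1.10", "rule": "BB:OutboundTransfer"},
    # bob: only two first-stage events, below a threshold of three.
    {"ts": 200,  "user": "bob",   "src": "10.0.0.6", "dst": "10.0.1.30", "rule": "BB:AuthFailure"},
    {"ts": 210,  "user": "bob",   "src": "10.0.0.6", "dst": "10.0.1.30", "rule": "BB:AuthSuccess"},
    # carol: first stage complete, second stage far outside a 10 minute window.
    {"ts": 300,  "user": "carol", "src": "10.0.0.8", "dst": "10.0.1.40", "rule": "BB:AuthFailure"},
    {"ts": 310,  "user": "carol", "src": "10.0.0.8", "dst": "10.0.1.40", "rule": "BB:AuthFailure"},
    {"ts": 320,  "user": "carol", "src": "10.0.0.8", "dst": "10.0.1.40", "rule": "BB:AuthSuccess"},
    {"ts": 9000, "user": "svc",   "src": "10.0.0.8", "dst": "10.0.1.40", "rule": "BB:NewAdmin"},
    {"ts": 9010, "user": "svc",   "src": "10.0.0.8", "dst": "10.0.1.40", "rule": "BB:OutboundTransfer"},
]


def chained_rule(events, first_rules, first_min, second_rules, second_min,
                 window_minutes):
    """Return (user, dst, first_ts, completed_ts) for every username whose
    events matched at least `first_min` of `first_rules` (any order),
    followed by at least `second_min` of `second_rules` (any order)
    against a destination IP taken from that first stage, all within
    `window_minutes` of the first stage's first event. Both thresholds
    must be at least 1."""
    window = window_minutes * 60
    evs = sorted(events, key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for ev in evs:
        if ev["rule"] in first_rules:
            by_user[ev["user"]].append(ev)
    hits = []
    for user, ues in by_user.items():
        for i, first in enumerate(ues):
            t0 = first["ts"]
            # First stage: the earliest first_min matches inside the window.
            stage1 = [e for e in ues[i:] if e["ts"] - t0 <= window][:first_min]
            if len(stage1) < first_min:
                continue
            t1 = stage1[-1]["ts"]  # the first stage completes here
            # Second stage: keyed on each destination IP seen in stage one,
            # and only counting events after stage one completed.
            for dst in sorted({e["dst"] for e in stage1}):
                stage2 = [e for e in evs
                          if e["rule"] in second_rules and e["dst"] == dst
                          and t1 <= e["ts"] <= t0 + window]
                if len(stage2) >= second_min:
                    hits.append((user, dst, t0, stage2[second_min - 1]["ts"]))
            if hits and hits[-1][0] == user:
                break  # report each user once, from the earliest start
    return hits


if __name__ == "__main__":
    auth = {"BB:AuthFailure", "BB:AuthSuccess"}
    post = {"BB:NewAdmin", "BB:OutboundTransfer"}
    print("10 minute window:", chained_rule(SAMPLE_EVENTS, auth, 3, post, 2, 10))
    print("200 minute window:", chained_rule(SAMPLE_EVENTS, auth, 3, post, 2, 200))
```

The carryover is the point of this test: the second stage is not keyed on the username at all, but on the destination IP the first stage touched, which is how a rule can tie a credential attack to what happened next on the host that was reached. Widening the window makes carol's late activity match too, so the interval should be chosen from how long the follow-on activity realistically takes in your environment.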
Username Function
Description: Allows you to detect multiple changes of username on a single host.
Default test name: when the username changes more than this many times within this many hours on a single host
Parameters:
• username - Specify whether you want this test to consider the username, MAC address, or hostname.
• this many - Specify the number of changes you want this test to consider.
• this many - Specify the number of time intervals you want this test to consider.
• hours - Specify the time interval you want this test to consider. The options are: seconds, minutes, hours, or days.
Host Profile Tests
The host profile tests include:

Table 4-7 Host Profile Tests

Host Profile Port
Description: Valid when the port is open on the configured local source or destination host. You can also specify how the status of the port is detected:
• Active - STRM actively searches for the configured port through scanning or vulnerability assessment.
• Passive - STRM passively monitors the network, recording hosts and ports previously detected.
Default test name: when the local source host destination port is open either actively or passively seen
Parameters:
• source - Specify whether you want this test to apply to the source or destination host. The default is source.
• either actively or passively - Specify whether you want this test to consider active and/or passive detection.
Host Existence
Description: Valid when the local source or destination host is known to exist through active or passive scanning. You can also specify how the host is detected:
• Active - STRM actively searches for the configured host through scanning or vulnerability assessment.
• Passive - STRM passively monitors the network, recording hosts previously detected.
Default test name: when the local source host exists either actively or passively seen
Parameters:
• source - Specify whether you want this test to apply to the source or destination host. The default is source.
• either actively or passively - Specify whether you want this test to consider active and/or passive detection.
Host Profile Age
Description: Valid when the age of the local source or destination host profile is greater than (or less than) the configured number of time intervals.
Default test name: when the local source host profile age is greater than this number of time intervals
Parameters:
• source - Specify whether you want this test to apply to the source or destination host. The default is source.
• greater than - Specify whether you want this test to consider a profile age greater than or less than the configured value.
• this number of - Specify the number of time intervals you want this test to consider.
• time intervals - Specify whether you want this test to consider minutes or hours.

Host Port Age
Description: Valid when the age of the port entry in the local source or destination host profile is greater than or less than the configured amount of time.
Default test name: when the local source host profile port age is greater than this number of time intervals
Parameters:
• source - Specify whether you want this test to apply to the source or destination port. The default is source.
• greater than - Specify whether you want this test to consider a profile port age greater than or less than the configured value.
• this number of - Specify the number of time intervals you want this test to consider.
• time intervals - Specify whether you want this test to consider minutes or hours.
Host Vulnerability Assessment Risk Level
Description: Valid when the vulnerability risk level of the local source or destination host is greater than or less than the configured value.
Default test name: when the local destination host vulnerability risk level is greater than 5 {default}
Parameters:
• destination - Specify whether you want this test to apply to the source or destination host.
• greater than - Specify whether you want the vulnerability risk level to be greater than or less than the configured value.
• 5 - Specify the value you want this test to consider.

Host Vulnerability Assessment Port Risk Level
Description: Valid when the vulnerability risk level of the port on the local source or destination host is greater than or less than the configured value.
Default test name: when the local destination host port vulnerability risk level is greater than this value
Parameters:
• destination - Specify whether you want this test to apply to the source or destination port.
• greater than - Specify whether you want the vulnerability risk level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.
Attacker Threat Level
Description: Threat posing is a value calculated for this attacker over time that indicates how severe the attacker is compared to all other attackers in your network. Valid when the amount of threat posed to the network by an attacker is greater than or less than the configured value.
Default test name: when the amount of threat the attacker is posing is greater than this value
Parameters:
• greater than - Specify whether you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Attacker Threat
Description: STRM calculates the long-term and short-term threat of an attacker and then calculates the difference between the two to provide information on changes in the attacker's behavior. Valid when the threat delta posed by an attacker is greater than or less than the configured value.
Default test name: when the threat delta of the attacker is greater than this value
Parameters:
• greater than - Specify whether you want the threat delta to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.
Target Threat
Description: Threat under is the value applied to the threat a target is under over time, calculated as a weighted average of that threat over time. Valid when the amount of threat the target is under is greater than or less than the configured value.
Default test name: when the amount of the threat the target is under is greater than this value
Parameters:
• greater than - Specify whether you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Target Threat
Description: STRM calculates the long-term and short-term threat of a target and then calculates the difference between the two to provide information on changes in the target's behavior. Valid when the threat delta of the target is greater than or less than the configured value.
Default test name: when the threat delta of the target is greater than this value
Parameters:
• greater than - Specify whether you want the threat delta to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Asset
Description: Valid when the asset being attacked (destination) or the attacking host (source) has an assigned weight greater than or less than the configured value.
Default test name: when the destination asset has a weight greater than this value
Parameters:
• destination - Specify whether you want this test to consider the source or destination asset.
• greater than - Specify whether you want the asset weight to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.
Host Vulnerable to Event
Description: Valid when the local host destination port is vulnerable to the current event.
Default test name: when the target is vulnerable to current exploit on any port
Parameters:
• target - Specify whether you want this test to consider the target, attacker, local host, or remote host.
• current - Specify whether you want this test to consider the current exploit or any exploit.
• any - Specify whether you want this test to consider any port or the current port.

OSVDB IDs
Description: Valid when an IP address (source, destination, or any) is vulnerable to one of the configured Open Source Vulnerability Database (OSVDB) IDs.
Default test name: when the source IP is vulnerable to one of the following OSVDB IDs
Parameters:
• source IP - Specify whether you want this test to consider the source IP address, destination IP address, or any IP address.
• OSVDB IDs - Specify the OSVDB IDs you want this test to consider. For more information on OSVDB IDs, see http://osvdb.org/.

Date/Time Tests
The date and time tests include:

Table 4-8 Date/Time Tests

Event Day
Description: Valid when the event occurs on the configured day of the month.
Default test name: when the event(s) occur on the selected day of the month
Parameters:
• on - Specify whether you want this test to consider on, after, or before the configured day.
• selected - Specify the day of the month you want this test to consider.
Event Week
Description: Valid when the event occurs on one of the configured days of the week.
Default test name: when the event(s) occur on any of these days of the week
Parameters:
• these days of the week - Specify the days of the week you want this test to consider.

Event Time
Description: Valid when the event occurs after (or before, or at) the configured time.
Default test name: when the event(s) occur after this time
Parameters:
• after - Specify whether you want this test to consider after, before, or at the configured time.
• this time - Specify the time you want this test to consider.
Device Tests
The device tests include:

Table 4-9 Device Tests

Source Device
Description: Valid when one of the configured source devices is the source of the event.
Default test name: when the event(s) were detected by one or more of these devices
Parameters:
• these devices - Specify the devices you want this test to consider.

Source Device Type
Description: Valid when one of the configured device types is the source of the event.
Default test name: when the event(s) were detected by one or more of these device types
Parameters:
• these device types - Specify the device types you want this test to consider.

Devices
Description: Valid when the event(s) have not been detected by the configured devices for the configured time.
Default test name: when the event(s) have not been detected by one or more of these devices for 300 seconds
Parameters:
• these devices - Specify the devices you want this test to consider.
• 300 - Specify the time, in seconds, you want this test to consider.

Device Groups
Description: Valid when an event is detected by one of the configured device groups.
Default test name: when the event(s) were detected by one or more of these device groups
Parameters:
• these device groups - Specify the groups you want this test to consider.

Offense Rule Tests
This section provides information on the tests you can apply to offense rules, including:
• IP/Port Tests
• Function Tests
• Host Profile Tests
• Date/Time Tests
• Device Tests
• Offense Property Tests

IP/Port Tests
The IP/Port tests include:

Table 4-10 IP/Port Test Group

Attacker IP Address
Description: Valid when the attacker IP address is one of the configured IP addresses.
Default test name: when the attacker/violator IP is one of the following IP addresses
Parameters:
• IP addresses - Specify the IP addresses you want this test to consider. You can enter multiple entries using a comma-separated list.
Target IP Address
Description: Valid when the target list includes any (or all) of the configured IP addresses.
Default test name: when the target list includes any of the following IP addresses
Parameters:
• any - Specify whether you want this test to consider any or all of the listed targets.
• IP addresses - Specify the IP addresses you want this test to consider. You can enter multiple entries using a comma-separated list.

Function Tests
The function tests include:

Table 4-11 Offense Function Group

Multi-Rule Offense Function
Description: Allows you to use saved building blocks and other rules to populate this test. The offense has to match either all or any of the selected rules. To create an OR statement for this rule test, specify the any parameter.
Default test name: when the offense matches any of the following offense rules
Parameters:
• any - Specify whether any or all of the configured rules must apply for this test.
• rules - Specify the rules you want this test to consider.

Host Profile Tests
The host profile tests include:

Table 4-12 Host Profile Tests

Attacker Threat Level
Description: Threat posing is a value calculated for this attacker over time that indicates how severe the attacker is compared to all other attackers in your network. Valid when the threat posed to the network by an attacker is greater than or less than the configured value.
Default test name: when the amount of threat the attacker is posing is greater than this value
Parameters:
• greater than - Specify whether you want the threat level to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.
Network Vulnerability Risk
Description: Valid when the overall vulnerability assessment (VA) risk on the network is greater than or less than the configured value.
Default test name: when the overall network VA risk is greater than this value
Parameters:
• greater than - Specify whether you want the risk to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Network Threat Posing
Description: Valid when the amount of threat a network is posing to local and remote networks is greater than, less than, or equal to the configured value.
Default test name: when the amount of threat the network is posing is greater than this value
Parameters:
• greater than - Specify whether you want the value to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Network Threat Under
Description: Threat under is the value applied to the threat a network is under over time, calculated as a weighted average of that threat over time. Valid when the amount of threat a network is under from local and remote networks is greater than, less than, or equal to the configured value.
Default test name: when the amount of threat the network is under is greater than this value
Parameters:
• greater than - Specify whether you want the network threat to be greater than or less than the configured value.
• this value - Specify the value you want this test to consider.

Date/Time Tests
The date and time tests include:

Table 4-13 Date/Time Tests

Event Day
Description: Valid when the offense occurs on the configured day of the month.
Default test name: when the offense(s) occur on the selected day of the month
Parameters:
• on - Specify whether you want this test to consider on, after, or before the selected date.
• selected - Specify the date you want this test to consider.

Event Week
Description: Valid when the offense occurs on one of the configured days of the week.
Default test name: when the offense(s) occur on these days of the week
Parameters:
• on - Specify whether you want this test to consider on, after, or before the selected day.
• these days of the week - Specify the days you want this test to consider.
Event Time
Description: Valid when the offense occurs after, before, or at the configured time.
Default test name: when the offense(s) occur after this time
Parameters:
• after - Specify whether you want this test to consider after, before, or at the specified time.
• this time - Specify the time you want this test to consider.

Device Tests
The device tests include:

Table 4-14 Device Tests

Device Types
Description: Valid when one of the configured device types detected the offense.
Default test name: when the device type(s) that detected the offense is one of the following device types
Parameters:
• device types - Specify the device types you want this test to consider.

Number of Device Types
Description: Valid when the number of device types that detected the offense is greater than the configured value.
Default test name: when the number of device types that detected the offense is greater than this number
Parameters:
• greater than this number - Specify the number of device types you want this test to consider.

Offense Property Tests
The offense property tests include:

Table 4-15 Offense Property Tests

Network Object
Description: Valid when the networks affected are any or all of the configured networks.
Default test name: when the networks affected are any of the following networks
Parameters:
• any - Specify whether you want this test to consider any or all of the networks.
• one of the following networks - Specify the networks you want this test to consider.

Offense Category
Description: Valid when the offense categories include any or all of the configured event categories.
Default test name: when the categories of the offense include any of the following list of categories
Parameters:
• any - Specify whether you want this test to consider any or all of the categories.
• list of categories - Specify the categories you want this test to consider.
For more information on event categories, see the Event Category Correlation Reference Guide.
Severity
Description: Valid when the offense severity is greater than, less than, or equal to the configured value.
Default test name: when the offense severity is greater than 5 {default}
Parameters:
• greater than - Specify whether you want the offense severity to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Credibility
Description: Valid when the offense credibility is greater than, less than, or equal to the configured value.
Default test name: when the offense credibility is greater than 5 {default}
Parameters:
• greater than - Specify whether you want the offense credibility to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Relevance
Description: Valid when the offense relevance is greater than, less than, or equal to the configured value.
Default test name: when the offense relevance is greater than 5 {default}
Parameters:
• greater than - Specify whether you want the offense relevance to be greater than, less than, or equal to the configured value.
• 5 - Specify the value you want this test to consider.

Attack Context
Description: Attack context is the relationship between the attacker and the target, for example, a local attacker to a remote target. Valid when the attack context is one of the following:
• Local to Local
• Local to Remote
• Remote to Local
• Remote to Remote
Default test name: when the attack context is this context
Parameters:
• this context - Specify the context you want this test to consider. The options are Local to Local, Local to Remote, Remote to Local, and Remote to Remote.

Attacker Location
Description: Valid when the attacker is either local or remote. The default is remote.
Default test name: when the attacker is local or remote IPs {default: remote}
Parameters:
• local or remote - Specify whether you want the attacker to be local or remote.

Target Location
Description: Valid when the target is either local or remote. The default is remote.
Default test name: when the target list includes local or remote IP addresses {default: remote}
Parameters:
• local or remote IP addresses - Specify whether you want the target to be local or remote.
Table 4-15 Offense Property Tests (continued)
Test Description Default Test Name Parameters
STRM Administration Guide
214 CONFIGURING RULES
Network Flow Analysis
Description: Valid when STRM detects one of the configured behaviors in the Attacker Target analysis.
Default Test Name: when real-time network flow analysis has detected any of the following attacker target analysis behaviors listed.
Parameters: Configure the following parameters:
• any - Specify if you want this test to consider any or all behaviors.
• listed - Specify the behaviors you want this test to consider.
Network Flow Analysis
Description: Valid when STRM detects one of the configured behaviors in the Target analysis.
Default Test Name: when real-time network flow analysis has detected any of the following target analysis behaviors listed.
Parameters: Configure the following parameters:
• any - Specify if you want this test to consider any or all behaviors.
• listed - Specify the behaviors you want this test to consider.
Category Count in an Offense
Description: Valid when the number of event categories for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of categories involved in the offense is greater than this number
Parameters: Configure the following parameters:
• greater than - Specify if you want the number of categories to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.
For more information on event categories, see the Event Category Correlation Reference Guide.
Target Count in an Offense
Description: Valid when the number of targets for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of targets under attack is greater than this number
Parameters: Configure the following parameters:
• greater than - Specify if you want the number of targets to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.
Event Count in an Offense
Description: Valid when the number of events for an offense is greater than, less than, or equal to the configured value.
Default Test Name: when the number of events making up the offense is greater than this number
Parameters: Configure the following parameters:
• greater than - Specify if you want the number of events to be greater than, less than, or equal to the configured value.
• this number - Specify the value you want this test to consider.
Offense ID
Description: Valid when the Offense ID is the configured value.
Default Test Name: when the offense ID is this ID
Parameters: this ID - Specify the offense ID you want this test to consider.
Offense Creation
Description: Valid when a new offense is created.
Default Test Name: when a new offense is created
Copying a Rule
To copy a rule:
Step 1 Select the Offense Manager tab.
The Offense Manager appears.
Step 2 In the navigation bar, click Rules.
Step 3 In the Display drop-down list box, select Rules.
Step 4 Select the rule you want to duplicate.
Step 5 Using the Actions drop-down list box, select Duplicate.
Step 6 In the Enter name for the copied rule, enter a name for the new rule. Click Ok.
The duplicated rule appears.
Step 7 Click Edit to edit the tests for the rule.
For more information on editing the rule, see Creating a Rule.
Deleting a Rule
To delete a rule:
Step 1 Select the Offense Manager tab.
The Offense Manager appears.
Step 2 In the navigation bar, click Rules.
Step 3 In the Display drop-down list box, select Rules.
Step 4 Select the rule you want to delete.
Step 5 Using the Actions drop-down list box, select Delete.
Offense Change
Description: Valid when the configured offense property has increased above or decreased below the configured value.
Default Test Name: when the offense property has increased by at least this percent
Parameters: Configure the following parameters:
• property - Specify the property you want this test to consider. The options are magnitude, severity, credibility, relevance, target count, attacker count, category count, annotation count, or event count.
• this - Specify the percent value you want this test to consider.
• percent - Specify if you want this test to consider percentage or units.
Grouping Rules
You can now group and view your rules and building blocks based on your chosen criteria. Categorizing your rules or building blocks into groups allows you to efficiently view and track your rules. For example, you can view all rules related to compliance. By default, the Rules interface displays all rules and building blocks.
As you create new rules, you can choose whether to assign the rule to an existing group. For information on assigning a group to a rule using the rule wizard, see Creating a Rule.
Note: You must have administrative access to create, edit, or delete groups. For more information on user roles, see Chapter 1 Managing Users.
This section provides information on grouping rules and building blocks, including:
• Viewing Groups
• Creating a Group
• Editing a Group
• Copying an Item to Another Group(s)
• Deleting an Item from a Group
• Assigning an Item to a Group
Viewing Groups
To view rules or building blocks using groups:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Using the Display drop-down list box, select whether you want to view Rules or Building Blocks.
Step 4 From the Filter drop-down list box, select the group category you want to view.
Step 5 The list of items assigned to that group appears.
Creating a Group
To create a group:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the group under which you want to create a new group.
Note: Once you create the group, you can drag and drop menu tree items to change the organization of the tree items.
Step 5 Click New Group.
The Group Properties window appears.
Step 6 Enter values for the parameters:
• Name - Specify the name you want to assign to the new group. The name may be up to 255 characters in length.
• Description - Specify a description you want to assign to this group. The description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree.
Step 9 Close the Groups window.
Editing a Group
To edit a group:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the group you want to edit.
Step 5 Click Edit.
The Group Properties window appears.
Step 6 Update values for the parameters, as necessary:
• Name - Specify the name you want to assign to the group. The name may be up to 255 characters in length.
• Description - Specify a description you want to assign to this group. The description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the group, click the group and drag the folder to the desired location in your menu tree.
Step 9 Close the Groups window.
Copying an Item to Another Group(s)
Using the groups functionality, you can copy a rule or building block to one or many groups. To copy a rule or building block:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the rule or building block you want to copy to another group.
Step 5 Click Copy.
The Choose Group window appears.
Step 6 Select the check box for the group(s) to which you want to copy the rule or building block.
Step 7 Click Copy.
Step 8 Close the Groups window.
Deleting an Item from a Group
To delete a rule or building block from a group:
Note: Deleting a group removes this rule or building block from the Rules interface. Deleting an item from a group does not delete the rule or building block from the Rules interface.
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the top level group.
Step 5 From the list of groups, select the group you want to delete.
Step 6 Click Remove.
A confirmation window appears.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag the folder to the desired location in your menu tree.
Step 9 Close the Groups window.
Assigning an Item to a Group
To assign a rule or building block to a group:
Step 1 Click the Offense Manager tab.
The Offense Manager interface appears.
Step 2 In the navigation menu, click Rules.
Step 3 Select the rule or building block you want to assign to a group.
Step 4 Using the Actions drop-down list box, select Assign Groups.
The Choose Group window appears.
Step 5 Click Assign Groups.
Editing Building Blocks
Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that excludes the IP addresses of all mail servers in your deployment from the rule.
The default building blocks depend on the template chosen during the installation process. For more information on the defaults, see:
• Enterprise Template - See Appendix B Enterprise Template Defaults.
• University Template - See Appendix C University Template Defaults.
To edit a building block:
Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 In the Display drop-down list box, select Building Blocks.
The Building Blocks appear.
Step 4 Double-click the building block you want to edit.
The Custom Rules Wizard appears.
Step 5 Update the building block, as necessary. Click Next.
Step 6 Continue through the wizard. For more information, see Creating a Rule.
The Rule Summary appears.
Step 7 Click Finish.
Chapter 12 DISCOVERING SERVERS
The Server Discovery function uses STRM’s Asset Profile database to discover different server types based on port definitions, then allows you to select which servers should be added to a server-type building block. This feature makes the discovery and tuning process simpler and faster by allowing a quick mechanism to insert servers into building blocks.
The Server Discovery function is based on server-type building blocks. Ports are used to define the server type so that the server-type building block essentially functions as a port-based filter when searching the Asset Profile database.
For more information on building blocks, see Chapter 11 Configuring Rules.
To discover servers:
Step 1 Click the Assets tab.
The Assets window appears.
Step 2 In the navigation menu, click Server Discovery.
The Server Discovery panel appears.
Step 3 From the Server Type drop-down list box, select the server type you want to discover.
Step 4 Select the option to determine the servers you want to discover, including:
• All - Search all servers in your deployment with the currently selected Server Type.
• Assigned - Search servers in your deployment that have been previously assigned to the currently selected Server Type.
• Unassigned - Search servers in your deployment that have not been previously assigned.
Step 5 From the Network drop-down list box, select the network you want to search.
Step 6 Click Discover Servers.
The discovered servers appear.
Step 7 In the Matching Servers table, select the check box(es) of all servers you want to assign to the server role.
Note: If you want to modify the search criteria, click either Edit Port or Edit Definition. The Rules Wizard appears. For more information on the rules wizard, see Chapter 11 Configuring Rules.
Step 8 Click Approve Selected Servers.
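The port-based filtering this procedure drives, modelled in Python as an added example (not STRM code): a server-type building block is a set of ports, the asset database is searched with it, and the All / Assigned / Unassigned options filter on whether a host is already a member. The asset records, the building block and its port definition are constructed sample data.

```python
"""Port-based server discovery over an asset profile database.

Added example, not STRM code. A server-type building block carries a port
definition; searching the asset database with it yields the hosts exposing
any of those ports, and the All / Assigned / Unassigned options filter on
whether a host has already been approved into that building block. The
asset records and the building block below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    """One asset profile: a host and the ports it has been seen listening on."""
    ip: str
    open_ports: FrozenSet[int]


@dataclass
class ServerTypeBuildingBlock:
    """A server-type building block: its port definition and approved members."""
    name: str
    ports: FrozenSet[int]
    members: Set[str] = field(default_factory=set)


def discover_servers(assets: Iterable[Asset], block: ServerTypeBuildingBlock,
                     scope: str = "All", network: Optional[str] = None) -> List[Asset]:
    """Return the assets matching the block's port definition.

    scope is "All", "Assigned" (already in the block) or "Unassigned" (not yet
    in it); network, if given, restricts the search to one CIDR block.
    """
    if scope not in ("All", "Assigned", "Unassigned"):
        raise ValueError(f"unknown scope {scope!r}")
    net = ipaddress.ip_network(network) if network else None
    matches: List[Asset] = []
    for asset in assets:
        if net is not None and ipaddress.ip_address(asset.ip) not in net:
            continue
        if not (asset.open_ports & block.ports):
            continue  # the port definition is the filter
        assigned = asset.ip in block.members
        if (scope == "Assigned" and not assigned) or (scope == "Unassigned" and assigned):
            continue
        matches.append(asset)
    return matches


def approve_selected_servers(block: ServerTypeBuildingBlock, selected: Iterable[str]) -> List[str]:
    """Add the approved hosts to the building block and return its members."""
    block.members.update(selected)
    return sorted(block.members)


# Constructed sample data: four asset profiles and a DNS server building block.
SAMPLE_ASSETS = [
    Asset("10.1.0.10", frozenset({22, 53})),   # DNS server already approved
    Asset("10.1.0.11", frozenset({53})),       # DNS server not yet approved
    Asset("10.2.0.20", frozenset({53, 80})),   # DNS server in another network
    Asset("10.1.0.30", frozenset({443})),      # web server, no DNS port
]
DNS_SERVERS = ServerTypeBuildingBlock("BB DNS Servers", frozenset({53}),
                                      members={"10.1.0.10"})


def discovery_report(scope: str, network: Optional[str] = None) -> List[str]:
    """Run discovery on the sample data and return the matching IPs."""
    return [a.ip for a in discover_servers(SAMPLE_ASSETS, DNS_SERVERS, scope, network)]
```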
Chapter 13 FORWARDING SYSLOG DATA
STRM allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM normalized event data. You can forward data on a per Event Collector/Event Processor basis and you can configure multiple forwarding destinations. Also, STRM ensures that all data that is forwarded is unaltered.
This chapter includes:
• Adding a Syslog Destination
• Editing a Syslog Destination
• Delete a Syslog Destination
Adding a Syslog Destination
To add a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon. The Syslog Forwarding Destinations window appears.
Step 3 Click Add. The Syslog Forwarding Destinations window appears.
Step 4 Enter values for the parameters:
• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log data.
Step 5 Click Save.
Editing a Syslog Destination
To edit a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 3 Select the entry you want to edit.
Step 4 Click Edit.
The Syslog Forwarding Destinations window appears.
Step 5 Update values, as necessary:
• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log data.
Step 6 Click Save.
Delete a Syslog Destination
To delete a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 3 Select the entry you want to delete.
Step 4 Click Delete.
A confirmation window appears.
Step 5 Click Ok.
Appendix A JUNIPER NETWORKS MIB
This appendix provides information on the Juniper Networks Management Information Base (MIB). The Juniper Networks MIB allows you to send SNMP traps to other network management systems. The Juniper Networks OID is 1.3.6.1.4.1.20212.
Note: For assistance with the Juniper Networks MIB, please contact Juniper Networks Customer Support.
The Juniper Networks MIB includes:
JUNIPER-STRM-TRAPS DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, IpAddress, Integer32, Counter64
FROM SNMPv2-SMI
jnxStrm
FROM JUNIPER-SMI
DisplayString, DateAndTime, TruthValue, TEXTUAL-CONVENTION
FROM SNMPv2-TC;
strmTrapInfo MODULE-IDENTITY
LAST-UPDATED "200811101100Z"
ORGANIZATION "Juniper Networks, Inc"
CONTACT-INFO
" Juniper Technical Assistance Center
Juniper Networks, Inc.
1194 N. Mathilda Avenue
Sunnyvale, CA 94089
E-mail: [email protected]"
DESCRIPTION "Security Threat Response Manager trap definitions for STRM"
::= { jnxStrm 1 }
strmTrap OBJECT IDENTIFIER ::= { jnxStrm 0 }
---
--- Variables within the STRM Trap Info
--- .2636.7.1.*
---
strmLocalHostAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "IP address of the local machine where the notification originated"
::= { strmTrapInfo 1 }
strmTimeString OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Time offense was created or time the event rule fired. Example 'Mon Apr 28 10:14:49 GMT 2008'"
::= { strmTrapInfo 2 }
strmTimeInMillis OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Time offense was created or time the event rule fired in milliseconds"
::= { strmTrapInfo 3 }
---
--- Offense Properties
---
strmOffenseID OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Offense ID"
::= { strmTrapInfo 4 }
strmOffenseDescription OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Description of the Offense"
::= { strmTrapInfo 6 }
strmOffenseLink OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "HTTP link to the offense"
::= { strmTrapInfo 7 }
strmMagnitude OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Offense magnitude"
::= { strmTrapInfo 8 }
strmSeverity OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Offense severity"
::= { strmTrapInfo 9 }
strmCreditibility OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Offense credibility"
::= { strmTrapInfo 10 }
strmRelevance OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Offense relevance"
::= { strmTrapInfo 11 }
---
--- Attacker Properties
---
strmAttackerIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Attacker IP"
::= { strmTrapInfo 12 }
strmAttackerUserName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Attacker's User Name"
::= { strmTrapInfo 13 }
strmAttackerCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Attackers"
::= { strmTrapInfo 14 }
strmTop5AttackerIPs OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
::= { strmTrapInfo 15 }
strmTopAttackerIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Attacker IPs"
::= { strmTrapInfo 16 }
strmTop5AttackerUsernames OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
::= { strmTrapInfo 48 }
strmTopAttackerUsername OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..32))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Attacker IPs"
::= { strmTrapInfo 49 }
strmAttackerNetworks OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Attacker Networks(comma separated)"
::= { strmTrapInfo 17 }
---
--- Target Properties
---
strmTargetIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Target IP"
::= { strmTrapInfo 18 }
strmTargetUserName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Target's User Name"
::= { strmTrapInfo 19 }
strmTargetCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Targets"
::= { strmTrapInfo 20 }
strmTop5TargetIPs OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Target IPs by Magnitude"
::= { strmTrapInfo 21 }
strmTopTargetIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Target"
::= { strmTrapInfo 22 }
strmTop5TargetUsernames OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Target Usernames by Magnitude"
::= { strmTrapInfo 50 }
strmTopTargetUsername OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..32))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Target"
::= { strmTrapInfo 51 }
strmTargetNetworks OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Target Networks(comma separated)"
::= { strmTrapInfo 23 }
---
--- Category properties
---
strmCategoryCount OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Categories"
::= { strmTrapInfo 24 }
strmTop5Categories OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top 5 Categories(comma separated)"
::= { strmTrapInfo 25 }
strmTopCategory OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Category"
::= { strmTrapInfo 26 }
strmCategoryID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Category ID of Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 27 }
strmCategory OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Category of the Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 28 }
---
--- Annontation Properties
---
strmAnnotationCount OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Annotations"
::= { strmTrapInfo 29 }
strmTopAnnotation OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Top Annotation"
::= { strmTrapInfo 30 }
---
--- Rule Properties
---
strmRuleCount OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Rules contained in the Offense"
::= { strmTrapInfo 31 }
strmRuleNames OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Names of the Rules that contributed to the
Offense(comma separated)"
::= { strmTrapInfo 32 }
strmRuleID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "ID of the Rule that was triggered in the CRE"
::= { strmTrapInfo 33 }
strmRuleName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..256))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Name of the Rules that was triggered in the CRE"
::= { strmTrapInfo 34 }
strmRuleDescription OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Description/Notes of the Rules that was triggered
in the CRE"
::= { strmTrapInfo 35 }
---
--- Event Properties
---
strmEventCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Total Number of Events contained in the Offense"
::= { strmTrapInfo 36 }
strmEventID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "ID of the Event that triggered the Event CRE Rule"
::= { strmTrapInfo 37 }
strmQid OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "QID of the Event that triggered the Event CRE Rule"
::= { strmTrapInfo 38 }
strmEventName OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..256))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Name of the Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 39 }
strmEventDescription OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..1024))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Description/Notes of the Event that triggered the
Event CRE Rule"
::= { strmTrapInfo 40 }
---
--- IP Properties
---
strmSourceIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Source IP of the Event that triggered the Event CRE
Rule"
::= { strmTrapInfo 41 }
strmSourcePort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Source Port of the Event that triggered the Event
CRE Rule"
::= { strmTrapInfo 42 }
strmDestinationIP OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Destination IP of the Event that triggered the
Event CRE Rule"
::= { strmTrapInfo 43 }
strmDestinationPort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Destination Port of the Event that triggered the
Event CRE Rule"
::= { strmTrapInfo 44 }
strmProtocol OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Protocol of the Event that triggered the Event CRE Rule"
::= { strmTrapInfo 45 }
strmAttackerPort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Source Port of the Event that triggered the Event CRE Rule"
::= { strmTrapInfo 46 }
strmTargetPort OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "Destination Port of the Event that triggered the Event CRE Rule"
::= { strmTrapInfo 47 }
---
--- STRM Trap Notifications
--- .2636.7.0.*
---
strmEventCRENotification NOTIFICATION-TYPE
OBJECTS {
strmLocalHostAddress,
strmTimeString,
strmRuleName,
strmRuleDescription,
strmAttackerIP,
strmAttackerPort,
strmAttackerUserName,
strmAttackerNetworks,
strmTargetIP,
strmTargetPort,
strmTargetUserName,
strmTargetNetworks,
strmProtocol,
strmQid,
strmEventName,
strmEventDescription,
strmCategory
}
STATUS current
DESCRIPTION "Event CRE Notification"
::= { strmTrap 1 }
strmOffenseCRENotification NOTIFICATION-TYPE
OBJECTS {
strmLocalHostAddress,
strmTimeString,
strmRuleName,
strmRuleDescription,
strmOffenseID,
strmOffenseDescription,
strmOffenseLink,
strmMagnitude,
strmSeverity,
strmCreditibility,
strmRelevance,
strmEventCount,
strmCategoryCount,
strmTop5Categories,
strmAttackerIP,
strmAttackerUserName,
strmAttackerNetworks,
strmAttackerCount,
strmTop5AttackerIPs,
strmTargetIP,
strmTargetUserName,
strmTargetNetworks,
strmTargetCount,
strmTop5TargetIPs,
strmRuleCount,
strmRuleNames,
strmAnnotationCount,
strmTopAnnotation.1,
strmTopAnnotation.2,
strmTopAnnotation.3,
strmTopAnnotation.4,
strmTopAnnotation.5
}
STATUS current
DESCRIPTION "Offense CRE Notification"
::= { strmTrap 2 }
END
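A trap receiver on the monitoring side has to map the numeric varbind OIDs of these notifications back to the object names above. The following Python is an added example (not code from the guide or from Juniper) that does this decoding using the strmTrapInfo sub-identifiers from the MIB; the numeric OID of jnxStrm is passed in as a parameter, and the value used for it here, together with the sample varbinds, is an assumption built from the MIB's own ".2636.7.1.*" comment.

```python
"""Decode the varbinds of a JUNIPER-STRM-TRAPS notification into named fields.

Added example for a trap receiver; not code from the STRM guide or from Juniper.
It uses the strmTrapInfo sub-identifiers listed in the MIB above. The numeric
OID of jnxStrm is an assumption (the guide only gives the ".2636.7.1.*" suffix),
so it is passed in as a parameter; the sample varbinds are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Name of each object under strmTrapInfo (jnxStrm 1), keyed by sub-identifier.
STRM_TRAP_INFO: Dict[int, str] = {
    1: "strmLocalHostAddress", 2: "strmTimeString", 3: "strmTimeInMillis",
    4: "strmOffenseID", 6: "strmOffenseDescription", 7: "strmOffenseLink",
    8: "strmMagnitude", 9: "strmSeverity", 10: "strmCreditibility",
    11: "strmRelevance", 12: "strmAttackerIP", 13: "strmAttackerUserName",
    14: "strmAttackerCount", 15: "strmTop5AttackerIPs", 16: "strmTopAttackerIP",
    17: "strmAttackerNetworks", 18: "strmTargetIP", 19: "strmTargetUserName",
    20: "strmTargetCount", 21: "strmTop5TargetIPs", 22: "strmTopTargetIP",
    23: "strmTargetNetworks", 24: "strmCategoryCount", 25: "strmTop5Categories",
    26: "strmTopCategory", 27: "strmCategoryID", 28: "strmCategory",
    29: "strmAnnotationCount", 30: "strmTopAnnotation", 31: "strmRuleCount",
    32: "strmRuleNames", 33: "strmRuleID", 34: "strmRuleName",
    35: "strmRuleDescription", 36: "strmEventCount", 37: "strmEventID",
    38: "strmQid", 39: "strmEventName", 40: "strmEventDescription",
    41: "strmSourceIP", 42: "strmSourcePort", 43: "strmDestinationIP",
    44: "strmDestinationPort", 45: "strmProtocol", 46: "strmAttackerPort",
    47: "strmTargetPort", 48: "strmTop5AttackerUsernames",
    49: "strmTopAttackerUsername", 50: "strmTop5TargetUsernames",
    51: "strmTopTargetUsername",
}
# Notification identities under strmTrap (jnxStrm 0).
STRM_TRAPS = {1: "strmEventCRENotification", 2: "strmOffenseCRENotification"}
# Objects whose DESCRIPTION in the MIB says "comma separated".
COMMA_SEPARATED = {
    "strmTop5AttackerIPs", "strmTop5AttackerUsernames", "strmAttackerNetworks",
    "strmTop5TargetIPs", "strmTop5TargetUsernames", "strmTargetNetworks",
    "strmTop5Categories", "strmRuleNames",
}
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, carried in every SNMPv2 trap


@dataclass
class StrmTrap:
    notification: str = "unknown"
    fields: Dict[str, Any] = field(default_factory=dict)
    unknown: List[Tuple[str, Any]] = field(default_factory=list)  # OIDs not in the MIB


def _oid(oid: str) -> List[int]:
    return [int(p) for p in oid.strip(".").split(".")]


def decode_strm_trap(varbinds: List[Tuple[str, Any]], jnx_strm_oid: str) -> StrmTrap:
    """Map (oid, value) varbinds to MIB object names; unknown OIDs are kept aside."""
    base = _oid(jnx_strm_oid)
    info_prefix, trap_prefix = base + [1], base + [0]
    result = StrmTrap()
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID:  # identifies which notification this is
            trap = _oid(str(value))
            if trap[:-1] == trap_prefix:
                result.notification = STRM_TRAPS.get(trap[-1], f"strmTrap.{trap[-1]}")
            continue
        parts = _oid(oid)
        if parts[:len(info_prefix)] != info_prefix or len(parts) <= len(info_prefix):
            result.unknown.append((oid, value))
            continue
        name = STRM_TRAP_INFO.get(parts[len(info_prefix)])
        if name is None:
            result.unknown.append((oid, value))
            continue
        if name in COMMA_SEPARATED and isinstance(value, str):
            value = [v.strip() for v in value.split(",") if v.strip()]
        # The offense trap sends strmTopAnnotation.1 .. .5; keep them as an ordered list.
        instance = parts[len(info_prefix) + 1:]
        if name == "strmTopAnnotation" and instance and instance[0] != 0:
            result.fields.setdefault(name, []).append(value)
        else:
            result.fields[name] = value
    return result


# Constructed sample: an offense CRE notification as a receiver might see it.
ASSUMED_JNX_STRM = "1.3.6.1.4.1.2636.7"  # assumption taken from the ".2636.7.1.*" comment
SAMPLE_VARBINDS: List[Tuple[str, Any]] = [
    (SNMP_TRAP_OID, ASSUMED_JNX_STRM + ".0.2"),          # strmOffenseCRENotification
    (ASSUMED_JNX_STRM + ".1.1.0", "10.0.0.5"),           # strmLocalHostAddress
    (ASSUMED_JNX_STRM + ".1.2.0", "Mon Apr 28 10:14:49 GMT 2008"),
    (ASSUMED_JNX_STRM + ".1.4.0", 1234),                 # strmOffenseID
    (ASSUMED_JNX_STRM + ".1.8.0", 7),                    # strmMagnitude
    (ASSUMED_JNX_STRM + ".1.15.0", "192.0.2.10, 192.0.2.11, 192.0.2.12"),
    (ASSUMED_JNX_STRM + ".1.30.1", "first annotation"),
    (ASSUMED_JNX_STRM + ".1.30.2", "second annotation"),
    (ASSUMED_JNX_STRM + ".1.99.0", "not defined in the MIB"),
]


def decode_sample() -> StrmTrap:
    """Decode the constructed sample notification."""
    return decode_strm_trap(SAMPLE_VARBINDS, ASSUMED_JNX_STRM)
```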
Appendix B ENTERPRISE TEMPLATE DEFAULTS
The Enterprise template includes settings with emphasis on internal network activities. This appendix provides the defaults for the Enterprise template, including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks
Default Sentries The default sentries for the Enterprise template include:
Table B-1 Default Sentries
Sentry Description
Behavior - Flow Count Behavior Change
Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.
Behavior - Host Count Behavior Change
Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.
Behavior - Threat Traffic Packet Rate Behavior Change
Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.
DoS - External - Distributed DoS Attack (High Number of Hosts)
Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Distributed DoS Attack (Low Number of Hosts)
Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Distributed DoS Attack (Medium Number of Hosts)
Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Flood Attack (High)
Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.
DoS - External - Flood Attack (Medium)
Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - External - Flood Attack (Low)
Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - External - Potential ICMP DoS
Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - External - Potential TCP DoS
Detects flows that appear to be a TCP DoS attack attempt.
DoS - External - Potential UDP DoS
Detects flows that appear to be a UDP DoS attack attempt.
DoS - External - Potential Unresponsive Service or Distributed DoS
Detects a low number of hosts sending identical, non-responsive packets to a single target.
DoS - Internal - Distributed DoS Attack (High Number of Hosts)
Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Low Number of Hosts)
Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Medium Number of Hosts)
Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Flood Attack (Medium)
Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - Internal - Flood Attack (High)
Detects flood attacks above 100,000 packets per second. This activity typically indicates a serious attack.
DoS - Internal - Flood Attack (Low)
Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - Internal - Potential ICMP DoS
Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - Internal - Potential TCP DoS
Detects flows that appear to be a TCP DoS attack attempt.
DoS - Internal - Potential UDP DoS
Detects flows that appear to be a UDP DoS attack attempt.
DoS - Internal - Potential Unresponsive Service or Distributed DoS
Detects a low number of hosts sending identical, non-responsive packets to a single target.
Policy - External - Large Outbound File Transfer
Detects a possible information leak.
Local Host Count Change
Detects scanning activity or a worm infection.
Malware - External - Client Based DNS Activity to the Internet
Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a bot net connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.
Malware - External Communication with BOT Control Channel
Detects an IP address being communicated that was a control channel for a BOTNET. The local machine may be infected with a bot and should be investigated.
Policy - External - Clear Text Application Usage
Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - External - Hidden FTP Server
Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - Internal - Clear Text Application Usage
Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - Internal - Hidden FTP Server
Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - External - IM/Chat
Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - External - IRC Connections
Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Table B-1 Default Sentries (continued)
Sentry Description
STRM Administration Guide
244 ENTERPRISE TEMPLATE DEFAULTS
Policy - Local P2P Server Detected
Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as, copyright infringement.
Policy - External - Long Duration Flow Detected
Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3,600 seconds, which means that an event generates 3,600 seconds after the first instance of the event.
Policy - External - P2P Communications Detected
Detects Peer-to-Peer (P2P) communications.
Policy - External - Possible Tunneling
Detects possible tunneling, which can indicate a bypass of policy, or an infected system.
Policy - External - Remote Desktop Access from the Internet
Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.
Policy - External - SMTP Mail Sender
Detects an internal host sending a large number of SMTP flows from the same source to the Internet, in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Policy - External - SSH or Telnet Detected on Non-Standard Ports
Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23, respectively. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - Internal - SSH or Telnet Detected on Non-Standard Ports
Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23, respectively. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - External - Usenet Usage
Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.
Policy - External - VNC Access From the Internet to a Local Host
Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.
Recon - External - ICMP Scan (High)
Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.
Recon - External - ICMP Scan (Low)
Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - ICMP Scan (Medium)
Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.
Recon - External - Potential Network Scan
Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.
Recon - External - Scanning Activity (High)
Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - External - Scanning Activity (Low)
Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not be exhibiting this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - Scanning Activity (Medium)
Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Recon - Internal - ICMP Scan (High)
Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.
Recon - Internal - ICMP Scan (Low)
Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - ICMP Scan (Medium)
Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.
Recon - Internal - Potential Network Scan
Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not be exhibiting this behavior for long periods of time.
Recon - Internal - Scanning Activity (High)
Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - Internal - Scanning Activity (Low)
Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, typically client hosts in your network should not exhibit this behavior for long periods of time. If this behavior continues for long periods of time, this may indicate classic behavior of worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - Scanning Activity (Medium)
Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Suspicious - Internal - Outbound Unidirectional Flows Threshold
Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.
Suspicious - External - Outbound Unidirectional Flows Threshold
Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes. By default, this activity must occur 5 times before an alert generates.
Suspicious - External - Inbound Unidirectional Flows Threshold
Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan is in progress, worms, DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.
Suspicious - External - Anomalous ICMP Flows
Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Invalid TCP Flag usage
Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - External - Port 0 Flows Detected
Detects flows whose destination or source ports are 0. This may be considered suspicious.
Suspicious - External - Rejected Communication Attempts
Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Unidirectional ICMP Detected
Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Unidirectional ICMP Responses Detected
Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - External - Unidirectional TCP Flows
Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and such activity should therefore be considered suspicious.
Suspicious - External - Unidirectional UDP or Misc Flows
Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Suspicious - External - Suspicious IRC Traffic
Detects suspicious IRC traffic.
Suspicious - Internal - Anomalous ICMP Flows
Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Invalid TCP Flag usage
Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - Internal - Port 0 Flows Detected
Detects flows whose destination or source ports are 0. This may be considered suspicious.
Suspicious - Internal - Rejected Communication Attempts
Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Unidirectional ICMP Detected
Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Unidirectional ICMP Responses Detected
Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 15.
Suspicious - Internal - Unidirectional TCP Flows
Detects flows that indicate a host is sending an excessive quantity (at least 15) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, and such activity should therefore be considered suspicious.
Suspicious - Internal - Unidirectional UDP or Misc Flows
Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Default Custom Views
This section provides the default custom views for the Enterprise template including:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group
IP Tracking Group
Pre-configured groups that specify traffic flows from your local and remote IP addresses including:
Table B-2 Custom Views - IP Tracking View
IP Tracking Group Group Objects
Locals Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.
Remotes Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.
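To make the detection logic behind the default sentries in Table B-1 concrete, here is an added example that evaluates four of them (the ICMP scan severity levels, hidden FTP/SSH/Telnet servers, port 0 flows and the outbound unidirectional-flow threshold) over constructed flow records. This is not STRM code: the Flow record layout, the function names and the sample traffic are assumptions made for the illustration, and the thresholds are the defaults quoted in the sentry descriptions.

```python
"""Toy flow-based evaluator for a few of the Table B-1 default sentries.

Added example, not STRM code.  Flow layout, function names and the sample
flows are constructed; the thresholds are the page's stated defaults.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int        # seconds since an arbitrary epoch (constructed)
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    app: str          # application signature: "ftp", "ssh", "telnet", "unknown"
    dst_bytes: int    # 0 => the destination never answered (unidirectional)


# Recon - ICMP Scan (High/Medium/Low): more than N distinct hosts per minute.
ICMP_SCAN_LEVELS = (("High", 100_000), ("Medium", 5_000), ("Low", 500))
# Policy - Hidden FTP / SSH or Telnet Detected on Non-Standard Ports.
STANDARD_PORTS = {"ftp": {21}, "ssh": {22}, "telnet": {23}}


def icmp_scan_level(flows, src, minute):
    """Severity of ICMP scanning by `src` in one minute bucket, or None."""
    targets = {f.dst for f in flows
               if f.src == src and f.proto == "icmp" and f.start // 60 == minute}
    for name, threshold in ICMP_SCAN_LEVELS:   # highest severity first
        if len(targets) > threshold:
            return name
    return None


def hidden_servers(flows):
    """(dst, app, port) for FTP/SSH/Telnet flows whose server port is non-standard."""
    return [(f.dst, f.app, f.dport) for f in flows
            if f.app in STANDARD_PORTS and f.dport not in STANDARD_PORTS[f.app]]


def port0_flows(flows):
    """Suspicious - Port 0 Flows Detected (TCP/UDP only; ICMP records carry
    type/code in the port fields, so they are excluded)."""
    return [f for f in flows
            if f.proto in ("tcp", "udp") and (f.sport == 0 or f.dport == 0)]


def unidirectional_burst(flows, src, window=300, limit=1000):
    """Outbound Unidirectional Flows Threshold: more than `limit` one-sided
    flows from `src` inside any `window`-second span (page default: 1,000 in 5 min)."""
    times = sorted(f.start for f in flows if f.src == src and f.dst_bytes == 0)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:      # slide the window start forward
            lo += 1
        if hi - lo + 1 > limit:
            return True
    return False


def evaluate(flows):
    """Run the sentries above and return {sentry name: finding}."""
    findings = {}
    for src in sorted({f.src for f in flows}):
        for minute in {f.start // 60 for f in flows if f.src == src}:
            level = icmp_scan_level(flows, src, minute)
            if level:
                findings[f"Recon - ICMP Scan ({level})"] = src
        if unidirectional_burst(flows, src):
            findings["Suspicious - Outbound Unidirectional Flows Threshold"] = src
    for dst, app, port in hidden_servers(flows):
        findings[f"Policy - Hidden {app.upper()} Server"] = (dst, port)
    if port0_flows(flows):
        findings["Suspicious - Port 0 Flows Detected"] = len(port0_flows(flows))
    return findings


def sample_flows():
    """Constructed traffic: an ICMP sweep of 600 hosts within one minute (Low),
    a 1,001-flow one-sided burst in 5 minutes, an FTP server answering on
    port 2121, a normal SSH session on 22, and one UDP flow with source port 0."""
    flows = [Flow(60 + i % 60, "10.0.0.5", f"10.0.{i // 256}.{i % 256}",
                  "icmp", 0, 0, "unknown", 0) for i in range(600)]
    flows += [Flow(1000 + (i * 299) // 1000, "10.0.0.9", f"192.0.2.{i % 254}",
                   "tcp", 50000, 445, "unknown", 0) for i in range(1001)]
    flows.append(Flow(5000, "198.51.100.7", "10.0.0.20", "tcp", 40000, 2121, "ftp", 512))
    flows.append(Flow(5001, "198.51.100.7", "10.0.0.21", "tcp", 40001, 22, "ssh", 2048))
    flows.append(Flow(5100, "10.0.0.33", "203.0.113.9", "udp", 0, 53, "unknown", 0))
    return flows


if __name__ == "__main__":
    for sentry, finding in evaluate(sample_flows()).items():
        print(f"{sentry}: {finding}")
```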
Threats Group
Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including:
Table B-3 Custom Views - Threats View
Group Objects
Exceptions
This group includes:
• Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.
DoS
The Denial of Service (DoS) group includes:
• Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
• Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
• Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
• Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
• Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
• Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.
Scanning
This scanning group includes:
• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
• ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
• Scan_High - Defines a scan of more than 100,000 hosts per minute.
• Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
• Scan_Low - Defines a scan of more than 500 hosts per minute.
• Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contains little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contains little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contains little, if any, payload. These can be the result of scans where the target responds to the attack.
• Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.
PortScans
This PortScans group includes:
• Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
• UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.
Suspicious_IP_Protocol_Usage
This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
• Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet, using ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
• TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to Internet RFCs and should be considered malicious.
• Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate application failures to connect to a service, but can indicate other issues if the quantity or rate of these flows is high.
• Unidirectional_ICMP_Reply - Detects unidirectional ICMP replies or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network attempting to enumerate hosts.
• Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network attempting to enumerate hosts.
• Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (or other flows that are neither TCP nor ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.
• Zero_Payload_Bidirectional_Flows - Detects flows that contain small amounts of payload, if any. This may be the result of scans where the target responds with reset packets.
• Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
• Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.
• Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.
Remote_Access_Violation
This group includes:
• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.
• Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports of this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.
• Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
• VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
Suspicious_IRC
Detects suspicious IRC activity.
Attacker Target Analysis Group
Pre-configured groups that specify traffic flows from attackers, responses, and events including:
Table B-4 Custom Views - AttackerTargetAnalysis
Group Objects
AttackResponseAnalysis
This group includes:
• Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.
• Target_Responded - The network flow analysis indicates a target responded to the event from the attacker, and therefore increases the likelihood the attacker was successful.
PeripheralCommsAnalysis
This group includes:
• Activity_Before_Event - The network flow analysis indicates a target and attacker were communicating prior to the event that generated this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking this host. Many typical attacks fire an exploit at the target with little or no prior host investigation.
• Activity_After_Event - The network flow analysis indicates a target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker/target were also seen communicating before the event, and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate a successful attack has occurred.
• Target_Initiating_Comms_To_Attacker - The network flow analysis indicates a target was seen initiating connections back to the attacker before or after the event. This may indicate that the attacker has successfully forced the target to communicate with the attacker, bypassing firewall rules.
Target Analysis Group
Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays including:
Table B-5 Custom Views - TargetAnalysis
Group Objects
BotNetAnalysis
BotNet_Connect - The network flow analysis indicates a target host is connected to IRC servers on the Internet. This may indicate the attacker has installed an IRC Bot on the target requesting the target to connect to an IRC Channel, which is controlled by the attacker, to wait for further instructions. Large numbers of such exploited machines form a BotNet and can be used by the attacker to coordinate large scale Distributed Denial of Service (DDoS) attacks.
MalwareAnalysis
Malware_Server_Connection - Network flow analysis indicates a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). This behavior is seen in the presence of security events aimed at this host, and therefore it is possible the attacker has infected the target with a worm or other hostile malware, and it is attempting to spread from this host.
PeripheralCommsAnalysis
This group includes:
• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally or inadvertently stopped the service running on this host.
• Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given this activity is occurring in the presence of security events targeting this host, it is possible the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
• Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given this activity is occurring in the presence of a security event targeting this host, it is possible the attacker has installed mass mailing malware on the target. This behavior is also to be expected if the target is a known mail server.
Policy Violations Group
Pre-configured groups that specify traffic flows from your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies including:
Table B-6 Custom Views - PolicyViolations
Group Objects
Mail_Policy_Violation
This group includes:
• Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating network mail policy, or that a host is infected with a mass mailing agent. We recommend updating this equation to not include network mail servers.
• Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Additionally, such servers may be the result of an infected host, which is inadvertently running a SPAM relay. We recommend updating this equation to not include network mail servers.
ASN Source Group STRM detects the ASN values from network flows. When STRM detects a ASN source values in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.
IRC_IM_Policy_Violation
This group includes:• IRC_Connection_to_Internet - Detects bidirectional flows
from local client hosts to the Internet on common IRC port or detected though an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
• IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging clients (IM), such as MSN.
Remote_Access_Policy_Violation
Remote_Access_Shell - Detects bidirectional flows, where remote hosts were connecting to local remote access servers. Detection of any of the following access technologies include: Citrix, PCAnywhere, SSH, Telnet, or VNC.
P2P_Policy_Violation
This group includes:• Local_P2P__Server - Detects flows indicating a P2P server is
operating on the local network. This can be in violation of local network policy.
• Local_P2P_Client - Detects flows indicating a P2P client is operating on the local network. This can be in violation of local network policy.
Application_Policy_Violation
This group includes:• NNTP_to_Internet - Detects flows indicating an NNTP news
client is operating on the local network. This may be in violation of local network policy.
• Unknown_Local_Service - Detects an active service on a local host.
Compliance_Policy_Violations
This group includes:• Clear_Text_Application_Usage - Detects flows where the
application types use clear text passwords. Applications that usage for this view include Telnet, FTP, and POP. We recommend that you tune this view to add or remove additional applications.
• Large_Outbound_Transfer - Detects large outbound file transfers.
Table B-6 Custom Views - PolicyViolations (continued)
Group Objects
STRM Administration Guide
258 ENTERPRISE TEMPLATE DEFAULTS
ASN DestinationGroup
STRM detects the ASN values from network flows. When STRM detects a ASN destination values in a flow, STRM creates a new object in the ASN destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.
IFIndexIn Group STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.
IFIndexOut Group STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.
QoS Group Default QoS groups include:
Flow Shape Group Default FlowShape groups include:
Table B-7 Custom Views - QoS View
QoS Group Group ObjectsNetworkControl Object
Specifies QoS values related to link layer and routing protocols.
IPRoutingControl Specifies QoS values used by IP routing protocols. Expedited Specifies values related to expedited forwarding, such as, a
virtual leased line or premium service. Class 4 Specifies values related to Class 4 traffic. Class 3 Specifies values related to Class 3 traffic. Class 2 Specifies values related to Class 2 traffic. Class 1 Specifies values related to Class 1 traffic. Best Effort Specifies traffic related to best effort QoS traffic. Best effort
services does not guarantee delivery.
Table B-8 Custom Views - Flow Shape View
Flow Shape Group objects:
Inbound_Only - Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.
Outbound_Only - Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet, where the remote host does not respond.
Mostly_Inbound - Specifies traffic flows that send 5 times more data into the network than is received.
Mostly_Outbound - Specifies traffic flows that send 5 times more bytes out of the network than are received.
NearSame_Internet - Specifies traffic to and from hosts on the Internet that have around the same number of bytes sent and received.
Local_Unidirectional - Specifies a one-sided flow with a source and destination within the local network.
Local_SRC_Bias - Specifies internal traffic that has 5 times more bytes transferred by the source than the destination.
Local_DST_Bias - Specifies internal traffic that has 5 times more bytes transferred by the destination than the source.
NearSame_Internal - Specifies internal traffic that has a balance of source and destination bytes.

Default Rules
Default rules for the Enterprise template include:

Table B-9 Default Rules
Columns: Rule, Group, Rule Type, Enabled, Description. Each entry gives the rule name on one line; the next line gives its group, rule type, whether it is enabled by default, and its description.
Default-Response-E-mail: Offense E-mail Sender
Response Offense False Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail every hour, per offense.
Default-Response-Syslog: Offense SYSLOG Sender
Response Offense False Reports any offense matching the severity, credibility, or relevance minimum to syslog.
Default-Rule-Anomaly: Devices with High Event Rates
Anomaly Event False Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices will be monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.
Default-Rule-Anomaly: DMZ Jumping
Anomaly Event False Reports when connections are bridged across your network’s Demilitarized Zone (DMZ).
Default-Rule-Anomaly: DMZ Reverse Tunnel
Anomaly Event False Reports when connections are bridged across your network’s DMZ through a reverse tunnel.
Default-Rule-Anomaly: Excessive Database Connections
Anomaly Event True Reports an excessive number of successful database connections.
Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts
Anomaly Event False Reports excessive firewall accepts across multiple hosts. More than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.
STRM Administration Guide
260 ENTERPRISE TEMPLATE DEFAULTS
Default-Rule-Anomaly: Excessive Firewall Denies from Single Source
Anomaly Event True Reports excessive firewall denies from a single host. Detects more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.
Default-Rule-Anomaly: Long Duration Flow
Anomaly Event True Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
Default-Rule-Anomaly: Potential Honeypot Access
Anomaly Event False Reports an event that was targeting or sourced from a honeypot or tarpit defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.
Default-Rule-Anomaly: Rate Analysis Marked Events
Anomaly Event False Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.
Default-Rule-Anomaly: Remote Access from Foreign Country
Anomaly Event False Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.
Default-Rule-Anomaly: Single IP with Multiple MAC Addresses
Anomaly Event False Reports when the MAC address of a single IP address changes multiple times over a period of time.
Default-Rule-Authentication: Login Failure to Disabled Account
Authentication Event True Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.
Default-Rule-Authentication: Login Failure to Expired Account
Authentication Event True Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.
Default-Rule-Authentication: Login Failures Across Multiple Hosts
Authentication Event True Reports authentication failures on the same source IP address more than three times, across more than three destination IP addresses within 10 minutes.
Default-Rule-Authentication: Login Failures Followed By Success
Authentication Event True Reports multiple login failures to a single host, followed by a successful login to the host.
Default-Rule-Authentication: Login Successful After Scan Attempt
Authentication, Compliance
Event True Reports a successful login to a host after reconnaissance has been performed against this network.
Default-Rule-Authentication: Multiple VoIP Login Failures
Authentication Event True Reports multiple login failures to a VoIP PBX.
Default-Rule-Authentication: Repeated Login Failures, Single Host
Authentication Event True Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.
Default-Rule-Botnet: Potential Botnet Connection (DNS)
Botnet, Exploit Event False Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.
Default-Rule-Botnet: Potential Botnet Connection (IRC)
Botnet Event True Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
Default-Rule-Botnet: Potential Botnet Events Become Offenses
Botnet Event True Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-CategoryDefinitions: Access Denied
CategoryDefinition
Event True Reports events in different Access Denied categories.
Default-Rule-CategoryDefinitions: Session Closed
CategoryDefinition, Malware
Event True Reports all Session Closed events by categories.
Default-Rule-CategoryDefinitions: Session Opened
CategoryDefinition, Malware
Event True Reports all Session Opened events by categories.
Default-Rule-CategoryDefinitions: Virus Detected
CategoryDefinition, Malware
Event True Reports all virus detection events.
Default-Rule-CategoryDefinitions: VPN Access Denied
CategoryDefinition
Event True Reports VPN events that are considered Denied Access events.
Default-Rule-CategoryDefinitions: Database Access Denied
CategoryDefinition
Event True Reports database events that indicate denied access activities.
Default-Rule-CategoryDefinitions: Database Access Permitted
CategoryDefinition
Event True Reports database events that indicate permitted access.
Default-Rule-CategoryDefinitions: System Errors and Failures
CategoryDefinition
Event True Rule detects events that may indicate a system error or failure.
Default-Rule-CategoryDefinitions: VPN Access Accepted
CategoryDefinition
Event True Reports VPN events that indicate permitted access.
Default-Rule-Compliance: Compliance Events Become Offenses
Compliance Event False Reports compliance-based events, such as clear text passwords.
Default-Rule-Compliance: Excessive Failed Logins to Compliance IS
Compliance Event False Reports excessive authentication failures to a compliance server within 10 minutes.
Default-Rule-Database: Attempted Configuration Modification by a remote host
Compliance, Database
Event True Reports when a configuration modification is attempted to a database server from a remote network.
Default-Rule-Database: Concurrent Logins from Multiple Locations
Compliance, Database
Event True Reports when several authentications to a database server occur across many remote IP addresses.
Default-Rule-Database: Failures Followed by User Changes
Compliance, Database
Event True Reports when there are failures followed by the addition or change of a user account.
Default-Rule-Database: Groups changed from Remote Host
Compliance, Database
Event True Monitors changes to groups on a database when the change is initiated from a remote network.
Default-Rule-Database: Multiple Database Failures Followed by Success
Compliance, Database
Event True Reports when there are multiple database failures followed by a success within a short period of time.
Default-Rule-Database: Remote Login Failure
Compliance, Database
Event True Increases the severity of a failed login attempt to a database from a remote network.
Default-Rule-Database: Remote Login Success
Compliance, Database
Event True Reports when a successful authentication occurs to a database server from a remote network.
Default-Rule-Database: User Rights Changed from Remote Host
Compliance, Database
Event True Reports when changes to user privileges occur on a database from a remote network.
Default-Rule-DDoS Attack Detected
D/DoS Event True Reports network Distributed Denial of Service (DDoS) attacks on a system.
Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses
D/DoS Event True Reports when offenses are created for DoS-based events with high magnitude.
Default-Rule-DeviceDefinition: Access/Authentication/Audit
DeviceDefinition
Event True Reports all access, authentication, and audit devices.
Default-Rule-DeviceDefinition: AntiVirus
DeviceDefinition
Event True Reports all antivirus services on the system.
Default-Rule-DeviceDefinition: Application
DeviceDefinition
Event True Reports all application and OS devices on the network.
Default-Rule-DeviceDefinition: FW/Router/Switch
DeviceDefinition
Event True Reports all firewall (FW), routers, and switches on the network.
Default-Rule-DeviceDefinition: IDS/IPS
DeviceDefinition
Event True Reports all IDS and IPS devices on the network.
Default-Rule-DeviceDefinition: VPN
DeviceDefinition
Event True Reports all VPNs on the network.
Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks
D/DoS Event True If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.
Default-Rule-DoS: DoS Events from Darknet
D/DoS Event False Reports when DoS attack events are identified on Darknet network ranges.
Default-Rule-DoS: DoS Events with High Magnitude Become Offenses
D/DoS Event True Rule forces the creation of an offense for DoS based events with a high magnitude.
Default-Rule-DoS: Increase Magnitude of High Rate Attacks
D/DoS Event True If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.
Default-Rule-DoS: Network DoS Attack Detected
D/DoS Event True Reports network Denial of Service (DoS) attacks on a system.
Default-Rule-DoS: Service DoS Attack Detected
D/DoS Event True Reports a DoS attack against a local target that is known to exist and the target port is open.
Default-Rule-Exploit: All Exploits Become Offenses
Exploit Event False Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Exploit: Attack followed by Attack Response
Exploit Event False Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.
Default-Rule-Exploit: Attacker Vulnerable to any Exploit
Exploit Event False Reports an attack from a local host where the attacker has at least one vulnerability. It is possible the attacker was a target in an earlier offense.
Default-Rule-Exploit: Attacker Vulnerable to this Exploit
Exploit Event False Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.
Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity
Exploit Event False Reports an exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.
Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets
Exploit Event True Reports a source IP address generating multiple (at least 5) exploits or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generating from a device.
Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses
Exploit Event True Rule forces the creation of offenses for exploit-based events with a high magnitude.
Default-Rule-Exploit: Exploits Followed by Firewall Accepts
Exploit Event False Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.
Default-Rule-Exploit: Multiple Exploit Types Against Single Target
Exploit Event True Reports a target attempting to be exploited using multiple types of attacks from one or more attackers.
Default-Rule-Exploit: Multiple Vector Attacker
Exploit Event False Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.
Default-Rule-Exploit: Potential VoIP Toll Fraud
Exploit Event False Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This action could indicate that illegal users are executing VoIP sessions on your network.
Default-Rule-Exploit: Recon followed by Exploit
Exploit Event True Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit
Exploit Event True Reports an attack against a vulnerable local target, where the target is known to exist, and the host is vulnerable to the attack.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port
Exploit Event True Reports an attack against a vulnerable local target, where the target is known to exist, and the host is vulnerable to the attack on a different port.
Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port
Exploit Event False Reports an attack against a vulnerable local target, where the target is known to exist, and the host is vulnerable to some attack but not the one being attempted.
Default-Rule-FalsePositive: False Positive Rules and Building Blocks
False Positive Event True Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but also dropped. If you add any new building blocks or rules to stop events from becoming offenses, you must add these new rules or building blocks to this rule.
Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses
Malware Event False Enable this rule if you want all events categorized as backdoor, viruses, and trojans to create an offense.
Default-Rule-Malware: Treat Key Loggers as Offenses
Malware Event False Enable this rule if you want all events categorized as key loggers to create offenses.
Default-Rule-Malware: Treat Non-Spyware Malware as Offenses
Malware Event False Reports non-spyware malware attacks on events. Enable this rule if you want all events categorized as malware to create an offense.
Default-Rule-Malware: Treat Spyware and Virus as Offenses
Malware Event False Reports spyware and/or a virus on events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.
Default-Rule-Malware: Local Host Sending Malware
Malware, Policy Event False Reports malware being sent from local hosts.
Default-Rule-NetworkDefinition: Local to Local
Network Definition
Event True Reports events that are considered Local-to-Local (L2L).
Default-Rule-NetworkDefinition: Local to Remote
Network Definition
Event True Reports events that are considered Local-to-Remote (L2R).
Default-Rule-NetworkDefinition: Remote to Local
Network Definition
Event True Reports events that are considered Remote-to-Local (R2L).
Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic
Policy Event False Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.
Default-Rule-Policy: Create Offenses for All P2P Usage
Policy Event False Reports P2P traffic or any event categorized as P2P.
Default-Rule-Policy: Create Offenses for All Policy Events
Policy Event False Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.
Default-Rule-Policy: Create Offenses for All Porn Usage
Policy Event False Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.
Default-Rule-Policy: Host has SANS Top 20 Vulnerability
Policy Event False Rule acts as a warning that the asset in which an event identifies is vulnerable to a vulnerability identified in the SANS Top 20 Vulnerabilities. (www.sans.org/top20/)
Default-Rule-Policy: Local P2P Server Detected
Policy Event True Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.
Default-Rule-Policy: New Host Discovered
Policy Event False Reports when a new host has been discovered on the network.
Default-Rule-Policy: New Service Discovered
Policy Event False Reports when an existing host has a newly discovered service.
Default-Rule-Policy: Potential Tunneling
Policy Event False Rule identifies potential tunneling that can be used to bypass policy or security controls.
Default-Rule-Policy: Upload to Local WebServer
Policy Event False Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block.
Default-Rule-Recon: Aggressive Local Scanner Detected
Recon Event True Reports an aggressive scan from a local source IP address, scanning other local or remote IP addresses. More than 400 targets received reconnaissance or suspicious events in less than 2 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm is present on the system.
Default-Rule-Recon: Aggressive Remote Scanner Detected
Recon Event True Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. More than 50 targets received reconnaissance or suspicious events in less than 3 minutes. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system.
Default-Rule-Recon: Excessive Firewall Denies From Local Hosts
Recon Event True Reports excessive attempts, from local hosts, to access the firewall and access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Excessive Firewall Denies From Remote Hosts
Recon Event True Reports excessive attempts, from remote hosts, to access the firewall and access is denied. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes.
Default-Rule-Recon: Host Port Scan Detected by Local Host
Recon Event True Reports a single source IP address scanning more than 50 ports in under 3 minutes.
Default-Rule-Recon: Host Port Scan Detected by Remote Host
Recon Event True Reports when more than 400 ports were scanned from a single source IP address in under 2 minutes.
Default-Rule-Recon: Increase Magnitude of High Rate Scans
Recon Event True If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Increase Magnitude of Medium Rate Scans
Recon Event True If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event.
Default-Rule-Recon: Local LDAP Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Database Scanner
Recon Event True Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Local DHCP Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local DNS Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local FTP Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Game Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local ICMP Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IM Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IRC Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Local Mail Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local P2P Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Proxy Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local RPC Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Scanner Detected
Recon Event True Reports a scan from a local host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Local SNMP Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local SSH Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Local Suspicious Probe Events Detected
Recon Event False Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.
Default-Rule-Recon: Local TCP Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local UDP Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Web Server Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Server Scanner to Internet
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local Windows Server Scanner
Recon Event True Reports on events that are detected by the system and when the attack context is Local-to-Local (L2L).
Default-Rule-Recon: Recon Followed by Accept
Recon Event False Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity.
Default-Rule-Recon: Remote Database Scanner
Recon Event True Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote DHCP Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote DNS Scanner
Recon Event True Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote FTP Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Game Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote ICMP Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IM Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Local IRC Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Default-Rule-Recon: Remote LDAP Server Scanner
Recon Event True Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote Mail Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote P2P Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Proxy Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote RPC Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Scanner Detected
Recon Event True Reports a scan from a remote host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP.
Default-Rule-Recon: Remote SNMP Scanner
Recon Event True Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.
Default-Rule-Recon: Remote SSH Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Default-Rule-Recon: Remote Suspicious Probe Events Detected
Recon Event False Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating system of the targets.
Default-Rule-Recon: Remote TCP Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote UDP Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Web Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Remote Windows Server Scanner
Recon Event True Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Default-Rule-Recon: Single Merged Recon Events
Recon Event True Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block.
Default-Rule-SuspiciousActivity: Common Non-Local to Remote Ports
Event False Rule identifies events that have common internal only ports, communicating outside of the local network.
Default-Rule-SuspiciousActivity: Communication with Known Hostile Networks
Anomaly Event False Reports events that are involved with known hostile networks.
Default-Rule-SuspiciousActivity: Communication with Known Online Services
Anomaly Event False Reports events that are involved with networks identified as possible sites that may involve data loss.
Table B-9 Default Rules (continued)
Rule GroupRule Type Enabled Description
STRM Administration Guide
272 ENTERPRISE TEMPLATE DEFAULTS
| Default-Rule-SuspiciousActivity: Communication with Known Watched Networks | Anomaly | Event | False | Reports events that involve networks you have defined as networks you wish to monitor. |
| Default-Rule-SuspiciousActivity: Consumer Grade Equipment | Compliance | Event | False | Reports assets that appear to be consumer grade equipment. |
| Default-Rule-System-Notification |  | Event | True | Ensures that notification events are sent to the notification framework. |
| Default-Rule-System: 100% Accurate Events | System | Event | True | Creates an offense when an event matches a 100% accurate signature for a successful compromise. |
| Default-Rule-System: Critical System Events | System | Event | False | Reports when STRM detects a critical event. |
| Default-Rule-System: Device Stopped Sending Events | System | Event | False | Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add the devices you want to monitor. |
| Default-Rule-System: Host Based Failures | System | Event | False | Reports when STRM detects events that indicate failures within services or hardware. |
| Default-Rule-System: Load Building Blocks | System | Event | True | Loads the BBs that need to be run to assist with reporting. This rule has no actions or responses. |
| Default-Rule-Recon: Multiple System Errors | System | Event | False | Reports when a source has 10 system errors within 3 minutes. |
| Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner | Compliance | Event | False | Reports when a vulnerability is discovered on a local host. |
| Default-Rule-WormsDetection: Local Mass Mailing Host Detected | Worm | Event | True | Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm. |
| Default-Rule-WormsDetection: Possible Local Worm Detected | Worm | Event | True | Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan. |
| Default-Rule-WormsDetection: Worm Detected (Events) | Worm | Event | True | Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic. |
Default Building Blocks

Default building blocks for the Enterprise template include:

Table B-10 Default Building Blocks

| Building Block | Group | Block Type | Description | Associated Building Blocks (if applicable) |
| --- | --- | --- | --- | --- |
| Default-BB-BehaviorDefinition: Compromise Activities | Category Definitions | Event | Edit this BB to include categories that are considered part of events detected during a typical compromise. |  |
| Default-BB-BehaviorDefinition: Post Compromise Activities | Category Definitions | Event | Edit this BB to include categories that are considered part of events detected after a typical compromise. |  |
| Default-BB-CategoryDefinition: Authentication Failures | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate an unsuccessful attempt to access the network. |  |
| Default-BB-CategoryDefinition: Authentication Success | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate successful attempts to access the network. |  |
| Default-BB-CategoryDefinition: Authentication to Disabled Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using a disabled account. |  |
| Default-BB-CategoryDefinition: Authentication to Expired Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using an expired account. |  |
| Default-BB-CategoryDefinition: Authentication User or Group Added or Changed | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate modification to accounts or groups. |  |
| Default-BB-CategoryDefinition: Countries with no Remote Access | Category Definitions | Event | Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule. |  |
| Default-BB-CategoryDefinition: Database Connections | Category Definitions | Event | Edit this BB to define successful logins to databases. You may need to add additional device types for this BB. |  |
| Default-BB-CategoryDefinition: DDoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a DDoS attack. |  |
| Default-BB-CategoryDefinition: Exploits, Backdoors, and Trojans | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. |  |
| Default-BB-CategoryDefinition: Failure Service or Hardware | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a failure within a service or hardware. |  |
| Default-BB-CategoryDefinition: Firewall or ACL Accept | Category Definitions | Event | Edit this BB to include all events that indicate access to the firewall. |  |
| Default-BB-CategoryDefinition: Firewall or ACL Denies | Category Definitions | Event | Edit this BB to include all events that indicate unsuccessful attempts to access the firewall. |  |
| Default-BB-CategoryDefinition: Firewall System Errors | Category Definitions | Event | Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices: CheckPoint, Generic Firewall, Iptables, NetScreen Firewall, Cisco Pix. |  |
| Default-BB-CategoryDefinition: Flow Events | Category Definitions | Event | Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine. |  |
| Default-BB-CategoryDefinition: High Magnitude Events | Category Definitions | Event | Edit this BB to set the severity, credibility, and relevance levels at which you want to generate an event. The defaults are: Severity = 6, Credibility = 7, Relevance = 7. |  |
| Default-BB-CategoryDefinitions: KeyLoggers | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. |  |
| Default-BB-CategoryDefinition: Mail Policy Violation | Category Definitions, Compliance | Event | Edit this BB to define mail policy violations. |  |
| Default-BB-CategoryDefinition: Malware Annoyances | Category Definitions | Event | Edit this BB to include event categories that are typically associated with spyware infections. |  |
| Default-BB-CategoryDefinition: Network DoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a network DoS attack. |  |
| Default-BB-CategoryDefinition: Policy Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that may indicate a violation of network policy. |  |
| Default-BB-CategoryDefinition: Post Exploit Account Activity | Category Definitions | Event | Edit this BB to include all event categories that may indicate exploits to accounts. |  |
| Default-BB-CategoryDefinition: Rate Analysis Marked Events | Category Definitions | Event | STRM monitors the event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Edit this BB to include events that are marked by rate analysis. |  |
| Default-BB-CategoryDefinition: Recon Events | Category Definitions | Event | Edit this BB to include all events that indicate reconnaissance activity. |  |
| Default-BB-CategoryDefinition: Service DoS | Category Definitions | Event | Edit this BB to define Denial of Service (DoS) attack events. |  |
| Default-BB-CategoryDefinition: Suspicious Events | Category Definitions | Event | Edit this BB to include all events that indicate suspicious activity. |  |
| Default-BB-CategoryDefinition: System Configuration | Category Definitions, Malware | Event | Edit this BB to define system configuration events. |  |
| Default-BB-CategoryDefinition: Upload to Local WebServer | Category Definitions | Event | Typically, most networks are configured to restrict applications that use the PUT method on their web application servers. This BB detects whether a remote host has used this method on a local server. The BB can be duplicated to detect other unwanted methods, or to detect local hosts using the method when connecting to remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule. |  |
| Default-BB-CategoryDefinition: VoIP Authentication Failure Events | Category Definitions | Event | Edit this BB to include all events that indicate a VoIP login failure. |  |
| Default-BB-CategoryDefinition: VoIP Session Opened | Category Definitions | Event | Edit this BB to include all events that indicate the start of a VoIP session. |  |
| Default-BB-CategoryDefinition: Windows Compliance Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that indicate compliance events. |  |
| Default-BB-CategoryDefinition: Worm Events | Category Definitions | Event | Edit this BB to define worm events. This BB only applies to events not detected by a custom rule. |  |
| Default-BB-ComplianceDefinition: GLBA Servers | Compliance, Host Definitions | Event | Edit this BB to include your GLBA systems by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. |  |
| Default-BB-ComplianceDefinition: HIPAA Servers | Compliance, Host Definitions | Event | Edit this BB to include your HIPAA servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. |  |
| Default-BB-ComplianceDefinition: SOX Servers | Compliance, Host Definitions | Event | Edit this BB to include your SOX servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. |  |
| Default-BB-ComplianceDefinition: PCI DSS Servers | Compliance, Host Definitions, Response | Event | Edit this BB to include your PCI DSS servers by IP address. You must apply this BB to rules related to failed logins, remote access, etc. |  |
| Default-BB-Database: System Action Allow | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate successful actions within a database. |  |
| Default-BB-Database: System Action Deny | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate unsuccessful actions within a database. |  |
| Default-BB-Database: User Addition or Change | Category Definitions, Compliance | Event | Edit this BB to include events that indicate the successful addition or change of user privileges. |  |
| Default-BB-DeviceDefinition: Consumer Grade Routers | Device Definitions | Event | Edit this BB to include MAC addresses of known consumer grade routers. |  |
| Default-BB-DeviceDefinition: Consumer Grade Wireless APs | Device Definitions | Event | Edit this BB to include MAC addresses of known consumer grade wireless access points. |  |
| Default-BB-DeviceDefinition: Database | Device Definitions | Event |  |  |
| Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates | Device Definitions | Event | Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates rule. |  |
| Default-BB-FalseNegative: Events That Indicate Successful Compromise | False Positive | Event | Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy. |  |
| Default-BB-FalsePositive: All Default False Positive BBs | False Positive | Event | Edit this BB to include all false positive building blocks. | All Default-BB-FalsePositive building blocks |
| Default-BB-FalsePositive: Broadcast Address False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the broadcast address space. |  |
| Default-BB-FalsePositive: Database Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers |
| Default-BB-FalsePositive: Database Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers |
| Default-BB-FalsePositive: Device and Specific Event | False Positive | Event | Edit this BB to include the devices and QIDs of devices that continually generate false positives. |  |
| Default-BB-FalsePositive: DHCP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers |
| Default-BB-FalsePositive: DHCP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers |
| Default-BB-FalsePositive: DNS Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers |
| Default-BB-FalsePositive: DNS Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers |
| Default-BB-FalsePositive: Firewall Deny False Positive Events | False Positive | Event | Edit this BB to define firewall deny events that are false positives. |  |
| Default-BB-FalsePositive: FTP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers |
| Default-BB-FalsePositive: FTP False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers |
| Default-BB-FalsePositive: Global False Positive Events | False Positive | Event | Edit this BB to include any event QIDs that you want to ignore. |  |
| Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers. |  |
| Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers. |  |
| Default-BB-FalsePositive: Large Volume Local FW Events | False Positive | Event | Edit this BB to define specific events that can create a large volume of false positives in general rules. |  |
| Default-BB-FalsePositive: LDAP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers |
| Default-BB-FalsePositive: LDAP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers |
| Default-BB-FalsePositive: Mail Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers |
| Default-BB-FalsePositive: Mail Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers |
| Default-BB-FalsePositive: Network Management Servers Recon | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block. | Default-BB-HostDefinition: Network Management Servers |
| Default-BB-FalsePositive: Proxy Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers |
| Default-BB-FalsePositive: Proxy Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers |
| Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers. |  |
| Default-BB-FalsePositive: RPC Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers |
| Default-BB-FalsePositive: RPC Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers |
| Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers |
| Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers |
| Default-BB-FalsePositive: Source IP and Specific Event | False Positive | Event | Edit this BB to include source IP addresses or specific events that you want to remove. |  |
| Default-BB-FalsePositive: SSH Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers |
| Default-BB-FalsePositive: SSH Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block. | Default-BB-HostDefinition: SSH Servers |
| Default-BB-FalsePositive: Syslog Sender False Positive Categories | False Positive | Event | Edit this BB to define all false positive categories that occur to or from syslog sources. | Default-BB-HostDefinition: Syslog Servers and Senders |
| Default-BB-FalsePositive: Syslog Sender False Positive Events | False Positive | Event | Edit this BB to define all false positive events that occur to or from syslog sources or destinations. | Default-BB-HostDefinition: Syslog Servers and Senders |
| Default-BB-FalsePositive: Virus Definition Update Categories | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block. | Default-BB-HostDefinition: Virus Definition |
| Default-BB-FalsePositive: Web Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers |
| Default-BB-FalsePositive: Web Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block. | Default-BB-HostDefinition: Web Servers |
| Default-BB-FalsePositive: Windows Server False Positive Categories Local | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers |
| Default-BB-FalsePositive: Windows Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block. | Default-BB-HostDefinition: Windows Servers |
| Default-BB-HostBased: Critical Events | Category Definitions, Compliance | Event | Edit this BB to define event categories that indicate critical events. |  |
| Default-BB-HostDefinition: Database Servers | Host Definitions | Event | Edit this BB to define typical database servers. | Default-BB-FalsePositive: Database Server False Positive Categories; Default-BB-FalsePositive: Database Server False Positive Events |
| Default-BB-HostDefinition: DHCP Servers | Host Definitions | Event | Edit this BB to define typical DHCP servers. | Default-BB-FalsePositive: DHCP Server False Positive Categories; Default-BB-FalsePositive: DHCP Server False Positive Events |
| Default-BB-HostDefinition: DNS Servers | Host Definitions | Event | Edit this BB to define typical DNS servers. | Default-BB-FalsePositive: DNS Server False Positive Categories; Default-BB-FalsePositive: DNS Server False Positive Events |
| Default-BB-HostDefinition: FTP Servers | Host Definitions | Event | Edit this BB to define typical FTP servers. | Default-BB-FalsePositive: FTP Server False Positive Categories; Default-BB-FalsePositive: FTP False Positive Events |
| Default-BB-HostDefinition: Host with Port Open | Host Definitions | Event | Edit this BB to include a host and port that is actively or passively seen. |  |
| Default-BB-HostDefinition: LDAP Servers | Host Definitions | Event | Edit this BB to define typical LDAP servers. | Default-BB-FalsePositive: LDAP Server False Positive Categories; Default-BB-FalsePositive: LDAP Server False Positive Events |
| Default-BB-HostDefinition: Mail Servers | Host Definitions | Event | Edit this BB to define typical mail servers. | Default-BB-FalsePositive: Mail Server False Positive Categories; Default-BB-FalsePositive: Mail Server False Positive Events |
| Default-BB-HostDefinition: Network Management Servers | Host Definitions | Event | Edit this BB to define typical network management servers. |  |
| Default-BB-HostDefinition: Proxy Servers | Host Definitions | Event | Edit this BB to define typical proxy servers. | Default-BB-FalsePositive: Proxy Server False Positive Categories; Default-BB-FalsePositive: Proxy Server False Positive Events |
| Default-BB-HostDefinition: RPC Servers | Host Definitions | Event | Edit this BB to define typical RPC servers. | Default-BB-FalsePositive: RPC Server False Positive Categories; Default-BB-FalsePositive: RPC Server False Positive Events |
| Default-BB-HostDefinition: Servers | Host Definitions | Event | Edit this BB to define generic servers. |  |
| Default-BB-HostDefinition: SNMP Sender or Receiver | Host Definitions | Event | Edit this BB to define SNMP senders or receivers. | Default-BB-PortDefinition: SNMP Ports |
| Default-BB-HostDefinition: SSH Servers | Host Definitions | Event | Edit this BB to define typical SSH servers. | Default-BB-FalsePositive: SSH Server False Positive Categories; Default-BB-FalsePositive: SSH Server False Positive Events |
| Default-BB-HostDefinition: Syslog Servers and Senders | Host Definitions | Event | Edit this BB to define the typical hosts that send or receive syslog traffic. | Default-BB-FalsePositive: Syslog Server False Positive Categories; Default-BB-FalsePositive: Syslog Server False Positive Events |
| Default-BB-HostDefinition: VA Scanner Source IP | Host Definitions | Event | Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2. |  |
| Default-BB-HostDefinition: Virus Definition and Other Update Servers | Host Definitions | Event | Edit this BB to include all servers that provide virus protection and update functions. |  |
| Default-BB-HostDefinition: VoIP IP PBX Server | Host Definitions | Event | Edit this BB to define typical VoIP IP PBX servers. |  |
| Default-BB-HostDefinition: Web Servers | Host Definitions | Event | Edit this BB to define typical web servers. | Default-BB-FalsePositive: Web Server False Positive Categories; Default-BB-FalsePositive: Web Server False Positive Events |
| Default-BB-HostDefinition: Windows Servers | Host Definitions | Event | Edit this BB to define typical Windows servers, such as domain controllers or Exchange servers. | Default-BB-FalsePositive: Windows Server False Positive Categories; Default-BB-FalsePositive: Windows Server False Positive Events |
| Default-BB-NetworkDefinition: Broadcast Address Space | Network Definition | Event | Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages. |  |
| Default-BB-NetworkDefinition: Client Networks | Network Definition | Event | Edit this BB to include all networks that contain client hosts. |  |
| Default-BB-NetworkDefinition: Darknet Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a darknet list. |  |
| Default-BB-NetworkDefinition: DLP Addresses | Network Definition | Event | Edit this BB to include networks that you want to add to a data loss prevention (DLP) list. |  |
| Default-BB-NetworkDefinition: DMZ Addresses | Network Definition | Event | Edit this BB to include addresses that are part of the DMZ. |  |
| Default-BB-NetworkDefinition: Honeypot like Addresses | Network Definition | Event | Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access. |  |
| Default-BB-NetworkDefinition: NAT Address Range | Network Definition | Event | Edit this BB to define the Network Address Translation (NAT) range you want to use in your deployment. |  |
| Default-BB-NetworkDefinition: Server Networks | Network Definition | Event | Edit this BB to include the networks where your servers are located. |  |
| Default-BB-NetworkDefinition: Undefined IP Space | Network Definition | Event | Edit this BB to include areas of your network that do not contain any valid hosts. |  |
| Default-BB-NetworkDefinition: Watch List Addresses | Network Definition | Event | Edit this BB to include networks that should be added to a watch list. |  |
| Default-BB-Policy: Application Policy Violation Events | Policy | Event | Edit this BB to define policy application and violation events. |  |
| Default-BB-Policy: IRC/IM Connection Violations | Policy | Event | Edit this BB to define all policy IRC/IM connection violations. |  |
| Default-BB-Policy: Policy P2P | Policy | Event | Edit this BB to include all events that indicate Peer-to-Peer (P2P) events. |  |
| Default-BB-PortDefinition: Authorized L2R Ports | Port\Protocol Definition | Event | Edit this BB to include ports that are commonly detected in Local-to-Remote (L2R) traffic. |  |
| Default-BB-PortDefinition: Database Ports | Port\Protocol Definition | Event | Edit this BB to include all common database ports. |  |
| Default-BB-PortDefinition: DHCP Ports | Port\Protocol Definition | Event | Edit this BB to include all common DHCP ports. |  |
| Default-BB-PortDefinition: DNS Ports | Port\Protocol Definition | Event | Edit this BB to include all common DNS ports. |  |
Default-BB-PortDefinition: FTP Ports | Port\Protocol Definition | Event | Edit this BB to include all common FTP ports. | -
Default-BB-PortDefinition: Game Server Ports | Port\Protocol Definition | Event | Edit this BB to include all common game server ports. | -
Default-BB-PortDefinition: IM Ports | Compliance, Port\Protocol Definition | Event | Edit this BB to include all common IM ports. | -
Default-BB-PortDefinition: IRC Ports | Port\Protocol Definition | Event | Edit this BB to include all common IRC ports. | -
Default-BB-PortDefinition: LDAP Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by LDAP servers. | -
Default-BB-PortDefinition: Mail Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by mail servers. | -
Default-BB-PortDefinition: P2P Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers. | -
Default-BB-PortDefinition: Proxy Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by proxy servers. | -
Default-BB-PortDefinition: RPC Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by RPC servers. | -
Default-BB-PortDefinition: SNMP Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by SNMP servers. | -
Default-BB-PortDefinition: SSH Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by SSH servers. | -
Default-BB-PortDefinition: Syslog Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by syslog servers. | -
Default-BB-PortDefinition: Unauthorized L2R Ports | Port\Protocol Definition | Event | Edit this BB to include ports that are not typically detected in Local-to-Remote (L2R) traffic. | -
Default-BB-PortDefinition: Web Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Web servers. | -
Default-BB-PortDefinition: Windows Ports | Port\Protocol Definition | Event | Edit this BB to include all common ports used by Windows servers. | -
Default-BB-ProtocolDefinition: Windows Protocols | Port\Protocol Definition | Event | Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules. | -
Default-BB-ReconDetected: All Recon Rules | Recon | Event | Define all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance so that other follow-on tests can be performed, for example, reconnaissance followed by a firewall accept. | -
Default-BB-ReconDetected: Devices That Merge Recon into Single Events | Recon | Event | Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses. | -
Default-BB-ReconDetected: Host Port Scan | Recon | Event | Edit this BB to define reconnaissance scans on hosts in your deployment. | -
Default-BB-ReconDetected: Port Scan Detected Across Multiple Hosts | Recon | Event | Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If internal, this may indicate an exploited machine or a worm scanning for targets. | -
User-BB-FalsePositive: User Defined False Positives Tunings | User Tuning | Event | This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide. | -
User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block. | User-BB-HostDefinition: User Defined Server Type 1
User-BB-FalsePositive: User Defined Server Type 1 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block. | User-BB-HostDefinition: User Defined Server Type 1
User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block. | User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 2 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block. | User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories | User Tuning | Event | Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block. | User-BB-HostDefinition: User Defined Server Type 3
User-BB-FalsePositive: User Defined Server Type 3 False Positive Events | User Tuning | Event | Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block. | User-BB-HostDefinition: User Defined Server Type 3
User-BB-HostDefinition: User Defined Server Type 1 | User Tuning | Event | Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories or User-BB-FalsePositive: User Defined Server Type 1 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 1 False Positive Events
User-BB-HostDefinition: User Defined Server Type 2 | User Tuning | Event | Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories or User-BB-FalsePositive: User Defined Server Type 2 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 2 False Positive Events
User-BB-HostDefinition: User Defined Server Type 3 | User Tuning | Event | Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives for these servers to the User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories or User-BB-FalsePositive: User Defined Server Type 3 False Positive Events building blocks. | User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories; User-BB-FalsePositive: User Defined Server Type 3 False Positive Events
C
UNIVERSITY TEMPLATE DEFAULTS
The University template includes settings with emphasis on internal network activities. This appendix provides the defaults for the University template including:
• Default Sentries
• Default Custom Views
• Default Rules
• Default Building Blocks
Default Sentries
The default sentries for the University template include:
Table C-1 Default Sentries
Sentry | Description
Behavior - Flow Count Behavior Change | Monitors the number of flows on your network and alerts when a change is detected. By default, this activity must occur 10 times before an alert generates.
Behavior - Host Count Behavior Change | Learns the number of local and remote active hosts in the network over a weekly period. If the number of hosts increases dramatically outside the projected behavior for at least 5 intervals, an event generates.
Behavior - Threat Traffic Packet Rate Behavior Change | Detects a behavioral change, within the last 5 minutes, in the packet rate of traffic considered to be threatening, compared to what has been learned over the past weeks. This may indicate an attack is in progress. By default, the minimum number of times, in flows, this activity must occur before an event generates is 5.
Suspicious - Internal - Inbound Unidirectional Flows Threshold | Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.
DoS - External - Distributed DoS Attack (High Number of Hosts) | Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Distributed DoS Attack (Low Number of Hosts) | Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Distributed DoS Attack (Medium Number of Hosts) | Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - External - Flood Attack (High) | Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.
DoS - External - Flood Attack (Medium) | Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - External - Flood Attack (Low) | Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - External - Potential ICMP DoS | Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - External - Potential TCP DoS | Detects flows that appear to be a TCP DoS attack attempt.
DoS - External - Potential UDP DoS | Detects flows that appear to be a UDP DoS attack attempt.
DoS - External - Potential Unresponsive Service or Distributed DoS | Detects a low number of hosts sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
Suspicious - Internal - Inbound Unidirectional Flows Threshold | Detects an excessive rate (more than 1,000) of inbound unidirectional (local host not responding) flows within the last 5 minutes. This may indicate a scan in progress, worms, a DoS attack, or issues with your network configuration. By default, this activity must occur 5 times before an alert generates.
DoS - Internal - Distributed DoS Attack (High Number of Hosts) | Detects a large number of hosts (100,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Low Number of Hosts) | Detects a low number of hosts (500) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Distributed DoS Attack (Medium Number of Hosts) | Detects a medium number of hosts (5,000) sending identical, non-responsive packets to a single target. In this case, the target is treated as the attacker in the Offense Manager.
DoS - Internal - Flood Attack (High) | Detects flood attacks above 100,000 packets per second. This activity may indicate a serious attack.
DoS - Internal - Flood Attack (Medium) | Detects flood attacks above 5,000 packets per second. This activity typically indicates a serious attack.
DoS - Internal - Flood Attack (Low) | Detects flood attacks above 500 packets per second. This activity may indicate an attack.
DoS - Internal - Potential ICMP DoS | Detects flows that appear to be an ICMP Denial of Service (DoS) attack attempt.
DoS - Internal - Potential TCP DoS | Detects flows that appear to be a TCP DoS attack attempt.
DoS - Internal - Potential UDP DoS | Detects flows that appear to be a UDP DoS attack attempt.
DoS - Internal - Potential Unresponsive Service or Distributed DoS | Detects a low number of hosts sending identical, non-responsive packets to a single target.
Malware - External - Client Based DNS Activity to the Internet | Detects a host attempting to connect to a DNS server that is not defined as a local network. With the exception of your DNS servers or other hosts specifically configured to communicate with external DNS servers, this is suspicious activity and may be the sign of a botnet connection. If this is a false positive, add the external DNS server to the BB DNS Servers building block in custom rules. By default, this sentry generates an event 30 seconds after the first instance of the event.
Malware - External Communication with BOT Control Channel | Detects communication with an IP address that was a control channel for a botnet. The local machine may be infected with a bot and should be investigated.
Policy - External - Clear Text Application Usage | Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - External - Hidden FTP Server | Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - Internal - Clear Text Application Usage | Detects flows to or from the Internet where the application types use clear text passwords. This may include applications such as Telnet, FTP, and POP.
Policy - Internal - Hidden FTP Server | Detects an FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Policy - External - IM/Chat | Detects an excessive amount of IM/Chat traffic from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - External - IRC Connections | Detects a local host issuing an excessive number of IRC connections to the Internet. By default, the minimum number of times, in flows, this activity must occur before an event generates is 20.
Policy - Local P2P Server Detected | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Policy - External - Long Duration Flow Detected | Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections. By default, this parameter is set to 3600 seconds, which means that an event generates 3600 seconds after the first instance of the event.
Policy - External - P2P Communications Detected | Detects Peer-to-Peer (P2P) communications.
Policy - External - Possible Tunneling | Detects possible tunneling, which can indicate a bypass of policy or an infected system.
Policy - External - Remote Desktop Access from the Internet | Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should remove this sentry.
Policy - External - SMTP Mail Sender | Detects an internal host sending a large number of SMTP flows from the same source to the Internet in one interval. This may indicate a mass mailing, worm, or spam relay is present. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Policy - External - SSH or Telnet Detected on Non-Standard Ports | Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - Internal - SSH or Telnet Detected on Non-Standard Ports | Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Policy - External - Usenet Usage | Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.
Policy - External - VNC Access From the Internet to a Local Host | Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, remove this sentry.
Policy - P2P Policy Threshold | Detects more than 100 KB/s of Peer-to-Peer (P2P) traffic within 5 minutes.
Recon - External - ICMP Scan (High) | Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.
Recon - External - ICMP Scan (Low) | Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - ICMP Scan (Medium) | Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.
Recon - External - Potential Network Scan | Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.
Recon - External - Scanning Activity (High) | Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - External - Scanning Activity (Low) | Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - External - Scanning Activity (Medium) | Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Recon - Internal - ICMP Scan (High) | Detects a host scanning more than 100,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at an extremely high rate. This is typical of a worm infection or a standard scanning application.
Recon - Internal - ICMP Scan (Low) | Detects a host scanning more than 500 hosts per minute using ICMP. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - ICMP Scan (Medium) | Detects a host scanning more than 5,000 hosts per minute using ICMP. This indicates a host performing reconnaissance activity at a high rate. This is typical of a worm infection or a host configured for network management purposes.
Recon - Internal - Potential Network Scan | Detects a host sending identical packets to a number of hosts that have not responded. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not exhibit this behavior for long periods of time.
Recon - Internal - Scanning Activity (High) | Detects a host performing reconnaissance activity at an extremely high rate (100,000 hosts per minute), which is typical of a worm infection or a scanning application.
Recon - Internal - Scanning Activity (Low) | Detects a host performing reconnaissance activity at a rate of 500 hosts per minute. This may indicate a host configured for network management or normal server behavior on a busy internal network. However, client hosts in your network should not typically exhibit this behavior for long periods of time. If this behavior continues for long periods of time, it may indicate classic worm activity. We recommend that you check the host for infection or malware installation.
Recon - Internal - Scanning Activity (Medium) | Detects a host performing reconnaissance activity at a high rate (5,000 hosts per minute), which is typical of a worm infection or a scanning application. This activity may also indicate network management hosts or even busy servers on internal networks.
Suspicious - External - Anomalous ICMP Flows | Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Invalid TCP Flag Usage | Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - External - Port 0 Flows Detected | Detects flows whose destination or source ports are 0. This may be considered suspicious.
Suspicious - External - Rejected Communication Attempts | Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Unidirectional ICMP Detected | Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Unidirectional ICMP Responses Detected | Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - External - Unidirectional TCP Flows | Detects flows that indicate a host is sending an excessive quantity (at least 40) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, which should therefore be considered suspicious.
Suspicious - Internal - Anomalous ICMP Flows | Detects an excessive number of ICMP flows from one source IP address, where the applied ICMP types and codes are considered abnormal when seen entering or leaving the network. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Invalid TCP Flag Usage | Detects flows that appear to have improper flag combinations. This may indicate various troubling behaviors, such as OS detection, DoS attacks, or even forms of reconnaissance. By default, the minimum number of times, in flows, this activity must occur before an event generates is 10.
Suspicious - External - Outbound Unidirectional Flows Threshold | Detects an excessive rate of outbound unidirectional (remote host not responding) flows within 5 minutes.
Suspicious - Internal - Port 0 Flows Detected | Detects flows whose destination or source ports are 0. This may be considered suspicious.
Suspicious - Internal - Rejected Communication Attempts | Detects flows that indicate a host is attempting to establish connections to other hosts but is being refused or is responding with packets containing no payload. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Unidirectional ICMP Detected | Detects excessive unidirectional ICMP traffic from a single source. This may indicate an attempt to enumerate hosts on the network or other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Unidirectional ICMP Responses Detected | Detects excessive unidirectional ICMP responses from a single source. This may indicate an attempt to enumerate hosts on the network, or can be an indicator of other serious network issues. By default, the minimum number of times, in flows, this activity must occur before an event generates is 40.
Suspicious - Internal - Unidirectional TCP Flows | Detects flows that indicate a host is sending an excessive quantity (at least 40) of unidirectional flows. These types of flows may be considered normal; however, client workstations and other devices should not be seen emitting large quantities of such flows, which should therefore be considered suspicious.
Excessive Unidirectional UDP or Misc Flows | Detects an excessive number of UDP, non-TCP, or ICMP flows from a single source. By default, the minimum number of times, in flows, this activity must occur before an event generates is 80.
Default Custom Views
This section provides the default custom views for the Enterprise template including:
• IP Tracking Group
• Threats Group
• Attacker Target Analysis Group
• Target Analysis Group
• Policy Violations Group
• ASN Source Group
• ASN Destination Group
• IFIndexIn Group
• IFIndexOut Group
• QoS Group
• Flow Shape Group
IP Tracking Group
Pre-configured groups that specify traffic flows from your local and remote IP addresses including:
Table C-2 Custom Views - IP Tracking View
Group | Objects
Locals | Specifies traffic flows originating from specific local IP addresses or CIDR ranges. Configure to specify traffic flows for your local IP addresses.
Remotes | Specifies traffic flows originating from specific remote IP addresses or CIDR ranges. Configure to specify traffic flows for your remote IP addresses.
Threats Group
Pre-configured groups that specify traffic flows from suspicious IP addresses, protocols, server ports, and network sweeps including:
Table C-3 Custom Views - Threats View
Group | Objects
Exceptions | This group includes:
• Network_Management_Hosts - Defines network management servers or other systems responsible for reconnaissance, SNMP, large numbers of ICMP requests, or other attack-like traffic on your network, such as vulnerability assessment (VA) scanners.
DoS | The Denial of Service (DoS) group includes:
• Inbound_Flood_NoResponse_High - Defines a remote source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Inbound_Flood_NoResponse_Medium - Defines a remote source sending packets, which are not being responded to, at a rate greater than 5,000 packets per second.
• Inbound_Flood_NoResponse_Low - Defines a remote source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_High - Defines a local source sending packets, which are not being responded to, at a rate greater than 100,000 packets per second.
• Outbound_Flood_NoResponse_Medium - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Outbound_Flood_NoResponse_Low - Defines a local source sending packets, which are not being responded to, at a rate greater than 500 packets per second.
• Multihost_Attack_High - Defines a scan of more than 100,000 hosts per minute.
• Multihost_Attack_Medium - Defines a scan of more than 5,000 hosts per minute.
• Multihost_Attack_Low - Defines a scan of more than 500 hosts per minute.
• Potential_TCP_DoS - Detects TCP SYN flood flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 5 seconds. This may indicate an attempted TCP DoS attack.
• Potential_UDP_DoS - Detects UDP flows with a packet arrival rate of more than 750 packets per second that have lasted for at least 3 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_ICMP_DoS - Detects ICMP flows with a packet arrival rate of more than 300 packets per second that have lasted for at least 2 seconds. This may indicate an attempted ICMP DoS attack.
• Potential_Multihost_Attack - Detects type B superflows. This may indicate a service failure or an attack.
Scanning | This scanning group includes:
• ICMPScan_High - Detects a host sending ICMP packets to more than 100,000 hosts per minute.
• ICMPScan_Medium - Detects a host sending ICMP packets to more than 5,000 hosts per minute.
• ICMPScan_Low - Detects a host sending ICMP packets to more than 500 hosts per minute.
• Scan_High - Defines a scan of more than 100,000 hosts per minute.
• Scan_Medium - Defines a scan of more than 5,000 hosts per minute.
• Scan_Low - Defines a scan of more than 500 hosts per minute.
• Empty_Responsive_Flows_High - Defines traffic with more than 100,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Medium - Defines traffic with more than 5,000 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Empty_Responsive_Flows_Low - Defines traffic with more than 500 packets per second that contain little, if any, payload. These can be the result of scans where the target responds to the attack.
• Potential_Scan - Defines a type A superflow. This may indicate a host performing scanning activity.
PortScans | This PortScans group includes:
• Host_Scans - Detects a host attempting to make multiple connections, using TCP, to another host targeting multiple unique ports.
• UDPPortScan - Detects a host attempting to make multiple connections, using UDP, to another host targeting multiple unique ports.
Suspicious_IP_Protocol_Usage
This group includes:
• Illegal_TCP_Flag_Combination - Detects flows with illegal TCP flag combinations. This may indicate malicious activity, such as port scanning or operating system detection.
• Suspicious_ICMP_Type_Code - Detects flows entering or leaving your network from the Internet that use ICMP types or codes generally accepted to be suspicious or malicious. For more information, see http://techrepublic.com.com/5100-1035_11-5087087.html
• TCP_UDP_Port_0 - Detects flows with a source or destination port of 0. This is illegal according to the Internet RFCs and should be considered malicious.
• Unidirectional_TCP_Flows - Detects unidirectional TCP flows. This may indicate applications failing to connect to a service, but may indicate other issues if the quantity or rate of these flows is high.
• Unidirectional_ICMP_Reply - Detects unidirectional ICMP reply or unreachable flows. This may be expected network behavior; however, an excessive quantity may indicate that a host is scanning the network to enumerate hosts.
• Unidirectional_ICMP_Flows - Detects unidirectional ICMP flows. This may be expected network behavior; however, an excessive quantity of these flows from a single source may indicate a host scanning the network to enumerate hosts.
• Unidirectional_UDP_And_Misc_Flows - Detects unidirectional UDP flows (and other flows that are neither TCP nor ICMP). This may be expected network behavior; however, an excessive quantity should be considered suspicious.
• Zero_Payload_Bidirectional_Flows - Detects flows that contain little (if any) payload. These may be the result of scans where the target responds with reset packets.
• Long_Duration_Flow - Detects a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
• Large_DNS_Packets - Detects UDP DNS packets that are larger than 1K in size.
• Large_ICMP_Packets - Detects ICMP packets that are larger than 1K in size.
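As an added illustration (not STRM's own code), the following Python classifier applies the Threats View limits quoted above (the Potential_TCP/UDP/ICMP_DoS packet rates and minimum durations, and the unidirectional, zero-payload, port 0, illegal flag, 48-hour and "larger than 1K" objects) to constructed flow records and reports which objects each record falls into. The Flow record layout, the payload-per-packet heuristic, the reading of 1K as 1024 bytes and the illegal TCP flag set are assumptions made for this example.

```python
"""Flow classifier modelled on the STRM Threats View (added example, not STRM code).
Thresholds come from the Threats View table; the Flow layout, the payload heuristic,
1K = 1024 bytes and the illegal TCP flag set are assumptions made for this example."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int         # 0 when the protocol has no ports (icmp)
    dst_port: int
    duration_s: float     # seconds between first and last packet
    pkts_fwd: int         # packets sent by the flow originator
    pkts_rev: int         # packets sent back to the originator
    payload_bytes: int    # transport payload bytes, both directions
    max_pkt_bytes: int    # size of the largest packet seen
    remote: bool = True   # True when one endpoint is on the Internet
    tcp_flags: str = ""   # union of TCP flags seen, e.g. "S", "SRA", "SF"

# Per protocol: (view name, packets/second it must exceed, minimum duration in s)
DOS_VIEWS = {
    "tcp": ("Potential_TCP_DoS", 300, 5),
    "udp": ("Potential_UDP_DoS", 750, 3),
    "icmp": ("Potential_ICMP_DoS", 300, 2),
}
LONG_DURATION_S = 48 * 3600
LARGE_PACKET_BYTES = 1024        # assumed reading of "larger than 1K"
ZERO_PAYLOAD_MAX_PER_PKT = 4     # assumed: at most 4 payload bytes per packet
FLAG_ORDER = "FSRPAU"
# Assumed illegal combinations, written in FLAG_ORDER: SYN+FIN together, and every flag set
ILLEGAL_TCP_FLAGS = {"FS", "FSRPAU"}

def normalize_flags(flags: str) -> str:
    """Sort flags into FLAG_ORDER so that "SF" and "FS" compare equal."""
    upper = flags.upper()
    return "".join(f for f in FLAG_ORDER if f in upper)

def packet_rate(flow: Flow) -> float:
    """Packets per second over the flow lifetime; 0.0 for a zero-length flow,
    which the DoS views cannot match anyway because of their minimum duration."""
    if flow.duration_s <= 0:
        return 0.0
    return (flow.pkts_fwd + flow.pkts_rev) / flow.duration_s

def classify(flow: Flow) -> set[str]:
    """Return the names of the Threats View objects this flow record falls into."""
    views: set[str] = set()
    proto = flow.proto.lower()
    total_pkts = flow.pkts_fwd + flow.pkts_rev

    # Rate-based DoS views: a high packet rate sustained for a minimum time
    if proto in DOS_VIEWS:
        name, min_pps, min_duration = DOS_VIEWS[proto]
        if packet_rate(flow) > min_pps and flow.duration_s >= min_duration:
            views.add(name)

    if flow.pkts_fwd == 0 or flow.pkts_rev == 0:
        # Unidirectional: nothing ever came back (or nothing ever went out)
        if proto == "tcp":
            views.add("Unidirectional_TCP_Flows")
        elif proto == "icmp":
            views.add("Unidirectional_ICMP_Flows")
        else:
            views.add("Unidirectional_UDP_And_Misc_Flows")
    elif flow.payload_bytes <= ZERO_PAYLOAD_MAX_PER_PKT * total_pkts:
        # Both sides talked but carried almost no payload, e.g. a probe answered by a RST
        views.add("Zero_Payload_Bidirectional_Flows")

    if proto in ("tcp", "udp") and 0 in (flow.src_port, flow.dst_port):
        views.add("TCP_UDP_Port_0")
    if proto == "tcp" and normalize_flags(flow.tcp_flags) in ILLEGAL_TCP_FLAGS:
        views.add("Illegal_TCP_Flag_Combination")
    if flow.remote and flow.duration_s > LONG_DURATION_S:
        views.add("Long_Duration_Flow")
    if flow.max_pkt_bytes > LARGE_PACKET_BYTES:
        if proto == "udp" and 53 in (flow.src_port, flow.dst_port):
            views.add("Large_DNS_Packets")
        elif proto == "icmp":
            views.add("Large_ICMP_Packets")
    return views

# Constructed flow records, not captured traffic
SAMPLE_FLOWS = {
    "syn_flood": Flow("tcp", 40000, 80, 6.0, 3000, 0, 0, 60, tcp_flags="S"),
    "dns_lookup": Flow("udp", 51000, 53, 0.05, 1, 1, 140, 110),
    "port0_probe": Flow("udp", 0, 0, 0.0, 1, 0, 0, 28),
    "rst_scan_reply": Flow("tcp", 44000, 22, 0.01, 1, 1, 0, 60, tcp_flags="SRA"),
    "long_session": Flow("tcp", 50000, 443, 50 * 3600, 20000, 18000, 5_000_000, 1500),
    "big_ping": Flow("icmp", 0, 0, 3.0, 1200, 1200, 1_500_000, 1400),
    "synfin_probe": Flow("tcp", 45000, 25, 0.0, 1, 0, 0, 40, tcp_flags="SF"),
}

def classify_all(flows: dict[str, Flow]) -> dict[str, set[str]]:
    """Classify every record; a flow matching no object maps to an empty set."""
    return {label: classify(flow) for label, flow in flows.items()}
```

Running classify_all(SAMPLE_FLOWS) shows that a single record can land in several objects at once (the SYN flood is both Potential_TCP_DoS and Unidirectional_TCP_Flows), which is why the views above are tuned as a set rather than one at a time.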
Remote_Access_Violation
This group includes:
• Hidden_Telnet_SSH - Detects flows where the application type is Telnet or SSH but the destination server port is not one of the common ports for this application. This may indicate that a system has been altered to provide a backdoor for unauthorized access.
• Hidden_FTP - Detects flows to a local host where the application type is FTP but the destination server port is not one of the common ports for this application. This may indicate that the server is hosting illegal data, such as pirated applications or other media.
• Remote_Desktop_Access_From_Internet - Detects Remote Desktop Protocol (RDP) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
• VNC_Activity_From_Internet - Detects Virtual Network Computing (VNC) access to the local network from the Internet. If you want to allow this activity on your network, delete this view. Otherwise, you should consider this activity suspicious and we recommend investigating the accessed server.
Suspicious_IRC
Detects suspicious IRC activity.
AttackerTargetAnalysis Group
Pre-configured groups that specify traffic flows from attackers, responses, and events, including:
Table C-4 Custom Views - AttackerTargetAnalysis
Group / Objects
AttackResponseAnalysis
This group includes:
• Target_Did_Not_Respond - The network flow that appears to have carried the attack event that triggered this analysis indicates that the target host did not respond to the attack.
• Target_Responded - The network flow analysis indicates that the target responded to the event from the attacker, which increases the likelihood that the attacker was successful.
PeripheralCommsAnalysis
This group includes:
• Activity_Before_Event - The network flow analysis indicates that the target and attacker were communicating before the event that triggered this analysis. This can indicate a false positive, or that this attacker is concentrating on breaking into this host. Many typical attacks fire an exploit at the target with little or no prior investigation of the host.
• Activity_After_Event - The network flow analysis indicates that the target and attacker were communicating after the event that triggered this analysis. This can indicate a false positive if the attacker and target were also seen communicating before the event and the device emitting these events has a high false positive rate. Conversely, if this is a serious event and the device is credible, it can indicate that a successful attack has occurred.
• Target_Initiating_Comms_To_Attacker - The network flow analysis indicates that the target was seen initiating connections back to the attacker before or after the event. This can sometimes indicate that the attacker has been able to force the target to communicate back to the attacker, thereby bypassing some firewall rules.
TargetAnalysis Group
Pre-configured groups that specify traffic flows from back door entries, scanning behaviors, malicious software (malware), and spam relays, including:
Table C-5 Custom Views - TargetAnalysis
Group / Objects
BotNetAnalysis
BotNet_Connect - The network flow analysis indicates that a target host is connected to IRC servers on the Internet. This may indicate that the attacker has installed an IRC bot on the target and instructed the target to connect to an IRC channel under the attacker's control and await instructions. Large numbers of such exploited machines form a botnet and can be used by the attacker to coordinate large-scale Distributed Denial of Service (DDoS) attacks.
MalwareAnalysis
Malware_Server_Connection - Network flow analysis indicates that a target is aggressively attempting (and failing) to connect to many other hosts on the network (or Internet). Because this behavior is seen in the presence of security events aimed at this host, it is possible that the attacker has infected the target with a worm or other hostile malware that is attempting to spread from this host.
PeripheralCommsAnalysis
This group includes:
• Service_Unresponsive_After_Attack - The network flow analysis indicates that the service on the target that was attacked is unresponsive to other hosts on the network. This may indicate that the attack has intentionally or inadvertently crashed the service running on this host.
• Spam_Relay_Possible - The network flow analysis indicates that a target is accepting and servicing SMTP mail server connections. Given that this activity is occurring in the presence of security events targeting this host, it is possible that the attacker has installed an SMTP server to operate as a spam relay. If this target is a mail server, this behavior is to be expected.
• Outbound_Mail_Relay_Possible - The network flow analysis indicates that a target is sending mail to SMTP servers on the Internet. Given that this activity is occurring in the presence of a security event targeting this host, it is possible that the attacker has installed mass-mailing malware on the target. This behavior is also to be expected if the target is a known mail server.
PolicyViolations Group
Pre-configured groups that specify traffic flows from your internal and external policies, such as mail policies, web policies, P2P, games, applications, and compliance policies, including:
Table C-6 Custom Views - PolicyViolations
Group / Objects
Mail_Policy_Violation
This group includes:
• Outbound_Mail_Sender - Detects flows sent from local hosts to the Internet on port 25 (SMTP) or detected with the SMTP application signature. This may indicate hosts violating the network mail policy, or a host infected with a mass-mailing agent. We recommend updating this equation to exclude your network mail servers.
• Remote_Connection_to_Internal_Mail_Server - Detects bidirectional flows inbound into the local network on port 25 (SMTP). This indicates communication with a local SMTP server. Such a server may also be an infected host that is inadvertently running a spam relay. We recommend updating this equation to exclude your network mail servers.
IRC_IM_Policy_Violation
This group includes:
• IRC_Connection_to_Internet - Detects bidirectional flows from local client hosts to the Internet on a common IRC port, or detected through an application signature. This indicates an active IRC connection. This can simply be a user disregarding corporate policy, or can indicate a host that has been exploited and is connected to an IRC botnet. IRC botnets are used to remotely control exploited hosts to perform DoS attacks and other illegal activities.
• IM_Communications - Detects bidirectional flows from client hosts on the network indicating the use of common Instant Messaging (IM) clients, such as MSN.
Remote_Access_Policy_Violation
Remote_Access_Shell - Detects bidirectional flows where remote hosts connect to local remote access servers. Any of the following access technologies is detected: Citrix, PCAnywhere, SSH, Telnet, or VNC.
P2P_Policy_Violation
This group includes:
• Local_P2P__Server - Detects flows indicating that a P2P server is operating on the local network. This can be in violation of local network policy.
• Local_P2P_Client - Detects flows indicating that a P2P client is operating on the local network. This can be in violation of local network policy.
Application_Policy_Violation
This group includes:
• NNTP_to_Internet - Detects flows indicating that an NNTP news client is operating on the local network. This may be in violation of local network policy.
• Unknown_Local_Service - Detects an active service on a local host.
Compliance_Policy_Violations
This group includes:
• Clear_Text_Application_Usage - Detects flows where the application type uses clear text passwords. The applications included in this view are Telnet, FTP, and POP. We recommend that you tune this view to add or remove applications.
• Large_Outbound_Transfer - Detects large outbound file transfers.
ASN Source Group
STRM detects the ASN values from network flows. When STRM detects an ASN source value in a flow, STRM creates a new object in the ASN Source group. For example, if STRM detects an ASN 238 flow within the source traffic, the object ASN238 is created in the ASNSource group.
ASN Destination Group
STRM detects the ASN values from network flows. When STRM detects an ASN destination value in a flow, STRM creates a new object in the ASN Destination group. For example, if STRM detects an ASN 238 flow within the destination traffic, the object ASN238 is created in the ASNDestination group.
IFIndexIn Group
STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.
IFIndexOut Group
STRM detects the IFIndex values from network flows. When STRM detects IFIndex values in a flow, STRM creates a new object in the respective group.
QoS Group
Default QoS groups include:
Table C-7 Custom Views - QoS View
QoS Group / Group Objects
NetworkControl - Specifies QoS values related to link layer and routing protocols.
IPRoutingControl - Specifies QoS values used by IP routing protocols.
Expedited - Specifies values related to expedited forwarding, such as a virtual leased line or premium service.
Class 4 - Specifies values related to Class 4 traffic.
Class 3 - Specifies values related to Class 3 traffic.
Class 2 - Specifies values related to Class 2 traffic.
Class 1 - Specifies values related to Class 1 traffic.
Best Effort - Specifies traffic related to best effort QoS traffic. Best effort services do not guarantee delivery.
Flow Shape Group
Default FlowShape groups include:
Table C-8 Custom Views - Flow Shape View
Flow Shape Group / Group Objects
Inbound_Only - Specifies traffic flows originating from a host on the Internet that are not responded to by a local host.
Outbound_Only - Specifies traffic flows originating from a local host attempting to communicate with a host on the Internet, where the remote host does not respond.
Mostly_Inbound - Specifies traffic flows that send 5 times more data into the network than is received.
Mostly_Outbound - Specifies traffic flows that send 5 times more bytes out of the network than are received.
NearSame_Internet - Specifies traffic to and from hosts on the Internet that have around the same number of bytes sent and received.
Local_Unidirectional - Specifies a one-sided flow with a source and destination within the local network.
Local_SRC_Bias - Specifies internal traffic that has 5 times more bytes transferred by the source than by the destination.
Local_DST_Bias - Specifies internal traffic that has 5 times more bytes transferred by the destination than by the source.
NearSame_Internal - Specifies internal traffic that has a balance of source and destination bytes.
Default Rules
Default rules for the University template include:
Table C-9 Default Rules
Rule / Group / Rule Type / Enabled / Description
Default-Response-E-mail: Offense E-mail Sender
Group: Response. Rule type: Offense. Enabled: False. Reports any offense matching the severity, credibility, and relevance minimums to e-mail. You must configure the e-mail address. You can limit the number of e-mails sent by tuning the severity, credibility, and relevance limits. Also, this rule only sends one e-mail per hour, per offense.
Default-Response-Syslog: Offense SYSLOG Sender
Group: Response. Rule type: Offense. Enabled: False. Reports any offense matching the severity, credibility, or relevance minimum to syslog.
Default-Rule-Anomaly: Devices with High Event Rates
Group: Anomaly. Rule type: Event. Enabled: False. Monitors devices for high event rates. Typically, the default threshold is low for most networks and we recommend that you adjust this value before enabling this rule. To configure which devices are monitored, edit the Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates building block.
Default-Rule-Anomaly: DMZ Jumping
Group: Anomaly. Rule type: Event. Enabled: False. Reports when connections are bridged across your network's Demilitarized Zone (DMZ).
Default-Rule-Anomaly: Excessive Database Connections
Group: Anomaly. Rule type: Event. Enabled: True. Reports an excessive number of successful database connections.
Default-Rule-Anomaly: Excessive Firewall Accepts Across Multiple Hosts
Group: Anomaly. Rule type: Event. Enabled: False. Reports excessive firewall accepts across multiple hosts: more than 100 events were detected across at least 100 unique destination IP addresses in 5 minutes.
Default-Rule-Anomaly: Excessive Firewall Denies from Single Source
Group: Anomaly. Rule type: Event. Enabled: True. Reports excessive firewall denies from a single host: more than 400 firewall deny attempts from a single source to a single destination within 5 minutes.
Default-Rule-Anomaly: Long Duration Flow
Group: Anomaly. Rule type: Event. Enabled: False. Reports a flow communicating to or from the Internet with a sustained duration of more than 48 hours. This is not typical behavior for most applications. We recommend that you investigate the host for potential malware infections.
Default-Rule-Anomaly: Potential Honeypot Access
Group: Anomaly. Rule type: Event. Enabled: False. Reports an event that targeted, or was sourced from, a honeypot or tarpit-defined address. Before enabling this rule, you must configure the Default-BB-HostDefinition: Honeypot like addresses building block and create the appropriate sentry from the Network Surveillance interface.
Default-Rule-Anomaly: Rate Analysis Marked Events
Group: Anomaly. Rule type: Event. Enabled: False. Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity.
Default-Rule-Anomaly: Remote Access from Foreign Country
Group: Anomaly. Rule type: Event. Enabled: False. Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block.
Default-Rule-Authentication: Login Failure to Disabled Account
Group: Authentication. Rule type: Event. Enabled: True. Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other authentication messages received from the same user.
Default-Rule-Authentication: Login Failure to Expired Account
Group: Authentication. Rule type: Event. Enabled: False. Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.
Default-Rule-Authentication: Login Failures Across Multiple Hosts
Group: Authentication. Rule type: Event. Enabled: True. Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes.
Default-Rule-Authentication: Login Failures Followed By Success
Group: Authentication. Rule type: Event. Enabled: True. Reports multiple login failures to a single host, followed by a successful login to the host.
Default-Rule-Authentication: Login Successful After Scan Attempt
Group: Authentication, Compliance. Rule type: Event. Enabled: True. Reports when at least one of the configured rules matches for a source IP address, followed by a successful authentication from the same IP address, within 30 minutes.
Default-Rule-Authentication: Multiple VoIP Login Failures
Group: Authentication. Rule type: Event. Enabled: True. Reports multiple login failures to a VoIP PBX.
Default-Rule-Authentication: Repeated Login Failures, Single Host
Group: Authentication. Rule type: Event. Enabled: True. Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes.
Default-Rule-Botnet: Potential Botnet Connection (DNS)
Group: Botnet, Exploit. Rule type: Event. Enabled: False. Reports a host connecting or attempting to connect to a DNS server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code. Do not enable this rule until you have tuned the Default-BB-HostDefinition: DNS Servers building block. Note: Laptops that include wireless adapters may cause this rule to generate alerts, since the laptops may attempt to communicate with another ISP's DNS server. If this occurs, define the ISP's DNS server in the Default-BB-HostDefinition: DNS Servers building block.
Default-Rule-Botnet: Potential Botnet Connection (IRC)
Group: Botnet. Rule type: Event. Enabled: False. Reports a host connecting or attempting to connect to an IRC server on the Internet. This may indicate a host connecting to a botnet. The host should be investigated for malicious code.
Default-Rule-Botnet: Potential Botnet Events Become Offenses
Group: Botnet. Rule type: Event. Enabled: True. Reports exploit attacks on events. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-CategoryDefinitions: Access Denied
Group: CategoryDefinition. Rule type: Event. Enabled: True. Reports events in the different Access Denied categories.
Default-Rule-CategoryDefinitions: Session Closed
Group: CategoryDefinition, Malware. Rule type: Event. Enabled: True. Reports all Session Closed events by category.
Default-Rule-CategoryDefinitions: Session Opened
Group: CategoryDefinition, Malware. Rule type: Event. Enabled: True. Reports all Session Opened events by category.
Default-Rule-CategoryDefinitions: Virus Detected
Group: CategoryDefinition, Malware. Rule type: Event. Enabled: True. Reports all virus detection events.
Default-Rule-CategoryDefinitions: System Errors and Failures
Group: CategoryDefinition. Rule type: Event. Enabled: True. Reports events that may indicate a system error or failure.
Default-Rule-CategoryDefinitions: VPN Access Denied
Group: CategoryDefinition. Rule type: Event. Enabled: True. Reports VPN events that are considered Denied Access events.
Default-Rule-CategoryDefinitions: Database Access Denied
Group: CategoryDefinition. Rule type: Event. Enabled: True. Reports database events that indicate denied access activity.
Default-Rule-CategoryDefinitions: Database Access Permitted
Group: CategoryDefinition. Rule type: Event. Enabled: True. Reports database events that indicate permitted access.
Default-Rule-CategoryDefinitions: VPN Access Accepted
Group: CategoryDefinition. Rule type: Event. Enabled: True. Reports VPN events that indicate permitted access.
Default-Rule-Compliance: Compliance Events Become Offenses
Group: Compliance. Rule type: Event. Enabled: False. Reports compliance-based events, such as clear text passwords.
Default-Rule-Compliance: Excessive Failed Logins to Compliance IS
Group: Compliance. Rule type: Event. Enabled: False. Reports excessive authentication failures to a compliance server within 10 minutes.
Default-Rule-Database: Attempted Configuration Modification by a remote host
Group: Database, Compliance. Rule type: Event. Enabled: False. Reports when a configuration modification is attempted on a database server from a remote network.
Default-Rule-Database: Concurrent Logins from Multiple Locations
Group: Database, Compliance. Rule type: Event. Enabled: True. Reports when several authentications to a database server occur across many remote IP addresses.
Default-Rule-Database: Failures Followed by User Changes
Group: Database, Compliance. Rule type: Event. Enabled: True. Reports when failures are followed by the addition or change of a user account.
Default-Rule-Database: Groups changed from Remote Host
Group: Database, Compliance. Rule type: Event. Enabled: True. Monitors changes to groups on a database when the change is initiated from a remote network.
Default-Rule-Database: Multiple Database Failures Followed by Success
Group: Database, Compliance. Rule type: Event. Enabled: True. Reports when multiple database failures are followed by a success within a short period of time.
Default-Rule-Database: Remote Login Failure
Group: Database, Compliance. Rule type: Event. Enabled: True. Increases the severity of a failed login attempt to a database from a remote network.
Default-Rule-Database: Remote Login Success
Group: Database, Compliance. Rule type: Event. Enabled: True. Reports when a successful authentication to a database server occurs from a remote network.
Default-Rule-Database: User Rights Changed from Remote Host
Group: Database, Compliance. Rule type: Event. Enabled: True. Reports when changes to user privileges occur on a database from a remote network.
Default-Rule-DDoS Attack Detected
Group: D/DoS. Rule type: Event. Enabled: False. Reports network Distributed Denial of Service (DDoS) attacks on a system.
Default-Rule-DeviceDefinitions: Access/Authentication/Audit
Group: DeviceDefinition. Rule type: Event. Enabled: True. Reports all access, authentication, and audit devices.
Default-Rule-DeviceDefinitions: AntiVirus
Group: DeviceDefinition. Rule type: Event. Enabled: True. Reports all antivirus services on the system.
Default-Rule-DeviceDefinitions: Application
Group: DeviceDefinition. Rule type: Event. Enabled: True. Reports all application and OS devices on the network.
Default-Rule-DeviceDefinitions: Database
Group: DeviceDefinition. Rule type: Event. Enabled: True. Reports all databases on the system.
Default-Rule-DeviceDefinitions: FW/Router/Switch
Group: DeviceDefinition. Rule type: Event. Enabled: True. Reports all firewalls (FW), routers, and switches on the network.
Default-Rule-DeviceDefinitions: IDS/IPS
Group: DeviceDefinition. Rule type: Event. Enabled: True. Reports all IDS and IPS devices on the network.
Default-Rule-DeviceDefinitions: VPN
Group: DeviceDefinition. Rule type: Event. Enabled: True. Reports all VPNs on the network.
Default-Rule-DoS: Decrease Magnitude of Low Rate Attacks
Group: D/DoS. Rule type: Event. Enabled: True. If a low rate flow-based DoS attack is detected, this rule decreases the magnitude of the current event.
Default-Rule-DoS: DoS Events from Darknet
Group: D/DoS. Rule type: Event. Enabled: False. Reports when DoS attack events are identified on Darknet network ranges.
Default-Rule-DDoS: DDoS Events with High Magnitude Become Offenses
Group: D/DoS. Rule type: Event. Enabled: False. Reports when offenses are created for DoS-based events with high magnitude.
Default-Rule-DoS: DoS Events with High Magnitude Become Offenses
Group: D/DoS. Rule type: Event. Enabled: True. This rule forces the creation of an offense for DoS-based events with a high magnitude.
Default-Rule-DoS: Increase Magnitude of High Rate Attacks
Group: D/DoS. Rule type: Event. Enabled: True. If a high rate flow-based DoS attack is detected, this rule increases the magnitude of the current event.
Default-Rule-DoS: Network DoS Attack Detected
Group: D/DoS. Rule type: Event. Enabled: True. Reports network Denial of Service (DoS) attacks on a system.
Default-Rule-DoS: Service DoS Attack Detected
Group: D/DoS. Rule type: Event. Enabled: True. Reports a DoS attack against a local target that is known to exist and whose target port is open.
Default-Rule-Exploit: All Exploits Become Offenses
Group: Exploit. Rule type: Event. Enabled: False. Reports exploit attacks on events. By default, this rule is disabled. Enable this rule if you want all events categorized as exploits to create an offense.
Default-Rule-Exploit: Attacker Vulnerable to any Exploit
Group: Exploit. Rule type: Event. Enabled: False. Reports an attack from a local host where the attacker has at least one vulnerability. It is possible that the attacker was a target in an earlier offense.
Default-Rule-Exploit: Attack followed by Attack Response
Group: Exploit. Rule type: Event. Enabled: False. Reports when exploit or attack events are followed by typical responses, which may indicate a successful attack.
Default-Rule-Exploit: Attacker Vulnerable to this Exploit
Group: Exploit. Rule type: Event. Enabled: False. Reports an attack from a local host where the attacker is vulnerable to the attack being used. It is possible that the attacker was a target in an earlier offense.
Default-Rule-Exploit: Exploit Followed by Suspicious Host Activity
Group: Exploit. Rule type: Event. Enabled: False. Reports exploit or attack type activity from a source IP address followed by suspicious account activity on the destination host within 15 minutes.
Default-Rule-Exploit: Exploit/Malware Events Across Multiple Targets
Group: Exploit. Rule type: Event. Enabled: True. Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.
Default-Rule-Exploit: Exploits Events with High Magnitude Become Offenses
Group: Exploit. Rule type: Event. Enabled: False. This rule forces the creation of offenses for exploit-based events with a high magnitude.
Default-Rule-Exploit: Exploits Followed by Firewall Accepts
Group: Exploit. Rule type: Event. Enabled: False. Reports when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.
Default-Rule-Exploit: Multiple Exploit Types Against Single Target
Group: Exploit. Rule type: Event. Enabled: True. Reports a target that is being attacked using multiple types of exploits from one or more attackers.
Default-Rule-Exploit: Multiple Vector Attacker
Group: Exploit. Rule type: Event. Enabled: False. Reports when an attacker attempts multiple attack vectors. This may indicate an attacker specifically targeting an asset.
Default-Rule-Exploit: Potential VoIP Toll Fraud
Group: Exploit. Rule type: Event. Enabled: False. Reports multiple failed logins to your VoIP hardware followed by sessions being opened. At least 3 events were detected within 30 seconds. This may indicate that unauthorized users are executing VoIP sessions on your network.
Default-Rule-Exploit: Recon followed by Exploit
Group: Exploit. Rule type: Event. Enabled: True. Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit
Group: Exploit. Rule type: Event. Enabled: True. Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack.
Default-Rule-Exploit: Target Vulnerable to Detected Exploit on a Different Port
Group: Exploit. Rule type: Event. Enabled: True. Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to the attack on a different port.
Default-Rule-Exploit: Target Vulnerable to Different Exploit than Attempted on Attacked Port
Group: Exploit. Rule type: Event. Enabled: False. Reports an attack against a vulnerable local target, where the target is known to exist and the host is vulnerable to some attack, but not the one being attempted.
Default-Rule-FalsePositive: False Positive Rules and Building Blocks
Group: False Positive. Rule type: Event. Enabled: True. Reports events that match false positive rules and building blocks, such as Default-BB-FalsePositive: Windows Server False Positive Events. Events that match these conditions are stored but dropped. If you add new building blocks or rules to prevent events from becoming offenses, you must add those new rules or building blocks to this rule.
Default-Rule-Malware: Treat Backdoor, Trojans and Virus Events as Offenses
Group: Malware. Rule type: Event. Enabled: False. Enable this rule if you want all events categorized as backdoor, virus, or trojan to create an offense.
Default-Rule-Malware: Local Host Sending Malware
Group: Malware, Policy. Rule type: Event. Enabled: False. Reports malware being sent from local hosts.
Default-Rule-Malware: Treat Key Loggers as Offenses
Group: Malware. Rule type: Event. Enabled: False. Enable this rule if you want all events categorized as key loggers to create offenses.
Default-Rule-Malware: Treat Non-Spyware Malware as Offenses
Group: Malware. Rule type: Event. Enabled: False. Reports non-spyware malware attacks on events. Enable this rule if you want all events categorized as malware to create an offense.
Default-Rule-Malware: Treat Spyware and Virus as Offenses
Group: Malware. Rule type: Event. Enabled: False. Reports spyware and/or virus events. Enable this rule if you want all events categorized as Virus or Spyware to create an offense.
Default-Rule-NetworkDefinition: Local to Local
Group: Network Definition. Rule type: Event. Enabled: True. Reports events that are considered Local-to-Local (L2L).
Default-Rule-NetworkDefinition: Local to Remote
Group: Network Definition. Rule type: Event. Enabled: True. Reports events that are considered Local-to-Remote (L2R).
Default-Rule-NetworkDefinition: Remote to Local
Group: Network Definition. Rule type: Event. Enabled: True. Reports events that are considered Remote-to-Local (R2L).
Default-Rule-Policy: Create Offenses for All Instant Messenger Traffic
Group: Policy. Rule type: Event. Enabled: False. Reports Instant Messenger traffic, or any event categorized as Instant Messenger traffic, where the source is local and the destination is remote.
Default-Rule-Policy: Create Offenses for All P2P Usage
Group: Policy. Rule type: Event. Enabled: False. Reports P2P traffic or any event categorized as P2P.
Default-Rule-Policy: Create Offenses for All Policy Events
Group: Policy, Compliance. Rule type: Event. Enabled: False. Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.
Default-Rule-Policy: Create Offenses for All Porn Usage
Group: Policy. Rule type: Event. Enabled: False. Reports any traffic that contains illicit materials or any event categorized as Porn. By default, this rule is disabled. Enable this rule if you want all events categorized as Porn to create an offense.
Default-Rule-Policy: Host has SANS Top 20 Vulnerability
Group: Policy. Rule type: Event. Enabled: False. This rule acts as a warning that the asset identified by an event is vulnerable to a vulnerability listed in the SANS Top 20 Vulnerabilities (www.sans.org/top20/).
Default-Rule-Policy: Local P2P Server Detected
Group: Policy. Rule type: Event. Enabled: False. Reports local Peer-to-Peer (P2P) traffic or any event categorized as P2P. More than 10 hosts were detected connecting to a local host that appears to be operating as a P2P server.
Default-Rule-Policy: New Host Discovered
Group: Policy. Rule type: Event. Enabled: False. Reports when a new host has been discovered on the network.
Default-Rule-Policy: New Host Discovered in DMZ
Group: Authentication, Compliance. Rule type: Event. Enabled: False. Reports when a new host has been discovered in the DMZ.
Default-Rule-Policy: New Service Discovered
Group: Policy. Rule type: Event. Enabled: False. Reports when an existing host has a newly discovered service.
Default-Rule-Policy: Potential Tunneling
Group: Policy. Rule type: Event. Enabled: False. This rule identifies potential tunneling that can be used to bypass policy or security controls.
Default-Rule-Policy: New Service Discovered in DMZ
Group: Authentication, Compliance. Rule type: Event. Enabled: False. Reports when a new service has been discovered in the DMZ.
Table C-9 Default Rules (continued)
Rule GroupRule Type Enabled Description
STRM Administration Guide
Default Rules 315
| Default-Rule-Policy: Upload to Local WebServer | Policy | Event | False | Reports potential file uploads to a local web server. To edit the details of this rule, edit the Default-BB-CategoryDefinition: Upload to Local WebServer building block. |
| Default-Rule-Recon: Aggressive Local Scanner Detected | Recon | Event | True | Reports an aggressive scan from a local source IP address, scanning other local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm present on the system. |
| Default-Rule-Recon: Aggressive Remote Scanner Detected | Recon | Event | True | Reports an aggressive scan from a remote source IP address, scanning other local or remote IP addresses. This may indicate a manually driven scan, an exploited host searching for other targets, or a worm on a system. |
| Default-Rule-Recon: Excessive Firewall Denies From Local Host | Recon | Event | True | Reports excessive denied attempts from a local host to access the firewall. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes. |
| Default-Rule-Recon: Excessive Firewall Denies From Remote Host | Recon | Event | True | Reports excessive denied attempts from a remote host to access the firewall. More than 40 attempts are detected across at least 40 destination IP addresses in 5 minutes. |
| Default-Rule-Recon: Host Port Scan Detected by Local Host | Recon | Event | True | Reports a single source IP address scanning more than 50 ports in under 3 minutes. |
| Default-Rule-Recon: Host Port Scan Detected by Remote Host | Recon | Event | True | Reports when more than 50 ports were scanned from a single source IP address in under 3 minutes. |
| Default-Rule-Recon: Increase Magnitude of High Rate Scans | Recon | Event | True | If a high rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. |
| Default-Rule-Recon: Increase Magnitude of Medium Rate Scans | Recon | Event | True | If a medium rate flow-based scanning attack is detected, this rule increases the magnitude of the current event. |
| Default-Rule-Recon: Local LDAP Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Database Scanner | Recon | Event | True | Reports a scan from a local host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Default-Rule-Recon: Local DHCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local FTP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Local Game Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local ICMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Default-Rule-Recon: Local Mail Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local P2P Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Proxy Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local RPC Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Scanner Detected | Recon | Event | True | Reports a scan from a local host against other hosts or remote targets. At least 60 hosts were scanned within 10 minutes. This activity was using a protocol other than TCP, UDP, or ICMP. |
| Default-Rule-Recon: Local SNMP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local SSH Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Local Suspicious Probe Events Detected | Recon | Event | False | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target. |
| Default-Rule-Recon: Local TCP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local UDP Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Web Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local Windows Scanner to Internet | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections more than 5 times from the same source IP address, across more than 60 destination IP addresses, within 20 minutes. |
| Default-Rule-Recon: Local Windows Server Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports more than 5 times from the same source IP address, across more than 200 destination IP addresses, within 20 minutes. |
| Default-Rule-Recon: Recon Followed by Accept | Recon | Event | False | Adds an additional event into the event stream when a host that has been performing reconnaissance also has a firewall accept following the reconnaissance activity. |
| Default-Rule-Recon: Remote Database Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Default-Rule-Recon: Remote DHCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote DNS Scanner | Recon | Event | True | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote FTP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Game Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote ICMP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IM Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Local IRC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Default-Rule-Recon: Remote LDAP Server Scanner | Recon | Event | True | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Default-Rule-Recon: Remote Mail Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote P2P Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Proxy Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote RPC Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Scanner Detected | Recon | Event | True | Reports a scan from a remote host against other hosts or remote targets. At least 60 hosts were scanned within 20 minutes. This activity was using a protocol other than TCP, UDP, or ICMP. |
| Default-Rule-Recon: Remote SNMP Scanner | Recon | Event | True | Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Default-Rule-Recon: Remote SSH Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Suspicious Probe Events Detected | Recon | Event | False | Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating system of the targets. |
| Default-Rule-Recon: Remote TCP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote UDP Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Web Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Remote Windows Server Scanner | Recon | Event | True | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes. |
| Default-Rule-Recon: Single Merged Recon Events | Recon | Event | True | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the Default-BB-ReconDetected: Devices which Merge Recon into Single Events building block. |
| Default-Rule-System-Notification | | Event | True | Ensures that notification events are sent to the notification framework. |
| Default-Rule-System: 100% Accurate Events | System | Event | True | Creates an offense when an event matches a 100% accurate signature for successful compromises. |
| Default-Rule-System: Critical System Events | System | Event | False | Reports when STRM detects a critical event. |
| Default-Rule-System: Device Stopped Sending Events | System | Event | False | Reports when an event source has not sent an event to the system in over 1 hour. Edit this rule to add devices you want to monitor. |
| Default-Rule-System: Host Based Failures | System | Event | False | Reports when STRM detects events that indicate failures within services or hardware. |
| Default-Rule-System: Load Building Blocks | System | Event | True | Loads BBs that need to be run to assist with reporting. This rule has no actions or responses. |
| Default-Rule-Recon: Multiple System Errors | System | Event | False | Reports when a source has 10 system errors within 3 minutes. |
| Default-Rule-Vulnerabilities: Vulnerability Reported by Scanner | Compliance | Event | False | Reports when a vulnerability is discovered on a local host. |
| Default-Rule-WormsDetection: Local Mass Mailing Host Detected | Worms | Event | False | Reports a local host sending more than 20 SMTP flows in 1 minute. This may indicate a host being used as a spam relay or infected with a form of mass mailing worm. |
| Default-Rule-WormsDetection: Possible Local Worm Detected | Worms | Event | True | Reports a local host generating reconnaissance or suspicious events across a large number of hosts (greater than 300) in 20 minutes. This may indicate the presence of a worm on the network or a widespread scan. |
| Default-Rule-WormsDetection: Worm Detected (Events) | Worms | Event | True | Reports exploits or worm activity on a system for local-to-local or local-to-remote traffic. |
Default Building Blocks

Default building blocks for the University template include:

Table C-10 Default Building Blocks

| Building Block | Group | Block Type | Description | Associated Building Blocks, if applicable |
|---|---|---|---|---|
| Default-BB-BehaviorDefinition: Post Compromise Activities | Category Definitions | Event | Edit this BB to include categories that are considered part of events detected after a typical compromise. | |
| Default-BB-CategoryDefinition: Authentication Failures | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate an unsuccessful attempt to access the network. | |
| Default-BB-CategoryDefinition: Authentication Success | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate successful attempts to access the network. | |
| Default-BB-CategoryDefinition: Authentication to Disabled Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using a disabled account. | |
| Default-BB-CategoryDefinition: Authentication to Expired Account | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate failed attempts to access the network using an expired account. | |
| Default-BB-CategoryDefinition: Authentication User or Group Added or Changed | Category Definitions, Compliance | Event | Edit this building block to include all events that indicate modification to accounts or groups. | |
| Default-BB-CategoryDefinition: Countries with no Remote Access | Category Definitions | Event | Edit this BB to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Default-Rule-Anomaly: Remote Access from Foreign Country rule. | |
| Default-BB-CategoryDefinition: Database Connections | Category Definitions | Event | Edit this BB to define successful logins to databases. You may need to add additional device types for this BB. | |
| Default-BB-CategoryDefinition: DDoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a DDoS attack. | |
| Default-BB-CategoryDefinition: Exploits, Backdoors, and Trojans | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. | |
| Default-BB-CategoryDefinition: Failure Service or Hardware | Category Definitions, Compliance | Event | Edit this BB to include all events that indicate a failure within a service or hardware. | |
| Default-BB-CategoryDefinition: Firewall or ACL Accept | Category Definitions | Event | Edit this BB to include all events that indicate access to the firewall. | |
| Default-BB-CategoryDefinition: Firewall or ACL Denies | Category Definitions | Event | Edit this BB to include all events that indicate unsuccessful attempts to access the firewall. | |
| Default-BB-CategoryDefinition: Firewall System Errors | Category Definitions | Event | Edit this BB to include all events that may indicate a firewall system error. By default, this BB applies when an event is detected by one or more of the following devices: CheckPoint, Generic Firewall, Iptables, NetScreen Firewall, Cisco Pix. | |
| Default-BB-CategoryDefinition: Flow Events | Category Definitions | Event | Edit this BB to include all events that indicate flow events within your network. By default, this BB applies to events detected by the Classification Engine. | |
| Default-BB-CategoryDefinition: High Magnitude Events | Category Definitions | Event | Edit this BB to set the severity, credibility, and relevance levels at which you want to generate an event. The defaults are: Severity = 6, Credibility = 7, Relevance = 7. | |
| Default-BB-CategoryDefinitions: KeyLoggers | Category Definitions | Event | Edit this BB to include all events that are typically exploits, backdoors, or trojans. | |
| Default-BB-CategoryDefinition: Mail Policy Violation | Category Definitions, Compliance | Event | Edit this BB to define mail policy violations. | |
| Default-BB-CategoryDefinition: Malware Annoyances | Category Definitions | Event | Edit this BB to include event categories that are typically associated with spyware infections. | |
| Default-BB-CategoryDefinition: Network DoS Attack | Category Definitions | Event | Edit this BB to include all event categories that you want to categorize as a network DoS attack. | |
| Default-BB-CategoryDefinition: Policy Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that may indicate a violation of network policy. | |
| Default-BB-CategoryDefinition: Post Exploit Account Activity | Category Definitions | Event | Edit this BB to include all event categories that may indicate exploits to accounts. | |
| Default-BB-CategoryDefinition: Rate Analysis Marked Events | Category Definitions | Event | STRM monitors event rates of all source IP addresses/QIDs and destination IP addresses/QIDs and marks events that exhibit abnormal rate behavior. Edit this BB to include events that are marked with rate analysis. | |
| Default-BB-CategoryDefinition: Recon Events | Category Definitions | Event | Edit this BB to include all events that indicate reconnaissance activity. | |
| Default-BB-CategoryDefinition: Service DoS | Category Definitions | Event | Edit this BB to define Denial of Service (DoS) attack events. | |
| Default-BB-CategoryDefinition: Suspicious Events | Category Definitions | Event | Edit this BB to include all events that indicate suspicious activity. | |
| Default-BB-CategoryDefinition: System Configuration | Category Definitions, Malware | Event | Edit this BB to define system configuration events. | |
| Default-BB-CategoryDefinition: Upload to Local WebServer | Category Definitions | Event | Typically, most networks are configured to restrict applications that use the PUT method running on their web application servers. This BB detects if a remote host has used this method on a local server. The BB could be duplicated to also detect other unwanted methods, or to detect local hosts using the method when connecting to remote servers. This building block is referenced by the Default-Rule-Policy: Upload to Local WebServer rule. | |
| Default-BB-CategoryDefinition: VoIP Authentication Failure Events | Category Definitions | Event | Edit this BB to include all events that indicate a VoIP login failure. | |
| Default-BB-CategoryDefinition: VoIP Session Opened | Category Definitions | Event | Edit this BB to include all events that indicate the start of a VoIP session. | |
| Default-BB-CategoryDefinition: Windows Compliance Events | Category Definitions, Compliance | Event | Edit this BB to include all event categories that indicate compliance events. | |
| Default-BB-CategoryDefinition: Worm Events | Category Definitions | Event | Edit this BB to define worm events. This BB only applies to events not detected by a custom rule. | |
| Default-BB-ComplianceDefinition: GLBA Servers | Compliance, Host Definitions | Event | Edit this BB to include your GLBA IP systems. You must then apply this BB to rules related to failed logins, remote access, etc. | |
| Default-BB-ComplianceDefinition: HIPAA Servers | Compliance, Host Definitions | Event | Edit this BB to include your HIPAA Servers by IP address. You must then apply this BB to rules related to failed logins, remote access, etc. | |
| Default-BB-ComplianceDefinition: SOX Servers | Compliance, Host Definitions | Event | Edit this BB to include your SOX IP Servers. You must then apply this BB to rules related to failed logins, remote access, etc. | |
| Default-BB-ComplianceDefinition: PCI DSS Servers | Compliance, Host Definitions, Response | Event | Edit this BB to include your PCI DSS servers by IP address. You must apply this BB to rules related to failed logins, remote access, etc. | |
| Default-BB-Database: System Action Allow | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate successful actions within a database. | |
| Default-BB-Database: System action Deny | Category Definitions, Compliance | Event | Edit this BB to include any events that indicate unsuccessful actions within a database. | |
| Default-BB-Database: User Addition or Change | Category Definitions, Compliance | Event | Edit this BB to include events that indicate the successful addition or change of user privileges. | |
| Default-BB-DeviceDefinition: Devices to Monitor for High Event Rates | Category Definitions | Event | Edit this BB to include devices you want to monitor for high event rates. The event rate threshold is controlled by the Default-Rule-Anomaly: Devices with High Event Rates rule. | |
| Default-BB-FalseNegative: Events That Indicate Successful Compromise | False Positive | Event | Edit this BB to include events that indicate a successful compromise. These events generally have 100% accuracy. | |
| Default-BB-FalsePositive: All Default False Positive Building Blocks | False Positive | Event | Edit this BB to include all false positive building blocks. | All Default-BB-FalsePositive building blocks |
| Default-BB-FalsePositive: Broadcast Address False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from the broadcast address space. | |
| Default-BB-FalsePositive: Database Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers |
| Default-BB-FalsePositive: Database Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from database servers that are defined in the Default-BB-HostDefinition: Database Servers building block. | Default-BB-HostDefinition: Database Servers |
| Default-BB-FalsePositive: Device and Specific Event | False Positive | Event | Edit this BB to include the devices and QIDs of devices that continually generate false positives. | |
| Default-BB-FalsePositive: DHCP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers |
| Default-BB-FalsePositive: DHCP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DHCP servers that are defined in the Default-BB-HostDefinition: DHCP Servers building block. | Default-BB-HostDefinition: DHCP Servers |
| Default-BB-FalsePositive: DNS Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers |
| Default-BB-FalsePositive: DNS Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from DNS-based servers that are defined in the Default-BB-HostDefinition: DNS Servers building block. | Default-BB-HostDefinition: DNS Servers |
| Default-BB-FalsePositive: Firewall Deny False Positive Events | False Positive | Event | Edit this BB to define firewall deny events that are false positives. | |
| Default-BB-FalsePositive: FTP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers |
| Default-BB-FalsePositive: FTP False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from FTP-based servers that are defined in the Default-BB-HostDefinition: FTP Servers building block. | Default-BB-HostDefinition: FTP Servers |
| Default-BB-FalsePositive: Global False Positive Events | False Positive | Event | Edit this BB to include any event QIDs that you want to ignore. | |
| Default-BB-FalsePositive: Internal Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Local (L2L) based servers. | |
| Default-BB-FalsePositive: Internal Attacker to Remote Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Local-to-Remote (L2R) based servers. | |
| Default-BB-FalsePositive: LDAP Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers |
| Default-BB-FalsePositive: LDAP Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from LDAP servers that are defined in the Default-BB-HostDefinition: LDAP Servers building block. | Default-BB-HostDefinition: LDAP Servers |
| Default-BB-FalsePositive: Large Volume Local FW Events | False Positive | Event | Edit this BB to define specific events that can create a large volume of false positives in general rules. | |
| Default-BB-FalsePositive: Mail Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers |
| Default-BB-FalsePositive: Mail Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from mail servers that are defined in the Default-BB-HostDefinition: Mail Servers building block. | Default-BB-HostDefinition: Mail Servers |
| Default-BB-FalsePositive: Network Management Servers Recon | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from network management servers that are defined in the Default-BB-HostDefinition: Network Management Servers building block. | Default-BB-HostDefinition: Network Management Servers |
| Default-BB-FalsePositive: Proxy Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers |
| Default-BB-FalsePositive: Proxy Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from proxy servers that are defined in the Default-BB-HostDefinition: Proxy Servers building block. | Default-BB-HostDefinition: Proxy Servers |
| Default-BB-FalsePositive: Remote Attacker to Internal Target False Positives | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from Remote-to-Local (R2L) based servers. | |
| Default-BB-FalsePositive: RPC Server False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers |
| Default-BB-FalsePositive: RPC Server False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from RPC servers that are defined in the Default-BB-HostDefinition: RPC Servers building block. | Default-BB-HostDefinition: RPC Servers |
| Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Categories | False Positive | Event | Edit this BB to define all the false positive categories that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers |
| Default-BB-FalsePositive: SNMP Sender or Receiver False Positive Events | False Positive | Event | Edit this BB to define all the false positive QIDs that occur to or from SNMP servers that are defined in the Default-BB-HostDefinition: SNMP Servers building block. | Default-BB-HostDefinition: SNMP Servers |
| Default-BB-FalsePositive: Source IP and Specific Event | False Positive | Event | Edit this BB to include source IP addresses or specific events that you want to remove. | |
Default-BB-FalsePositive: SSH Server False Positive Categories
False Positive
Event Edit this BB to define all the false positive categories that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.
Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: SSH Server False Positive Events
False Positive
Event Edit this BB to define all the false positive QIDs that occur to or from SSH servers that are defined in the Default-BB-HostDefinition: SSH Servers building block.
Default-BB-HostDefinition: SSH Servers
Default-BB-FalsePositive: Syslog Sender False Positive Categories
False Positive
Event Edit this BB to define all false positive categories that occur to or from syslog sources.
Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Syslog Sender False Positive Events
False Positive
Event Edit this BB to define all false positive events that occur to or from syslog sources or destinations.
Default-BB-HostDefinition: Syslog Servers and Senders
Default-BB-FalsePositive: Virus Definition Update Categories
False Positive
Event Edit this BB to define all the false positive QIDs that occur to or from virus definition or other automatic update hosts that are defined in the Default-BB-HostDefinition: Virus Definition and Other Update Servers building block.
Default-BB-HostDefinition: Virus Definition
Default-BB-FalsePositive: Web Server False Positive Categories
False Positive
Event Edit this BB to define all the false positive categories that occur to or from web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.
Default-BB-HostDefinition: Web Servers
Default-BB-FalsePositive: Web Server False Positive Events
False Positive
Event Edit this BB to define all the false positive QIDs that occur to or from Web servers that are defined in the Default-BB-HostDefinition: Web Servers building block.
Default-BB-HostDefinition: Web Servers
Default-BB-FalsePositive: Windows Server False Positive Categories Local
False Positive
Event Edit this BB to define all the false positive categories that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.
Default-BB-HostDefinition: Windows Servers
Default-BB-FalsePositive: Windows Server False Positive Events
False Positive
Event Edit this BB to define all the false positive QIDs that occur to or from Windows servers that are defined in the Default-BB-HostDefinition: Windows Servers building block.
Default-BB-HostDefinition: Windows Servers
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
Default Building Blocks 329
Default-BB-HostBased: Critical Events
Category Definitions, Compliance
Event Edit this BB to define event categories that indicate critical events.
Default-BB-HostDefinition: Database Servers
Host Definitions
Event Edit this BB to define typical database servers.
Default-BB-FalsePositive: Database Server False Positive CategoriesDefault-BB-FalsePositive: Database Server False Positive Events
Default-BB-HostDefinition: DHCP Servers
Host Definitions
Event Edit this BB to define typical DHCP servers.
Default-BB-False Positive: DHCP Server False Positives CategoriesDefault-BB-FalsePositve: DHCP Server False Positive Events
Default-BB-HostDefinition: DNS Servers
Host Definitions
Event Edit this BB to define typical DNS servers.
Default-BB-False Positive: DNS Server False Positives Categories Default-BB-FalsePositve: DNS Server False Positive Events
Default-BB-HostDefinition: FTP Servers
Host Definitions
Event Edit this BB to define typical FTP servers.
Default-BB-False Positive: FTP Server False Positives CategoriesDefault-BB-FalsePositve: FTP Server False Positive Events
Default-BB-HostDefinition: Host with Port Open
Host Definitions
Event Edit this BB to include a host and port that is actively or passively seen.
Default-BB-HostDefinition: LDAP Servers
Host Definitions
Event Edit this BB to define typical LDAP servers.
Default-BB-False Positive: LDAP Server False Positives CategoriesDefault-BB-FalsePositve: LDAP Server False Positive Events
Default-BB-HostDefinition: Mail Servers
Host Definitions
Event Edit this BB to define typical mail servers.
Default-BB-False Positive: Mail Server False Positives CategoriesDefault-BB-FalsePositve: Mail Server False Positive Events
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
330 UNIVERSITY TEMPLATE DEFAULTS
Default-BB-HostDefinition: Network Management Servers
Host Definitions
Event Edit this BB to define typical network management servers.
Default-BB-HostDefinition: Proxy Servers
Host Definitions
Event Edit this BB to define typical proxy servers.
Default-BB-False Positive: Proxy Server False Positives CategoriesDefault-BB-FalsePositve: Proxy Server False Positive Events
Default-BB-HostDefinition: RPC Servers
Host Definitions
Event Edit this BB to define typical RPC servers.
Default-BB-False Positive: RPC Server False Positives CategoriesDefault-BB-FalsePositve: RPC Server False Positive Events
Default-BB-HostDefinition: Servers
Host Definitions
Event Edit this BB to define generic servers.
Default-BB-HostDefinition: SNMP Sender or Receiver
Host Definitions
Event Edit this BB to define SNMP senders or receivers.
Default-BB-PortDefinition: SNMP Ports
Default-BB-HostDefinition: SSH Servers
Host Definitions
Event Edit this BB to define typical SSH servers.
Default-BB-False Positive: SSH Server False Positives CategoriesDefault-BB-FalsePositve: SSH Server False Positive Events
Default-BB-HostDefinition: Syslog Servers and Senders
Host Definitions
Event Edit this BB to define typical host that send or receive syslog traffic.
Default-BB-FalsePositive: Syslog Server False Positive CategoriesDefault-BB-FalsePositive: Syslog Server False Positive Events
Default-BB-HostDefinition: VA Scanner Source IP
Host Definitions
Event Edit this BB to include the source IP address of your VA scanner. By default, this BB applies when the source IP address is 127.0.0.2.
Default-BB-HostDefinition: Virus Definition and Other Update Servers
Host Definitions
Event Edit this BB to include all servers that include virus protection and update functions.
Default-BB-HostDefinition: VoIP IP PBX Server
Host Definitions
Event Edit this BB to define typical VoIP IP PBX servers.
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
Default Building Blocks 331
Default-BB-HostDefinition: Web Servers
Host Definitions
Event Edit this BB to define typical web servers.
Default-BB-False Positive: Web Server False Positives CategoriesDefault-BB-FalsePositve: Web Server False Positive Events
Default-BB-HostDefinition: Windows Servers
Host Definitions
Event Edit this BB to define typical Windows servers, such as domain controllers or exchange servers.
Default-BB-False Positive: Windows Server False Positives CategoriesDefault-BB-FalsePositve: Windows Server False Positive Events
Default-BB-NetworkDefinition: Broadcast Address Space
Network Definition
Event Edit this BB to include the broadcast address space of your network. This is used to remove false positive events that may be caused by the use of broadcast messages.
Default-BB-NetworkDefinition: Client Networks
Network Definition
Event Edit this BB to include all networks that include client hosts.
Default-BB-NetworkDefinition: Darknet Addresses
Network Definition
Event Edit this BB to include networks that you want to add to a Darket list.
Default-BB-NetworkDefinition: DLP Addresses
Network Definition
Event Edit this BB to include networks that you want to add to a data loss prevention (DLP) list.
Default-BB-NetworkDefinition: Honeypot like Addresses
Network Definition
Event Edit this BB by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Default-Rule-Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.
Default-BB-NetworkDefinition: NAT Address Range
Network Definition
Event Edit this BB to define typical Network Address Translation (NAT) range you want to use in your deployment.
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
332 UNIVERSITY TEMPLATE DEFAULTS
Default-BB-NetworkDefinition: Server Networks
Network Definition
Event Edit this BB to include the networks where your servers are located.
Default-BB-NetworkDefinition: Undefined IP Space
Network Definition
Event Edit this BB to include areas of your network that does not contain any valid hosts.
Default-BB-NetworkDefinition: Watch List Addresses
NetworkDefinition
Event Edit this BB to include networks that should be added to a watch list.
Default-BB-Policy: Application Policy Violation Events
Policy Event Edit this BB to define policy application and violation events.
Default-BB-Policy: IRC/IM Connection Violations
Policy Event Edit this BB to define all policy IRC/IM connection violations.
Default-BB-Policy: Policy P2P
Policy Event Edit this BB to include all events that indicate Peer-to-Peer (P2P) events.
Default-BB-PortDefinition: Database Ports
Port\Protocol Definition
Event Edit this BB to include all common database ports.
Default-BB-PortDefinition: DHCP Ports
Port\Protocol Definition
Event Edit this BB to include all common DHCP ports.
Default-BB-PortDefinition: DNS Ports
Port\Protocol Definition
Event Edit this BB to include all common DNS ports.
Default-BB-PortDefinition: FTP Ports
Port\Protocol Definition
Event Edit this BB to include all common FTP ports.
Default-BB-PortDefinition: Game Server Ports
Port\Protocol Definition
Event Edit this BB to include all common game server ports.
Default-BB-PortDefinition: IM Ports
Compliance, Port\Protocol Definition
Event Edit this BB to include all common IM ports.
Default-BB-PortDefinition: IRC Ports
Port\Protocol Definition
Event Edit this BB to include all common IRC ports.
Default-BB-PortDefinition: LDAP Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by LDAP servers.
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
Default Building Blocks 333
Default-BB-PortDefinition: Mail Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by mail servers.
Default-BB-PortDefinition: P2P Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by Peer-to-Peer (P2P) servers.
Default-BB-PortDefinition: Proxy Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by proxy servers.
Default-BB-PortDefinition: RPC Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by RPC servers.
Default-BB-PortDefinition: SNMP Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by SNMP servers.
Default-BB-PortDefinition: SSH Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by SSH servers.
Default-BB-PortDefinition: Syslog Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by the syslog servers.
Default-BB-PortDefinition: Web Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by Web servers.
Default-BB-PortDefinition: Windows Ports
Port\Protocol Definition
Event Edit this BB to include all common ports used by Windows servers.
Default-BB-ProtocolDefinition: Windows Protocols
Port\Protocol Definition
Event Edit this BB to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules.
Default-BB-ReconDetected: All Recon Rules
Recon Event Define all Juniper Networks default reconnaissance tests. This BB is used to detect a host that has performed reconnaissance such that other follow on tests can be performed. For example, reconnaissance followed by firewall accept.
Default-BB-ReconDetected: Devices That Merge Recon into Single Event
Recon Event Edit this BB to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses.
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
334 UNIVERSITY TEMPLATE DEFAULTS
Default-BB-ReconDetected: Host Port Scan
Recon Event Edit this BB to define reconnaissance scans on hosts in your deployment.
Default-BB-ReconDetected: Port Scan Detected Across Multiple Hosts
Recon Event Edit this BB to indicate port scanning activity across multiple hosts. By default, this BB applies when an attacker is performing reconnaissance against more than 5 hosts within 10 minutes. If internal, this may indicate an exploited machine or a worm scanning for targets.
User-BB-FalsePositive: User Defined False Positives Tunings
User Tuning Event This BB contains any events that you have tuned using the False Positive tuning function. For more information, see the STRM Users Guide.
User-BB-FalsePositive: User Defined Server Type 1 False Positive Categories
User Tuning Event Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
User-BB-HostDefinition: User Defined Server Type 1
User-BB-FalsePositive: User Defined Server Type 1 False Positive Events
User Tuning Event Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 1 building block.
User-BB-HostDefinition: User Defined Server Type 1
User-BB-FalsePositive: User Defined Server Type 2 False Positive Categories
User Tuning Event Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 2 False Positive Events
User Tuning Event Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 2 building block.
User-BB-HostDefinition: User Defined Server Type 2
User-BB-FalsePositive: User Defined Server Type 3 False Positive Categories
User Tuning Event Edit this BB to include any categories you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
User-BB-HostDefinition: User Defined Server Type 3
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
Default Building Blocks 335
User-BB-FalsePositive: User Defined Server Type 3 False Positive Events
User Tuning Event Edit this BB to include any events you want to consider false positives for hosts defined in the User-BB-HostDefinition: User Defined Server Type 3 building block.
User-BB-HostDefinition: User Defined Server Type 3
User-BB-HostDefinition: User Defined Server Type 1
User Tuning Event Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositives: User Defined Server Type 1 False Positive Category or the User-BB-False Positives: User Defined Server Type 1 False Positive Events building blocks.
User-BB-FalsePositives: User Defined Server Type 1 False Positive CategoryUser-BB-False Positives: User Defined Server Type 1 False Positive Events
User-BB-HostDefinition: User Defined Server Type 2
User Tuning Event Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositives: User Defined Server Type 2 False Positive Category or the User-BB-False Positives: User Defined Server Type 2 False Positive Events building blocks.
User-BB-FalsePositives: User Defined Server Type 2 False Positive CategoryUser-BB-False Positives: User Defined Server Type 2 False Positive Events
User-BB-HostDefinition: User Defined Server Type 3
User Tuning Event Edit this BB to include the IP address of your custom server type. Once you have added the servers, add any events or categories you want to consider false positives to these servers as defined in the User-BB-FalsePositives: User Defined Server Type 3 False Positive Category or the User-BB-False Positives: User Defined Server Type 3 False Positive Events building blocks.
User-BB-FalsePositives: User Defined Server Type 3 False Positive CategoryUser-BB-False Positives: User Defined Server Type 3 False Positive Events
Table C-10 Default Building Blocks (continued)
Building Block GroupBlock Type Description
Associated Building Blocks, if applicable
STRM Administration Guide
D
VIEWING AUDIT LOGS
Changes made by STRM users are recorded in the audit logs. You can view the audit logs to monitor changes to STRM and the users performing those changes.
All audit logs are stored in plain text and are archived and compressed once the audit log file reaches a size of 200 MB. The current log file is named audit.log. Once the file reaches a size of 200 MB, the file is compressed and renamed as follows: audit.1.gz, audit.2.gz, etc., with the file number incrementing each time a log file is archived. STRM stores up to 50 archived log files.
This appendix provides information on using the audit logs including:
• Logged Actions
• Viewing the Log File
Logged Actions
STRM logs the following categories of actions in the audit log file:
Table D-1 Logged Actions
Category | Action
User Authentication | Log in to STRM. Log out of STRM. Deny a login attempt.
Administrator Authentication | Log in to the STRM Administration Console. Log out of the STRM Administration Console.
Session Authentication | Create a new administration session. Terminate an administration session. Deny an invalid authentication session. Expire a session authentication. Create an authentication session. Terminate an authentication session.
Ariel | Add an Ariel property. Delete an Ariel property. Edit an Ariel property. Add an Ariel property extension. Delete an Ariel property extension. Edit an Ariel property extension.
Root Login | Log in to STRM, as root. Log out of STRM, as root.
Rules | Add a rule. Delete a rule. Edit a rule.
Sentry | Add a sentry. Edit a sentry. Delete a sentry. Edit a sentry package. Edit sentry logic.
User Accounts | Add an account. Edit an account. Delete an account.
User Roles | Add a role. Edit a role. Delete a role.
Sensor Devices | Add a sensor device. Edit a sensor device. Delete a sensor device. Add a sensor device group. Edit a sensor device group. Delete a sensor device group. Edit the DSM parsing order.
Sensor Device Extension | Add a sensor device extension. Edit the sensor device extension. Delete a sensor device extension. Upload a sensor device extension. Upload a sensor device extension successfully. Upload an invalid sensor device extension. Download a sensor device extension. Report a sensor device extension. Modify a sensor device's association to a device or device type.
Protocol Configuration | Add a protocol configuration. Delete a protocol configuration. Edit a protocol configuration.
Flow Sources | Add a flow source. Edit a flow source. Delete a flow source.
Offense Manager | Hide an offense. Close an offense. Close all offenses.
TNC Recommendations | Create a recommendation. Edit a recommendation. Delete a recommendation.
Syslog Forwarding | Add a syslog forwarding. Delete a syslog forwarding. Edit a syslog forwarding.
Reports | Add a template. Delete a template. Edit a template. Execute a template. Delete a report.
Groups | Add a group. Delete a group. Edit a group.
Backup and Recovery | Edit the configuration. Initiate the backup. Complete the backup. Fail the backup. Delete the backup. Synchronize the backup. Cancel the backup. Initiate the restore. Upload a backup. Upload an invalid backup. Delete the backup. Purge the backup.
VIS | Discover a new host. Discover a new operating system. Discover a new port. Discover a new vulnerability.
Scanner | Add a scanner. Delete a scanner. Edit a scanner.
Scanner Schedule | Add a schedule. Edit a schedule. Delete a schedule.
SIM | Clean a SIM model.
Asset | Delete all assets.
QIDmap | Add a QID map entry. Edit a QID map entry.
Ariel Properties | Add a custom event property. Edit a custom event property. Delete a custom property.
Ariel Property Extensions | Add a custom event property expression. Edit a custom event property expression. Delete a custom event property expression.
Installation | Install a .rpm package, such as a DSM update.
License | Add a license key. Edit a license key.
Viewing the Log File
To view the audit logs:
Step 1 Log in to STRM, as root.
Step 2 Go to the following directory: /var/log/audit
Step 3 Open the desired audit log file. Each entry in the log file displays using the following format:
<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
Note: The maximum size of any audit message (not including date, time, and host name) is 1024 characters.
Where:
<date_time> is the date and time of the activity in the format: Month Date HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the Java thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a user record or an event rule.
For example:
Nov 6 12:22:31 localhost.localdomain [email protected] (Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain [email protected] (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, [email protected], userrole=Admin
Nov 13 10:14:44 localhost.localdomain [email protected] (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
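A parser for the entry format described above, with a check that surfaces account changes granting the Admin role and entries whose payload carries a password field, as an added example that is not part of the STRM guide. The user, IP address and e-mail address in the sample lines are constructed, since the page's own examples do not carry them; the field names in the second sample line (username, userrole, password) are the ones the guide shows.

```python
"""Parse STRM audit.log entries and flag sensitive account changes (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One named group per documented field:
# <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
# The thread ID may be a number or a word such as "Session"; the payload is optional.
AUDIT_RE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread>[^)]*)\) "
    r"\[(?P<category>[^\]]*)\] \[(?P<sub_category>[^\]]*)\] \[(?P<action>[^\]]*)\]"
    r"(?: (?P<payload>.*))?$"
)

# Constructed sample modelled on the guide's three example lines. The actor admin@192.0.2.10
# and the address james@example.com are placeholders, not values from the guide.
SAMPLE_LOG = """\
Nov 6 12:22:31 localhost.localdomain admin@192.0.2.10 (Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain admin@192.0.2.10 (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, email=james@example.com, userrole=Admin
Nov 13 10:14:44 localhost.localdomain admin@192.0.2.10 (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
this line is not an audit entry and must be reported, not silently dropped
"""


@dataclass
class AuditEntry:
    date_time: str
    host: str
    user: str
    ip: str
    thread: str
    category: str
    sub_category: str
    action: str
    payload: Optional[str]

    def payload_fields(self) -> Dict[str, str]:
        """Split a flat 'key=value, key=value' payload (as in account changes) into a dict."""
        fields: Dict[str, str] = {}
        if not self.payload:
            return fields
        for part in self.payload.split(", "):
            key, sep, value = part.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        return fields


def parse_line(line: str) -> Optional[AuditEntry]:
    """Return the parsed entry, or None when the line does not match the documented format."""
    match = AUDIT_RE.match(line.rstrip("\n"))
    if match is None:
        return None
    return AuditEntry(**match.groupdict())


def parse_log(text: str) -> Tuple[List[AuditEntry], List[str]]:
    """Parse every non-blank line; unparsable lines are returned separately for review."""
    entries: List[AuditEntry] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            rejected.append(line)
        else:
            entries.append(entry)
    return entries, rejected


def admin_role_grants(entries: List[AuditEntry]) -> List[Tuple[str, str]]:
    """(actor, account) pairs for user-account changes whose record carries userrole=Admin."""
    grants = []
    for e in entries:
        if e.category == "Configuration" and e.sub_category == "User Account":
            fields = e.payload_fields()
            if fields.get("userrole") == "Admin":
                grants.append((e.user, fields.get("username", "?")))
    return grants


def entries_with_credentials(entries: List[AuditEntry]) -> List[AuditEntry]:
    """Entries whose payload includes a password field: the log stores the complete changed record."""
    return [e for e in entries if "password" in e.payload_fields()]


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed, {len(bad)} rejected")
    print("Admin role grants:", admin_role_grants(parsed))
    print("Entries carrying a password field:", len(entries_with_credentials(parsed)))
```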
A
administration console
  about 127
  accessing 128
  using 128
administrative e-mail address 37
administrator role 5
Ariel database settings 39
alert directory 40
alert e-mail from address 37
Ariel database 115
asset management role 6
asset profile reporting interval 37
asset profile view 37
asymmetric flows 106, 121
audience 1
audit log 37
  viewing 341
authentication
  configuring 13
  LDAP 13
  RADIUS 12
  system 12
  TACACS 13
  user 12
authorized services 51
  adding 52
  revoking 53
  token 51
  viewing 51
auto detection 99, 113
automatic update
  about 34
  on demand 36
  scheduling 34
B
backup and recovery 55
branch filtering 106, 109
building blocks
  about 181
  editing 220
C
changes
  deploying 129
Classification Engine 107
  configuring 107
coalescing events 38
command line max matched results 39
components 97
  connecting 71
  connecting deployments 72
console
  settings 45
content capture 98
content filter 105
conventions 1
Custom Views
  about 167
  Attacker Target Analysis Group 254, 302
  creating 168
  editing 176
  equation
    editing 177
  equation editor 170
  IP Tracking 249, 297
  managing 167
  operators
    editing 178
  Policy Violations Group 256, 304
  Target Analysis Group 255, 303
  Threats Group 250, 298
customer support
  contacting 2
D
database settings 38
database storage location 38
delete root mail 37
deploying changes 129
deployment editor 63
  about 63
  accessing 65
  creating your deployment 67
  event view 75
  flow view 68
  preferences 68
  requirements 67
  system view 82
  toolbar 66
  using 65
deployment
  STRM components 97
deployments
  connecting 72
device access 20
device management 23
discover servers 223
dynamic custom view deploy interval 38
E
element types 171
enabling and disabling views 178
encryption 72, 75, 80, 81, 83
enterprise template 241
  building blocks
    default 273, 321
  rules
    default 259
equation editor 170
  element type 171
equations
  editing 177
  elements 146
  objects 146
Event Collector
  about 75
  configuring 112
Event Processor
  about 75
  configuring 113
event rule 182
  about 182
  date/time tests 208
  device tests 209
  event property tests 195
  host profile tests 205
  IP/port tests 198
  network property tests 193
  test 193
event view
  about 64
  adding components 77
  building 75
  connecting components 79
  renaming components 82
event viewer role 6
external flow sources 117
F
firewall access 20
flow configuration 120
Flow Processor
  configuring 101
flow source
  about 117
  adding 120
  alias 124
    adding 125
    deleting 126
    editing 125
  deleting 124
  editing 122
  enabling/disabling 123
  external 117
  internal 117
  managing 117
  virtual name 124
flow view
  about 64
  adding components 69
  building 68
  components 69, 72, 79
  connecting components 71
  renaming components 75
Flow Writer
  configuring 111
flowlog file 120
functions 181
G
global IPtables access 38
H
hashing
  algorithm 40
  event log 40
  flow log 39
hlocal 137
host
  adding 84
host context 64, 94
hremote 137
I
interface roles 23
internal flow sources 117
IP range conversion 105
J
JavaScript 142
J-Flow 119
L
LDAP/Active directory 13
license key
  exporting 19
  managing 17
logic unit 131, 141
M
Magistrate
  about 76
  configuring 115
managed host
  adding 84
  assigning components 93
  editing 86
  removing 88
  set-up 22
maximum real-time results 39
MIB 229
N
NAT
  editing 90
  enabling 88
  removing 91
  using with STRM 89
NetFlow 97, 117
Network Address Translation. See NAT
network hierarchy
  creating 29
network surveillance role 7
network taps 97
network view graph retention period 38
NTP 27
O
offense management role 6
offense rule
  about 182
  date/time tests 211
  device tests 212
  host profile tests 210
  IP/port tests 209
  offense property tests 212
off-site source 73, 80
off-site target 73, 80
operators
  editing 178
P
package 131, 138
  creating 138
Packeteer 119
passwords
  changing 24
pin 137
plocal 137
ports view 148
pount 137
Q
QFlow Collector
  configuring 97
QFlow ID 98
R
RADIUS authentication 12
RDATE 25
recovery 55
reporting max matched results 39
reset SIM 19, 48
resolution interval length 37
restarting STRM 48
retention period
  asset profile 39
  attacker history 39
  custom view 39
  device log data 39
  flow data 39
  identity history 39
  offense 38
  views
    group 38
    object 38
role 3
  administrator 5
  asset management 6
  creating 4
  editing 8
  event viewer 6
  managing 3
  network surveillance 7
  offense management 6
  reporting 7
rules 181
  copying 215
  creating 183
  deleting 215
  enabling/disabling 183
  group 216
    assigning 220
    copying 218
    create 216
    deleting 220
    editing 218
  viewing 182
S
scripts
  default sentry 40
  list of sentry 40
sentry 131
  about 131
  database location 40
  editing 133
  enterprise
    defaults 241
  logic unit 131
    creating 141
    editing 144
  package 131
    creating 138
    editing 140
    managing 138
  properties 40
  response queue 40
  university
    defaults 289
  variables 136
  viewing 132
sentry database location 38
sentry layers 137
sentry settings 40
servers
  discovering 223
services
  authorized 51
sFlow 118
SIM
  reset 19, 48
SNMP
  embedded SNMP agent settings 42
SNMP agent
  accessing 19
SNMP settings 41
source
  off-site 72, 73, 79, 80
starting STRM 48
stopping STRM 48
storage 110
storage location
  asset profile 39
  device log 39
  flow data 39
store event payload 38
STRM components 97
superflows 101, 104
syslog
  forwarding 225
    adding 225
    deleting 227
    editing 226
system authentication 12
system settings 37
  configuring 37
system thresholds 42
system time 25
system view
  about 64
  adding a host 84
  assigning components 93
  Host Context 94
  managed host 93
  managing 82
T
TACACS authentication 13
target
  off-site 72, 73, 79, 80
templates 132
  enterprise 241
  university 289
temporary files retention period 37
tests
  about 181
thresholds 42
time 25
time limit
  command line execution 39
  reporting execution 39
  web execution 39
TNC recommendation 37
transaction sentry 41
U
university template 289
Update Daemon
  configuring 109
user
  authentication 12
  creating account 10
  editing account 11, 12
  managing 3
  roles 3
user accounts
  managing 10
user data files 38
V
views
  applications object
    editing 155
  Applications View 152
    adding 153
  best practices 180
  Custom Views 167
  defining unique groups and objects 147
  enable and disable 178
  ports 148
  ports object
    adding 148
    editing 150
  Ports View 148
  QFlow Collector object
    adding 164
  QFlow Collectors 164
  Remote Networks 157
  Remote Networks object
    adding 157
    editing 159
  Remote Services 160
  Remote Services object
    adding 161
    editing 162
VIS passive host profile interval 37