3Com TippingPoint UnityOne IPS
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
SNMP | CPU, memory, Interface utilization | Performance and Availability Monitoring | |
Syslog | IPS Alerts | Security Monitoring |
Event Types
In ADMIN > Device Support > Event, search for "tippingpoint" in the Device Type and Description columns to see the event types associated with this device.
Configuration
SNMP
- Log in to the TippingPoint appliance or the SMS Console.
- Go to System > Configuration > SMS/NMS.
- For SMS Authorized IP Address/CIDR, make sure any is entered.
- Select Enabled for SNMP V2.
- For NMS Community String, enter
public
. - Click Apply.
Syslog
- Log in to the TippingPoint appliance or the SMS Console.
- Go to System > Configuration > Syslog Servers.
- Under System Log, enter the IP Address of the FortiSIEM virtual appliance.
- Select Enable syslog offload for System Log.
- Under Aud Log, enter the IP Address of the FortiSIEM virtual appliance.
- Select Enable syslog offload for Audit Log.
- Click Apply.
Configure the Syslog Forwarding Policy (Filter Notification Forwarding)
The filter log can be configured to generate events related to specific traffic on network segments that must pass through the device. This log includes three categories of events.
Event Category | Description |
---|---|
Alert | Alert events indicate that the IPS has detected suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by administrator profile) |
Block | Block events are malicious packets not permitted to pass |
P2P | Refers to peer-to-peer traffic events |
In addition, filter events contain a UUID, which is a unique numerical identifier that correlates with the exact security threat defined by Tipping Point Digital Vaccine Files. The FortiSIEM Virtual Appliance will correlate these with authoritative databases of security threats.
- Go to IPS > Action Sets.
- Click Permit + Notify.
- Under Contacts, click Remote Syslog.
- Under Remote Syslog Information, enter the IP Address of the FortiSIEM virtual appliance.
- Make sure the Port is set to 514.
- Make sure Delimiter is set to tab, comma, or semicolon.
- Click Add to Table Below.
You should now see the IP address of the FortiSIEM virtual appliance appear as an entry in the Remote Syslogs table.
Sample parsed syslog messages
Directly from TippingPoint IPS device
<36>Oct 28 13:10:45 9.0.0.1 ALT,v4,20091028T131045+0480,"PH-QA-TIP1"/20.30.44.44,835197,1,Permit,Minor,00000002-0002-0002-0002-000000000089, "0089: IP: Short Time To Live (1)","0089: IP: Short Time To Live (1)",ip," ",172.16.10.1:0,224.0.0.5:0,20091028T130945+0480,6," ",0,1A-1B <37>Nov 5 20:16:19 20.30.44.44 BLK,v4,20091105T201619+0480,"PH-QA-TIP1"/20.30.44.44,70,2,Block,Low,00000002-0002-0002-0002-000000004316, "4316: OSPF: OSPF Packet With Time-To-Live of 1","4316: OSPF: OSPF Packet With Time-To-Live of 1",ip," ",172.16.10.1:0,224.0.0.5:0,20091105T201619+0480,1," ",0,1A-1B <37>Jul 12 15:04:01 SOCIPS01 ALT,v5,20110712T150401-0500,SOCIPS01/192.168.10.122,3225227,1,Permit,Low,00000002-0002-0002-0002-000000010960, "10960: IM: Google GMail Chat SSL Connection Attempt","10960: IM: Google GMail Chat SSL Connection Attempt",tcp," ",156.63.133.8,10948,72.14.204.189,443, 20110712T150239-0500,3," ",0,6A-6B
From Tipping Point NMS device
<36> 7 2 00000002-0002-0002-0002-000000001919 00000001-0001-0001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622 <36> 7 2 00000002-0002-0002-0002-000000001919 00000001-0001-0001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Setting | Value |
---|---|
Name | <set name> |
Device Type | 3Com TippingPoint UnityOne IPS |
Access Protocol | See Access Credentials |
Port | See Access Credentials |
Password config | See Password Configuration |