IBM Internet Security Series Proventia
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected
---|---|---
SNMP Traps | |
Event Types
In ADMIN > Device Support > Event, search for "proventia" in the Device Type and Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP Trap
FortiSIEM receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You must first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to FortiSIEM.
Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console
- Log in to the IBM Proventia IPS web interface.
- Click Manage System Settings > SiteProtector Management.
- Click and select Register with SiteProtector.
- Click and select Local Settings Override SiteProtector Group Settings.
- Specify the Group, Heartbeat Interval, and Logging Level.
- Configure these settings:
Setting | Description
---|---
Authentication Level | Use the default first-time trust.
Agent Manager Name | Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive.
Agent Manager Address | Enter the Agent Manager's IP address.
Agent Manager Port | Use the default value 3995.
User Name | If the appliance has to log into an account to access the Agent Manager, enter the user name for that account here.
User Password | Click Set Password, enter and confirm the password, and then click OK.
Use Proxy Settings | If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port.
Define FortiSIEM as a Response Object for SNMP Traps
- Log in to IBM SiteProtector console.
- Go to Grouping > Site Management > Central Responses > Edit settings.
- Select Response Objects > SNMP.
- Click Add.
- Enter a Name for your FortiSIEM virtual appliance.
- For Manager, enter the IP address of your virtual appliance.
- For Community, enter public.
- Click OK.
Define a Response Rule to Forward SNMP Traps to FortiSIEM
- Go to Response Rules.
- Click Add.
- Select Enabled.
- Enter a Name and Comment for the response rule.
- In the Responses tab, select SNMP.
- Select Enabled for the response object that represents your FortiSIEM virtual appliance.
- Click OK.
Refining Rules for Specific IP Addresses
By default, a rule matches on any source or destination IP addresses.
- To refine the rule to match on a specific source IP address, select the rule, click Edit, and then select the Source tab.
- Select Use specific source addresses to restrict the rule based on the IP address of the source. If you set this option, set the Mode to specify that the rule should match either From or Not From the IP address.
- Click Add to define one or more IP addresses.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Setting | Value
---|---
Name | <set name>
Device Type | IBM ISS Proventia
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration
Sample SNMP trap

```text
2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.2499 Enterprise
Specific Trap (4) Uptime: 0:00:00.15 SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = "" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1
VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"
```
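As an added example (not FortiSIEM or IBM code), this Python parser shows how the sample trap above can be normalised for detection: it keys each enterprises.2499.1.1.2.1.1.1.1.N varbind by N and splits the free-text varbind .11 into its Key: value pairs, including multi-word values such as VulnStatus. The roles assigned to varbinds .4/.5/.8/.9 are inferred from the sample's values, not taken from an IBM MIB, and the sample trap is embedded as constructed input.

```python
import re

# The sample trap from this page, embedded as constructed input so the parser runs offline.
SAMPLE_TRAP = '''2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.2499 Enterprise
Specific Trap (4) Uptime: 0:00:00.15 SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = "" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1
VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"'''

# One varbind: OID suffix N under enterprises.2499.1.1.2.1.1.1.1 and its quoted value.
# Empty varbinds (.6, .7) carry no "STRING:" type tag, so the tag is optional.
VARBIND_RE = re.compile(r'enterprises\.2499\.1\.1\.2\.1\.1\.1\.1\.(\d+) = (?:STRING: )?"([^"]*)"')
# Keys inside varbind .11 are CamelCase words followed by ": "; values may contain spaces.
FIELD_RE = re.compile(r'\b([A-Z][A-Za-z]+):\s')


def parse_varbinds(trap_text):
    """Return {N: value} for every enterprises.2499.1.1.2.1.1.1.1.N varbind in the trap."""
    return {int(m.group(1)): m.group(2) for m in VARBIND_RE.finditer(trap_text)}


def parse_alert_details(details):
    """Split the free-text varbind .11 ('Key: value Key: value ...') into a dict."""
    keys = list(FIELD_RE.finditer(details))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(details)
        fields[m.group(1)] = details[m.end():end].strip()
    return fields


def parse_proventia_trap(trap_text):
    """Normalise a SiteProtector central-response trap into flat event fields."""
    vb = parse_varbinds(trap_text)
    details = parse_alert_details(vb.get(11, ""))
    vuln_status = details.get("VulnStatus", "")
    return {
        "event_time": vb.get(2, ""),
        # Roles of .4/.5/.8/.9 are inferred from the sample values (assumption, not a MIB).
        "src_ip": vb.get(4, ""),
        "dst_ip": vb.get(5, ""),
        "src_port": vb.get(8, ""),
        "dst_port": vb.get(9, ""),
        "response_actions": vb.get(10, ""),
        "alert_name": details.get("AlertName", ""),
        "sensor_ip": details.get("SensorAddress", ""),
        "vuln_status": vuln_status,
        # "Simulated block" means the IPS only reported; triage must not treat it as blocked.
        "simulated_block": vuln_status.startswith("Simulated block"),
    }
```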