External Systems Configuration Guide

3Com TippingPoint UnityOne IPS

What is Discovered and Monitored

Protocol   Information Discovered   Metrics Collected                    Used For
SNMP                                CPU, memory, interface utilization   Performance and Availability Monitoring
Syslog                              IPS Alerts                           Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "tippingpoint" to see the event types associated with this device. 

Configuration

SNMP
  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > SMS/NMS.
  3. For SMS Authorized IP Address/CIDR, make sure any is entered.
  4. Select Enabled for SNMP V2.
  5. For NMS Community String, enter public.
  6. Click Apply.
Syslog
  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > Syslog Servers.
  3. Under System Log, enter the IP address of the FortiSIEM virtual appliance.
  4. Select Enable syslog offload for System Log.
  5. Under Audit Log, enter the IP address of the FortiSIEM virtual appliance.
  6. Select Enable syslog offload for Audit Log.
  7. Click Apply.

Configure the Syslog Forwarding Policy (Filter Notification Forwarding)

The filter log can be configured to generate events related to specific traffic on network segments that must pass through the device. This log includes three categories of events.

Event Category   Description
Alert            Alert events indicate that the IPS has detected suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by the administrator profile)
Block            Block events are malicious packets not permitted to pass
P2P              Refers to peer-to-peer traffic events

In addition, each filter event carries a UUID, a unique identifier that corresponds to the exact security threat defined in the TippingPoint Digital Vaccine files. The FortiSIEM virtual appliance correlates these UUIDs with authoritative databases of security threats.

  1. Go to IPS > Action Sets.
  2. Click Permit + Notify.
  3. Under Contacts, click Remote Syslog.
  4. Under Remote Syslog Information, enter the IP address of the FortiSIEM virtual appliance.
  5. Make sure the Port is set to 514.
  6. Make sure Delimiter is set to tab, comma, or semicolon.
  7. Click Add to Table Below.
    You should now see the IP address of the FortiSIEM virtual appliance appear as an entry in the Remote Syslogs table.

Sample Parsed Syslog Messages

Directly from TippingPoint IPS Device

<36>Oct 28 13:10:45 9.0.0.1 ALT,v4,20091028T131045+0480,"PH-QA-TIP1"/20.30.44.44,835197,1,Permit,Minor,00000002-0002-0002-0002-000000000089, "0089: IP: Short Time To Live (1)","0089: IP: Short Time To Live (1)",ip," ",172.16.10.1:0,224.0.0.5:0,20091028T130945+0480,6," ",0,1A-1B

<37>Nov 5 20:16:19 20.30.44.44 BLK,v4,20091105T201619+0480,"PH-QA-TIP1"/20.30.44.44,70,2,Block,Low,00000002-0002-0002-0002-000000004316, "4316: OSPF: OSPF Packet With Time-To-Live of 1","4316: OSPF: OSPF Packet With Time-To-Live of 1",ip," ",172.16.10.1:0,224.0.0.5:0,20091105T201619+0480,1," ",0,1A-1B

<37>Jul 12 15:04:01 SOCIPS01 ALT,v5,20110712T150401-0500,SOCIPS01/192.168.10.122,3225227,1,Permit,Low,00000002-0002-0002-0002-000000010960, "10960: IM: Google GMail Chat SSL Connection Attempt","10960: IM: Google GMail Chat SSL Connection Attempt",tcp," ",156.63.133.8,10948,72.14.204.189,443, 20110712T150239-0500,3," ",0,6A-6B
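The three messages above use two body layouts: v4 writes each endpoint as address:port in one field, while v5 splits address and port into separate fields. The following parser is an added example, not code from the guide or from Fortinet or TippingPoint. It strips the syslog PRI header, uses the csv module for the quoted filter names, and maps fields by position as inferred from the sample lines; the meaning of the numeric fields labelled "assumed" (sequence number, hit count, event time) is this example's own reading of the samples, not vendor documentation. The delimiter argument mirrors the tab/comma/semicolon choice in the action-set Remote Syslog setting.

```python
"""Parse TippingPoint IPS filter-event syslog lines (v4 and v5 bodies)."""
import csv
import re
from dataclasses import dataclass
from typing import List

# Syslog header as it appears in the samples: <PRI>Mon DD HH:MM:SS host body
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<stamp>[A-Za-z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<body>.*)$"
)

# The guide's own sample messages, run together on one line as the page shows them.
SAMPLE_STREAM = (
    '<36>Oct 28 13:10:45 9.0.0.1 ALT,v4,20091028T131045+0480,"PH-QA-TIP1"/20.30.44.44,'
    '835197,1,Permit,Minor,00000002-0002-0002-0002-000000000089, "0089: IP: Short Time To Live (1)",'
    '"0089: IP: Short Time To Live (1)",ip," ",172.16.10.1:0,224.0.0.5:0,20091028T130945+0480,6," ",0,1A-1B '
    '<37>Nov 5 20:16:19 20.30.44.44 BLK,v4,20091105T201619+0480,"PH-QA-TIP1"/20.30.44.44,70,2,Block,Low,'
    '00000002-0002-0002-0002-000000004316, "4316: OSPF: OSPF Packet With Time-To-Live of 1",'
    '"4316: OSPF: OSPF Packet With Time-To-Live of 1",ip," ",172.16.10.1:0,224.0.0.5:0,20091105T201619+0480,1," ",0,1A-1B '
    '<37>Jul 12 15:04:01 SOCIPS01 ALT,v5,20110712T150401-0500,SOCIPS01/192.168.10.122,3225227,1,Permit,Low,'
    '00000002-0002-0002-0002-000000010960, "10960: IM: Google GMail Chat SSL Connection Attempt",'
    '"10960: IM: Google GMail Chat SSL Connection Attempt",tcp," ",156.63.133.8,10948,72.14.204.189,443,'
    ' 20110712T150239-0500,3," ",0,6A-6B'
)


@dataclass
class FilterEvent:
    facility: int         # syslog PRI // 8
    syslog_severity: int  # syslog PRI % 8
    relay_host: str       # host field of the syslog header
    record_type: str      # ALT (alert) or BLK (block)
    version: str          # v4 or v5
    device: str           # "<name>/<management ip>" as logged
    sequence: int         # assumed: per-device event sequence number
    action: str           # Permit or Block
    severity: str         # Minor, Low, ...
    filter_uuid: str      # Digital Vaccine filter UUID
    filter_name: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    event_time: str       # assumed: time of the matching packet
    hit_count: int        # assumed: hits aggregated into this record
    segment: str          # e.g. 1A-1B


def split_messages(stream: str) -> List[str]:
    """Split a run of messages at the <PRI> that starts each next message."""
    return [m for m in re.split(r"\s+(?=<\d{1,3}>)", stream.strip()) if m]


def _split_ip_port(token: str):
    # v4 writes address:port; rpartition keeps any colons inside an IPv6 address
    ip, _, port = token.rpartition(":")
    return ip, int(port)


def parse_filter_event(line: str, delimiter: str = ",") -> FilterEvent:
    """Parse one filter-event line; delimiter matches the Remote Syslog setting."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    # csv handles the quoted filter names; skipinitialspace absorbs the stray
    # spaces after some delimiters that the samples contain
    f = next(csv.reader([m.group("body")], delimiter=delimiter, skipinitialspace=True))
    version = f[1]
    if version == "v4" and len(f) == 20:
        src_ip, src_port = _split_ip_port(f[13])
        dst_ip, dst_port = _split_ip_port(f[14])
        event_time, hit_count, segment = f[15], int(f[16]), f[19]
    elif version == "v5" and len(f) == 22:
        src_ip, src_port = f[13], int(f[14])
        dst_ip, dst_port = f[15], int(f[16])
        event_time, hit_count, segment = f[17], int(f[18]), f[21]
    else:
        raise ValueError("unsupported body %r with %d fields" % (version, len(f)))
    return FilterEvent(
        facility=pri // 8, syslog_severity=pri % 8, relay_host=m.group("host"),
        record_type=f[0], version=version, device=f[3], sequence=int(f[4]),
        action=f[6], severity=f[7], filter_uuid=f[8], filter_name=f[9],
        protocol=f[11], src_ip=src_ip, src_port=src_port, dst_ip=dst_ip,
        dst_port=dst_port, event_time=event_time, hit_count=hit_count, segment=segment,
    )


def permitted_events(stream: str) -> List[FilterEvent]:
    """Alert-category records: traffic the IPS flagged but let through, which is
    what an analyst reviews first since Block records were already stopped."""
    return [e for e in map(parse_filter_event, split_messages(stream)) if e.action == "Permit"]


if __name__ == "__main__":
    for ev in map(parse_filter_event, split_messages(SAMPLE_STREAM)):
        print(f"{ev.record_type} {ev.action:<6} {ev.severity:<5} {ev.protocol} "
              f"{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} x{ev.hit_count} {ev.filter_name}")
```

The field count check is what distinguishes the two layouts safely: a v4 record has 20 fields and a v5 record 22, so a line that parses to any other count is rejected rather than silently mapped to the wrong columns, which matters when the delimiter configured in the action set does not match the one passed to the parser.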

From TippingPoint NMS Device

<36> 7 2 00000002-0002-0002-0002-000000001919 00000001-0001-0001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting           Value
Name              <set name>
Device Type       3Com TippingPoint UnityOne IPS
Access Protocol   See Access Credentials
Port              See Access Credentials
Password config   See Password Configuration
