Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TippingPoint X505/X506 Device

 

The TippingPoint X505/X506 DSM for JSA accepts events by using syslog.

JSA records all relevant system, audit, VPN, and firewall session events.

Configure your TippingPoint X506/X506 device to communicate with Syslog

To retrieve events in JSA, you must configure your TippingPoint X505/X506 device to forward events to JSA.

  1. Log in to your TippingPoint X505/X506 device.
  2. From the LSM menu, select System >Configuration >Syslog Servers.

    The Syslog Servers window is displayed.

  3. For each log type you want to forward, select a check box and type the IP address of your JSA.Note

    If your JSA is in a different subnet than your TippingPoint device, you might have to add static routes. For more information, see your vendor documentation.

    You are now ready to configure the log source in JSA.

  4. To configure JSA to receive events from a TippingPoint X505/X506 device: From the Log Source Type list, select the TippingPoint X Series Appliances option.Note

    If you have a previously configured TippingPoint X505/X506 DSM installed and configured on your JSA, the TippingPoint X Series Appliances option is still displayed in the Log Source Type list. However, for any new TippingPoint X505/X506 DSM that you configure, you must select the TippingPoint Intrusion Prevention System (IPS) option.

Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Tipping Point Intrusion Prevention System (IPS) sample message when you use the Syslog protocol

Note

Due to formatting issues, paste the message formats into a text editor and then remove any carriage return or line feed characters.

The following sample detects an attempt to use a memory corruption vulnerability in vulnerable installations of Microsoft Excel. The specific flaw exists in the way that Microsoft Excel parses certain Binary Interchange File Format (BIFF) structures. An attacker might use the vulnerability to gain remote code execution in the privilege context of the current user. User interaction is required in that a user must download a malicious file.

<170>Jun 5 23:28:27 XXXX 8 4 af268b55-9e4b-11e1-0cf4-4fcf2efeb4af 00000001-0001-0001-0001-0000000123 11 12311: HTTP: Microsoft Excel ObjectLink Memory Corruption Vulnerability 12311 tcp <IP> <PORT> 1 2A 2B 4 0 XXXX 1338938885045 130277955