TippingPoint Intrusion Prevention System

The TippingPoint Intrusion Prevention System (IPS) DSM for JSA accepts TippingPoint events by using the Syslog protocol.

JSA records all relevant events from either a Local Security Management (LSM) device or multiple devices with a Security Management System (SMS).

Before you configure JSA to integrate with TippingPoint, you must configure your device based on type:

Configuring Remote Syslog for SMS

To configure TippingPoint for SMS, you must enable and configure your appliance to forward events to a remote host using syslog.

TippingPoint SMS V5.2.0 is supported in JSA.

  1. Log in to the TippingPoint system.

  2. On the Admin Navigation menu, select Server Properties.

  3. Select the Management tab.

  4. Click Add.

    The Edit Syslog Notification window is displayed.

  5. Select the Enable check box.

  6. Configure the following values:

    1. Syslog Server - Type the IP address of the JSA to receive syslog event messages.

    2. Port - Type 514 as the port address.

    3. Log Type - Select SMS 2.0 / 2.1 Syslog format from the list.

    4. Facility - Select Log Audit from the list.

    5. Severity - Select Severity in Event from the list.

    6. Delimiter - Select TAB as the delimiter for the generated logs.

    7. Include Timestamp in Header - Select Use original event timestamp.

    8. Select the Include SMS Hostname in Header check box.

    9. Click OK.

    10. You are now ready to configure the log source in JSA.

  7. To configure JSA to receive events from a TippingPoint device: From the Log Source Type list, select the TippingPoint Intrusion Prevention System (IPS) option.

    For more information about your TippingPoint device, see your vendor documentation.

Configuring Notification Contacts for LSM

If you are using an LSM device, you must configure LSM notification contacts.

  1. Log in to the TippingPoint system.

  2. From the LSM menu, select IPS > Action Sets.

    The IPS Profile - Action Sets window is displayed.

  3. Click the Notification Contacts tab.

  4. In the Contacts List, click Remote System Log.

    The Edit Notification Contact page is displayed.

  5. Configure the following values:

    1. Syslog Server - Type the IP address of the JSA to receive syslog event messages.

    2. Port - Type 514 as the port address.

    3. Alert Facility - Select none or a numeric value 0-31 from the list. Syslog uses these numbers to identify the message source.

    4. Block Facility - Select none or a numeric value 0-31 from the list. Syslog uses these numbers to identify the message source.

    5. Delimiter - Select TAB from the list.

    6. Click Add to table below.

    7. Configure a Remote system log aggregation period in minutes.

  6. Click Save.

    Note:

    If your JSA is in a different subnet than your TippingPoint device, you might have to add static routes. For more information, see your vendor documentation.

You are now ready to configure the action set for LSM. See Configuring an Action Set for LSM.

Configuring an Action Set for LSM

If you are using LSM, configure an action set for your LSM.

  1. Log in to the TippingPoint system.

  2. From the LSM menu, select IPS > Action Sets.

    The IPS Profile - Action Sets window is displayed.

  3. Click Create Action Set.

    The Create/Edit Action Set window is displayed.

  4. Type the Action Set Name.

  5. For Actions, select a flow control action setting:

    • Permit - Allows traffic.

    • Rate Limit - Limits the speed of traffic. If you select Rate Limit, you must also select the desired rate.

    • Block - Does not permit traffic.

    • TCP Reset - When this is used with the Block action, it resets the source, destination, or both IP addresses of an attack. This option resets blocked TCP flows.

    • Quarantine - When this is used with the Block action, it blocks an IP address (source or destination) that triggers the filter.

  6. Select the Remote System Log check box for each action that you select.

  7. Click Create.

    You are now ready to configure the log source in JSA.

  8. To configure JSA to receive events from a TippingPoint device: From the Log Source Type list, select the TippingPoint Intrusion Prevention System (IPS) option.

    For more information about your TippingPoint device, see your vendor documentation.
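
Once events are being forwarded, a line captured on the JSA side can be checked against the settings chosen in the procedures above (the facility number and the TAB delimiter). The following Python check is an added example, not part of the vendor documentation: the function name and the sample lines are constructed for illustration and do not reproduce the real TippingPoint field layout. It assumes the standard syslog convention that the leading `<PRI>` value encodes facility (PRI divided by 8) and severity (PRI modulo 8).

```python
import re

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def check_syslog_line(raw, expected_facility=None, min_fields=2):
    """Decode the syslog PRI and confirm the message is TAB-delimited.

    Returns a dict with facility, severity, fields and a list of problems.
    """
    result = {"facility": None, "severity": None, "fields": [], "problems": []}
    match = PRI_RE.match(raw)
    if match is None:
        result["problems"].append("missing or invalid <PRI> header")
        body = raw
    else:
        pri = int(match.group(1))
        result["facility"], result["severity"] = pri >> 3, pri & 7
        body = raw[match.end():]
        if expected_facility is not None and result["facility"] != expected_facility:
            result["problems"].append(
                f"facility {result['facility']} != expected {expected_facility}")
    # Any header text before the first TAB stays attached to the first field.
    text = body.decode("utf-8", errors="replace").rstrip("\r\n")
    result["fields"] = text.split("\t")
    if len(result["fields"]) < min_fields:
        result["problems"].append("message is not TAB-delimited")
    return result

# Constructed sample lines (placeholders, not real TippingPoint output).
GOOD = b"<134>sms-host.example\tfield2\tfield3\tfield4\n"
WRONG_DELIM = b"<134>sms-host.example|field2|field3|field4\n"
NO_PRI = b"field1\tfield2\n"

if __name__ == "__main__":
    for line in (GOOD, WRONG_DELIM, NO_PRI):
        print(check_syslog_line(line, expected_facility=16))
```

A non-empty `problems` list points back at the Facility or Delimiter value on the device, or at a relay that rewrote the message before it reached JSA.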