Accenture MDR Quick Start Guide for HP TippingPoint Intrusion Prevention System (IPS)
This quick start guide will help Accenture MDR customers configure HP TippingPoint Intrusion Prevention System (IPS) to send logs to the Log Collection Platform (LCP).
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document
(Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
TippingPoint IPS or SMS Server | LCP | 514 (UDP) or 601 (TCP) | Default port |
Configuring the TippingPoint IPS
Based on the TippingPoint architecture, you can configure log forwarding in two ways:
Without SMS integration
With SMS integration
Configuring IPS Without SMS Integration
To configure IPS to send events to LCP, follow the steps below.
1. Log in to the TippingPoint Local Security Manager (LSM) console.
2. In the left pane, go to IPS > Action Sets.
3. On the Action Sets page, click the Notification Contacts tab.
4. On the Notification Contacts page, in the Contacts list, click Remote System Log.
5. On the Edit Notification Contact page, type the IP address and port of the LCP.
6. Select Alert Facility and Block Facility. You can select none, or select a number from the range 0 to 31. These numbers are used to identify the message source.
7. In the Delimiter field, select tab.
Note: The collector supports only tab as the delimiter.
8. Specify a Remote system log aggregation period in minutes.
Note: The recommended period is 1 minute.
9. To add the remote syslog server, click Add to table below.
10. Click Apply.
To configure the IPS to send system and audit events to the LCP, follow the steps below.
1. On the LSM menu, go to System > Syslog Servers.
2. Select Enable syslog offload for Audit and System logs.
3. Type the IP address of the LCP.
4. Enable or disable RFC format for remote syslog messages as required.
5. Enable additional event information, which includes the true Client IP address, for remote syslog messages.
6. Enable additional event information for SNMP traps as required.
7. Click Apply.
Configuring the IPS with SMS Integration
Note: The X-Forwarded-For (XFF) HTTP header field is used for identifying the originating IP address of a client connecting to a web server through an HTTP proxy. The XFF field is set by the proxy server, which enables a web server to detect whether a client/browser is connecting directly or via a proxy server as it provides the originating IP. This feature is useful for MDR analytics.
To collect security logs (custom format) with XFF facility from SMS 3.6 integrated with the IPS, follow the steps below.
1. Log in to the TippingPoint SMS administrative console.
2. On the toolbar, go to Admin > Server Properties > Syslog.
3. In the Syslog Formats section, select SMS 2.5 Syslog Format, and click Copy.
4. In the Edit Syslog Format window, do the following:
    Enter a name for this format.
    Enter a description, as required.
    Click Insert Field and add the following at the end of the text in the Pattern field:
    ${_DELIMITER.EN_US}
    ${CLIENTADDRESS.EN_US}
    Click OK.
The updated format is identical to SMS 2.5 Syslog Format except for the two fields, delimiter and clientaddress, appended to the end of the format.
The text in the Pattern field then reads as follows (copy and paste this pattern if required):
${actionType}${_delimiter}${severity}${_delimiter}${policyUUID}${_delimiter}${signatureUUID}${_delimiter}${filterName}${_delimiter}${signatureNumber}${_delimiter}${protocolLower}${_delimiter}${srcAddress}${_delimiter}${srcPort}${_delimiter}${destAddress}${_delimiter}${destPort}${_delimiter}${hitCount}${_delimiter}${srcZone}${_delimiter}${destZone}${_delimiter}${physicalPortIn}${_delimiter}${vlanTag}${_delimiter}${deviceName}${_delimiter}${taxonomyID}${_delimiter}${eventTimestamp}${_delimiter}${msgParameters}${_delimiter}${eventID}${_delimiter}${clientAddress}${_delimiter}${uriHost}${_delimiter}${uriMethod}${_delimiter}${uriString}
Note: Select the HTTP Context check box if you want the profile to identify information associated with any HTTP URI. When possible, the devices will detect this and provide the HTTP hostname, URI, and method in the Inspection event.
5. Add HTTP Context:
    Select Profiles > Inspection Profiles.
    Click New.
    Enter the following information for the profile:
    Enter a Name for the profile.
    For Deployment mode, select Default.
    Select the Client IP (X-Forwarded-For & True-Client-IP) check box.
    Select the HTTP Context (Hostname, URI, Method) check box.
    For Inheritance, select a profile.
    Click OK.
6. In the Remote Syslog for Events section, click New.
7. In Create Remote Syslog Notification Settings, do the following:
Field | Description |
Enable | Check the checkbox. |
Syslog Server | Add the LCP IP address. |
Protocol | Select the required protocol. The default protocol is UDP. |
Port | Add the destination port number. The default port number is 514. |
Log Type | Select the name of the customized log type format created in step 4. |
Event Query | Keep the default value, All Events. |
Facility | Select Local Use 6. |
Severity | Select the required value. The default value is Severity in Event. |
Delimiter | Select Tab. |
Include Timestamp in Header | Select None. |
Include SMS hostname in Header | The checkbox should be unchecked. |
Send New Events/Log Only | The checkbox should be unchecked. |
8. Click OK.
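As an added illustration (not part of the Accenture guide or of TippingPoint's software), the following Python parser consumes an SMS event emitted in the custom pattern above, or in the stock SMS 2.5 format, using the Facility (Local Use 6) and tab Delimiter settings from the table, and rejects an event whose facility or delimiter does not match those settings. The sample events and the assumed syslog `<PRI>` prefix are constructed.

```python
# Added example (not Accenture's or TippingPoint's code): parse one tab-delimited
# TippingPoint SMS syslog event in the field order of the guide's Pattern field.
# Sample events below are constructed; the <PRI> prefix layout is an assumption.

# Stock SMS 2.5 Syslog Format: the first 21 fields of the pattern
SMS_25_FIELDS = [
    "actionType", "severity", "policyUUID", "signatureUUID", "filterName",
    "signatureNumber", "protocolLower", "srcAddress", "srcPort", "destAddress",
    "destPort", "hitCount", "srcZone", "destZone", "physicalPortIn", "vlanTag",
    "deviceName", "taxonomyID", "eventTimestamp", "msgParameters", "eventID",
]
# Fields the custom format appends (XFF client address and HTTP context)
CUSTOM_EXTRA_FIELDS = ["clientAddress", "uriHost", "uriMethod", "uriString"]

LOCAL6 = 22  # syslog facility "Local Use 6", the value the guide's settings table selects


def parse_sms_event(line: str) -> dict:
    """Map one SMS event to named fields; raise ValueError on a layout the collector rejects."""
    body, pri = line, None
    if line.startswith("<") and ">" in line:
        end = line.index(">")
        pri = int(line[1:end])        # syslog PRI = facility * 8 + severity
        body = line[end + 1:]
    if pri is not None and pri >> 3 != LOCAL6:
        raise ValueError(f"facility {pri >> 3} != Local Use 6; check the Facility setting")
    parts = body.split("\t")          # the collector supports only the tab delimiter
    if len(parts) == len(SMS_25_FIELDS):
        names = SMS_25_FIELDS
    elif len(parts) == len(SMS_25_FIELDS) + len(CUSTOM_EXTRA_FIELDS):
        names = SMS_25_FIELDS + CUSTOM_EXTRA_FIELDS
    else:
        raise ValueError(f"{len(parts)} tab-separated fields; check the Delimiter setting")
    event = dict(zip(names, parts))
    if pri is not None:
        event["syslogSeverity"] = pri & 7
    return event


# Constructed sample in the custom format: <182> is facility 22 (local6) * 8 + severity 6
SAMPLE_CUSTOM_EVENT = "<182>" + "\t".join([
    "Block", "3", "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002", "HTTP: Example Filter", "1234",
    "tcp", "10.0.0.5", "51234", "192.0.2.10", "80", "1", "ANY", "ANY", "1A", "0",
    "ips-01", "123", "1609459200", "", "42",
    "198.51.100.7", "www.example.com", "GET", "/index.html",
])
# The same event as the stock SMS 2.5 format would emit it (first 21 fields only)
SAMPLE_SMS25_EVENT = "<182>" + "\t".join(SAMPLE_CUSTOM_EVENT[5:].split("\t")[:21])
```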
To collect security logs (SMS 2.5 format) without XFF facility from SMS integrated with the IPS, follow the steps below.
1. Log in to the TippingPoint SMS administrative console.
2. On the toolbar, go to Admin > Server Properties > Syslog.
3. In the Remote Syslog for Events section, click New.
4. In Create Remote Syslog Notification Settings, do the following:
Field | Description |
Enable | Check the checkbox. |
Syslog Server | Add the LCP IP address. |
Protocol | Select the required protocol. The default protocol is UDP. |
Port | Add the destination port number. The default port number is 514. |
Log Type | Keep the default value, SMS 2.5 Syslog Format. |
Event Query | Keep the default value, All Events. |
Facility | Select Local Use 6. |
Severity | Select the required value. The default value is Severity in Event. |
Delimiter | Select Tab. |
Include Timestamp in Header | Under this section, select None. |
Include SMS hostname in header | The checkbox should be unchecked. |
Send New Events/Log Only | The checkbox should be unchecked. |
5. Click OK.
To collect SMS system logs from SMS integrated with the IPS, follow the steps below.
1. Log in to the TippingPoint SMS administrative console.
2. On the toolbar, go to Admin > Server Properties > Syslog.
3. In the Remote Syslog for Events section, click New.
4. In Create Remote Syslog Notification Settings, do the following:
Field | Description |
Enable | Check the checkbox. |
Syslog Server | Add the LCP IP address. |
Protocol | Select the required protocol. The default protocol is UDP. |
Port | Add the destination port number. The default port number is 514. |
Log Type | Select SMS System. |
Event Query | Keep the default value, All Events. |
Facility | Select Local Use 6. |
Severity | Select the required value. The default value is Severity in Event. |
Delimiter | Select Tab. |
Include Timestamp in Header | In this section, select None. |
Include SMS hostname in Header | Check the check box. |
Send New Events/Log Only | The check box should be unchecked. |
5. Click OK.
To collect SMS Audit logs from SMS integrated with the IPS, follow the steps below.
1. Start the TippingPoint SMS administrative console.
2. On the toolbar, go to Admin > Server Properties > Syslog.
3. In the Remote Syslog for Events section, click New.
4. In Create Remote Syslog Notification Settings, do the following:
Field | Description |
Enable | Check the checkbox. |
Syslog Server | Add the LCP IP address. |
Protocol | Select the required protocol. The default protocol is UDP. |
Port | Add the destination port number. The default port number is 514. |
Log Type | Select SMS Audit. |
Event Query | Keep the default value, All Events. |
Facility | Select Local Use 6. |
Severity | Select the required value. The default value is Severity in Event. |
Delimiter | Select Tab. |
Include Timestamp in Header | Under this section, select None. |
Include SMS hostname in Header | Check the check box. |
Send New Events/Log Only | The check box should be unchecked. |
5. Click OK.
LCP Configuration Parameters
Table 1-2: The HP TippingPoint Intrusion Prevention System (IPS) event collector (Syslog -3421) properties to be configured by MDR are shown in the table.
Property | Default value | Description |
Protocol | UDP | The default protocol for syslog. The collector can also accept logs in TCP (only via a syslog relay). Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To balance TCP for reliability over UDP for speed/simplicity, contact the Accenture MDR onboarding team. |
IP Address | TippingPoint IPS or SMS interface IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
Port Number | 514 | The default port number for syslog. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port, please advise the Accenture MDR onboarding team if this is a requirement. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.