Accenture MDR Quick Start Guide for HP TippingPoint Intrusion Prevention System (IPS)

This quick start guide helps Accenture MDR customers configure the HP TippingPoint Intrusion Prevention System (IPS) to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in Accenture.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source                           Destination   Port                      Description
TippingPoint IPS or SMS Server   LCP           514 (UDP) or 601 (TCP)    Default port

Configuring the TippingPoint IPS

Based on the TippingPoint architecture, you can configure log forwarding in two ways:

  • Without SMS integration

  • With SMS integration

Configuring IPS Without SMS Integration

To configure IPS to send events to LCP, follow the steps below.

  1. Log in to the TippingPoint Local Security Manager (LSM) console.

  2. In the left pane, go to IPS > Action Sets.

  3. On the Action Sets page, click the Notification Contacts tab.

  4. On the Notification Contacts page, in the Contacts list, click Remote System Log.

  5. On the Edit Notification Contact page, type the IP address and port of the LCP.

  6. Select the Alert Facility and Block Facility. You can select none, or a number in the range 0 to 31; the number identifies the message source in the syslog facility field.

  7. In the Delimiter field, select tab.

Note: The collector supports only the tab delimiter.

  8. Specify a Remote system log aggregation period in minutes.

Note: The recommended period is 1 minute.

  9. To add the remote syslog server, click Add to table below.

  10. Click Apply.

To configure the IPS to send system and audit events to the LCP, follow the steps below.

  1. On the LSM menu, go to System > Syslog Servers.

  2. Select Enable syslog offload for Audit and System logs.

  3. Type the IP address for the LCP.

  4. Enable or disable RFC format for remote syslog messages as required.

  5. Enable additional event information, which includes the true Client IP address, for remote syslog messages.

  6. Enable additional event information for SNMP traps as required.

  7. Click Apply.

Configuring the IPS with SMS Integration

Note: The X-Forwarded-For (XFF) HTTP header field identifies the originating IP address of a client that connects to a web server through an HTTP proxy. The proxy sets the XFF field, so a web server can tell whether a client/browser is connecting directly or via a proxy, because the field carries the originating IP. This information is useful for MDR analytics, since the IPS otherwise only sees the proxy's address as the source.

To collect security logs (custom format) with XFF facility from SMS 3.6 integrated with the IPS, follow the steps below.

  1. Log in to the TippingPoint SMS administrative console.

  2. On the toolbar, go to Admin > Server Properties > Syslog.

  3. In the Syslog Formats section, select SMS 2.5 Syslog Format, and click Copy.

  4. In the Edit Syslog Format window, do the following:

  • Enter a name for this format.

  • Enter a description, as required.

  • Click Insert Field and add the following at the end of the text in the Pattern field:

    • ${_DELIMITER.EN_US}

    • ${CLIENTADDRESS.EN_US}

  • Click OK.

The updated format is similar to SMS 2.5 Syslog Format, except for the two fields, delimiter and clientaddress, appended to the format.

The text in the Pattern field then appears as follows (copy and paste the pattern below if you prefer to enter it directly):

${actionType}${_delimiter}${severity}${_delimiter}${policyUUID}${_delimiter}${signatureUUID}${_delimiter}${filterName}${_delimiter}${signatureNumber}${_delimiter}${protocolLower}${_delimiter}${srcAddress}${_delimiter}${srcPort}${_delimiter}${destAddress}${_delimiter}${destPort}${_delimiter}${hitCount}${_delimiter}${srcZone}${_delimiter}${destZone}${_delimiter}${physicalPortIn}${_delimiter}${vlanTag}${_delimiter}${deviceName}${_delimiter}${taxonomyID}${_delimiter}${eventTimestamp}${_delimiter}${msgParameters}${_delimiter}${eventID}${_delimiter}${clientAddress}${_delimiter}${uriHost}${_delimiter}${uriMethod}${_delimiter}${uriString}

Note: Select the HTTP Context check box if you want the profile to identify information associated with any HTTP URI. When possible, the devices detect this and provide the HTTP hostname, URI, and method in the Inspection event.

  5. Add HTTP Context:

  • Select Profiles > Inspection Profiles.

  • Click New.

  • Enter the following information for the profile:

    • Enter a Name for the profile.

    • Select Deployment mode Default.

    • Select the Client IP (X-Forwarded-For & True-Client-IP) check box.

    • Select the HTTP Context (Hostname, URI, Method) check box.

    • Under Inheritance, select the profile.

    • Click OK.

  6. In the Remote Syslog for Events section, click New.

  7. In Create Remote Syslog Notification Settings, do the following:

  Field                             Description
  Enable                            Check the checkbox.
  Syslog Server                     Add the LCP IP address.
  Protocol                          Select the required protocol. The default protocol is UDP.
  Port                              Add the destination port number. The default port number is 514.
  Log Type                          Select the name of the customized log type format created in step 4.
  Event Query                       Keep the default value, All Events.
  Facility                          Select Local Use 6.
  Severity                          Select the required value. The default value is Severity in Event.
  Delimiter                         Select Tab.
  Include Timestamp in Header       Select None.
  Include SMS hostname in Header    Leave the checkbox unchecked.
  Send New Events/Log Only          Leave the checkbox unchecked.

  8. Click OK.
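As an added example (not part of this guide, and not TippingPoint or Accenture code), the following Python splits one event in the customized format from step 4 into named fields and pulls out the XFF client address that the note above describes. It assumes the settings configured above (tab delimiter, Local Use 6 facility, no timestamp or SMS hostname in the header); the "<PRI>" header layout and the sample event are constructed assumptions, and the field names follow the order of the pattern shown above.

```python
import re
from typing import Dict

# Field order of the customized pattern from step 4 (SMS 2.5 Syslog Format with
# clientAddress and the HTTP context fields appended), split on the tab delimiter.
PATTERN_FIELDS = [
    "actionType", "severity", "policyUUID", "signatureUUID", "filterName",
    "signatureNumber", "protocolLower", "srcAddress", "srcPort", "destAddress",
    "destPort", "hitCount", "srcZone", "destZone", "physicalPortIn", "vlanTag",
    "deviceName", "taxonomyID", "eventTimestamp", "msgParameters", "eventID",
    "clientAddress", "uriHost", "uriMethod", "uriString",
]
LOCAL6 = 22  # syslog facility number for "Local Use 6" (local6)

# Constructed sample event (assumed wire layout): a "<PRI>" header with facility
# local6 and severity 4 (22 * 8 + 4 = 180), no timestamp or hostname, then 25 fields.
SAMPLE_EVENT = "<180>" + "\t".join([
    "Block", "4", "pol-uuid-0001", "sig-uuid-0001", "HTTP: Example Filter", "12345",
    "tcp", "203.0.113.10", "51234", "192.0.2.20", "80", "1", "WAN", "LAN", "1A",
    "0", "ips-edge-01", "10", "1617283945000", "", "9001", "198.51.100.7",
    "www.example.test", "GET", "/index.html",
])

def parse_sms_event(line: str) -> Dict[str, str]:
    """Map one custom-format line to a dict keyed by the pattern field names."""
    m = re.match(r"^(?:<(\d{1,3})>)?(.*)$", line, re.DOTALL)
    pri, body = m.group(1), m.group(2)
    # The collector supports only the tab delimiter: a comma- or space-delimited
    # line gives the wrong field count and is rejected instead of being mis-mapped.
    parts = body.split("\t")
    if len(parts) != len(PATTERN_FIELDS):
        raise ValueError(f"expected {len(PATTERN_FIELDS)} tab-separated fields, got {len(parts)}")
    event = dict(zip(PATTERN_FIELDS, parts))
    if pri is not None:  # decode the syslog PRI into facility and severity
        event["syslogFacility"] = str(int(pri) // 8)
        event["syslogSeverity"] = str(int(pri) % 8)
    return event

def originating_client(event: Dict[str, str]) -> str:
    """True client IP: XFF-derived clientAddress if present, else srcAddress (the direct peer)."""
    return event["clientAddress"] or event["srcAddress"]

def via_proxy(event: Dict[str, str]) -> bool:
    """True when the XFF client address differs from the connecting source address."""
    return bool(event["clientAddress"]) and event["clientAddress"] != event["srcAddress"]

def facility_ok(event: Dict[str, str]) -> bool:
    """Check that the event arrived on the Local Use 6 facility selected in step 7."""
    return event.get("syslogFacility") == str(LOCAL6)
```

A real feed would be read line by line from the LCP's syslog listener; the rejection on field count is what catches a device that was left on a delimiter other than tab.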

To collect security logs (SMS 2.5 format) without XFF facility from SMS integrated with the IPS, follow the steps below.

  1. Log in to the TippingPoint SMS administrative console.

  2. On the toolbar, go to Admin > Server Properties > Syslog.

  3. In the Remote Syslog for Events section, click New.

  4. In Create Remote Syslog Notification Settings, do the following:

  Field                             Description
  Enable                            Check the checkbox.
  Syslog Server                     Add the LCP IP address.
  Protocol                          Select the required protocol. The default protocol is UDP.
  Port                              Add the destination port number. The default port number is 514.
  Log Type                          Keep the default value, SMS 2.5 Syslog Format.
  Event Query                       Keep the default value, All Events.
  Facility                          Select Local Use 6.
  Severity                          Select the required value. The default value is Severity in Event.
  Delimiter                         Select Tab.
  Include Timestamp in Header       Select None.
  Include SMS hostname in Header    Leave the checkbox unchecked.
  Send New Events/Log Only          Leave the checkbox unchecked.

  5. Click OK.

To collect SMS system logs from SMS integrated with the IPS, follow the steps below.

  1. Log in to the TippingPoint SMS administrative console.

  2. On the toolbar, go to Admin > Server Properties > Syslog.

  3. In the Remote Syslog for Events section, click New.

  4. In Create Remote Syslog Notification Settings, do the following:

  Field                             Description
  Enable                            Check the checkbox.
  Syslog Server                     Add the LCP IP address.
  Protocol                          Select the required protocol. The default protocol is UDP.
  Port                              Add the destination port number. The default port number is 514.
  Log Type                          Select SMS System.
  Event Query                       Keep the default value, All Events.
  Facility                          Select Local Use 6.
  Severity                          Select the required value. The default value is Severity in Event.
  Delimiter                         Select Tab.
  Include Timestamp in Header       Select None.
  Include SMS hostname in Header    Check the checkbox.
  Send New Events/Log Only          Leave the checkbox unchecked.

  5. Click OK.

To collect SMS Audit logs from SMS integrated with the IPS, follow the steps below.

  1. Start the TippingPoint SMS administrative console.

  2. On the toolbar, go to Admin > Server Properties > Syslog.

  3. In the Remote Syslog for Events section, click New.

  4. In Create Remote Syslog Notification Settings, do the following:

  Field                             Description
  Enable                            Check the checkbox.
  Syslog Server                     Add the LCP IP address.
  Protocol                          Select the required protocol. The default protocol is UDP.
  Port                              Add the destination port number. The default port number is 514.
  Log Type                          Select SMS Audit.
  Event Query                       Keep the default value, All Events.
  Facility                          Select Local Use 6.
  Severity                          Select the required value. The default value is Severity in Event.
  Delimiter                         Select Tab.
  Include Timestamp in Header       Select None.
  Include SMS hostname in Header    Check the checkbox.
  Send New Events/Log Only          Leave the checkbox unchecked.

  5. Click OK.

LCP Configuration Parameters

Table 1-2: The HP TippingPoint Intrusion Prevention System (IPS) collector (Syslog-3421) event collector properties to be configured by MDR.

Property: Protocol
  Default value: UDP
  Description: The default protocol for syslog. The collector can also accept logs over TCP (only via a syslog relay).
  Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To weigh TCP for reliability against UDP for speed and simplicity, contact the Accenture MDR onboarding team.

Property: IP Address
  Default value: TippingPoint IPS or SMS interface IP address
  Description: Logging device IP address as given in the Pre-Installation Questionnaire (PIQ).
  Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team.

Property: Port Number
  Default value: 514
  Description: The default port number for syslog. For TCP, the default port is 601.
  Note: The LCP can be configured to listen on a non-standard port; advise the Accenture MDR onboarding team if this is a requirement.

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.