
Trend Micro Tipping Point IPS - LSM Deployment Guide
Date Published: 8/7/2021
Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any
third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and
reference.

Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional
warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without
the written permission of Securonix.

Copyright © 2021 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Deployment Guide 2


Table of Contents

Introduction 4
About Tipping Point IPS - LSM 4
Supported Collection Method 4
Format 4
Functionality 4
Tipping Point IPS - LSM Configuration 5
Configuration in SNYPR 8
Verify the Job 12
Resources 12

Introduction
This Deployment Guide provides information on how to configure Tipping Point IPS -
LSM to send security logs to SNYPR.

About Tipping Point IPS - LSM


The Tipping Point IPS is a high-speed, comprehensive security system that includes
the Intrusion Prevention System (IPS), Local Security Manager (LSM), Digital Vaccine,
the Security Management System Appliance, and the Core Controller.

Supported Collection Method


The collection method is Syslog.

Format
The format is Regex.

Functionality
In SNYPR, resource groups (datasources) are categorized by functionality. The
functionality determines what content is available when you import the datasource.
For more information about Device Categorization, see the Data Dictionary.

The functionality of Tipping Point IPS - LSM is IDS / IPS / UTM / Threat Detection.


Tipping Point IPS - LSM Configuration
Complete the following steps to configure Tipping Point IPS - LSM to export events to
SNYPR.

Integrating Tipping Point IPS - LSM


Before you configure the Tipping Point IPS, you must have the IP Address of the
Remote Ingester Node (RIN). If you are using an LSM device, you must configure LSM
notification contacts.

Configure a notification contact for LSM


1. Log in to the Tipping Point system.

2. Select IPS > Action Sets from the LSM menu.

Note: The IPS Profile - Action Sets window is displayed.

3. Click the Notification Contacts tab.

4. Click Remote System Log in the Contacts list.

Note: The Edit Notification Contact page is displayed.

5. Configure the following values: 


a. Syslog Server: Type the IP address of the RIN to receive syslog event
messages.

b. Port: Type 514 as the port address.

c. Alert Facility: Select none or a numeric value 0-31 from the list. Syslog uses
these numbers to identify the message source.

d. Block Facility: Select none or a numeric value 0-31 from the list. Syslog uses
these numbers to identify the message source.

e. Delimiter: Select TAB from the list.

f. Click Add to table below.

g. Configure a Remote system log aggregation period in minutes.

6. Click Save.

Configure an action set for your LSM


1. Log in to the Tipping Point system.

2. Select IPS > Action Sets from the LSM menu.

Note: The IPS Profile - Action Sets window is displayed.

3. Click Create Action Set.


Note: The Create/Edit Action Set window is displayed.

4. Type the Action Set Name.

5. Select a flow control action setting for Actions: 

a. Permit: Allows traffic.

b. Rate Limit: Limits the speed of traffic. If you select Rate Limit, you must also
select the desired rate.

c. Block: Does not permit traffic.

d. TCP Reset: When this is used with the Block action, it resets the source,
destination, or both IP addresses of an attack. This option resets blocked TCP
flows.

e. Quarantine: When this is used with the Block action, it blocks an IP address
(source or destination) that triggers the filter.

6. Select the Remote System Log check box for each action that you select.

7. Click Create.

Note: You are now ready to configure the log source in RIN.

8. Configure Remote Ingestion Node (RIN) to receive events from a Tipping Point
device:

a. Select the Tipping Point Intrusion Prevention System (IPS) option from the
Log Source Type list.

Verify Logs on RIN


On the Remote Ingester Node, verify that logs are being received using the following command:
tcpdump -i eth0 tcp port 3514 -v -A

Example of a received event (one line):

<109>Dec 20 01:22:12 securonix-labs 8 1 6d0357sdd-3b40-43fe-b107-0ca413af1dc0 00000001-0001-0001-0001-000000005601 5601: SSH: SSH Login Attempt Client Request (ATT&CK T1021,T1032) 5601 ssh 10.0.0.1 57918 10.0.0.21 22 1 11 2 SNX-01 11111111 1613456759996 1341330058
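As an added example (not part of this guide or of Securonix or Trend Micro code), the following parser reads an event like the one above: it decodes the syslog PRI into facility and severity, splits the TAB-delimited body that the LSM notification contact was configured to emit, and extracts the endpoints and ATT&CK technique ids. The sample line is reconstructed with tabs, and the positions of the signature field and of the source/destination IP and port fields are assumptions taken from that sample, not a documented field order.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample modelled on the line shown above. The LSM contact is
# configured with a TAB delimiter, so the body fields are tab-separated here
# (the guide's printed copy of the line lost the tabs).
SAMPLE = (
    "<109>Dec 20 01:22:12 securonix-labs 8\t1\t"
    "6d0357sdd-3b40-43fe-b107-0ca413af1dc0\t00000001-0001-0001-0001-000000005601\t"
    "5601: SSH: SSH Login Attempt Client Request (ATT&CK T1021,T1032)\t5601\tssh\t"
    "10.0.0.1\t57918\t10.0.0.21\t22\t1\t11\t2\tSNX-01\t11111111\t1613456759996\t1341330058"
)
# RFC 3164-style header: <PRI>Mon dd hh:mm:ss host <tab-delimited body>
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} "
                    r"\d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
# Assumed from the sample: the signature field starts with "<filter id>: ",
# and source IP, source port, destination IP, destination port are adjacent fields.
SIGNATURE = re.compile(r"^\d+: ")
ENDPOINTS = re.compile(r"\t(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\t(?P<sport>\d+)"
                       r"\t(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\t(?P<dport>\d+)\t")
ATTACK = re.compile(r"\(ATT&CK (?P<ids>T\d{4}(?:\.\d{3})?(?:,T\d{4}(?:\.\d{3})?)*)\)")
@dataclass
class TpEvent:
    facility: int          # PRI // 8; 13 (log audit) in the sample
    severity: int          # PRI % 8; 5 (notice) in the sample
    timestamp: str
    host: str
    signature: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack_ids: List[str]  # MITRE ATT&CK technique ids named in the signature
    fields: List[str]      # every tab-delimited body field, for further mapping
def parse_tp_syslog(line: str) -> Optional[TpEvent]:
    """Parse one TippingPoint LSM remote-syslog line; None if it is not one."""
    m = HEADER.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri, body = int(m["pri"]), m["body"]
    fields = body.split("\t")
    ep = ENDPOINTS.search(body)
    if ep is None:  # header parsed but no endpoint quartet: not an alert/block line
        return None
    signature = next((f for f in fields if SIGNATURE.match(f)), "")
    att = ATTACK.search(signature)
    return TpEvent(pri // 8, pri % 8, m["ts"], m["host"], signature, ep["sip"],
                   int(ep["sport"]), ep["dip"], int(ep["dport"]),
                   att["ids"].split(",") if att else [], fields)
```

Running the parser over the tcpdump output before building the SNYPR regex lets you confirm the delimiter and field order the device actually sends, which is what the REGEX[SYSLOG] collection method depends on.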

Configuration in SNYPR
To configure Tipping Point IPS - LSM in SNYPR, complete the following steps:

1. Log in to SNYPR.
2. Navigate to Menu > Add Data > Activity.
3. Click + > Add Data for Existing Device Type.
4. Click the Vendor drop-down and select the following information:
   • Vendors: Trend Micro Inc.
   • Device Type: TippingPoint IPS
   • Collection Method: REGEX[SYSLOG]


5. Choose an ingester from the drop-down list.

6. Complete the following information in the Device Information section:


a. Datasource Name: TippingPoint IPS
b. Specify timezone for activity logs: Click the drop-down and select a timezone
for the logs.

7. Click Get Preview on the top right of the screen to view the data.

8. Click Save & Next until you reach step 4: Identity Attribution.
9. Click + > Add New Correlation Rule.


10. Enter a descriptive name for the correlation rule.

11. Provide the following parameters to create a correlation rule:


   • User Attribute
   • Operation
   • Parameter
   • Condition
   • Separator

Example: User Attribute: firstname | Operation: None | Condition: And | Separator: . (period) + User Attribute: lastname | Operation: None | Condition: And. This correlation rule correlates users to activity accounts with the format firstname.lastname.

12. Scroll to the bottom of the screen and click Save.


13. Click Save & Next.
14. Select Do you want to run job Once? in the Job Scheduling Information section.

15. Click Save & Run.

You will automatically be directed to the Job Monitor screen.


Verify the Job


Upon a successful import, the event data will be available for searching in Spotter. To
search events in Spotter, complete the following steps:

1. Navigate to Menu > Security Center > Spotter.


2. Verify that the datasource you ingested is listed under the Available Datasources
section.

Resources
For additional information, see the following resources:


https://success.trendmicro.com/solution/TP000088717-Configuring-the-IPS-TPS-for-
a-Remote-SYSLOG-server
