TippingPoint reporting to MARS


We have a TippingPoint X400 and a MARS 110 in our environment for PCI compliance. The TippingPoint can send syslog as SNORT, and the MARS receives the raw data but shows it as "Unknown Device Event Type" and not as SNORT. One example of the raw data:

30964462 Unknown Device Event Type Jan 7, 2008 11:38:03 AM CST TippingPoint <166>Jan 07 11:36:13 snort[71]: [1:0:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm [Classification: Misc Attack] [Priority: 1]: {udp} xxx.xxx.xxx.xxx-> xxx.xxx.xxx.xxx

Any suggestions besides replacing the TippingPoint with a Cisco IPS?

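A small parser for the Snort-format syslog line quoted in the question, added here as an example (it is not code from the thread, from TippingPoint or from MARS). It checks whether a line is in the Snort alert layout that MARS maps and files anything else as unknown, which is how MARS treats lines it cannot parse; the sample lines, including the Cisco ACL line, are constructed.

```python
import re
from typing import Optional

# Snort alert syslog layout, the one MARS expects from the "Snort Syslog Format (MARS)" setting:
#   <PRI>Mon DD HH:MM:SS snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p]: {proto} src -> dst
SNORT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>\S+?)\s*->\s*(?P<dst>\S+)$"
)

# Constructed samples. The first is the syslog part of the event quoted in the question
# (addresses were masked there); the second adds ports and documentation addresses; the
# third is a constructed Cisco ACL log line, the kind of non-Snort message the thread mentions.
SAMPLE_LINES = [
    "<166>Jan 07 11:36:13 snort[71]: [1:0:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm "
    "[Classification: Misc Attack] [Priority: 1]: {udp} xxx.xxx.xxx.xxx-> xxx.xxx.xxx.xxx",
    "<166>Jan 07 11:36:20 snort[71]: [1:0:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm "
    "[Classification: Misc Attack] [Priority: 1]: {udp} 192.0.2.10:1434 -> 198.51.100.5:1434",
    "<165>Jan 07 11:36:21 router 12345: %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "192.0.2.10(1434) -> 198.51.100.5(1434), 1 packet",
]

def parse_snort_syslog(line: str) -> Optional[dict]:
    """Return the fields of a Snort-format alert, or None when the line is not in that
    layout (the case MARS files as "Unknown Device Event Type")."""
    m = SNORT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    pri = int(ev.pop("pri"))
    ev["facility"], ev["severity"] = pri >> 3, pri & 7  # syslog PRI = facility*8 + severity
    for key in ("pid", "gid", "sid", "rev", "priority"):
        ev[key] = int(ev[key])
    return ev

def classify_events(lines):
    """Split raw syslog lines into parsed Snort alerts and lines no Snort parser would map."""
    parsed, unknown = [], []
    for line in lines:
        ev = parse_snort_syslog(line)
        (unknown if ev is None else parsed).append(line if ev is None else ev)
    return parsed, unknown
```

Running `classify_events(SAMPLE_LINES)` separates the two Snort alerts from the ACL line, which is the same split MARS makes when the SMS is sending a format it does not map.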
Farrukh Haroon Wed, 08/17/2011 - 04:41

Hello

How have you configured the log format in the TippingPoint SMS console? Is it "Snort Syslog Format (MARS)"?

Have you properly added the TippingPoint device to MARS? Have you verified that it is still there? Perhaps it got corrupted/deleted during or after the upgrade.

Regards

Farrukh

chechipan Fri, 08/19/2011 - 02:23

Thanks, Farrukh!

My action was to clear everything and recover the software on the MARS, so all the old configuration was cleared. Then I could add the firewalls to the MARS and generate reports properly. The next step was to add the TippingPoint and set the format to Snort 2.0; the IPS could be added successfully without any problem.

However, the events coming from the IPS are classified as "Unknown Device Event Type". When I click the link of those messages, I can see the messages properly, so it seems MARS can recognize the IPS. I don't know why they are classified as unknown.

Would you please provide a suggestion?


Farrukh Haroon Sat, 08/20/2011 - 03:42

Can you please send me a screenshot of one such event? I have a TippingPoint available with me and will also try to play around with this.

Regards

Farrukh

chechipan Sun, 08/21/2011 - 19:05

The query result is shown as follows; all the messages are sent by an unknown device:

When I click the raw message, the message can be displayed:

The following screenshots show the device settings of the SMS server:

Farrukh Haroon Mon, 08/22/2011 - 01:37

I see two issues here.

Firstly, you did not provide the correct raw log; this log seems to be from a Cisco device (ACL log) and not a TippingPoint box! Please check.

Secondly, can you change the logging type in SMS to the one I mentioned above, i.e. "Snort Syslog Format (MARS)", instead of the one you have set up?

Regards

Farrukh

chechipan Mon, 08/22/2011 - 19:36

You are right! My MARS can recognize the IPS now.

Thank you so much!
