Cisco Support Community
TippingPoint reporting to MARS

We have a TippingPoint X400 and a MARS 110 in our environment for PCI compliance. The TippingPoint can send syslog in Snort format, and the MARS receives the raw data but shows it as "Unknown Device Event Type" and not as Snort. One example of the raw data:

30964462 Unknown Device Event Type Jan 7, 2008 11:38:03 AM CST TippingPoint <166>Jan 07 11:36:13 snort[71]: [1:0:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm [Classification: Misc Attack] [Priority: 1]: {udp} xxx.xxx.xxx.xxx-> xxx.xxx.xxx.xxx

Any suggestions besides replacing the TippingPoint with a Cisco IPS?
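The raw event quoted above is a Snort-style syslog alert: a syslog PRI, a timestamp, the `snort[pid]:` tag, a `[gid:sid:rev]` triple, the filter message, `[Classification: ...]`, `[Priority: n]:`, the protocol in braces, and the source and destination addresses. The parser below is an added example, not code from the original post or from Cisco or TippingPoint; it parses lines in that format and separates anything it cannot parse, which is what a receiver classifying events as "unknown" is effectively doing. The sample feed is constructed: the first line mirrors the quoted event with the masked addresses replaced by RFC 1918 addresses, the second adds a syslog hostname and ports to show the optional fields, and the third is a constructed Cisco IOS ACL log line (the kind of message that is not a Snort alert at all).

```python
import re
from typing import List, Optional, Tuple

# Regex for the Snort-style syslog alert the TippingPoint SMS emits (mirrors the
# raw event quoted in the question). The syslog hostname and the ports are
# optional because the quoted line has neither. IPv4 addresses only.
SNORT_ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})"
    r"(?: (?P<host>[^\s\[]+))?"
    r" snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI value into (facility, severity); <166> is local4.info."""
    return pri >> 3, pri & 7


def parse_snort_alert(line: str) -> Optional[dict]:
    """Return the fields of one Snort-format syslog alert, or None if the line
    is not in that format (the case a receiver would report as unknown)."""
    m = SNORT_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    facility, severity = decode_pri(int(d["pri"]))
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": d["ts"],
        "host": d["host"],                     # None when the sender omits it
        "pid": int(d["pid"]),
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["classification"],
        "priority": int(d["priority"]),
        "proto": d["proto"].lower(),
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def triage(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Split a syslog feed into parsed Snort alerts and unparsed raw lines."""
    parsed, unknown = [], []
    for line in lines:
        ev = parse_snort_alert(line)
        if ev is None:
            unknown.append(line)
        else:
            parsed.append(ev)
    return parsed, unknown


# Constructed sample feed (not captured traffic). Line 1 mirrors the event quoted
# in the question; line 2 adds a hostname and ports; line 3 is a constructed
# Cisco IOS ACL log message, which is not a Snort alert.
SAMPLE_FEED = [
    "<166>Jan 07 11:36:13 snort[71]: [1:0:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm "
    "[Classification: Misc Attack] [Priority: 1]: {udp} 10.0.0.5-> 192.168.1.10",
    "<166>Jan 07 11:36:14 tp-x400 snort[71]: [1:1456:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm "
    "[Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.10:1434",
    "<166>Jan 07 11:40:00 10.1.1.1 %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "10.0.0.5(1434) -> 192.168.1.10(1434), 1 packet",
]

if __name__ == "__main__":
    events, leftovers = triage(SAMPLE_FEED)
    for ev in events:
        print(f"{ev['gid']}:{ev['sid']}:{ev['rev']} prio={ev['priority']} "
              f"{ev['proto']} {ev['src']} -> {ev['dst']} :: {ev['msg']}")
    for raw in leftovers:
        print("UNKNOWN:", raw)
```

Running it prints the two Snort alerts with their signature triple, priority and endpoints, and reports the ACL log line as unknown. When a receiver files every event under "unknown", comparing a raw line against a regex like this one is a quick way to tell whether the sender is really emitting the format the receiver was told to expect.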

8 REPLIES
Re: TippingPoint reporting to MARS

MARS does not support TippingPoint, so it identifies it as an unknown device. The following link may help you:

http://www.cisco.com/en/US/docs/security/csa/csa51/user_guide/Chap14.html

TippingPoint reporting to MARS

When I use MARS version 5.x, it can show the event properly if I follow the steps shown on the following site:

http://ciscomars.blogspot.com/2008/02/tipping-point-with-mars.html

However, after MARS was upgraded to version 6.1.2, I encounter the same problem as jnoyes@usbeefcorp.com posted.

Is there any solution for the problem?

TippingPoint reporting to MARS

Hello

How have you configured the log format in the TippingPoint SMS console? Is it "Snort Syslog Format (MARS)"?

Have you properly added the TippingPoint device to MARS? Have you verified that it is still there? Perhaps it got corrupted or deleted during or after the upgrade.

Regards

Farrukh

TippingPoint reporting to MARS

Thanks, Farrukh!

My action was to clear everything and recover the software on the MARS; all the old configuration was cleared. Then I could add the firewalls to the MARS and generate reports properly. The next step was to add the TippingPoint and set the format to Snort 2.0; the IPS could be added successfully without any problem.

However, the events coming from the IPS are classified as "Unknown Device Event Type". When I click the link of those messages, I can see the messages properly, so it seems MARS can recognize the IPS. I don't know why they are classified as unknown.

Would you please provide suggestion?

TippingPoint reporting to MARS

Can you please send me a screenshot of one such event? I have a TippingPoint available and will also try to play around with this.

Regards

Farrukh

TippingPoint reporting to MARS

The query result is shown as follows; all the messages are sent by an unknown device:

When I click the raw message, the message can be displayed:

The following screenshots show the device settings of the SMS server:

TippingPoint reporting to MARS

I see two issues here.

Firstly, you did not provide the correct raw log; this log seems to be from a Cisco device (ACL log) and not a TippingPoint box! Please check.

Secondly, can you change the logging type in SMS to the one I mentioned above, i.e. "Snort Syslog Format (MARS)", instead of the one you have set up?

Regards

Farrukh

TippingPoint reporting to MARS

You are right! My MARS can recognize the IPS now.

Thank you so much!
