TippingPoint reporting to MARS

jnoyes
Level 1

We have a TippingPoint X400 and a MARS 110 in our environment for PCI compliance. The TippingPoint can send syslog as SNORT and the MARS receives the raw data but shows it as "Unknown Device Event Type" and not as SNORT. One example of the raw data:

30964462 Unknown Device Event Type Jan 7, 2008 11:38:03 AM CST TippingPoint <166>Jan 07 11:36:13 snort[71]: [1:0:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm [Classification: Misc Attack] [Priority: 1]: {udp} xxx.xxx.xxx.xxx-> xxx.xxx.xxx.xxx

Any suggestions besides replacing the TippingPoint with a Cisco IPS?
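The raw event above is a Snort "fast alert" line wrapped in a BSD syslog header, prefixed by MARS's own display columns (event id, "Unknown Device Event Type", receive time, device name). As an added example that is not part of this thread or of any Cisco or TippingPoint code, the following Python parser splits such a line into its fields (syslog PRI decoded into facility and severity, Snort generator/signature/revision ids, message, classification, priority, protocol, endpoints) and flags lines that do not match, which is a quick way to check on the collector side whether a device really is emitting Snort-format syslog before blaming the SIEM's device mapping. The hostname field, the ports and the second and third sample lines are constructed assumptions for the example; the first sample line is the one posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 severity codes 0..7
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def facility_name(code: int) -> str:
    """Map an RFC 3164 facility number to its conventional name (16..23 are local0..local7)."""
    names = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
             "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
    if 0 <= code < len(names):
        return names[code]
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return f"unknown({code})"


# Snort fast-alert body after a BSD syslog header: <PRI>, timestamp, optional hostname
# (assumed; the posted line has none), "snort[pid]:", then [gid:sid:rev], message,
# classification, priority, {proto} and "src[:port] -> dst[:port]".
SNORT_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) )?snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<message>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>[A-Za-z]+)\} "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass
class SnortAlert:
    facility: int
    facility_label: str
    severity: int
    severity_label: str
    timestamp: str
    host: Optional[str]
    gid: int
    sid: int
    rev: int
    message: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def strip_mars_prefix(line: str) -> str:
    """Drop anything before the syslog <PRI> header, e.g. MARS's display columns."""
    m = re.search(r"<\d{1,3}>", line)
    return line[m.start():] if m else line


def parse_snort_syslog(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a Snort-format syslog line, or None if it is not one."""
    m = SNORT_SYSLOG_RE.match(strip_mars_prefix(line.strip()))
    if not m:
        return None
    pri = int(m["pri"])
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return SnortAlert(
        facility=facility, facility_label=facility_name(facility),
        severity=severity, severity_label=SYSLOG_SEVERITIES[severity],
        timestamp=m["timestamp"], host=m["host"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        message=m["message"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"].lower(),
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_feed(lines: List[str]) -> Tuple[List[SnortAlert], List[str]]:
    """Split a batch of raw lines into parsed Snort alerts and lines of some other format."""
    alerts, unparsed = [], []
    for line in lines:
        alert = parse_snort_syslog(line)
        (alerts if alert else unparsed).append(alert or line)
    return alerts, unparsed


# Sample input: line 1 is the raw event from the post (MARS prefix included);
# lines 2 and 3 are constructed (a host/ports variant and a Cisco-style ACL log
# of the kind the thread later mentions), to show what does and does not parse.
SAMPLE_LINES = [
    "30964462 Unknown Device Event Type Jan 7, 2008 11:38:03 AM CST TippingPoint "
    "<166>Jan 07 11:36:13 snort[71]: [1:0:1] tpti : 1456: MS-SQL: Slammer-Sapphire Worm "
    "[Classification: Misc Attack] [Priority: 1]: {udp} xxx.xxx.xxx.xxx-> xxx.xxx.xxx.xxx",
    "<166>Jan 07 11:36:13 ips01 snort[71]: [1:1456:3] Constructed test alert "
    "[Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.0.2.9:1434",
    "<189>Jan 07 11:40:02 fw01 123: %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "10.0.0.5(1434) -> 192.0.2.9(1434), 1 packet",
]

if __name__ == "__main__":
    parsed, rejected = parse_feed(SAMPLE_LINES)
    for a in parsed:
        print(f"{a.facility_label}.{a.severity_label} sid={a.sid} prio={a.priority} "
              f"{a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport} :: {a.message}")
    for line in rejected:
        print("not Snort format:", line[:60])
```

Running the block prints one structured line per recognised alert and marks the ACL log as "not Snort format"; a line that reaches the collector and lands in the second bucket is the first thing to look at when a SIEM reports the events as an unknown device type.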

8 Replies

tstanik
Level 5

MARS does not support TippingPoint and so it identifies it as an unknown device. The following link may help you:

http://www.cisco.com/en/US/docs/security/csa/csa51/user_guide/Chap14.html

When I use MARS version 5.x, it can show the event properly if I follow the steps shown on the following site:

http://ciscomars.blogspot.com/2008/02/tipping-point-with-mars.html

However, after MARS is upgraded to version 6.1.2, I encounter the same problem as jnoyes@usbeefcorp.com posted.

Is there any solution for the problem?

Hello

How have you configured the log format in the TippingPoint SMS console? Is it "Snort Syslog Format (MARS)"?

Have you properly added the TippingPoint device to MARS? Have you verified that it is still there? Perhaps it got corrupted/deleted during or after the upgrade.

Regards

Farrukh

Thanks, Farrukh!

My action was to clear everything and recover the software on MARS, so all the old configuration is cleared. Then I can add the firewalls to MARS and generate reports properly. The next step is to add the TippingPoint and set the format to Snort 2.0; the IPS can be added successfully without any problem.

However, the events coming from the IPS are classified as "Unknown Device Event Type". When I click the link of those messages, I can see the messages properly, so MARS can recognize the IPS. I don't know why it is classified as unknown.

Would you please provide suggestion?

Can you please send me a screenshot of one such event? I have a TippingPoint available with me and will also try to play around with this.

Regards

Farrukh

The query result is shown as follows; all the messages are sent by an unknown device:

When I click the raw message, the message can be displayed:

The following screenshots are the device settings of the SMS server:

I see two issues here.

Firstly, you did not provide the correct raw log. This log seems to be from a Cisco device (ACL log) and not a TippingPoint box! Please check.

Secondly, can you change the logging type in SMS to the one I mentioned above, i.e. "Snort Syslog Format (MARS)", instead of the one you have set up?

Regards

Farrukh

You are right! My MARS can recognize the IPS now.

Thank you so much!
