TippingPoint IPS adapter

IBM® QRadar® Risk Manager supports TippingPoint IPS (intrusion prevention system) appliances that run TOS and that are under SMS control.

The following features are available with the TippingPoint IPS adapter:
  • IPS
  • Telnet, SSH+HTTPS connection protocols

This adapter requires interaction with the following devices:

  • IPS directly by using the TippingPoint operating system (TOS) over Telnet or SSH.
  • TippingPoint Secure Management Server (SMS) via the web services API over HTTPS.
A connection to the TippingPoint SMS is required to get the most recent Digital Vaccines signatures, which are managed by the SMS.

This adapter works only with IPS devices under SMS control. The SMS web services must be enabled for a successful backup.

This list is limitations of the TippingPoint adapter:

  • QRadar Risk Manager doesn't process source or destination IP addresses in IPS rules or filters. The following TippingPoint features are not supported:
    • Traffic management filters
    • Profile or filter exceptions and restrictions
    • User-defined filters

  • IPS filters without an associated CVE are not modeled because the IPS cannot be mapped to any QRadar vulnerabilities.

The integration requirements for the TippingPoint adapter are described in following table:

Table 1. TippingPoint IPS Adapter
Integration Requirement Description

Supported Versions

TOS 3.6 and SMS 4.2
Minimum User Access Level

IPS: Operator

SMS: Operator (custom)

A user who belongs to a group with a custom operator role, that has Access SMS Web Services option enabled

.

SNMP discovery

No

Required credential parameters

To add credentials in QRadar log in as an administrator and use Configuration Source Management on the Admin tab.

 Enter the following credentials:

Username: <IPS CLI username>

Password: <IPS CLI password>

Enable Username: <SMS username>

Enable Password: <SMS password>

Supported connection protocols

To add protocols in QRadar, log in as an administrator and use Configuration Source Management on the Admin tab.

 Use any one of the following supported connection protocols:

Telnet for IPS CLI

SSH for IPS CLI

HTTPS for SMS

Commands that the adapter requires to log in and collect data

show config

show version

show interface

show host

show sms

show filter $filterNumber (for each signature found in Digital Vaccine)

API commands sent to the SMS to retrieve the most recent signatures

 https://<sms_server>/dbAccess/ tptDBServlet?method=DataDictionary&table=SIGNATURE&format=xml