Configuring an Action Set for LSM

If you are using LSM, you need to configure an action set for your LSM.

1. Log in to the TippingPoint system.
2. From the LSM menu, select IPS Action Sets.

   The IPS Profile - Action Sets window is displayed.

3. Click Create Action Set.

   The Create/Edit Action Set window is displayed.

4. Type the Action Set Name.
5. For Actions, select a flow control action setting:
   • Permit - Allows traffic.
   • Rate Limit - Limits the speed of traffic. If you select Rate Limit, you must also select the desired rate.
   • Block - Does not permit traffic.
   • TCP Reset - When this is used with the Block action, it resets the source, destination, or both IP addresses of an attack. This option resets blocked TCP flows.
   • Quarantine - When this is used with the Block action, it blocks an IP address (source or destination) that triggers the filter.
6. Select the Remote System Log check box for each action you that you select.
7. Click Create.

   You are now ready to configure the log source in QRadar.

8. To configure QRadar to receive events from a TippingPoint device: From the Log Source Type list, select the TippingPoint Intrusion Prevention System (IPS) option.

   For more information about your TippingPoint device, see your vendor documentation.