TippingPoint tab

The TippingPoint tab allows you to configure integration with the TippingPoint Security Management System (SMS). This integration allows a VMware NSX Network Detection and Response appliance to push reputation information to the TippingPoint SMS server based on the threats it detects on the monitored network.

When malicious network behavior is detected, an appliance will, depending on configuration, push to the SMS server reputation information about the source or destination host involved in the malicious traffic. A network administrator can use this information in the policies deployed by the SMS server, for example, to automatically block traffic to hosts that the system has detected are acting as Malware Command and Control servers. In the terminology of TippingPoint SMS, these policies are called Reputation Filters.

The reputation information about a host that the system can push to TippingPoint SMS is structured into the following five tag categories:

Malware Class

String in the format:

{infected|malicious}:Malware Class Name

Malware Class Name is the name of a Malware Class as displayed in the details of the detection in the VMware NSX Network Detection and Response interface.

The prefix infected: is used for client hosts (typically within the network) that are victims of the detected malware, such as an infected host that is calling out to a Command and Control server, or a client that was subject to a Drive-By attack.

The prefix malicious: is used for server hosts (typically outside the network) that are hosting the detected Malware, such as a Command and Control server or a web server distributing exploits or Malware binaries.

Impact

Integer in the range 1-100. The impact of the detected event. This corresponds to the impact score displayed in the event details.

Confidence

Integer in the range 1-100. The confidence of the detection.

Last Seen

Datetime. The timestamp of the most recent occurrence of the detected malicious behavior.

Event URL

URL. A URL to the details about the detection in the system interface.

Before reputation information can be pushed to an SMS server, the tag categories used by the system need to be imported into the TippingPoint SMS Server. A definition of these five tag categories, plus the three additional tag categories used by TippingPoint Reputation DV, is available for download.

TippingPoint notifications list

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Click the plus icon to add a notification.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

The TippingPoint notifications list contains the following:

Appliance

The appliance or sensor that triggers the notifications.

Click edit to edit the notification.

Click delete to delete the notification. Click the Delete button in the Delete confirmation pop-up.

Click unread to view a summary of the notification configuration. The summary is displayed in a pop-up. Click the Send test notification button to send a test. Click the Edit button to edit the notification configuration. Click cancel/close or the Close button to dismiss the pop-up.

Click heartbeat/test to send a test notification. The icon will be grayed out if the notification is disabled.

Max daily notifications

The maximum number of notifications to send within a 24 hour period.

Seconds valid

Defines how long a notification is valid after being sent. The default is 86400 seconds.

SMS server

The IP address or hostname of the TippingPoint SMS server.

SMS server port

The port number the TippingPoint SMS server is listening on.

Protocol

The protocol used to connect to the TippingPoint SMS server (HTTP or HTTPS).

User

The user name used to connect to the TippingPoint SMS server.

Enabled

Shows True if the notification is enabled, False otherwise. Click power to toggle the enable/disable status of the notification.

Create TippingPoint notification page

On the Create TippingPoint Notification page, fill in the following:

Appliance

The appliance or sensor that triggers the notifications. Select from the License pull-down menu:

  • All licenses: Automatically selects all sensors.

  • All sensors: Use the Sensor pull-down menu to select any specific sensor from any license.

  • Specific license: Use the Sensor pull-down menu to select All sensors for that license or any specific sensor.

Daily limit

Select the maximum number of notifications to send within a 24 hour period. 0 (zero) means unlimited.

Timezone

Select the timezone within which daily limits are computed. By default, the current system timezone is selected.

Enable/disable notification

Click the Enabled button to toggle whether the notification will be enabled upon being saved. Notifications can be enabled or disabled at any time.

TippingPoint settings

Seconds Valid

How long a notification is valid after being sent. A lower impact notification will not be sent for a host as long as a higher impact one was sent for that host within the configured number of seconds. The goal is to avoid overwriting reputation information about a high impact threat with less critical information. A value of 0 will disable this filter, but we recommend values of a day or above.
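The following Python model, added here as an illustration and not code from NSX Network Detection and Response or TippingPoint, shows how the five tag categories described above are assembled for a host and how the Seconds Valid suppression and the daily limit interact before a push. The Detection and PushFilter classes, the demo() function and all sample hosts, timestamps and URLs are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Detection:
    host: str           # host the reputation entry is about
    role: str           # "client" (victim) or "server" (hosts the malware)
    malware_class: str  # Malware Class name as shown in the detection details
    impact: int         # 1-100
    confidence: int     # 1-100
    last_seen: datetime
    event_url: str

def build_tags(d: Detection) -> dict:
    """Build the five tag categories this page lists for a TippingPoint SMS push."""
    assert 1 <= d.impact <= 100 and 1 <= d.confidence <= 100, "impact/confidence are 1-100"
    prefix = "infected" if d.role == "client" else "malicious"
    return {"Malware Class": f"{prefix}:{d.malware_class}", "Impact": d.impact,
            "Confidence": d.confidence, "Last Seen": d.last_seen.isoformat(),
            "Event URL": d.event_url}

@dataclass
class PushFilter:
    seconds_valid: int = 86400  # 0 disables the impact filter (hypothetical model)
    daily_limit: int = 0        # 0 means unlimited
    last: dict = field(default_factory=dict)   # host -> (impact, sent_at)
    sent: dict = field(default_factory=dict)   # date -> pushes that day

    def should_push(self, d: Detection) -> bool:
        day = d.last_seen.date()  # the product computes days in the configured timezone
        if self.daily_limit and self.sent.get(day, 0) >= self.daily_limit:
            return False
        prev = self.last.get(d.host)
        if prev and self.seconds_valid:
            prev_impact, prev_time = prev
            age = (d.last_seen - prev_time).total_seconds()
            if prev_impact > d.impact and age <= self.seconds_valid:
                return False  # keep the higher-impact reputation entry in SMS
        self.last[d.host] = (d.impact, d.last_seen)
        self.sent[day] = self.sent.get(day, 0) + 1
        return True

def demo() -> dict:
    """Constructed sample: one victim host seen three times over two days."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    hi = Detection("10.0.0.5", "client", "Trojan", 80, 90, t0, "https://ndr.example.invalid/event/1")
    lo = Detection("10.0.0.5", "client", "Adware", 30, 60, t0 + timedelta(hours=1), "https://ndr.example.invalid/event/2")
    later = Detection("10.0.0.5", "client", "Adware", 30, 60, t0 + timedelta(days=2), "https://ndr.example.invalid/event/3")
    f = PushFilter(seconds_valid=86400)
    return {"tags": build_tags(hi), "pushed": [f.should_push(x) for x in (hi, lo, later)]}
```

The lower-impact Adware detection an hour after the Trojan one is suppressed, while the same detection two days later is pushed because the earlier high-impact entry has aged out.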

SMS Server

Location is the hostname/IP address of the TippingPoint SMS server.

Port is the port on which the TippingPoint SMS server is listening.

Protocol

The protocol used to connect to the TippingPoint SMS server. Select HTTP or HTTPS.

SMS Username/Password

The credentials used to connect to the TippingPoint SMS server.

Triggers

Select the appropriate triggers for the notification. For more information, see About notification triggers. Also see Sensor group notifications for some caveats about notifications and sensor groups.

Network triggers

By default, Network triggers are set to Enabled.

Once the notification is properly configured, click the Save button to apply the changes. The TippingPoint notification configuration summary pop-up is displayed. When you close it, the TippingPoint notifications list is displayed.