Thursday, February 21, 2008

Tipping Point with MARS

OK, MARS supports a number of different IDS/IPS vendors out of the box, including Netscreen, Symantec, ISS, Snort, Dragon and McAfee, and obviously the Cisco IPS range.

Now if you were a member of the MARS User Group you would know this already, but it's no secret: you can also get Tipping Point IPS sensors to work with MARS.

And here is the trick: Tipping Point's Security Management System (SMS) can send syslog in Snort format.

Now you're not going to get zero-day updates to the known signatures (or Digital Vaccines in Tipping Point terminology) as you would with Cisco IPS, because MARS 5.3.3 (the latest) only knows about Snort signatures up to Dec 2007.

But it can be done. As I just briefly mentioned, you configure the Tipping Point Security Management System (SMS) to send syslog in Snort format. This is documented in the SMS User Guide...

And add the Tipping Point box to MARS as a Snort device...

And as we would expect, we can then get alerts that appear in the SMS console to be (mostly) recognised in the MARS GUI.

As we can see from a Raw Message Query, Tipping Point events are being recognised by MARS.

And incidents are created...

And looking at the Tipping Point raw message, funnily enough it's in Snort format!

But, as I mentioned earlier, it will not recognise "newer" Digital Vaccines, or Snort alerts beyond Dec 2007, in the current MARS release.

So a Session Query shows some "Unknown Device Event Type" entries.

And a Raw Message Query shows that it's down to a PHP exploit that MARS did not understand from the Tipping Point/Snort syslog.
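As an added example (not from this post, and not Cisco or Tipping Point code), here is a small Python parser for syslog lines in the standard Snort alert layout, which is the format the SMS is configured to emit above; it sorts events into recognised alerts, alerts whose SID the parser does not know (the gap that MARS shows as "Unknown Device Event Type"), and lines that are not Snort alerts at all. The exact field layout of the SMS output, the known-SID set and the sample lines are assumptions constructed for illustration.

```python
import re

# Standard Snort syslog alert layout (assumption: the SMS "Snort format" output
# follows it). Sample lines further down are constructed, not real SMS output.
SNORT_ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]:\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed stand-in for the signature set the MARS parser knows (Dec 2007 cut-off).
KNOWN_SIDS = {1000, 1201, 2003}

def parse_snort_alert(line):
    """Extract the [gid:sid:rev] header and the 5-tuple; None if not a Snort alert."""
    m = SNORT_ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    port = lambda p: int(p) if p else None  # ICMP alerts carry no ports
    return {"gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"], "priority": int(d["pri"]),
            "proto": d["proto"], "src": d["src"], "sport": port(d["sport"]),
            "dst": d["dst"], "dport": port(d["dport"])}

def classify_events(lines, known_sids=KNOWN_SIDS):
    """Return (recognised, unknown, unparsed): unknown holds alerts whose SID is
    newer than the parser's signature list, the "Unknown Device Event Type" case."""
    recognised, unknown, unparsed = [], [], []
    for line in lines:
        ev = parse_snort_alert(line)
        if ev is None:
            unparsed.append(line)
        elif ev["sid"] in known_sids:
            recognised.append(ev)
        else:
            unknown.append(ev)
    return recognised, unknown, unparsed

SAMPLE_SYSLOG = [  # constructed sample lines; SIDs and messages are made up
    "Feb 21 10:01:02 sms snort[1234]: [1:1201:7] WEB-MISC 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.1.1.5:80 -> 192.0.2.10:51234",
    "Feb 21 10:01:05 sms snort[1234]: [1:2003:8] WEB-PHP remote file include attempt [Priority: 1]: {TCP} 192.0.2.10:51234 -> 10.1.1.5:80",
    "Feb 21 10:01:09 sms snort[1234]: [1:13501:2] WEB-PHP newer exploit attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.11:4000 -> 10.1.1.5:80",
    "Feb 21 10:01:11 sms snort[1234]: [1:1000:3] ICMP PING [Priority: 3]: {ICMP} 10.1.1.9 -> 10.1.1.5",
    "Feb 21 10:01:12 sms heartbeat: SMS health OK",
]
```

Running `classify_events(SAMPLE_SYSLOG)` puts the SID 13501 line in the unknown bucket, which is the same event that would need a signature update on the MARS side before it could be named in an incident.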
