In the article Sharing suspicious objects with TippingPoint Security Management System (SMS) via Deep Discovery Inspector (DDI), we demonstrate how to share suspicious objects with TippingPoint Security Management System (SMS) via DDI.
Suspicious objects shared with TippingPoint SMS are stored in the reputation database as reputation entries, in the same way as entries received from any other reputation feed.
This article continues by describing how to configure reputation filters that apply block, permit, or notify actions across an entire reputation group.
After integrating DDI with TippingPoint SMS, DDI sends each suspicious object with the following optional information:
- Trend Micro Severity: Severity of each suspicious object
- Trend Micro Publisher: Trend Micro Deep Discovery Inspector
- Trend Micro Source: Deep Discovery Inspector host name
- Trend Micro Detection Category: Suspicious object
All suspicious objects are stored in the reputation database and searchable via Reputation Database > Search Entries.
TippingPoint SMS provides global vision and security policy control for large-scale deployments of all TippingPoint network security products.
To apply security actions to suspicious objects, you need to create a reputation filter that associates them with an action set (e.g. Block and Notify).
To create a reputation filter for suspicious objects:
1. Under the TippingPoint SMS Profile menu, select Profile > Reputation / Geo. The Reputation Filter and Settings screen displays.
2. In the Reputation Filters section, select New Reputation. The Create Reputation Filter screen displays.
2.1 In the General Settings tab:
2.2 On the Entry Selection Criteria tab, under Tag Criteria:
Select the Trend Micro Detection Category tag, tick the "Tag value is any of" radio button, and select Suspicious Object as the tag value.
Take note that a reputation filter with the Block+Notify action carries some risk: if a legitimate entry is added to the suspicious object list, its traffic will be blocked.
To avoid false positives and mitigate the potential business impact, it is recommended to apply the Block+Notify action only to suspicious objects with High severity, or to configure the Permit+Notify action for initial monitoring.
2.3 Distribute the profile to the target devices by selecting Distribute after the configuration:
After distributing the profile with a reputation filter for suspicious objects to the target devices, if any entities match, the TippingPoint device (here we used a TPS 2200T) executes the corresponding action and blocks the traffic.
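To make the filter logic concrete, the following added example (not part of the original article and not Trend Micro or TippingPoint code) models how reputation entries tagged by DDI are matched against the tag criteria and action sets configured above. How SMS evaluates filters internally is not documented here, so the "first matching filter wins" ordering, the entry values and the host name are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Tag names DDI attaches to each shared suspicious object (from the article).
TAG_SEVERITY = "Trend Micro Severity"
TAG_PUBLISHER = "Trend Micro Publisher"
TAG_SOURCE = "Trend Micro Source"
TAG_CATEGORY = "Trend Micro Detection Category"

@dataclass
class ReputationEntry:
    value: str   # IP address, domain or URL stored in the reputation database
    tags: dict   # tag name -> tag value

@dataclass
class ReputationFilter:
    name: str
    action_set: str  # e.g. "Block+Notify" or "Permit+Notify"
    criteria: dict   # tag name -> set of accepted values ("Tag value is any of")

    def matches(self, entry):
        # Every criterion must hold; an entry lacking a required tag does not match.
        return all(entry.tags.get(tag) in values for tag, values in self.criteria.items())

def evaluate(entry, filters):
    """Return the action set of the first matching filter, or None if nothing matches (assumed ordering)."""
    for f in filters:
        if f.matches(entry):
            return f.action_set
    return None

# Filters following the article's recommendation: block only High-severity suspicious
# objects and monitor the rest. The more specific filter is listed first.
FILTERS = [
    ReputationFilter("Suspicious objects (High)", "Block+Notify",
                     {TAG_CATEGORY: {"Suspicious Object"}, TAG_SEVERITY: {"High"}}),
    ReputationFilter("Suspicious objects (monitor)", "Permit+Notify",
                     {TAG_CATEGORY: {"Suspicious Object"}}),
]

# Constructed sample entries (documentation addresses, not real indicators).
DDI_TAGS = {TAG_PUBLISHER: "Trend Micro Deep Discovery Inspector", TAG_SOURCE: "ddi-01.example"}
SAMPLE_ENTRIES = [
    ReputationEntry("198.51.100.23", {**DDI_TAGS, TAG_CATEGORY: "Suspicious Object", TAG_SEVERITY: "High"}),
    ReputationEntry("partner.example", {**DDI_TAGS, TAG_CATEGORY: "Suspicious Object", TAG_SEVERITY: "Medium"}),
    ReputationEntry("203.0.113.9", {"Reputation Feed": "third-party"}),  # entry from another feed
]

def evaluate_all(entries=SAMPLE_ENTRIES, filters=FILTERS):
    return {e.value: evaluate(e, filters) for e in entries}

if __name__ == "__main__":
    for value, action in evaluate_all().items():
        print(f"{value:20} -> {action}")
```

The Medium-severity entry is only notified on, which is the monitoring behaviour the article recommends for limiting the impact of a false positive.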
The security analyst or administrator can also check the triggered events in TippingPoint SMS via Event > Inspection Events > Reputation Events.
Events can also be reviewed directly from the TippingPoint network product's LSM console.