Configuring TippingPoint Security Management System (SMS) reputation filters to apply action across suspicious objects shared through Deep Discovery Inspector (DDI)

    • Updated: 10 Sep 2018
    • Product/Version: Deep Discovery Inspector 3.8, 5.0, 5.1; TippingPoint SMS 5.All
    • Platform: N/A
Summary

In the article Sharing suspicious objects with TippingPoint Security Management System (SMS) via Deep Discovery Inspector (DDI), we demonstrate how to share suspicious objects with TippingPoint Security Management System (SMS) via DDI.

Suspicious objects shared with TippingPoint SMS are stored in its reputation database as reputation entries, alongside the entries from other reputation feeds.

This article continues by describing how to configure reputation filters that apply Block, Permit, or Notify actions across an entire reputation group.

Details

After integrating DDI with TippingPoint SMS, DDI sends each suspicious object with the following optional information:

  • Trend Micro Severity: Severity of each suspicious object
  • Trend Micro Publisher: Trend Micro Deep Discovery Inspector
  • Trend Micro Source: Deep Discovery Inspector host name
  • Trend Micro Detection Category: Suspicious object

All suspicious objects are stored in the reputation database and searchable via Reputation Database > Search Entries.

TippingPoint SMS provides global vision and security policy control for large-scale deployments of all TippingPoint network security products.

To apply security actions to suspicious objects, create a reputation filter that associates an action set (e.g. Block and Notify) with them.

To create a reputation filter for suspicious objects:

  1. Under the TippingPoint SMS Profile menu, select Profile > Reputation / Geo. The Reputation Filter and Settings screen displays.

  2. In the Reputation Filters section, select New Reputation. The Create Reputation Filter screen displays.

    2.1 In the General Settings tab:

    • Enter a Name for the filter.
    • Configure the action set (e.g. Block+Notify) from the drop-down menu.

    2.2 On the Entry Selection Criteria tab, under Tag Criteria:

    • Select Trend Micro Detection Category, tick the Tag value is any of radio button, and select Suspicious Object as the tag value.

    Take note that a reputation filter with the Block+Notify action carries a risk if a legitimate entry is added to the suspicious object list.

    To avoid false positives and mitigate the potential business impact, it is recommended to apply the Block+Notify action to suspicious objects with High severity, or to configure the Permit+Notify action for initial monitoring.

    [Screenshot: applying the Block+Notify action on suspicious objects with High severity]

    2.3 Distribute the profile to the target devices by selecting Distribute after completing the configuration.
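As an added illustration (not Trend Micro's code or the SMS API), the following Python model shows how the tag criteria above select entries and how the recommended severity-gated action sets behave. The entry tags follow the Details section; the data model, first-match evaluation order and the DDI host name are assumptions.

```python
# Added example, not Trend Micro's code: a small model of how SMS reputation
# filters evaluate "Tag value is any of" criteria against DDI-shared entries.
# Tag names follow the article; the data model and matching order are assumptions.
from dataclasses import dataclass, field


@dataclass
class ReputationEntry:
    """A reputation database entry as shared by DDI (constructed sample)."""
    value: str                          # IP, domain or URL the entry describes
    tags: dict = field(default_factory=dict)


@dataclass
class ReputationFilter:
    """Tag Criteria mapped to an action set."""
    name: str
    action_set: str                     # e.g. "Block+Notify" or "Permit+Notify"
    criteria: dict                      # tag name -> accepted values ("Tag value is any of")

    def matches(self, entry):
        return all(entry.tags.get(tag) in values for tag, values in self.criteria.items())


def evaluate(entry, filters):
    """Return the action set of the first matching filter, or None when no filter hits."""
    for f in filters:
        if f.matches(entry):
            return f.action_set
    return None


# Filters mirroring the article's recommendation: block High-severity suspicious
# objects, and only monitor (Permit+Notify) the remaining ones.
RECOMMENDED_FILTERS = [
    ReputationFilter("DDI SO High", "Block+Notify",
                     {"Trend Micro Detection Category": {"Suspicious Object"},
                      "Trend Micro Severity": {"High"}}),
    ReputationFilter("DDI SO Monitor", "Permit+Notify",
                     {"Trend Micro Detection Category": {"Suspicious Object"}}),
]


def ddi_entry(value, severity):
    """Constructed sample entry carrying the optional tags DDI sends with each object."""
    return ReputationEntry(value, {
        "Trend Micro Detection Category": "Suspicious Object",
        "Trend Micro Severity": severity,
        "Trend Micro Publisher": "Trend Micro Deep Discovery Inspector",
        "Trend Micro Source": "ddi-01.example.internal",   # placeholder host name
    })


if __name__ == "__main__":
    for e in (ddi_entry("203.0.113.10", "High"), ddi_entry("malicious.example", "Medium")):
        print(e.value, "->", evaluate(e, RECOMMENDED_FILTERS))
```

Swapping the order of the two filters would make the monitoring filter shadow the blocking one, so filter order matters in this model as it does when reviewing an SMS profile.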

After the profile with a reputation filter for suspicious objects has been distributed to the target devices, any traffic matching an entry causes the TippingPoint device (here we used a TPS 2200T) to execute the corresponding action and block the traffic.

The security analyst or administrator can also check the triggered events in TippingPoint SMS via Event > Inspection Events > Reputation Events.

Events can also be reviewed directly from the LSM console of the TippingPoint network device.

Category:
Configure; SPEC
Solution Id:
1120974