
HP TippingPoint Security Management System SMS External Interface Guide

SMS Version 3.2


Abstract This document describes the HP TippingPoint Security Management System (SMS) external interface and associated API information. This document is intended for system administrators, technicians and maintenance personnel responsible for installing, configuring, and maintaining HP TippingPoint SMS appliances and associated devices.

Part number: TECHD-00000093 First edition: September 2010

Legal and notice information Copyright 2010 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided as is without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. TippingPoint, the TippingPoint logo, and Digital Vaccine are registered trademarks of Hewlett-Packard. All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation. Oracle is a registered U.S. trademark of Oracle Corporation, Redwood City, California. UNIX is a registered trademark of The Open Group.

Table of Contents

About This Documentation (page 1)
    Overview
    Target Audience
    Conventions
        Headings
        Typeface
        Cross References
        Messages
            Warning
            Caution
            Note
            Tip
        How To Tasks
    Product Documentation
    Customer Support
        Contact Information
            Telephone
            E-mail

Chapter 1. SMS Web Services API (page 7)
    Authentication
        Authentication Example
    API Definition
    API Usage
        Version
        Status
        Schema
        DataDictionary
        GetData
    SMS Schema Reference
        SMS v 3.1 Changes
            SMS Schema Changes
            MySQL Example
        SMS v 3.0 Changes
            SMS Schema Changes
            MySQL Example
        DataDictionary
            ACTIONSET Table
            ALERT_TYPE Table
            DEVICE Table
            POLICY Table
            PRODUCT_CATEGORY Table
            PROFILE Table
            QUARANTINE_NETWORK_DEVICES Table
            SEGMENT Table
            SEGMENT_GROUP Table
            VIRTUAL_SEGMENT Table
            SEVERITY Table
            SIGNATURE Table
            TAXONOMY_MAJOR Table
            TAXONOMY_MINOR Table
            TAXONOMY_PLATFORM Table
            TAXONOMY_PROTOCOL Table
            THRESHOLD_UNITS Table
        Events Data
            ALERTS Table
            DDOS_STATS Table
            FIREWALL_BLOCK_ALERTS Table
            FIREWALL_TRAFFIC_ALERTS Table
            QUARANTINE_HOSTS Table
            RATELIMIT_STATS Table
            THRESHOLD_STATS Table

Chapter 2. Active Response (page 29)
    Initiating an Active Response
    Explanation of Arguments
        IP address
        Response History ID
        Active Response Policy
        Active Response Timeout
        Authenticated User
    Use of This Interface

Chapter 3. Remote Profile Management (page 33)
    What's New
    Profile Import Authentication
        URL
        URL Example
        CURL
        CURL Example
    Traffic Management Filters
    Profile Export
        URL
        Method
        Export Examples
    Profile Import
        URL
        Method
        Import Examples
    Profile Distribution
        URL
        Method
        Distribution Examples

Chapter 4. Remote Administration Management (page 43)
    Remote Backups
        Backup Examples

Chapter 5. Reputation Management (page 45)
    What's New
    Import Reputation Entries
        Import Example
    Create Reputation Entries
        Create Example
    Delete Reputation Entries
        Delete Examples
    Reset Reputation Entries
    Reputation Import Rules
        Examples
            Example: File Rules
            Examples: Field Rules
            Examples: Address Rules
            Examples: Tags

Chapter 6. Packet Trace (page 55)
    What's New
    Device-Based Packet Trace
        Device-Based Packet Trace Example
    Events-Based Packet Trace
        Setting up Event-Based Packet Trace

Chapter 7. MIB Files for the SMS (page 57)
    Traps
    SMS MIB Files
    Monitoring
        SMS MIB Files
        Public MIB Files
    Health Monitoring

List of Tables

Table 1-1: Parameter Definitions (page 9)
Table 1-2: ACTIONSET Table Column Descriptions (page 15)
Table 1-3: ALERT_TYPE Table Column Descriptions (page 16)
Table 1-4: DEVICE Table Column Descriptions (page 16)
Table 1-5: POLICY Table Column Descriptions (page 17)
Table 1-6: PRODUCT_CATEGORY Table Column Descriptions (page 17)
Table 1-7: PROFILE Table Column Descriptions (page 18)
Table 1-8: QUARANTINE_NETWORK_DEVICES Table Column Descriptions (page 18)
Table 1-9: SEGMENT Table Column Descriptions (page 18)
Table 1-10: SEGMENT_GROUP Table Column Descriptions (page 19)
Table 1-11: VIRTUAL_SEGMENT Table Column Descriptions (page 19)
Table 1-12: SEVERITY Table Column Descriptions (page 19)
Table 1-13: SIGNATURE Table Column Descriptions (page 20)
Table 1-14: TAXONOMY_MAJOR Table Column Descriptions (page 20)
Table 1-15: TAXONOMY_MINOR Table Column Descriptions (page 21)
Table 1-16: TAXONOMY_PLATFORM Table Column Descriptions (page 21)
Table 1-17: TAXONOMY_PROTOCOL Table Column Descriptions (page 21)
Table 1-18: THRESHOLD_UNITS Table Column Descriptions (page 21)
Table 1-19: ALERTS Table Column Descriptions (page 22)
Table 1-20: DDOS_STATS Table Column Descriptions (page 24)
Table 1-21: FIREWALL_BLOCK_ALERTS Table Column Descriptions (page 25)
Table 1-22: FIREWALL_TRAFFIC_ALERTS Table Column Descriptions (page 26)
Table 1-23: QUARANTINE_HOSTS Table Column Descriptions (page 27)
Table 1-24: RATELIMIT_STATS Table Column Descriptions (page 27)
Table 1-25: THRESHOLD_STATS Table Column Descriptions (page 28)
Table 3-1: Traffic Management Filters: Required Parameters (page 35)
Table 3-2: Traffic Management Filters: Optional Parameters (page 35)
Table 3-3: Export Profile Parameter (page 36)
Table 3-4: SMB Location Parameters (page 36)
Table 3-5: NFS Location Parameters (page 37)
Table 3-6: Authentication Parameters (page 37)
Table 3-7: Import Profile Parameter (page 39)
Table 3-8: Authentication Parameters (page 39)
Table 3-9: Profile Distribution Parameters (page 41)
Table 3-10: Segment Group Target Parameters (page 41)
Table 3-11: Single Segment Target Parameters (page 41)
Table 3-12: Authentication Parameters (page 41)
Table 4-1: Remote Backup Parameters (page 44)
Table 5-1: Reputation Import Rules (page 48)
Table 7-1: SMS Health Section OIDs (page 67)

About This Documentation


Explains intended audience, where related information is located, and how to obtain customer support.
IMPORTANT! For the most current information, download the latest SMS documentation from the TippingPoint Threat Management Center (TMC).

1. Log in to the TippingPoint TMC (https://tmc.tippingpoint.com).
2. Select the Documentation tab and then choose Product Documentation.
3. Select the SMS Product Documentation folder and open the most recent version of the SMS documentation.

Overview
Welcome to the TippingPoint Security System documentation. This section includes the following items:
Target Audience on page 2
Conventions on page 2
Product Documentation on page 4
Customer Support on page 4

Target Audience
The intended audience includes technicians and maintenance personnel responsible for installing, configuring, and maintaining TippingPoint security systems and associated devices. Users should be familiar with networking concepts and the following standards and protocols:
TCP/IP
UDP
ICMP
Ethernet
Simple Network Time Protocol (SNTP)
Simple Mail Transport Protocol (SMTP)
Simple Network Management Protocol (SNMP)

Conventions
The TippingPoint documentation uses the following conventions for structuring information.

Headings
Each main section starts with a brief description of the information you can find in that section, which correlates with the major headings in that section. Each major heading corresponds to a task or concept that is important for you to understand. Headings are of a different size and type to make them easy to skim, whether you are viewing an online or print copy of this document.

Typeface
This document uses the following typeface conventions:
Bold: Used for the names of screen elements like buttons, drop-down lists, or fields. For example, when you are done with a dialog, you would click the OK button.
Code: Used for text a user must type to use the product.
Italic: Used for book titles, variables, and important terms.
Hyperlink: Used for Web site and cross reference links.

Cross References
When a topic is covered in depth elsewhere in this document, or in another document in this series, a cross reference to the other information is provided as follows:


Messages
Messages are emphasized by font, format, and icons. There are four types of messages in this document:
Warnings indicate how to avoid physical injury to people or equipment. For people, injury includes anything from temporary conditions, such as pain, to irreversible conditions such as death. For equipment, injury includes anything requiring repair. Warnings indicate what you should or should not do and the consequences of not heeding the warning.
Cautions indicate how to avoid a serious loss that stops short of physical damage, such as the loss of data, time, or security. Cautions indicate what you should or should not do to avoid such losses and the consequences of not heeding the caution.
Notes indicate information that might not be obvious or that does not relate directly to the current topic, but that may affect relevant behavior.
Tips are suggestions about how to perform a task more easily or more efficiently.

Warning
Warnings are represented by a red octagon with a white lightning bolt drawn inside. Warnings also start with the word WARNING and are presented in bold face type.
WARNING: Only trained and qualified personnel should install, replace, or service this equipment. Disconnect the system before servicing.

Caution
Cautions are represented by a yellow triangle icon with a black exclamation point drawn inside. Cautions also start with the word CAUTION.
CAUTION: Do not type del *.* from the root (C:\) directory. Typing del *.* from the root directory will destroy all the program and configuration data that your computer needs to run, and will render your system inoperable.

Note
A note has an icon represented by a piece of note paper and starts with the word Note.
Note: To view information about attacks, you must have Operator authority. To create or edit attack filters and related objects, you must have Super User or Administrator authority.

Tip
A tip is represented by a circle icon with a light bulb drawn inside and starts with the word Tip.
TIP: Setting the logging parameter to off or minimal will improve your system processing performance, but it will make debugging very difficult in the event of a system crash. During system integration, you can set logging to full to ease debugging. After you have finished testing, set logging to minimal to improve performance.

How To Tasks
This documentation contains step-by-step procedures that explain how to perform a specific task. These procedures begin with a phrase that describes the task and are followed by numbered steps that describe what to do to complete the task.

Product Documentation
TippingPoint Systems have a full set of documentation. For the most recent documentation updates, check the Threat Management Center (TMC) Web site at https://tmc.tippingpoint.com.

Customer Support
TippingPoint is committed to providing quality customer support to all of its customers. Each customer is provided with a customized support agreement that provides detailed customer and support contact information. For the most efficient resolution of your problem, gather some basic information from your records and from your system before contacting customer support, including your customer number. Have the following information available:
Information: Your customer number
Location: You can find this number on your Customer Support Agreement and on the shipping invoice that came with your TippingPoint system.

Information: Your SMS server serial number
Location: You can find this number on the bottom of the server chassis. Also, from the SMS CLI, you can run the key command.

Information: Your SMS version number
Location: You can find this information on the Dashboard in the Updates area. The Admin > General screen also displays the version number.

Contact Information
For additional information or assistance, contact TippingPoint Customer Support:

Telephone
North America: +1 866 681 8324
International: +1 512 681 8324
For a list of international toll-free contact numbers, consult one of the following web pages:
https://tmc.tippingpoint.com/TMC/Content/support/Support_Contacts
http://www.tippingpoint.com/support.html

E-mail
tippingpoint.support@hp.com

Chapter 1. SMS Web Services API

The information in this chapter details how to use the SMS Web services API with external databases.

Overview
This chapter provides an overview of the SMS Web Services for use with SMS V 3.0. Using the API, you can obtain data on SMS managed devices, defined policies, Digital Vaccines (for IPS devices), and policy notifications that are captured by the SMS. By default, SMS Web Services are always enabled for the SMS system. You may use a database for saving the data over a significant amount of time. This provides a means to capture historical data regarding your network. Using this API, third-party vendors can also integrate with their event correlation and security information management software. This chapter includes the following sections:
Authentication on page 7
API Usage on page 11
SMS Schema Reference on page 12

Authentication
You can enable Web authentication with the CLI command set pwd.web or through the SMS Client Preferences (see the TippingPoint Security Management System User's Guide). SMS Web authentication is based on the user accounts established for SMS Client access. Authentication is required by default. You can bypass authentication by clearing the pwd.web setting. This allows for access to Web services without a password.

Authentication Example
The following example details a basic HTTP authentication header:
GET /url_request HTTP/1.0
Request Method: GET
Connection: Keep-Alive
Host: 192.168.65.69
Authorization: Basic d2ViOmhlbGxv

API Definition
This section details the API definition for the servlet. The API uses a single servlet as the basis for all tasks. The servlet URL is in the following form:
http[s]://<sms_server>/dbAccess/tptDBServlet?<parameters>

Table 1-1: Parameter Definitions

Parameter: method
  Variable: Version
  Variable: Status
  Variable: Schema
    Sub-parameter database (optional): Oracle, MySQL (default). Only valid for sql format.
  Variable: DataDictionary
    Sub-parameter table (optional): Default is all variables. ACTIONSET, ALERT_TYPE, DEVICE, POLICY, PRODUCT_CATEGORY, PROFILE, QUARANTINE_NETWORK_DEVICES, SEGMENT, SEGMENT_GROUP, SEVERITY, SIGNATURE, TAXONOMY_MAJOR, TAXONOMY_MINOR, TAXONOMY_PLATFORM, TAXONOMY_PROTOCOL, THRESHOLD_UNITS, VIRTUAL_SEGMENT
    Sub-parameter format (optional): sql (default), csv, xml
    Sub-parameter mode (optional): insert (default), update, replace. Only valid for sql format. replace only works with MySQL.
  Variable: GetData
    Sub-parameter table: ALERTS, DDOS_STATS, FIREWALL_BLOCK_ALERTS, FIREWALL_TRAFFIC_ALERTS, QUARANTINE_HOSTS, QUARANTINE_NETWORK_DEVICES, RATELIMIT_STATS, THRESHOLD_STATS
    Sub-parameter begin_time: integer. Time is expressed as the number of milliseconds since 01-01-1970 00:00:00 GMT.
    Sub-parameter end_time: integer. Time is expressed as the number of milliseconds since 01-01-1970 00:00:00 GMT.
    Sub-parameter format (optional): csv (default), sql, xml
    Sub-parameter limit (optional): integer. This is the maximum number of values returned. By default, all values are returned.
  Variable: GetOldestRecord, GetNewestRecord
    Sub-parameter table: ALERTS, DDOS_STATS, FIREWALL_BLOCK_ALERTS, FIREWALL_TRAFFIC_ALERTS, QUARANTINE_HOSTS, RATELIMIT_STATS
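The Authentication Example and Table 1-1 together define everything a client needs to send: a Basic Authorization header and the servlet URL with method, table and millisecond time bounds. The following Python is an added example, not code from the guide or from HP; it builds both without sending anything. The host sms.example.internal and the credentials web/hello are placeholders (the guide's example token d2ViOmhlbGxv is the Base64 form of web:hello, which is why the header is only an encoding and needs https underneath it).

```python
"""Authenticated tptDBServlet request construction (added example, not from the guide)."""
import base64
from datetime import datetime, timezone
from typing import Dict, Tuple
from urllib.parse import urlencode

SMS_SERVER = "sms.example.internal"  # placeholder host, not a real SMS
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def basic_auth_header(user: str, password: str) -> str:
    """Value of an HTTP Basic Authorization header for user:password.

    Basic auth is base64 encoding, not encryption: the guide's example token
    d2ViOmhlbGxv is simply "web:hello", so the credential is readable on the
    wire unless the servlet is reached over https.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Split a Basic Authorization header value back into (user, password)."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credentials must be user:password")
    return user, password


def ms_since_epoch(dt: datetime) -> int:
    """begin_time/end_time unit: milliseconds since 01-01-1970 00:00:00 GMT."""
    if dt.tzinfo is None:
        # A naive datetime would be read in local time and silently shift the window.
        raise ValueError("timestamps for the servlet must be timezone-aware")
    delta = dt - EPOCH
    return delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000


def servlet_url(server: str, method: str, https: bool = True, **params) -> str:
    """Compose http[s]://<sms_server>/dbAccess/tptDBServlet?method=<method>&<parameters>."""
    query = {"method": method, **params}
    scheme = "https" if https else "http"
    return f"{scheme}://{server}/dbAccess/tptDBServlet?{urlencode(query)}"


def get_data_request(server: str, table: str, begin: datetime, end: datetime,
                     user: str, password: str) -> Tuple[str, Dict[str, str]]:
    """(url, headers) for a GetData call on one table and time window; nothing is sent."""
    url = servlet_url(server, "GetData", table=table,
                      begin_time=ms_since_epoch(begin), end_time=ms_since_epoch(end))
    headers = {"Authorization": basic_auth_header(user, password),
               "Connection": "Keep-Alive"}
    return url, headers


if __name__ == "__main__":
    begin = datetime(2006, 10, 30, tzinfo=timezone.utc)
    end = datetime(2006, 10, 31, tzinfo=timezone.utc)  # 1162252800000 ms, the value in the GetData example
    url, headers = get_data_request(SMS_SERVER, "ALERTS", begin, end, "web", "hello")
    print(url)
    print(headers["Authorization"])
```

The url/headers pair can be handed to any HTTP client; keeping the composition separate from the transport makes the time-unit and encoding behaviour testable offline. ms_since_epoch refuses naive datetimes on purpose, because the servlet interprets begin_time and end_time as GMT and a local-time value would shift the window without any error.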


API Usage
This section details the usage of the API:
Version on page 11
Status on page 11
Schema on page 11
DataDictionary on page 11
GetData on page 12

You use the API according to the following sequence:

STEP 1 Use the Schema method to retrieve the schema definition. Apply the returned data to the database.
STEP 2 Use the DataDictionary method to retrieve supporting data. Apply the returned data to the database. You may repeat this step as needed, such as when creating new profiles and activating a new Digital Vaccine (for IPS devices).
STEP 3 Continuously use the GetData method, importing the data (events data) into the database.
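Step 3 is a polling loop, and consecutive GetData windows should overlap at the boundary rather than risk a gap, which means the importer will see some rows twice. The ALERTS table's unique key, the four-column index DEVICE_ID, ALERT_TYPE_ID, SEQUENCE_NUM and END_TIME described under ALERTS Table, is what lets it drop the repeats. The following Python is an added example, not code from the guide: the CSV batches are constructed, a header row with those column names is assumed (the guide does not show the servlet's CSV layout), and the POLICY_ID value is reused from the MySQL example. Which timestamp column the servlet compares begin_time and end_time against is not stated here, so the next window deliberately restarts at the last END_TIME seen and relies on the key for de-duplication.

```python
"""Incremental GetData ingestion with de-duplication on the ALERTS unique key (added example)."""
import csv
import io
from typing import Tuple

# Unique key of the ALERTS table as documented: a four-column index.
ALERTS_KEY = ("DEVICE_ID", "ALERT_TYPE_ID", "SEQUENCE_NUM", "END_TIME")

POLICY = "00000002-0002-0002-0002-000000000534"  # POLICY_ID value from the guide's MySQL output

# Constructed sample batches (not real servlet output); a header row is assumed.
BATCH_1 = (
    "DEVICE_ID,ALERT_TYPE_ID,SEQUENCE_NUM,BEGIN_TIME,END_TIME,POLICY_ID\n"
    f"1,2,1001,1162252740000,1162252745000,{POLICY}\n"
    f"1,2,1002,1162252750000,1162252755000,{POLICY}\n"
    f"2,1,77,1162252751000,1162252755000,{POLICY}\n"
)
BATCH_2 = (
    "DEVICE_ID,ALERT_TYPE_ID,SEQUENCE_NUM,BEGIN_TIME,END_TIME,POLICY_ID\n"
    # Same row as the last one above: the window restarted at the last END_TIME.
    f"2,1,77,1162252751000,1162252755000,{POLICY}\n"
    f"2,1,78,1162252756000,1162252760000,{POLICY}\n"
)


class AlertsIngester:
    """Consumes successive GetData CSV batches and stores only rows not seen before."""

    def __init__(self) -> None:
        self.seen = set()        # unique keys already stored
        self.rows = []           # accepted rows in arrival order (stand-in for the database)
        self.last_end_time = 0   # highest END_TIME stored so far, ms since epoch

    def ingest(self, csv_text: str) -> int:
        """Parse one CSV batch; return how many new rows were accepted."""
        accepted = 0
        for row in csv.DictReader(io.StringIO(csv_text)):
            key = tuple(row[col] for col in ALERTS_KEY)
            if key in self.seen:
                continue  # duplicate delivered by the overlapping window
            self.seen.add(key)
            self.rows.append(row)
            self.last_end_time = max(self.last_end_time, int(row["END_TIME"]))
            accepted += 1
        return accepted

    def next_window(self, now_ms: int) -> Tuple[int, int]:
        """(begin_time, end_time) for the next poll.

        Restarting at last_end_time rather than last_end_time + 1 keeps any
        other alert that shares that END_TIME but was not yet returned.
        """
        return self.last_end_time, now_ms


def run_demo() -> Tuple[int, int, int]:
    """Feed both constructed batches; return (accepted_1, accepted_2, last_end_time)."""
    ingester = AlertsIngester()
    first = ingester.ingest(BATCH_1)
    second = ingester.ingest(BATCH_2)
    return first, second, ingester.last_end_time


if __name__ == "__main__":
    print(run_demo())  # the second batch contributes only its one new row
```

In a real importer the `seen` set would be the database's own unique index (a duplicate INSERT simply fails or is ignored), and the `limit` parameter from Table 1-1 bounds each batch; the window logic stays the same.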

Version
Example: http[s]://<sms_server>/dbAccess/tptDBServlet?method=Version
Output: X.X (current version number of the API)
Extra: Returns the current interface version number.

Status
Example: http[s]://<sms_server>/dbAccess/tptDBServlet?method=Status
Output: OK if Web services are up and running. If Web services are not enabled, the response is "page not found" when the Web server is enabled; otherwise a network timeout occurs, because no service is listening.
Extra: Use this method to test whether Web services support is enabled and running.

Schema
Example: http[s]://<sms_server>/dbAccess/tptDBServlet?method=Schema
Output: format=sql : Oracle 8i or MySQL 4.0 compliant DDL statements.

DataDictionary
Example: http[s]://<sms_server>/dbAccess/tptDBServlet?method=DataDictionary[&format=<format>]
Output:
format=sql : SQL '92 compliant DML statements. (default)
format=csv : A comma delimited file listing of the table data.
format=xml : XML for each of the tables.

GetData
Example: http[s]://<sms_server>/dbAccess/tptDBServlet?method=GetData&table=ALERTS&begin_time=1&end_time=1162252800000[&format=<format>]
Example: http[s]://<sms_server>/dbAccess/tptDBServlet?method=GetData&table=THRESHOLD_STATS&begin_time=1&end_time=1162252800000[&format=<format>]
Example: http[s]://<sms_server>/dbAccess/tptDBServlet?method=GetData&table=RATELIMIT_STATS&begin_time=1&end_time=1162252800000[&format=<format>]
Output:
format=csv : A comma delimited file listing of the table data. (default)
format=sql : SQL '92 compliant DML insert statements.
format=xml : XML output of the table data.

SMS Schema Reference


This section details the table and column relationships as defined by the SMS external database schema. The schema has referential integrity constraints, as well as unique and foreign keys. Unique keys are specified to constrain the table to only one specific entry of that type. This ensures the uniqueness of each entry in that table. The exception is the ALERTS table, which uses a multi-column unique index; that explanation is provided in the table section. Foreign keys are used to enforce a binding between tables that have a relation. Foreign keys are labeled with a (FK) symbol and have a dotted line between that column and the table in which it is constrained to have a matching entry. This section has the following topics:
SMS v 3.1 Changes on page 12
SMS v 3.0 Changes on page 14
DataDictionary on page 15
Events Data on page 22

SMS v 3.1 Changes


SMS Packet Trace Changes

SMS Schema Changes


ALERTS table: Four columns were added. These changes allow for packet trace access. See ALERTS Table on page 22.
PACKET_TRACE int unsigned not null;
DEVICE_TRACE_BUCKET int unsigned not null;
DEVICE_TRACE_BEGIN_SEQ int unsigned not null;
DEVICE_TRACE_END_SEQ int unsigned not null;

Existing databases can be altered to accommodate these changes.

MySQL Example
alter table ALERTS add column PACKET_TRACE int unsigned not null;
alter table ALERTS add column DEVICE_TRACE_BUCKET int unsigned not null;
alter table ALERTS add column DEVICE_TRACE_BEGIN_SEQ int unsigned not null;
alter table ALERTS add column DEVICE_TRACE_END_SEQ int unsigned not null;

The following SQL example retrieves all block alerts containing packet traces for a one-minute time period.

Statement
mysql> select ip_address, policy_id, device_trace_bucket, device_trace_begin_seq, device_trace_end_seq
    from ALERTS a, DEVICE d
    where alert_type_id = 2 and packet_trace = 1
    and a.device_short_id = d.short_id
    and begin_time > unix_timestamp('2009-06-25 16:53:00')*1000
    and end_time < unix_timestamp('2009-06-25 16:54:00')*1000;

Output
+----------------+--------------------------------------+--------------------+------------------------+----------------------+
| IP_ADDRESS | POLICY_ID | DEVICE_TRACE_BUCKET |DEVICE_TRACE_BEGIN_SEQ | DEVICE_TRACE_END_SEQ |
+----------------+--------------------------------------+--------------------+------------------------+----------------------+
| 192.168.66.106 | 00000002-0002-0002-0002-000000000534 | 41309 | 3262 | 3262 |
+----------------+--------------------------------------+--------------------+------------------------+----------------------+
1 row in set (0.06 sec)

SMS v 3.0 Changes


SMS Schema Changes
ALERTS table: Two columns were added. These changes allow IPv6 addresses to be stored; two columns are used to hold these large addresses. See ALERTS Table on page 22.
    SRC_IP_ADDR_HIGH
    DST_IP_ADDR_HIGH
SEGMENT table: Columns that store IP addresses as strings have increased in size.
QUARANTINE_NETWORK_DEVICES table: Columns that store IP addresses as strings have increased in size.
QUARANTINE_HOSTS table: Columns that store IP addresses as strings have increased in size.
VIRTUAL_SEGMENT table: A new column was added. See VIRTUAL_SEGMENT Table on page 19.
    SEGMENT_GROUP_ID
DEVICE table: A new column was added. See DEVICE Table on page 16.
    DEVICE_GROUP
SEGMENT_GROUP table: A new table was added. See SEGMENT_GROUP Table on page 19.
Existing databases can be altered to accommodate these changes.

MySQL Example
alter table ALERTS modify column SRC_IP_ADDR bigint signed not null;
alter table ALERTS modify column DST_IP_ADDR bigint signed not null;
alter table ALERTS add column SRC_IP_ADDR_HIGH bigint;
alter table ALERTS add column DST_IP_ADDR_HIGH bigint;
alter table SEGMENT modify column IP_ADDRESS char(50);
alter table QUARANTINE_NETWORK_DEVICES modify column IP_ADDRESS char(50) not null;
alter table QUARANTINE_HOSTS modify column QUARANTINED_IP char(50);
alter table DEVICE add column DEVICE_GROUP char(50);
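After the v3.0 change each source or destination address lives in a pair of signed bigint columns (SRC_IP_ADDR with SRC_IP_ADDR_HIGH, DST_IP_ADDR with DST_IP_ADDR_HIGH), so a consumer that reports on ALERTS rows has to split and rejoin 128-bit values around MySQL's signed 64-bit range. The following Python is an added example, not code from the guide or from HP. It assumes a layout the guide does not spell out: the *_HIGH column carries the upper 64 bits, the original column the lower 64 bits, both as two's-complement signed values, and *_HIGH is NULL for IPv4 rows. Confirm that against a few known rows in your own database before using it for reporting.

```python
"""Map IP addresses to and from the ALERTS bigint column pair (added example, not from the guide)."""
import ipaddress
from typing import Optional, Tuple, Union

MASK64 = (1 << 64) - 1


def to_signed64(value: int) -> int:
    """Reinterpret an unsigned 64-bit quantity as MySQL 'bigint signed' (two's complement)."""
    return value - (1 << 64) if value >= (1 << 63) else value


def to_unsigned64(value: int) -> int:
    """Inverse of to_signed64; Python's & on a negative int yields the two's-complement bits."""
    return value & MASK64


def split_ip(text: str) -> Tuple[int, Optional[int]]:
    """Return (low, high) for the *_IP_ADDR and *_IP_ADDR_HIGH columns.

    Assumed layout (not stated in the guide): IPv4 goes into the low column with
    HIGH left NULL (None); IPv6 is split into its lower and upper 64 bits, each
    stored as a signed bigint.
    """
    ip = ipaddress.ip_address(text)
    n = int(ip)
    if ip.version == 4:
        return n, None
    return to_signed64(n & MASK64), to_signed64(n >> 64)


def join_ip(low: int, high: Optional[int]) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Rebuild the address from the two column values read back from the database."""
    if high is None:
        return ipaddress.IPv4Address(low)
    return ipaddress.IPv6Address((to_unsigned64(high) << 64) | to_unsigned64(low))


def check_roundtrip(text: str) -> bool:
    """True when split_ip followed by join_ip reproduces the address."""
    return join_ip(*split_ip(text)) == ipaddress.ip_address(text)


if __name__ == "__main__":
    # The IPv4 sample is the address from the guide's MySQL output; the IPv6 ones are constructed.
    for sample in ("192.168.66.106", "fe80::1", "2001:db8::ff00:42:8329"):
        low, high = split_ip(sample)
        print(f"{sample:>24} -> SRC_IP_ADDR={low} SRC_IP_ADDR_HIGH={high} roundtrip={check_roundtrip(sample)}")
```

The sign handling is the part that bites in practice: any IPv6 address whose upper or lower half has its top bit set (fe80::/10 link-local addresses, for example) comes back from a signed bigint as a negative number, and naive string formatting of that value produces garbage until it is masked back to 64 bits.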

DataDictionary
See the following sections for more information on the tables in the database:
ACTIONSET Table on page 15
ALERT_TYPE Table on page 16
DEVICE Table on page 16
POLICY Table on page 17
PRODUCT_CATEGORY Table on page 17
PROFILE Table on page 17
QUARANTINE_NETWORK_DEVICES Table on page 18
SEGMENT Table on page 18
SEGMENT_GROUP Table on page 19
VIRTUAL_SEGMENT Table on page 19
SEVERITY Table on page 19
SIGNATURE Table on page 20
TAXONOMY_MAJOR Table on page 20
TAXONOMY_MINOR Table on page 21
TAXONOMY_PLATFORM Table on page 21
TAXONOMY_PROTOCOL Table on page 21
THRESHOLD_UNITS Table on page 21

ACTIONSET Table
An ACTIONSET record is one defined by the user and applied to a POLICY. The ACTIONSET has a descriptive name that can help determine the action that is taken when a POLICY is triggered. For RATELIMIT ACTIONSETs, the RATE column has a value specifying the RATE to be applied. This table is not expected to grow by many entries. It is a relatively small table.
Table 1-2: ACTIONSET Table Column Descriptions
ID: Unique identifier for the record entry. Use this column to join from other tables.
NAME: A descriptive name for the ACTIONSET.
RATE: The RATELIMIT value applied to this ACTIONSET.
FLOW_CONTROL: Traffic flow indicator (ALLOW, DENY).

ALERT_TYPE Table
A simple table that gives descriptive names for ALERTS. The table should not grow, but may have new types added in future releases.
Table 1-3: ALERT_TYPE Table Column Descriptions
ID: Unique identifier for this record.
NAME: A descriptive name for the entry.

DEVICE Table
An IPS entry. This table contains a record for each of the IPSs being managed. This table is not expected to grow by many entries. It is a relatively small table.
Table 1-4: DEVICE Table Column Descriptions
ID: Unique identifier for the table entry.
NAME: A descriptive name for the device provided by the end user during device installation.
MODEL: A string that represents the IPS model.
IP_ADDRESS: The IP address for the management port of this IPS.
LOCATION: A descriptive location text entered by the user during device installation.
DV_VERSION: The current version of the Digital Vaccine installed on the IPS. If the device is a Core Controller, this field is null.
OS_VERSION: The current version of the TippingPoint Operating System installed on the IPS.
DEVICE_GROUP: The name of the group that the device belongs to.

POLICY Table
The POLICY table holds objects that are set up by the end user to determine what actions to take and what behavior to apply when a SIGNATURE triggers. This table is expected to grow based on the number of changes made to the PROFILE table entries. It is a relatively small table.
Table 1-5: POLICY Table Column Descriptions
ID: Unique identifier for the table entry.
PROFILE_ID: Identifier of the PROFILE object that contained this POLICY.
SIGNATURE_ID: Identifier of the SIGNATURE for which this object defines a POLICY.
ACTIONSET_ID: Identifier for the ACTIONSET applied to this object.
NAME: A descriptive name for the POLICY. This is usually the same as the SIGNATURE referenced by SIGNATURE_ID. However, THRESHOLDS allow the user to name the POLICY.

PRODUCT_CATEGORY Table
The PRODUCT_CATEGORY table maintains the names used for SIGNATURE categories. The SIGNATURE table contains a number that is joined to the ID field in this PRODUCT_CATEGORY table. The NAME field is the descriptive text for the PRODUCT_CATEGORY.
Table 1-6: PRODUCT_CATEGORY Table Column Descriptions
ID: Unique identifier for the record entry. Use this column to join from other tables.
NAME: A descriptive name for the PRODUCT_CATEGORY.

PROFILE Table
The PROFILE is a container for your POLICY entries. You are able to name the PROFILE, make changes to the POLICY objects, and then distribute to a segment group.


The table size depends on the number of PROFILEs you create in your SMS. It is a relatively small table.
Table 1-7: PROFILE Table Column Descriptions
ID: Unique identifier for the table entry.
VERSION: The current version of the PROFILE.
NAME: A descriptive name provided by the end user.
DESCRIPTION: A description of the PROFILE provided by the user.

QUARANTINE_NETWORK_DEVICES Table
The QUARANTINE_NETWORK_DEVICES table contains the defined quarantine switches.
Table 1-8: QUARANTINE_NETWORK_DEVICES Table Column Descriptions
NAME: The descriptive name for the network device switch type.
IP_ADDRESS: The IP address for the switch.

SEGMENT Table
A SEGMENT record represents a physical SEGMENT on a DEVICE. It is a relatively small table and is only expected to grow when new IPS devices are added to your network.
Table 1-9: SEGMENT Table Column Descriptions
ID: Unique identifier for this record entry.
DEVICE_ID: The DEVICE which this SEGMENT belongs to.
NAME: A descriptive name entered by the end user.
IP_ADDRESS: OBSOLETE. IP address that may be given to this SEGMENT. This value was used in Discovery services, which have been removed from the product.
SLOT_INDEX: The internal chassis slot number. This number is always 3 for physical segments and 0 for virtual segments.
SEGMENT_INDEX: For physical segments, the physical segment number. For virtual segments, this number is 0.

SEGMENT_GROUP Table
A SEGMENT_GROUP record represents a group of physical SEGMENTS. It is a relatively small table and is only expected to grow when new IPS devices are added to your network.
Table 1-10: SEGMENT_GROUP Table Column Descriptions
ID: Unique identifier for this record entry.
NAME: A descriptive name for the SEGMENT GROUP provided by the end user during group creation.

VIRTUAL_SEGMENT Table
A VIRTUAL_SEGMENT record represents a virtual SEGMENT defined on a DEVICE. It is a relatively small table and is only expected to grow when new IPS devices are added to your network.
Table 1-11: VIRTUAL_SEGMENT Table Column Descriptions
ID: Unique identifier for this record entry.
DEVICE_ID: The DEVICE which this SEGMENT belongs to.
SEGMENT_GROUP_ID: The SEGMENT GROUP which this SEGMENT belongs to.
NAME: A descriptive name entered by the end user.

SEVERITY Table
A static table used to provide descriptive text for SEVERITY fields.
Table 1-12: SEVERITY Table Column Descriptions
ID: Unique identifier for this entry.
NAME: A descriptive text for the SEVERITY.

SIGNATURE Table
This table contains descriptive details of the currently active Digital Vaccine package on your SMS for use with IPS devices. The table grows as new Digital Vaccines are released, downloaded, and activated.
Table 1-13: SIGNATURE Table Column Descriptions
ID: Unique identifier for this entry.
NUM: The integer number used to reference this SIGNATURE. The number is assigned by TippingPoint.
SEVERITY: The identifier for the SEVERITY of this SIGNATURE. Join to SEVERITY.ID to obtain a descriptive name of the SEVERITY.
NAME: A name given to the SIGNATURE by TippingPoint.
CLASS: Descriptive classification for the SIGNATURE.
PRODUCT_CATEGORY_ID: The category ID from the PRODUCT_CATEGORY table, provided by TippingPoint.
PROTOCOL: A well known PROTOCOL that this SIGNATURE is part of.
TAXONOMY_ID: The TAXONOMY classification.
CVE_ID: A comma separated list of CVE IDs that can be used to link to the CVE database. See: http://www.cve.mitre.org/
BUGTRAQ_ID: A comma separated list of BugTraq IDs that can be used to link to the BugTraq database. See: http://www.securityfocus.com
DESCRIPTION: A descriptive text detailing this SIGNATURE. This text is informative information provided by TippingPoint.
MESSAGE: A message that can be filled in with ALERTS.MESSAGE_PARMS values to create a dynamic message for this SIGNATURE.

TAXONOMY_MAJOR Table
This table describe the TippingPoint signature taxonomy major classifications. See the TippingPoint Event Taxonomy document For Taxonomy specifics.
Table 1-14: TAXONOMY_MAJOR Table Column Descriptions

  ID           Unique identifier for this entry
  NAME         A short name for the TAXONOMY_MAJOR entry
  DESCRIPTION  Descriptive text for the TAXONOMY_MAJOR entry


TAXONOMY_MINOR Table
This table describes the TippingPoint signature taxonomy minor classifications.
Table 1-15: TAXONOMY_MINOR Table Column Descriptions

  ID           Unique identifier for this entry
  MAJOR_ID     Identifier of the major classification this minor classification relates to
  DESCRIPTION  Descriptive text for the TAXONOMY_MINOR entry

TAXONOMY_PLATFORM Table
This table details the TippingPoint signature platforms.
Table 1-16: TAXONOMY_PLATFORM Table Column Descriptions

  ID           Unique identifier for this entry
  DESCRIPTION  Descriptive text for the TAXONOMY_PLATFORM entry

TAXONOMY_PROTOCOL Table
This table details the TippingPoint signature protocols.
Table 1-17: TAXONOMY_PROTOCOL Table Column Descriptions

  ID           Unique identifier for this entry
  DESCRIPTION  Descriptive text for the TAXONOMY_PROTOCOL entry

THRESHOLD_UNITS Table
A table that defines the UNITS in which THRESHOLDS can be specified. This table is not expected to grow and has very few records.
Table 1-18: THRESHOLD_UNITS Table Column Descriptions

  ID    Unique identifier for this entry
  NAME  A descriptive name for this UNIT entry


Events Data
The following dynamic Events Data tables are used with the GetData variable:

  ALERTS Table on page 22
  DDOS_STATS Table on page 24
  FIREWALL_BLOCK_ALERTS Table on page 25
  FIREWALL_TRAFFIC_ALERTS Table on page 26
  QUARANTINE_HOSTS Table on page 27
  RATELIMIT_STATS Table on page 27
  THRESHOLD_STATS Table on page 28

ALERTS Table
The ALERTS table contains information pertaining to the event that caused a POLICY to trigger. When an ACTIONSET applied to a POLICY has a Management Console notification selected, the event is put in the ALERTS table. The primary key, a unique key, is a four-column index: DEVICE_ID, ALERT_TYPE_ID, SEQUENCE_NUM, and END_TIME. The table is expected to have a continuous growth pattern and contain millions of records. The data is retrieved via the parameters method=GetData&table=ALERTS. The following table lists the table columns:
Table 1-19: ALERTS Table Column Descriptions

  SEQUENCE_NUM            Part of the ALERTS table unique index. It is a reference to a particular log's row entry counter; the ALERT_TYPE_ID column identifies the log being referenced. Note: this sequence number cannot be relied on to behave as an ever-increasing sequential number. It can be reset on the IPS and repeat for new events.
  DEVICE_ID               The identifier for the DEVICE entry that sent the notification. It is the second part of the ALERTS table unique index. A foreign key to the DEVICE table was left off for performance reasons and because a DEVICE entry may not yet have been stored in the DEVICE table of this external database.
  ALERT_TYPE_ID           The third column of the ALERTS unique index. Join to the ALERT_TYPE table for a descriptive name of this value.
  POLICY_ID               Identifier used to map this alert to a POLICY table entry.
  SIGNATURE_ID            Identifier used to map this alert to a SIGNATURE table entry.
  BEGIN_TIME              The time at which the event first started. When notification aggregation is used, this value and END_TIME typically differ by the number of minutes specified in the aggregation setting. When aggregation is turned off, BEGIN_TIME is usually the same as END_TIME. Milliseconds since Jan. 1, 1970 00:00:00 GMT.
  END_TIME                The time at which the notification was sent to the Management Console. Subtracting BEGIN_TIME from END_TIME gives the length of an attack if aggregation is being used. Milliseconds since Jan. 1, 1970 00:00:00 GMT. Note: this is the column compared against the begin_time and end_time parameters of the GetData method.
  HIT_COUNT               The number of times the event triggered before the notification was sent to the Management Console.
  SRC_IP_ADDR             Source IP of the packet causing the notification. Numeric value of an IPv4 address, or the low-order 64 bits of an IPv6 address if SRC_IP_ADDR_HIGH is not NULL.
  SRC_IP_ADDR_HIGH        Source IP of the packet causing the notification: numeric value of the high-order 64 bits of an IPv6 address (NULL for IPv4).
  SRC_PORT                Source port of the packet causing the notification.
  DST_IP_ADDR             Destination IP of the packet causing the notification. Numeric value of an IPv4 address, or the low-order 64 bits of an IPv6 address if DST_IP_ADDR_HIGH is not NULL.
  DST_IP_ADDR_HIGH        Destination IP of the packet causing the notification: numeric value of the high-order 64 bits of an IPv6 address (NULL for IPv4).
  DST_PORT                Destination port of the packet causing the notification.
  VIRTUAL_SEGMENT_INDEX   The identifier of the device (IPS) segment on which this alert was seen.
  PHYSICAL_PORT_IN        The device port on which the event was detected.
  VLAN_TAG                The VLAN identifier contained in the event.
  SEVERITY                The SEVERITY of the event. Usually corresponds to the SIGNATURE.SEVERITY column, joined via SIGNATURE_ID. A foreign key constraint to the SEVERITY table is applied here.
  PACKET_TRACE            Indicates whether a packet trace is available on the device.
  DEVICE_TRACE_BUCKET     Part of the device packet trace identifier.
  DEVICE_TRACE_BEGIN_SEQ  Part of the device packet trace identifier.
  DEVICE_TRACE_END_SEQ    Part of the device packet trace identifier.


Table 1-19: ALERTS Table Column Descriptions (Continued)

  MESSAGE_PARMS  A variable list of message parameters. This value can be tokenized and combined with the SIGNATURE.MESSAGE data to display a dynamic ALERT message. Join SIGNATURE_ID with SIGNATURE.ID to retrieve the SIGNATURE.MESSAGE data. MESSAGE_PARMS is a delimited string; the delimiter is the | character. The SIGNATURE.MESSAGE string contains the placeholders %1, %2, ... %n, and the tokenized MESSAGE_PARMS values replace the %n placeholders according to their position in the string.

Example:

  MESSAGE_PARMS=Steve|TippingPoint|developer
  SIGNATURE.MESSAGE=Hello, my name is %1. I am a %3 at %2.

Combining these two gives:

  Hello, my name is Steve. I am a developer at TippingPoint.
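The decoding steps described for the ALERTS columns (the split IPv4/IPv6 address columns, the epoch-millisecond timestamps, the four-column unique key, and the MESSAGE_PARMS/%n substitution), carried through in Python as an added example; this is not code from the guide or from HP. The rows and the signature record are constructed for the example, and no assumption is made about the GetData output format: the functions take rows that have already been loaded as dictionaries keyed by column name.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample data, not real SMS output. Column names follow the
# ALERTS and SIGNATURE tables; the values are made up for this example.
SIGNATURES = {
    1234: {"NAME": "Example signature", "SEVERITY": 3,
           "MESSAGE": "Hello, my name is %1. I am a %3 at %2."},
}
ALERTS = [
    {"DEVICE_ID": 7, "ALERT_TYPE_ID": 1, "SEQUENCE_NUM": 42,
     "SIGNATURE_ID": 1234, "POLICY_ID": 55, "HIT_COUNT": 12,
     "BEGIN_TIME": 1283990400000, "END_TIME": 1283990700000,
     "SRC_IP_ADDR": 3232235777, "SRC_IP_ADDR_HIGH": None,        # 192.168.1.1
     "DST_IP_ADDR": 1, "DST_IP_ADDR_HIGH": 0x20010DB800000000,   # 2001:db8::1
     "SRC_PORT": 51515, "DST_PORT": 80,
     "MESSAGE_PARMS": "Steve|TippingPoint|developer"},
]

_PLACEHOLDER = re.compile(r"%(\d+)")


def alert_key(row):
    """The unique key of an ALERTS row. SEQUENCE_NUM alone is not a safe
    de-duplication key because the IPS can reset it, so END_TIME is part of it."""
    return (row["DEVICE_ID"], row["ALERT_TYPE_ID"], row["SEQUENCE_NUM"], row["END_TIME"])


def to_ip(low, high):
    """Rebuild a printable address from the *_IP_ADDR / *_IP_ADDR_HIGH pair:
    IPv4 when the HIGH column is NULL, otherwise IPv6 from the two 64-bit halves."""
    if high is None:
        return str(ipaddress.IPv4Address(low))
    return str(ipaddress.IPv6Address((high << 64) | (low & 0xFFFFFFFFFFFFFFFF)))


def ms_to_utc(ms):
    """BEGIN_TIME/END_TIME are milliseconds since 1970-01-01 00:00:00 GMT."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def render_message(template, parms):
    """Substitute the '|'-delimited MESSAGE_PARMS into the %1..%n placeholders of
    SIGNATURE.MESSAGE in a single pass (so %1 never clobbers %10). Placeholders
    with no matching parameter are left untouched."""
    tokens = parms.split("|") if parms else []

    def fill(match):
        i = int(match.group(1))
        return tokens[i - 1] if 1 <= i <= len(tokens) else match.group(0)

    return _PLACEHOLDER.sub(fill, template)


def decode_alert(row, signatures=SIGNATURES):
    """Turn one raw ALERTS row into an analyst-readable record."""
    sig = signatures.get(row["SIGNATURE_ID"], {})
    begin, end = ms_to_utc(row["BEGIN_TIME"]), ms_to_utc(row["END_TIME"])
    return {
        "key": alert_key(row),
        "signature": sig.get("NAME") or "signature %d" % row["SIGNATURE_ID"],
        "src_ip": to_ip(row["SRC_IP_ADDR"], row["SRC_IP_ADDR_HIGH"]),
        "src_port": row["SRC_PORT"],
        "dst_ip": to_ip(row["DST_IP_ADDR"], row["DST_IP_ADDR_HIGH"]),
        "dst_port": row["DST_PORT"],
        "end_time": end.isoformat(),
        "duration_s": (end - begin).total_seconds(),  # only meaningful with aggregation on
        "hits": row["HIT_COUNT"],
        "message": render_message(sig.get("MESSAGE", ""), row.get("MESSAGE_PARMS", "")),
    }


if __name__ == "__main__":
    for alert in ALERTS:
        print(decode_alert(alert))
```

The low/high split matters when exporting to another store: an IPv6 low half can exceed the signed 64-bit range some databases use for the column, so mask it as shown before recombining.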

DDOS_STATS Table
When using advanced DDOS policies, this data is accumulated from the DEVICE. If you are using advanced DDOS, this table is expected to have a continuous growth pattern and contain millions of records. The data is retrieved via the parameters, method=GetData&table=DDOS_STATS.
Table 1-20: DDOS_STATS Table Column Descriptions

  POLICY_ID              Identifier of the POLICY that was created to produce this DDOS data
  STAT_TIME              The time the data was collected, in milliseconds since Jan. 1, 1970 00:00:00 GMT
  REJECT_SYNS            Number of rejected SYN requests for the stat period
  PROXIED_CXNS           Number of proxied connections for the stat period
  CPS_CXNS               Number of connections per second over the stat period
  BLOCKED_CPS_CXNS       Number of blocked CPS connections in the stat period
  CFLOOD_CXNS            Number of Connection Flood connections in the stat period
  BLOCKED_CFLOOD_CXNS    Number of blocked Connection Flood connections in the stat period


FIREWALL_BLOCK_ALERTS Table
The FIREWALL_BLOCK_ALERTS table contains information pertaining to events where traffic has been blocked by firewall rules that have logging enabled, including packets that were blocked by the content filtering configuration. The data is retrieved via the parameters method=GetData&table=FIREWALL_BLOCK_ALERTS.
Table 1-21: FIREWALL_BLOCK_ALERTS Table Column Descriptions

  SEQUENCE_NUM      A reference to a particular log's row entry counter.
  DEVICE_ID         The identifier for the DEVICE entry that sent the notification.
  BEGIN_TIME        The time at which the event first started. When notification aggregation is used, this value and END_TIME typically differ by the number of minutes specified in the aggregation setting. When aggregation is turned off, BEGIN_TIME is usually the same as END_TIME. Milliseconds since Jan. 1, 1970 00:00:00 GMT.
  END_TIME          The time at which the notification was sent to the Management Console. Subtracting BEGIN_TIME from END_TIME gives the length of an attack if aggregation is being used. Milliseconds since Jan. 1, 1970 00:00:00 GMT.
  HIT_COUNT         The number of times the firewall rule was applied.
  SRC_IP_ADDR       Source IP of the packet causing the notification.
  SRC_PORT          Source port of the packet causing the notification.
  DST_IP_ADDR       Destination IP of the packet causing the notification.
  DST_PORT          Destination port of the packet causing the notification.
  RULE_ID           Unique identifier of the rule that monitors traffic between security zones.
  PROTOCOL_NAME     The packet type.
  PROTOCOL_NUMBER   The number associated with the protocol in the filter.
  PROTOCOL_TYPE     The protocol that was used to respond to the event.
  IN_ZONE_ID        The security zone from which the attack originated.
  OUT_ZONE_ID       The security zone at which the attack was targeted.
  PHYSICAL_PORT_IN  The device port on which the attack was detected.
  VLAN              The local VLAN that was targeted.
  CATEGORY          The type of traffic filter that was activated.
  URL               The URL associated with the attack, if applicable.
  URL_INFO          Additional information relevant to the URL.
  SEVERITY_ID       The severity of the attack.

FIREWALL_TRAFFIC_ALERTS Table
The FIREWALL_TRAFFIC_ALERTS table contains information pertaining to events where traffic has been permitted by firewall rules that have logging enabled, including packets that were permitted by the content filtering configuration. The data is retrieved via the parameters method=GetData&table=FIREWALL_TRAFFIC_ALERTS.
Table 1-22: FIREWALL_TRAFFIC_ALERTS Table Column Descriptions

  SEQUENCE_NUM     A reference to a particular log's row entry counter.
  DEVICE_ID        The identifier for the DEVICE entry that sent the notification.
  END_TIME         The time at which the notification was sent to the Management Console. Milliseconds since Jan. 1, 1970 00:00:00 GMT. (This table has no BEGIN_TIME column; the length of the event is in DURATION.)
  SRC_IP_ADDR      Source IP of the packet causing the notification.
  SRC_PORT         Source port of the packet causing the notification.
  DST_IP_ADDR      Destination IP of the packet causing the notification.
  DST_PORT         Destination port of the packet causing the notification.
  RULE_ID          Unique identifier of the rule that monitors traffic between security zones.
  PROTOCOL_NAME    The packet type.
  PROTOCOL_NUMBER  The number associated with the protocol in the filter.
  IN_ZONE_ID       The security zone from which the attack originated.
  OUT_ZONE_ID      The security zone at which the attack was targeted.
  CATEGORY         The type of traffic filter that was activated.
  DURATION         The duration of the attack.
  URL              The URL associated with the attack, if applicable.
  TRANSFER_BYTES   The number of bytes transferred for this event.
  MESSAGE          A dynamic ALERT message.


QUARANTINE_HOSTS Table
The QUARANTINE_HOSTS table is where quarantine actions for IPS and SMS actions are tracked. The data is retrieved via the parameters method=GetData&table=QUARANTINE_HOSTS.
Table 1-23: QUARANTINE_HOSTS Table Column Descriptions

  ID              Unique identifier for the table entry.
  QUARANTINED_IP  The IP address of the quarantined host.
  QUARANTINED_MAC The MAC address of the quarantined host.
  POLICY_NAME     The descriptive name of the policy that triggered the host quarantine.
  STATE           The current state of the host: UNQUARANTINED, QUARANTINED, INITIAL, or ERROR.
  AUTHORITY       The source of the quarantine state for the host.
  CREATE_TIME     The time the initial quarantine state was set.
  LAST_UPDATE     The time of the last quarantine state change.

RATELIMIT_STATS Table
When using RATELIMIT ACTIONSETs, this data is accumulated from the DEVICE. If you are using RATELIMIT ACTIONSETs, this table is expected to have a continuous growth pattern and contain millions of records. The data is retrieved via the parameters: method=GetData&table=RATELIMIT_STATS.
Table 1-24: RATELIMIT_STATS Table Column Descriptions

  ACTIONSET_ID  The identifier of the ACTIONSET table entry for this record
  STAT_TIME     The time this stat was recorded, in milliseconds since Jan. 1, 1970 00:00:00 GMT
  DEVICE_ID     Identifier for the DEVICE
  RATE          The RATE in kbps
  VALUE         Number of bytes


THRESHOLD_STATS Table
When using THRESHOLD policies, this data is accumulated from the DEVICE. If you are using THRESHOLDs, this table is expected to have a continuous growth pattern and contain millions of records. The data is retrieved via the parameters, method=GetData&table=THRESHOLD_STATS.
Table 1-25: THRESHOLD_STATS Table Column Descriptions

  POLICY_ID  Identifier of the POLICY that was created to produce this THRESHOLD data
  STAT_TIME  The time the data was collected, in milliseconds since Jan. 1, 1970 00:00:00 GMT
  VALUE      The stat value for the MEAS_UNIT at collection time
  MEAS_UNIT  Identifier that can be joined with the THRESHOLD_UNITS table to obtain a descriptive name for the unit


Chapter 2. Active Response

The information in this chapter details how to initiate a response using a simple Web API.

Overview

SMS Active Response is a policy-based service that reacts to its inputs in order to perform a set of actions. How it reacts and the set of actions taken is based on the Active Response policies that the user has configured. A policy contains a set of actions to be taken when the policy is triggered. A policy can be triggered in several ways: thresholding, manually, web service, or escalation of an IPS Quarantine action. Policies can be configured to include and/or exclude a set of IP addresses.

An external third party can initiate an Active Response via a simple Web API. This allows partners interacting with a TippingPoint-secured environment to help protect the network, either according to their own triggers or through some form of manual intervention.

Initiating an Active Response

To initiate a response, the external system uses one of the URLs listed under Response Examples below.

Note: By default, there are no policies that can be externally triggered. The Active Response policy must be set to be externally triggered. This option can be set in the SMS in the Responder > Policy area. For more information see the SMS User's Guide or online help.


Response Examples

Create a Response (Quarantine URL)

  http[s]://<sms_server>/quarantine/quarantine?ip=<target_ip>&policy=<policy_name>&timeout=<minutes_to_quarantine>&smsuser=<user_name>&smspass=<password>

Close a Response (Unquarantine URL)

  http[s]://<sms_server>/quarantine/unquarantine?ip=<target_ip>&smsuser=<user_name>&smspass=<password>

Note: To close a response, either ip or id must be specified.

Explanation of Arguments
The arguments used in these URLs are described below.

IP address
The ip argument is the IP address of the target host. It is required to create a response; to close a response, either ip or id must be specified.
ip=<target_ip>

Response History ID
The id argument is the Response History id that is displayed in the Response History table. To close a response, either ip or id must be specified.
id=<response_history>

Active Response Policy


To initiate a response one needs to identify a particular Active Response policy to implement. In this case you would add an additional argument of this form:
&policy=<policy_name>

The policy name is case sensitive and spaces are allowed. The policy name must match an existing SMS Active Response policy name. The policy must also have its Initiation setting "Allow an SNMP Trap or Web Service call to invoke this Policy" enabled. This argument is not necessary to close a response and, if provided, is ignored.

Active Response Timeout


This argument is optional and is used to specify the duration of the response.

  &timeout=<minutes_to_quarantine>

The value in the parameter overrides the default already in the policy. If no parameter is specified, the timeout value from the policy is used. This argument is not necessary to close a response and, if provided, is ignored.

30

SMS External Interface Guide

Initiating an Active Response

Authenticated User
Initiating an Active Response operation requires an authenticated user. This applies to the Web interface as well, even if the Web authentication preference in the SMS is not turned on.
  &smsuser=<user_name>&smspass=<password>

Note: A password value is not required, but the smspass parameter must still be present in the URL (it may be empty).
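Building the quarantine and unquarantine URLs from a script, as an added Python example that is not part of the guide. It enforces the argument rules above (ip and policy on create, ip or id on close, smspass always present, timeout optional) and percent-encodes the policy name so that spaces survive as one argument; call_sms issues the request over TLS with certificate verification instead of disabling it. The host name sms.example.net and the credentials are placeholders.

```python
import ipaddress
import ssl
import urllib.request
from urllib.parse import quote, urlencode, urlunsplit


def _response_url(sms_host, path, params, scheme="https"):
    """Assemble the URL. quote (rather than quote_plus) encodes spaces as %20, so a
    policy name such as "Web API Quarantine" is carried as a single argument."""
    return urlunsplit((scheme, sms_host, path, urlencode(params, quote_via=quote), ""))


def quarantine_url(sms_host, target_ip, policy, smsuser, smspass, timeout_minutes=None):
    """Create a response: ip and policy are required, timeout overrides the policy
    default when given, and smspass is sent even when it is empty."""
    ipaddress.ip_address(target_ip)          # ValueError on anything that is not an address
    if not policy:
        raise ValueError("policy name is required to create a response")
    params = {"ip": target_ip, "policy": policy}
    if timeout_minutes is not None:
        if int(timeout_minutes) <= 0:
            raise ValueError("timeout must be a positive number of minutes")
        params["timeout"] = int(timeout_minutes)
    params.update(smsuser=smsuser, smspass=smspass)
    return _response_url(sms_host, "/quarantine/quarantine", params)


def unquarantine_url(sms_host, smsuser, smspass, target_ip=None, history_id=None):
    """Close a response: either ip or the Response History id must be supplied.
    policy and timeout are ignored on close, so they are never sent."""
    if target_ip is None and history_id is None:
        raise ValueError("either ip or id must be specified to close a response")
    params = {}
    if target_ip is not None:
        ipaddress.ip_address(target_ip)
        params["ip"] = target_ip
    if history_id is not None:
        params["id"] = int(history_id)
    params.update(smsuser=smsuser, smspass=smspass)
    return _response_url(sms_host, "/quarantine/unquarantine", params)


def call_sms(url, cafile=None, timeout=30):
    """Issue the request. The credentials travel in the URL, so verify the SMS
    certificate (cafile = the SMS certificate or its issuing CA) rather than
    turning verification off."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    print(quarantine_url("sms.example.net", "10.1.2.3", "Web API Quarantine",
                         "webapi", "s3cret", timeout_minutes=30))
    print(unquarantine_url("sms.example.net", "webapi", "s3cret", history_id=1001))
```

Because the credentials are query-string parameters, keep the dedicated API user (see Use of This Interface below) limited to this feature and treat the URLs as secrets in any logging or job scheduler output.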

Use of This Interface

TippingPoint recommends that you take the following steps to customize how you use this interface:

STEP 1  Use a unique username and password for external interactions. Create a user name that is used only for this feature (examples: extqtime, webapi, webqtime). An admin-level user can initiate responses via this interface.

STEP 2  Create customized policies specifically for this interface. This helps to organize which policies are involved with any calls that happen externally.


Chapter 3. Remote Profile Management

The information in this chapter details how to import, export, and manage profiles using Web APIs.

Overview

The new Web Services APIs for Profile Management allow an SMS IPS profile to be exported, imported, or distributed without interacting with the user interface via the SMS client. This is done through the HTTP interface. The existing Web Services APIs allow events, devices, and profile information to be exported from the SMS; that data can then be imported into an external database for event reporting. The new Profile Management APIs allow the user to make a change on the SMS remotely. As a result, these APIs require the user to provide a valid username and password as part of the API call.

The parameters can be passed to the SMS either through a web browser by entering a URL or by using a command-line tool for HTTP scripting. Command-line tools make it possible to perform multiple operations using a script. One such open-source tool is curl, which is available at http://curl.haxx.se/.

This chapter includes the following sections:

  What's New on page 34
  Authentication on page 34
  Traffic Management Filters on page 35
  Traffic Management Filters: Optional Parameters on page 35
  Profile Import on page 38
  Profile Distribution on page 40


What's New

Profile Import

The following import actions are documented with examples:

  Import a profile and replace an existing profile
  Import a profile and add any new settings to the existing settings (no change to existing settings)
  Import a profile and change existing settings to match the imported settings

See Profile Import on page 38.

Authentication
A valid user name and password are required for all of the Profile Management APIs. Before you begin, you must create the user ID on the SMS and give it the necessary permissions. For exporting or importing a profile, the user must be granted permission to that profile. For distributing a profile, the provided user account must have permission to the profile and to the Segment Group or segments that are the target of the distribution. The user name and password may be specified in the following ways:

URL
The userid/password can be specified as part of the URL using smsuser and smspass variables. This would be specified as:
smsuser=mySmsSuperUser&smspass=mypassword

URL Example
  https://10.99.1.123/ipsProfileMgmt/exportProfile?profileName=MyTestProfile&smsuser=mySmsSuperUser&smspass=mypassword

CURL
With curl, the authentication credentials can be provided as part of the curl invocation by using the -u option to supply the userid and password. The smsuser and smspass parameters in the URL are then no longer required.


CURL Example
  curl -u mySmsSuperUser:mypassword https://10.99.1.123/ipsProfileMgmt/exportProfile?profileName=MyTestProfile

Note: Over plain http the credentials are sent in clear text, whether they are passed in the URL or with -u, so these APIs should only be used over https on a trusted network. Even over https, credentials placed in the URL query string can end up in browser history and in proxy and web server logs; prefer the -u option when scripting.

Traffic Management Filters


The profile Web API allows the user to create Traffic Management filters.

  https://<smshost>/ipsProfileMgmt/createTrafficMgmt?parameter1=value&parameter2=value&...

Table 3-1: Traffic Management Filters: Required Parameters

  name      Name of the traffic management filter. Names must be unique within a profile.
  profile   Name of the profile that contains the traffic management filter. The profile must already exist.
  srcAddr   Source address for the filter. Value can be any or an IP address.
  destAddr  Destination address for the filter. Value can be any or an IP address.

The following table lists the optional parameters. If a parameter is not specified, the default value is used.

Note: Parameter names and enumerated values are case insensitive. If a parameter is specified multiple times, behavior is unspecified.

Table 3-2: Traffic Management Filters: Optional Parameters

  direction    Direction of filter. Valid values are AtoB, BtoA, or both. Default: AtoB
  action       Action set to use. Valid values are restricted to allow, block, and trust. For rate limiting, use the rate-limit parameter. Default: block
  rate-limit   Rate limiting action set to use. The action set must already be defined and be set to rate limit.
  protocol     Protocol to filter. Valid values are ip, tcp, udp, and icmp. Default: ip
  ipFragments  Apply only to IP fragments. Valid only when protocol is ip. Valid values are true and false. Default: false
  icmptype     ICMP type. Valid only when protocol is icmp. Valid values are 0-255. Default: 0
  icmpcode     ICMP code. Valid only when protocol is icmp. Valid values are 0-255. Default: 0
  srcPort      Source port to filter on. Valid only when protocol is tcp or udp. Valid values are 0-65535. Default: 0, which is all ports
  destPort     Destination port to filter on. Valid only when protocol is tcp or udp. Valid values are 0-65535. Default: 0, which is all ports
  position     Precedence of filter. Valid values are 0-200. Default: 0, which uses the lowest unused value
  comment      Comment for filter.
  state        State of filter. Valid values are enable and disable. Default: enabled
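A client-side check of createTrafficMgmt parameters, added here as an example and not part of the guide. It applies the rules of Tables 3-1 and 3-2 (protocol-scoped parameters, value ranges, case-insensitive enumerations), omits parameters left at their documented default, and assembles the URL with percent-encoding. Two things are assumptions of this example rather than statements of the guide: that action and rate-limit are mutually exclusive (the table implies it by saying to use rate-limit instead of action for rate limiting), and that the SMS accepts %20 for spaces in names. The host sms.example.net and the credentials are placeholders; rate_limit is spelled with an underscore only because rate-limit is not a valid Python keyword argument.

```python
import ipaddress
from urllib.parse import quote, urlencode, urlunsplit

ACTIONS = {"allow", "block", "trust"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
DIRECTIONS = {"atob", "btoa", "both"}
# Parameters that are only valid for some protocols (Table 3-2).
SCOPED = {"ipFragments": {"ip"}, "icmptype": {"icmp"}, "icmpcode": {"icmp"},
          "srcPort": {"tcp", "udp"}, "destPort": {"tcp", "udp"}}
RANGES = {"icmptype": (0, 255), "icmpcode": (0, 255), "srcPort": (0, 65535),
          "destPort": (0, 65535), "position": (0, 200)}


def traffic_filter_params(name, profile, src_addr, dest_addr, **opts):
    """Validate one filter definition and return the query parameters to send.
    Defaults are left out; invalid protocol/parameter combinations raise ValueError
    instead of being passed to the SMS."""
    if not name or not profile:
        raise ValueError("name and profile are required")
    for addr in (src_addr, dest_addr):
        if addr.lower() != "any":
            ipaddress.ip_address(addr)  # ValueError on anything that is not an address
    params = {"name": name, "profile": profile, "srcAddr": src_addr, "destAddr": dest_addr}

    protocol = str(opts.pop("protocol", "ip")).lower()
    if protocol not in PROTOCOLS:
        raise ValueError("protocol must be one of %s" % sorted(PROTOCOLS))
    if protocol != "ip":
        params["protocol"] = protocol

    direction = str(opts.pop("direction", "AtoB"))
    if direction.lower() not in DIRECTIONS:
        raise ValueError("direction must be AtoB, BtoA or both")
    if direction.lower() != "atob":
        params["direction"] = direction

    action, rate_limit = opts.pop("action", None), opts.pop("rate_limit", None)
    if action is not None and rate_limit is not None:
        raise ValueError("use either action or rate-limit, not both (assumption)")
    if rate_limit is not None:
        params["rate-limit"] = rate_limit  # name of an existing rate-limit action set
    elif action is not None:
        if action.lower() not in ACTIONS:
            raise ValueError("action must be allow, block or trust; use rate_limit for rate limiting")
        if action.lower() != "block":
            params["action"] = action

    for key, value in opts.items():
        if key in SCOPED and protocol not in SCOPED[key]:
            raise ValueError("%s is only valid when protocol is %s" % (key, "/".join(sorted(SCOPED[key]))))
        if key in RANGES:
            lo, hi = RANGES[key]
            if not lo <= int(value) <= hi:
                raise ValueError("%s must be in %d-%d" % (key, lo, hi))
            if int(value) != 0:  # 0 is the documented default for every ranged parameter
                params[key] = int(value)
        elif key == "ipFragments":
            if value:
                params["ipFragments"] = "true"
        elif key == "state":
            if str(value).lower() not in ("enable", "disable"):
                raise ValueError("state must be enable or disable")
            if str(value).lower() == "disable":
                params["state"] = "disable"
        elif key == "comment":
            params["comment"] = str(value)
        else:
            raise ValueError("unknown parameter %s" % key)
    return params


def create_traffic_filter_url(sms_host, smsuser, smspass, **filter_kwargs):
    """URL for one createTrafficMgmt call; smsuser/smspass go last."""
    params = traffic_filter_params(**filter_kwargs)
    params.update(smsuser=smsuser, smspass=smspass)
    return urlunsplit(("https", sms_host, "/ipsProfileMgmt/createTrafficMgmt",
                       urlencode(params, quote_via=quote), ""))


if __name__ == "__main__":
    print(create_traffic_filter_url("sms.example.net", "webapi", "s3cret",
                                    name="Block telnet", profile="Default",
                                    src_addr="any", dest_addr="10.0.0.5",
                                    protocol="tcp", destPort=23, comment="no telnet"))
```

Because the API leaves the behaviour of repeated parameters unspecified, the validator builds a dictionary, which can carry each parameter only once.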

Profile Export
The profile export API allows the user to export a profile to the SMS web Exports directory or to a fully specified NFS or SMB server location.

URL Method

  http[s]://<sms_server>/ipsProfileMgmt/exportProfile?<export parameters>[&<SMB parameters> | &<NFS parameters>][&<authentication parameters>]

Table 3-3: Export Profile Parameters

  exportMethod (optional)    Export destination: SMS HTTP server [default], smb, nfs
  profileName                Name of profile to export
  profileVersion (optional)  Version of profile to export. If profileVersion is not specified, the latest version of the profile is used.

Table 3-4: SMB Location Parameters

  remoteDirectory            Remote SMB directory
  remoteFilename (optional)  Remote filename (default: "profile_name.pkg")
  remoteServer               SMB server
  userid                     SMB userid
  password                   SMB password
  domain                     SMB domain

Table 3-5: NFS Location Parameters

  remoteDirectory            Remote NFS directory
  remoteFilename (optional)  Remote filename (default: "profile_name.pkg")
  remoteServer               NFS server

Table 3-6: Authentication Parameters

  smsuser  SMS userid
  smspass  SMS password for smsuser

Note: Authentication Parameters are not required if this information is provided separately (for example, with the curl -u option).


Export Examples

Export profile MyProfile to the SMS web server Exports directory:

  http[s]://<sms_server>/ipsProfileMgmt/exportProfile?profileName=MyProfile

Export profile Default to an SMB server:

  http[s]://<sms_server>/ipsProfileMgmt/exportProfile?exportMethod=SMB&remoteDirectory=savedProfiles&remoteServer=MyExportDirectory&userid=guest&password=guestpass&domain=CompanyXDomain&profileName=Default

Export profile Default to an NFS server:

  http[s]://<sms_server>/ipsProfileMgmt/exportProfile?exportMethod=NFS&remoteDirectory=savedProfiles&remoteServer=MyExportDirectory&profileName=Default

Profile Import
The Profile Import API allows the user to import a profile from a local file to the SMS server. Because the profile name is specified within the profile package, a profile name does not need to be specified. The SMS supports the following IPS profile import options:

  Import a profile and replace an existing profile
  Import a profile and add any new settings to the existing settings (no change to existing settings)
  Import a profile and change existing settings to match the imported settings

The version details section for the profile has an entry that indicates which profile the SMS profile was imported from and includes the date of the update. (In previous releases the profile description was updated instead.)

If any action sets are used by the policies and Category Settings in the profile, they are added to the SMS. If an action set with the same name already exists, it is not overwritten; a new action set is added with a number appended to the name (example: "My Quarantine_2"). Any notification contacts used by the action sets are also imported and renamed if necessary.

For Services, the third type of Shared Settings, the existing port definitions on the SMS remain the same. Services with new port definitions that do not alter an existing SMS service are added to the SMS service list. Review the services if the imported profile comes from a different user or a different environment.


URL Method

Note: curl is the preferred method of transferring profiles to the server.

  http[s]://<sms_server>/ipsProfileMgmt/importProfile?<import parameters>[&<authentication parameters>]

Table 3-7: Import Profile Parameters

  filename                        File name of the profile package file to import
  importAction (optional)         Action to take:
                                    replace         replace the existing profile
                                    add             add any new settings (default; the curl examples below pass this action as combine_add)
                                    combine_change  change existing settings to match the new settings
  replacedProfileName (optional)  If replacing a profile, the name of the profile on the SMS.

Note: When using the optional replacedProfileName parameter, a new profile is created if a profile of that name does not exist. If a profile with the same name exists, the contents of the existing profile are replaced with the contents of the imported profile. When viewing profile information in the SMS, the version entry indicates that a profile was imported into the existing profile.

Table 3-8: Authentication Parameters

  smsuser  SMS userid
  smspass  SMS password for smsuser

Note: Authentication Parameters are not required if this information is provided separately.


Import Examples

Replace Existing Profile

  curl -k -v -F "file=@</filepath/to/import.pkg>" -F "importAction=replace" \
       -F "targetProfileName=<profile_name_on_sms_to_replace>" \
       -F "replacedProfileName=<profile_name_on_sms_to_replace>" \
       "https://<smsip>/ipsProfileMgmt/importProfile?smsuser=<smsuser>&smspass=<smspass>"

Add Any New Settings

  curl -k -v -F "file=@</filepath/to/import.pkg>" -F "importAction=combine_add" \
       -F "targetProfileName=<profile_name_on_sms_to_merge_into>" \
       -F "replacedProfileName=<profile_name_on_sms_to_merge_into>" \
       "https://<smsip>/ipsProfileMgmt/importProfile?smsuser=<smsuser>&smspass=<smspass>"

Change Existing Settings to Match Imported Settings

  curl -k -v -F "file=@</filepath/to/import.pkg>" -F "importAction=combine_change" \
       -F "targetProfileName=<profile_name_on_sms_to_merge_into>" \
       -F "replacedProfileName=<profile_name_on_sms_to_merge_into>" \
       "https://<smsip>/ipsProfileMgmt/importProfile?smsuser=<smsuser>&smspass=<smspass>"

Note: The -k option disables TLS certificate verification. Use it only while testing; for scripted use, install the SMS certificate (or its issuing CA) in the client's trust store, drop -k, and pass the credentials with -u rather than in the URL.
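The same upload the curl -F examples perform, done from Python's standard library without curl, as an added example that is not part of the guide. build_multipart encodes the form fields and the package file as multipart/form-data; import_profile_request sends both targetProfileName and replacedProfileName exactly as the curl examples do (Table 3-7 documents only replacedProfileName) and accepts the action values the examples use (replace, combine_add, combine_change). The host sms.example.net, the credentials and the package contents are placeholders.

```python
import ssl
import urllib.request
import uuid
from urllib.parse import urlencode, urlunsplit

# Action values as used by the curl examples above (Table 3-7 spells the add case "add").
IMPORT_ACTIONS = {"replace", "combine_add", "combine_change"}


def build_multipart(fields, file_field, filename, content, boundary=None):
    """Encode text fields plus one file part as multipart/form-data, the body that
    curl -F produces. Returns (body_bytes, content_type_header_value)."""
    boundary = boundary or uuid.uuid4().hex
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for name, value in fields.items():
        parts += [delim, ('Content-Disposition: form-data; name="%s"' % name).encode("ascii"),
                  b"", str(value).encode("utf-8")]
    parts += [delim,
              ('Content-Disposition: form-data; name="%s"; filename="%s"'
               % (file_field, filename)).encode("ascii"),
              b"Content-Type: application/octet-stream", b"", content]
    parts += [delim + b"--", b""]           # closing boundary, then final CRLF
    return b"\r\n".join(parts), "multipart/form-data; boundary=" + boundary


def import_profile_request(sms_host, package_bytes, package_name, import_action,
                           target_profile, smsuser, smspass):
    """Build the POST to importProfile. Credentials stay in the query string, as in
    the curl examples; the package and form fields are the request body."""
    if import_action not in IMPORT_ACTIONS:
        raise ValueError("importAction must be one of %s" % sorted(IMPORT_ACTIONS))
    fields = {"importAction": import_action,
              "targetProfileName": target_profile,
              "replacedProfileName": target_profile}
    body, ctype = build_multipart(fields, "file", package_name, package_bytes)
    url = urlunsplit(("https", sms_host, "/ipsProfileMgmt/importProfile",
                      urlencode({"smsuser": smsuser, "smspass": smspass}), ""))
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": ctype,
                                           "Content-Length": str(len(body))})


def send(request, cafile=None, timeout=120):
    """Submit the import with certificate verification (the equivalent of dropping -k)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:            # path to a .pkg exported from an SMS
        req = import_profile_request("sms.example.net", f.read(), "import.pkg",
                                     "replace", "Default", "webapi", "s3cret")
    print(send(req, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

The boundary must not occur inside the package bytes; a random 32-hex-digit boundary makes a collision with the binary .pkg content practically impossible, which is the same approach curl takes.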

Profile Distribution
The Profile Distribution API initiates an IPS profile distribution to a single segment target or to a Segment Group. Only a single segment or a single segment group can be specified.

URL Method

  http[s]://<sms_server>/ipsProfileMgmt/distributeProfile?<distribute parameters>[&<segment group parameters> | &<single segment parameters>][&<authentication parameters>]

Note: Authentication Parameters are not required if this information is provided separately.

The following tables provide the parameters:

Table 3-9: Profile Distribution Parameters

  profileName                 Name of profile on the SMS to distribute
  profileVersion (optional)   Version of profile to distribute (the latest version is used if not specified)
  distribPriority (optional)  Priority of distribution on the IPS: high [default] or low

Table 3-10: Segment Group Target Parameters

  segmentGroupName  Name of the segment group that is the target of the distribution

Table 3-11: Single Segment Target Parameters

  deviceIpAddr  IP address of the device; only required for single segment distributions
  segmentName   Name of the segment receiving the distributed profile; only required for single segment distributions

Table 3-12: Authentication Parameters

  smsuser  SMS userid
  smspass  SMS password for smsuser

Distribution Examples

Distribute profile to segment group:

  http[s]://<sms_server>/ipsProfileMgmt/distributeProfile?profileName=MyInternalProfile&segmentGroupName=InternalIPS&smsuser=SuperBob&smspass=bobpass

Distribute profile to single segment:

  http[s]://<sms_server>/ipsProfileMgmt/distributeProfile?profileName=MyInternalProfile&deviceName=IPS1&segmentName=Segment1A&smsuser=SuperBob&smspass=bobpass

Note: This example identifies the device with deviceName, whereas Table 3-11 documents the single-segment device parameter as deviceIpAddr.


Chapter 4. Remote Administration Management

The information in this chapter details how to perform SMS Administration tasks from a remote location using Web APIs.

Overview

The new Administration Management APIs allow the user to perform SMS Administration on the SMS remotely. As a result, these APIs require the user to provide a valid username and password as part of the API call. The parameters can be passed to the SMS either through a web browser by entering a URL or by using a command-line tool for HTTP scripting. When using http, passwords are sent in plain text, so these APIs should only be used over http on a trusted network. With https the password is encrypted in transit, but it is still part of the URL and can be recorded in browser history and in proxy or web server logs.

The SMS currently supports the following remote Administration task: Remote Backups on page 44


Remote Backups
Table 4-1: Remote Backup Parameters

  type            Destination type: smb, nfs, scp, sftp, sms (stored locally on the SMS; only one allowed)
  location        Destination path for the backup file. Does not apply to destination type sms.
  username        Type-specific username. Used for destination types smb, scp and sftp.
  password        Type-specific password. Used for destination types smb, scp and sftp.
  domain          Type-specific domain. Only used for type smb.
  tos             Number of most recent TOS packages to include (default 0)
  dv              Number of most recent DV packages to include (default 1)
  events          Include events data (boolean, default false)
  notify          Send email notification when the backup has completed or failed (boolean, default true)
  timestamp       Use a timestamp to build the backup file name (boolean, default true). The examples below pass this parameter as timestampName.
  encryptionPass  Encrypt the backup using the supplied password (default null: do not encrypt)
  smsuser         SMS userid the backup will be created with
  smspass         SMS password for that userid

Backup Examples
Backup Locally to SMS (with defaults)
http[s]://<sms_server>/smsAdmin/backup?type=sms

Backup with SCP (with some defaults)
http[s]://<sms_server>/smsAdmin/backup?type=scp&location=//d5.tippingpoint.com/home/britd/backups/&username=britd&password=britdpw&timestampName=true

Backup to SMB Server
http[s]://<sms_server>/smsAdmin/backup?type=smb&location=//1.1.1.1/backups/sms.bak&username=britd&password=britdpw&domain=SHBANG&tos=1&dv=1&events=false&notify=false&timestampName=true
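The URLs above are typed by hand, which is fine for a one-off backup but fragile in a scheduled job: a password or path containing '&', '/' or '%' breaks the query string, and a wrong type or a missing location is only reported by the SMS after the call. The following Python script is an added example, not part of this guide or of the SMS software. It builds the /smsAdmin/backup URL from the Table 4-1 parameters with proper encoding, forces https so that neither the SMS credentials nor the destination credentials travel in clear text, and only sends the request when run directly. The host name, user names and passwords in it are made-up sample values, and the ca_bundle parameter is an assumption about how the SMS certificate is verified. Both timestamp (Table 4-1) and timestampName (as in the examples above) are accepted so the script can follow whichever name the SMS version in use expects.

```python
"""Build and submit SMS remote-backup requests (added example; not HP/TippingPoint code)."""
import ssl
import urllib.parse
import urllib.request

# Destination types listed in Table 4-1; the location parameter does not apply to "sms".
BACKUP_TYPES = {"smb", "nfs", "scp", "sftp", "sms"}
# Parameter names from Table 4-1 plus "timestampName", the spelling used in the examples.
KNOWN_PARAMS = {"type", "location", "username", "password", "domain", "tos", "dv",
                "events", "notify", "timestamp", "timestampName", "encryptionPass",
                "smsuser", "smspass"}


def build_backup_url(sms_server, smsuser, smspass, **params):
    """Return the https URL for /smsAdmin/backup with every parameter percent-encoded.

    urlencode() escapes '&', '/', '%' and spaces in passwords and paths, which a
    hand-typed URL cannot do safely. Booleans become the words true/false the guide uses.
    """
    params = {"smsuser": smsuser, "smspass": smspass, **params}
    unknown = set(params) - KNOWN_PARAMS
    if unknown:
        raise ValueError(f"unknown backup parameter(s): {sorted(unknown)}")
    dest = params.get("type")
    if dest not in BACKUP_TYPES:
        raise ValueError(f"type must be one of {sorted(BACKUP_TYPES)}")
    if dest != "sms" and not params.get("location"):
        raise ValueError(f"destination type {dest!r} requires a location")
    if dest == "sms" and "location" in params:
        raise ValueError("location does not apply to destination type sms")
    encoded = {k: (str(v).lower() if isinstance(v, bool) else str(v)) for k, v in params.items()}
    return f"https://{sms_server}/smsAdmin/backup?" + urllib.parse.urlencode(encoded)


def run_backup(url, ca_bundle=None, timeout=60):
    """Submit the backup request; return (HTTP status, response body).

    ca_bundle (assumed) is a PEM file holding the CA that signed the SMS certificate.
    With None the system trust store is used, so a certificate it does not trust is
    rejected instead of silently accepted.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Hypothetical host and credentials; nothing is sent unless this file is run directly.
    url = build_backup_url("sms.example.net", "backupops", "s3cret",
                           type="scp", location="//backup.example.net/home/backupops/backups/",
                           username="backupops", password="p&ss/word", timestampName=True)
    print(url)
    # status, body = run_backup(url, ca_bundle="/etc/ssl/certs/sms-ca.pem")
```

The credentials still travel in the query string, which web-server and proxy logs commonly record, so run this from a host whose outbound logging you control and with an SMS account created for backups only.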


Chapter 5. Reputation Management
The information in this chapter details how to manage Reputation entries using Web APIs.

Overview
The Administration Management APIs allow the user to manage entries in the Reputation Database. The parameters can be passed to the SMS either through a web browser by entering a URL or by using a command-line tool for HTTP scripting. When using http, passwords are sent in plain text. This chapter includes the following sections:
What's New
Import Reputation Entries
Create Reputation Entries
Delete Reputation Entries
Reset Reputation Entries
Reputation Import Rules


What's New
For 3.1.1 and above, web API support was added for the following Reputation Database items:

Delete all user entries and reset RepDV
http[s]://<sms_server>/repEntries/delete?smsuser=[username]&smspass=[password]&criteria=all

Delete all user entries only
http[s]://<sms_server>/repEntries/delete?smsuser=[username]&smspass=[password]&criteria=user

Reset RepDV
http[s]://<sms_server>/repEntries/delete?smsuser=[username]&smspass=[password]&criteria=repdv

Import Reputation Entries
This API is similar to the Profile Import API. The only parameter is type. The type parameter is optional and has a default value of IPv4. The possible values are:
IPv4
IPv6
DNS
This import API works in the same way as the import Reputation entries function in the GUI. If the Reputation file does not have tags, the imported data merges with existing address values. If the file does have tags, the imported data overwrites existing address values.

Import Example
curl -v -k -F "file=@/home/userid/Rep.txt" "https://10.99.1.123/repEntries/import?smsuser=myusername&smspass=mypasswd--&type=ipv4"

The -k option tells curl not to verify the SMS certificate. If the SMS certificate is signed by a CA your system trusts, drop -k; otherwise point curl at the CA certificate with --cacert so that the credentials in the URL are only sent to the SMS you intended.

Create Reputation Entries
This API creates entries in the Reputation Database.

Create Example
https://1.1.1.1/repEntries/add?smsuser=myusername&smspass=mypasswd&ip=2.2.2.2
https://1.1.1.1/repEntries/add?smsuser=myusername&smspass=mypasswd&dns=yahoo.com


Delete Reputation Entries


Delete Examples
Delete all user entries and reset RepDV
http[s]://<sms_server>/repEntries/delete?smsuser=[username]&smspass=[password]&criteria=all

Delete all user entries only
http[s]://<sms_server>/repEntries/delete?smsuser=[username]&smspass=[password]&criteria=user

Reset Reputation Entries

Reset Example
Reset RepDV
http[s]://<sms_server>/repEntries/delete?smsuser=[username]&smspass=[password]&criteria=repdv


Reputation Import Rules


This section describes the rules to follow when importing files into the SMS Reputation Database. For reference, the rules are divided into files, fields, addresses and tags.

Table 5-1: Reputation Import Rules

Files
  CSV format       The import file must be in comma separated value (CSV) format. Each line
                   is made up of one or more fields separated by commas. Each line represents
                   one entry, and entries must not span lines. Any line whose first
                   non-white-space character is "#" is considered a comment. Comment lines
                   are discarded during import. There is no support for inline comments.
  Blank Lines      The import file may not contain any blank lines within the body. Blank
                   lines after the last line are ignored.

Fields
  Double Quotes    A field may be enclosed in double-quotes. For a value that contains a
                   comma that is not a field separator, enclose the field in double-quotes.
                   To represent a double-quote character within a quoted value, use two
                   double-quotes.

Addresses
  Address Types    Only one type of address (IPv4, IPv6 or DNS domain name) can be contained
                   in the file. Mixing of types within a file is not allowed. The first field
                   on each line must be the IPv4 address, IPv6 address or DNS name for that
                   entry. The remaining fields on a line are optional. If present, the
                   remaining fields are processed as tag category/tag value pairs.
  DNS Entries      A DNS entry matches any lookups that contain the specified string. For
                   example, foo.com matches foo.com, www.foo.com, and images.foo.com. To
                   specify an exact DNS entry match, enclose the DNS name in square brackets.
                   For example, [foo.com] matches only foo.com, and does NOT match
                   www.foo.com or images.foo.com.
  CIDR Values      CIDR values are normalized. Any bits outside the portion of the address
                   specified by the prefix length are changed to zero.

Tags
  SMS Parity       Any tag categories that appear in the file must exist on the SMS prior to
                   import.
  Character Case   In tag category names and tag values, character case is significant. For
                   yes/no tag categories, character case is insignificant.
  Yes/No tag       For yes/no tag categories, the text "yes", regardless of case, denotes a
  categories       yes value. All other values are considered no.
  Tag Pairs        Empty tag pairs (tag category/tag value) in fields are ignored. If a tag
                   category field is empty, an error occurs and the entry is not imported. If
                   a tag value field is empty, the corresponding tag category is discarded
                   and the next field of the entry is processed. It is equivalent to the tag
                   category not appearing on that line at all. Tag pairs (tag category/tag
                   value) do not have to appear in the same order on each line.
  Tag Categories   It is not necessary that every entry specify every tag category, or even
                   the same tag categories as other entries in the file.

Examples
The examples assume that the following tag categories are defined:
Country (List)
Approved (Yes/No)
Comment (Text)
For the Country tag category, the following countries are defined:
China
Mexico
United States
Examples are provided for the following areas:
Example: File Rules
Examples: Field Rules
Examples: Address Rules
Examples: Tags

Example: File Rules


The import file must be in comma separated value (CSV) format. Each line is made up of one or more fields separated by commas.


RIGHT
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

WRONG
1.2.3.0/24|Country|United States|Approved|yes
2.3.0.0/16|Country|Mexico|Approved|no
3.4.5.0/24|Country|China|Approved|yes

Examples: Field Rules
A field may be enclosed in double-quotes. This is mandatory when a value contains a comma that should not be treated as a field separator.

RIGHT
1.2.3.0/24,Country,United States,Approved,yes,Comment,"This comment, contains a comma"
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

WRONG
1.2.3.0/24,Country,United States,Approved,yes,Comment,This comment, contains a comma
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

Use two double-quotes to represent a double-quote character within a quoted value.


RIGHT
1.2.3.0/24,Country,United States,Approved,yes,Comment,"This comment ""contains"" quotes"
3.4.5.0/24,Country,China,Approved,yes

WRONG
1.2.3.0/24,Country,United States,Approved,yes,Comment,"This comment "contains" quotes"
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

Each line represents one entry, and entries must not span lines.

RIGHT
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

WRONG
1.2.3.0/24,Country,United States,Approved,yes,2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,
Approved,yes

Examples: Address Rules
The file must contain entries of only one type:
IPv4 addresses
IPv6 addresses
DNS domain names
Mixing of types within a file is not allowed.


RIGHT
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

WRONG
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16,Country,Mexico,Approved,no
fc01:a63:1::/64,Country,China,Approved,yes

The first field on each line must be the IPv4 address, IPv6 address, or DNS name for that entry.

RIGHT
foo.com,Country,United States,Approved,yes
bar.com,Country,Mexico,Approved,no
foo.org,Country,China,Approved,yes

WRONG
Country,United States,foo.com,Approved,yes
bar.com,Country,Mexico,Approved,no
foo.org,Country,China,Approved,yes

The remaining fields on a line are optional. If present, they are processed as tag category/tag value pairs: the first tag field (the second field of the line) is a tag category name, the next field is a tag value, the next field is a tag category name, the next field is a tag value, and so on.

RIGHT
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16
3.4.5.0/24,,,,

A DNS entry matches any lookups that contain the specified string. That is, "foo.com" matches "foo.com", "www.foo.com", and "images.foo.com". To specify an exact match, enclose the DNS name in square brackets. For example, "[foo.com]" matches only "foo.com", and not "www.foo.com" or "images.foo.com".


CIDR values are normalized. That is, any bits outside the portion of the address specified by the prefix length are changed to zero. For example, 192.168.66.127/24 is stored as 192.168.66.0/24.

Examples: Tags
Any tag categories that appear in the file must exist on the SMS.

RIGHT
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

WRONG
1.2.3.0/24,Country,United States,Approved,yes,Description,This tag category is not defined
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

Except for yes/no tag categories, character case is significant in all tag category names and tag values.

RIGHT
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16,Country,Mexico,Approved,no
3.4.5.0/24,Country,China,Approved,yes

WRONG
1.2.3.0/24,COUNTRY,United States,Approved,yes
2.3.0.0/16,country,Mexico,Approved,no
3.4.5.0/24,Country,CHINA,Approved,yes

For yes/no tag categories, the text "yes", regardless of case, denotes a yes value. All other values are considered no.


RIGHT
1.2.3.0/24,Country,United States,Approved,Yes
2.3.0.0/16,Country,Mexico,Approved,yes
3.4.5.0/24,Country,China,Approved,YES

WRONG
1.2.3.0/24,COUNTRY,United States,Approved,Yes
2.3.0.0/16,country,Mexico,Approved,On
3.4.5.0/24,Country,CHINA,Approved,T

Empty pairs of fields are ignored. If a tag category field is empty, an error occurs and the entry is not imported. If a tag value field is empty, the corresponding tag category is discarded and the next field of the entry is processed. It is equivalent to the tag category not appearing on that line at all.

RIGHT
1.2.3.0/24,,,Approved,Yes
2.3.0.0/16,,,,
3.4.5.0/24,Country,,Approved,

WRONG
1.2.3.0/24,,United States,Approved,yes
2.3.0.0/16,Country,Mexico,,yes
3.4.5.0/24,Country,China,Approved,yes

Tag category/tag value pairs do not have to appear in the same order on each line. It is not necessary that every entry specify every tag category, or even the same tag categories as other entries in the file. The only requirement is that tag categories must exist on the SMS prior to the import.

RIGHT
1.2.3.0/24,Country,United States,Approved,yes
2.3.0.0/16,Approved,no,Country,Mexico
3.4.5.0/24
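The rules above are applied by the SMS when it processes the upload. The following Python validator is an added example, not SMS code: it applies the same Table 5-1 rules on the client so that a bad file is rejected with a line number before it reaches the /repEntries/import API, and it can be run over the RIGHT and WRONG files in this section. It assumes the three tag categories defined for these examples (Country, Approved, Comment) and the three Country values; CATEGORIES must be replaced with the categories defined on your SMS. Where the guide is silent (a line that ends with a tag category and no value field) the validator treats the line as an error; that choice is an assumption and is marked in the code. The dns_entry_matches function at the end implements the substring-versus-[bracketed] DNS matching rule so the effect of an entry can be checked before it is imported.

```python
"""Client-side check of a Reputation import file against Table 5-1 (added example; not SMS code)."""
import csv
import ipaddress
import re

# Tag categories assumed for the examples in this section; replace with the categories
# defined under Reputation on your SMS. Kinds: list (allowed values), yesno, text.
CATEGORIES = {
    "Country": ("list", {"China", "Mexico", "United States"}),
    "Approved": ("yesno", None),
    "Comment": ("text", None),
}
DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DNS_NAME_RE = re.compile(rf"^{DNS_LABEL}(?:\.{DNS_LABEL})*$")


class RepImportError(ValueError):
    """Raised with the 1-based line number of the first rule violation."""


def parse_address(field):
    """Classify the first field as ('ipv4'|'ipv6'|'dns', normalized text, exact_match)."""
    try:
        net = ipaddress.ip_network(field, strict=False)   # strict=False zeroes bits past the prefix
        text = str(net) if "/" in field else str(net.network_address)
        return ("ipv4" if net.version == 4 else "ipv6", text, False)
    except ValueError:
        pass
    exact = field.startswith("[") and field.endswith("]")   # [foo.com] matches foo.com only
    name = field[1:-1] if exact else field
    if not DNS_NAME_RE.match(name):
        raise RepImportError(f"{field!r} is not an IPv4, IPv6 or DNS address")
    return ("dns", name, exact)


def parse_tags(fields, categories):
    """Turn the optional fields after the address into {category: value}."""
    if len(fields) % 2:
        # The guide does not say what a trailing category with no value field means;
        # it is treated as an error here (assumption).
        raise RepImportError("odd number of tag fields")
    tags = {}
    for cat, val in zip(fields[0::2], fields[1::2]):
        if cat == "" and val == "":
            continue                                     # empty pair: ignored
        if cat == "":
            raise RepImportError("empty tag category field with a value")
        if val == "":
            continue                                     # empty value: category discarded
        if cat not in categories:                        # case is significant
            raise RepImportError(f"tag category {cat!r} is not defined on the SMS")
        kind, allowed = categories[cat]
        if kind == "yesno":
            tags[cat] = val.lower() == "yes"             # "yes" in any case; all else is no
        elif kind == "list" and val not in allowed:      # list values are case-significant too
            raise RepImportError(f"{val!r} is not a value of tag category {cat!r}")
        else:
            tags[cat] = val
    return tags


def parse_import_file(text, categories=CATEGORIES):
    """Return [{'kind', '
address', 'exact', 'tags'}, ...] or raise RepImportError."""
    lines = text.splitlines()
    while lines and lines[-1].strip() == "":
        lines.pop()                                      # blank lines after the last entry are fine
    entries, file_kind = [], None
    for line_no, raw in enumerate(lines, 1):
        try:
            if raw.strip() == "":
                raise RepImportError("blank line inside the file body")
            if raw.lstrip().startswith("#"):
                continue                                 # comment line; inline comments are not supported
            try:
                # One line per csv call, so a quoted field cannot continue onto the next line;
                # strict=True rejects a bare double-quote inside a quoted value.
                fields = next(csv.reader([raw], strict=True))
            except csv.Error as exc:
                raise RepImportError(f"bad quoting ({exc})") from None
            kind, address, exact = parse_address(fields[0])
            if file_kind not in (None, kind):
                raise RepImportError(f"{kind} entry in a file of {file_kind} entries")
            file_kind = kind
            entries.append({"kind": kind, "address": address, "exact": exact,
                            "tags": parse_tags(fields[1:], categories)})
        except RepImportError as exc:
            raise RepImportError(f"line {line_no}: {exc}") from None
    return entries


def dns_entry_matches(entry, lookup):
    """DNS rule: a plain name matches any lookup containing it; a [bracketed] name matches exactly."""
    return lookup == entry["address"] if entry["exact"] else entry["address"] in lookup
```

Run it on the file before the curl upload; the exception message names the offending line, which the SMS import response does not.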


Chapter 6. Packet Trace
The information in this chapter details how to configure the API to retrieve packet trace information from a device or group of events.

Overview
Packet trace compiles information about packets that triggered a filter. It encapsulates the information according to requirements set in the application per filter. For attack events with the appropriate settings, you can view the compiled and stored packet trace. A filter compiles a packet trace according to the action set setting and must be configured to log a packet trace. The system saves the packet trace to a pcap file. Packet trace has the following retrieval options:
Device-Based Packet Trace
Events-Based Packet Trace

What's New
For SMS v3.2, API support was added for device and event-based packet trace.

Device-Based Packet Trace
The device-based method gets all the pcap information from the SMS database for a particular device.

Device-Based Packet Trace Example
https://<smsip>/pcaps/getByDevice?deviceId=12

In this example, 12 is the device short ID and is exposed in the external database.


Events-Based Packet Trace
To get all the pcap information from the SMS for a group of events, you need to know the event IDs. These event IDs are sent to the remote syslog server. For information on deploying Remote Syslog, refer to the current SMS Deployment Note available from the TippingPoint Threat Management Center (TMC). For information on how to access the TMC, see Product Documentation.

Setting up Event-Based Packet Trace
STEP 1  Set up a remote syslog server. Refer to the current Deployment Note available from the TMC.
STEP 2  Add all the event IDs to a file as a comma separated list (new line breaks are also allowed).
STEP 3  Use curl to upload the file to the web server.

curl -k -v -F "file=@<filepath/to/eventidfile.txt>" "https://<smsip>/pcaps/getByEventIds?smsuser=<smsuser>&smspass=<smspass>"

The result outputs to stdout and can be redirected to a file with a '>' operator.


Chapter 7. MIB Files for the SMS
The SMS supports MIB files which are associated with a management information base (MIB).

Overview
A MIB is a type of database that is used to manage devices in a communications network. Database entries are addressed through object identifiers (OIDs). MIBs are descriptions of network objects that can be managed using the Simple Network Management Protocol (SNMP). The format of the MIB is defined as part of the SNMP. This section contains the following topics:
Traps
Monitoring

Traps
SMS MIB Files
TPT-SMS-TRAP-MIB
The TPT-SMS-TRAP-MIB file defines the SMS traps. To download this file, log in to the TippingPoint Threat Management Center (TMC) web site at https://tmc.tippingpoint.com, navigate to the Documentation area for this product release, and select Enterprise MIB files.
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- TippingPoint Technologies, Inc
-- Copyright information is in the DESCRIPTION section of the MODULE-IDENTITY.
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

TPT-SMS-TRAP-MIB DEFINITIONS ::= BEGIN

IMPORTS
    -- IpAddress is the SYNTAX of tptSmsQuarantineDeviceIP below
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, IpAddress
        FROM SNMPv2-SMI
    OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    tpt-reg
        FROM TIPPINGPOINT-REG-MIB
    tpt-sms-notifypayload, tpt-sms-eventsV2, tpt-sms-groups
        FROM TPT-SMSMIBS ;

tptSmsTrapsModule MODULE-IDENTITY
    LAST-UPDATED "0508301900Z"
    ORGANIZATION "TippingPoint Technologies, Inc."
    CONTACT-INFO "www.tippingpoint.com"
    DESCRIPTION
        "The following describes the notifications sent to and from an SMS box.
         Copyright 2001-2005 TippingPoint Technologies, Inc. All rights reserved.
         This document contains confidential and proprietary information to
         TippingPoint Technologies, Inc. Use of this document is subject to the
         terms and conditions of TippingPoint's Non-Disclosure Agreement."
    ::= { tpt-reg 4 }

-- Quarantine traps exchanged between the SMS and an external NMS

tptSmsQuarantineRequest NOTIFICATION-TYPE
    OBJECTS { tptSmsQuarantineNotifyId, tptSmsQuarantineNotifyData }
    STATUS current
    DESCRIPTION
        "SMS asking an external NMS to quarantine an endstation using the data
         embedded in the request"
    ::= { tpt-sms-eventsV2 1 }

tptSmsQuarantineAck NOTIFICATION-TYPE
    OBJECTS { tptSmsQuarantineNotifyId, tptSmsQuarantineNotifyData }
    STATUS current
    DESCRIPTION
        "External NMS notifying the SMS that a previously quarantine request
         was processed."
    ::= { tpt-sms-eventsV2 2 }

tptSmsQuarantineReleaseRequest NOTIFICATION-TYPE
    OBJECTS { tptSmsQuarantineNotifyId, tptSmsQuarantineNotifyData }
    STATUS current
    DESCRIPTION
        "SMS asking an external NMS to unquarantine an endstation using the data
         embedded in the request"
    ::= { tpt-sms-eventsV2 3 }

tptSmsQuarantineReleaseAck NOTIFICATION-TYPE
    OBJECTS { tptSmsQuarantineNotifyId, tptSmsQuarantineNotifyData }
    STATUS current
    DESCRIPTION
        "External NMS notifying the SMS that a previously unquarantine request
         was processed."
    ::= { tpt-sms-eventsV2 4 }

tptSmsQuarantinePolicyNotification NOTIFICATION-TYPE
    OBJECTS { tptSmsQuarantinePolicyMatchData }
    STATUS current
    DESCRIPTION "SMS sending notification of a policy match"
    ::= { tpt-sms-eventsV2 5 }

tptSmsUnQuarantineRequest NOTIFICATION-TYPE
    OBJECTS { tptSmsQuarantineNotifyId, tptSmsQuarantineDeviceIP,
              tptSmsQuarantineDeviceMAC }
    STATUS current
    DESCRIPTION
        "Inverse of tptSMSQuarantineCommand - command the SMS to unquarantine an
         endstation. You can explicitly specify a quarantined host ID if you know
         it; otherwise, you may specify the IP only, in which case the SMS will
         look up the MAC; or the IP+MAC."
    ::= { tpt-sms-eventsV2 6 }

tptSmsQuarantineCommand NOTIFICATION-TYPE
    OBJECTS { tptSmsQuarantineDeviceIP, tptSmsQuarantinePolicyName }
    STATUS current
    DESCRIPTION
        "Inverse of tptSmsUnquarantineRequest - command the SMS to quarantine an
         endstation. SMS will look up the MAC."
    ::= { tpt-sms-eventsV2 14 }

-- Lifecycle traps

tptSmsBoot NOTIFICATION-TYPE
    OBJECTS { }
    STATUS current
    DESCRIPTION "SMS: system has booted"
    ::= { tpt-sms-eventsV2 7 }

tptSmsReboot NOTIFICATION-TYPE
    OBJECTS { }
    STATUS current
    DESCRIPTION "SMS: system is rebooting"
    ::= { tpt-sms-eventsV2 8 }

tptSmsShuttingDown NOTIFICATION-TYPE
    OBJECTS { }
    STATUS current
    DESCRIPTION "SMS: system is shutting down"
    ::= { tpt-sms-eventsV2 9 }

tptSmsReady NOTIFICATION-TYPE
    OBJECTS { }
    STATUS current
    DESCRIPTION "SMS: system is ready"
    ::= { tpt-sms-eventsV2 10 }

tptSmsAuthenticationError NOTIFICATION-TYPE
    OBJECTS { }
    STATUS current
    DESCRIPTION "SMS: authentication error"
    ::= { tpt-sms-eventsV2 11 }

tptSmsEgpNeighborDownstate NOTIFICATION-TYPE
    OBJECTS { }
    STATUS current
    DESCRIPTION "SMS: EGP neighbor to downstate"
    ::= { tpt-sms-eventsV2 12 }

tptSmsSystemRestart NOTIFICATION-TYPE
    OBJECTS { }
    STATUS current
    DESCRIPTION "SMS: server process has restarted"
    ::= { tpt-sms-eventsV2 13 }

-- The following variables are for use in the varbinds of traps only.
-- They cannot be retrieved by the NMS.

tptSmsQuarantineNotifyId OBJECT-TYPE
    SYNTAX INTEGER (0..2147483647)
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A unique incrementing integer assigned for each quarantine event."
    ::= { tpt-sms-notifypayload 1 }

tptSmsQuarantineNotifyData OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A string consisting of the parameters used to identify the device to
         quarantine. The format is NAME:VALUE with multiple parameters separated
         by a newline"
    ::= { tpt-sms-notifypayload 2 }

tptSmsQuarantinePolicyMatchData OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A string consisting of the parameters used to identify the matching policy"
    ::= { tpt-sms-notifypayload 3 }

tptSmsQuarantineNotifyType OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A string consisting of the parameters used to identify the matching policy"
    ::= { tpt-sms-notifypayload 4 }

tptSmsQuarantineDeviceIP OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "An IP address used as a trap parameter."
    ::= { tpt-sms-notifypayload 5 }

tptSmsQuarantineDeviceMAC OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A MAC address used as a trap parameter"
    ::= { tpt-sms-notifypayload 6 }

tptSmsQuarantineSwitchPort OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A port number or index used as a trap parameter"
    ::= { tpt-sms-notifypayload 7 }

tptSmsQuarantineEndpointUser OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A string consisting of the parameters used to identify the matching policy"
    ::= { tpt-sms-notifypayload 8 }

tptSmsQuarantineNotifyActionList OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A string consisting of the parameters used to identify the matching policy"
    ::= { tpt-sms-notifypayload 9 }

tptSmsQuarantineNotifyParamList OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A string consisting of the parameters used to identify the matching policy"
    ::= { tpt-sms-notifypayload 10 }

tptSmsQuarantineNotifyOptionList OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "A string consisting of the parameters used to identify the matching policy"
    ::= { tpt-sms-notifypayload 11 }

tptSmsQuarantinePolicyName OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The name of an SMS Quarantine Policy. If the named policy does not exist
         on the SMS, a default will be chosen."
    ::= { tpt-sms-notifypayload 12 }

-- Quarantine data groups

tptSmsQuarantineDataGroup OBJECT-GROUP
    OBJECTS { tptSmsQuarantineNotifyId, tptSmsQuarantineNotifyData,
              tptSmsQuarantinePolicyMatchData }
    STATUS current
    DESCRIPTION
        "Payload of SMS quarantine traps consisting of a unique identifier and a
         parseable string"
    ::= { tpt-sms-groups 1 }

tptSmsQuarantineNotifyGroup NOTIFICATION-GROUP
    NOTIFICATIONS { tptSmsQuarantineRequest, tptSmsQuarantineReleaseRequest,
                    tptSmsQuarantinePolicyNotification }
    STATUS current
    DESCRIPTION
        "SMS quarantine traps sent to an NMS to indicate devices that require a
         quarantine operation"
    ::= { tpt-sms-groups 2 }

tptSmsQuarantineNotifyAckGroup NOTIFICATION-GROUP
    NOTIFICATIONS { tptSmsQuarantineAck, tptSmsQuarantineReleaseAck }
    STATUS current
    DESCRIPTION
        "SMS quarantine traps sent to an SMS system to indicate devices that have
         been quarantined"
    ::= { tpt-sms-groups 3 }

tptSmsQuarantineRequestGroup NOTIFICATION-GROUP
    NOTIFICATIONS { tptSmsQuarantineCommand, tptSmsUnQuarantineRequest }
    STATUS current
    DESCRIPTION
        "SMS quarantine traps received to indicate devices that require a
         (un)quarantine operation"
    ::= { tpt-sms-groups 4 }

END
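An NMS that receives these traps has to do two things the MIB only describes in prose: map the trap OID to the notification name, and parse tptSmsQuarantineNotifyData, whose format is NAME:VALUE parameters separated by newlines. The following Python functions are an added example, not TippingPoint code. The numeric prefixes of tpt-sms-eventsV2 and tpt-sms-notifypayload are not given on this page (they hang off tpt-reg in TIPPINGPOINT-REG-MIB), so they are passed in as parameters; the varbinds and payload text used at the bottom are constructed sample data with symbolic prefixes. The tracker at the end uses the fact that tptSmsQuarantineNotifyId is a unique incrementing integer per quarantine event to accept each request once, so a retransmitted or replayed trap does not quarantine an endstation twice.

```python
"""Decode TPT-SMS-TRAP-MIB notifications on the receiving NMS (added example; not TippingPoint code)."""

# Notification arcs under tpt-sms-eventsV2 and varbind arcs under tpt-sms-notifypayload,
# taken from the MIB above.
EVENTS_V2 = {
    1: "tptSmsQuarantineRequest", 2: "tptSmsQuarantineAck",
    3: "tptSmsQuarantineReleaseRequest", 4: "tptSmsQuarantineReleaseAck",
    5: "tptSmsQuarantinePolicyNotification", 6: "tptSmsUnQuarantineRequest",
    7: "tptSmsBoot", 8: "tptSmsReboot", 9: "tptSmsShuttingDown", 10: "tptSmsReady",
    11: "tptSmsAuthenticationError", 12: "tptSmsEgpNeighborDownstate",
    13: "tptSmsSystemRestart", 14: "tptSmsQuarantineCommand",
}
PAYLOAD = {
    1: "tptSmsQuarantineNotifyId", 2: "tptSmsQuarantineNotifyData",
    3: "tptSmsQuarantinePolicyMatchData", 4: "tptSmsQuarantineNotifyType",
    5: "tptSmsQuarantineDeviceIP", 6: "tptSmsQuarantineDeviceMAC",
    7: "tptSmsQuarantineSwitchPort", 8: "tptSmsQuarantineEndpointUser",
    9: "tptSmsQuarantineNotifyActionList", 10: "tptSmsQuarantineNotifyParamList",
    11: "tptSmsQuarantineNotifyOptionList", 12: "tptSmsQuarantinePolicyName",
}


def parse_notify_data(text):
    """Parse tptSmsQuarantineNotifyData: NAME:VALUE parameters separated by newlines.

    Only the first colon splits a pair, so a value that itself contains colons (a MAC
    address, an IPv6 address) survives. A line with no colon is rejected rather than
    guessed at, because the NMS acts on these values.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed NAME:VALUE parameter: {raw!r}")
        name, value = line.split(":", 1)
        params[name.strip()] = value.strip()
    return params


def _arc_after(oid, prefix):
    """Return the integer arc following prefix in oid, or None if oid is not under prefix."""
    if not oid.startswith(prefix + "."):
        return None
    return int(oid[len(prefix) + 1:].split(".")[0])


def decode_trap(trap_oid, varbinds, events_v2_oid, payload_oid):
    """Map a received trap to its MIB name and its varbinds keyed by name.

    events_v2_oid and payload_oid are the dotted prefixes of tpt-sms-eventsV2 and
    tpt-sms-notifypayload as the NMS resolves them from the TippingPoint MIBs; they are
    parameters because this page does not give the numeric values.
    """
    name = EVENTS_V2.get(_arc_after(trap_oid, events_v2_oid))
    if name is None:
        raise ValueError(f"{trap_oid} is not a TPT-SMS-TRAP-MIB notification")
    fields = {}
    for oid, value in varbinds:
        payload_arc = _arc_after(oid, payload_oid)
        if payload_arc is not None:
            fields[PAYLOAD.get(payload_arc, oid)] = value
    event = {"name": name, "fields": fields}
    if "tptSmsQuarantineNotifyData" in fields:
        event["params"] = parse_notify_data(fields["tptSmsQuarantineNotifyData"])
    return event


class QuarantineTracker:
    """Accept each quarantine event once, keyed on tptSmsQuarantineNotifyId.

    The MIB defines the id as a unique incrementing integer per quarantine event, so a
    trap the SMS retransmits, or one replayed on the network, carries an id already seen
    and must not trigger the quarantine action a second time.
    """

    def __init__(self):
        self.seen = set()

    def accept(self, event):
        notify_id = event["fields"].get("tptSmsQuarantineNotifyId")
        if notify_id is None:
            return True               # lifecycle traps carry no id and are not deduplicated
        if notify_id in self.seen:
            return False
        self.seen.add(notify_id)
        return True


if __name__ == "__main__":
    # Constructed sample: a quarantine request as the NMS would see it, with symbolic
    # prefixes standing in for the numeric OIDs resolved from the TippingPoint MIBs.
    request = decode_trap("tpt-sms-eventsV2.1",
                          [("tpt-sms-notifypayload.1", 42),
                           ("tpt-sms-notifypayload.2", "IP:10.0.0.5\nMAC:00:11:22:33:44:55\n")],
                          "tpt-sms-eventsV2", "tpt-sms-notifypayload")
    tracker = QuarantineTracker()
    print(request["name"], request["params"], tracker.accept(request), tracker.accept(request))
```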


Monitoring
SMS MIB Files
TPT-SMSMIBS
The TPT-SMSMIBS file defines monitoring functions. To download this file, log in to the TippingPoint Threat Management Center (TMC) web site at https://tmc.tippingpoint.com, navigate to the Documentation area for this product release, and select Enterprise MIB files.

-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- TippingPoint Technologies, Inc
-- Copyright information is in the DESCRIPTION section of the MODULE-IDENTITY.
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

TPT-SMSMIBS DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-IDENTITY
        FROM SNMPv2-SMI
    tpt-products, tpt-reg
        FROM TIPPINGPOINT-REG-MIB ;

tpt-smsMIBs MODULE-IDENTITY
    LAST-UPDATED "0508121508Z"
    ORGANIZATION "TippingPoint Technologies, Inc."
    CONTACT-INFO "www.tippingpoint.com"
    DESCRIPTION
        "Sub-tree for objects and events on the SMS.
         Copyright 2001-2005 TippingPoint Technologies, Inc. All rights reserved.
         This document contains confidential and proprietary information to
         TippingPoint Technologies, Inc. Use of this document is subject to the
         terms and conditions of TippingPoint's Non-Disclosure Agreement. "
    ::= { tpt-products 4 }

-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- SMS top level MIBs
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

tpt-sms-conf OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This sub-tree is for conformance. (OBJECT-GROUP, NOTIFICATION-GROUP,
         MODULE-COMPLIANCE)"
    ::= { tpt-smsMIBs 1 }

tpt-sms-objs OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "This sub-tree is for all managed objects on the SMS."
    ::= { tpt-smsMIBs 2 }

tpt-sms-events OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This sub-tree is for all events (NOTIFICATION-TYPE) and payload
         variables that are needed for notifications."
    ::= { tpt-smsMIBs 3 }

-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- Conformance top level MIBS
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

tpt-sms-groups OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "This sub-tree is for all groups. (OBJECT-GROUP, NOTIFICATION-GROUP)"
    ::= { tpt-sms-conf 1 }

tpt-sms-compls OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "This sub-tree is for all compliance MIBs. (MODULE-COMPLIANCE)"
    ::= { tpt-sms-conf 2 }

-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- Notification top level MIBs
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

tpt-sms-eventsV2 OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "This sub-tree is for all notification MIBs for a SMS."
    ::= { tpt-sms-events 0 }

tpt-sms-notifypayload OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This sub-tree is for all MIB variables sent as part of a notification
         payload sent by a SMS."
    ::= { tpt-sms-events 1 }

-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- Model numbers
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

tpt-sms-family OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "Registration for the TPT security management system."
    ::= { tpt-reg 3 }

END

Public MIB Files
The publicly available UCD-SNMP and UCD-DISKIO ucdavis MIB definitions can be used to query SMS Health values. These files can be downloaded from the following locations:
http://net-snmp.sourceforge.net/docs/mibs/
http://net-snmp.sourceforge.net/docs/mibs/UCD-SNMP-MIB.txt
http://net-snmp.sourceforge.net/docs/mibs/UCD-DISKIO-MIB.txt


Health Monitoring
The following table lists the OIDs that are used to graph and display values in the SMS Health section of the SMS client.

Table 7-1: SMS Health Section OIDs

  Section            Description               OID
  CPU                CPU_USER                  1.3.6.1.4.1.2021.11.50.0
                     CPU_SYS                   1.3.6.1.4.1.2021.11.52.0
                     CPU_IDLE                  1.3.6.1.4.1.2021.11.53.0
  Filesystem         FS_DSKPATH                1.3.6.1.4.1.2021.9.1.2
                     FS_DEVPATH                1.3.6.1.4.1.2021.9.1.3
                     FS_TOTAL                  1.3.6.1.4.1.2021.9.1.6
                     FS_AVAIL                  1.3.6.1.4.1.2021.9.1.7
                     FS_USED                   1.3.6.1.4.1.2021.9.1.8
                     FS_PERCENT                1.3.6.1.4.1.2021.9.1.9
                     FS_IPERCENT               1.3.6.1.4.1.2021.9.1.10
  High Availability  HA                        1.3.6.1.4.1.2021.8.1.101.34
  Memory             SWAP_TOTAL                1.3.6.1.4.1.2021.4.3.0
                     SWAP_AVAIL                1.3.6.1.4.1.2021.4.4.0
                     REALMEM_TOTAL             1.3.6.1.4.1.2021.4.5.0
                     REALMEM_AVAIL             1.3.6.1.4.1.2021.4.6.0
  Network Traffic    ETH0_RX_BYTES             1.3.6.1.4.1.2021.8.1.101.1
                     ETH0_RX_PACKETS           1.3.6.1.4.1.2021.8.1.101.2
                     ETH0_RX_ERRORS            1.3.6.1.4.1.2021.8.1.101.3
                     ETH0_RX_DROPPED           1.3.6.1.4.1.2021.8.1.101.4
                     ETH0_RX_FIFO_ERRORS       1.3.6.1.4.1.2021.8.1.101.5
                     ETH0_RX_FRAME_ERRORS      1.3.6.1.4.1.2021.8.1.101.6
                     ETH0_RX_COMPRESSED        1.3.6.1.4.1.2021.8.1.101.7
                     ETH0_TX_BYTES             1.3.6.1.4.1.2021.8.1.101.8
                     ETH0_TX_PACKETS           1.3.6.1.4.1.2021.8.1.101.9
                     ETH0_TX_ERRORS            1.3.6.1.4.1.2021.8.1.101.10
                     ETH0_TX_DROPPED           1.3.6.1.4.1.2021.8.1.101.11
                     ETH0_TX_FIFO_ERRORS       1.3.6.1.4.1.2021.8.1.101.12
                     ETH0_TX_CARRIER_ERRORS    1.3.6.1.4.1.2021.8.1.101.13
                     ETH0_TX_COMPRESSED        1.3.6.1.4.1.2021.8.1.101.14
                     ETH0_MULTICAST            1.3.6.1.4.1.2021.8.1.101.15
                     ETH0_COLLISIONS           1.3.6.1.4.1.2021.8.1.101.16
                     ETH1_RX_BYTES             1.3.6.1.4.1.2021.8.1.101.17
                     ETH1_RX_PACKETS           1.3.6.1.4.1.2021.8.1.101.18
                     ETH1_RX_ERRORS            1.3.6.1.4.1.2021.8.1.101.19
                     ETH1_RX_DROPPED           1.3.6.1.4.1.2021.8.1.101.20
                     ETH1_RX_FIFO_ERRORS       1.3.6.1.4.1.2021.8.1.101.21
                     ETH1_RX_FRAME_ERRORS      1.3.6.1.4.1.2021.8.1.101.22
                     ETH1_RX_COMPRESSED        1.3.6.1.4.1.2021.8.1.101.23
                     ETH1_TX_BYTES             1.3.6.1.4.1.2021.8.1.101.24
                     ETH1_TX_PACKETS           1.3.6.1.4.1.2021.8.1.101.25
                     ETH1_TX_ERRORS            1.3.6.1.4.1.2021.8.1.101.26
                     ETH1_TX_DROPPED           1.3.6.1.4.1.2021.8.1.101.27
                     ETH1_TX_FIFO_ERRORS       1.3.6.1.4.1.2021.8.1.101.28
                     ETH1_TX_CARRIER_ERRORS    1.3.6.1.4.1.2021.8.1.101.29
                     ETH1_TX_COMPRESSED        1.3.6.1.4.1.2021.8.1.101.30
                     ETH1_MULTICAST            1.3.6.1.4.1.2021.8.1.101.31
                     ETH1_COLLISIONS           1.3.6.1.4.1.2021.8.1.101.32
  Temperature        TEMPERATURE               1.3.6.1.4.1.2021.8.1.101.33
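The OIDs in Table 7-1 all sit under the UCD-SNMP enterprise arc (1.3.6.1.4.1.2021) but are not all alike, and the difference matters when you graph them yourself: CPU_USER, CPU_SYS and CPU_IDLE are the ssCpuRaw* tick counters, so a percentage only comes from the difference between two samples; the memory and swap values are reported in kB; the FS_* OIDs are columns of the dskTable and need a row index appended per filesystem; and the .8.1.101.N rows (network traffic, HA, temperature) are extOutput strings produced by commands on the SMS. The following Python script is an added example, not HP code. It parses snmpget -On output for a subset of the table and turns it into the kind of figures the SMS Health screen shows. The two snapshots at the bottom are constructed sample output, not captured from an SMS, and the warning thresholds are arbitrary assumptions.

```python
"""Turn the Table 7-1 SNMP values into SMS health figures (added example; not HP code)."""
import re

UCD = "1.3.6.1.4.1.2021"              # UCD-SNMP (ucdavis) enterprise arc
HEALTH_OIDS = {                       # subset of Table 7-1, keyed by its Description column
    "CPU_USER": UCD + ".11.50.0",     # ssCpuRawUser: a tick counter, not a percentage
    "CPU_SYS": UCD + ".11.52.0",      # ssCpuRawSystem
    "CPU_IDLE": UCD + ".11.53.0",     # ssCpuRawIdle
    "SWAP_TOTAL": UCD + ".4.3.0",     # memory values are reported in kB
    "SWAP_AVAIL": UCD + ".4.4.0",
    "REALMEM_TOTAL": UCD + ".4.5.0",
    "REALMEM_AVAIL": UCD + ".4.6.0",
    "TEMPERATURE": UCD + ".8.1.101.33",   # extOutput: free-form string from a command
    "HA": UCD + ".8.1.101.34",
}
# One line of `snmpget -On` / `snmpwalk -On` output: OID = TYPE: value
LINE_RE = re.compile(r"^\.?(?P<oid>\d+(?:\.\d+)*) = (?P<type>[A-Za-z0-9]+): ?(?P<value>.*)$")


def parse_snmp_output(text):
    """Parse -On output lines into {oid: value}; numeric SNMP types become int."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # blank lines, "No Such Object ...", timeouts
        typ, val = m["type"], m["value"]
        if typ in ("INTEGER", "Counter32", "Counter64", "Gauge32"):
            val = int(val.split()[0])  # "8000000 kB" -> 8000000
        elif typ == "STRING":
            val = val.strip('"')
        values[m["oid"]] = val
    return values


def by_name(values):
    """Re-key one parsed sample by the Table 7-1 names present in it."""
    return {name: values[oid] for name, oid in HEALTH_OIDS.items() if oid in values}


def cpu_percent(prev, curr):
    """CPU split between two reads of the raw tick counters.

    The raw counters only grow, so one read says nothing about load; the share of ticks
    spent in each state between two reads does. Percentages are relative to the three
    counters the SMS graphs (nice, wait and interrupt ticks are not in Table 7-1).
    """
    deltas = {k: curr[k] - prev[k] for k in ("CPU_USER", "CPU_SYS", "CPU_IDLE")}
    total = sum(deltas.values())
    if total <= 0:
        raise ValueError("no ticks elapsed between samples (or a counter wrapped)")
    return {k: round(100.0 * d / total, 1) for k, d in deltas.items()}


def used_percent(sample, total_key, avail_key):
    """Percentage used from a total/available pair (swap or real memory)."""
    total = sample[total_key]
    return 0.0 if total == 0 else round(100.0 * (total - sample[avail_key]) / total, 1)


def health_report(prev_text, curr_text, mem_warn=90.0, swap_warn=50.0):
    """Summarize two snmpget snapshots; the warning thresholds are arbitrary assumptions."""
    prev, curr = by_name(parse_snmp_output(prev_text)), by_name(parse_snmp_output(curr_text))
    report = {"cpu": cpu_percent(prev, curr),
              "mem_used_pct": used_percent(curr, "REALMEM_TOTAL", "REALMEM_AVAIL"),
              "swap_used_pct": used_percent(curr, "SWAP_TOTAL", "SWAP_AVAIL"),
              "ha": curr.get("HA"), "temperature": curr.get("TEMPERATURE")}
    checks = (("memory", report["mem_used_pct"] >= mem_warn),
              ("swap", report["swap_used_pct"] >= swap_warn))
    report["warnings"] = [name for name, hit in checks if hit]
    return report


# Constructed sample output (not captured from a real SMS): two reads a few seconds apart.
SAMPLE_T0 = """\
.1.3.6.1.4.1.2021.11.50.0 = Counter32: 1000
.1.3.6.1.4.1.2021.11.52.0 = Counter32: 500
.1.3.6.1.4.1.2021.11.53.0 = Counter32: 8500
.1.3.6.1.4.1.2021.4.3.0 = INTEGER: 4000000 kB
.1.3.6.1.4.1.2021.4.4.0 = INTEGER: 4000000 kB
.1.3.6.1.4.1.2021.4.5.0 = INTEGER: 8000000 kB
.1.3.6.1.4.1.2021.4.6.0 = INTEGER: 2100000 kB
.1.3.6.1.4.1.2021.8.1.101.33 = STRING: 41
.1.3.6.1.4.1.2021.8.1.101.34 = STRING: standalone
"""
SAMPLE_T1 = """\
.1.3.6.1.4.1.2021.11.50.0 = Counter32: 1300
.1.3.6.1.4.1.2021.11.52.0 = Counter32: 600
.1.3.6.1.4.1.2021.11.53.0 = Counter32: 9100
.1.3.6.1.4.1.2021.4.3.0 = INTEGER: 4000000 kB
.1.3.6.1.4.1.2021.4.4.0 = INTEGER: 4000000 kB
.1.3.6.1.4.1.2021.4.5.0 = INTEGER: 8000000 kB
.1.3.6.1.4.1.2021.4.6.0 = INTEGER: 2000000 kB
.1.3.6.1.4.1.2021.8.1.101.33 = STRING: 42
.1.3.6.1.4.1.2021.8.1.101.34 = STRING: standalone
"""

if __name__ == "__main__":
    print(health_report(SAMPLE_T0, SAMPLE_T1))
```

Feed it the output of two snmpget -On runs against the SMS a few seconds apart; the two memory percentages are valid from a single read, the CPU split is not.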
