A-34
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
Communications
SDEE
The Cisco IPS produces various types of events, including intrusion alerts and status events. The IPS
communicates events to clients, such as management applications, using the proprietary IPS-industry
leading protocol SDEE, a product-independent standard for communicating security device events.
SDEE adds the extensibility features that are needed for communicating events generated by various
types of security devices.
Systems that use SDEE to communicate events to clients are referred to as SDEE providers. SDEE
specifies that events can be transported using the HTTP or HTTP over SSL and TLS protocols. When
HTTP or HTTPS is used, SDEE providers act as HTTP servers, while SDEE clients are the initiators of
HTTP requests.
The IPS includes the web server, which processes HTTP or HTTPS requests. The web server uses
run-time loadable servlets to process the different types of HTTP requests. Each servlet handles HTTP
requests that are directed to the URL associated with the servlet. The SDEE server is implemented as a
web server servlet.
The SDEE server only processes authorized requests. A request is authorized if it arrives through the
web server, which authenticates the identity of the client and determines the privilege level of the client.
CIDEE
CIDEE specifies the extensions to SDEE that are used by the Cisco IPS. The CIDEE standard specifies
all possible extensions that are supported by the Cisco IPS. Specific systems may implement a subset of
CIDEE extensions. However, any extension that is designated as being required MUST be supported by
all systems. CIDEE specifies the Cisco IPS-specific security device events and the IPS extensions to the
SDEE evIdsAlert element.
CIDEE supports the following events:
evError—Error event
Generated by the CIDEE provider when the provider detects an error or warning condition. The
evError event contains an error code and a textual description of the error.
evStatus—Status message event
Generated by CIDEE providers to indicate that something of potential interest occurred on the host.
Different types of status messages can be reported in the status event—one message per event. Each
type of status message contains a set of data elements that are specific to the type of occurrence that
the status message is describing. The information in many of the status messages is useful for audit
purposes. Errors and warnings are not considered status information and are reported using evError
rather than evStatus.
evShunRqst—Block request event
Generated to indicate that a block action is to be initiated by the service that handles network
blocking.
The following is a CIDEE extended event example:
<sd:events xmlns:cid="http://www.cisco.com/cids/2004/04/cidee"
    xmlns:sd="http://example.org/2003/08/sdee">
  <sd:evIdsAlert eventId="1042648730045587005" vendor="Cisco" severity="medium">
    <sd:originator>
      <sd:hostId>Beta4Sensor1</sd:hostId>
      <cid:appName>sensorApp</cid:appName>
      <cid:appInstanceId>8971</cid:appInstanceId>
    </sd:originator>
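As an added example (not code from the guide or from Cisco), the following shows how an SDEE client consuming this feed would parse CIDEE events by namespace, dispatch on the event type, and filter alerts by severity. The sample document is constructed: it is the evIdsAlert fragment above closed off, plus a hypothetical evError whose element layout is assumed, and the severity ranking is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs exactly as they appear in the CIDEE example in the text.
NS = {
    "sd": "http://example.org/2003/08/sdee",
    "cid": "http://www.cisco.com/cids/2004/04/cidee",
}

# Constructed sample: the page's evIdsAlert, closed, plus a hypothetical
# evError (CIDEE extension, so in the cid namespace) to exercise dispatch.
SAMPLE = """<sd:events xmlns:cid="http://www.cisco.com/cids/2004/04/cidee"
    xmlns:sd="http://example.org/2003/08/sdee">
  <sd:evIdsAlert eventId="1042648730045587005" vendor="Cisco" severity="medium">
    <sd:originator>
      <sd:hostId>Beta4Sensor1</sd:hostId>
      <cid:appName>sensorApp</cid:appName>
      <cid:appInstanceId>8971</cid:appInstanceId>
    </sd:originator>
  </sd:evIdsAlert>
  <cid:evError eventId="1042648730045587006" vendor="Cisco">
    <sd:originator><sd:hostId>Beta4Sensor1</sd:hostId></sd:originator>
  </cid:evError>
</sd:events>"""

# Assumed ordering of the alert severity words used by the sensor.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

def parse_cidee_events(xml_text):
    """Return one dict per child of sd:events; 'type' is the element's local name."""
    root = ET.fromstring(xml_text)
    events = []
    for el in root:
        local = el.tag.split("}", 1)[-1]      # strip the "{namespace}" prefix
        orig = el.find("sd:originator", NS)    # may be absent on some events
        def text(path):
            return None if orig is None else orig.findtext(path, default=None, namespaces=NS)
        events.append({
            "type": local,
            "eventId": el.get("eventId"),
            "vendor": el.get("vendor"),
            "severity": el.get("severity"),    # None for non-alert events
            "hostId": text("sd:hostId"),
            "appName": text("cid:appName"),
            "appInstanceId": text("cid:appInstanceId"),
        })
    return events

def alerts_at_or_above(events, level):
    """Keep only evIdsAlert events whose severity is at least `level`."""
    floor = SEVERITY_RANK[level]
    return [e for e in events
            if e["type"] == "evIdsAlert"
            and SEVERITY_RANK.get(e["severity"], -1) >= floor]
```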