As of Cisco IOS Release 12.3(11)T, Cisco IOS IPS provides two
methods to report IPS intrusion alerts: Cisco IOS logging (syslog) and
Security Device Event Exchange (SDEE).
NOTE: Effective Cisco IOS Release 12.3(11)T, the Post Office protocol is no
longer supported.
SDEE is a new standard that specifies the format of messages and the
protocol used to communicate events generated by security devices, such as the
exchange of IPS messages between IPS clients and IPS servers. Some of the
benefits of SDEE are shown in Figure. SDEE is vendor-neutral, so that all
vendors can support it and remain compatible with one another. This allows
mixed IPS vendor environments to have one network management alert interface.
ICSA is currently proposing SDEE as the unified industry protocol format for all
vendors to communicate with network management applications. SDEE uses a pull
mechanism, meaning that requests come from the network management application
and the IPS router responds. SDEE utilizes HTTP and XML to provide a
standardized interface. The Cisco IOS IPS router will still send IPS alerts via
syslog.
SDEE is always running, but it does not receive and process
events from IPS unless SDEE notification is enabled. If it is not enabled and a
client sends a request, SDEE will respond with a fault response message,
indicating that notification is not enabled.
Storing SDEE Events in the Buffer
When SDEE notification is enabled using the ip ips
notify sdee command, 200 events can automatically be stored
in the buffer. When SDEE notification is disabled, all stored events are lost.
A new buffer is allocated when the notifications are re-enabled.
When specifying the size of an events buffer, note the following functionality:
- It is circular. When the end of the buffer is reached, the buffer will
start overwriting the earliest stored events. If overwritten events have not
yet been reported, a buffer overflow notice will be received.
- If a new, smaller buffer is requested, all events that are stored in the
previous buffer will be lost.
- If a new, larger buffer is requested, all existing events will be
saved.
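The buffer rules above, modelled in code. This is an added example written for this page, not Cisco IOS code or a real SDEE implementation: it is a small Python class whose behaviour follows the text (circular buffer that overwrites the earliest stored events, an overflow notice when overwritten events were never pulled, loss of all events when the buffer shrinks or notification is disabled, preservation of events when the buffer grows, and a fault response to a pull while notification is off). The class, method and field names are assumptions; the default capacity of 100 and the 32 KB per-event cost come from the text.

```python
"""Model of the SDEE event buffer semantics described in the text.
Constructed illustration, not Cisco IOS code."""
from collections import deque
from dataclasses import dataclass, field

EVENT_SIZE_KB = 32  # per-event memory cost stated in the text


class NotificationDisabledFault(Exception):
    """Stands in for the SDEE fault response sent when notification is off."""


@dataclass
class SdeeEventBuffer:
    capacity: int = 100        # default number of events stated in the text
    enabled: bool = False      # SDEE runs, but processes no events until enabled
    _events: deque = field(default_factory=deque, init=False)
    _overflowed: bool = field(default=False, init=False)
    _next_id: int = field(default=1, init=False)

    def set_notification(self, on: bool) -> None:
        # Disabling discards every stored event; re-enabling allocates a fresh buffer.
        if on and not self.enabled:
            self._events = deque()
            self._overflowed = False
        elif not on:
            self._events.clear()
        self.enabled = on

    def resize(self, new_capacity: int) -> None:
        # A smaller buffer loses all stored events; a larger one keeps them.
        if new_capacity < self.capacity:
            self._events.clear()
            self._overflowed = False
        self.capacity = new_capacity

    def on_alert(self, signature: str) -> None:
        """Called by the IPS engine when a signature fires."""
        if not self.enabled:
            return  # notification disabled: event is not stored
        if len(self._events) >= self.capacity:
            # Circular: overwrite the earliest stored event. Anything still in
            # the buffer has not been pulled yet, so this is an unreported loss.
            self._events.popleft()
            self._overflowed = True
        self._events.append((self._next_id, signature))
        self._next_id += 1

    def pull(self, max_events: int = 50) -> dict:
        """Client-initiated pull; events handed out are removed from the buffer."""
        if not self.enabled:
            raise NotificationDisabledFault("SDEE notification is not enabled")
        count = min(max_events, len(self._events))
        batch = [self._events.popleft() for _ in range(count)]
        response = {"events": batch, "overflow": self._overflowed}
        self._overflowed = False  # the overflow notice is delivered once
        return response

    def stored(self) -> int:
        return len(self._events)

    def memory_kb(self) -> int:
        """Approximate memory reserved for the event queue at this capacity."""
        return self.capacity * EVENT_SIZE_KB


if __name__ == "__main__":
    buf = SdeeEventBuffer(capacity=3)
    buf.set_notification(True)
    for sig in ("3050", "2004", "1107", "3041"):  # constructed signature IDs
        buf.on_alert(sig)
    print(buf.pull())  # three newest events, overflow flagged
```

Calling `pull()` with notification disabled raises the fault instead of returning an empty list, which mirrors the text's fault response; a monitoring client should treat that as a configuration problem on the router rather than as "no alerts".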
SDEE Prerequisites
To use SDEE, the HTTP server must be
enabled with the ip http server command. If the HTTP server
is not enabled, the router cannot respond to the SDEE clients because it cannot
see the requests.
To specify the method of event notification, use
the ip ips notify command in global configuration mode. To disable
event notification, use the no form of this command.
The default number of events is 100. Raising the number of events past 100
may cause memory and performance impacts because each event in the event queue
requires 32 KB of memory.
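A prerequisite and sizing check for the two points above, as an added example that is not part of the original text or any Cisco tool. It scans a running-config excerpt for the ip ips notify sdee and ip http server lines named in the text, flags SDEE notification without the HTTP server, and estimates event-queue memory at 32 KB per event with the stated default of 100 events. The buffer-size line it looks for, ip sdee events N, is assumed from the IOS SDEE command set and is not named in the text; the sample configs are constructed, not from any real device.

```python
"""Constructed checker for the SDEE prerequisites and buffer sizing above.
Added example, not Cisco tooling."""
import re

EVENT_SIZE_KB = 32            # per-event memory cost from the text
DEFAULT_EVENTS = 100          # default number of events from the text
RECOMMENDED_MAX_EVENTS = 100  # text warns about going past 100

# Constructed running-config excerpts (hypothetical hostnames).
CONFIG_OK = """\
hostname edge-rtr
ip http server
ip ips notify sdee
ip sdee events 100
"""
CONFIG_BAD = """\
hostname branch-rtr
ip ips notify sdee
ip sdee events 500
"""


def parse_config(text: str) -> dict:
    """Extract the SDEE-relevant lines from a config excerpt."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    cfg = {
        "http_server": "ip http server" in lines,
        "sdee_notify": "ip ips notify sdee" in lines,
        "events": DEFAULT_EVENTS,
    }
    for ln in lines:
        # Assumed command form: "ip sdee events <count>"
        m = re.fullmatch(r"ip sdee events (\d+)", ln)
        if m:
            cfg["events"] = int(m.group(1))
    return cfg


def check_sdee(text: str) -> dict:
    """Return findings a reviewer would raise about this config."""
    cfg = parse_config(text)
    findings = []
    if cfg["sdee_notify"] and not cfg["http_server"]:
        findings.append(
            "ip ips notify sdee is configured but ip http server is not; "
            "the router will not see SDEE client requests")
    memory_kb = cfg["events"] * EVENT_SIZE_KB
    if cfg["events"] > RECOMMENDED_MAX_EVENTS:
        findings.append(
            f"SDEE event buffer of {cfg['events']} events needs about "
            f"{memory_kb} KB ({EVENT_SIZE_KB} KB each); expect memory and "
            f"performance impact")
    return {"events": cfg["events"], "memory_kb": memory_kb, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("CONFIG_OK", CONFIG_OK), ("CONFIG_BAD", CONFIG_BAD)):
        result = check_sdee(cfg)
        print(name, result["events"], "events,", result["memory_kb"], "KB")
        for f in result["findings"]:
            print("  -", f)
```

The check deliberately matches whole lines, so a commented-out or partially typed command is not mistaken for an active one.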