>>CS-MARS - uses an SDEE subscription

One of the things I've noticed with the latest version of CSMARS is that it doesn't use persistent connections to the IPS sensors, but rather connects on a schedule. Does that preclude CSMARS from using the SDEE subscription model? The documentation I have suggest that this does not preclude CSMARS from using a subscription, but I'm curious.

A persistent connection is not required for using SDEE subscriptions.

When a subscription is started the server will return a subscription ID to the client.

This subscription ID is not tied to that connection.

The Client just needs to use that subscription ID in any GET requests for that subscription.

So a Client using even HTTP 1.0 with only a single GET per connection can still be used for an SDEE subscription.

MARS's method of closing a connection after retreiving a chunk of data, and then opening a new connection for a GET of new data is fully supported.

In fact we have built specific options into SDEE to handle error situations that can specifically occur when using multiple connections for a single subscription.

This also means that a device like MARS that is rebooted can store off the subscription ID before reboot, and then execute a new connection after reboot continuing the same subscription with that subscription ID.

So, Does it mean RDEP is not used now in version 5.x?

Thank you for the information,

Regards

IPS software version 5.0 communicates events using the Security Device Event Exchange (SDEE) protocol; however, version 5.0 still uses RDEP for communicating configuration (IDM) and IP log information

M.

The Version 4.x RDEP contains 3 different types of communcations.

- Event Subscriptions/Queries (alerts, status, and error messages)

- Execution Control Transactions (adding blocks, adding IP Logs, reset, etc..)

- Configuration Control Transactions (changing sensor configurations)

In Version 5.x and 6.0 the SDEE server was added for Subscription and Queries of events.

All events quereied through the SDEE server will be in the new SDEE format with CIDEE extensions.

However, RDEP Subscription/Queries are still supported, but the events queried through RDEP will be in the older RDEP format and will NOT contain any new SDEE fields that were added in 5.x and 6.0.

(NOTE: This RDEP support for subscriptions and queries will be removed in a future IPS version. The support in 5.x and 6.0 was put in so that users could have a couple of years to transition from RDEP to SDEE for event monitoring)

Version 5.x and 6.0 still use the Version 4.x Execution Control Transactions, and have added new ones as well.

Version 5.x and 6.0 use a new set of IDCONF Control Transactions for managing configuration. The version 4.x Configuration Control Transactions are not supported in 5.x and 6.x.

marcabal,

Is there any new documentation that describes the [new] specification. I have some older stuff, but I believe it must be out of date.

The date on the SDEE spec I have is:

Jeff Platzer

Cisco Systems

August 20, 2003

I believe that is the latest SDEE specification.

However, understand that SDEE is really just a base that can be used by any company. SDEE allows for extensions that can be company specific.

For Cisco those extensions are in the "Cisco Intrusion Detection Event Exchange (CIDEE) Standard". CIDEE will be rev'd any time we add new fields.

If enough other companies want to use the same fields, then they would eventually be added to the SDEE standard for use by all companies.

So what you need is the latest CIDEE specification. I just checked on CCO and it does not appear to be updated for the latest 6.0 changes.

I would suggest contacting the TAC and requesting a copy of the latest CIDEE Schema.

The latest CIDEE standard I have states:

Revised 20-April-2004

Is the the most recent?

The latest CIDEE version for IPS version 6.0 is dated 30-August-2006.

I can provide this doc if needed.

Jeff

Jeff -

Can you email this doc to me? My email address is jay.walker@swinc.com.

Thanks!

Jay Walker

Jay/Jeff,

Could someone share or redirect me to the latest CIDEE specs for IPS v6.x?

Thanks in advance,

Michael

This is what I have.