How to enable SDEE on AIP-SSM

Unanswered Question
Jul 15th, 2009

Hi,

What are the steps to enable SDEE on AIP-SSM in Cisco ASA?

Thanks.

pccw258103 Wed, 07/15/2009 - 04:37

The AIP-SSM does not support syslog as an alert format.

The default method to receive alert information from the AIP-SSM is through Security Device Event Exchange (SDEE).

Another option is to configure individual signatures in order to generate a SNMP trap as an action to take when they are triggered.

If you install Cisco IPS Manager Express (IME), with one application you can provision, monitor, troubleshoot, and generate reports for as many as five IDS, IPS, or IOS IPS devices.

tech_trac Wed, 07/15/2009 - 05:00

I am querying the AIP-SSM from MARS for the past events but it does not show any record. Devices/modules were added successfully in MARS.

'show events' on AIP-SSM does throw out several records.

pccw258103 Wed, 07/15/2009 - 07:02

CS-MARS extracts the logs from Cisco IPS 5.x and 6.x devices and modules using SDEE. SDEE communications are secured with Secure Sockets Layer/Transport Layer Security (SSL/TLS). Therefore, CS-MARS must have HTTPS access to the Cisco IPS sensor. This requires configuration of the Cisco IPS sensor as well as CS-MARS.

To allow access, HTTPS access must be enabled on the Cisco IPS sensor, and the IP address of CS-MARS must be defined as an allowed host, one that can access the sensor to pull events. In addition, an administrative account to be used by CS-MARS should be configured locally on the Cisco IPS sensor. As a best practice, this account should be set with a user role of viewer to ensure only the minimum necessary access privileges are granted. This account should not be used for any other purposes.

Event Data Collected from Cisco IPS

There are three types of event data that CS-MARS may extract from a Cisco IPS sensor:

Event alerts

Trigger packet data

Packet data (IP logging)

Verify that CS-MARS Pulls Events from a Cisco IPS Device

The first step for verifying if CS-MARS can pull events from a Cisco IPS sensor is to confirm both are able to communicate. To that end, select the test connectivity option under the Cisco IPS device configuration (Admin > System Setup > Security and Monitor Devices). A "Connectivity Successful" message indicates both systems are able to communicate.

The second step is to perform an action to knowingly trigger a signature on the Cisco IPS sensor. As an example, type the following URL in a browser, replacing x.x.x.x with the IP address or hostname of a web server located on a subnet monitored by the Cisco IPS sensor.

http://x.x.x.x/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

This action should be interpreted as a WWW IIS unicode directory traversal attack, triggering Cisco IPS signature numbers 5114 and 5081.
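As an added example (not from this thread, Cisco, or CS-MARS), the Python below shows what a collector does with the SDEE data described in the post above: it builds the HTTPS subscription request and parses the evIdsAlert XML the sensor returns. The namespace URIs, the /cgi-bin/sdee-server endpoint and its query parameters are assumptions from memory, and the sample response is constructed around the two signature numbers mentioned.

```python
# Parse the SDEE evIdsAlert XML a collector such as CS-MARS pulls from the AIP-SSM.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# SDEE / CIDEE namespace URIs used by Cisco IPS 5.x and 6.x (assumed from memory).
NS = {"sd": "http://example.com/2003/08/sdee",
      "cid": "http://www.cisco.com/cids/2006/08/cidee"}

def sdee_open_url(sensor, max_events=100, timeout=5):
    """URL that opens an evIdsAlert subscription (endpoint and params are assumptions)."""
    params = {"action": "open", "events": "evIdsAlert",
              "maxNbrOfEvents": max_events, "timeout": timeout, "force": "yes"}
    return f"https://{sensor}/cgi-bin/sdee-server?{urlencode(params)}"

def parse_alerts(xml_text):
    """Return one dict per evIdsAlert with the fields a SIEM would index."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.iter(f"{{{NS['sd']}}}evIdsAlert"):
        sig = ev.find("sd:signature", NS)
        attacker = ev.find("sd:participants/sd:attacker/sd:addr", NS)
        target = ev.find("sd:participants/sd:target/sd:addr", NS)
        risk = ev.find("cid:riskRatingValue", NS)  # not every alert carries one
        alerts.append({
            "event_id": ev.get("eventId"),
            "severity": ev.get("severity"),
            "sig_id": int(sig.get("id")),
            "description": sig.get("description"),
            "attacker": attacker.text if attacker is not None else None,
            "target": target.text if target is not None else None,
            "risk_rating": int(risk.text) if risk is not None else None,
        })
    return alerts

# Constructed sample response: the two signatures the test URL above triggers.
SAMPLE = """<sd:events xmlns:sd="http://example.com/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
<sd:evIdsAlert eventId="1" severity="high" vendor="Cisco">
  <sd:signature id="5114" description="WWW IIS Unicode Attack"/>
  <cid:riskRatingValue>85</cid:riskRatingValue>
  <sd:participants><sd:attacker><sd:addr>10.0.0.5</sd:addr></sd:attacker>
  <sd:target><sd:addr>192.168.1.10</sd:addr></sd:target></sd:participants>
</sd:evIdsAlert>
<sd:evIdsAlert eventId="2" severity="medium" vendor="Cisco">
  <sd:signature id="5081" description="WWW WinNT cmd.exe Access"/>
  <sd:participants><sd:attacker><sd:addr>10.0.0.5</sd:addr></sd:attacker>
  <sd:target><sd:addr>192.168.1.10</sd:addr></sd:target></sd:participants>
</sd:evIdsAlert>
</sd:events>"""

print(parse_alerts(SAMPLE))
```

If a collector sees "Connectivity Successful" but parses zero alerts, the subscription itself is the next thing to check, since the HTTPS and viewer-account setup only gets the request as far as the sensor.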

tech_trac Wed, 07/15/2009 - 11:11

Thanks for that. I tried all of it, the connectivity, administrative account etc, yet I don't see the events coming to MARS.

I don't think I have to try out any signature triggers as I could already see events populating under 'show events past 00:01:00' on the AIP-SSM.

Not sure how to go further. IDSMs, however, are pushing events to MARS successfully. The issue is only with AIP-SSM.
