Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to enable SDEE on AIP-SSM

Hi,

What are the steps to enable SDEE on AIP-SSM in Cisco ASA.

Thanks.

4 REPLIES
New Member

Re: How to enable SDEE on AIP-SSM

The AIP-SSM does not support syslog as an alert format.

The default method to receive alert information from the AIP-SSM is through Security Device Event Exchange (SDEE).

Another option is to configure individual signatures in order to generate a SNMP trap as an action to take when they are triggered.

To install Cisco IPS Manager Express (IME), with one application, you can provision, monitor, troubleshoot, and generate reports for as many as five IDS, IPS, or IOS IPS devices.

New Member

Re: How to enable SDEE on AIP-SSM

I am querying the AIP-SSM from MARS for the past events but it does not show any record. Devices/modules were added successfully in MARS.

'show events' on AIP-SSM does throw out several records.

New Member

Re: How to enable SDEE on AIP-SSM

CS-MARS extracts the logs from Cisco IPS 5.x and 6.x devices and modules using SDEE. SDEE communications are secured with Secure Sockets Layer/Transport Layer Security (SSL/TLS). Therefore, CS-MARS must have HTTPS access to the Cisco IPS sensor. This requires configuration of the Cisco IPS sensor as well as CS-MARS.

To allow access, HTTPS access must be enabled on the Cisco IPS sensor, and the IP address of CS-MARS must be defined as an allowed host, one that can access the sensor to pull events. In addition, an administrative account to be used by CS-MARS should be configured locally on the Cisco IPS sensor. As a best practice, this account should be set with a user role of viewer to ensure only the minimum necessary access privileges are granted. This account should not be used for any other purposes.

Event Data Collected from Cisco IPS

There three types of event data that CS-MARS may extract from a Cisco IPS sensor:

Event alerts

Trigger packet data

Packet data (IP logging)

Verify that CS-MARS Pulls Events from a Cisco IPS Device

The first step for verifying if CS-MARS can pull events from a Cisco IPS sensor is to confirm both are able to communicate. To that end, select the test connectivity option under the Cisco IPS device configuration (Admin > System Setup > Security and Monitor Devices). A "Connectivity Successful" message indicates both systems are able to communicate.

The second step is to perform an action to knowingly trigger a signature on the Cisco IPS sensor. As an example, type the following URL on a browser, replacing x.x.x.x by the IP address or hostname of a web server located on a subnet monitored by the Cisco IPS sensor.

ttp://x.x.x.x/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

This action should be interpreted as a WWW IIS unicode directory traversal attack, triggering Cisco IPS signatures numbers 5114 and 5081.

New Member

Re: How to enable SDEE on AIP-SSM

Thanks for that. I tried all of it, the connectivity, administrative account etc, yet I don't see the events coming to MARS.

I don't think I have to try out any signature triggers as I could already see events populating under 'show events past 00:01:00' on the AIP-SSM.

Not sure how to go further. IDSM's however are pushing events to MARS successfully. Issue is only with AIP-SSM.

950
Views
9
Helpful
4
Replies