Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
0
Helpful
1
Replies

IDIOM or SDEE

darin.marais
Level 4
Level 4

‎03-31-2006 06:49 AM - edited ‎03-10-2019 01:57 AM

What determines whether the alarm type is collected by secmon as IDIOM or SDEE.

I have some Version 5.1(1p1)S222.0 sensors that appear under alarm type IDIOM and some Version 5.1(1p1)S222.0 sensors the show up as SDEE on the SecMon 2.2 console.

How do you configure the alarm type for a sensor?

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

darin.marais
Level 4
Level 4

‎04-05-2006 08:12 AM

There is a big difference in the way vms2.3 fetches the events from a v4 sensor as compared with a v5 sensor

Version 4 uses

last request method = GET

last request URI = cgi-bin/event-server

The signature part that contains the subsigid looks like this:

Netsky.AB .pif

Version 5 uses

last request method = GET

last request URI = cgi-bin/sdee-server

The signature part that contains the subsigid looks like this:

-

9

Is this configurable?

Are alerts that come from v5 sensor stored in both the sdee server as well as the event server?

The issues that I have is the sub signature is not reported correctly on the console of SecMon for an SDEE event and as a work around I work like to revert to using the event server

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card