Cisco Support Community

IDS/IPS logging, and SDM replacement?

I'm reviewing for my CCNA Security exam. I've got several books that I'm using for study materials: the Cisco Press blue softcover, CCNA Security Study Guide by Tim Broyles...

Now, I've seen arguments about how the IDS "pulls" data. The books are unclear, and I'm trying to get a definitive answer.

In the IDS chapter in Cisco's book, discussion at the end of the chapter talks about how the IDS uses SDEE to pull the data. But it shows two examples of config lines, SDEE and Log, and it goes on to say that SDEE and Syslog are the protocols used to grab the alerts. But then, in the next paragraph, it says that it uses HTTP (and further says HTTPS is more secure) to gather the data.

So, in googling to try and find resolution, I made the water murkier. I saw everything from those dreaded " I just took the exam..." and various other answers.

I'm thinking that syslog is not a protocol. Syslog is a venue where data is stored and can be retrieved and viewed by various applications like Solar Winds, etc. So, I'm thinking SDEE uses HTTPS (which is a protocol) to grab the data. But, I want to ensure I have my ducks in a row before the exam.

So, can someone with AUTHORITY please advise what the heck IDS uses to pull the data?

Now the 2nd part of this concerns dreaded SDM. SDM is at v2.5, and there have been no updates/tweaks to it. I never see anyone in the RW use it. I'm sure that there's something better out there, yet Cisco is insisting on hammering that home on their CCNA Security exam. What is SDM being replaced with? What should I start working with if I want to go on and get my CCNP Security certification?

Thanks much...testing on Tuesday


IDS/IPS logging, and SDM replacement?

The confusion you are seeing is because IPS (or IDS) exists on two entirely different platforms; the router IOS and the IPS sensor appliance. These two types of IPS devices are managed and report events very differently.

The Router IOS IPS feature can report events (signature hits) via syslog (and yes, that is a real protocol, just not a very secure one for carrying sensitive information like signature events) and SDEE. The Appliance IPS Sensors can only report events via SDEE (and SNMP Traps, if optioned on a per-signature basis to do so).

SDEE is a "pull" protocol, meaning the Sensor acts as the host and the client "asks" for signature events. This allows multiple clients to get a feed off one sensor and not have to maintain message synchronization. SDEE is an XML formatted protocol (so it's self documenting) and is carried over HTTPS.

- Bob
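The pull model Bob describes, as an added toy example that is not from this thread or from Cisco: the sensor keeps an ordered event store and each client advances only its own cursor when it asks for events, so a second subscriber is never disturbed by the first. The XML element names (`events`, `evIdsAlert`, `signature`) and the sample alerts are constructed, simplified imitations of SDEE's format, and the HTTPS transport is not modelled.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Sensor:
    """Constructed stand-in for an IPS sensor: an event store plus one cursor per client."""
    events: list = field(default_factory=list)
    cursors: dict = field(default_factory=dict)

    def add_alert(self, sig_id, sig_name, attacker, target):
        self.events.append({"eventId": str(len(self.events) + 1), "sigId": str(sig_id),
                            "sigName": sig_name, "attacker": attacker, "target": target})

    def open_subscription(self, client_id):
        # Each client gets its own cursor; the sensor never pushes anything.
        self.cursors.setdefault(client_id, 0)

    def get_events(self, client_id, max_events=10):
        """Serve one pull: return up to max_events unread alerts as XML and advance
        only this client's cursor, leaving other subscribers where they were."""
        start = self.cursors[client_id]
        batch = self.events[start:start + max_events]
        self.cursors[client_id] = start + len(batch)
        root = ET.Element("events")
        for ev in batch:
            alert = ET.SubElement(root, "evIdsAlert", eventId=ev["eventId"])
            ET.SubElement(alert, "signature", id=ev["sigId"], sigName=ev["sigName"])
            ET.SubElement(alert, "attacker").text = ev["attacker"]
            ET.SubElement(alert, "target").text = ev["target"]
        return ET.tostring(root, encoding="unicode")


def parse_alerts(xml_text):
    """Client side: turn one pull response into (eventId, sigName, attacker) tuples."""
    root = ET.fromstring(xml_text)
    return [(a.get("eventId"), a.find("signature").get("sigName"), a.findtext("attacker"))
            for a in root.findall("evIdsAlert")]


def demo():
    sensor = Sensor()
    # Constructed sample alerts; addresses come from the RFC 5737 documentation ranges.
    sensor.add_alert(2004, "ICMP Echo Request", "203.0.113.10", "192.0.2.5")
    sensor.add_alert(3041, "TCP SYN/FIN Packet", "203.0.113.11", "192.0.2.5")
    sensor.add_alert(1102, "Impossible IP Packet", "203.0.113.12", "192.0.2.8")
    for client in ("siem", "analyst-console"):
        sensor.open_subscription(client)
    siem_first = parse_alerts(sensor.get_events("siem", max_events=2))  # first two only
    console_all = parse_alerts(sensor.get_events("analyst-console"))     # independent feed
    siem_rest = parse_alerts(sensor.get_events("siem"))                  # resumes at event 3
    return siem_first, console_all, siem_rest


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```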
