Siddharth Chandrachud
Cisco Employee

SDEE

___________________________________________________________________________________________________


  • The Security Device Event Exchange (SDEE) protocol was developed to communicate the events generated by security devices.


  • The SDEE client establishes a session with the server by successfully authenticating with that server. Once authenticated, a session ID or session cookie is given to the client, which is included with all future requests.


  • SDEE supports two methods for retrieving events:

a. An event query: a single request that returns the events matching the client's criteria (for example a time range).

b. An event subscription: the client opens a subscription on the server and then repeatedly fetches the events that have arrived since its last read; the server keeps the read position for each open subscription.


  • Both methods are carried as HTTP requests to the SDEE server, normally over SSL/TLS (HTTPS), and both return the events as XML.


IPS and SDEE

___________________________________________________________________________________________________

  • IPS produces different types of events including intrusion alerts and status events. IPS communicates events to clients such as management applications using SDEE.

  • Systems that use SDEE to communicate events to clients are referred to as SDEE providers. SDEE specifies that events can be transported using HTTP or HTTP over SSL/TLS (HTTPS). In either case the SDEE provider acts as the HTTP server, while the SDEE client initiates the HTTP requests.


  • IPS includes a web server that processes HTTP and HTTPS requests. The web server uses run-time loadable servlets to process the different types of requests; each servlet handles the requests directed to the URL associated with it. The SDEE server is implemented as one of these web server servlets.

  • The SDEE server only processes authorized requests. A request is authorized only after the web server has authenticated the identity of the client and determined the client's privilege level; the SDEE servlet never sees an unauthenticated request.


  • IME uses SDEE to retrieve events from the event store of IPS. Any third-party SDEE client (a SIEM or reporting server, for example) can also connect to the IPS and pull events from it in the same way. Note the roles: the IPS is the SDEE server, and the reporting system, even if it is called a "server" elsewhere in this post, is the SDEE client.

Configuration of SDEE on IPS:

__________________________________________________________________________________________________

  • SDEE is on by default on all IPS appliances and modules.

What's needed for third-party SDEE clients (reporting servers) to pull events from IPS?

___________________________________________________________________________________________________

  • On the IPS side one only needs to make sure that the reporting server's IP addresses are included in the 'Allowed Hosts/Networks.' Since SDEE is already on, this list and the user credentials are the only things restricting who can open an SDEE session, so list the collector's specific host addresses rather than a broad network.


  • On the reporting (SDEE client) side you need to specify:

1. The IP address of the IPS appliance.

2. The username and password of an IPS user account. Any privilege level works, so create a dedicated viewer-level account for the collector rather than reusing an administrator login.

3. The protocol the client will use to fetch alerts from the appliance: HTTPS on TCP/443.
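Putting those three items together, here is a minimal SDEE client in Python. It is an added example, not code from the original post or from Cisco. It assumes the servlet URL https://<ips>/cgi-bin/sdee-server that this post uses in the troubleshooting section, HTTP Basic authentication on TCP/443, and a copy of the sensor's certificate (or its issuing CA) exported to a local PEM file so that TLS verification can stay on. The alert XML layout in the sample response is constructed from the general SDEE alert shape and is not copied from a sensor; check it against a real response. The event-query and subscription parameter names are not given on this page, so sdee_url takes them from the caller instead of guessing.

```python
import base64
import http.cookiejar
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SDEE_PATH = "/cgi-bin/sdee-server"  # servlet URL shown in the post


def basic_auth_header(username, password):
    """HTTP Basic credential sent on the first request. Any IPS privilege
    level works for SDEE, so use a dedicated viewer-level account."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def build_opener(ca_pem_path):
    """Opener that verifies the sensor's TLS certificate against a local PEM
    file (export it from the sensor; do not switch verification off) and keeps
    the session cookie the SDEE server returns after authentication, so the
    cookie rather than the password is replayed on every later request."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(jar),
    )
    return opener, jar


def sdee_url(ips_host, params=None):
    """https://<ips>/cgi-bin/sdee-server[?query]. The query/subscription
    parameter names are not on the page, so the caller supplies them."""
    query = "?" + urllib.parse.urlencode(params) if params else ""
    return f"https://{ips_host}{SDEE_PATH}{query}"


def sdee_get(opener, url, auth_header=None, timeout=30):
    """One SDEE request; returns (status, body). Pass auth_header on the
    first call only: afterwards the cookie jar carries the session."""
    headers = {"Accept": "text/xml"}
    if auth_header:
        headers["Authorization"] = auth_header
    with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
        return r.status, r.read()


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace so the prefix choice does not matter


def parse_alerts(xml_bytes):
    """Extract the fields a SIEM keys on from an SDEE alert document."""
    alerts = []
    for el in ET.fromstring(xml_bytes).iter():
        if _local(el.tag) != "evIdsAlert":
            continue
        rec = {"eventId": el.get("eventId"), "severity": el.get("severity")}
        for node in el.iter():
            name = _local(node.tag)
            if name == "hostId":
                rec["sensor"] = (node.text or "").strip()
            elif name == "time":
                rec["time"] = (node.text or "").strip()
            elif name == "signature":
                rec["sigId"], rec["description"] = node.get("id"), node.get("description")
            elif name in ("attacker", "target"):
                addr = next((a for a in node.iter() if _local(a.tag) == "addr"), None)
                rec[name] = (addr.text or "").strip() if addr is not None else None
        alerts.append(rec)
    return alerts


# Constructed sample response; the element layout is assumed, not captured.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:sd="http://example.com/2003/08/sdee">
 <env:Body><sd:events>
  <sd:evIdsAlert eventId="1281373674222327001" severity="high" vendor="Cisco">
   <sd:originator><sd:hostId>ips-lab-1</sd:hostId></sd:originator>
   <sd:time offset="0" timeZone="UTC">1281373674222327000</sd:time>
   <sd:signature id="2004" description="ICMP Echo Request" version="S1"/>
   <sd:participants>
    <sd:attacker><sd:addr locality="OUT">14.0.25.115</sd:addr></sd:attacker>
    <sd:target><sd:addr locality="IN">10.0.0.5</sd:addr></sd:target>
   </sd:participants>
  </sd:evIdsAlert>
 </sd:events></env:Body>
</env:Envelope>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # python sdee_pull.py <ips> <user> <password> <ca.pem>
        opener, jar = build_opener(sys.argv[4])
        status, body = sdee_get(opener, sdee_url(sys.argv[1]),
                                basic_auth_header(sys.argv[2], sys.argv[3]))
        print(status, [c.name for c in jar], parse_alerts(body))
    else:
        print(parse_alerts(SAMPLE_RESPONSE))
```

The first request carries the Basic credential; the session cookie the server hands back is stored in the cookie jar and replayed on every following request, which is exactly the session behaviour described at the top of this post. Run it with the four arguments against a sensor, or with none to parse the constructed sample offline.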

Troubleshooting

___________________________________________________________________________________________________

  • CLI commands:


IPS# show stat sdee

General
   Open Subscriptions = 1  <---
   Blocked Subscriptions = 0
   Maximum Available Subscriptions = 5   <---
   Maximum Events Per Retrieval = 500
Subscriptions
   sub-1-97ae4503
      State = Read Pending
      Last Read Time = 17:07:54 UTC Mon Aug 09 2010
      Last Read Time (nanoseconds) = 1281373674222327000
   sub-2-a1b6691b
      State = Open
      Last Read Time = 17:07:27 UTC Mon Aug 09 2010
      Last Read Time (nanoseconds) = 1281373647796374000
   sub-3-30a920a4
      State = Open
      Last Read Time = 16:15:57 UTC Mon Aug 09 2010
      Last Read Time (nanoseconds) = 1281370557298374000
   sub-4-85194f8f
      State = Open
      Last Read Time = 15:57:51 UTC Sun Aug 01 2010
      Last Read Time (nanoseconds) = 1280678271287811000


IPS# show stat web-server
listener-443
   session-7
      remote host = 1.1.1.1   <----  ( Device connecting to IPS)
      session is persistent = yes
      number of requests serviced on current connection = 317
      last status code = 200
      last request method = GET
      last request URI = cgi-bin/sdee-server    <----- ( Device using SDEE )
      last protocol version = HTTP/1.1
      session state = processingActionsState
   session-0
      remote host = 14.0.25.115
      session is persistent = no
      number of requests serviced on current connection = 1
      last status code = 200
      last request method = GET
      last request URI = cgi-bin/sdee-server
      last protocol version = HTTP/1.1
      session state = processingGetServlet
   number of server session requests handled = 95731
   number of server session requests rejected = 0
   total HTTP requests handled = 142699
   maximum number of session objects allowed = 40
   number of idle allocated session objects = 8
   number of busy allocated session objects = 2
summarized log messages
   number of TCP socket failure messages logged = 0
   number of TLS socket failure messages logged = 0
   number of TLS protocol failure messages logged = 0
   number of TLS connection failure messages logged = 6
   number of TLS crypto warning messages logged = 0
   number of TLS expired certificate warning messages logged = 0
   number of receipt of TLS fatal alert message messages logged = 2
crypto library version = 6.2.1.0
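The two outputs above are easy to eyeball on one sensor but not across a fleet. The following Python script, an added example that is not from the original post or from Cisco, parses both outputs and reports the conditions a practitioner actually chases: subscriptions that have gone quiet but still hold one of the five available slots (sub-4 above was last read eight days before the others), all slots in use, which remote hosts are hitting cgi-bin/sdee-server, and non-zero TLS failure counters. The sample inputs are copied from the outputs above and abridged to the lines the parser reads; the one-day staleness threshold is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=1)  # assumption: a collector silent for a day is gone

# Copied from the 'show stat' outputs above, abridged ('<---' annotations removed).
STAT_SDEE = """General
   Open Subscriptions = 1
   Maximum Available Subscriptions = 5
Subscriptions
   sub-1-97ae4503
      State = Read Pending
      Last Read Time (nanoseconds) = 1281373674222327000
   sub-3-30a920a4
      State = Open
      Last Read Time (nanoseconds) = 1281370557298374000
   sub-4-85194f8f
      State = Open
      Last Read Time (nanoseconds) = 1280678271287811000
"""
STAT_WEB = """listener-443
   session-7
      remote host = 1.1.1.1
      last request URI = cgi-bin/sdee-server
   session-0
      remote host = 14.0.25.115
      last request URI = cgi-bin/sdee-server
summarized log messages
   number of TLS connection failure messages logged = 6
   number of TLS expired certificate warning messages logged = 0
   number of receipt of TLS fatal alert message messages logged = 2
"""
KV = re.compile(r"^\s+([^=]+?)\s*=\s*(.*?)\s*$")  # indented "key = value" lines
SUB = re.compile(r"^\s+(sub-[0-9a-f-]+)\s*$")       # subscription id lines


def parse_stat_sdee(text):
    """Return (general counters, {subscription id: {field: value}})."""
    general, subs, current = {}, {}, None
    for line in text.splitlines():
        m = SUB.match(line)
        if m:
            current = m.group(1)
            subs[current] = {}
            continue
        m = KV.match(line)
        if m:
            (subs[current] if current else general)[m.group(1)] = m.group(2)
    return general, subs


def last_read(sub):
    """Use the nanosecond counter; it avoids locale-dependent date parsing."""
    return datetime.fromtimestamp(int(sub["Last Read Time (nanoseconds)"]) / 1e9, tz=timezone.utc)


def stale_subscriptions(subs, stale_after=STALE_AFTER):
    """Subscriptions read more than stale_after before the newest read: orphaned collectors."""
    newest = max(last_read(s) for s in subs.values())
    return sorted(n for n, s in subs.items() if newest - last_read(s) > stale_after)


def parse_stat_web(text):
    """Return (hosts whose last request hit the SDEE servlet, non-zero TLS counters)."""
    hosts, host, tls = set(), None, {}
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "remote host":
            host = val
        elif key == "last request URI" and "sdee-server" in val and host:
            hosts.add(host)
        else:
            c = re.match(r"number of (.*TLS.*?) messages logged", key)
            if c and int(val) > 0:
                tls[c.group(1)] = int(val)
    return sorted(hosts), tls


def sdee_health(stat_sdee_text, stat_web_text):
    """Findings worth acting on before opening a case."""
    general, subs = parse_stat_sdee(stat_sdee_text)
    hosts, tls = parse_stat_web(stat_web_text)
    findings = []
    max_subs = int(general["Maximum Available Subscriptions"])
    if len(subs) >= max_subs:
        findings.append(f"all {max_subs} subscription slots in use; a new collector will be refused")
    for name in stale_subscriptions(subs):
        findings.append(f"{name}: stale subscription still holding a slot (orphaned collector?)")
    for h in hosts:
        findings.append(f"{h} pulls events via SDEE; confirm it is an expected collector")
    for name, n in tls.items():
        findings.append(f"{n} x {name}: clients failing the TLS handshake, check their trust of the sensor certificate")
    return findings
```

Calling sdee_health(STAT_SDEE, STAT_WEB) on the copied outputs flags sub-4-85194f8f as stale, lists 1.1.1.1 and 14.0.25.115 as SDEE collectors, and reports the 6 TLS connection failures and 2 fatal alerts; feed it the raw text of the two commands from any sensor to get the same report.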




  • From a browser:

1. In the browser's address bar enter:   https://Ip-address-of-IPS/cgi-bin/sdee-server/

2. Log in with a username and password for the IPS.

3. You should see XML data returned. If the connection is refused or the login never succeeds, first check that the workstation's address is in the 'Allowed Hosts/Networks' list on the IPS.

Comments
makamine
Level 1

Perfect post! Thank you! = )
