<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IPS Event Monitoring in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457441#M45598</link>
    <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dear All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have deployed a Cisco ASA 5525 IPS for one of our customers in inline mode in the internet block. I am redirecting traffic from the ASA towards the built-in IPS module using an ACL (permit ip any any), a class map and a global service policy. I have verified that the built-in IPS module is inspecting the traffic, as the hits are increasing on the ACL, service policy &amp;amp; show stats virtual-sensor.&lt;/P&gt;&lt;P&gt;But there are no events related to end user traffic appearing. I tried activating the RFC 1918 signature (which is retired by default) just to verify whether events are triggering, and after activating this signature I received a lot of events.&lt;/P&gt;&lt;P&gt;However, the customer wants to see all the traffic being inspected by the IPS, so how can I achieve that?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks &amp;amp; Regards,&lt;/P&gt;&lt;P&gt;Mujeeb&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 13:11:21 GMT</pubDate>
    <dc:creator>rmujeeb81</dc:creator>
    <dc:date>2019-03-10T13:11:21Z</dc:date>
    <item>
      <title>IPS Event Monitoring</title>
      <link>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457441#M45598</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dear All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have deployed a Cisco ASA 5525 IPS for one of our customers in inline mode in the internet block. I am redirecting traffic from the ASA towards the built-in IPS module using an ACL (permit ip any any), a class map and a global service policy. I have verified that the built-in IPS module is inspecting the traffic, as the hits are increasing on the ACL, service policy &amp;amp; show stats virtual-sensor.&lt;/P&gt;&lt;P&gt;But there are no events related to end user traffic appearing. I tried activating the RFC 1918 signature (which is retired by default) just to verify whether events are triggering, and after activating this signature I received a lot of events.&lt;/P&gt;&lt;P&gt;However, the customer wants to see all the traffic being inspected by the IPS, so how can I achieve that?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks &amp;amp; Regards,&lt;/P&gt;&lt;P&gt;Mujeeb&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 13:11:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457441#M45598</guid>
      <dc:creator>rmujeeb81</dc:creator>
      <dc:date>2019-03-10T13:11:21Z</dc:date>
    </item>
    <item>
      <title>The AIP-SSM does not support</title>
      <link>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457442#M45600</link>
      <description>&lt;P&gt;The AIP-SSM does not support syslog as an alert format.&lt;/P&gt;&lt;P&gt;The default method to receive alert information from the AIP-SSM is through Security Device Event Exchange (SDEE). Another option is to configure individual signatures in order to generate an SNMP trap as an action to take when they are triggered.&lt;/P&gt;&lt;P&gt;Refer to &lt;A href="https://supportforums.cisco.com/discussion/12180461/cisco-asa-5585-syslog-options-ips"&gt;this&lt;/A&gt; discussion.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;"Please rate helpful posts"&lt;/P&gt;</description>
      <pubDate>Thu, 24 Apr 2014 12:25:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457442#M45600</guid>
      <dc:creator>Poonam Garg</dc:creator>
      <dc:date>2014-04-24T12:25:15Z</dc:date>
    </item>
    <item>
      <title> Hi , So how we can forward</title>
      <link>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457443#M45601</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So how can we forward the alert information (SDEE) to the management/monitoring tool?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks &amp;amp; Regards&lt;/P&gt;</description>
      <pubDate>Sun, 27 Apr 2014 08:14:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457443#M45601</guid>
      <dc:creator>rmujeeb81</dc:creator>
      <dc:date>2014-04-27T08:14:25Z</dc:date>
    </item>
    <item>
      <title>The IPS sensor is a SDEE</title>
      <link>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457444#M45602</link>
      <description>&lt;P&gt;The IPS sensor is an SDEE provider (with a built-in web server and SDEE servlet). SDEE specifies that events can be transported using the HTTP or HTTP over SSL and TLS protocols. When HTTP or HTTPS is used, SDEE providers act as HTTP servers, while SDEE clients are the initiators of HTTP requests.&lt;/P&gt;&lt;P&gt;When properly configured, clients {such as IME (IPS Manager Express) and CS-MARS} connect to the sensor via HTTPS (TLS/SSL) or HTTP, authenticate, and if successful, exchange data. SDEE is the preferred protocol for data exchange. The sensor's web server and SDEE servlet are both running by default. As such, generally the only configuration necessary on the sensor to allow an SDEE client access is to &lt;A href="https://supportforums.cisco.com/document/64051/idsips-top-commonly-encountered-problems-and-solutions"&gt;add a permit entry for the SDEE client's IP address to the sensor's access-list&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="pB1_Body1"&gt;The SDEE server (IPS Module) only processes authorized requests. A request is authorized if it originates from a web server to authenticate the identity of the client and determine the privilege level of the client. The SDEE client (IME) pulls the IPS events.&lt;/P&gt;&lt;P class="pB1_Body1"&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="pB1_Body1"&gt;HTH&lt;/P&gt;&lt;P class="pB1_Body1"&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="pB1_Body1"&gt;"Please rate helpful posts"&lt;/P&gt;</description>
      <pubDate>Sun, 27 Apr 2014 11:07:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-event-monitoring/m-p/2457444#M45602</guid>
      <dc:creator>Poonam Garg</dc:creator>
      <dc:date>2014-04-27T11:07:24Z</dc:date>
    </item>
  </channel>
</rss>

