04-23-2014 10:07 PM - edited 03-10-2019 06:11 AM
Dear All,
I have deployed a Cisco ASA 5525 IPS for one of our customers in inline mode in the internet block. I am redirecting traffic from the ASA towards the built-in IPS module using an ACL (permit ip any any), a class map and a global service policy. I have verified that the built-in IPS module is inspecting the traffic, as the hits are increasing on the ACL, the service policy and show stats virtual-sensor.
But there are no events related to end-user traffic appearing. I tried to activate the RFC 1918 signature (which is retired by default) just to verify whether events are triggering or not, and after activating this signature I received a lot of events.
However, the customer wants to see all the traffic being inspected by the IPS, so how can I achieve that?
Thanks & Regards,
Mujeeb
04-24-2014 05:25 AM
The AIP-SSM does not support syslog as an alert format.
The default method to receive alert information from the AIP-SSM is through Security Device Event Exchange (SDEE). Another option is to configure individual signatures in order to generate a SNMP trap as an action to take when they are triggered.
Refer to this discussion
HTH
"Please rate helpful posts"
04-27-2014 01:14 AM
Hi ,
So how can we forward the alert information (SDEE) to the management/monitoring tool?
Thanks & Regards
04-27-2014 04:07 AM
The IPS sensor is a SDEE provider (with a built-in web server and SDEE servlet). SDEE specifies that events can be transported using the HTTP or HTTP over SSL and TLS protocols. When HTTP or HTTPS is used, SDEE providers act as HTTP servers, while SDEE clients are the initiators of HTTP requests.
When properly configured, clients (such as IME (IPS Manager Express) and CS-MARS) connect to the sensor via HTTPS (TLS/SSL) or HTTP, authenticate, and if successful, exchange data. SDEE is the preferred protocol for data exchange. The sensor's web server and SDEE servlet are both running by default. As such, generally the only configuration necessary on the sensor to allow an SDEE client access is to add a permit entry for the SDEE client's IP address to the sensor's access-list.
The SDEE server (IPS module) only processes authorized requests. A request is authorized if it originates from a web server session used to authenticate the identity of the client and determine the privilege level of the client. The SDEE client (IME) pulls the IPS events.
HTH
"Please rate helpful posts"
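To illustrate the client side of the exchange described above (client initiates an HTTPS request to the sensor, authenticates, pulls events), here is an added example that is not part of this thread or of any Cisco tool. The SDEE servlet path, the query parameters and the alert XML layout in the sample are assumptions; real IDIOM alert documents are namespaced and carry more fields, which is why the parser matches on local tag names only.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SDEE_PATH = "/cgi-bin/sdee-server"   # assumed servlet path, not from the thread


def build_url(sensor, **params):
    """URL for one client-initiated SDEE request (e.g. action=open/get, assumed names)."""
    return f"https://{sensor}{SDEE_PATH}?{urllib.parse.urlencode(params)}"


def fetch(url, user, password, cafile):
    """HTTPS GET with HTTP Basic auth. The sensor is the HTTP server; we are the
    initiator. cafile should contain the sensor's certificate or its issuing CA so
    the pull is not trivially intercepted. Needs network access to a real sensor."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def _local(tag):
    return tag.rpartition("}")[2]   # strip any XML namespace prefix


def parse_alerts(xml_text):
    """Extract the fields a monitoring tool usually keys on from an alert document."""
    alerts = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "evIdsAlert":
            continue
        rec = {"eventId": node.get("eventId"), "severity": node.get("severity")}
        for child in node.iter():
            name = _local(child.tag)
            if name == "signature":
                rec["sigId"] = child.get("id")
            elif name in ("attacker", "target"):
                addr = next((c for c in child.iter() if _local(c.tag) == "addr"), None)
                rec[name] = addr.text if addr is not None else None
        alerts.append(rec)
    return alerts


# Constructed sample response (not captured from a sensor); addresses are RFC 5737 test ranges.
SAMPLE = """<?xml version="1.0"?>
<events><evIdsAlert eventId="1398300000000000001" severity="informational">
  <signature id="12345"/>
  <participants><attacker><addr>198.51.100.7</addr></attacker>
  <target><addr>192.0.2.10</addr></target></participants>
</evIdsAlert></events>"""
```

A real poll loop would call fetch() with build_url(sensor, action="open", ...) to obtain a subscription and then repeatedly pull, but the exact parameter and response names belong to Cisco's SDEE documentation, not this thread.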