The Security Device Event Exchange (SDEE) protocol was developed to communicate the events generated by security devices.
The SDEE client establishes a session with the server by successfully authenticating with that server. Once authenticated, a session ID or session cookie is given to the client, which is included with all future requests.
SDEE supports two methods for retrieving events:
a. An event query.
b. Event subscription.
Both methods use SSL to query the SDEE server and retrieve the events.
IPS produces different types of events including intrusion alerts and status events. IPS communicates events to clients such as management applications using SDEE.
Systems that use SDEE to communicate events to clients are referred to as SDEE providers. SDEE specifies that events can be transported using the HTTP or HTTP over SSL and TLS protocols. When HTTP or HTTPS is used, SDEE providers act as HTTP servers, while SDEE clients are the initiators of HTTP requests.
IPS includes Web Server, which processes HTTP or HTTPS requests. Web Server uses run-time loadable servlets to process the different types of HTTP requests. Each servlet handles HTTP requests that are directed to the URL associated with the servlet. The SDEE server is implemented as a web server servlet.
The SDEE server only processes authorized requests. A request is authorized if it originates from a web server to authenticate the identity of the client and determine the privilege level of the client.
IME uses SDEE to retrieve events from the event store of IPS. Any 3rd party SDEE server can also connect to the IPS and pull events from it.
General Open Subscriptions = 1 <--- Blocked Subscriptions = 0 Maximum Available Subscriptions = 5 <--- Maximum Events Per Retrieval = 500 Subscriptions sub-1-97ae4503 State = Read Pending Last Read Time = 17:07:54 UTC Mon Aug 09 2010 Last Read Time (nanoseconds) = 1281373674222327000 sub-2-a1b6691b State = Open Last Read Time = 17:07:27 UTC Mon Aug 09 2010 Last Read Time (nanoseconds) = 1281373647796374000 sub-3-30a920a4 State = Open Last Read Time = 16:15:57 UTC Mon Aug 09 2010 Last Read Time (nanoseconds) = 1281370557298374000 sub-4-85194f8f State = Open Last Read Time = 15:57:51 UTC Sun Aug 01 2010 Last Read Time (nanoseconds) = 1280678271287811000
IPS# show stat web-server listener-443 session-7 remote host = 188.8.131.52 <---- ( Device connecting to IPS) session is persistent = yes number of requests serviced on current connection = 317 last status code = 200 last request method = GET last request URI = cgi-bin/sdee-server <----- ( Device using SDEE ) last protocol version = HTTP/1.1 session state = processingActionsState session-0 remote host = 184.108.40.206 session is persistent = no number of requests serviced on current connection = 1 last status code = 200 last request method = GET last request URI = cgi-bin/sdee-server last protocol version = HTTP/1.1 session state = processingGetServlet number of server session requests handled = 95731 number of server session requests rejected = 0 total HTTP requests handled = 142699 maximum number of session objects allowed = 40 number of idle allocated session objects = 8 number of busy allocated session objects = 2 summarized log messages number of TCP socket failure messages logged = 0 number of TLS socket failure messages logged = 0 number of TLS protocol failure messages logged = 0 number of TLS connection failure messages logged = 6 number of TLS crypto warning messages logged = 0 number of TLS expired certificate warning messages logged = 0 number of receipt of TLS fatal alert message messages logged = 2 crypto library version = 220.127.116.11