A-35
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix A System Architecture
Communications
SDEE
IPS produces various types of events including intrusion alerts and status events. IPS communicates
events to clients such as management applications using the proprietary RDEP2. We have also developed
an IPS-industry leading protocol, SDEE, which is a product-independent standard for communicating
security device events. SDEE is an enhancement to the current version of RDEP2 that adds extensibility
features that are needed for communicating events generated by various types of security devices.
Systems that use SDEE to communicate events to clients are referred to as SDEE providers. SDEE
specifies that events can be transported using the HTTP or HTTP over SSL and TLS protocols. When
HTTP or HTTPS is used, SDEE providers act as HTTP servers, while SDEE clients are the initiators of
HTTP requests.
IPS includes Web Server, which processes HTTP or HTTPS requests. Web Server uses run-time loadable
servlets to process the different types of HTTP requests. Each servlet handles HTTP requests that are
directed to the URL associated with the servlet. The SDEE server is implemented as a web server servlet.
The SDEE server only processes authorized requests. A request is authorized if is originates from a web
server to authenticate the client’s identity and determine the client’s privilege level.
CIDEE
CIDEE specifies the extensions to SDEE that are used by the Cisco IPS. The CIDEE standard specifies
all possible extensions that are supported by IPS. Specific systems may implement a subset of CIDEE
extensions. However, any extension that is designated as being required MUST be supported by all
systems.
CIDEE specifies the IPS-specific security device events as well as the IPS extensions to SDEE’s
<evIdsAlert> element.
CIDEE supports the following events:
•
<evError>—Error event
Generated by the CIDEE provider when the provider detects an error or warning condition. The
<evError> event contains error code and textual description of the error.
•
<evStatus>—Status message event
Generated by CIDEE providers to indicate that something of potential interest occurred on the host.
Different types of status messages can be reported in the status event—one message per event. Each
type of status message contains a set of data elements that are specific to the type of occurrence that
the status message is describing. The information in many of the status messages may be useful for
audit purposes. Errors and warnings are not considered status information and are reported using
<evError> rather than <evStatus>.
•
<evShunRqst>—Block request event
Generated to indicate that a block action is to be initiated by the service that handles network
blocking.
The following is a CDIEE extended event example:
<sd:events xmlns:cid="http://www.cisco.com/cids/2004/04/cidee"
xmlns:sd=“http://example.org/2003/08/sdee”>
<sd:evIdsAlert eventId="1042648730045587005" vendor="Cisco“ severity="medium">
<sd:originator>
<sd:hostId>Beta4Sensor1</sd:hostId>
<cid:appName>sensorApp</cid:appName>
<cid:appInstanceId>8971</cid:appInstanceId>