This document explains how to use monitor events generated by Cisco IOS Intrusion Prevention System (IOS-IPS) using the IPS Manager Express (IME).
Cisco IOS IPS is a software-based deep-packet inspection feature that effectively mitigates a wide range of network attacks.
Cisco IME is a simple, GUI-based IPS management software.
Readers of this document should have knowledge of these topics.
The information in this document is based on Cisco IOS Intrusion Prevention System using the IPS Manager Express.
For more information on document conventions, refer to Cisco Technical Tips Conventions.
For IME to support IOS IPS, the router needs to run Cisco IOS Software Releases 12.3(14)T7 and 12.4(15)T2 or newer. IME can support up to 10 devices.
Note: IME only supports event monitoring for IOS IPS. Configuration is not supported.
IME uses SDEE to get events from IOS IPS. SDEE notification is disabled by default and must be manually enabled. To use SDEE, the router's web server must be enabled. By default, IME tries to establish a secure connection to the router using HTTPS (TCP 443). This requires a digital certificate to be configured on the router. Optionally, IME can be configured to support an unsecure connection using HTTP (TCP 80).
Enable SDEE notification:
Router(config)# ip ips notify sdee
Enable the HTTPS server (required for the default secure connection on TCP 443):
Router(config)# ip http secure-server
Enable HTTP (optional, unsecure connection on TCP 80):
Router(config)# ip http server
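As an added example that is not part of the original document, the router-side configuration above expanded into a fuller SDEE setup, with the HTTP-only variant shown beside the HTTPS variant. The hostname, domain name, ACL number, username, buffer sizes and the 192.0.2.10 IME host address are assumed values.

```cisco
! Added example: router-side configuration for IME event monitoring over SDEE.
! Hostname, domain, ACL number, username, buffer sizes and the 192.0.2.10 IME host are assumed.
hostname ios-ips-rtr
ip domain-name example.net
! The HTTPS server needs an RSA key pair; the router's self-signed certificate is built from it.
crypto key generate rsa modulus 2048
! Allow only the IME host to reach the web server that serves SDEE; log anything else.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
! Local account that IME authenticates with when it subscribes to SDEE (assumed privilege level).
username ime-poller privilege 15 secret <choose-a-strong-password>
ip http authentication local
ip http access-class 10
! Preferred: HTTPS only, which is the IME default (TCP 443).
ip http secure-server
no ip http server
! Weaker alternative: plain HTTP (TCP 80). Credentials and event data cross the wire in clear text,
! so keep the access-class in place and use this only where HTTPS cannot be used.
! ip http server
! SDEE notification is disabled by default; enable it and size the event buffer for the IME subscription.
ip ips notify sdee
ip sdee subscriptions 1
ip sdee events 500
! Verify from privileged EXEC: show ip sdee subscriptions / show ip sdee events
```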
Download and install IME. Run IME. Then, click Add.
Note: The default setting uses HTTPS and port 443 to connect to the router. You can also choose to connect using HTTP only, and change the port to 80.
If using HTTPS, you are presented with a screen to accept the self-signed certificate from the router. Click Yes.
Once correctly added, you will see the following:
Note: If HTTPS is used to connect to the router, any changes to the certificate on the router will require the device to be rediscovered into IME. To refresh the certificate in IME, double click the router under the Device list. Then, click OK to make sure IME connects to the router to get the new certificate. Click Yes to accept the updated certificate.
Viewing Events: Click Event Monitoring. Make sure you select the router under "Sensor Name".
Note: By default, in the view settings under the "Threat Rating" field, the value is set to ">=70". With this value, only events from signatures with a threat rating greater than or equal to 70 are displayed.
To view signatures of all severities, leave the "Threat Rating" field blank.