This document explains how to monitor events generated by Cisco IOS
Intrusion Prevention System (IOS IPS) using the IPS Manager Express (IME).
Cisco IOS IPS is a software-based deep-packet inspection feature that
effectively mitigates a wide range of network attacks.
Cisco IME is a simple, GUI-based IPS management software.
Readers of this document should have knowledge of these topics.
The information in this document is based on Cisco IOS Intrusion
Prevention System using the IPS Manager Express.
For more information on document conventions, refer to
Technical Tips Conventions.
For IME to support IOS IPS, the router needs to run Cisco IOS Software
Releases 12.3(14)T7 and 12.4(15)T2 or newer. IME can support up to 10 devices.
Note: IME only supports event monitoring for IOS IPS. Configuration is not
IME uses SDEE to get events from IOS IPS. SDEE notification is disabled
by default and must be manually enabled. To use SDEE, the router's web server
must be enabled. By default, IME tries to establish a secure connection to the
router using HTTPS (TCP 443). This requires a digital certificate to be
configured on the router. Optionally, IME can be configured to support an
unsecured connection using HTTP (TCP 80).
Enable SDEE notification:
Router(config)# ip ips notify sdee
Enable HTTPS:
Router(config)# ip http secure-server
Enable HTTP (Optional):
Router(config)# ip http server
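
A check for the prerequisites above, as an added example that is not part of the original Cisco document: this Python script reads a running-config excerpt and reports whether IME can pull SDEE events and over which transport. The sample config is constructed, and treating a command that never appears as disabled is an assumption.

```python
# Added example (not Cisco code): audit a running-config for what IME needs.
SAMPLE_CONFIG = """\
hostname Router
!
ip ips notify sdee
no ip http server
ip http secure-server
!
"""  # constructed sample excerpt, not taken from a real device

# Global commands named on this page, mapped to a short key.
COMMANDS = {
    "ip ips notify sdee": "sdee",
    "ip http secure-server": "https",
    "ip http server": "http",
}


def parse_state(config_text):
    """Return {key: enabled}; the last occurrence wins, and 'no <cmd>' disables.
    Assumption: a command that never appears is treated as disabled.
    """
    state = {key: False for key in COMMANDS.values()}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        if line in COMMANDS:
            state[COMMANDS[line]] = not negated
    return state


def audit(config_text):
    """Return (transport IME can use, or None; list of findings)."""
    state = parse_state(config_text)
    findings = []
    if not state["sdee"]:
        findings.append("SDEE notification is off: add 'ip ips notify sdee'")
    if not (state["https"] or state["http"]):
        findings.append("web server is off: add 'ip http secure-server'")
    if state["http"]:
        findings.append("'ip http server' is on: HTTP (TCP 80) is unencrypted")
    transport = "https/443" if state["https"] else "http/80" if state["http"] else None
    return (transport if state["sdee"] else None), findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
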
Download and install IME. Run IME. Then, click
Note: The default setting uses HTTPS and port 443 to connect to the
router. You can also choose to connect using HTTP only, and change the port to
If using HTTPS, you are presented with a screen to accept the
self-signed certificate from the router. Click Yes.
Once correctly added, you will see the following:
Note: If HTTPS is used to connect to the router, any changes to the
certificate on the router will require the device to be rediscovered into IME.
To refresh the certificate in IME, double-click the router under the Device
list. Then, click OK to make sure IME connects to the router
to get the new certificate. Click Yes to accept the updated
Viewing Events: Click Event Monitoring. Make sure
you select the router under "Sensor Name".
Note: By default, in the view settings, the "Threat Rating" field is set
to ">=70". With this value, the results show only signatures with a threat
rating of 70 or higher.
To view all severity signatures keep the "Threat Rating" field