
Cisco Intrusion Prevention System

Monitor Events Generated by Cisco IOS Intrusion Prevention System using IPS Manager Express

Document ID: 113576

Updated: Jun 28, 2012

Contributed by Sid Chandrachud, Cisco TAC Engineer.


Introduction

This document explains how to monitor events generated by Cisco IOS Intrusion Prevention System (IOS-IPS) using the IPS Manager Express (IME).

Cisco IOS IPS is a software-based deep-packet inspection feature that effectively mitigates a wide range of network attacks.

Cisco IME is a simple, GUI-based IPS management software.

Prerequisites

Requirements

Readers of this document should have knowledge of these topics:

  • Cisco IOS Intrusion Prevention System

  • IPS Manager Express

Components Used

The information in this document is based on Cisco IOS Intrusion Prevention System using the IPS Manager Express.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Features

Requirement:

For IME to support IOS IPS, the router needs to run Cisco IOS Software Releases 12.3(14)T7 and 12.4(15)T2 or newer. IME can support up to 10 devices.

Note: IME only supports event monitoring for IOS IPS. Configuration is not supported.

Configuration

IME uses SDEE to get events from IOS IPS. SDEE notification is disabled by default and must be manually enabled. To use SDEE, the router's web server must be enabled. By default, IME tries to establish a secure connection to the router using HTTPS (TCP 443). This requires a digital certificate to be configured on the router. Optionally, IME can be configured to support an unsecure connection using HTTP (TCP 80).

Configuring the Router

  1. Enable SDEE notification:

    Router(config)# ip ips notify sdee
  2. Enable HTTPS:

    Router(config)# ip http secure-server
  3. Enable HTTP (Optional):

    Router(config)# ip http server
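
One way to check a saved running configuration for the three commands above before adding the router to IME. This is an added example, not Cisco code; the function names are hypothetical and both sample configurations are constructed.

```python
import re

# Commands from the router steps above, with the reason IME needs each.
REQUIRED = {
    "ip ips notify sdee": "SDEE notification, off by default",
    "ip http secure-server": "HTTPS server, IME default (TCP 443)",
}
PLAINTEXT = "ip http server"  # optional HTTP transport (TCP 80)

def enabled_commands(running_config):
    """Global-mode commands that are present and not negated with 'no'."""
    enabled = set()
    for raw in running_config.splitlines():
        if not raw.strip() or raw[0].isspace() or raw.startswith("!"):
            continue  # blank, sub-mode (indented) or comment line
        line = re.sub(r"\s+", " ", raw.strip())
        if line.startswith("no "):
            enabled.discard(line[3:])
        else:
            enabled.add(line)
    return enabled

def audit(running_config):
    # Exact matching keeps "ip http secure-server" distinct from "ip http server".
    cmds = enabled_commands(running_config)
    missing = {c: why for c, why in REQUIRED.items() if c not in cmds}
    return {"missing": missing,
            "plaintext_http": PLAINTEXT in cmds,
            "https_ready": not missing}

# Constructed sample configurations (not from a real device).
HTTP_ONLY = """\
hostname Router
ip ips notify sdee
no ip http secure-server
ip http server
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""
HTTPS_ONLY = """\
hostname Router
ip ips notify sdee
no ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for name, cfg in (("HTTP_ONLY", HTTP_ONLY), ("HTTPS_ONLY", HTTPS_ONLY)):
        print(name, audit(cfg))
```

A result with plaintext_http set to True means the router accepts the optional unsecure HTTP connection on TCP 80.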

Configuring IME

  1. Download and install IME. Run IME. Then, click Add.

    Download IME:

    http://www.cisco.com/cisco/software/navigator.html?mdfid=278875433&flowid=4460


    Note: The default setting uses HTTPS and port 443 to connect to the router. You can also choose to connect using HTTP only, and change the port to 80.

  2. If using HTTPS, you are presented with a screen to accept the self-signed certificate from the router. Click Yes.


    Once correctly added, you will see the following:

    ptn_113576-03.gif

    Note: If HTTPS is used to connect to the router, any changes to the certificate on the router will require the device to be rediscovered into IME. To refresh the certificate in IME, double click the router under the Device list. Then, click OK to make sure IME connects to the router to get the new certificate. Click Yes to accept the updated certificate.

  3. Viewing Events: Click Event Monitoring. Make sure you select the router under "Sensor Name".

    Note: By default, in the view settings under the "Threat Rating" field, the value is set to ">=70". With this value, the results display only signatures with a threat rating of 70 or higher.

    To view signatures of all severities, keep the "Threat Rating" field blank.

