Introduction
This document explains how to monitor events generated by Cisco IOS Intrusion Prevention System (IOS IPS) using the IPS Manager Express (IME).
Cisco IOS IPS is a software-based deep-packet inspection feature that effectively mitigates a wide range of network attacks.
Cisco IME is a simple, GUI-based IPS management software.
Note: The content in this document was created by Sid Chandrachud, Cisco TAC Engineer.
Prerequisites
Requirements
Readers of this document should have knowledge of these topics:
- Cisco IOS Intrusion Prevention System
- IPS Manager Express
Components Used
The information in this document is based on Cisco IOS Intrusion Prevention System using the IPS Manager Express.
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Features
Requirement:
For IME to support IOS IPS, the router needs to run Cisco IOS Software Releases 12.3(14)T7 and 12.4(15)T2 or newer. IME can support up to 10 devices.
Note: IME only supports event monitoring for IOS IPS. Configuration is not supported.
Configuration
IME uses SDEE to get events from IOS IPS. SDEE notification is disabled by default and must be manually enabled. To use SDEE, the router's web server must be enabled. By default, IME tries to establish a secure connection to the router using HTTPS (TCP 443). This requires a digital certificate to be configured on the router. Optionally, IME can be configured to support an unsecure connection using HTTP (TCP 80).
Configuring the Router
- Enable SDEE notification:
  Router(config)# ip ips notify sdee
- Enable HTTPS:
  Router(config)# ip http secure-server
- Enable HTTP (Optional):
  Router(config)# ip http server
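The check below is an added example, not part of the original Cisco document: it reads router configuration text and reports whether the three commands above leave the router reachable by IME over HTTPS only. The function names and sample configurations are constructed for illustration, and a command that does not appear in the text is assumed to be not enabled.

```python
import re

# Constructed running-config excerpts for illustration (not from a real device).
SAMPLE_HTTPS_ONLY = """hostname R1
ip ips notify sdee
no ip http server
ip http secure-server
"""
SAMPLE_HTTP_ONLY = """hostname R2
ip ips notify sdee
ip http server
no ip http secure-server
"""

# The three commands from the steps above, keyed by a short label.
COMMANDS = {"sdee": "ip ips notify sdee",
            "https": "ip http secure-server",
            "http": "ip http server"}
PROMPT = re.compile(r"^\S+\(config\)#\s*")  # tolerate pasted "Router(config)# ..." lines


def command_state(config, command):
    """True if enabled, False if negated with 'no', None if never mentioned.
    The last matching line wins, as it would when commands are entered in order."""
    state = None
    for raw in config.splitlines():
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        if line == command:
            state = True
        elif line == "no " + command:
            state = False
    return state


def audit_ime_readiness(config):
    """Return a list of findings; an empty list means SDEE over HTTPS only.
    Assumption: a command absent from the text is treated as not enabled."""
    s = {key: command_state(config, cmd) for key, cmd in COMMANDS.items()}
    findings = []
    if not s["sdee"]:
        findings.append("SDEE notification off: add 'ip ips notify sdee'")
    if not s["https"] and not s["http"]:
        findings.append("web server off: add 'ip http secure-server'")
    elif not s["https"]:
        findings.append("HTTP only (TCP 80, unsecured): enable 'ip http secure-server'")
    elif s["http"]:
        findings.append("HTTP enabled alongside HTTPS: consider 'no ip http server'")
    return findings
```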
Configuring IME
- Download and install IME. Run IME. Then, click Add.
Download IME:
http://www.cisco.com/cisco/software/navigator.html?mdfid=278875433&flowid=4460
Note: The default setting uses HTTPS and port 443 to connect to the router. You can also choose to connect using HTTP only, and change the port to 80.
- If using HTTPS, you are presented with a screen to accept the self-signed certificate from the router. Click Yes.
Once correctly added, you will see the following:
Note: If HTTPS is used to connect to the router, any change to the certificate on the router requires the device to be rediscovered in IME. To refresh the certificate in IME, double-click the router under the Device list. Then, click OK to make sure IME connects to the router to get the new certificate. Click Yes to accept the updated certificate.
- Viewing Events: Click Event Monitoring. Make sure you select the router under "Sensor Name".
Note: By default, in the view settings, the "Threat Rating" field is set to ">=70". With this value, the results show only signatures with a threat rating of 70 or higher.
To view signatures of all severities, leave the "Threat Rating" field blank.
