Cisco IDS/IPS

You can integrate a Cisco IDS/IPS security device with JSA.

The Cisco IDS/IPS DSM for JSA collects Cisco IDS/IPS for events by using the Security Device Event Exchange (SDEE) protocol.

The SDEE specification defines the message format and the protocol that is used to communicate the events that are generated by your Cisco IDS/IPS security device. JSA supports SDEE connections by polling directly to the IDS/IPS device and not the management software, which controls the device.

Note:

You must have security access or web authentication on the device before you connect to JSA.

After you configure your Cisco IDS/IPS device, you must configure the SDEE protocol in JSA. When you configure the SDEE protocol, you must define the URL that is used to access the device. An example of a URL that defines the device is https//www.example.com/cgi-bin/sdee-server.

You must use http or https in the URL, which is specific to your Cisco IDS version.

When you use RDEP (for Cisco IDS 4.0), ensure that the URL has /cgi-bin/event-server at the end of the URL. An example URL is https://www.example.com/cgi-bin/event-server.
When you use SDEE/CIDEE (for Cisco IDS 5.x and later), ensure that the URL has /cgi-bin/sdee-server at the end of the URL. An example URL is https://www.example/cgi-bin/sdee-server.

SDEE Log Source Parameters for Cisco IDS/IPS

If JSA does not automatically detect the log source, add a Cisco Intrusion Prevention System (IPS) log source on the JSA Console by using the Security Device Event Exchange (SDEE) protocol.

The following table describes the parameters that require specific values to collect syslog events from Cisco IDS/IPS devices:

Table 1: SDEE Log Source Parameters for the Cisco IDS/IPS DSM
Parameter	Value
Log Source type	Cisco Intrusion Prevention System (IPS)
Protocol Configuration	SDEE
Log Source Identifier	Type an IP address, host name, or name to identify the SDEE event source. The identifier helps you determine which events came from your Cisco IDS/IPS device.
URL	Type the URL address to access the log source, for example, `https://www.mysdeeserver.com/cgi-bin/sdee-server`. You must use an `http` or `https` in the URL. Here are some options: If you are using SDEE/CIDEE (for Cisco IDS v5.x and later), check that `/cgi-bin/sdee-server` is at the end of the URL. For example, `https://www.my-sdee-server/cgi-bin/sdee-server` If you are using RDEP (for Cisco IDS v4.0), check that `/cgi-bin/event-server` is at the end of the URL. For example, `https://www.my-rdep-server.com/cgi-bin/event-server`
Username	Type the user name. This user name must match the SDEE URL user name that is used to access the SDEE URL. The user name can be up to 255 characters in length.
Password	Type the user password. This password must match the SDEE URL password that is used to access the SDEE URL. The password can be up to 255 characters in length.
Events / Query	Type the maximum number of events to retrieve per query. The valid range is 0 - 501 and the default is 100.
Force Subscription	Select this check box if you want to force a new SDEE subscription. By default, the check box is selected. The check box forces the server to drop the least active connection and accept a new SDEE subscription connection for this log source. Clearing the check box continues with any existing SDEE subscription.
Severity Filter Low	Select this check box if you want to configure the severity level as low. Log sources that support SDEE return only the events that match this severity level. By default, the check box is selected.
Severity Filter Medium	Select this check box if you want to configure the severity level as medium. Log sources that support SDEE return only the events that match this severity level. By default, the check box is selected.
Severity Filter High	Select this check box if you want to configure the severity level as high. Log sources that support SDEE return only the events that match this severity level. By default, the check box is selected.