Table of Contents
Advertisement
Chapter 6
Configuring Network-based IDS and IPS Devices
Enable SDEE on the Cisco IOS Device with an IPS Module
In addition to enabling either Telnet or SSH for configuration discovery on a Cisco IOS device, you must
also enable SDEE on the device that supports IPS module. SDEE is used to publish events to MARS
about signatures that have fired.
To enable SDEE protocol on the Cisco IOS device that supports IPS module, perform the following
steps:
Log in to the Cisco IOS device using the enable password.
Step 1
Enter the following commands to enable MARS to retrieve the events from the IPS module:
Step 2
The "no ips notify log" causes the IPS modules to stop sending IPS events over syslog.
Note
Add an IPS Module to a Cisco Switch or Cisco ASA
You can enable in-line IPS functionality and signature detection in multi-purpose Cisco platforms. You
can identify an IDS-M2 running in a Cisco Switch or an ASA-SSM running in a Cisco ASA. To represent
either of these modules, you must define the settings for the module as part of the base platform, which
must be previously defined under Admin > System Setup > Security and Monitor Devices.
To add an IPS module to a Cisco Switch of Cisco ASA, follow these steps:
Click Admin > System Setup > Security and Monitor Devices.
Step 1
From the list of devices, select the Cisco switch or Cisco ASA to which you want to add the IPS module
Step 2
and click Edit.
Click Add Module.
Step 3
Select Cisco IPS 5.x in the Device Type list.
Step 4
78-17020-01
Router(config)#ip http secure-server
Router(config)#ip ips notify sdee
Router(config)#ip sdee subscriptions 3
Router(config)#ip sdee events 1000
Router(config)#no ip ips notify log
User Guide for Cisco Security MARS Local Controller
Cisco IPS Modules
6-11
Advertisement
Table of Contents
Troubleshooting
