API - Cisco IDS/IPS
Since Cisco introduced its first Intrusion Detection System (IDS), the company has progressively developed more sophisticated protocols for communicating events to remote users and applications. Early Cisco IDS systems supported the POP (Post Office Protocol) standard, which was replaced by the proprietary Remote Data Exchange Protocol (RDEP).
With the release of Cisco's Intrusion Prevention System (IPS) 5.0 software, the company published a new open standard called Security Device Event Exchange (SDEE), sometimes referred to as RDEP2, that supports subscription-based remote event collection. The RDEP protocol was deprecated in IPS version 6.0 and may not be supported in the future. Therefore, LogRhythm has adopted the SDEE protocol for event collection from Cisco IDS/IPS sensors.
Prerequisites
- To collect event messages from a Cisco IDS/IPS device, LogRhythm release 4.1 or higher must be installed. The Windows version of the LogRhythm Agent must be used as the collection point; Linux and UNIX agents do not support the Cisco IDS/IPS message source.
- The Windows host system that will be used as the collection point must be able to establish a secure HTTPS connection to the sensor. You can verify this by using a web browser on the Windows host to connect to the Cisco sensor.
- A System Monitor Pro Agent is required to collect event messages from one or more Cisco IDS/IPS sensors.
Configure the Cisco Sensor
Before a Cisco IDS/IPS sensor allows a remote user or application to collect events, the sensor's web server must be configured properly. This section lists the applicable sensor settings. Consult the appropriate version of your Cisco documentation for instructions about how to verify and/or modify these settings.
The Cisco SDEE service operates as a web server on the sensor. To configure the Cisco sensor to accept secure HTTPS connections, ensure that the following sensor settings have been configured:
| Cisco IPS Setting | Description |
|---|---|
| Allowed Hosts | Add the host information of the LogRhythm Windows Agent. |
| Users | Ensure a user name is available in the Administrator (not recommended) or Viewer (recommended) role. |
| Enable TLS/SSL | Ensure this setting is enabled. |
| Web Server Port | Select a port for the HTTPS listener. The default port is 443. |
Configure the sdee.ini File
Copy the sdee.ini configuration file to the LogRhythm Agent config directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config\sdee.ini
If you intend to use this agent to collect event messages from more than one Cisco IDS/IPS device, make a separate copy of this file for each device. You may rename the file if necessary. In addition, you need to create a Log Message Source type for each device.
The following settings are specified in that file:
| Setting | Default Value | Description |
|---|---|---|
| Host | CHANGE_THIS | Cisco IPS sensor host IP address. |
| HostPort | 443 | Port of the Cisco IPS sensor web server (the HTTPS listener). |
| HttpsProtocol | SSL3 | Cisco IPS web server HTTPS protocol. Can be SSL3 or TLS. |
| URISchema | https | URI scheme used to construct the URL for the sensor connection. Can be https or http. |
| HostUsername | CHANGE_THIS | Cisco IPS user name. |
| HostPassword | CHANGE_THIS | Password for the Cisco IPS user name. The password must be encrypted using the lrcrypt command line utility. Usage: lrcrypt [-e passwordtoencrypt] [path\inifile]. For more information on how to use the LogRhythm Encryption Utility, see Deployment Security. |
| EventTypes | CHANGE_THIS | Enter one or more event types separated by commas (evAlert, evError, evStatus, evShunRqst) to collect only the event types you have specified. Leave this setting blank to collect all available event types. |
| AlertSeverities | CHANGE_THIS | Enter one or more alert severity levels separated by commas (informational, low, medium, high) to collect only the specified levels. Leave this setting blank to collect all available alert severity levels. This setting has no effect when alert events are filtered out by the EventTypes setting. |
| ErrorSeverities | CHANGE_THIS | Enter one or more error severity levels separated by commas (warning, error, fatal) to collect only the specified levels. Leave this setting blank to collect all available error severity levels. This setting has no effect when error events are filtered out by the EventTypes setting. |
| MustHaveAlarmTraits | CHANGE_THIS | Enter the alarm traits to include by using one of these formats: Leave this setting blank to prevent filtering alarms by trait. The effects of the MustHaveAlarmTraits and MustNotHaveAlarmTraits settings are combined. |
| MustNotHaveAlarmTraits | CHANGE_THIS | Enter the alarm traits to exclude by using one of these formats: Leave this setting blank to prevent filtering alarms by trait. The effects of the MustHaveAlarmTraits and MustNotHaveAlarmTraits settings are combined. |
| StartTime | CHANGE_THIS | Enter the date and time of the oldest event that you wish to collect from the sensor. Leave this setting blank to collect all events stored on the sensor's hard drive. This setting allows you to filter out historical events that may be months old and of no value. When used, the value must be entered in the format yyyy-mm-ddThh:mm:ss, and the time must be in UTC. Note that this format requires two digits for all date and time values except the year, which must be four digits long. For example: |
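A small pre-deployment check for an sdee.ini, written here as an added example (it is not LogRhythm tooling). It assumes the file is plain key=value lines using the setting names in the table above, with an optional [section] header or ; comment lines, and it flags placeholder credentials, cleartext or SSL3 transport, filter values the sensor does not understand, and a malformed StartTime.

```python
import re

START_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")  # yyyy-mm-ddThh:mm:ss, UTC
FILTER_VALUES = {  # allowed items for the comma-separated filter settings
    "EventTypes": {"evAlert", "evError", "evStatus", "evShunRqst"},
    "AlertSeverities": {"informational", "low", "medium", "high"},
    "ErrorSeverities": {"warning", "error", "fatal"},
}


def parse_sdee_ini(text):
    """Parse key=value lines into a dict; blanks, comments and [section] headers are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith((";", "#", "[")):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def check_sdee_settings(settings):
    """Return a list of findings; an empty list means the file is ready to deploy."""
    findings = []
    for key in ("Host", "HostUsername", "HostPassword"):
        if settings.get(key, "CHANGE_THIS") in ("", "CHANGE_THIS"):
            findings.append(f"{key}: still set to the CHANGE_THIS placeholder")
    # Credentials travel over this channel: require https, and prefer TLS to obsolete SSL3.
    if settings.get("URISchema", "https").lower() != "https":
        findings.append("URISchema: http sends the sensor credentials in cleartext")
    if settings.get("HttpsProtocol", "SSL3").upper() == "SSL3":
        findings.append("HttpsProtocol: SSL3 is obsolete; set TLS if the sensor supports it")
    for key, allowed in FILTER_VALUES.items():
        # A blank filter means "collect everything", so only non-empty items are validated.
        bad = {v.strip() for v in settings.get(key, "").split(",") if v.strip()} - allowed
        if bad:
            findings.append(f"{key}: unknown value(s) {sorted(bad)}")
    start = settings.get("StartTime", "")
    if start and not START_TIME_RE.match(start):
        findings.append("StartTime: must be yyyy-mm-ddThh:mm:ss in UTC")
    return findings


SAMPLE_INI = """; constructed sample sdee.ini, not a real deployment
Host=192.0.2.10
HttpsProtocol=SSL3
HostUsername=sdee_viewer
HostPassword=CHANGE_THIS
AlertSeverities=medium,high,critical
StartTime=2024-01-01 00:00:00
"""
```

Running `check_sdee_settings(parse_sdee_ini(SAMPLE_INI))` on the constructed sample reports four findings: the placeholder password, the SSL3 protocol, the unknown severity `critical`, and the StartTime written with a space instead of `T`.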
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Cisco IDS/IPS. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
  - File Path: <path to log file, including the file name and extension>