Cisco Secure IDS - RDEP
RDEP, or Remote Data Exchange Protocol, is a proprietary application-level communications protocol created by Cisco for their Secure IDS version 4 product. (Version 3 of the Cisco Secure IDS uses the Postoffice protocol, which is not covered here.)
RDEP is primarily a request/response protocol carried over HTTP/1.1. It can run over either encrypted (TLS/SSL) or unencrypted connections. Messages are exchanged in the Intrusion Detection Interaction and Operations Messages (IDIOM) format, an XML specification developed by Cisco.
There are three types of request/response messages defined by RDEP:
- Event Messages - IDS alarms (detected incidents), IDS server status or errors
- IP Log - IP log data (in pcap format) from the servers
- Transaction Messages - Configuration and control of the IDS servers
Events
There are two ways of retrieving events: by query or by subscription. With a query, the client asks the server for a set of events matching a specification, and the server returns all matching events in a single IDIOM document. If the client wants a live feed, it subscribes to the server instead. Over that connection the client retrieves events by sending subscription-get messages: the first get returns all current events that match the get criteria, and each subsequent get returns only the events that are new since the previous get.
IP Logs
The client can ask the server to create an IP log in libpcap format. Once the IP log is available, the IP Log request message is used to retrieve it.
Transactions
Transactions are used to configure and control the IDS server. There is little detail available on which commands a transaction can initiate, so if you have more information, I would love to hear from you.
Authentication
The RDEP protocol uses a modified HTTP BASIC method for authenticating to the server. The client sends the server an HTTP Authorization header, as a web browser would. Once authenticated, the server sends back a cookie which the client presents on future requests.
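The two exchanges described above, the Basic login that yields a session cookie (this section) and event retrieval by query or by subscription-get (the Events section), as an added example that is not Cisco's code and does not speak IDIOM XML. It is an in-memory model of both sides of the protocol, written here to show the session and cursor semantics; the credentials, event fields, cookie format and subscription identifiers are constructed assumptions, and the server deliberately refuses any request that does not carry a cookie it issued.

```python
"""Added model of the RDEP session and event semantics (not Cisco's implementation)."""
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    """Stand-in for one IDIOM alert; fields are constructed, not Cisco's schema."""
    event_id: int
    severity: str
    signature: str


@dataclass
class Subscription:
    severities: set
    last_seen_id: int = 0  # newest event id examined by the previous get (0 = none yet)


class RdepServer:
    """Sensor side: Basic login, cookie-bound sessions, query and subscription-get."""

    def __init__(self, username: str, password: str) -> None:
        self._username = username.encode()
        self._password = password.encode()
        self._events: list = []
        self._sessions: set = set()      # cookies this server has issued
        self._subscriptions: dict = {}   # (cookie, sub_id) -> Subscription

    def raise_event(self, severity: str, signature: str) -> Event:
        """Sensor detects something; ids increase monotonically."""
        event = Event(len(self._events) + 1, severity, signature)
        self._events.append(event)
        return event

    def authenticate(self, authorization_header: str) -> Optional[str]:
        """Check an HTTP Basic Authorization header; return a session cookie or None."""
        scheme, _, blob = authorization_header.partition(" ")
        if scheme != "Basic":
            return None
        try:
            user, _, password = base64.b64decode(blob, validate=True).partition(b":")
        except (ValueError, TypeError):
            return None
        # constant-time compares so timing does not reveal which half was wrong
        user_ok = hmac.compare_digest(user, self._username)
        pass_ok = hmac.compare_digest(password, self._password)
        if not (user_ok and pass_ok):
            return None
        cookie = secrets.token_hex(16)   # unguessable bearer token for later requests
        self._sessions.add(cookie)
        return cookie

    def _require_session(self, cookie: Optional[str]) -> None:
        if cookie is None or cookie not in self._sessions:
            raise PermissionError("no valid session cookie")

    def query(self, cookie, severities):
        """Query: every currently matching event, returned at once."""
        self._require_session(cookie)
        return [e for e in self._events if e.severity in severities]

    def subscription_open(self, cookie, severities):
        self._require_session(cookie)
        sub_id = secrets.token_hex(4)
        self._subscriptions[(cookie, sub_id)] = Subscription(set(severities))
        return sub_id

    def subscription_get(self, cookie, sub_id):
        """First get: all current matches. Later gets: only events newer than the last get."""
        self._require_session(cookie)
        sub = self._subscriptions[(cookie, sub_id)]
        fresh = [e for e in self._events
                 if e.event_id > sub.last_seen_id and e.severity in sub.severities]
        if self._events:
            sub.last_seen_id = self._events[-1].event_id  # advance past everything examined
        return fresh


class RdepClient:
    """Client side: sends Basic credentials once, then presents the cookie."""

    def __init__(self, server: RdepServer) -> None:
        self._server = server
        self.cookie: Optional[str] = None

    def login(self, user: str, password: str) -> bool:
        header = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cookie = self._server.authenticate(header)
        return self.cookie is not None

    def query(self, severities):
        return self._server.query(self.cookie, severities)

    def subscription_open(self, severities):
        return self._server.subscription_open(self.cookie, severities)

    def subscription_get(self, sub_id):
        return self._server.subscription_get(self.cookie, sub_id)


def run_demo() -> dict:
    """Walk through a failed login, a query, and three subscription-gets."""
    server = RdepServer("rdep-user", "constructed-password")  # constructed credentials
    server.raise_event("high", "sig-A")
    server.raise_event("low", "sig-B")
    client = RdepClient(server)
    results = {"bad_login": client.login("rdep-user", "wrong")}
    try:
        client.query({"high"})           # no cookie yet: server must refuse
        results["denied_without_cookie"] = False
    except PermissionError:
        results["denied_without_cookie"] = True
    results["good_login"] = client.login("rdep-user", "constructed-password")
    results["query_ids"] = [e.event_id for e in client.query({"high", "low"})]
    sub = client.subscription_open({"high"})
    results["get1"] = [e.event_id for e in client.subscription_get(sub)]  # all current high
    server.raise_event("high", "sig-C")
    server.raise_event("low", "sig-D")
    results["get2"] = [e.event_id for e in client.subscription_get(sub)]  # only the new high
    results["get3"] = [e.event_id for e in client.subscription_get(sub)]  # nothing new
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the cursor behaviour in miniature: the query returns events 1 and 2, the first subscription-get returns event 1 (the only current "high" event), the second returns only event 3, and the third returns nothing. Note that both the Basic header (base64, not encryption) and the cookie (a bearer token) are readable to anyone on the path when the unencrypted variant of RDEP is used, which is why the TLS/SSL variant mentioned above is the one to deploy.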
Net::RDEP
Joe Minieri from Open Service has written a very useful Perl module, Net::RDEP. It can be used to retrieve events from the IDS server using either query or subscription. Thanks Joe.