Event Data Structures; IPS Events - Cisco 4215 Intrusion Detection System Sensor Configuration Manual

MainApp

Event Data Structures

The various functional units communicate the following seven types of data:

Intrusion events—Produced by SensorApp. The sensor detects intrusion events.
Error events—Caused by hardware or software malfunctions.
Status events—Reports of a change in the application's status, for example, that its configuration has been updated.
Control transaction log events—The sensor logs the result of a control transaction.
Network access events—Actions for the Network Access Controller, for example, a block request.
Debug events—Highly detailed reports of a change in the application's status used for debugging.
Control transaction data—Data associated with control transactions, for example, diagnostic data from an application, session logs, and configuration data to or from an application.

All seven types of data are referred to collectively as IPS data. The six event types—intrusion, error, status, control transaction log, network access, and debug—have similar characteristics and are referred to collectively as IPS events. IPS events are produced by the several different applications that make up the IPS and are subscribed to by other IPS applications. IPS events have the following characteristics:

They are spontaneously generated by the application instances configured to do so. There is no request from another application instance to generate a particular event.
They have no specific destination. They are stored and then retrieved by one or more application instances.

Control transactions involve the following types of requests:

Request to update an application instance's configuration data
Request for an application instance's diagnostic data
Request to reset an application instance's diagnostic data
Request to restart an application instance
Request for the Network Access Controller, such as a block request

Control transactions have the following characteristics:

They always consist of a request followed by a response.
The request and response may have an arbitrary amount of data associated with them. The response always includes at least a positive or negative acknowledgment.
They are point-to-point transactions. Control transactions are sent by one application instance (the initiator) to another application instance (the responder).

IPS data is represented in XML format as an XML document. The system stores user-configurable parameters in several XML files.

IPS Events

IPS applications generate IPS events to report the occurrence of some stimulus. The events are the data, such as the alerts generated by SensorApp or errors generated by any application. Events are stored in a local database known as the Event Store.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Appendix A, System Architecture, 78-16527-01, page A-8
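The two data flows described above (IPS events and control transactions), modeled in Python as an added example. This is not Cisco code and not the sensor's real XML schema: the element and attribute names, the application instance names and the constructed block request are assumptions for illustration. The point it makes concrete is the contrast the text draws: events are appended to an Event Store with no destination and retrieved by whoever subscribes, while a control transaction is point-to-point, always answered with a positive or negative acknowledgment, and has its result logged back into the store as a control transaction log event.

```python
"""Illustrative model of IPS events vs. control transactions (added example).

Not Cisco code; the XML element/attribute names below are invented for the
example and are not the sensor's actual schema.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from itertools import count

# The six event types that are collectively "IPS events". The seventh data
# type, control transaction data, travels inside a transaction, not the store.
IPS_EVENT_TYPES = {"intrusion", "error", "status", "controlTransactionLog",
                   "networkAccess", "debug"}


@dataclass(frozen=True)
class Event:
    event_id: int
    producer: str      # application instance that spontaneously generated it
    event_type: str
    xml: str           # IPS data is represented as an XML document


class EventStore:
    """Events have no destination: producers append, any instance retrieves."""

    def __init__(self):
        self._events = []
        self._ids = count(1)

    def publish(self, producer, event_type, **fields):
        if event_type not in IPS_EVENT_TYPES:
            raise ValueError(f"not an IPS event type: {event_type}")
        root = ET.Element("event", type=event_type, producer=producer)
        for name, value in fields.items():
            ET.SubElement(root, name).text = str(value)
        ev = Event(next(self._ids), producer, event_type,
                   ET.tostring(root, encoding="unicode"))
        self._events.append(ev)
        return ev.event_id

    def retrieve(self, event_type=None, after_id=0):
        """Subscriber-style poll: nothing is consumed or routed."""
        return [e for e in self._events
                if e.event_id > after_id
                and (event_type is None or e.event_type == event_type)]


class AppInstance:
    """Responder side of a control transaction (e.g. a Network Access Controller)."""

    REQUESTS = {"updateConfig", "getDiagnostics", "resetDiagnostics",
                "restart", "block"}

    def __init__(self, name, store):
        self.name, self.store = name, store
        self.config, self.blocked, self.restarts = {}, set(), 0
        self.diagnostics = {"requestsHandled": 0}

    def handle(self, request_xml):
        """Every request gets exactly one response carrying an ack (ok/error)."""
        req = ET.fromstring(request_xml)
        resp = ET.Element("response", id=req.get("id"), responder=self.name)
        kind = req.get("type")
        try:
            if kind not in self.REQUESTS:
                raise ValueError(f"unknown request type {kind!r}")
            self.diagnostics["requestsHandled"] += 1
            if kind == "updateConfig":
                for p in req.findall("param"):
                    self.config[p.get("name")] = p.text
            elif kind == "getDiagnostics":
                for k, v in self.diagnostics.items():
                    ET.SubElement(resp, k).text = str(v)
            elif kind == "resetDiagnostics":
                self.diagnostics = {"requestsHandled": 0}
            elif kind == "restart":
                self.restarts += 1
                # A restart is a status change, so it is also reported as an event.
                self.store.publish(self.name, "status", message="restarted")
            elif kind == "block":
                addr = req.findtext("address")
                if not addr:
                    raise ValueError("block request without address")
                self.blocked.add(addr)
                self.store.publish(self.name, "networkAccess",
                                   action="block", address=addr)
            resp.set("status", "ok")            # positive acknowledgment
        except ValueError as exc:
            resp.set("status", "error")         # negative acknowledgment
            ET.SubElement(resp, "reason").text = str(exc)
        return ET.tostring(resp, encoding="unicode")


_txn_ids = count(1)


def control_transaction(initiator, responder, request_type, store, **fields):
    """Point-to-point: one initiator, one responder, a request then a response.
    The outcome is written to the Event Store as a controlTransactionLog event."""
    req = ET.Element("request", id=str(next(_txn_ids)), type=request_type,
                     initiator=initiator)
    for name, value in fields.items():
        if name == "params":                    # configuration key/value pairs
            for k, v in value.items():
                ET.SubElement(req, "param", name=k).text = str(v)
        else:
            ET.SubElement(req, name).text = str(value)
    response_xml = responder.handle(ET.tostring(req, encoding="unicode"))
    status = ET.fromstring(response_xml).get("status")
    store.publish(initiator, "controlTransactionLog", request=request_type,
                  responder=responder.name, result=status)
    return status, response_xml


if __name__ == "__main__":
    store = EventStore()
    nac = AppInstance("NetworkAccessController", store)
    # Constructed block request (assumed address, not from any real sensor).
    print(control_transaction("MainApp", nac, "block", store, address="203.0.113.7"))
    print(control_transaction("MainApp", nac, "block", store))   # no address: error ack
    for ev in store.retrieve():
        print(ev.event_id, ev.event_type, ev.xml)
```

Running the block shows the asymmetry: the failed block request still produces a response (with `status="error"`) and still leaves a controlTransactionLog event behind, whereas the networkAccess event is only emitted when the responder actually acted.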
