The SDEE (Security Device Event Exchange) protocol was developed to communicate the events generated by security devices. Currently, only IDS events are supported, but the protocol is designed to be extensible, allowing additional event types to be defined and included.
The SDEE client establishes a session with the server by successfully authenticating with that server. Once authenticated, the client is given a session ID (session cookie), which it must include with all future requests.
SDEE supports two methods for retrieving events: an event query and an event subscription. Both methods use SSL to query the SDEE server and retrieve the events. The event query method retrieves all the events in a given time range; no connection is maintained in any way. The event subscription, however, does maintain a connection and supports multiple "gets" to continue retrieving events as they become available. Furthermore, multiple subscriptions are supported within a single session; in this case, each subscription would be configured to retrieve different events (by type or by severity).
For either a query or a subscription request, the server's response is a SOAP document. The document may contain response or error messages, as well as one or more events.
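The exchange described above (authenticate, receive a session cookie, then query or open subscriptions and poll them) as an added in-memory model; this is example code, not Net::SDEE or any SDEE server implementation, and the action names, SOAP body element names and event tuples are constructed assumptions. The server checks the session cookie before doing any other work, and each subscription keeps its own cursor so repeated gets only return events that arrived since the previous get.

```python
import secrets
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace

def soap_response(events=(), error=None, sub_id=None):
    """Build the SOAP document a server returns (element names are assumptions)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    if error:
        ET.SubElement(body, "error").text = error
    if sub_id:
        ET.SubElement(body, "subscriptionId").text = sub_id
    for ts, sev, text in events:
        ET.SubElement(body, "evIdsAlert", {"time": str(ts), "severity": sev}).text = text
    return ET.tostring(env, encoding="unicode")

def parse_response(xml):
    """Client side: split a response into (error, subscriptionId, [(time, severity, text)])."""
    body = ET.fromstring(xml).find(f"{{{SOAP}}}Body")
    events = [(int(e.get("time")), e.get("severity"), e.text) for e in body.findall("evIdsAlert")]
    return body.findtext("error"), body.findtext("subscriptionId"), events

class MockSdeeServer:
    """In-memory server: one session per cookie, any number of subscriptions per session."""
    def __init__(self, users, events):
        self.users, self.events, self.sessions = users, list(events), {}   # events are constructed
    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_hex(16)          # session cookie the client must send from now on
        self.sessions[cookie] = {}
        return cookie
    def request(self, cookie, action, **p):
        subs = self.sessions.get(cookie)
        if subs is None:                        # reject before doing any work for the caller
            return soap_response(error="not authenticated")
        if action == "query":                   # one-shot: every event in [start, end]
            return soap_response([e for e in self.events if p["start"] <= e[0] <= p["end"]])
        if action == "open":                    # subscription keeps a severity filter and a cursor
            sid = f"sub{len(subs) + 1}"
            subs[sid] = {"severity": p["severity"], "cursor": 0}
            return soap_response(sub_id=sid)
        if action == "get":                     # each get continues where the last one stopped
            sub = subs[p["sub_id"]]
            new = [e for e in self.events[sub["cursor"]:] if e[1] == sub["severity"]]
            sub["cursor"] = len(self.events)
            return soap_response(new)
        return soap_response(error=f"unknown action {action}")
```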
$sdee = Net::SDEE->new(Username => 'sdeeuser', Type => 'subscription');