AW: Editing ISS RealSecure Network Sensor policy from commandline

From: Knorr Markus (Markus.Knorr_at_eon-is.com)
Date: 07/21/05

    Date: Thu, 21 Jul 2005 08:08:18 +0200
    To: "Jim" <gunmetalx@gmail.com>, <focus-ids@securityfocus.com>
    
    

    Hi Jim,
    I have some experience with troubleshooting RS 7.0 Policies.
    To implement what you want you have to export the specific Policy in the Policy Editor.
    After you have saved the Policy on the hard disk you can open the policy file with a text editor (I used "vim"). As my intention in editing the policy was for troubleshooting reasons, I cannot provide more information on your question. But by viewing the file you will realize that the syntax isn't difficult to understand.

    Hope that helps

    So long

    Markus

    Dipl.Wirt.-Inf. Markus Knorr
    Competence Center Security
    T +49 9 31 3 00-15 09
    F +49 9 31 3 00-15 36
    markus.knorr@eon-is.com
    E.ON IS GmbH
    Bismarckstraße 9-11
    D-97080 Würzburg
    www.eon-is.com
     

    > -----Original Message-----
    > From: news [mailto:news@sea.gmane.org] On Behalf Of Jim
    > Sent: Wednesday, July 20, 2005 19:17
    > To: focus-ids@securityfocus.com
    > Subject: Editing ISS RealSecure Network Sensor policy from commandline
    >
    >
    > Is there any way to edit the Network Sensor (version 7)
    > policy with a text editor, and reliably apply this policy?
    >
    > I work for a fairly large MSP and some of our customers
    > require event filters to be added in large numbers. Adding
    > these one-at-a-time in the Policy Editor is VERY painful.
    > For example, one customer yesterday requested that 10 source
    > IPs ignore 9 signatures when talking to 2 destination IPs. I
    > would go insane if I had to add 180 individual entries by hand.
    >
    > I found the "current.policy" file on the sensor itself, but
    > it seems that changes to this file are not visible in the
    > console's Policy Editor. For example, if I edit one of the
    > filters in current.policy and then "Edit Current Policy" from
    > the Site Protector console, the changes are not there. This
    > is the case no matter whether I stop the sensor/daemon from
    > the OS shell or using Stop/Start in Site Protector.
    >
    > Please let me know if there's any way to do this! I've
    > scoured Google for about 2 days now, and a couple other
    > employees here have asked ISS for help with this and have
    > gotten nowhere.
    >
    > Thanks very much.
    >
    >

