Re: importing Snort rules into ISS RealSecure and/or Proventia?



While OpenSignature is not a word processor, it does look I needed to
be more specific with which OpenSignature product am talking about.
I am not talking about about the digital signature product available
on sourceforge but rather OpenSource the feature within ISS which
allows you to create custom signatures in ISS Proventia and
RealSecure. The ruleset very nearly matches the rules for making
Snort signatures. Snort has a few more options but ISS OpenSource
allows you to use all the most common features.

I

I want to be able to add the list of Snort signatures I receive from
the CERT to ISS OpenSource in an efficient and easily repeatable
manner.
While I would love to set up a Snort engine and simply add the rules
to their native environment, my organization is commited to using ISS
as the IDS/IPS.
Currently all that I am able to do is verify the list of rules as
compatible with ISS using Tronschecker.exe tool.
Then manually enter each rule into the OpenSignature interface in SiteProtector.
While that is easy enough to do with a long list it is time consuming.
It would be far more efficient to be able to verify the rules with
Tronschecker.exe then convert the list to an appropriately formated
XML file so that it can be imported into SiteProtector.


documents.iss.net/literature/proventia/OpenSignatureUserGuide.pdf

- A snippet of the description from the OpenSignatureUserGuide

The OpenSignature feature uses a flexible rules language that allows
you to write
customized, pattern-matching intrusion detection signatures to detect
threats that are not
detected by IBM ISS Intrusion Prevention System (IPS) products.
Benefits Use the Open Signature feature to set up the following:
● Audit signatures for Layer 6 and 7 applications that are specific to
your environment
● Signatures that name a specific attack variant for customized
reporting purposes
(instead of relying on the IBM ISS vulnerability protection, which
uses a generic name
for many threats)
Requirements The OpenSignature feature is integrated into the IBM ISS
Protocol Analysis Module
(PAM) as a rule interpreter. OpenSignature relies on PAM and the IBM
ISS intrusion
prevention product you have installed on your network in order to work.
Supported agents You can use the OpenSignature feature with the
following agents:
● Proventia Intrusion Prevention Appliance versions 1.2 and later
● Proventia Desktop
● RealSecure Network Sensor
Important: These guidelines assume that you are managing these agents
through the
SiteProtector Console, and that you are not manually editing
configuration files.
Syntax information Proper syntax in essential for well-constructed
OpenSignature rules. The following
guidelines are available:
● "General Syntax" on page 9
● "Content Keyword Modifiers" on page 10
● "PCRE and Post-PCRE Keyword Modifiers" on page 12
● "Optional Keyword Modifiers" on page 14

On Sat, Oct 25, 2008 at 2:45 AM, <marlbred@xxxxxxxxxxx> wrote:
I have to ask.
If I remember correctly your OpenSignature is a word processor.
Have you tried writting your rules as a text file and importing it to snort?

Hope I am not that far off.
smokintech



Date: Thu, 23 Oct 2008 16:46:09 -0400
From: brownian.motion2000@xxxxxxxxx
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: importing Snort rules into ISS RealSecure and/or Proventia?

Has anyone out there had success with importing Snort rules into ISS
RealSecure and/or Proventia?
Supposedly you can import snort style rules into ISS's SiteProtector
policies with the OpenSignature policies.
The import feature said it would only take xml files so I used Word to
convert my .rules file to a xml
However SiteProtector told me that that the file was not a valid
OpenSignature

The example format given by ISS definitely looks snort rule compatible
alert tcp any any -> any any (msg:"Search google in binary form";
content:"|77 2E 67 6f 6F 67 6c 65|";nocase;sid:1000;)

I gave using Excel to make the conversion a go but that wasn't helpful

I manually created my rules in OpenSignature with apparently no issues.
The variables $HOME_NET and $EXTERNAL_NET may have given issue since I
also have not found a location to set them in SiteProtector

My 2 main theories why the import failed are that:
1. Perhaps Office products added extra garbage that caused the XML
file to not be properly formated.
My attempt to export my manually created OpenSignature rules only gave
me an XML file that only displayed placeholder for each of the
rules/policies not the actual rules/policies that I created... Thus
it was not useful in demonstrating how to correct my formatting...

2. Perhaps SiteProtector cannot handle variables and thus leaving
$HOME_NET and $EXTERNAL_NET as is in the rule invalidated it as a
policy.
After all TronsChecker.exe The OpenSignature rule checker didn't like
$HOME_NET and $EXTERNAL_NET
Is SiteProtector OpenSignature incapable of handling simple variables?

Any one have any input?
I would be greatly appreciative

RB

My apologises to anyone who is seeing this message a 2nd time. I over
looked a setting which caused my question to bounce when I sent it to
focus-ids.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



________________________________
Store, manage and share up to 5GB with Windows Live SkyDrive. Start
uploading now

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------