Network Security Focus-IDS

AW: Editing ISS RealSecure Network Sensor policy from commandline

Subject: AW: Editing ISS RealSecure Network Sensor policy from commandline
Date: Thu, 21 Jul 2005 08:08:18 +0200
Hi Jim,
I have some experience with troubleshooting RS 7.0 policies.
To implement what you want, you have to export the specific policy in the Policy 
Editor.
After you have saved the policy on the hard disk, you could open the policy file with 
a text editor (I'd used "vim"). As my intention in editing the policy was for 
troubleshooting reasons, I could not provide more information on your question. 
But by viewing the file you would realize that the syntax isn't difficult to 
understand.

Hope that helps

So long

Markus

Dipl.Wirt.-Inf. Markus Knorr
Competence Center Security
T +49 9 31 3 00-15 09
F +49 9 31 3 00-15 36
markus.knorr@eon-is.com
E.ON IS GmbH
Bismarckstraße 9-11
D-97080 Würzburg
www.eon-is.com 
 

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Jim
Sent: Wednesday, 20 July 2005 19:17
To: focus-ids@securityfocus.com
Subject: Editing ISS RealSecure Network Sensor policy from commandline


Is there any way to edit the Network Sensor (version 7) 
policy with a text editor, and reliably apply this policy?

I work for a fairly large MSP and some of our customers 
require event filters to be added in large numbers. Adding 
these one-at-a-time in the Policy Editor is VERY painful.  
For example, one customer yesterday requested that 10 source 
IPs ignore 9 signatures when talking to 2 destination IPs.  I 
would go insane if I had to add 180 individual entries by hand.

I found the "current.policy" file on the sensor itself, but 
it seems that changes to this file are not visible in the 
console's Policy Editor.  For example, if I edit one of the 
filters in current.policy and then "Edit Current Policy" from 
the Site Protector console, the changes are not there.  This 
is the case no matter whether I stop the sensor/daemon from 
the OS shell or using Stop/Start in Site Protector.

Please let me know if there's any way to do this!  I've 
scoured Google for about 2 days now, and a couple other 
employees here have asked ISS for help with this and have 
gotten nowhere.

Thanks very much.

