Network Security Focus-IDS

RE: Editing ISS RealSecure Network Sensor policy from commandline

Subject: RE: Editing ISS RealSecure Network Sensor policy from commandline
Date: Thu, 21 Jul 2005 18:22:17 -0400
** CAUTION **

        I did this, with Desktop Protector (same engine, different
flavor) for our deployment of 15,000 desktops/laptops.  I had
accidentally missed a > somewhere, and what happened next was horrific.
It imported without incident, and pushed to 1 site (testing, whew!) with
900 agents.  Next thing that happened is all agents stopped reporting,
and the Agent Manager started logging mass errors, and essentially
crashed, while service continued to run.

        I have asked ISS repeatedly for a mass-updater or policy
validation script or tool... Nothing.  Maybe en-masse we can get ISS to
do this?

Good luck!
        s. Wizard 

-----Original Message-----
From: Jonathan Glass (GMail) [mailto:jonathan.glass@gmail.com] 
Sent: Wednesday, July 20, 2005 8:05 PM
To: Jim
Cc: focus-ids@securityfocus.com
Subject: Re: Editing ISS RealSecure Network Sensor policy from
commandline

Jim wrote:

Is there any way to edit the Network Sensor (version 7) policy with a 
text editor, and reliably apply this policy?

I work for a fairly large MSP and some of our customers require event 
filters to be added in large numbers. Adding these one-at-a-time in the
Policy Editor is VERY painful.  For example, one customer yesterday
requested that 10 source IPs ignore 9 signatures when talking to 2 
destination IPs.  I would go insane if I had to add 180 individual
entries by hand.

I found the "current.policy" file on the sensor itself, but it seems 
that changes to this file are not visible in the console's Policy 
Editor.  For example, if I edit one of the filters in current.policy 
and then "Edit Current Policy" from the Site Protector console, the 
changes are not there.  This is the case no matter whether I stop the 
sensor/daemon from the OS shell or using Stop/Start in Site Protector.

Please let me know if there's any way to do this!  I've scoured Google
for about 2 days now, and a couple other employees here have asked ISS
for help with this and have gotten nowhere.

Thanks very much.


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


 

Have you tried exporting the policy as an XML file, making the change,
and re-importing it?  Not sure if that helps at all, but that's the best
I can come up with off the top of my head.

Jonathan Glass


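The two practical points raised in this thread, generating a large batch of filter entries instead of typing 180 by hand and validating the edited policy before it is imported and pushed to hundreds of agents, as an added example that is not part of the original thread and not an ISS tool. The XML layout used here (`<policy>`, `<filters>`, `<filter src= dst= signature=>`) is an assumed placeholder, not RealSecure's real export format; the IP addresses and signature names are constructed sample data. Substitute the element and attribute names from an actual policy export before using it.

```python
import ipaddress
import itertools
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Assumed element name; a real RealSecure export uses its own schema.
FILTER_TAG = "filter"

# Constructed sample data mirroring the request in the thread:
# 10 source IPs, 2 destination IPs, 9 signatures -> 180 filter entries.
SRC_IPS = [f"10.0.0.{i}" for i in range(1, 11)]
DST_IPS = ["192.0.2.10", "192.0.2.11"]
SIGNATURES = [f"SIG_{i}" for i in range(1, 10)]   # placeholder signature names


def build_filters(src_ips, dst_ips, signatures):
    """Return a <policy> tree with one <filter> per (src, dst, signature) combination."""
    root = ET.Element("policy")
    filters = ET.SubElement(root, "filters")
    for src, dst, sig in itertools.product(src_ips, dst_ips, signatures):
        ET.SubElement(filters, FILTER_TAG, src=src, dst=dst, signature=sig)
    return root


def serialize(root):
    """Serialize the tree to the text that would be written to the policy file."""
    return ET.tostring(root, encoding="unicode")


def validate_policy(xml_text, expected_filters=None):
    """Pre-import sanity check. Returns (ok, problems).

    Catches the failure described in the thread (a missing '>' making the file
    unparsable), a wrong number of entries, missing attributes, unparsable IP
    addresses, and duplicate filters.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ParseError as exc:
        # Stop here: nothing else can be checked on a file that does not parse.
        return False, [f"not well-formed XML: {exc}"]

    entries = root.findall(f"./filters/{FILTER_TAG}")
    if expected_filters is not None and len(entries) != expected_filters:
        problems.append(f"expected {expected_filters} filters, found {len(entries)}")

    seen = set()
    for entry in entries:
        key = (entry.get("src"), entry.get("dst"), entry.get("signature"))
        if None in key:
            problems.append(f"filter missing attribute: {entry.attrib}")
            continue
        for addr in key[:2]:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"bad IP address {addr!r} in filter {key}")
        if key in seen:
            problems.append(f"duplicate filter: {key}")
        seen.add(key)
    return (not problems), problems


if __name__ == "__main__":
    text = serialize(build_filters(SRC_IPS, DST_IPS, SIGNATURES))
    print(validate_policy(text, expected_filters=180))
    # Simulate the accident from the thread: drop one '>' and check again.
    print(validate_policy(text.replace("/>", "/", 1), expected_filters=180))
```

The check runs against the exported text only, so it belongs between "edit" and "re-import" in the workflow above and, as the thread's experience suggests, before any push beyond a single test site.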

