RE: Editing ISS RealSecure Network Sensor policy from commandline

["Sekurity Wizard" <s.wizard () boundariez com>]

** CAUTION **

        I did this, with Desktop Protector (same engine, different
flavor) for our deployment of 15,000 desktops/laptops.  I had
accidentally missed a > somewhere, and what happened next was horriffic.
It imported without incident, and pushed to 1 site (testing, whew!) with
900 agents.  Next thing that happened is all agents stopped reporting,
and the Agent Manager started logging mass errors, and essentially
crashed, while service continued to run.

        I have asked ISS repeatedly for a mass-updater or policy
validation script or tool... Nothing.  Maybe en-masse we can get ISS to
do this?

Good luck!
        s. Wizard 

-----Original Message-----
From: Jonathan Glass (GMail) [mailto:jonathan.glass () gmail com] 
Sent: Wednesday, July 20, 2005 8:05 PM
To: Jim
Cc: focus-ids () securityfocus com
Subject: Re: Editing ISS RealSecure Network Sensor policy from
commandline

Jim wrote:

> Is there any way to edit the Network Sensor (version 7) policy with a 
> text editor, and reliably apply this policy?
>
> I work for a fairly large MSP and some of our customers require event 
> filters to be added in large numbers. Adding these one-at-a-time in the

> Policy Editor is VERY painful.  For example, one customer yesterday 
> requested that 10 source IPs ignore 9 signatures when talking to 2 
> destination IPs.  I would go insane if I had to add 180 individual
entries by hand.
> I found the "current.policy" file on the sensor itself, but it seems 
> that changes to this file are not visible in the console's Policy 
> Editor.  For example, if I edit one of the filters in current.policy 
> and then "Edit Current Policy" from the Site Protector console, the 
> changes are not there.  This is the case no matter whether I stop the 
> sensor/daemon from the OS shell or using Stop/Start in Site Protector.
>
> Please let me know if there's any way to do this!  I've scoured Google 
> for about
> 2 days now, and a couple other employees here have asked ISS for help 
> with this and have gotten nowhere.
>
> Thanks very much.
>
>
> -----------------------------------------------------------------------
> -
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> -----------------------------------------------------------------------
> -
>
>
>  
Have you tried exporting the policy as an XML file, making the change,
and re-importing it?  Not sure if that helps at all, but that's the best
i can come up with off the top of my head.

Jonathan Glass


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------