IDS mailing list archives
RE: Editing ISS RealSecure Network Sensor policy from commandline
From: "Sekurity Wizard" <s.wizard () boundariez com>
Date: Thu, 21 Jul 2005 18:22:17 -0400
** CAUTION **

I did this, with Desktop Protector (same engine, different flavor) for our deployment of 15,000 desktops/laptops. I had accidentally missed a > somewhere, and what happened next was horrific. It imported without incident, and pushed to 1 site (testing, whew!) with 900 agents. Next thing that happened is all agents stopped reporting, and the Agent Manager started logging mass errors, and essentially crashed, while service continued to run.

I have asked ISS repeatedly for a mass-updater or policy validation script or tool... Nothing. Maybe en-masse we can get ISS to do this?

Good luck!

s. Wizard

-----Original Message-----
From: Jonathan Glass (GMail) [mailto:jonathan.glass () gmail com]
Sent: Wednesday, July 20, 2005 8:05 PM
To: Jim
Cc: focus-ids () securityfocus com
Subject: Re: Editing ISS RealSecure Network Sensor policy from commandline

Jim wrote:
> Is there any way to edit the Network Sensor (version 7) policy with a text editor, and reliably apply this policy? I work for a fairly large MSP and some of our customers require event filters to be added in large numbers. Adding these one-at-a-time in the Policy Editor is VERY painful. For example, one customer yesterday requested that 10 source IPs ignore 9 signatures when talking to 2 destination IPs. I would go insane if I had to add 180 individual entries by hand.
>
> I found the "current.policy" file on the sensor itself, but it seems that changes to this file are not visible in the console's Policy Editor. For example, if I edit one of the filters in current.policy and then "Edit Current Policy" from the Site Protector console, the changes are not there. This is the case no matter whether I stop the sensor/daemon from the OS shell or using Stop/Start in Site Protector.
>
> Please let me know if there's any way to do this! I've scoured Google for about 2 days now, and a couple other employees here have asked ISS for help with this and have gotten nowhere.
>
> Thanks very much.

Have you tried exporting the policy as an XML file, making the change, and re-importing it? Not sure if that helps at all, but that's the best I can come up with off the top of my head.

Jonathan Glass
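
A pre-import check of the kind asked for in the message above, as an added example that is not part of the thread and not an ISS tool: it generates the 10 x 9 x 2 filter entries inside an exported XML policy and refuses to emit a file that is not well-formed. The `<policy>`, `<filters>` and `<filter>` element names and the `sig`/`src`/`dst` attributes are hypothetical stand-ins, because the real export schema is not shown in the thread.

```python
import itertools
import xml.etree.ElementTree as ET

# Constructed stand-in for an exported policy. Element and attribute names
# are hypothetical; substitute the ones found in the real export.
SAMPLE_POLICY = """<policy>
  <filters>
    <filter sig="Example_Sig_0" src="192.0.2.1" dst="198.51.100.1"/>
  </filters>
</policy>"""


def well_formed_error(xml_text):
    """Return None if the text parses as XML, else the parser's message
    (it includes the line and column of the first problem)."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def count_filters(xml_text):
    """Number of <filter> entries, for a before/after sanity check."""
    return len(ET.fromstring(xml_text).findall("./filters/filter"))


def add_filters(xml_text, sources, signatures, destinations):
    """Add one filter per (signature, source, destination) combination,
    skipping duplicates. Returns (new_xml, number_added)."""
    err = well_formed_error(xml_text)
    if err:
        raise ValueError("input policy is not well-formed: " + err)
    root = ET.fromstring(xml_text)
    filters = root.find("filters")
    if filters is None:
        raise ValueError("no <filters> section found")
    seen = {(f.get("sig"), f.get("src"), f.get("dst")) for f in filters}
    added = 0
    for key in itertools.product(signatures, sources, destinations):
        if key not in seen:
            ET.SubElement(filters, "filter", sig=key[0], src=key[1], dst=key[2])
            seen.add(key)
            added += 1
    out = ET.tostring(root, encoding="unicode")
    # Re-parse the output so a malformed file never reaches the import step.
    err = well_formed_error(out)
    if err:
        raise ValueError("generated policy is not well-formed: " + err)
    return out, added
```

Comparing `count_filters` on the file before and after the edit gives a second check that exactly the expected number of entries changed before anything is pushed to a test site.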
Current thread:
- Editing ISS RealSecure Network Sensor policy from commandline Jim (Jul 20)
- Re: Editing ISS RealSecure Network Sensor policy from commandline Jonathan Glass (GMail) (Jul 21)
- Re: Editing ISS RealSecure Network Sensor policy from commandline ismail syed (Jul 21)
- <Possible follow-ups>
- RE: Editing ISS RealSecure Network Sensor policy from commandline Palmer, Paul (ISSAtlanta) (Jul 21)
- RE: Editing ISS RealSecure Network Sensor policy from commandline Sekurity Wizard (Jul 22)