IDS mailing list archives

Re: importing Snort rules into ISS RealSecure and/or Proventia?


From: "Robin Brown" <brownian.motion2000 () gmail com>
Date: Sat, 25 Oct 2008 13:31:04 -0400

While OpenSignature is not a word processor, it does look like I needed to
be more specific about which OpenSignature product I am talking about.
I am not talking about the digital signature product available
on sourceforge but rather OpenSource, the feature within ISS which
allows you to create custom signatures in ISS Proventia and
RealSecure.  The ruleset very nearly matches the rules for making
Snort signatures.   Snort has a few more options but ISS OpenSource
allows you to use all the most common features.


I want to be able to add the list of Snort signatures I receive from
the CERT to ISS OpenSource in an efficient and easily repeatable
manner.
While I would love to set up a Snort engine and simply add the rules
to their native environment, my organization is committed to using ISS
as the IDS/IPS.
Currently all that I am able to do is verify the list of rules as
compatible with ISS using the Tronschecker.exe tool.
Then manually enter each rule into the OpenSignature interface in SiteProtector.
While that is easy enough to do, with a long list it is time consuming.
It would be far more efficient to be able to verify the rules with
Tronschecker.exe, then convert the list to an appropriately formatted
XML file so that it can be imported into SiteProtector.


documents.iss.net/literature/proventia/OpenSignatureUserGuide.pdf

- A snippet of the description from the OpenSignatureUserGuide:

The OpenSignature feature uses a flexible rules language that allows you to write customized, pattern-matching intrusion detection signatures to detect threats that are not detected by IBM ISS Intrusion Prevention System (IPS) products.

Benefits: Use the Open Signature feature to set up the following:
● Audit signatures for Layer 6 and 7 applications that are specific to your environment
● Signatures that name a specific attack variant for customized reporting purposes (instead of relying on the IBM ISS vulnerability protection, which uses a generic name for many threats)

Requirements: The OpenSignature feature is integrated into the IBM ISS Protocol Analysis Module (PAM) as a rule interpreter. OpenSignature relies on PAM and the IBM ISS intrusion prevention product you have installed on your network in order to work.

Supported agents: You can use the OpenSignature feature with the following agents:
● Proventia Intrusion Prevention Appliance versions 1.2 and later
● Proventia Desktop
● RealSecure Network Sensor

Important: These guidelines assume that you are managing these agents through the SiteProtector Console, and that you are not manually editing configuration files.

Syntax information: Proper syntax is essential for well-constructed OpenSignature rules. The following guidelines are available:
● "General Syntax" on page 9
● "Content Keyword Modifiers" on page 10
● "PCRE and Post-PCRE Keyword Modifiers" on page 12
● "Optional Keyword Modifiers" on page 14

On Sat, Oct 25, 2008 at 2:45 AM, <marlbred () hotmail com> wrote:
I have to ask.
If I remember correctly your OpenSignature is a word processor.
Have you tried writing your rules as a text file and importing it to snort?

Hope I am not that far off.
smokintech



Date: Thu, 23 Oct 2008 16:46:09 -0400
From: brownian.motion2000 () gmail com
To: focus-ids () securityfocus com
Subject: importing Snort rules into ISS RealSecure and/or Proventia?

Has anyone out there had success with importing Snort rules into ISS
RealSecure and/or Proventia?
Supposedly you can import snort style rules into ISS's SiteProtector
policies with the OpenSignature policies.
The import feature said it would only take xml files so I used Word to
convert my .rules file to an xml.
However SiteProtector told me that the file was not a valid
OpenSignature.

The example format given by ISS definitely looks snort rule compatible
alert tcp any any -> any any (msg:"Search google in binary form";
content:"|77 2E 67 6f 6F 67 6c 65|";nocase;sid:1000;)

I gave using Excel to make the conversion a go but that wasn't helpful

I manually created my rules in OpenSignature with apparently no issues.
The variables $HOME_NET and $EXTERNAL_NET may have given issue since I
also have not found a location to set them in SiteProtector

My 2 main theories why the import failed are that:
1. Perhaps Office products added extra garbage that caused the XML
file to not be properly formatted.
My attempt to export my manually created OpenSignature rules only gave
me an XML file that only displayed placeholder for each of the
rules/policies not the actual rules/policies that I created... Thus
it was not useful in demonstrating how to correct my formatting...

2. Perhaps SiteProtector cannot handle variables and thus leaving
$HOME_NET and $EXTERNAL_NET as is in the rule invalidated it as a
policy.
After all, TronsChecker.exe, the OpenSignature rule checker, didn't like
$HOME_NET and $EXTERNAL_NET.
Is SiteProtector OpenSignature incapable of handling simple variables?

Anyone have any input?
I would be greatly appreciative.

RB

My apologies to anyone who is seeing this message a 2nd time. I
overlooked a setting which caused my question to bounce when I sent it to
focus-ids.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------




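The conversion step the thread is after (check the Snort-style rules, then turn the list into an XML file for SiteProtector) as an added Python example; this is not code from the thread, from ISS, or from any OpenSignature tool. It parses each rule header and its options, substitutes concrete values for $HOME_NET and $EXTERNAL_NET (TronsChecker rejected the variables and SiteProtector offers no place to set them), rewrites each rule as plain text that can be fed to the checker, and builds the XML with a library rather than a word processor so no Office markup gets in. The sample rules, the network values and the XML element and attribute names are all constructed assumptions: the real OpenSignature import schema is not given in the thread and would have to be copied from a SiteProtector export of an existing policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, as a CERT feed of Snort-style rules might look.
# The first rule is the ISS example quoted in the thread; the second uses the
# $HOME_NET/$EXTERNAL_NET variables that TronsChecker rejected.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
alert tcp any any -> any any (msg:"Search google in binary form"; content:"|77 2E 67 6f 6F 67 6c 65|";nocase;sid:1000;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Constructed HTTP probe"; content:"GET /probe"; nocase; sid:1000001; rev:2;)
"""

# Assumed variable values (constructed); substituted before the rule reaches the checker.
VARIABLES = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}

# Snort rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split 'key:value; key2;' into (key, value) pairs.
    Semicolons inside double quotes (msg, content) do not split; \" is honoured."""
    pairs, buf, in_quotes, prev = [], "", False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if buf.strip():
                key, _, value = buf.strip().partition(":")
                pairs.append((key.strip(), value.strip()))
            buf = ""
        else:
            buf += ch
        prev = ch
    if buf.strip():
        key, _, value = buf.strip().partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def option(rule, key):
    """Return the value of the first option named key, or None."""
    return next((v for k, v in rule["opts"] if k == key), None)


def parse_rule(line, variables=VARIABLES):
    """Parse one rule; expand $VARIABLES in src/dst; require msg and sid
    (both appear in the ISS example, so we assume the importer wants them)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort-style rule: {line!r}")
    rule = m.groupdict()
    for field in ("src", "dst"):
        if rule[field].startswith("$"):
            if rule[field] not in variables:
                raise ValueError(f"undefined variable {rule[field]} in {line!r}")
            rule[field] = variables[rule[field]]
    rule["opts"] = split_options(rule.pop("opts"))
    for required in ("msg", "sid"):
        if option(rule, required) is None:
            raise ValueError(f"rule is missing {required}: {line!r}")
    return rule


def parse_rules(text, variables=VARIABLES):
    """Parse a whole .rules file body, skipping comments and blank lines."""
    return [parse_rule(line, variables) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def rule_to_text(rule):
    """Render a parsed rule back to Snort syntax, variables already expanded,
    so the same text can be handed to TronsChecker.exe before import."""
    opts = " ".join(f"{k}:{v};" if v else f"{k};" for k, v in rule["opts"])
    return (f"{rule['action']} {rule['proto']} {rule['src']} {rule['sport']} "
            f"{rule['dir']} {rule['dst']} {rule['dport']} ({opts})")


def rules_to_xml(rules):
    """Serialise with ElementTree so the result is well-formed XML with no
    word-processor markup. Element and attribute names are PLACEHOLDERS;
    take the real ones from a SiteProtector export of an existing policy."""
    root = ET.Element("OpenSignatureRules")  # placeholder element name
    for rule in rules:
        el = ET.SubElement(root, "Rule", sid=option(rule, "sid"),
                           name=option(rule, "msg").strip('"'))  # placeholder attrs
        el.text = rule_to_text(rule)
    return ET.tostring(root, encoding="unicode")


def xml_is_well_formed(text):
    """True if the generated document parses; catches the 'extra garbage' failure."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for r in parsed:
        print(rule_to_text(r))  # lines to run through TronsChecker.exe
    print(rules_to_xml(parsed))
```

Running the script prints the expanded rules first, which is the list to verify with TronsChecker, followed by the XML. If an export from SiteProtector ever yields the real element names, only rules_to_xml needs to change; the parsing and variable expansion stay the same.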

