IDS mailing list archives
Re: importing Snort rules into ISS RealSecure and/or Proventia?
From: "Robin Brown" <brownian.motion2000 () gmail com>
Date: Sat, 25 Oct 2008 13:31:04 -0400
While OpenSignature is not a word processor, it does look like I needed to be more specific about which OpenSignature product I am talking about. I am not talking about the digital signature product available on SourceForge but rather OpenSource, the feature within ISS which allows you to create custom signatures in ISS Proventia and RealSecure. The ruleset very nearly matches the rules for making Snort signatures. Snort has a few more options, but ISS OpenSource allows you to use all the most common features.

I want to be able to add the list of Snort signatures I receive from the CERT to ISS OpenSource in an efficient and easily repeatable manner. While I would love to set up a Snort engine and simply add the rules to their native environment, my organization is committed to using ISS as the IDS/IPS.

Currently all that I am able to do is verify the list of rules as compatible with ISS using the Tronschecker.exe tool, then manually enter each rule into the OpenSignature interface in SiteProtector. While that is easy enough to do, with a long list it is time consuming. It would be far more efficient to be able to verify the rules with Tronschecker.exe and then convert the list to an appropriately formatted XML file so that it can be imported into SiteProtector.

documents.iss.net/literature/proventia/OpenSignatureUserGuide.pdf - A snippet of the description from the OpenSignatureUserGuide:

The OpenSignature feature uses a flexible rules language that allows you to write customized, pattern-matching intrusion detection signatures to detect threats that are not detected by IBM ISS Intrusion Prevention System (IPS) products.

Benefits
Use the Open Signature feature to set up the following:
● Audit signatures for Layer 6 and 7 applications that are specific to your environment
● Signatures that name a specific attack variant for customized reporting purposes (instead of relying on the IBM ISS vulnerability protection, which uses a generic name for many threats)

Requirements
The OpenSignature feature is integrated into the IBM ISS Protocol Analysis Module (PAM) as a rule interpreter. OpenSignature relies on PAM and the IBM ISS intrusion prevention product you have installed on your network in order to work.

Supported agents
You can use the OpenSignature feature with the following agents:
● Proventia Intrusion Prevention Appliance versions 1.2 and later
● Proventia Desktop
● RealSecure Network Sensor
Important: These guidelines assume that you are managing these agents through the SiteProtector Console, and that you are not manually editing configuration files.

Syntax information
Proper syntax is essential for well-constructed OpenSignature rules. The following guidelines are available:
● "General Syntax" on page 9
● "Content Keyword Modifiers" on page 10
● "PCRE and Post-PCRE Keyword Modifiers" on page 12
● "Optional Keyword Modifiers" on page 14

On Sat, Oct 25, 2008 at 2:45 AM, <marlbred () hotmail com> wrote:
I have to ask. If I remember correctly your OpenSignature is a word processor. Have you tried writing your rules as a text file and importing it to snort? Hope I am not that far off.

smokintech

Date: Thu, 23 Oct 2008 16:46:09 -0400
From: brownian.motion2000 () gmail com
To: focus-ids () securityfocus com
Subject: importing Snort rules into ISS RealSecure and/or Proventia?

Has anyone out there had success with importing Snort rules into ISS RealSecure and/or Proventia? Supposedly you can import snort style rules into ISS's SiteProtector policies with the OpenSignature policies. The import feature said it would only take xml files, so I used Word to convert my .rules file to an xml. However, SiteProtector told me that the file was not a valid OpenSignature. The example format given by ISS definitely looks snort rule compatible:

alert tcp any any -> any any (msg:"Search google in binary form"; content:"|77 2E 67 6f 6F 67 6c 65|";nocase;sid:1000;)

I gave using Excel to make the conversion a go but that wasn't helpful. I manually created my rules in OpenSignature with apparently no issues. The variables $HOME_NET and $EXTERNAL_NET may have given issue since I also have not found a location to set them in SiteProtector.

My 2 main theories why the import failed are that:
1. Perhaps Office products added extra garbage that caused the XML file to not be properly formatted. My attempt to export my manually created OpenSignature rules only gave me an XML file that only displayed a placeholder for each of the rules/policies, not the actual rules/policies that I created... Thus it was not useful in demonstrating how to correct my formatting...
2. Perhaps SiteProtector cannot handle variables and thus leaving $HOME_NET and $EXTERNAL_NET as is in the rule invalidated it as a policy. After all, TronsChecker.exe (the OpenSignature rule checker) didn't like $HOME_NET and $EXTERNAL_NET.

Is SiteProtector OpenSignature incapable of handling simple variables? Anyone have any input?
I would be greatly appreciative

RB

My apologies to anyone who is seeing this message a 2nd time. I overlooked a setting which caused my question to bounce when I sent it to focus-ids.

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
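Added example, not from the thread or from ISS: a Python pre-check for the workflow discussed above. It parses Snort-style rules, expands $HOME_NET/$EXTERNAL_NET into literal networks (the network values are assumptions, since SiteProtector offers no place to define them) before the rules go to TronsChecker.exe, reports any variable it cannot resolve, and decodes the |hex| content of the ISS example rule. It deliberately does not emit SiteProtector XML, because the thread does not establish that format.

```python
import re

# Constructed sample input: the rule quoted in the thread, one rule using the
# $HOME_NET/$EXTERNAL_NET variables TronsChecker.exe rejected, and one with an
# undefined variable to exercise the failure path.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"Search google in binary form"; content:"|77 2E 67 6f 6F 67 6c 65|";nocase;sid:1000;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Inbound web request"; content:"GET"; sid:1001;)
alert tcp $DNS_SERVERS 53 -> any any (msg:"Undefined variable"; sid:1002;)
"""

# Assumed values: substitute your own site networks here.
VARIABLES = {"$HOME_NET": "192.168.0.0/16", "$EXTERNAL_NET": "!192.168.0.0/16"}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# keyword[:value]; where value may be a quoted string containing ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(line):
    """Split one Snort-style rule into header fields and an ordered option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort-style rule: " + line)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = [(k, v.strip() if v else "") for k, v in OPTION_RE.findall(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def decode_content(value):
    """Turn a content: value with |hex| sections into the bytes it matches."""
    parts = value.strip('"').split("|")          # odd-indexed parts are hex
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(parts))

def expand_variables(rule, variables):
    """Replace $VARS in the address/port fields; return those left unresolved."""
    unresolved = []
    for field in ("src", "sport", "dst", "dport"):
        value = rule[field]
        if value.startswith("$"):
            if value in variables:
                rule[field] = variables[value]
            else:
                unresolved.append(value)
    return unresolved

def check_rules(text, variables):
    """Return (sid, unresolved variables) for every rule in a .rules text."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rule = parse_rule(line)
        unresolved = expand_variables(rule, variables)
        report.append((dict(rule["options"]).get("sid"), unresolved))
    return report
```

Rules whose report entry lists unresolved variables are the ones to fix (or define in VARIABLES) before submitting the file to the checker.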
Current thread:
- importing Snort rules into ISS RealSecure and/or Proventia? Robin Brown (Oct 24)
- Re: importing Snort rules into ISS RealSecure and/or Proventia? Robin Brown (Oct 27)