IDS mailing list archives
Re: Editing ISS RealSecure Network Sensor policy from commandline
From: Jim B <gunmetalx () gmail com>
Date: Tue, 2 Aug 2005 12:13:19 -0400
On 7/21/05, Palmer, Paul (ISSAtlanta) <PPalmer () iss net> wrote:
> Jim asks: "Is there any way to edit the Network Sensor (version 7) policy with a text editor, and reliably apply this policy?"
>
> This is probably a better topic for the issforum mailing list. However, a quick answer:
>
> The policies themselves are text based so can be easily edited with a text editor of your choice. With Site Protector, the "master" copies of these policies are stored within its database. Therefore, use the console's policy editor to export the policy to a flat file, edit the policy by hand, and then use the policy editor to re-import the policy into the database. If I recall correctly, the console will automatically ask you if you wish to reapply the updated policy to all sensors that use it when you re-import.
>
> I hope this helps.
>
> Paul

Paul (and others): thanks for the responses on this topic. Indeed, the "export/edit/import" process works fine. I also wrote a couple shell scripts (a la Cygwin) to generate multiple event filters when there are several src/dst pairs involved. Makes it much easier and faster, and less error-prone, than doing it manually.