IDS mailing list archives

Re: Editing ISS RealSecure Network Sensor policy from commandline


From: Jim B <gunmetalx () gmail com>
Date: Tue, 2 Aug 2005 12:13:19 -0400

On 7/21/05, Palmer, Paul (ISSAtlanta) <PPalmer () iss net> wrote:

Jim asks: "Is there any way to edit the Network Sensor (version 7)
policy with a text editor, and reliably apply this policy?"

This is probably a better topic for the issforum mailing list. However,
a quick answer:

The policies themselves are text based so can be easily edited with a
text editor of your choice. With Site Protector, the "master" copies of
these policies are stored within its database. Therefore, use the
console's policy editor to export the policy to a flat file, edit the
policy by hand, and then use the policy editor to re-import the policy into
the database. If I recall correctly, the console will automatically ask
you if you wish to reapply the updated policy to all sensors that use it
when you re-import.

I hope this helps.

Paul


Paul (and others):

Thanks for the responses on this topic.  Indeed, the
"export/edit/import" process works fine.  I also wrote a couple shell
scripts (a la Cygwin) to generate multiple event filters when there
are several src/dst pairs involved.  Makes it much easier and faster,
and less error-prone, than doing it manually.
