IDS mailing list archives

Re: Editing ISS RealSecure Network Sensor policy from commandline


From: "Jonathan Glass (GMail)" <jonathan.glass () gmail com>
Date: Wed, 20 Jul 2005 20:05:12 -0400

Jim wrote:

Is there any way to edit the Network Sensor (version 7) policy with a text
editor, and reliably apply this policy?

I work for a fairly large MSP and some of our customers require event filters to
be added in large numbers. Adding these one-at-a-time in the Policy Editor is
VERY painful.  For example, one customer yesterday requested that 10 source IPs
ignore 9 signatures when talking to 2 destination IPs.  I would go insane if I
had to add 180 individual entries by hand.

I found the "current.policy" file on the sensor itself, but it seems that
changes to this file are not visible in the console's Policy Editor.  For
example, if I edit one of the filters in current.policy and then "Edit Current
Policy" from the Site Protector console, the changes are not there.  This is the
case no matter whether I stop the sensor/daemon from the OS shell or using
Stop/Start in Site Protector.

Please let me know if there's any way to do this!  I've scoured Google for about
2 days now, and a couple other employees here have asked ISS for help with this
and have gotten nowhere.

Thanks very much.


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------


Have you tried exporting the policy as an XML file, making the change,
and re-importing it?  Not sure if that helps at all, but that's the best
I can come up with off the top of my head.

Jonathan Glass



