IDS mailing list archives
RE: Editing ISS RealSecure Network Sensor policy from commandline
From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Thu, 21 Jul 2005 11:46:37 -0400
Jim asks: "Is there any way to edit the Network Sensor (version 7) policy with a text editor, and reliably apply this policy?"

This is probably a better topic for the issforum mailing list. However, a quick answer:

The policies themselves are text based so can be easily edited with a text editor of your choice. With Site Protector, the "master" copies of these policies are stored within its database. Therefore, use the console's policy editor to export the policy to a flat file, edit the policy by hand, and then use the policy editor to re-import the policy into the database. If I recall correctly, the console will automatically ask you if you wish to reapply the updated policy to all sensors that use it when you re-import.

I hope this helps.

Paul

-----Original Message-----
From: news [mailto:news () sea gmane org] On Behalf Of Jim
Sent: Wednesday, July 20, 2005 1:17 PM
To: focus-ids () securityfocus com
Subject: Editing ISS RealSecure Network Sensor policy from commandline

Is there any way to edit the Network Sensor (version 7) policy with a text editor, and reliably apply this policy?

I work for a fairly large MSP and some of our customers require event filters to be added in large numbers. Adding these one-at-a-time in the Policy Editor is VERY painful. For example, one customer yesterday requested that 10 source IPs ignore 9 signatures when talking to 2 destination IPs. I would go insane if I had to add 180 individual entries by hand.

I found the "current.policy" file on the sensor itself, but it seems that changes to this file are not visible in the console's Policy Editor. For example, if I edit one of the filters in current.policy and then "Edit Current Policy" from the Site Protector console, the changes are not there. This is the case no matter whether I stop the sensor/daemon from the OS shell or using Stop/Start in Site Protector.

Please let me know if there's any way to do this!
I've scoured Google for about 2 days now, and a couple other employees here have asked ISS for help with this and have gotten nowhere.

Thanks very much.
Current thread:
- Editing ISS RealSecure Network Sensor policy from commandline Jim (Jul 20)
- Re: Editing ISS RealSecure Network Sensor policy from commandline Jonathan Glass (GMail) (Jul 21)
- Re: Editing ISS RealSecure Network Sensor policy from commandline ismail syed (Jul 21)
- <Possible follow-ups>
- RE: Editing ISS RealSecure Network Sensor policy from commandline Palmer, Paul (ISSAtlanta) (Jul 21)
- RE: Editing ISS RealSecure Network Sensor policy from commandline Sekurity Wizard (Jul 22)