IDS mailing list archives

importing Snort rules into ISS RealSecure and/or Proventia?


From: "Robin Brown" <brownian.motion2000 () gmail com>
Date: Thu, 23 Oct 2008 16:46:09 -0400

Has anyone out there had success with importing Snort rules into ISS
RealSecure and/or Proventia?
Supposedly you can import Snort-style rules into ISS's SiteProtector
policies with the OpenSignature policies.
The import feature said it would only take XML files, so I used Word to
convert my .rules file to an XML file.
However, SiteProtector told me that the file was not a valid OpenSignature.

The example format given by ISS definitely looks snort rule compatible
   alert tcp any any -> any any (msg:"Search google in binary form";
content:"|77 2E 67 6f 6F 67 6c 65|";nocase;sid:1000;)

I gave using Excel to make the conversion a go, but that wasn't helpful.

I manually created my rules in OpenSignature with apparently no issues.
The variables $HOME_NET and $EXTERNAL_NET may have given issue, since I
also have not found a location to set them in SiteProtector.

My 2 main theories why the import failed are that:
1. Perhaps Office products added extra garbage that caused the XML
file to not be properly formatted.
My attempt to export my manually created OpenSignature rules only gave
me an XML file that displayed a placeholder for each of the
rules/policies, not the actual rules/policies that I created...  Thus
it was not useful in demonstrating how to correct my formatting...

2. Perhaps SiteProtector cannot handle variables, and thus leaving
$HOME_NET and $EXTERNAL_NET as is in the rule invalidated it as a
policy.
After all, TronsChecker.exe, the OpenSignature rule checker, didn't like
$HOME_NET and $EXTERNAL_NET.
Is SiteProtector OpenSignature incapable of handling simple variables?

Anyone have any input?
I would be greatly appreciative.

RB

My apologies to anyone who is seeing this message a 2nd time.  I
overlooked a setting which caused my question to bounce when I sent it to
focus-ids.
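As an added example (not part of the original post or of any ISS tooling), here is a small Python pre-processor aimed at the second theory above: it parses each Snort rule, substitutes $HOME_NET and $EXTERNAL_NET from a locally defined table before the rules reach an importer that has no place to set them, and reports any variable left without a value so such rules can be fixed rather than silently rejected. The sample rules and the variable values are constructed for the demonstration; the OpenSignature XML wrapper is not shown because its schema is not given in the post.

```python
import re

# Constructed sample .rules text (not from the post); line 1 mirrors the ISS
# example format, the others use the Snort variables the post asks about.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"Search google in binary form"; content:"|77 2E 67 6f 6F 67 6c 65|"; nocase; sid:1000;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Inbound HTTP; note semicolon"; content:"GET"; sid:1000001;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"DNS query"; sid:1000002;)
"""
# Hypothetical values for the variables SiteProtector gives no place to set.
VARIABLES = {"HOME_NET": "192.168.0.0/16", "EXTERNAL_NET": "any"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Split one Snort rule into header fields plus a list of raw options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = m.groupdict()
    opts, buf, quoted = [], "", False
    for ch in rule.pop("opts"):  # ';' inside "..." (msg/content) is literal
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    rule["options"] = opts + ([buf.strip()] if buf.strip() else [])
    return rule

def expand_variables(rule, variables):
    unresolved = []  # $VAR names that have no value in the table
    for field in ("src", "sport", "dst", "dport"):
        for name in re.findall(r"\$(\w+)", rule[field]):
            if name in variables:
                rule[field] = rule[field].replace("$" + name, variables[name])
            else:
                unresolved.append(name)
    return unresolved

def preprocess(rules_text, variables=VARIABLES):
    out = []  # one (expanded rule line, unresolved variable names) per rule
    for line in rules_text.splitlines():
        if line.strip() and not line.startswith("#"):
            rule = parse_rule(line)
            missing = expand_variables(rule, variables)
            hdr = " ".join(rule[k] for k in ("action", "proto", "src", "sport", "dir", "dst", "dport"))
            out.append((f"{hdr} ({'; '.join(rule['options'])};)", missing))
    return out
```

Rules that come back with a non-empty unresolved list are the ones a variable-unaware importer would reject; give those variables a value in the table or rewrite the rule before converting it.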
