zaph0d has asked for the wisdom of the Perl Monks concerning the following question:

Does anyone have or know of a script for parsing .policy files from ISS's RealSecure IDS? I've got a bunch of them I need to be able to manipulate, and I'd rather not reinvent the wheel on this one. thx.

Replies are listed 'Best First'.
Re: ISS .policy parser
by Fletch (Bishop) on Jun 20, 2005 at 17:26 UTC

    You might get more useful answers if you'd give a sample of what one of the files looks like . . .

    (I mean I did the build and packaging for the Solaris RS 5 years ago and I can't even remember what the files look liked . . . :)

    --
    We're looking for people in ATL

[reply]
      sorry, here's a part of it: 
      [\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\];
CheckDescription    =S    Brute force password attack may have succede
+d;
Enabled    =B    1;
Priority    =L    2;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\];
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\BANNER\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\BLOCK\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\DISABLE\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\DISPLAY\];
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\LOGDB\];
Choice    =S    LogWithoutRaw;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\RSKILL\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\SUSPEND\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\SNMP\];
Enabled    =B    1;
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Change_password_attack\];
CheckDescription    =S    Detect brute force password change attack;
Enabled    =B    0;
Priority    =L    3;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\];
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\BAN
+NER\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\BLO
+CK\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\DIS
+ABLE\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\DIS
+PLAY\];
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\LOG
+DB\];
Choice    =S    LogWithoutRaw;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\RSK
+ILL\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\SUS
+PEND\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\SNM
+P\];
Enabled    =B    1;
Choice    =S    Default;

      [download]
      i can hack something together, but its a lower priority then what i have time for now. just wondering if anyone has something like it already.
[reply]
[d/l]

Back to Seekers of Perl Wisdom