in reply to ISS .policy parser

You might get more useful answers if you'd give a sample of what one of the files looks like . . .

(I mean I did the build and packaging for the Solaris RS 5 years ago and I can't even remember what the files look liked . . . :)

--
We're looking for people in ATL

Replies are listed 'Best First'.
Re^2: ISS .policy parser
by zaph0d (Beadle) on Jun 20, 2005 at 17:53 UTC
    sorry, here's a part of it: 
    [\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\];
CheckDescription    =S    Brute force password attack may have succede
+d;
Enabled    =B    1;
Priority    =L    2;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\];
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\BANNER\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\BLOCK\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\DISABLE\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\DISPLAY\];
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\LOGDB\];
Choice    =S    LogWithoutRaw;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\RSKILL\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\SUSPEND\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\SNMP\];
Enabled    =B    1;
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Change_password_attack\];
CheckDescription    =S    Detect brute force password change attack;
Enabled    =B    0;
Priority    =L    3;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\];
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\BAN
+NER\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\BLO
+CK\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\DIS
+ABLE\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\DIS
+PLAY\];
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\LOG
+DB\];
Choice    =S    LogWithoutRaw;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\RSK
+ILL\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\SUS
+PEND\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\SNM
+P\];
Enabled    =B    1;
Choice    =S    Default;

    [download]
    i can hack something together, but its a lower priority then what i have time for now. just wondering if anyone has something like it already.
[reply]
[d/l]

In Section Seekers of Perl Wisdom