in reply to Re: ISS .policy parser
in thread ISS .policy parser

sorry, here's a part of it: 
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\];
CheckDescription    =S    Brute force password attack may have succede
+d;
Enabled    =B    1;
Priority    =L    2;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\];
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\BANNER\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\BLOCK\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\DISABLE\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\DISPLAY\];
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\LOGDB\];
Choice    =S    LogWithoutRaw;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\RSKILL\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\SUSPEND\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Brute_force_login_likely_successful
+\Response\SNMP\];
Enabled    =B    1;
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Change_password_attack\];
CheckDescription    =S    Detect brute force password change attack;
Enabled    =B    0;
Priority    =L    3;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\];
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\BAN
+NER\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\BLO
+CK\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\DIS
+ABLE\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\DIS
+PLAY\];
Choice    =S    Default;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\LOG
+DB\];
Choice    =S    LogWithoutRaw;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\RSK
+ILL\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\SUS
+PEND\];
Enabled    =B    0;
[\Advanced\Rules\Correlation Rules\Change_password_attack\Response\SNM
+P\];
Enabled    =B    1;
Choice    =S    Default;

[download]
i can hack something together, but its a lower priority then what i have time for now. just wondering if anyone has something like it already.

In Section Seekers of Perl Wisdom