TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
This is something that I would assume is a basic toolkit item from ISS. A
Java program, PERL script, etc., that will do "bulk" changes to a policy
file. Or, is there one and I have I just not seen it?
Kurt
"Lindley, Jim
(ISSAtlanta)" To: "'[EMAIL PROTECTED]'"
<JLindley@iss <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
.net> cc:
Sent by: Subject: RE: Removing RSKill from Policy
files
owner-issforu
[EMAIL PROTECTED]
11/14/2001
10:56 AM
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
problems!
----------------------------------------------------------------------------
David:
The policy files are simple text files. You just need to run the file thru
a perl script that looks for
\RSKILL\];
at the end of a line and
Enabled =B 1;
on the next line. Change the above one (1) into a zero (0) so that the
line
reads
Enabled =B 0;
This turns off the RSKill response.
Then use the GUI to apply the new policy file to the sensors.
try
open(POLICYIN,"fred.policy");
open(POLICYOUT,"sam.policy");
while ($line = <POLICYIN>)
{
if ($line =~ /\\RSKILL\\\];$/)
{
print(POLICYOUT $line);
$line = <POLICYIN>;
$line =~ s/0/1/;
print(POLICYOUT $line);
}
else
{
print(POLICYOUT $line);
}
}
close(POLICYIN);
close(POLICYOUT);
end
Or you may use an editor capable of performing a multi-line search and
replace.
James R Lindley
Global Operations Training Manager
Managed Security Services
Internet Security Systems Inc
6303 Barfield Road
Atlanta GA 30328
Vox: 404-236-3009
Cell: 404-388-3169
An unquenchable thirst for Pierian waters.
ISS. The Power To Protect.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Monday, November 12, 2001 9:59 AM
To: [EMAIL PROTECTED]
Subject: Removing RSKill from Policy files
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
problems!
----------------------------------------------------------------------------
Does anyone know of a script or method of removing the RSKill option
from all signatures within a policy file? I have a policy file (Network
sensor 5.0) that has the RSKill option active on multiple signatures. I
need to disable the RSKill on all signatures within this policy file and
the only way I've found so far is the GUI screen and selecting each
individual signature and disabling RSKill. As there are several hundred
signatures that would need to be changed and I have multiple policy
files to update I need a faster method. The policy files appear to be
flat text files and I believe a script could modify all signatures.
I've spoken with ISS Support and they don't have a script or know of
another method outside of the GUI interface.
Thanks,
David T. Sczepanski
Central Operations Security
Lockheed Martin Technology Services Group
(919)541-4815
