TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Follow up on own follow-up: It took about 48 hours but the TRONS events are finally starting to show up in the management console. Disregard any previous emails about TRONS not working. Thanks to all for the input -----Original Message----- From: Slighter, Tim [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 7:35 AM To: 'glenn marquez'; Slighter, Tim; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: TRONS Module for NS 7.0 TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- For all following this thread. In case it is not spelled out by ISS, the 3 rules things applies to that you cannot have more than 3 content specifications in one signature. As for the idea about using the snort.conf file...great idea, I stripped it down to where all that applies is in this file and then customized the *.rules files as well. i ran the Tronschecker and everything ran just fine without any errors. YET, even though the tronschecker went fine and Trons is enabled along with the file being specified....ISS still has not picked up one of these signatures..even though I am running snort in parallel with the exact same signatures and more or less the same snort.conf file and alerts are coming in just fine in snort but ISS has not picked up a thing yet that is Trons related. Anyone have any ideas or know about this ? thanks -----Original Message----- From: glenn marquez [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 17, 2002 7:55 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: TRONS Module for NS 7.0 TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- You can check your trons rule first if this is correct and compatible to use by the RealSecure. On the command line go to the directory of the RealSecure 6.5 Console. Below is the format of the command. System drive:\Progarm Files\ISS\RealSecure 6.5 Console\tronschecker -i inputfilename -o outputfilename Where: Inputfilename specifies the name of the file containing your trons rules. Outputfilename specifies the name of the file to write any error messages to. Best Regards, glennmarquez -----Original Message----- From: Slighter, Tim [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 17, 2002 11:49 PM To: MOHESOWA BYAS; [EMAIL PROTECTED] Subject: RE: TRONS Module for NS 7.0 TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Question for you, because I am having some issues too. Are you using ONLY 3 rules in the first ruleset file ? What I have done is created a lot of files with 3 rules in them only. What I have done in addition to this is included the other files in each consecutive file using the "include" statement. I was very careful not to use any modifiers and also specified each and every "var" in every single file. According to the instructions, I should have done everything right, but it still is not working. However, the ISS Daemone does start and does update with the TRONS file that I am using. But, when I launch the attack that has an alert in the TRONS file, the ISS Console does not display it. I gave up eventually and am inserting all of these as url_content signatures in the policy. Curious where you are and what you have managed to accomplish. -----Original Message----- From: MOHESOWA BYAS [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 17, 2002 3:52 AM To: [EMAIL PROTECTED] Subject: RE: TRONS Module for NS 7.0 TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Hi there I have tried the steps below, it does not work however, I'm getting the following error messages: Sensor_Error: Failed to initialised the TRONS module Sensor_Error: "here the path of the rules file is given", and the error message is that the rules files cannot be opened The rules files has been manually copied to the network sensor. TRONS has been enabled from the console, and the path of the riles file has been put for the trons.filename parameter Please help, Regards -----Original Message----- From: Richard Culshaw [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 23, 2002 02:25 To: Stephen Cooper; [EMAIL PROTECTED] Subject: RE: TRONS Module for NS 7.0 TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Hi there, yes I have enabled it, it was really quite simple... I found out how to do from reading the knowledgebase at iss. 1. you create a rule file and put that text file on your sensor somewhere. 2. You go into the properties of the sensor from the workgroup manager, locate the sensor in the managed assets window, right click on it and select properties, on one of the tabs you see all the properties you can set, scroll down til you see trons enable and set that to true, then point the trons rules to the .rules file that you placed on the sensor in question. click ok. 3. that is it. The only annoying thing that I found with creating snort rules for real secure is that you cannot use the NOT (!) operator when specifying addresses i.e.: ![192.168.1.0], this is really handy when creating rules. Richard -----Original Message----- From: Stephen Cooper [mailto:[EMAIL PROTECTED]] Sent: Monday, 22 July 2002 5:33 PM To: [EMAIL PROTECTED] Subject: TRONS Module for NS 7.0 TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Hello, Has anyone turned this on? Would you be willing to share your experience on how one enables a Snort ruleset to work with Realsecure? Regards Stephen DISCLAIMER: Any e-mail messages from the Bank for International Settlements are sent in good faith, but shall not be binding nor construed as constituting any obligation on the part of the Bank. CONFIDENTIALITY NOTICE: This e-mail contains confidential information, which is intended only for the use of the recipient(s) named above. If you have received this communication in error, please notify the sender immediately via e-mail and return the entire message. Thank you for your assistance. __________________________________________________ Do you Yahoo!? Yahoo! News - Today's headlines http://news.yahoo.com
