I am sure you could simply open the file which has the policy settings and write a 
script which parses the file, changes a "0" to a "1" for particular signatures, and 
then saves the file.  You then would have to reapply the policy.  I have never done 
this before, but I don't see why it wouldn't work.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 7:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Attack Policy Best Practice


Michael, the RSKILL is enabled by default on a lot of the signatures in the policy 
files. I simply used those settings. If you want to enable or disable the RSKILL 
option on certain signatures, you WILL have to open the policy and check/uncheck the 
RSKILL option on each signature (same as the email). The response file enables the 
sensor to respond to the RSKILL option. It is not a global setting for each signature 
but rather a setting that dictates whether the sensor will actually perform the 
RSKILL. In other words, if the RSKILL option is checked on a signature in the policy 
and the signature is triggered but the RSKILL option is not selected in the sensor 
response file, the sensor won't perform an RSKILL. On the other hand, if the RSKILL is 
checked in the response file and a signature is triggered that does not have the 
RSKILL option checked, the sensor still won't perform the RSKILL. 
 
I think ISS set it up this way so that you can install a policy on multiple sensors 
and then specify per sensor how to respond. The same goes with the email option as 
well as all of the other options that are configurable in the policies and response 
files.
 
Hope this helps. 
 
P.S. I am rather new to the ISS platform myself but I think I have a handle on this 
part of the configuration. If I am wrong, someone please let me know!!!!
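An added illustration (not code from the thread or from ISS) of the scripted "flip 0 to 1" approach suggested at the top of the thread together with the policy/response-file interaction explained in this reply. The INI-like key=value layout, the signature names and the response-file dictionary are constructed assumptions, since the real RealSecure file formats are not shown here.

```python
import re

# Constructed sample policy (ASSUMED layout, not the real RealSecure format):
# one [signature] header per rule, then 0/1 flags for each response option.
SAMPLE_POLICY = """\
[HTTP_IIS_Unicode]
RSKILL=0
EMAIL=1
[SMB_Null_Session]
RSKILL=1
EMAIL=0
"""
# Constructed per-sensor response file: which responses this sensor may perform.
SAMPLE_RESPONSE_FILE = {"RSKILL": True, "EMAIL": False}

def parse_policy(text):
    """Return {signature: {option: bool}} from the assumed INI-like text."""
    policy, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            policy[current] = {}
            continue
        key, _, value = line.partition("=")
        policy[current][key.strip()] = value.strip() == "1"
    return policy

def set_option(policy, signatures, option, enabled):
    """Flip one option on the named signatures; unknown names raise, not skip."""
    for sig in signatures:
        if sig not in policy:
            raise KeyError(f"signature not in policy: {sig}")
        policy[sig][option] = enabled
    return policy

def render_policy(policy):
    """Serialise back to the assumed layout so the edited file can be reapplied."""
    lines = []
    for sig, opts in policy.items():
        lines.append(f"[{sig}]")
        lines.extend(f"{k}={int(v)}" for k, v in opts.items())
    return "\n".join(lines) + "\n"

def effective_responses(policy, response_file):
    """A response fires only when BOTH the signature flag (policy, per rule) and
    the sensor's response-file flag (per sensor) are set, as the reply explains."""
    return {sig: {opt: bool(flag and response_file.get(opt, False))
                  for opt, flag in opts.items()}
            for sig, opts in policy.items()}
```

Running `effective_responses` against the same policy with two different response files shows why one policy can be pushed to several sensors while each sensor decides for itself whether to kill or mail.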
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 01, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Attack Policy Best Practice
 
Hello Eric,
 
Thank you for the response.  I am still confused.  Don't you have to go through each 
attack signature (rule)  to enable RSKILL like you have to with the email/pager 
option?  Or can you do it from a different location like the response ??  I guess my 
real question is .....do you enable the RSKILL from the policy or from the response ?? 
And what are the differences ??  My assumption is the response can do it globally and 
the policy can do it individually??  How off am I ?
 
Michael
 
 
 
 
>>> [EMAIL PROTECTED] 07/01/03 07:56AM >>>
Michael, I simply used the defaults that were already in the policy and have had good 
successes with it blocking attacks that warrant such actions. Don't forget to 
configure a response file for the sensors and enable RSKILL. The thing I didn't like 
is that, in order to send emails/pages when being attacked, you have to go through 
each policy and rule and enable emails if you wish to be notified about such attacks. 
I realize that a person can accidentally create a flood of emails if they are not 
careful but, at a minimum, I want to be notified if anything suspicious is taking 
place without constantly monitoring the SiteProtector console (or am I dreaming??)... 
 
Good Luck!!
 
Eric
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 30, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Attack Policy Best Practice
 
Hi All,
 
Quick question on creating (or 'deriving new') policy from ISS's default 'Attack 
Detector' policy.  What are the recommended signatures to configure RSKILLS for to 
protect the internal network with a version 7 network sensor? Or do I have to go 
through the whole list and either guess at which ones I should be protected from or do 
I go through the present analysis and whatever tag names show up I configure the 
policy to send RSKILLS to.  The latter seems a little backwards,  as in configuring 
the protection AFTER the attack....Sorry if this is a dumb question OR the wrong place 
to ask this question but I am new with the ISS IDS.

Thanks in advance!
 
Michael
