issPolicy [v1.01]
ABOUT
issPolicy is a free open-source utility for converting an ISS RealSecure Network Sensor and ISS Proventia Inline Appliance Policy to a static HTML file.
Written in Perl, issPolicy allows for granular parsing of ISS RSNS and ISS Proventia policies (also refer to the "support" section), and supports a wide
variety of features (see "features" section) allowing the HTML generation to be customized based on different policy parameters.
Mirror Sites:
http://isspolicy.sequenced.org (Brussels, Belgium, EU)
http://packet.sequenced.org/projects/isspolicy (Houston, Texas, US)
SUPPORT
issPolicy supports the following ISS SiteProtector (<= SP5) policy formats:
- ISS RealSecure Network Sensor 7.0
Tested and works correctly
- ISS Proventia G-Series Inline Appliance 8.0
Tested and works correctly
- ISS Proventia A-Series Appliance
Tested and works correctly
FEATURES
issPolicy automatically detects whether the policy is an ISS RealSecure Network Sensor or ISS Proventia Inline Appliance policy and generates a static HTML file
based on the policy type and its features.
issPolicy extracts the following information from the ISS RealSecure Network Sensor Policy:
- Signatures Policy (Signature Name, Signature Description, Signature Status, Signature Priority, Configured Responses, Logging Type)
- IP Filters Policy (Filter Name, Filter Description, Filter Status, Protocol, Source Address, Source Port, Destination Address, Destination Port)
- Event Filters Policy (Filter Name, Filter Description, Filter Status, Filtered Event, Source Address, Source Port, Destination Address, Destination Port)
issPolicy extracts the following information from the ISS Proventia Inline Appliance Policy:
- Signatures Policy (Signature Name, Signature Description, Signature Status, Signature Priority, Configured Responses, Logging Type, Drop Options, DynamicBlock Options)
- IP Filters Policy (Filter Name, Filter Description, Filter Status, Protocol, Source Address, Source Port, Destination Address, Destination Port)
- Event Filters Policy (Filter Name, Filter Description, Filter Status, Filtered Event, Source Address, Source Port, Destination Address, Destination Port)
issPolicy contains various useful options allowing for a tailored HTML Policy file to be generated, based on one or more of the following criteria:
- Signature Policy Criteria:
  - Whether signature is enabled or disabled
  - Based on signature priority (High, Medium, or Low)
  - Whether drop is enabled [only on ISS Proventia Inline Appliance Policies]
  - Based on drop options (ConnectionWithReset, Connection, or Packet) [only on ISS Proventia Inline Appliance Policies]
  - Whether dynamicblock is enabled [only on ISS Proventia Inline Appliance Policies]
  - Based on dynamicblock options (IsolateTrojan, BlockWorm, BlockIntruder) [only on ISS Proventia Inline Appliance Policies]
- IP Filter Policy Criteria:
  - Whether IP filter is enabled or disabled
- Event Filter Policy Criteria:
  - Whether Event Filter is enabled or disabled
issPolicy uses an "API" structured format: the entire policy is pushed to hash arrays, so other output methods (CSV, XML, etc.) can be developed.
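An added example (not issPolicy's own code) of how a policy held as an array of hashes can feed a second output method, here CSV, after the same kind of criteria filtering the options above describe. The record layout, field names and sample signatures are assumptions; drop-option numbers 1 and 3 come from the command-line examples on this page, and 2 is inferred from the order in which the options are listed.

```perl
use strict;
use warnings;

# Drop option numbers: 1 and 3 are given in the page's examples;
# 2 is assumed from the order in which the page lists the options.
my %DROP_OPTION = (1 => 'ConnectionWithReset', 2 => 'Connection', 3 => 'Packet');

# Constructed sample policy: one hash per signature (hypothetical field names).
my @signatures = (
    { name => 'Sample_Sig_A', desc => 'Sample text with "quotes", and a comma',
      status => 'enabled',  priority => 'High', drop => 1, drop_option => 'Packet' },
    { name => 'Sample_Sig_B', desc => 'Second sample signature',
      status => 'enabled',  priority => 'High', drop => 1, drop_option => 'ConnectionWithReset' },
    { name => 'Sample_Sig_C', desc => 'Third sample signature',
      status => 'disabled', priority => 'Low',  drop => 0, drop_option => '' },
);

# Return the records that match every criterion (criteria are ANDed).
sub select_signatures {
    my ($sigs, %want) = @_;
    return grep {
        my $sig = $_;
        !grep { !defined $sig->{$_} || $sig->{$_} ne $want{$_} } keys %want;
    } @$sigs;
}

# Quote a field per RFC 4180 when it contains a comma, quote or line break.
sub csv_field {
    my ($v) = @_;
    $v = '' unless defined $v;
    return $v unless $v =~ /[",\r\n]/;
    $v =~ s/"/""/g;
    return qq{"$v"};
}

# Render the given records as CSV with a header row.
sub to_csv {
    my ($cols, @rows) = @_;
    my @lines = (join ',', @$cols);
    for my $row (@rows) {
        push @lines, join ',', map { csv_field($row->{$_}) } @$cols;
    }
    return join("\n", @lines) . "\n";
}

# Same selection as "--sigs-enabled --sigs-high --sigs-drop --drop-option 3".
my @hits = select_signatures(\@signatures, status => 'enabled',
    priority => 'High', drop => 1, drop_option => $DROP_OPTION{3});
print to_csv([qw(name desc status priority drop_option)], @hits);
```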
EXAMPLES
The following examples demonstrate what issPolicy can do for both ISS RealSecure Network Sensor and ISS Proventia Inline Appliance policies, and show how its different
features can help you generate the most efficient HTML Policy to suit your needs.
Examples using the ISS RealSecure Network Sensor 'Attack Detector' Policy (this is one of the default RSNS policies):
- issPolicy RealSecure Network Sensor Example #1
Command Line: "issPolicy --input policies/AttackDetector.policy --output policies/AttackDetector-01.html"
Description: Runs issPolicy on 'AttackDetector.policy' and outputs to 'AttackDetector-01.html'
Example: View HTML File (557Kb)
- issPolicy RealSecure Network Sensor Example #2
Command Line: "issPolicy --sigs-enabled --sigs-high --input policies/AttackDetector.policy --output policies/AttackDetector-02.html"
Description: Runs issPolicy on 'AttackDetector.policy', outputs to 'AttackDetector-02.html', and displays only ENABLED HIGH level signatures
Example: View HTML File (261Kb)
- issPolicy RealSecure Network Sensor Example #3
Command Line: "issPolicy --sigs-disabled --sigs-low --input policies/AttackDetector.policy --output policies/AttackDetector-03.html"
Description: Runs issPolicy on 'AttackDetector.policy', outputs to 'AttackDetector-03.html', and displays only DISABLED LOW level signatures
Example: View HTML File (65Kb)
Examples using the ISS Proventia Inline Appliance 'Attack Blocker Inline' Policy (this is one of the default Inline Appliance policies with some additional IP and Event Filters configured):
- issPolicy Proventia Inline Appliance Example #1
Command Line: "issPolicy --input policies/AttackBlocker_inline.policy --output policies/AttackBlocker_inline-01.html"
Description: Runs issPolicy on 'AttackBlocker_inline.policy' and outputs to 'AttackBlocker_inline-01.html'
Example: View HTML File (993Kb)
- issPolicy Proventia Inline Appliance Example #2
Command Line: "issPolicy --sigs-enabled --sigs-high --sigs-drop --drop-option 3 --input policies/AttackBlocker_inline.policy --output policies/AttackBlocker_inline-02.html"
Description: Runs issPolicy on 'AttackBlocker_inline.policy', outputs to 'AttackBlocker_inline-02.html', and displays only ENABLED HIGH level signatures with DROP enabled and drop option 'Packet' configured
Example: View HTML File (18Kb)
- issPolicy Proventia Inline Appliance Example #3
Command Line: "issPolicy --sigs-enabled --sigs-drop --drop-option 1 --sigs-dynamicblock --dynamicblock-option 2 --filters-enabled --events-disabled --input policies/AttackBlocker_inline.policy --output policies/AttackBlocker_inline-03.html"
Description: Runs issPolicy on 'AttackBlocker_inline.policy', outputs to 'AttackBlocker_inline-03.html', and displays only ENABLED signatures that have DROP enabled with drop option 'ConnectionWithReset' and DYNAMICBLOCK enabled with dynamicblock option 'BlockWorm', together with only enabled IP Filters and only disabled Event Filters
Example: View HTML File (6Kb)
DOWNLOADS
issPolicy is a utility written in Perl and thus requires a Perl Interpreter.
UNIX/POSIX: This utility has been successfully tested and works correctly on UNIX/POSIX Systems (Tested: Linux Red Hat 8.0) with Perl 5.8
Windows: This utility has been successfully tested and works correctly on Win32 Systems (Tested: Windows 2000, Windows XP, Windows Server 2003) with ActivePerl 5.8
The issPolicy utility is made available in two formats: TAR/GZ and ZIP.
More information on all issPolicy releases, including known and resolved issues, can be found on the issPolicy Release Information page.
LICENSE
The issPolicy utility is provided freely (without charge) under the open source GNU Public License.
The issPolicy utility is not officially supported by and in no way affiliated with Internet Security Systems or its representatives.
Note: In accordance with the GNU Public License, any use of copyrighted material (even with written permission from the copyright owner) violates the terms and conditions allowing the use of the GPL License. Therefore due to copyright laws governing the Internet Security Systems icons, the issPolicy utility uses icons which are different from, but equally represent the purpose of, those used in the ISS SiteProtector Product.
ACKNOWLEDGEMENTS
Thanks to all the guys in the lab, and especially Rich, Gabe, and Bao for extensively testing this tool and for providing their input allowing me to make this tool better.
I'd also like to thank some of the people at Internet Security Systems for their input and testing of this tool (You know who you are;).
CONTACT
If you have any questions, comments, ideas for new features, or bugs to report, please feel free to contact me (Kris Philipsen):
- email: kphilipsen[at]gmail.com
- webpage: http://sequenced.org/kris