From: Slighter, Tim (tslighter_at_itc.nrcs.usda.gov)
Date: Fri Sep 20 2002 - 08:34:40 CDT

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    For all following this thread: in case it is not spelled out by ISS, the 3
    rules thing applies in that you cannot have more than 3 content
    specifications in one signature. As for the idea about using the snort.conf
    file... great idea. I stripped it down to where all that applies is in this
    file and then customized the *.rules files as well. I ran the Tronschecker
    and everything ran just fine without any errors. Yet, even though the
    Tronschecker went fine and TRONS is enabled along with the file being
    specified, ISS still has not picked up one of these signatures, even
    though I am running snort in parallel with the exact same signatures and
    more or less the same snort.conf file, and alerts are coming in just fine in
    snort, but ISS has not picked up a thing yet that is TRONS related. Anyone
    have any ideas or know about this? Thanks

    -----Original Message-----
    From: glenn marquez [mailto:glennmarquezyahoo.com]
    Sent: Tuesday, September 17, 2002 7:55 PM
    To: tslighteritc.nrcs.usda.gov; byasmohesowasbm.intnet.mu;
    issforumiss.net
    Subject: RE: TRONS Module for NS 7.0

    You can first check whether your TRONS rule is correct
    and compatible for use by RealSecure. On the
    command line, go to the directory of the RealSecure 6.5
    Console. Below is the format of the command.

    System drive:\Program Files\ISS\RealSecure 6.5 Console\tronschecker -i inputfilename -o outputfilename

    Where:
    Inputfilename specifies the name of the file
    containing your trons rules.
    Outputfilename specifies the name of the file to write
    any error messages to.

    Best Regards,
    glennmarquez

    -----Original Message-----
    From: Slighter, Tim
    [mailto:tslighteritc.nrcs.usda.gov]
    Sent: Tuesday, September 17, 2002 11:49 PM
    To: MOHESOWA BYAS; issforumiss.net
    Subject: RE: TRONS Module for NS 7.0

    Question for you, because I am having some issues too.
     Are you using ONLY 3 rules in the first ruleset file
    ? What I have done is created a lot of files with 3
    rules in them only. What I have done in addition to
    this is included the other files in each consecutive
    file using the "include" statement. I was very
    careful not to use any modifiers and also specified
    each and every "var" in every single file. According
    to the instructions, I should have done everything
    right, but it still is not working. However, the ISS
    Daemon does start and does update with the TRONS file
    that I am using. But, when I launch the attack that
    has an alert in the TRONS file, the ISS Console does
    not display it. I gave up eventually and am inserting
    all of these as url_content signatures in the policy.
    Curious where you are and what you have managed to
    accomplish.

    -----Original Message-----
    From: MOHESOWA BYAS
    [mailto:byasmohesowasbm.intnet.mu]
    Sent: Tuesday, September 17, 2002 3:52 AM
    To: issforumiss.net
    Subject: RE: TRONS Module for NS 7.0

    Hi there, I have tried the steps below. It does not
    work, however; I'm getting the following error
    messages:

    Sensor_Error: Failed to initialised the TRONS module

    Sensor_Error: "here the path of the rules file is
    given", and the error message is that the rules files
    cannot be opened

    The rules file has been manually copied to the
    network sensor.

    TRONS has been enabled from the console, and the path
    of the rules file has been put for the trons.filename
    parameter.

    Please help,
    Regards

    -----Original Message-----
    From: Richard Culshaw [mailto:RCulshawesign.com.au]
    Sent: Tuesday, July 23, 2002 02:25
    To: Stephen Cooper; issforumiss.net
    Subject: RE: TRONS Module for NS 7.0

    Hi there,

    Yes, I have enabled it. It was really quite simple... I
    found out how to do it from reading the knowledgebase at
    ISS.

    1. You create a rule file and put that text file on
       your sensor somewhere.
    2. You go into the properties of the sensor from the
       workgroup manager: locate the sensor in the managed
       assets window, right click on it and select
       properties. On one of the tabs you see all the
       properties you can set; scroll down till you see
       trons enable and set that to true, then point the
       trons rules to the .rules file that you placed on the
       sensor in question. Click OK.
    3. That is it.

    The only annoying thing that I found with creating
    snort rules for real secure is that you cannot use the
    NOT (!) operator when specifying addresses
    i.e.: ![192.168.1.0], this is really handy when
    creating rules.

    Richard

    -----Original Message-----
    From: Stephen Cooper [mailto:Stephen.Cooperbis.org]
    Sent: Monday, 22 July 2002 5:33 PM
    To: issforumiss.net
    Subject: TRONS Module for NS 7.0

    Hello,

    Has anyone turned this on?

    Would you be willing to share your experience on how
    one enables a Snort ruleset to work with Realsecure?

    Regards

    Stephen
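
Added example, not part of the original thread and not ISS tooling: a small Python pre-check for a Snort rules file against the two TRONS restrictions reported by participants above (no more than 3 content specifications per signature, no `!` negation on addresses). The limits are as stated in the thread, not taken from ISS documentation; the sample rules are constructed, and counting only `content` (not `uricontent`) toward the limit is an assumption.

```python
import re

MAX_CONTENT = 3  # limit as reported in the thread, not from ISS documentation

# action proto src_addr src_port direction dst_addr dst_port (options)
HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# "content" option only; "uricontent" is deliberately not counted (assumption)
CONTENT = re.compile(r'(?:^|;)\s*content\s*:\s*!?\s*"(?:[^"\\]|\\.)*"')
VAR = re.compile(r'^var\s+(\w+)\s+(\S+)')

# Constructed sample rules, not taken from the thread.
SAMPLE = '''\
# local.rules (constructed)
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !10.0.0.0/8
alert tcp any any -> $HOME_NET 80 (msg:"ok"; content:"GET"; content:"/cgi-bin/"; nocase; sid:1000001;)
alert tcp ![192.168.1.0/24] any -> $HOME_NET 80 (msg:"negated literal"; content:"a"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"negated via var"; uricontent:"x"; content:"a"; sid:1000003;)
alert tcp any any -> $HOME_NET 21 (msg:"four contents"; content:"a"; content:"b"; content:"c"; content:"d"; sid:1000004;)
'''


def lint_rules(text):
    """Return (line_number, message) findings for one rules file."""
    findings, variables = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = VAR.match(line)
        if m:  # remember var definitions so negation hidden in a var is caught
            variables[m.group(1)] = m.group(2)
            continue
        m = HEADER.match(line)
        if not m:  # include statements and anything else are not checked
            continue
        for side, addr in (('source', m.group(3)), ('destination', m.group(6))):
            resolved = variables.get(addr.lstrip('!$'), addr)
            if addr.startswith('!') or resolved.startswith('!'):
                findings.append((lineno, f'negated {side} address {addr}'))
        count = len(CONTENT.findall(m.group(8)))
        if count > MAX_CONTENT:
            findings.append((lineno, f'{count} content options (limit {MAX_CONTENT})'))
    return findings


if __name__ == '__main__':
    for lineno, message in lint_rules(SAMPLE):
        print(f'line {lineno}: {message}')
```
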
