++++++++++++++++++++++
issPolicy v1.01 README
++++++++++++++++++++++

1. INSTALL

Installing issPolicy requires a Perl interpreter to be available on the system.

The "issPolicy" utility has been successfully tested on Linux using Perl v5.8.
The "issPolicy" utility has been successfully tested on Win32 using ActivePerl v5.8.

Only standard/core Perl modules are required to run this utility.

2. RUNNING THE UTILITY

Before being able to run this utility, you will need a policy. You can obtain the policy by exporting it from the database to a ".policy" file. If you are using ISS SiteProtector, you can export the policy in the following manner from the SiteProtector Console:

(1) Go to "Sensor" > "Manage" > "Policy"
(2) Select a RealSecure Network Sensor Policy or Proventia Inline Appliance Policy from the list and click on the "Export" button
(3) Select the target directory into which to export the policy. Click the "Export" button.

The utility has a directory called "policies", containing several icons used in the static HTML page. In order to see these icons in a generated HTML Policy, ensure that the HTML output file is generated inside a directory containing those icons (i.e. the "policies" directory).
It is therefore a good idea to copy the policies over to the "policies" directory and run issPolicy in the following manner:

Linux/Unix:
    " issPolicy --input 'policies/.policy' --output 'policies/.html' "
Win32:
    " perl issPolicy --input 'policies\.policy' --output 'policies\.html' "

Running issPolicy without input, output, or options will display the utility's help:

------
# ./issPolicy
issPolicy v1.01 / Kristof Philipsen [kphilipsen@gmail.com]
Usage: ./issPolicy [options] --input --output

[OPTIONS] - Signatures Options
  [--sigs-enabled | --sigs-disabled]
      display enabled or disabled signatures
  [--sigs-high | --sigs-medium | --sigs-low]
      display signatures matching a specific priority level
  [--sigs-drop]
      display signatures with DROP enabled (*)
  [--drop-option 1|2|3]
      display signatures matching a specific DROP configuration (requires '--sigs-drop') (*)
      (1 = ConnectionWithReset / 2 = Connection / 3 = Packet)
  [--sigs-dynamicblock]
      display signatures with response DYNAMICBLOCK enabled (requires '--sigs-drop') (*)
  [--dynamicblock-option 1|2|3]
      display signatures matching a specific DYNAMICBLOCK configuration (requires '--sigs-drop' and '--sigs-dynamicblock') (*)
      (1 = IsolateTrojan / 2 = BlockWorm / 3 = BlockIntruder)

[OPTIONS] - IP Filters Options
  [--filters-enabled | --filters-disabled]
      display enabled or disabled ip filters

[OPTIONS] - Event Filters Options
  [--events-enabled | --events-disabled]
      display enabled or disabled event filters

(*) = Option only works on Proventia Inline Appliance Policies
------

The following is a more detailed explanation of the various parameters and option switches for issPolicy:

--input
    This is the location and the name of the ISS Proventia Inline Appliance or ISS RealSecure Network Sensor Policy file.
    Usually these types of files have a ".policy" suffix. (i.e. "AttackBlocker_inline.policy")

--output
    This is the location and the name of the HTML file to be generated from the Policy file.
    Usually these types of files have a ".html" or ".htm" suffix. (i.e. "AttackBlocker_inline.html")

--sigs-enabled
    Selecting this option ONLY displays signatures which are ENABLED in the policy

--sigs-disabled
    Selecting this option ONLY displays signatures which are DISABLED in the policy

--sigs-high
    Selecting this option ONLY displays signatures which have their priority level set to HIGH

--sigs-medium
    Selecting this option ONLY displays signatures which have their priority level set to MEDIUM

--sigs-low
    Selecting this option ONLY displays signatures which have their priority level set to LOW

--sigs-drop
    Selecting this option ONLY displays signatures which have DROP enabled in the policy
    This option only works on Proventia Inline Appliance Policies

--drop-option 1
    Selecting this option REQUIRES the "--sigs-drop" option to be used as well
    Selecting this option ONLY displays signatures which have DROP enabled and the 'ConnectionWithReset' Drop Option configured in the policy
    This option only works on Proventia Inline Appliance Policies

--drop-option 2
    Selecting this option REQUIRES the "--sigs-drop" option to be used as well
    Selecting this option ONLY displays signatures which have DROP enabled and the 'Connection' Drop Option configured in the policy
    This option only works on Proventia Inline Appliance Policies

--drop-option 3
    Selecting this option REQUIRES the "--sigs-drop" option to be used as well
    Selecting this option ONLY displays signatures which have DROP enabled and the 'Packet' Drop Option configured in the policy
    This option only works on Proventia Inline Appliance Policies

--sigs-dynamicblock
    Selecting this option REQUIRES the "--sigs-drop" option to be used as well
    Selecting this option ONLY displays signatures which have DROP and DYNAMICBLOCK enabled in the policy
    This option only works on Proventia Inline Appliance Policies

--dynamicblock-option 1
    Selecting this option REQUIRES the "--sigs-drop" and "--sigs-dynamicblock" options to be used as well
    Selecting this option ONLY displays signatures which have DROP and DYNAMICBLOCK enabled and the 'IsolateTrojan' DynamicBlock Option configured in the policy
    This option only works on Proventia Inline Appliance Policies

--dynamicblock-option 2
    Selecting this option REQUIRES the "--sigs-drop" and "--sigs-dynamicblock" options to be used as well
    Selecting this option ONLY displays signatures which have DROP and DYNAMICBLOCK enabled and the 'BlockWorm' DynamicBlock Option configured in the policy
    This option only works on Proventia Inline Appliance Policies

--dynamicblock-option 3
    Selecting this option REQUIRES the "--sigs-drop" and "--sigs-dynamicblock" options to be used as well
    Selecting this option ONLY displays signatures which have DROP and DYNAMICBLOCK enabled and the 'BlockIntruder' DynamicBlock Option configured in the policy
    This option only works on Proventia Inline Appliance Policies

--filters-enabled
    Selecting this option ONLY displays User-defined IP Filters which are ENABLED in the policy

--filters-disabled
    Selecting this option ONLY displays User-defined IP Filters which are DISABLED in the policy

--events-enabled
    Selecting this option ONLY displays User-defined Event Filters which are ENABLED in the policy

--events-disabled
    Selecting this option ONLY displays User-defined Event Filters which are DISABLED in the policy

!! Please note the options evaluation mechanism works as follows:
When multiple options are selected, the HTML Policy will be generated for a signature if and only if ALL of the criteria in the options are met. (This is evaluated on a per options block basis: Signatures, IP Filters, Event Filters.)

!! Thus issPolicy works as a logical AND and NOT as a logical OR !!

Example: The command "issPolicy --sigs-enabled --sigs-high --sigs-drop --sigs-dynamicblock"
    => WON'T display all signatures that are ENABLED or HIGH or have DROP or DYNAMICBLOCK enabled
    .. but ..
    => WILL display all signatures that are ENABLED and HIGH and have DROP and DYNAMICBLOCK enabled

3. LICENSE

issPolicy is provided freely (without charge) under the GNU Public License. Please refer to the LICENSE file in the issPolicy main directory for more information on this license.

The issPolicy utility is not officially supported by and in no way affiliated with Internet Security Systems or its representatives.

4. QUESTIONS

If you have any questions, comments, or bugs, please feel free to contact me at kphilipsen@gmail.com.
You can also check the issPolicy website for updates: http://packet.sequenced.org/projects/isspolicy/
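
The option evaluation rule from section 2 (signature criteria combined with a logical AND, plus the documented REQUIRES dependencies), modelled in Python as an added example; it is not part of issPolicy and was not written by its author. The record fields, the sample signatures and the choice to treat a missing prerequisite as an error are assumptions made for illustration.

```python
# Added illustration of the README's option rules; not issPolicy's own code.
DROP = {1: "ConnectionWithReset", 2: "Connection", 3: "Packet"}
DYNBLOCK = {1: "IsolateTrojan", 2: "BlockWorm", 3: "BlockIntruder"}

def check_requirements(opts):
    """Return violations of the documented 'REQUIRES' rules for signature options."""
    drop, dyn = opts.get("sigs-drop"), opts.get("sigs-dynamicblock")
    errors = []
    if "drop-option" in opts and not drop:
        errors.append("--drop-option requires --sigs-drop")
    if dyn and not drop:
        errors.append("--sigs-dynamicblock requires --sigs-drop")
    if "dynamicblock-option" in opts and not (drop and dyn):
        errors.append("--dynamicblock-option requires --sigs-drop and --sigs-dynamicblock")
    return errors

def build_criteria(opts):
    """One predicate per selected option; a signature is shown only if ALL hold."""
    crit = []
    if opts.get("sigs-enabled"):
        crit.append(lambda s: s["enabled"])
    if opts.get("sigs-disabled"):
        crit.append(lambda s: not s["enabled"])
    for level in ("high", "medium", "low"):
        if opts.get("sigs-" + level):
            crit.append(lambda s, lv=level: s["priority"] == lv)
    if opts.get("sigs-drop"):
        crit.append(lambda s: s["drop"] is not None)
    if "drop-option" in opts:
        crit.append(lambda s: s["drop"] == DROP[opts["drop-option"]])
    if opts.get("sigs-dynamicblock"):
        crit.append(lambda s: s["dynamicblock"] is not None)
    if "dynamicblock-option" in opts:
        crit.append(lambda s: s["dynamicblock"] == DYNBLOCK[opts["dynamicblock-option"]])
    return crit

def select(signatures, opts):
    """Names of signatures meeting every selected criterion (logical AND)."""
    errors = check_requirements(opts)
    if errors:  # assumption: a missing prerequisite is treated as a hard error
        raise ValueError("; ".join(errors))
    crit = build_criteria(opts)
    return [s["name"] for s in signatures if all(c(s) for c in crit)]

# Constructed sample records; field names are hypothetical, not the .policy format.
SIGS = [
    {"name": "SIG_A", "enabled": True, "priority": "high", "drop": "ConnectionWithReset", "dynamicblock": "BlockIntruder"},
    {"name": "SIG_B", "enabled": True, "priority": "high", "drop": "Packet", "dynamicblock": None},
    {"name": "SIG_C", "enabled": True, "priority": "low", "drop": None, "dynamicblock": None},
    {"name": "SIG_D", "enabled": False, "priority": "high", "drop": "Connection", "dynamicblock": "BlockWorm"},
]
```

In this model, selecting two priority levels together (for example "sigs-high" with "sigs-low") matches nothing, which follows directly from the AND rule as the README states it.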