Is there an IPS policy xsd/dtd schema available?

Unanswered Question
Oct 1st, 2007

Could someone share the IPS policy schema to interpret the structure of information received from the IPS transaction server?

Also, I am looking for references to documentation on IPS 6.x transaction server. Does that information exist somewhere?

Thanks in advance,

mhellman Thu, 10/04/2007 - 11:00

I tried making sense of that mess of an XML document before finally giving up and just building my own line-based parser and data structure. Let us know if you make any progress.

gdntsoc Mon, 10/08/2007 - 10:09

Since I couldn't find any documentation on how to retrieve the signature policy from the SDEE server, I've decided to simply copy default.xml & sig0.xml and join them myself.

I started finding information that for some reason is showing up on the CLI and in CSM but not in either of the two files (default.xml & sig0.xml) I'm referencing:

See an example from default.xml attached.

Output from CLI... notice the action & status fields.

Could you explain why in the world the information would be missing in the default.xml file? Unless there is some sort of algorithm that I am not aware of?

mhellman Mon, 10/08/2007 - 10:21

Certain settings use default values and won't necessarily be set in either document. For example, if a signature entry does not have an enabled or retired value, its enabled status is true and its retired value is false.

gdntsoc Mon, 10/08/2007 - 12:08

Is that a reliable assumption? It also appears that the "Severity" and sometimes "Action" fields don't show up for a particular sig. What would be the assumption there?

Thanks,

mhellman Mon, 10/08/2007 - 12:15

I have found it to be. Go into the GUI and click 'add' on a signature policy. Those are pretty much the defaults. I'm sure there is a file somewhere that defines these as well, I just haven't bothered to look for it. For severity and action, the defaults are medium and produce-alert.
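The merge-and-default logic the thread converges on (layer sig0.xml over default.xml, then treat a missing enabled/retired/severity/action as true/false/medium/produce-alert), written out as an added example that is not code from the thread or from Cisco. The XML layout, signature ids and field names below are constructed for this example; the real default.xml and sig0.xml schema is exactly what the thread says is undocumented, so a parser for those files would need its element names adjusted. The useful part for the original poster's confusion is the `_implicit` list on each merged record: it names the fields whose value the CLI or CSM would display even though neither file contains them.

```python
"""Merge two hypothetical IPS signature-policy XML fragments and fill in
the implicit defaults described in the thread.

The XML shape here is CONSTRUCTED for illustration; it is not Cisco's
real default.xml / sig0.xml schema.
"""
import xml.etree.ElementTree as ET

# Defaults as stated in the thread. Assumption: they apply uniformly to
# every signature that omits the field in both files.
DEFAULTS = {
    "enabled": "true",
    "retired": "false",
    "severity": "medium",
    "action": "produce-alert",
}

# Constructed stand-in for default.xml (ids and names are arbitrary).
DEFAULT_XML = """<policy>
  <signature id="1000" subsig="0">
    <name>Constructed sig A</name>
    <severity>high</severity>
  </signature>
  <signature id="1001" subsig="0">
    <name>Constructed sig B</name>
    <enabled>false</enabled>
    <action>deny-packet-inline</action>
  </signature>
</policy>"""

# Constructed stand-in for sig0.xml (site-specific overrides).
SIG0_XML = """<policy>
  <signature id="1000" subsig="0">
    <retired>true</retired>
  </signature>
  <signature id="1002" subsig="0">
    <name>Constructed sig C</name>
  </signature>
</policy>"""


def parse_signatures(xml_text):
    """Return {(id, subsig): {field: value}} for every <signature> element."""
    root = ET.fromstring(xml_text)
    sigs = {}
    for sig in root.iter("signature"):
        key = (sig.get("id"), sig.get("subsig", "0"))
        # Each child element becomes one field; text is stripped of whitespace.
        sigs[key] = {child.tag: (child.text or "").strip() for child in sig}
    return sigs


def merge_policy(default_xml, override_xml):
    """Layer override entries over the defaults file, then apply DEFAULTS.

    Each merged record gets an '_implicit' list naming the fields that were
    absent from both files and therefore took the documented default.
    """
    merged = parse_signatures(default_xml)
    for key, fields in parse_signatures(override_xml).items():
        merged.setdefault(key, {}).update(fields)
    for fields in merged.values():
        implicit = []
        for name, value in DEFAULTS.items():
            if name not in fields:
                fields[name] = value
                implicit.append(name)
        fields["_implicit"] = sorted(implicit)
    return merged


def explicit_overrides(default_xml, override_xml):
    """Return {(id, subsig): [fields]} that the override file actually changes."""
    base = parse_signatures(default_xml)
    changes = {}
    for key, fields in parse_signatures(override_xml).items():
        before = base.get(key, {})
        diff = sorted(f for f, v in fields.items() if before.get(f) != v)
        if diff:
            changes[key] = diff
    return changes


if __name__ == "__main__":
    for key, f in sorted(merge_policy(DEFAULT_XML, SIG0_XML).items()):
        print(key, f.get("name"), f["enabled"], f["retired"], f["severity"],
              f["action"], "implicit:", ",".join(f["_implicit"]) or "-")
```

Running the script prints one line per signature with the four effective fields and which of them came from the defaults rather than from a file; `explicit_overrides` separately lists what sig0.xml changes relative to default.xml, which is handy for spotting a site override that silently re-enables or retires a signature.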
