Is there an IPS policy xsd/dtd schema available?

Oct 1st, 2007

Could someone share IPS policy schema to interpret the structure of information received from IPS transaction server?


Also, I am looking for references to documentation on IPS 6.x transaction server. Does that information exist somewhere?


Thanks in advance,

mhellman Thu, 10/04/2007 - 11:00

I tried making sense of that mess of an XML document before finally giving up and just building my own line-based parser and data structure. Let us know if you make any progress.

gdntsoc Mon, 10/08/2007 - 10:09

Since I couldn't find any documentation on how to retrieve the signature policy from the SDEE server, I've decided to simply copy default.xml & sig0.xml and join them myself.


I started finding information that for some reason is showing up on the CLI and in CSM but not in either of the two files (default.xml & sig0.xml) I'm referencing:


See an example from default.xml attached.


Output from CLI... notice the action & status fields.


Could you explain why in the world the information would be missing in the default.xml file? Unless there is some sort of algorithm that I am not aware of?



mhellman Mon, 10/08/2007 - 10:21

Certain settings use default values and won't necessarily be set in either document. For example, if a signature entry does not have an enabled or retired value, its enabled status is true and its retired value is false.

gdntsoc Mon, 10/08/2007 - 12:08

Is that a reliable assumption? It also appears that the "Severity" and sometimes "Action" fields don't show up for a particular sig. What would be the assumption there?


Thanks,

mhellman Mon, 10/08/2007 - 12:15

I have found it to be. Go into the GUI and click 'add' on a signature policy. Those are pretty much the defaults. I'm sure there is a file somewhere that defines these as well, I just haven't bothered to look for it. For severity and action, the defaults are medium and produce-alert.
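The approach the thread converges on (overlay sig0.xml on default.xml, then fill in the implicit defaults for any field neither file sets) as an added example, not code posted by either participant. The element names and layout of the two sample documents are constructed for illustration and are an assumption, not the real Cisco IPS 6.x signature schema; the default values (enabled true, retired false, severity medium, action produce-alert) are the ones stated in the replies above.

```python
import xml.etree.ElementTree as ET

# Defaults the thread reports for fields absent from both files:
# enabled/retired from the first reply, severity/action from the last.
DEFAULTS = {
    "enabled": "true",
    "retired": "false",
    "severity": "medium",
    "action": "produce-alert",
}

# Constructed sample files. The <signatures>/<sig> layout is an assumption
# made for this example only; it is NOT the actual Cisco IPS policy schema.
DEFAULT_XML = """<?xml version="1.0"?>
<signatures>
  <sig id="2000" subid="0">
    <description>ICMP Echo Reply</description>
    <severity>informational</severity>
  </sig>
  <sig id="3030" subid="0">
    <description>TCP SYN Host Sweep</description>
    <enabled>false</enabled>
    <action>produce-alert</action>
  </sig>
  <sig id="5081" subid="0">
    <description>WWW WinNT cmd.exe Access</description>
  </sig>
</signatures>
"""

# sig0.xml only carries the tuned values; everything else is inherited.
SIG0_XML = """<?xml version="1.0"?>
<signatures>
  <sig id="3030" subid="0">
    <enabled>true</enabled>
    <severity>high</severity>
    <action>produce-alert|deny-attacker-inline</action>
  </sig>
  <sig id="5081" subid="0">
    <retired>true</retired>
  </sig>
</signatures>
"""

FIELDS = ("description", "enabled", "retired", "severity", "action")


def parse_policy_file(xml_text):
    """Return {(id, subid): {field: value}} containing only fields the file sets."""
    root = ET.fromstring(xml_text)
    sigs = {}
    for sig in root.iter("sig"):
        key = (sig.get("id"), sig.get("subid", "0"))
        fields = {}
        for name in FIELDS:
            node = sig.find(name)
            if node is not None and node.text is not None:
                fields[name] = node.text.strip()
        sigs[key] = fields
    return sigs


def merge_policy(base_xml, override_xml):
    """Overlay the override file on the base, then apply defaults to gaps.

    A field missing from both files is not an error: the sensor treats it as
    the documented default, which is why the CLI/CSM show values the raw
    files do not contain.
    """
    merged = parse_policy_file(base_xml)
    for key, fields in parse_policy_file(override_xml).items():
        merged.setdefault(key, {}).update(fields)
    for fields in merged.values():
        for name, value in DEFAULTS.items():
            fields.setdefault(name, value)
    return merged


def effective_signature(merged, sig_id, subid="0"):
    """Look up the fully-resolved settings for one signature."""
    return merged[(str(sig_id), str(subid))]


if __name__ == "__main__":
    policy = merge_policy(DEFAULT_XML, SIG0_XML)
    for key in sorted(policy, key=lambda k: int(k[0])):
        f = policy[key]
        print("%s/%s: enabled=%s retired=%s severity=%s action=%s"
              % (key[0], key[1], f["enabled"], f["retired"], f["severity"], f["action"]))
```

Resolving the defaults at parse time, rather than leaving the fields absent, is what makes the merged structure agree with what the CLI and CSM display; a consumer that only reads the raw files would otherwise report signature 2000 as having no action and signature 5081 as having no severity.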
