10-01-2007 11:50 AM - edited 03-10-2019 03:48 AM
Could someone share the IPS policy schema to interpret the structure of information received from the IPS transaction server?
Also, I am looking for references to documentation on the IPS 6.x transaction server. Does that information exist somewhere?
Thanks in advance,
10-04-2007 11:00 AM
I tried making sense of that mess of an XML document before finally giving up and just building my own line-based parser and data structure. Let us know if you make any progress.
10-08-2007 10:09 AM
Since I couldn't find any documentation on how to retrieve the signature policy from the SDEE server, I've decided to simply copy default.xml & sig0.xml and join them myself.
I started finding information that for some reason is showing up on the CLI and in CSM but not in either of the two files (default.xml & sig0.xml) I'm referencing:
See an example from default.xml attached.
Output from CLI... notice the action & status fields..
Could you explain why in the world the information would be missing in the default.xml file? Unless there is some sort of algorithm that I am not aware of?
10-08-2007 10:21 AM
Certain settings use default values and won't necessarily be set in either document. For example, if a signature entry does not have an enabled or retired value, its enabled status is true and its retired value is false.
10-08-2007 12:08 PM
Is that a reliable assumption? It also appears that the "Severity" and sometimes "Action" fields don't show up for a particular sig. What would be the assumption there?
Thanks,
10-08-2007 12:15 PM
I have found it to be. Go into the GUI and click 'add' on a signature policy. Those are pretty much the defaults. I'm sure there is a file somewhere that defines these as well, I just haven't bothered to look for it. For severity and action, the defaults are medium and produce-alert.
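The join described in this thread, as an added example that is not part of any post and is not Cisco code: it merges two signature files and fills unset fields with the defaults reported above, recording where each value came from so implied settings stand out in an audit. The element and attribute names are a constructed, simplified layout (the real schema is not shown on this page), and sig0.xml overriding default.xml is an assumption.

```python
import xml.etree.ElementTree as ET

# Fallbacks reported in the thread for fields absent from both files.
THREAD_DEFAULTS = {"enabled": "true", "retired": "false",
                   "severity": "medium", "action": "produce-alert"}

# Constructed sample documents; element and attribute names are a
# simplified stand-in, not the real IPS policy schema.
DEFAULT_XML = """<signatures>
  <sig id="1000" subid="0"><severity>high</severity></sig>
  <sig id="1001" subid="0"><retired>true</retired></sig>
  <sig id="1002" subid="0"/>
</signatures>"""
SIG0_XML = """<signatures>
  <sig id="1000" subid="0"><enabled>false</enabled></sig>
  <sig id="1002" subid="0"><action>deny-packet-inline</action></sig>
  <sig id="60000" subid="1"><severity>low</severity></sig>
</signatures>"""

def read_sigs(xml_text):
    """Map (id, subid) -> {field: value} for the fields explicitly set."""
    sigs = {}
    for sig in ET.fromstring(xml_text).iter("sig"):
        key = (sig.get("id"), sig.get("subid", "0"))
        sigs[key] = {c.tag: (c.text or "").strip()
                     for c in sig if c.tag in THREAD_DEFAULTS}
    return sigs

def effective_policy(default_xml, sig0_xml):
    """Join both files, then fill unset fields from THREAD_DEFAULTS.

    Assumption: a value in sig0.xml overrides the one in default.xml.
    Each field is returned as (value, source) so implied values are visible.
    """
    base, override = read_sigs(default_xml), read_sigs(sig0_xml)
    policy = {}
    for key in sorted(set(base) | set(override)):
        row = {}
        for field, fallback in THREAD_DEFAULTS.items():
            if field in override.get(key, {}):
                row[field] = (override[key][field], "sig0.xml")
            elif field in base.get(key, {}):
                row[field] = (base[key][field], "default.xml")
            else:
                row[field] = (fallback, "implied")
        policy[key] = row
    return policy

if __name__ == "__main__":
    for (sid, sub), row in effective_policy(DEFAULT_XML, SIG0_XML).items():
        print(f"{sid}.{sub}", {f: f"{v} ({s})" for f, (v, s) in row.items()})
```

Comparing the rows marked "implied" against the CLI output is a quick way to confirm the assumed defaults on a given sensor version.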