ca's hips, is better than tiny?

Discussion in 'other firewalls' started by areyousure, Feb 18, 2007.

Thread Status:
Not open for further replies.
  1. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I tried registering for the CA HIPS evaluation

    They sent me an email, but the Download Hyperlink was missing in the spot where it was supposed to be.

    I called them up and got put on hold forever and never resolved the problem.
     
  2. CVSCorp

    CVSCorp Registered Member

    Joined:
    Mar 2, 2007
    Posts:
    4
    Is this ruleset for CA-HIPS or Tiny 2005?

    I'm wondering if CA is using "SnortImp.exe" or a version that converts Snort Rulesets into .xml format?

    I wonder if this ruleset will work in Tiny 2005 :eek:
     
  3. NathanX

    NathanX Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    4
    This is the ruleset for CA HIPS but it might work for Tiny 2005.

    Edit: Just tried in Tiny 2005 and it doesn't work.
     
    Last edited: Mar 10, 2007
  4. Wakanaka

    Wakanaka Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    3
    I tried it too, but it did not work for me. CVSCorp tells me it worked for him. I have no clue why it works for some and not for others. The IDS/IPS feature is no longer listed in Admin-center when I use the "CA IDS.xml". I got an Internet Explorer script error with URL res://webui.dll/ids/ids-rules.htm. Maybe he has a different version of webui.dll. My version is 6.00.8.
     
  5. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Thanks, NathanX, for the IDS file. TPF's xml file would not work in CA's version. Will see if CA's xml file can be incorporated into TPF.

    Worked for me.

    1) Made a Backup.
    2) Deleted the IDS.xml file.
    3) Replace with CA's xml file.
    4) Rename the file to IDS.xml.
    5) Restore the Backup.

    Everything the same except the IDS/IPS rules are CA's. Only thing is that CA's is 1.08 MB and TPF's is 1.66 MB.
     
    Last edited: Mar 11, 2007
  6. NathanX

    NathanX Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    4
    Robert, the only reason it works is because you left the ids.xml_ file in your backup folder, which is an identical copy of the ids.xml file. The firewall seems to pull the ids signatures from it. You can verify this by deleting the ids.xml and restarting the firewall. It will regenerate the ids.xml file. However, you are still using the old ids signatures that you had in your backup.

    If you delete both files (ids.xml &amp; ids.xml_), restart the firewall and then use the CA ids signature file, it will not work. However, using the old ids.xml it will work and generate the ids.xml_ file.

    You can also verify whether you have the new ids rules, because both files will have the same timestamp and size (1.08 MB vs 1.66 MB).

    I've spent a few hours testing and came to the conclusion that, as it stands now, the new sigs from CA do not work for Tiny 2005. I hope others can verify my findings. Cheers
     
  7. Wakanaka

    Wakanaka Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    3
    I took a closer look at both "IDS.xml". It seems to be possible to include (and modify!) the "CA Ruleset" in the original "IDS.xml" of TPF. CA HIPS Toolkit Test Harness handles the rules a bit differently from TPF; that's why TPF doesn't understand CA's "IDS.xml". An example: the next rules are the same. 1. in TPF, 2. in CA.


    1: <Rule al="Monitor" ar="Prevent" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21"
    remport="*" name="FTP ADMw0rm ftp login attempt" sid="576">
    <Token id="content" type="str" nocase="1">USER</Token>
    <Token id="content" type="str" distance="1" nocase="1">w0rm</Token>
    <Token id="pcre" type="str">=/^USER\s+w0rm/smi</Token>
    </Rule>

    2: <Rule al="Severity1" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21"
    remport="*" name="FTP ADMw0rm ftp login attempt" sid="576">
    <Token unique_id="1" id="flow" type="str">TS,ES</Token>
    <Token unique_id="2" id="content" type="str" nocase="1">USER</Token>
    <Token unique_id="3" id="content" type="str" distance="1" nocase="1">w0rm</Token>
    <Token unique_id="4" id="pcre" type="str">=/^USER\s+w0rm/smi</Token>
    </Rule>


    Differences aren't that big; you only have to remove "Token unique_id="x"" and modify "al="Severity1"" to "Monitor", so I will try to get newer rules into the original TPF.XML. It will be a lot of work and I don't have much time, but maybe in two days I can present you an actual IDS.xml for TPF.
     
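The conversion Wakanaka describes above (drop every Token's unique_id attribute, map al="Severity1" to "Monitor"), as an added example that is not code from the thread or from CA or Tiny. It assumes the CA file parses as ordinary XML and that the rest of the rule (the flow token, ar="Allow") can be left untouched, as the post does not mention them; the sample rule is the sid 576 rule quoted in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the CA HIPS form of sid 576 as quoted in the post above.
CA_RULE = r"""<Rule al="Severity1" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net"
 remaddr_id="external_net" locport="21" remport="*" name="FTP ADMw0rm ftp login attempt" sid="576">
<Token unique_id="1" id="flow" type="str">TS,ES</Token>
<Token unique_id="2" id="content" type="str" nocase="1">USER</Token>
<Token unique_id="3" id="content" type="str" distance="1" nocase="1">w0rm</Token>
<Token unique_id="4" id="pcre" type="str">=/^USER\s+w0rm/smi</Token>
</Rule>"""

# The post documents only Severity1 -> Monitor. Other CA levels (assumption: there
# may be more) are left unchanged and reported rather than guessed.
ALERT_LEVEL_MAP = {"Severity1": "Monitor"}


def convert_rule(rule: ET.Element) -> list[str]:
    """Rewrite one CA <Rule> into TPF form in place; return notes on anything left as is."""
    notes = []
    al = rule.get("al")
    if al in ALERT_LEVEL_MAP:
        rule.set("al", ALERT_LEVEL_MAP[al])
    elif al is not None:
        notes.append(f'sid {rule.get("sid")}: unmapped al="{al}" left unchanged')
    # TPF does not understand the unique_id attribute CA adds to every Token.
    for token in rule.findall("Token"):
        token.attrib.pop("unique_id", None)
    # The flow token and ar="Allow" are not mentioned in the post, so they stay as CA wrote them.
    return notes


def convert_ca_ruleset(xml_text: str) -> tuple[str, list[str]]:
    """Convert a whole CA IDS.xml (or a single bare <Rule>) and return (xml, notes)."""
    root = ET.fromstring(xml_text)
    notes = []
    for rule in root.iter("Rule"):  # iter() includes root itself when root is a Rule
        notes.extend(convert_rule(rule))
    return ET.tostring(root, encoding="unicode"), notes


def tpf_form_ok(xml_text: str) -> bool:
    """Check that no Token still carries unique_id and no Rule still uses a CA severity level."""
    root = ET.fromstring(xml_text)
    if any("unique_id" in t.attrib for t in root.iter("Token")):
        return False
    return all(not r.get("al", "").startswith("Severity") for r in root.iter("Rule"))


if __name__ == "__main__":
    converted, notes = convert_ca_ruleset(CA_RULE)
    print(converted)
    print("notes:", notes, "| TPF form ok:", tpf_form_ok(converted))
```

Run it against a copy of the CA IDS.xml, keep the original and a backup of TPF's own file, and only swap the converted file in once tpf_form_ok reports no leftovers and the notes list is empty.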
  8. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    You are correct, Nathan.

    Why can't I create rules from Activity monitor within a user account? That does not make any sense. Hope they fix that in the next build.

    Got to admit though, CA improved on TPF by adding features without stripping the true power of the firewall.
     
  9. NathanX

    NathanX Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    4
    Yes, you are correct. After I modded the ids.xml to incorporate those changes, it parsed perfectly through Tiny 2005. It seems it will be easy to modify future ids sigs from CA into Tiny.:thumb:

    I agree! Now comes the decision: will I stay with TPF or change to CA's offering? One deciding factor will come down to whether it will be compatible with Vista.
     