cloudxtreme / polman Goto Github PK

polman is aimed at makeing rule administration
for IPS/IDS sensors easy and powerfull.

You can load different rule-sets into a RuleDB, say
you load Sourcefire VRT rules in to ruledb snort2903
and you also load Emerging Threats snort 2.9.0 rules
into the same db.

Then you should have a large repo of rules to play with :)

If you also have suricata sensors, you can have
a ruledb for suricata10, and load the vrt rules
and the corrosponding ET-suricata rules into it.

Currently, polman will activate all rules in the ruledb
that is default activated from the the vendor (vrt/et/others),
on the sensors that are associated with the ruledb.
The activatation happens the first time you write out
the rule file(s) to disk.

When you download new rules from vendor into the ruledb
specified rules dir, and updates the ruledb, next time
you write new rules to disk for a sensor, it will automagically
enable the rules that the upstream vendor ships in the
state enabled.

Enabling/Disabling rules on a sensor:
ATM, you can search msg, catagory, classification and metadata.
You can also search for all rules that are default enabled by
rule-set vendor (ET or VRT etc). Or you can easly enable a rule
by: "polman.pl -i $SENSORNAME -e <sid>"
or disable:
"polman.pl -i $SENSORNAME -d <sid>"

Turn of rules but "filenames" (category):
./polman.pl -i TESTS -m "-(dos|games|icmp_info|pop3|rpc|scada|scan|snmp|sql|voip)"
...
[*] Search term: -(dos|games|icmp_info|pop3|rpc|scada|scan|snmp|sql|voip)
[*] Search field: catagory
[*] Found 908 rule(s) matching search criterias...
...
[i] Do you want to Disable all rules for sensor panama? (y/N)?: y
...