There are two forms of hank rules: front-end and back-end. Front-end rules are what get distributed from person to person. Each describes an attack: its name, its catalog number, and its severity. The front-end file is then transformed via an XSLT style sheet into a back-end file, which is a tree of hank events. The style sheet determines what firewalling, if any, is applied to which rules, along with any other policy transformations (reporting policies, etc.).

You can take a front-end file and transform it using any of the policy transforms in the hank source tree, or you can write your own. Use the libxslt application, xsltproc, like this:

    xsltproc ./policy-strict.xsl ./hank_rules_final.xml > ./hank_rules_backend.xml

If you don't want to do that, then here is a harmless back-end file with which to play. It results from transforming the front-end file below using the file "policy-none.xsl" from the hank source code.

You can find a front-end rules file here. Since it's XML, you'll probably have to download it rather than view it, as it is liable to confuse your browser.

To create your own front-end rule file, just run a command like this on a random Snort ruleset:

    rick% cat snort.conf | ../cvs/hank/snort_converter.pl 1 > hank_rules_final.xml