ISS SiteProtector

ISS RealSecure Workgroup Manager hit its end-of-life back in January, and I was asked to work on upgrading that to their new product, SiteProtector 2.0.
It's always kind of funny when an upgrade is not only mandatory but it makes life more difficult. SiteProtector seems to be similar to Cisco VMS. The idea is that we should be able to manage everything from one location. The scanners, the host sensors, the network sensors all come together in one lovely stew.
I guess I should start with the things I like. Unlike Cisco, they provide a console in addition to an administrative website. It's nice to have that option. Also, the website doesn't use up all available memory, unlike Cisco's Java-loving beast of a website. Updates were rather simple. It is also possible to schedule recurring updates.
I am rather perturbed about reporting. Under the old version, I was able to create graphs based on top senders and receivers of attacks as well as the top attacks. I could then filter down and create more focused reports, such as what were the top attacks attempted on server X.
The new system has reporting as an add-in module (ca-ching). I thought the analysis tab could be useful for creating a report but it has a limit of 500 lines by default. Not so helpful.
I may be able to create the reports by querying the SQL database. But the hardest part there looks like figuring out what base number system they are using to store the IP addresses so I can convert them back.
At least it's something to work on as we start the new workweek.
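
One way to approach the IP-address conversion problem mentioned above, as an added example that is not part of the original post: decode a stored value under several common IPv4 storage encodings, then keep only the encodings that place every sample inside a network you know the sensors watch. The post does not say how SiteProtector stores addresses, so the encodings tried, the sample values and the 192.168.10.0/24 network are all assumptions constructed for illustration.

```python
import ipaddress
import struct

def candidates(raw):
    """Return {encoding_name: dotted_quad} for one stored value (int or str)."""
    out = {}
    text = str(raw).strip()
    # Case 1: a decimal integer, stored as signed or unsigned 32-bit.
    try:
        n = int(text, 10)
    except ValueError:
        n = None
    if n is not None and -2**31 <= n < 2**32:
        u = n & 0xFFFFFFFF  # fold a signed (two's complement) value to unsigned
        out["int32 network order"] = str(ipaddress.IPv4Address(u))
        swapped = struct.unpack("<I", struct.pack(">I", u))[0]
        out["int32 byte-swapped"] = str(ipaddress.IPv4Address(swapped))
    # Case 2: eight hex digits, e.g. a 4-byte binary column rendered as text.
    h = text[2:] if text.lower().startswith("0x") else text
    if len(h) == 8:
        try:
            out["hex network order"] = str(ipaddress.IPv4Address(int(h, 16)))
        except ValueError:
            pass  # not valid hex, so this encoding does not apply
    return out

def identify_encoding(samples, known_network):
    """Return the encodings that put every sample inside known_network."""
    net = ipaddress.ip_network(known_network)
    hits = {}
    for raw in samples:
        for name, addr in candidates(raw).items():
            if ipaddress.ip_address(addr) in net:
                hits[name] = hits.get(name, 0) + 1
    return sorted(name for name, count in hits.items() if count == len(samples))

# Constructed sample values (not taken from any real SiteProtector database).
SAMPLES = [-1062729191, -1062729016]
KNOWN_NET = "192.168.10.0/24"  # assumed: a network the sensors are known to monitor

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, candidates(value))
    print("consistent encodings:", identify_encoding(SAMPLES, KNOWN_NET))
```

Negative numbers in an address column are a strong hint that the address is a 32-bit value stored in a signed integer type, which is why the example folds them back to unsigned before converting.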