Transferring user-created correlation directives between servers on OSSIM 4


It takes a while to create correlation directives through the GUI so if you have to do this several times on different OSSIM servers it can get a bit tiresome. Here is how to transfer the directives you’ve created from one server to another:

1. Create your directive(s) on an OSSIM server
2. SSH to the server and cd to /etc/ossim/server/uid/, where uid is a generated string. This is specific to the install and will be different on the source and destination server.
3. In the folder is a file named user.xml. Open it using your favourite editor (vim?). This file contains the configuration for your directives in xml format. Copy and paste the contents into notepad ready to be transferred to the new OSSIM server.

The file starts with the xml header at the top:

<?xml version="1.0" encoding="UTF-8"?>

Each directive is enclosed in a <directive> tag, for example:

<directive id="500001" name="My example directive" priority="3">

Make a note of the ids of each directive, they’ll need to be distinct on the new server.

4. SSH to the new server and cd to /etc/ossim/server/uid/, where uid is a generated string.
5. Open the user.xml and if there are any rules created find the directive with the highest id. Go back to the directives you copied from the source server in notepad and amend the directive ids so they start on an id not in use. For instance if you highest id on the destination server is 50007 then start using 50008:

<directive id="500008" name="My example directive #1" priority="3">
<directive id="500009" name="My example directive #2" priority="3">
<directive id="500010" name="My example directive #3" priority="3">

6. Open the user.xml file on the destination server and scroll to the bottom. Paste the edited directives into the file.

7. Save the file and then restart ossim-server (service ossim-server restart).

8. Logon to OSSIM throught the GUI and check to see if your copied directives are in the list.

Advertisements
Tagged ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: