PHP-IDS warning when submitting rule on Alienvault OSSIM 4.x


When building a new correlation rule in Alienvault OSSIM 4.x you may get an error like:

"Sorry, operation not completed due to security reasons. An attack attempt has been logged to the system"

This is caused by the PHP-IDS implementation within OSSIM and can be fixed by adding an exemption rule:

  1. In the error, note the “Variable” that caused it. In this example it was Get.product_list
  2. SSH to your OSSIM server.
  3. Open the file /usr/share/ossim/include/php-ids.ini in your favourite editor.
  4. The [General] section contains a list of exceptions. Scroll to the bottom of the exceptions list and add a new entry:

       exceptions[] = GET.product_list

  5. Restart ossim-framework and try submitting the rule again:

       service ossim-framework restart
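
Steps 3 to 5 as a script, as an added example that is not part of the original post or OSSIM's own tooling: it inserts the entry after the last existing exceptions[] line, keeps a backup, and skips duplicates. The function name and the pattern for acceptable variable names are assumptions of this example; the file path and service name are the ones given in the steps.

```shell
#!/bin/sh
# Added example, not OSSIM's own tooling. Adds one PHP-IDS exception after the
# last existing exceptions[] line, keeps a backup, and never adds duplicates.

add_phpids_exception() {
    ini="$1"    # path to php-ids.ini
    var="$2"    # variable named in the error, e.g. GET.product_list

    # Assumption: accept only one SCOPE.name, so a typo or wildcard cannot
    # exempt more input than the single variable that tripped the filter.
    if ! printf '%s\n' "$var" | grep -Eq '^(GET|POST|COOKIE|REQUEST)\.[A-Za-z0-9_]+$'; then
        echo "refusing unexpected variable name: $var" >&2
        return 2
    fi

    # Exact string comparison on the value, so the dot is not a regex wildcard.
    if awk -v v="$var" '
        /^[ \t]*exceptions\[\][ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == v) found = 1
        }
        END { exit (found ? 0 : 1) }' "$ini"; then
        echo "already exempted: $var"
        return 0
    fi

    # Line number of the last entry in the existing exceptions list.
    last=$(awk '/^[ \t]*exceptions\[\][ \t]*=/ { n = NR } END { print n + 0 }' "$ini")
    if [ "$last" -eq 0 ]; then
        echo "no exceptions[] list found in $ini" >&2
        return 3
    fi

    cp -p "$ini" "$ini.bak"     # keep the previous file for rollback
    awk -v n="$last" -v v="$var" '
        { print }
        NR == n { print "exceptions[] = " v }' "$ini.bak" > "$ini"
    echo "added exception for $var (backup: $ini.bak)"
}

# On the OSSIM server (path and service name as given in the steps above):
#   add_phpids_exception /usr/share/ossim/include/php-ids.ini GET.product_list \
#     && service ossim-framework restart
```

Each exception removes PHP-IDS inspection for that one request variable, so the script refuses anything broader than a single named parameter.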