When building a new correlation rule in AlienVault OSSIM 4.x, you may get an error like:
"Sorry, operation not completed due to security reasons. An attack attempt has been logged to the system"
This is caused by the PHP-IDS implementation within OSSIM and can be fixed by adding an exemption rule:
1. In the error message, note the “Variable” that caused the error. In this example it was Get.product_list.
2. SSH to your OSSIM server.
3. Open the file /usr/share/ossim/include/php-ids.ini in your favourite editor.
4. The [General] section contains a list of exceptions. Scroll to the bottom of the exceptions list and add a new entry:
    exceptions = GET.product_list
5. Restart ossim-framework and try submitting the rule again:
    service ossim-framework restart
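The file edit from the steps above, as an added shell example (not part of the original page or of OSSIM's own tooling). It adds the exemption only once, keeps a .bak copy, and rejects anything that is not a single SCOPE.name variable, since each exemption switches off PHP-IDS inspection for that parameter. The function name and script name are hypothetical, and it assumes [General] already holds at least one exceptions entry, whose key spelling it reuses.

```shell
#!/bin/sh
# Added example (not from OSSIM): idempotently add a PHP-IDS exemption.
# usage: add_phpids_exception /usr/share/ossim/include/php-ids.ini GET.product_list
add_phpids_exception() {
    ini=$1 var=$2 rc=0
    # Accept only SCOPE.name made of [A-Za-z0-9_.] so a pasted value cannot
    # smuggle extra ini lines or a wildcard-looking entry into the file.
    case $var in
        *[!A-Za-z0-9_.]*|.*|*.) echo "invalid variable: $var" >&2; return 2 ;;
        *.*) ;;
        *) echo "invalid variable: $var" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v var="$var" '
        { line[NR] = $0 }
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[General\]/) }
        in_general && /^[ \t]*exceptions(\[\])?[ \t]*=/ {
            last = NR                                # last existing entry
            key = $0; sub(/=.*/, "", key)            # reuse its key spelling
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val == var) found = 1
        }
        END {
            if (found) exit 3                        # already exempt
            if (!last) exit 4                        # nothing to anchor on
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == last) print key "= " var
            }
        }' "$ini" > "$tmp" || rc=$?
    case $rc in
        0) { cp -p "$ini" "$ini.bak" && cat "$tmp" > "$ini"; } || rc=1 ;;
        3) rc=0 ;;                                   # no change needed
        4) echo "no exceptions entry in [General] of $ini" >&2 ;;
    esac
    rm -f "$tmp"
    return $rc
}

# Run as a script (hypothetical name): sh add_exception.sh FILE VARIABLE
if [ "$#" -eq 2 ]; then add_phpids_exception "$1" "$2"; fi
```

After it reports success, restart ossim-framework as in step 5; the .bak copy next to php-ids.ini holds the previous configuration.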