Tag Archives: alienvault

OSSIM directive taxonomy settings do not update / save

When you try to edit the Taxonomy settings for a user generated directive in OSSIM the changes do not save. Instead the webpage updates and shows the old settings.

This happened for me when I upgraded to 4.3.4.

To fix you can clear out the taxonomy values in the alarm_taxonomy table and then re-enter them using the webGUI. The problem seems to be that OSSIM adds a second entry to the table rather than updating the existing one.

1. SSH to the OSSIM box holding the mysql database
2. Backup your database before editing the tables
3. Then type

select * from alarm_taxonomy WHERE sid like '5000%';

This should list the taxonomy for your generated directives (since they’re all in the 50000 range. For the exact sids check the /etc/ossim/server/<GUID>/user.xml file.

Now to clear the problem directive that won’t update (for example sid number 500010)

delete from alarm_taxonomy WHERE sid='500010';

Now open the web interface and the taxonomy for that directive should have cleared. Now edit it and set it correctly and restart the ossim-server by clicking on the button at the top.

Your taxonomy settings should have updated OK.

Tagged ,

Alienvault OSSIM: Asset page broken after upgrading to 4.4

After upgrading OSSIM to 4.4.0 (or 4.4.1) the Asset section may show the error:

Operation was not completed due to an database error

If you then check the status of the table on the CLI you’ll find the table is missing!

alienvault:~# ossim-db
mysql> select * from asset limit 1;
ERROR 1146 (42S02): Table 'alienvault.asset' doesn't exist
mysql> quit

To resolve re-run the SQL upgrade script which should recreate your table (albeit empty):

cd /usr/share/ossim/include/upgrades
gunzip 4.4.0_mysql.sql.gz
gunzip 4.4.1_mysql.sql.gz
ossim-db < 4.4.0_mysql.sql
ossim-db < 4.4.1_mysql.sql

Then reload the Assets page and it should work.

Tagged , , ,

How to run Alienvault OSSIM 4.2 in (custom) text mode

This is also a fix for

  1. GUI installer hanging on “Configure network” when you try and enter the IP address
  2. Configuring disk setup
  3. Selecting which components to install

These options were available in 4.1 but were removed from the boot menu of the installer in 4.2.

The options are still there though. To run the custom text installer do the following:

  1. Boot from the OSSIM 4.2 CD
  2. At the installer menu highlight USM 4.2 (the top one)
  3. Hit the TAB button
  4. Edit the kernel boot line so it shows as (all one line)
/install.amd/vmlinux preseed/file=/cdrom/preseed debian/priority=low preseed/interactive=true vga=normal initrd=/install.amd/initrd.gz quiet ALLinONEauto --

5. Then hit enter to boot into custom text mode.

For the lazy out there you can also:

  1. Put the 4.1 installer CD in the CDROM and boot to the menu.
  2. Swap the CD over and put in the 4.2 CD
  3. Select custom text mode from the menu

It’ll then boot.


Tagged , , ,

PHP-IDS warning when submitting rule on Alienvault OSSIM 4.x

When building a new correlation rule in Alienvault OSSIM 4.x you may get an error like:

"Sorry, operation not completed due to security reasons. An attack attempt has been logged to the system"


This is caused by the PHP-IDS implementation within OSSIM and can be fixed by adding an exemption rule:

  1. In the error note the “Variable” that caused the error. In this example it was Get.product_list
  2. SSH to your OSSIM server
  3. Open the file /usr/share/ossim/include/php-ids.ini in your favourite editor.
  4. In the [General] section are a list of exceptions. Scroll to the bottom of the exceptions list and add a new entry:
exceptions[] = GET.product_list

5. Restart ossim-framework and try submitting the rule again.

service ossim-framework restart
Tagged ,

Transferring user-created correlation directives between servers on OSSIM 4

It takes a while to create correlation directives through the GUI so if you have to do this several times on different OSSIM servers it can get a bit tiresome. Here is how to transfer the directives you’ve created from one server to another:

1. Create your directive(s) on an OSSIM server
2. SSH to the server and cd to /etc/ossim/server/uid/, where uid is a generated string. This is specific to the install and will be different on the source and destination server.
3. In the folder is a file named user.xml. Open it using your favourite editor (vim?). This file contains the configuration for your directives in xml format. Copy and paste the contents into notepad ready to be transferred to the new OSSIM server.

The file starts with the xml header at the top:

<?xml version="1.0" encoding="UTF-8"?>

Each directive is enclosed in a <directive> tag, for example:

<directive id="500001" name="My example directive" priority="3">

Make a note of the ids of each directive, they’ll need to be distinct on the new server.

4. SSH to the new server and cd to /etc/ossim/server/uid/, where uid is a generated string.
5. Open the user.xml and if there are any rules created find the directive with the highest id. Go back to the directives you copied from the source server in notepad and amend the directive ids so they start on an id not in use. For instance if you highest id on the destination server is 50007 then start using 50008:

<directive id="500008" name="My example directive #1" priority="3">
<directive id="500009" name="My example directive #2" priority="3">
<directive id="500010" name="My example directive #3" priority="3">

6. Open the user.xml file on the destination server and scroll to the bottom. Paste the edited directives into the file.

7. Save the file and then restart ossim-server (service ossim-server restart).

8. Logon to OSSIM throught the GUI and check to see if your copied directives are in the list.

Tagged ,

Offline update of Alienvault OSSIM

Alienvault OSSIM has a built in upgrade mechanism for updates. However, not all installs exist in locations with an active internet connection. To get around this you can either

  1. Mirror the update repository locally down from Alienvault and hack the update script
  2. Download the CD/DVD and hack the update script!

This is a description of the latter method.

Start by downloading the CD from the Alienvault OSSIM website and mount the iso on the server to be updated.

When the alienvault-update runs it tried to download an update script. You can grab this from the website. For v4 this script is located at http://data.alienvault.com/RELEASES/alienvault4_update-script. Download the script and write a copy to the OSSIM server to run manually.

The script uses apt-get to get the updates from alienvault but those packages are also on the CD we downloaded. Add in the CD as a source by typing:

apt-cdrom add

This adds in the CD as a source into /etc/apt/sources.list, for example:

deb cdrom:[Debian GNU/Linux 6.0.6 _Squeeze_ - Unofficial amd64 DVD Binary-1 20121002-12:02]/ squeeze main non-free

Comment out the other lines that refer to debian in this file by putting a hash (#) in front of them:

#deb http://ftp.us.debian.org/debian/ squeeze main contrib
#deb-src http://ftp.us.debian.org/debian/ squeeze main contrib
#deb http://security.debian.org/ squeeze/updates main contrib
#deb-src http://security.debian.org/ squeeze/updates main contrib

Save the file and open the downloaded update script. Find the part of the script that says “download-only” and remove that option. For instance:

apt-get dist-upgrade --download-only -y --force-yes

change to

apt-get dist-upgrade -y --force-yes

When you’ve changed all the lines with “download-only” in them you’re ready to run the update script.

As root run the script, for example:

sh ./alienvault4_update-script

and watch as the packages are updated. Once done reboot and verify the system has been updated by browsing to Configuration -> Sensors or by using the command

ossim-server -v
Tagged ,

Enabling Open Threat Exchange (AV-OTX) in Alienvault

The Alienvault website has several posts about Open Threat Exchange but I wasn’t able to find instructions on how to enable it. Eventually I found the option hidden away in the advanced menu.

Here’s how to set it up:

1. Open the OSSIM web interface and click on the Configuration menu then Main

2. Select the Advanced tab and then select Open Threat Exchange

3. Select Yes from the dropdown to contribute to OTX

4. Click on the activation link. This takes you to the Alienvault website.

5. Fill out the form and submit it.

6. You’ll then get an email from Alienvault with a confirmation link. Click it and you will get a page saying that you’ve activated OTX.

7. Now go back to the OSSIM page and click on the Send Now button. This evaluates the threats your system has picked up and it will then show you a page like this one:

8. Click Send Now to send the details to Alienvault so they can be distributed to others.

Tagged , , , , ,

Updating snort and openvas rules

Openvas and snort rules in Alienvault OSSIM are deployed as part of the updates. However, you can update them more frequently directly from the Openvas and Snort repositories.

Openvas Plugin Update Script

Most of this is directly from the Alienvault configuration guide, but in assorted places. Here’s the script to update the openvas rules:

openvas-nvt-sync --wget /etc/init.d/openvas-scanner restart 
perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate

Save this as a .sh file (e.g. update-openvas-plugins.sh) and chmod to 700 with owner root

chmod 700 update-openvas-plugins.sh 
chown root.root update-openvas-plugins.sh

Then add to root’s crontab:

crontab -e

and add the following line:

0 3 * * 6 /bin/sh /scripts/update-openvas-plugins.sh

where this one runs weekly on Saturday at 3am. For more info on editing crontab see here.

Snort Plugin Update Script

Here’s the script to update snort:

perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
/etc/init.d/ossim-server restart

If the box is just a snort collector and doesn’t have the ossim-server running you’ll want to change that last line to read:

/etc/init.d/snort restart


/etc/init.d/snort_eth1 restart

Where eth1 is the interface snort is attached to.

Then edit crontab again and add in the line:

0 4 * * 6 /bin/sh /scripts/update-snort-rules.sh

This one runs every Saturday at 4am.

Tagged , , , , , , , , , ,

Changing default editor from Joe’s Own Editor to vim in Alienvault OSSIM

Personally I find the default editor in Alienvault OSSIM a real pain to use, especially when I’m trying to edit crontabs.

Here’s a quick way to change it:

1. Logon to the system via SSH with the account you want to change the editor on

2. Open the bashrc for that user:

vi ~/bashrc

3. At the bottom add in

export EDITOR=vi

4. Then hit the escape key and type


to save.

If you want nano just use nano in-place of vi. Then the next time you open crontab it’ll use your preferred editor (e.g. vi or nano).


Tagged , , , , , ,

Snare plugin not working on AlienVault OSSIM

Alienvault OSSIM is a great open-source product but I recently struggled to get my Snare logs to show up in the Security Events (SIEM) viewer.

First of all follow the steps in the Snare setup guide.

Now that you’ve setup snare and enabled the plugin you should see the plugin running when you go to Configuration -> Collection -> Sensors -> Click on the SIEM host. The SnareWindows plugin should show up as ENABLED and UP.

Check the Security Events for snare logs. They should look like:

Snare: A service was successfully sent a start/stop control

If you don’t see any then try this:

1. SSH to the server

2. As root type

vi /etc/ossim/agent/plugins/snare.cfg

3. Find the line that says:


4. Comment it out by putting a # at the start of the line so it looks like this:


5. Now copy and paste the line and change the snare.log part to say messages so it looks like this:


6. Restart the ossim-agent

/etc/init.d/ossim-agent restart

Now go back and check your Security Events view. If your problem was the same as mine then your snare logs should now start appearing.


Perhaps the best way to reduce the CPU load caused by the agent parsing is to split the syslogs into separate log files using rsyslog. It needs a bit of planning in advance. Configure your snare installs to send their syslog messages to a particular facility, e.g. Local3. You can then setup rsyslog to split these into a new snare log.

Edit /etc/rsyslog.conf and scroll to the bottom and add in something like:

#Windows logs
if $syslogfacility-text == 'local3' then /var/log/snare.log

and restart the rsyslogd (/etc/init.d/rsyslog restart). Tail the /var/log/snare.log file to see if the logs are coming into the file correctly.

Now edit /etc/ossim/agent/plugins/snare.cfg and change the location line to point to this new log file:


Now edit the agent configuration file to include the plugin (/etc/ossim/agent/config.cfg). Scroll to the [plugins] section and check if the snare.cfg is listed. If it isn’t add it in:


now restart the agent service

/etc/init.d/ossim-agent restart

and check back in the GUI.

If you still get nothing in the GUI it could be that the logs that are coming into the log file don’t match  the regex’s in the snare.cfg. To test this take a small sample of your logs and create a test log file, e.g tail -100 /var/log/snare.log > /var/log/snare-test.log. Now use the following to test the regex’s:

/usr/share/ossim/scripts/regexp.py /var/log/snare-test.log /etc/ossim/agent/plugins/snare.cfg q

You should see some lines being matched.

Some logs to check for errors:







Tagged , , , , ,