
Alarms that share Directive IDs

Sherlock

New Life Form

Hello all,

We ran into an issue today where a customer USM and our federated server had conflicting Directive IDs. Alienvault seems to assign all user-contributed directives the IDs 500000-999999. This is an issue because when a USM has a user contributed directive of 500002 and the Federated Server has contributed directive of 500002 the wrong information can potentially be populated in the alarm. This is what happened to us.

Our solution was to edit /etc/ossim/server/user.xml and change the line <category name="User Contributed" xml_file="user.xml" mini="500000" maxi="999999" /> to <category name="User Contributed" xml_file="user.xml" mini="600000" maxi="999999" />. This will theoretically allow you to create 1000 user-contributed directives without running into another conflict like the one we ran into (you can do more if desired). You then need to change all of the user-contributed directive IDs in the user.xml so they fall within the new range. This file is in /etc/ossim/server also. You will then need to kick ossim with “service ossim-server restart” and you should be good to go.

This will most likely only be a problem for people who use AlienVault for managed services, but I thought I would share.

-Mr. Holmes (with assistance from Watson)
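The check and renumbering described in the post, as an added example that is not part of the original post or of AlienVault's own tooling. It assumes a minimal user.xml shape (a <category> element with mini/maxi plus <directive id="..."> elements; real directives also carry rule trees, which the script leaves untouched), finds directive IDs shared between two servers' files, and moves out-of-range IDs into the new range while skipping IDs already in use.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the shape the post describes: both servers hand out
# user-contributed IDs from 500000 upward, so 500002 exists on both.
USM_XML = """<directives>
<category name="User Contributed" xml_file="user.xml" mini="500000" maxi="999999" />
<directive id="500001" name="USM: ssh brute force" priority="3"/>
<directive id="500002" name="USM: internal port scan" priority="2"/>
</directives>"""

FEDERATED_XML = """<directives>
<category name="User Contributed" xml_file="user.xml" mini="500000" maxi="999999" />
<directive id="500002" name="Fed: beaconing host" priority="4"/>
<directive id="500003" name="Fed: large outbound transfer" priority="5"/>
</directives>"""

def load(xml_text):
    """Return ((mini, maxi), {directive_id: name}) from a user.xml-style document."""
    root = ET.fromstring(xml_text)
    cat = root.find("category")
    rng = (int(cat.get("mini")), int(cat.get("maxi")))
    ids = {int(d.get("id")): d.get("name") for d in root.iter("directive")}
    return rng, ids

def shared_ids(ids_a, ids_b):
    """IDs present in both files: an alarm with that ID is ambiguous between servers."""
    return sorted(set(ids_a) & set(ids_b))

def renumber(xml_text, new_mini, new_maxi):
    """Set the category range and move every directive outside it to a free ID inside it.
    Returns (rewritten xml, {old_id: new_id}); raises if the range fills up."""
    root = ET.fromstring(xml_text)
    cat = root.find("category")
    cat.set("mini", str(new_mini))
    cat.set("maxi", str(new_maxi))
    directives = sorted(root.iter("directive"), key=lambda d: int(d.get("id")))
    used = {int(d.get("id")) for d in directives if new_mini <= int(d.get("id")) <= new_maxi}
    mapping, candidate = {}, new_mini
    for d in directives:  # ascending order keeps the original relative ordering
        old = int(d.get("id"))
        if new_mini <= old <= new_maxi:
            continue  # already inside the new range, keep as-is
        while candidate in used:
            candidate += 1
        if candidate > new_maxi:
            raise ValueError("no free IDs left in the new range")
        mapping[old] = candidate
        used.add(candidate)
        d.set("id", str(candidate))
    return ET.tostring(root, encoding="unicode"), mapping
```

The returned mapping is worth keeping: alarms already stored before the restart still carry the old directive IDs, and the mapping is what lets you read them correctly afterwards.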
