Policies don't work

hermanherman

I am new to OSSIM (v 4.14). I have a problem with policies. I have OSSIM (server+sensor) on a single server. It generates a lot of events (mostly avapi):
ossec: Successful sudo to ROOT executed
from ossec-sudo (event ID:5402) in /home/avapi/
and:
snort: "ET POLICY Python-urllib/ Suspicious User Agent"
which is some HTTP GET to a Google server (no idea which process generates it).

And I want to filter them out with 2 policies I made in the Default policy group. Each policy has the event type defined as a new DS group (for the particular event IDs mentioned above), source as my OSSIM server+sensor address, destination as ANY, sensor: ANY, and Policy consequences - SIEM: all No.

Policies reloaded.

But events still show up. What is wrong?

Comments

  • Having the same problem with a policy that is supposed to suppress events for a monitoring account logging into my firewalls. Have you submitted a bug report? 
  • It seems that this is a bug that we have been following since 4.3.

    As I see it, there are many issues that cover this annoying behaviour. First of all, you should look at your database (you can install phpMyAdmin to navigate easily through the tables), then look into the policy table and try to understand if something has gone wrong with that policy, because it often happens that a policy stops working because of a DB error in the row that corresponds to the policy.

    For me this sometimes fixes the issue, but some very specific policies still didn't work at all.

    Regards
  • edited January 2015
    @IanHayes, Nope. I haven't.
    @s_secure, The problem is not that policy suddenly stopped working, it never worked.
  • Have you checked your DB to see if that policy is correctly added, like the others?
  • It seems that I found a solution.
    You can read
    https://www.alienvault.com/forums/discussion/4357/how-are-assets-linked-to-events#latest
    The answer there is:

    Add <idm mssp="false"/> at the end of /etc/ossim/server/config.xml (immediately before </config>), then restart the ossim-server process.

    After that, events start linking to assets, and you can add assets as source or destination in a policy.
  • @s_secure, Nope, I haven't.
    @deltabank, It seems to be a working solution! Thank you.
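As an added example (not from this thread and not AlienVault's own tooling): a small POSIX shell script that makes the config.xml change deltabank describes idempotently, keeps a backup, and checks that the line landed directly before the closing tag. It assumes the file's root element is `<config>`, as the quoted instruction implies, and that no `<idm .../>` element is present yet; the demo input is a constructed minimal file, not a real ossim-server configuration.

```shell
#!/bin/sh
# Added example, not from the thread or from AlienVault/OSSIM itself.
# Inserts <idm mssp="false"/> immediately before </config> in an ossim-server
# config.xml, idempotently, keeping a backup and verifying the placement.
# Assumptions: the file's root element is <config>, and no <idm .../> element
# exists yet (if one does, the file is left untouched).

IDM_LINE='<idm mssp="false"/>'

# add_idm_line FILE
# Inserts IDM_LINE before the line carrying </config> unless an <idm ...>
# element already exists. Leaves FILE.bak.<epoch> behind. Returns non-zero
# if FILE is missing or has no </config>.
add_idm_line() {
    f="$1"
    [ -f "$f" ] || { echo "add_idm_line: no such file: $f" >&2; return 1; }
    grep -q '</config>' "$f" || { echo "add_idm_line: no </config> in $f" >&2; return 1; }
    if grep -q '<idm ' "$f"; then
        echo "add_idm_line: <idm> already present in $f, nothing to do"
        return 0
    fi
    cp "$f" "$f.bak.$(date +%s)" || return 1
    tmp="$f.tmp.$$"
    # Emit the idm line right before the line that carries </config>.
    awk -v line="$IDM_LINE" 'index($0, "</config>") { print line } { print }' "$f" > "$tmp" \
        && mv "$tmp" "$f"
}

# idm_before_config_close FILE
# Prints "yes" if the idm line immediately precedes </config>, else "no".
idm_before_config_close() {
    awk -v line="$IDM_LINE" '
        index($0, "</config>") && prev == line { found = 1 }
        { prev = $0 }
        END { print (found ? "yes" : "no") }' "$1"
}

# count_idm FILE: number of lines containing an <idm ...> element.
count_idm() {
    grep -c '<idm ' "$1"
}

# demo: run the edit against a constructed, minimal config.xml in a temp dir.
# This is NOT a real ossim-server config, just enough to exercise the logic.
demo() {
    d=$(mktemp -d)
    cat > "$d/config.xml" <<'EOF'
<config>
  <server>
    <name>ossim-server</name>
  </server>
</config>
EOF
    add_idm_line "$d/config.xml"
    add_idm_line "$d/config.xml"          # second call must be a no-op
    echo "idm before </config>: $(idm_before_config_close "$d/config.xml")"
    echo "idm elements: $(count_idm "$d/config.xml")"
    cat "$d/config.xml"
    rm -rf "$d"
}

# Only run the demo when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = demo ]; then
    demo
fi
```

Saved as, say, `add_idm.sh` (the file name is just this note's choice), `sh add_idm.sh demo` runs it against the constructed file; on a real OSSIM box, `. ./add_idm.sh && add_idm_line /etc/ossim/server/config.xml`, then restart ossim-server as the quoted answer says (on OSSIM 4.x that is normally `/etc/init.d/ossim-server restart`; the init script name is an assumption of this note). Since the point of the change is that new events get linked to assets, verify the policy against an event generated after the restart, not against events that were already in the SIEM before it.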