I do not know if the question is considered to be related to programming, but I'll try anyway. I'm new to the Alienvault OSSIM System. I'm trying to learn how to make my own rules, but unfortunately I am having some difficulty. I created a simple rule in the rules file "local.rules" inside of the Snort rules folder.

alert icmp any any <> any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)

This rule triggers after an icmp ping from any machine to any machine. I checked if Snort deals with this rule, and indeed its records appear in the snort log file.

From the searches I've done about this, I realized that after a change in the rules files I must run the script below for the purpose of mapping rules files.

perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/

Then I created the following OSSIM rule in local_rules.xml file:

<group name="local,syslog,">
    <rule id="100020" level="2">
      <if_sid>250888</if_sid>
      <description>it's a new rule that i write myself!!</description>
    </rule>
</group>

After a system reboot I sent some pings to the machine, but the rule did not appear as an occurrence in the alert log. And in the OSSIM system error log this appears:

2014/08/06 11:30:59 rules_list: Signature ID '250888' not found. Invalid 'if_sid'.

Can someone explain to me what I am doing wrong?

Xavier
Froike

2 Answers

I'm not familiar with Alienvault OSSIM System, but from a snort standpoint, this is an invalid sid for a local rule. SIDs for local rules must be >= 1,000,000 as these are reserved for rules included with the Snort distribution (See documentation on this here). Perhaps try changing the sid to 1000000 (or 1250888 if you want to keep the 250888 part).

johnjg12
  • Hi, and thanks for your reply. I have tried this in a few versions (e.g. 2588, 250888, 5000000, 1250888). It leads to the same problem. – Froike Aug 10 '14 at 13:00
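As an added example (not from the question or either answer), a small Python linter that applies the SID check from this answer to a local.rules file before it is mapped with create_sidmap.pl: it flags SIDs below the local range, duplicate SIDs, missing SIDs and unparseable headers. The sample rules are constructed for the example and include the question's rule.

```python
# Lint a Snort local.rules file for SID problems before mapping it with create_sidmap.pl:
# unparseable headers, missing sids, sids below the local range and duplicate sids.
import re
LOCAL_SID_MIN = 1_000_000  # Snort reserves lower SIDs for its own distributed rules
# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
                     r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+'
                     r'(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# Split options on ';' only outside double quotes, since a msg may contain ';'
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_options(opts):
    """Turn 'key:value; flag;' option text into a dict; bare flags map to None."""
    result = {}
    for part in OPT_SPLIT_RE.split(opts):
        key, sep, value = part.strip().partition(':')
        if key:
            result[key.strip()] = value.strip().strip('"') if sep else None
    return result

def lint_rules(text):
    """Return (line_no, sid_or_None, problem) findings for the text of a rules file."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank lines and comments
        m = RULE_RE.match(line)
        sid = parse_options(m.group('opts')).get('sid') if m else None
        if m is None:
            findings.append((n, None, 'unparseable rule header'))
        elif sid is None or not sid.isdigit():
            findings.append((n, None, 'missing or non-numeric sid'))
        else:
            sid = int(sid)
            if sid < LOCAL_SID_MIN:
                findings.append((n, sid, f'sid below local range (>= {LOCAL_SID_MIN})'))
            if sid in seen:
                findings.append((n, sid, f'duplicate sid, first seen on line {seen[sid]}'))
            seen.setdefault(sid, n)
    return findings

# Constructed sample local.rules: the question's rule plus three variants
SAMPLE_RULES = '''alert icmp any any <> any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)
alert icmp any any <> any any (msg:"ping rule; local sid"; icode:0; itype:0; classtype:icmp-event; sid:1250888; rev:6;)
alert icmp any any <> any any (msg:"duplicate"; sid:1250888; rev:1;)
alert tcp any any -> any 22 (msg:"no sid";)
'''
if __name__ == '__main__':
    for line_no, sid, problem in lint_rules(SAMPLE_RULES):
        print(f'line {line_no}: sid={sid}: {problem}')
```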
If you create a rule in Snort you don't need to create a rule in local_rules.xml.

After you change the local.rules of Snort

alert icmp any any <> any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)

and run this command

perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/

go to the web interface > configuration > THREAT INTELLIGENCE > Data source > Data source id 1001

In the search input, write the sid of your rule (250888) and you will find your rule.

hamza