Channel: Stu Jordan » SIEM

OSSIM directive taxonomy settings do not update / save


When you try to edit the Taxonomy settings for a user-generated directive in OSSIM, the changes do not save. Instead, the web page refreshes and shows the old settings.

This happened for me when I upgraded to 4.3.4.

To fix this, you can clear out the taxonomy values in the alarm_taxonomy table and then re-enter them using the web GUI. The problem seems to be that OSSIM adds a second entry to the table rather than updating the existing one.

1. SSH to the OSSIM box holding the MySQL database
2. Back up your database before editing the tables
3. Then type

ossim-db
select * from alarm_taxonomy WHERE sid like '5000%';

This should list the taxonomy for your generated directives (since they’re all in the 50000 range). For the exact sids, check the /etc/ossim/server/<GUID>/user.xml file.

Now to clear the problem directive that won’t update (for example sid number 500010)

delete from alarm_taxonomy WHERE sid='500010';

Now open the web interface; the taxonomy for that directive should have cleared. Edit it, set it correctly, and restart the ossim-server by clicking on the button at the top.

Your taxonomy settings should have updated OK.
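The same cleanup as one ossim-db session, as an added example that is not from the original post: it checks the duplicate-row theory first, keeps a copy of the affected rows, then deletes them. It uses only the table, the sid column and the values named above; the scratch table name alarm_taxonomy_bak is an assumption, and this row-level copy is in addition to the full database backup in step 2.

```sql
-- Run at the ossim-db prompt. Added example, not part of the original post.

-- 1. Test the theory that OSSIM inserted a second row instead of updating:
--    list user-directive sids that have more than one taxonomy row.
SELECT sid, COUNT(*) AS row_count
FROM alarm_taxonomy
WHERE sid LIKE '5000%'
GROUP BY sid
HAVING COUNT(*) > 1;

-- 2. Look at the rows for the stuck directive before touching them
--    (500010 is the example sid from the post; substitute your own).
SELECT * FROM alarm_taxonomy WHERE sid = '500010';

-- 3. Keep a copy of exactly the rows about to be removed.
--    alarm_taxonomy_bak is a hypothetical scratch table name.
CREATE TABLE alarm_taxonomy_bak AS
SELECT * FROM alarm_taxonomy WHERE sid = '500010';

-- 4. Remove every row for that sid, duplicates included.
DELETE FROM alarm_taxonomy WHERE sid = '500010';

-- 5. Check what is left for that sid before re-entering the taxonomy
--    in the web interface.
SELECT COUNT(*) AS remaining FROM alarm_taxonomy WHERE sid = '500010';

-- Restore path if the web interface misbehaves after the delete:
--   INSERT INTO alarm_taxonomy SELECT * FROM alarm_taxonomy_bak;
-- Clean up once the directive saves correctly:
--   DROP TABLE alarm_taxonomy_bak;
```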


Filed under: Alienvault OSSIM, SIEM Tagged: alienvault, OSSIM
