2010/07/20 - AlienVault is proud to announce the immediate availability of the AlienVault Open Source and Professional SIEM version 2.3.

release

Among the enhancements delivered with version 2.3 is the ability to create customized views in the SIEM analyzer. The policy engine has been rebuilt to provide even greater ease of use and the remote distributed scanning has been improved. As well, database upgrades are now done automatically without any need of user management. The Report Wizard in the Professional SIEM version provides greatly improved reporting capabilities with more than 1,800 new canned reports and dramatically simplified custom report generation.

For more detailed information about the enhancements to the AlienVault SIEM family, please follow the link below to view content created to illustrate these new capabilities available in version 2.3:
Online Presentation: What's New in OSSIM 2.3?
For new systems, please check out the new installer.

You can upgrade your system as usual in order to get it from 2.2 to 2.3. You may be required to install patches during your upgrade; please read these release notes carefully. The upgrade is straightforward but there are a couple of important things to be aware of, as described in the release notes.

Keep in mind, you will need to perform an apt-get update && apt-get dist-upgrade even after a fresh install.


2010/03/11 - Some new features and security vulnerabilities fixed: Alienvault Open source SIEM 2.2.1 released, please upgrade.

release

We announce the immediate availability of the AlienVault Open Source SIEM version 2.2.1.

There are some new fixes and improvements, as well as some vulnerabilities fixed. Please check the 2.2.1 release notes.

Nahuel Grisolia at Cybsec Security Systems has discovered a series of security vulnerabilities affecting OSSIM up to the 2.2 release.

Please, remember to upgrade your installation with:

apt-get update
apt-get dist-upgrade

Check out the Advisories for more details.


2010/02/20 - Alienvault Open Source SIEM 2.2 released.

release

We're proud to announce the immediate availability of the AlienVault Open Source SIEM version 2.2. This release is another important milestone for OSSIM, as it consolidates it as a real alternative to the best-of-breed commercial SIEM systems on the market.
The professional version features a major overhaul on the multi-customer, multi-user functionality offering true multitenancy and faster collection and correlation speeds than ever before, both for SIEM and logging functionality.

There are too many new features, changes and improvements to mention them here, so we decided to create some extra content in order to explain them:

Video: What's New in OSSIM 2.2?

Online Presentation: What's New in OSSIM 2.2?

You can upgrade your system as usual in order to get it from 2.1.5 to 2.2. For new systems, please check out the completely rewritten installer:

  • More user-friendly than ever.
  • True multi-profile: install only what you want.
  • Automatic component configuration for distributed environments.
  • Much more...

Note: the 2.2 installer requires internet connectivity as of now, in order to download some fonts required for reporting which we can't redistribute within the installer. Installation is possible without internet connectivity for all profiles that don't require the "Framework" profile. The Framework profile can be installed without internet connectivity, but reports will break. In order to fix them an "apt-get install msttcorefonts" will be required.

If you're upgrading, please read these release notes carefully. Upgrade is straightforward but there are a couple of important things to be aware of.

And remember, make sure to apt-get update && apt-get dist-upgrade even after a fresh install; there are some things that didn't make it into this release which we'll be releasing shortly after it, during the next weeks:

  • OpenVAS 3.0
  • New snort references
  • Snort 3.0
  • Suricata
  • Additional reports

Last but not least, if you want to have a live demo come join us at booth #553 at the RSA 2010 in SF.


2010/02/09 - What's New in OSSIM 2.2?

info

New features and enhancements that will be included in the next release. OSSIM 2.2 will become available for download within the next two weeks.


Video: What's New in OSSIM 2.2?

Online Presentation: What's New in OSSIM 2.2?

We are also proud to announce our new Youtube Channel: AlienVault TV. We will be uploading videos during the next months, so stay tuned!


2010/02/04 - AlienVault at ShmooCon and Linux Journal

info

AlienVault is proud to announce its presence at the Shmoocon (ShmooLabs) 2010 starting tomorrow in Washington DC. We've sent one of our appliances that way along with our VP of Sales and Marketing, who'll be hanging around and having some fun while we finish off the last bits of the upcoming release. You'll identify him by his blue corporate shirt with the AVT logo :-). He'll be showing off a pre-release of our upcoming 2.2 version, so don't hesitate to bug him with your questions if you see him around.

On the other hand, AlienVault's Open Source SIEM has been featured in the March 2010 issue of Linux Journal with a very detailed article spanning 6 pages. You can get the article here; thanks a ton to the folks at Linux Journal for granting us the redistribution rights. Kudos to Jeramiah for the great article.


2010/01/14 - OSSIM included in the SANS G20 Security Controls automation tool list

info

The SANS institute periodically publishes a list of tools which automate part or all of the "CAG 20 Critical Security Controls".

AlienVault's OSSIM has been pointed out by the users as helping in the automation of part 6, "Maintenance, Monitoring, and Analysis of Security Audit Logs", along with Splunk, Arcsight, Intellitactics and Trusted Computer Solutions.

Thanks to all of you who're using OSSIM and voted it into such a prominent list :-)


2009/12/16 - Security vulnerabilities found, upgrade your AV Open Source SIEM today.

release

Nahuel Grisolia at Cybsec Security Systems has discovered a series of security vulnerabilities affecting OSSIM up to the 2.1.5-3 release. Check out the Advisories for more details. Basically three types of bugs have been spotted:

  • SQL Injections (previous login to the platform required)
  • Arbitrary file upload
  • Remote code execution

If you've upgraded to 2.1.5-4 you've got the updates already; if not, please update asap.

We'd like to thank Cybsec for the manner in which this joint disclosure has been approached; it's always nice to be contacted before public disclosure.


2009/11/11 - Upcoming webinar

info

Next week we'll be joining on a webinar entitled "Open Source Security Information Management: How to Reduce Costs, enhance Security and improve Compliance". We're doing this together with the folks at NopSec, register link here.

There will be some chat around how to get good security at a lower price and then a live demo of the system. For those already confident and/or using OSSIM this could be the appealing part since we're going to preview a bunch of version 2.2 features:

  • New security scanner interface
  • Host and Network reports
  • System-wide datamining / postcorrelation


2009/09/21 - Security vulnerabilities found, upgrade your AV Open Source SIEM today.

release

Sintsov Alexey at Digital Security Research Group has discovered a series of security vulnerabilities in the OSSIM 2.1 and 2.1.1 releases. Check out the Advisory for more details. Basically three types of bugs have been spotted:

  • SQL Injections (previous login to the platform required)
  • Linked XSS
  • Unauthorized access to information

If you've been upgrading these last days/weeks you've got the updates already; if not, please update asap.

We'd like to thank DSecRG for the manner in which this joint disclosure has been approached; it's always nice to be contacted before public disclosure.


2009/07/09 - A new OSSIM: AlienVault Open Source SIEM version 2.1 released.

release

Thanks to the amazing activity and development effort over the last year, we're proud to announce the immediate availability of the latest version of OSSIM (Download).

Particularly during the last few months a significant effort has been made to raise OSSIM to the level of the best SIEMs available in the market, be they proprietary or open source. It is now up to the rapidly growing community of users, developers and integrators to continue the momentum. What we all now have in our hands is a vast improvement compared to what we had two years ago. It is a completely new tool that provides sophisticated SIEM and SEM functionality on par with any other solution.

Many features have been improved and a number added, from a low level installer through package management, code optimizations and enhancements to packet capture speed, easier integration and configuration, and a completely rebuilt interface with tighter inter-element integration.

The following are just a few of the enhancements included in this release:

  • Completely rewritten policy management.
  • Compliance modules.
  • New interface, enhanced usability.
  • Integrated knowledge database.
  • Added reporting server for custom user-generated reports.
  • Multiple profiles can be configured for distributed systems: sensors, server, database, etc...
  • Fully integrated package system providing frequent usability and security fixes.
  • Nessus -> OpenVAS migration.
  • Amazing packet capture speed improvements using PFRing (64 bit version only).
  • Now using OSSEC 2.x
  • Many more...

After years of patching ACID/BASE and adapting them to our needs we finally made the decision to fork BASE. There are too many changes to detail, but if you try it out you'll see the huge difference in both performance and usability.

As part of this major upgrade process OSSIM has seen its license change from BSD to GPLv2. This move was necessary for both the users and contributors and the development team and the company behind the project. If you're curious about this change you can check out this thread for more information.

During these last two years we've also tried to build a sustainable business model through AlienVault (http://www.alienvault.com). Again, this was necessary for all involved since it has provided the necessary funds to hire additional developers while still maintaining 95% of the code free and open source. The remaining 5% makes up the commercial offering. The solutions have been differentiated as follows:

  1. AlienVault - The Open Source SIEM
  2. AlienVault - Professional SIEM Demo
  3. AlienVault - Professional SIEM

A new website will be launched soon to clarify all of this. What is important is that "The Open Source SIEM" solution is the OSSIM project, which is our main interest, our flagship project, and will remain so. The other two solutions are a limited version of the high-performance server and the full version of the high performance server + MSSP capability/features.

Besides the pro version we're also releasing a security feed (directives, plugins, snort rules, prioritizations, cross correlation tables and many more) and some other stuff. You can check them out at http://www.alienvault.com.

We've also reworked the entire screenshots section. (Here you can see some of the new screens.)

We hope you enjoy the new release!


2009/06/15 - Open Source Security / OSSIM webinar on June 25th

info

We'll be participating in a short webinar (around 1 hour) on the topic mentioned above with the title "Open Source Information Security: Reduce Costs while Improving Security Profile & Compliance". If you're curious you're welcome to register; it's completely free. There will be some talk about open source and economy, after which we'll switch over to describe the OSSIM components and do a brief (15 min) live demo showing the latest improvements and enhancements.


2009/03/31 - April 1st, Conficker day

info

As part of the effort to prevent as much damage as possible coming from the famous Conficker worm, we're releasing this directive made by the AlienVault VRT to the public. Originally it has been part of the subscription, but we feel the need to make it publicly available so that all OSSIM users can detect/protect themselves.

This worm has an extremely random and unpredictable behaviour, so it's very hard to find a pattern for it; we had to rely 100% on the anomaly detection algorithms. This directive looks for hosts communicating with many different hosts via UDP using a fixed source port. That way we can mimic Conficker's P2P behaviour.

You can grab the directive or copy and paste the code below into any of your directive XML files:

<directive id="6017" name="Possible Conficker P2P Communication Behaviour" priority="4">
  <rule type="detector" name="Peer Scanning" reliability="1" occurrence="1"
        from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        plugin_id="1104" plugin_sid="1,3" protocol="UDP">
    <rules>
      <rule type="detector" name="Peer Scanning" reliability="+1" time_out="7" occurrence="10"
            from="1:SRC_IP" to="ANY" port_from="1:SRC_PORT" port_to="ANY"
            plugin_id="1104" plugin_sid="1,3" sticky="true"
            sticky_different="DST_IP" protocol="UDP">
        <rules>
          <rule type="detector" name="Peer Scanning" reliability="+1" time_out="20" occurrence="30"
                from="1:SRC_IP" to="ANY" port_from="1:SRC_PORT" port_to="ANY"
                plugin_id="1104" plugin_sid="1,3" sticky="true"
                sticky_different="DST_IP" protocol="UDP">
            <rules>
              <rule type="detector" name="Peer Scanning" reliability="+2" time_out="100" occurrence="90"
                    from="1:SRC_IP" to="ANY" port_from="1:SRC_PORT" port_to="ANY"
                    plugin_id="1104" plugin_sid="1,3" sticky="true"
                    sticky_different="DST_IP" protocol="UDP">
                <rules>
                  <rule type="detector" name="Peer Scanning" reliability="+3" time_out="3600" occurrence="2000"
                        from="1:SRC_IP" to="ANY" port_from="1:SRC_PORT" port_to="ANY"
                        plugin_id="1104" plugin_sid="1,3" sticky="true"
                        sticky_different="DST_IP" protocol="UDP"/>
                </rules>
              </rule>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
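To show how the escalating thresholds of the directive above behave, here is a small Python re-implementation of its counting logic (an added example, not OSSIM's correlation engine): it tracks each UDP (source IP, source port) pair, counts distinct destination IPs per level as sticky_different="DST_IP" does, and expires the track when a level's time_out passes before its occurrence count is met. The event tuples are constructed sample flows, and the timeout handling is a simplification of how the real server expires directive instances.

```python
from dataclasses import dataclass, field

# Escalation steps copied from the nested rules in the directive:
# (distinct destinations required, seconds allowed, reliability increment)
LEVELS = [(10, 7, 1), (30, 20, 1), (90, 100, 2), (2000, 3600, 3)]
BASE_RELIABILITY = 1  # reliability of the first, single-event rule


@dataclass
class Track:
    level_start: float                      # timestamp when the current level began
    level: int = 0                          # index into LEVELS
    reliability: int = BASE_RELIABILITY
    dsts: set = field(default_factory=set)  # distinct DST_IPs seen at this level
    expired: bool = False                   # level timed out before its count was met


def correlate(events):
    """events: iterable of (ts, proto, src_ip, src_port, dst_ip), sorted by ts.
    Returns {(src_ip, src_port): (reliability, expired)} for every track opened."""
    tracks = {}
    for ts, proto, src_ip, src_port, dst_ip in events:
        if proto != "UDP":                  # protocol="UDP" on every rule
            continue
        key = (src_ip, src_port)            # from="1:SRC_IP" port_from="1:SRC_PORT"
        t = tracks.get(key)
        if t is None:                       # first rule: occurrence="1" opens the track
            tracks[key] = Track(level_start=ts)
            continue
        if t.expired or t.level >= len(LEVELS):
            continue
        need, timeout, bump = LEVELS[t.level]
        if ts - t.level_start > timeout:    # simplified time_out handling
            t.expired = True
            continue
        t.dsts.add(dst_ip)                  # sticky_different="DST_IP": only new peers count
        if len(t.dsts) >= need:             # occurrence reached: climb to the next nested rule
            t.reliability += bump
            t.level += 1
            t.level_start = ts
            t.dsts = set()
    return {k: (t.reliability, t.expired) for k, t in tracks.items()}


def sample_events():
    """Constructed flows (not captured traffic) exercising three behaviours."""
    ev = []
    # Scanner-like host: 11 new peers within 5 s, then 30 more within the next 15 s
    for i in range(11):
        ev.append((0.5 * i, "UDP", "10.0.0.5", 40000, f"192.0.2.{i + 1}"))
    for i in range(30):
        ev.append((5.5 + 0.5 * i, "UDP", "10.0.0.5", 40000, f"198.51.100.{i + 1}"))
    ev.append((1.0, "TCP", "10.0.0.5", 40000, "192.0.2.200"))  # ignored: not UDP
    # Benign resolver client: many packets, but always to the same destination
    for i in range(50):
        ev.append((0.1 * i, "UDP", "10.0.0.9", 53001, "10.0.0.2"))
    # Slow talker: 3 distinct peers spread over 60 s, times out at the first level
    for i in range(3):
        ev.append((30.0 * i, "UDP", "10.0.0.7", 41000, f"203.0.113.{i + 1}"))
    ev.sort(key=lambda e: e[0])
    return ev


if __name__ == "__main__":
    for key, (rel, exp) in correlate(sample_events()).items():
        print(key, "reliability", rel, "expired" if exp else "active")
```

Only the scanner-like pair climbs two levels (reliability 3); the benign client never accumulates distinct destinations, and the slow talker expires because its second peer arrives after the 7-second window of the first nested rule.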


2009/03/13 - Goodbye BSD, welcome GPL

info

Today, the 13th of March 2009 OSSIM has switched licenses from BSD-Style to GPL. We think that this was a necessary move that will benefit the entire OSSIM user base.

For more information please check this topic.


2009/03/10 - Gsoc 2009

info

OSSIM has applied to be accepted into the Google Summer of Code for 2009. Last year we had great projects, it was a very nice experience and we hope we can also have nice results this year. You can find more information in the OSSIM Forums. A list of project ideas can be found at this page. Feel free to suggest your own ideas in the forums.


2009/02/12 - Licensing Update

info

Just a quick update on the licensing feedback we requested. Conclusions can be seen on this post. Expect a more in-depth explanation on the blogs pretty soon.


2009/02/04 - Plugin Galore

info

We're pleased to announce the availability of X new plugins which have been committed during the last hours. Thanks to everybody who contributed, especially to Sylvain and friends at Conix.

The full listing of new plugins can be seen below. Of course these will be included in the upcoming 1.1 release.

  • VMware Workstation
  • OpteNet
  • Nepenthes
  • ISA Server
  • Aladdin
  • Avast
  • Bro-IDS
  • Enterasys Dragon
  • Honeyd
  • McAfee Antivirus
  • Sidewinder
  • SonicWall
  • Trend Micro
  • Cyberguard
  • vsftpd
  • BIND

Some of them are missing tons of sids; as always, sample logs would be more than appreciated.


2009/01/19 - Licensing discussion

info

We'd like to encourage anybody interested in the OSSIM project to join the discussion regarding licensing issues we've opened on the forums.
Any feedback is more than welcome.


2008/09/04 - AlienVault OSSIM Installer 1.0.6

release

We're proud to announce the immediate availability of the AlienVault OSSIM Installer 1.0.6, along with the 1.0.6 updater. This release is a major maintenance release before our upcoming feature release which will be numbered 1.1.

This release features the following improvements, among others:

  • Lots of OS bugfixes
  • Monitor plugins fixes. Session monitor now ported to new agent format
  • Some new packages: lsof, fprobe, iptraf, etc...
  • The new feed for nessus, which will maintain the vulnerability tests up-to-date.
  • Antivirus using clam-av and freshclam for updates.
  • mod-security for better self protection
  • New plugins and enhancement
  • Many more

Feature highlight: nagios integration is better than ever. Scan a network, insert a host, create a host group, enable nagios for it and everything will get inserted into Nagios.

As written before we're preparing a major feature upgrade release, which will include contributed stuff for reporting, a graphical directive editor and all great stuff which the Google Summer of Code 2008 has provided to the project.

With this release we've fixed dependency issues which made it quite dangerous to use apt-get update && apt-get upgrade in order to keep the system updated. That means you can try using it, at your own risk, in order to stay 100% updated all the time.
The recommended way, though, is through the ossim-update system. We're going to release lots of minor revisions after testing that nothing breaks with that; we understand that a 6 month gap between OS upgrades is unacceptable and can lead to serious security risks.

We hope you enjoy this new release.


2008/08/01 - Plugin Feed released

release

Dear community,

AlienVault is proud to announce the immediate availability of an alternative, free, Nessus plugin feed.

We intend to turn this feed into a real community driven effort, and are already in talks with various organizations as well as developers and companies. We'd really like to thank the Telefonica Vulnerability Research Team for having been the first ones to step in and help on the subject.

The initial version of this feed will feature continuous updates of security checks for various Linux operating systems, Windows (both generic as well as ActiveX) checks and remote vulnerability plugins. During the next weeks we'll include more operating systems (Solaris, Mac OS X and *BSD should be next), a complete rewrite of the Windows SMB and registry access libraries and much more.

Finally, there are some outstanding issues when using Nessus 3 for scanning. Since we don't have access to the source code they're harder to debug.

For more information please check the AV Free Feed For Nessus. Any type of feedback is more than welcome.

The AlienVault Team


2008/07/29 - Scheduled Maintenance

info

In relation with the upcoming feed release we're going to take the server hosting ossim.net and others down tomorrow starting around 10:00 AM UTC. Sorry for the inconvenience this may cause to anybody.


2008/06/13 - OSSIM announces the continuation of a Free Feed For Nessus

info

After the recent change of licensing terms with nessus feed we've decided to continue with a Free Feed For Nessus. Read more here.

More info to come during the following days/weeks, we've thought a lot about this and really think this could benefit a wider community.
As a side note we're already talking with individuals/organizations willing to join on this. If you're interested in the effort please drop us a line.


2008/05/06 - GSoC Update

release

Almost forgot to post this. As written before, OSSIM has been assigned 6 student slots by google.
The following projects are planned for this summer:

And no, although there are some curious surname coincidences, they're not cousins ;-).


2008/04/10 - AV Installer 1.0.5p1 update

release

Just a quick note to inform you that we've released a small update. This update fixes the stream preprocessor on the installed snort version, solving an issue where snort would eat up 100% of CPU and die after a couple of minutes. Also, we've linked the update script into /usr/sbin, so after this update it can be run as "ossim-update".


2008/03/25 - Summer of code 2008

info

We're proud to announce that Google will be sponsoring development for OSSIM (among many other projects) during its Summer of Code program. Have a look at our ideas page for more information, as well as at the GSoC page.

Update 2008/03/26: Please be aware that application deadline for students is 2008/03/31!

Here is a post Jake from OSVDB made yesterday on bugtraq which sums it up quite well.


Just a quick heads up in case you have been hiding under a rock..... 
Google's Summer of Code 2008 is officially on.

Full details at http://code.google.com/soc/2008/

Google will begin accepting student applications on Monday, March 24, 2008! 
Please help spread the word and encourage all eligible students to apply for 
one of the security related projects!

OSVDB: The Open Source Vulnerability Database:
http://osvdb.org/blog/?p=231

OSSIM: Open Source Security Information Management:
http://www.ossim.net/dokuwiki/doku.php?id=ideas

Nmap Security Scanner:
http://nmap.org/GoogleGrants.html

The Electronic Frontier Foundation/Tor Project:
https://www.torproject.org/volunteer.html.en#Projects

SoC Timeline:
http://code.google.com/opensource/gsoc/2008/faqs.html#0.1_timeline


2008/03/11 - 1.0.5 update: Important Fixes

release

We just released an updater package for the OSSIM Installer. A couple of major issues slipped into 1.0.4, a release which we couldn't test enough prior to public release due to the security fixes it contained.

The errors involve snort and ossec logging / parsing. Both of them are broken in 1.0.4 for various reasons (the 1.0.4 snortunified plugin not matching the snort unified output filename, and the agent not sending multi-line log lines correctly).

For 1.0.3 users, please download the standalone updater file from the AlienVault Download section. 1.0.4 users should be able to just run the /home/ossim/dist/ossim-update.pl command and get their system updated.

No ISO will be released for 1.0.5 since the changes are actually minimal, so for new users please install 1.0.4 and run /home/ossim/dist/ossim-update.pl after installation in order to get a working 1.0.5.

Enjoy!



Copyright AlienVault ©2010. All rights reserved.