The story starts as following. A couple of years ago Dr. Anton Chuvakin (for those who might not know him a well renowned security professional and speaker) made a prediction for 2006: that a Credible Open-Source SIM would not arrive.

A year later he said this goal hasn't been reached (as predicted). I remember being quite pissed off and upset at that time, but his point was right. Development had been slow, we didn't have resources and everything was a bit stalled. But that has changed and AlienVault is about two years old now, we made a huge step forward and I think OSSIM is nowadays more than S/MB as well as Enteprise ready. (And sadly our resources are still very limited compared of those which Arcsight, Symantec or others might have).

Yesterday I followed a couple of quick twitter exchanges where I'd like to quote the most significant ones:

• I agree but S/M of SMB probably won't have the capabilities to run something like OSSIM and it's not robust enough for Ent.
• @anton_chuvakin mind you, I simply asked if OSSIM had the potential, not that it was there yet... as always, I wonder, isn't there a better way?
• @falconsview Re: opn src #SIEM Well, show me a sizable deployment (and not one hand-built by its creators) and I will believe you.
• @anton_chuvakin Will you change your mind about opensource SIEM if I get you access to a sizable deployment not created by it's authors ? :P
• @dkarg Re: open src #SIEM Yes, I probably will.

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

1. OSSIM is not a SIEM.
2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise

So what do I need? I for myself have received news/feedback of pretty big OSSIM installations and have had my hands on another bunch of them. Ranging from 100 person Real Estate companies to >40000pc governmnet environments with distributed deployments and thousands of events per second (this last one using the COSS version of course). But, the point as mentioned by Anton is that we don't have our hands in it, the testimonial has to come from someone who's got a deployment running not managed by us. Both S/MB as well as large enterprise deployments are valid since there are two points to prove. I'd really like to hear from a large company which is supposedly using Splunk+OSSIM, can't say the name but that would be a good example :-).

So, if any of you reading this is in that situation please let Mr. Chuvakin and Mr. Hay know about it so they hopefully can change their minds on the subject. There's contact information on their respective homepages. Otherwise I'll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, "there's no spoon").

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday, thanks everybody for assisting and apologies for the, well, mishappenings. I got quite nervous, next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

I got talked into speaking at a webinar next week (well, we've got another one this week but it's already crowded so I'm only posting next weeks link. And since this week's is my first webinar ever the second one should be better anyway), namely about Open Source Information Security: Reduce Costs while Improving Security Profile & Compliance. That's it, nice and short name as I like and love them.

I don't know how it work out, guess it shouldn't be very boring and registration is free so if you want to join in you're more than welcome. Additionally you get something called CPE credits for attending (sounds like experience points ;-)).
Here is an excerpt from the description:

A friend of mine is preparing a speech at a security conference this summer around OSSIM. He asked if I could get some feedback, case-studies or anything that could backup and enrichen his speech, this is what this post is for :-).

So please, should you have anything (wether it's good or bad, happy or sad) to say around OSSIM (or should you know about anybody how does) which you would like to share write to feedback@ (created the alias so I wouldn't miss anything, feedback is very important to us).

Anything from "I use OSSIM" to complete papers is welcome, tho in order to avoid confusions I'd please ask to include these couple of lines at the beginning of the mail:

Name (leave empty for anonymous):
Company (leave empty for anonymous or substitute for "english university" or "canadian oil platform" or similar):
Is it ok to tell/foward this?: yes/no (if the answer is 'no' then no one but me will know about this :P)
Is it ok to publish this on ossim.net/alienvault.com?: yes/no

Here again for copy & paste:

Name:
Company:
Ok to tell/forward?:
Ok to publish on ossim.net/alienvault.com?:

I'm happy to announce the availability of the next beta, AV Installer beta6. (md5: 21204ecf2949a1d9ac9838b3c694b72d.

Again, thanks a ton to everybody testing the betas and reporting bugs / improvements, with your help this is already the best release that's been published ever for OSSIM.

The betatesting process is reaching the point where we're going to freeze code and just fix bugs. OpenVAS is now fully integrated and running like a charm, the compliance framework runs out of te box for ISO27001 (install beta6, "apt-get install ossim-compliance" and go to reports->reporting server), many new directives have been added and old ones fixed. A quick warning: OpenVAS takes ages to start the first time, if it looks like it hangs during init don't worry, after maybe 5 or 10 minutes it will get through.

Next steps will be to ensure everything is working, get a new dashboard for PCI and ISO2700[12] compliance, integrate the SEM part (without signing) into the public server, put the new policy interface in place and double check distributed architecture scripts. After this release the final version, throw a party and get a couple of weeks off ;-)

I hope you enjoy this beta.

I wanted to share this news entry with everybody visiting this site. This has very little to do with OSSIM or AlienVault and of course this is my own opinion, not necessarily shared by them.

A week ago I had read a sad sentence convicting those who're running the Pirate Bay torrent tracking site. Now I'm pleased to see that not everybody has sold their soul to what's "supposed to be politcally correct": Telenor, the norwegian ISP hosting the pirate bay have told the copyright lawyers to shove their demands where Long John Silver couldn't see 'em even with his good eye and a very long spyglass.

My sincere admiration (both to TPB admins and Telenor), I'm pre-ordering my support t-shirt right now :-)

More information here.

Just uploaded a new AlienVault OSSIM installer beta, Beta 5. As always, thanks a ton to everybody helping out on testing. Besides Anton, Greg, Kristian and Stephan there are many others helping, both on forums or anonymously (found some old friend's domain names in the apache log for update checks, greets to Turkiye and France ;-))

As to the actual release:
Jasperserver got updated to 3.5 (Gannt charts, finally), many bugs have been fixed, some new directives, new snort packages, new misc tools and many more. Sensor and server profiles have been updated too, as well as monit scripts and database.

I expect three more betas, which would mean around three more testing weeks. There are some key features that still need some throughout testing:

- Distributed deployment.
- Jasper tuning and sample reports.
- New policy interface (beta6).

There are two factors which we can't control but which would make this release perfect:

- Lenny OpenVAS packages.
- MySQL 5.1 making it into lenny stable.

I've already done some testing with partitions in the new mysql and the results are astonishing. Arcsight here we come :P

If you want bug Norbert Tretkowski and the guys at OpenVAS to hurry up. (Just kidding, they're all doing a great job :-))

Just a last notice: next week there will be a slowdown on updates/fixes, it's holidays around here and I'm taking a couple of days off with my lovely girlfriend. We'll be heading to the beach so while she enjoys the sun I'll be able to code towards this next relelase :D.

I just became a proud Certified ASS, that is, Certified Application Security Specialist (don't think wrong). Just check the official badge on the right :-)

To all those collecting CISAs, CISSPs, CISMs and so on, I whole-heartedly encourage you to also become an ASS. Become an ASS today, quoting the foundation's site:

• 1. No need to study - Candidates use our exclusive certification process to prove their Stated History of Individual Training via self-validation, which reflects their real-world experiences.
• 2. No need to take exams - After self validation, candidates agree to the Oath of Office and Code of Ethics. This process ensures only the most experienced ASS achieve certified status, without the need for a test.
• 3. Lowest Cost - There is no cost to become a Certified ASS! While many candidates have long been considered ASS's, they can now validate that claim with true certification at no cost.
• 4. Reflects the real world of security - By eliminating costly training programs and standardized tests, the Institute created a process that matches the standard management, processes for enterprise application security, and consistent with today's industry best-practices.

• 1. No need to pay for costly employee training.
• 2. Be assured that you only employ the highest quality ASS's.
• 3. Guarantee compliance with all regulations and industry standards.

After the short break in doing useful things here a quick teaser on how the sem looks inside today's beta4 (will be uploading this afternoon and post the link tomorrow). Enjoy :-)

(Click to enlarge)

(Click to enlarge)

(Click to enlarge)

I just wanted to share a quick mail we've received tonight at AlienVault. I'm hiding the user's identity until he grants me permission to disclose it, which I doubt he'll do btw.

The mail did read as following:

Subject: Port scan from you guys to my server from 207.158.15.208. Cease and desist.

I installed your ossim product and now you are port scanning my servers?

You are scanning [insert FQDN here] servers right now and I am picking
it up on my IDS coming from 207.158.15.208.

Can you explain why you would be doing this?

You had better have a good explanation or I guarantee your company
will be written up in all the security publications I write in and I
will recommend that nobody ever use your product.

Amazing, ain't? No previous contact, no double checking, nothing, just going ahead, threatening, menacing and being bold.

Hello Hugo,

have you ever heard about kindness going a long way? Well, it usually works.

If you had kindly requested information about this, either on the
forums (where hundreds of happy users would've been eager to answer
you), on the irc, even on this contact address, I'd have answered with
a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an
automatic, free, nessus plugin feed which gets checked on a daily
basis. Due to the huge amount of users we've got we noticed rsync
starting to duplicate itself, launching multiple instances which in
turn get denied, provoking some sort of false positives". I even
would've offered you help on sorting it out if that weren't the cause,
which I'm pretty sure is.

But... here you come, threatening, menacing with bad manners. So the answer is.

Hugo, I encourage you to post the above mail to all the security
publications you write in. I'm sure your mail has the possibility to
become one of those long lasting laughers which will be used as
openings in security conferences all over the world for the next few
years.
Not enough with this, I offer you to also publish it on the ossim
forums. I for sure will post it on my blog (no worries, unless you
grant me permission to do so I'll hide your name and mail) for other
fellow users to comment on it.

 And, on top, I offer you a free refund for OSSIM. Oh, wait, you
haven't paid a single cent for it...

So please, just deinstall OSSIM right now, that will solve both our
problems or I guarantee your name will be written up in all the
security publications I write in and I will recommend that nobody ever
lets you use their product. I'd feel bad coding OSSIM and knowing that
you would benefit from it.

With kind regards,

Dominique Karg

PS: Any views or opinions presented in this email are solely those of
the author, that is, me and do not represent those of the company

Things like these keep opensource developers motivated. *sigh*

Update 2009/03/27: the story goes on.

Just wanted to write that we're back up. Have had the host hosting ossim and alienvault down for some hours, it seems like there's been a short power outage on the provider side, and then the pf firewall on the openbsd host went back in some sort of "block everything" mode. Adding to that apache didn't start with ssl enabled and good bunch of the mysql tables had crashed too. Aaah, and it's supposed to be holiday here today ;-).

Good luck to Mike and the people at m5hosting getting everything back up and running.

Update 20090320: Everything seems fine now and I must say I'm very pleased with how they did handle all of thhis at m5. I wanted to post this diagram reflecting the power infrastructure at the provider for those curious, I for myself have never had a second thought about how actually a large datacenter could look at power level. The post-outage report also makes for some interesting read.