New Installer beta: 1.2beta6
Sat, 02 May 2009

I'm happy to announce the availability of the next beta, AV Installer beta6 (md5: 21204ecf2949a1d9ac9838b3c694b72d).

Again, thanks a ton to everybody testing the betas and reporting bugs and improvements; with your help this is already the best release ever published for OSSIM.

The betatesting process is reaching the point where we're going to freeze code and just fix bugs. OpenVAS is now fully integrated and running like a charm, the compliance framework runs out of the box for ISO27001 (install beta6, "apt-get install ossim-compliance" and go to reports -> reporting server), many new directives have been added and old ones fixed. A quick warning: OpenVAS takes ages to start the first time; if it looks like it hangs during init don't worry, after maybe 5 or 10 minutes it will get through.

Next steps will be to ensure everything is working, get a new dashboard for PCI and ISO2700[12] compliance, integrate the SEM part (without signing) into the public server, put the new policy interface in place and double check the distributed architecture scripts. After this: release the final version, throw a party and take a couple of weeks off ;-)

I hope you enjoy this beta.

posted at: 09:29 | path: /ossim | permanent link to this entry | 7 comments |



Here comes another beta, beta #5
Fri, 03 Apr 2009

Just uploaded a new AlienVault OSSIM installer beta, Beta 5. As always, thanks a ton to everybody helping out on testing. Besides Anton, Greg, Kristian and Stephan there are many others helping, both on forums or anonymously (found some old friend's domain names in the apache log for update checks, greets to Turkiye and France ;-))

As to the actual release:
Jasperserver got updated to 3.5 (Gantt charts, finally), many bugs have been fixed, there are some new directives, new snort packages, new misc tools and much more. Sensor and server profiles have been updated too, as well as the monit scripts and the database.

I expect three more betas, which would mean around three more testing weeks. There are some key features that still need thorough testing:

- Distributed deployment.
- Jasper tuning and sample reports.
- New policy interface (beta6).

There are two factors which we can't control but which would make this release perfect:

- Lenny OpenVAS packages.
- MySQL 5.1 making it into lenny stable.

I've already done some testing with partitions in the new mysql and the results are astonishing. Arcsight here we come :P

If you want, bug Norbert Tretkowski and the guys at OpenVAS to hurry up. (Just kidding, they're all doing a great job :-))

Just a last notice: next week there will be a slowdown on updates/fixes, it's holidays around here and I'm taking a couple of days off with my lovely girlfriend. We'll be heading to the beach, so while she enjoys the sun I'll be able to code towards this next release :D.

posted at: 19:02 | path: /ossim | permanent link to this entry | 2 comments |



Teaser screenshots on beta4 + SEM + future
Fri, 27 Mar 2009

After the short break from doing useful things, here is a quick teaser of how the SEM looks inside today's beta4 (will be uploading this afternoon and posting the link tomorrow). Enjoy :-)

SEM with the new interface

Next, (not included yet in beta4) the new policy:

Policy with the new interface

Finally, (not included yet in beta4) the new host group configuration:

Host Group Configuration with the new interface

posted at: 09:37 | path: /ossim | permanent link to this entry | 2 comments |



Installer 1.2 beta3 available
Thu, 19 Mar 2009

And another quick post. New beta is out, thanks a ton to everybody reporting bugs. This time there aren't big changes, but a ton of small glitches have been fixed. Grab it here (approx. 550MB). As last time, updates will focus on a beta3 base, although they should work fine with the others too.

posted at: 08:45 | path: /ossim | permanent link to this entry | 0 comments |



Installer 1.2 beta2 available
Sat, 07 Mar 2009

Just a quick notice about beta2 being out. Tons of bugs have been fixed these weeks, cheers to everybody helping. Updates for the upcoming week should apply to both but will be focused on beta2 (approx. 550MB).

Among the fixes, there are:

  • Forensics panel visual and functionality fixes. Click here for a teaser.
  • New auto-update notification. When enabled, the system checks for rule/directive/plugin or code updates once a day, presenting a visual notification to the user about the update and its contents.
  • Snort should work fine now. Included some custom AlienVault rules for directives.
  • About 20 new high-quality correlation directives detecting real world threats.
  • Plugin .cfg and .sql fixes.
  • Ossim configuration menu fixes (issue ossim-setup from commandline in order to check it out).
  • Many bugfixes.

posted at: 08:28 | path: /ossim | permanent link to this entry | 3 comments |



Upcoming Installer testing version
Sat, 28 Feb 2009

I'm proud to announce the availability of the first public testing release of the upcoming installer. We're in the final stages of testing now, and though there are still known issues it's time to get community feedback on it. Many many thanks to anybody willing to help test this iso. Please keep in mind that it's a testing version, not intended for production. We can't even ensure that at the end of the testing period there will be a seamless upgrade into the stable distribution ;-)

First a quick note on versioning. The new installer will have two versions, one for each architecture:

  • Installer 1.2: amd64 (that is, most of the 64bit capable processors out there, including Xeons).
  • Installer 1.1: i386 (old 32bit).

Our intention, right now, is to maintain the 1.1 as long as needed and focus on the 1.2 (64bit). Functionality will be exactly the same on both if it doesn't involve too much work (we've got limited resources; Jasper/Tomcat integration for example will be limited to 1.2), but our development platform is entirely 64bit based for performance reasons, so there might be a slight delay.
We're not excluding anyone though, we're going to maintain updates for 32bit while there is a large enough user base on it, and 32bit users can test the 64bit version on vmware without problems.

The installer testing version can be found at http://data.alienvault.com/ossim-installer_1.2.beta1.iso. Next I'll list how to install it (along with update guidelines), the known issues right now (and how to report new ones) and a short list of some of the stuff included in this release.


Download it

Highlighting the download: http://data.alienvault.com/ossim-installer_1.2.beta1.iso.


Installing it

Grab the iso, install it. After installation, in order to get a clean testing and updating environment (we're working on solving this right now) issue:

    apt-get remove ossim-cd-setup

This will erase the monstrous package we used before, leaving the files though (since they're uncompressed from within a .tgz). More on this later.
After this:

    apt-get update; apt-get upgrade

You might get an innocuous gpg error; I'm working on getting the packages gpg signed, thanks Jonathan for the script when it arrives :-))


Bugtracking/reporting

We set up a specific forum for this. Please post any discovered bugs in there, and please check the rest of the 1.2 forum in case somebody might have reported the issue before.
Before reporting a bug please issue an "apt-get update; apt-get upgrade", your bug might have been fixed already.


Known issues

There are several issues that I'm aware of right now, which I'm working on:

  • Jasperserver password change might break jasperserver.
  • SEM doesn't work out of the box (haven't committed the code to the cvs yet).
  • /home/ossim/dist/ doesn't get cleaned up.
  • Creating new tabs breaks existing tabs at the executive panel.
  • Memory issues (adding tomcat to the mix didn't help the already large memory requirements).
  • Passwords don't get changed / adapted for everything.
  • The reconfig bug when passwords contain &, ', ; or " is still present.
  • Repository is missing gpg signatures.
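The reconfig issue with &, ', ; and " in passwords is the usual symptom of a value being written into a shell-sourced config file without quoting. As an added example (not the installer's own code), here is a small POSIX sh helper that flags passwords containing those characters and quotes them so that sourcing the file reproduces the value exactly; DB_PASS and the temp file are constructed placeholders, not OSSIM's real config keys.

```shell
#!/bin/sh
# Added example, not code from the OSSIM installer: the reconfig bug above is
# the classic failure of writing a password into a shell-sourced config file
# without quoting. Below: a check for the characters the post lists, a quoting
# helper that round-trips any value, and a write/read pair to prove it.
# DB_PASS and the file name are constructed placeholders, not OSSIM's own.

# Return 0 if the value contains a character that breaks an unquoted
# assignment: & ' ; " from the post, plus backslash and space (my addition).
needs_quoting() {
    case "$1" in
        *'&'*|*"'"*|*';'*|*'"'*|*'\'*|*' '*) return 0 ;;
    esac
    return 1
}

# Single-quote a value for the shell: every ' becomes '\'' so that sourcing
# the line reassembles the original bytes; nothing else needs escaping.
sq_quote() {
    s=$1; out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}            # peel off the first character
        if [ "$c" = "'" ]; then out="$out'\\''"; else out="$out$c"; fi
    done
    printf "'%s'" "$out"
}

# Write the config line with the password safely quoted ($1 file, $2 value).
write_config() {
    printf 'DB_PASS=%s\n' "$(sq_quote "$2")" > "$1"
}

# Read it back the way a reconfig script would: by sourcing the file ($1).
read_config() {
    DB_PASS=
    . "$1"
    printf '%s' "$DB_PASS"
}

# Demo with a constructed password containing every character the post names.
demo_pw='s3cr&t;pa'"'"'ss"w\d'
tmp=$(mktemp)
write_config "$tmp" "$demo_pw"
if [ "$(read_config "$tmp")" = "$demo_pw" ]; then
    printf 'round-trip ok, stored as: %s\n' "$(sq_quote "$demo_pw")"
else
    printf 'round-trip FAILED\n'
fi
rm -f "$tmp"
```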


Feature highlight

There are many things to be proud of in this new release, just to name a few (all of them will be provided before the final release via updates):

1. Completely new forensics console. Based on ACID and BASE, we decided to incorporate the code into our own cvs; we just have too many specific needs and need to cover them. Check out the following screenshots:
2. Disk based event storage (a.k.a. SEM) (will be updating a screenshot asap)
3. Interactive risk maps (you've seen them before)
4. Reporting plugins using JasperServer. This will be a major breakthrough, allowing for easy-to-share reporting plugins, scheduled reports, auto-emailing of reports and much more.
5. Shellcode interpretation plugin for forensics.
6. OSSEC 2.0
7. Many new plugins.
8. Updated directives, cross correlation and inventory correlation tables.
9. Complete debian package based update/upgrade mechanism, including offline updates. No more custom ossim-updates.
10. Many more...

We want this release to be as good as possible, and your feedback is crucial for that. Please download it, throw it into a VM, make your evil tests and report back on the forum thread mentioned above.

Enjoy.

posted at: 16:41 | path: /ossim | permanent link to this entry | 0 comments |



1.0.4 Installer / updater coming :-)
Fri, 15 Feb 2008

We're proud to announce the soon-to-be-available 1.0.4 installer (versioning wise it could be 1.1 or even higher because of all of the changes but, well, we called it 1.0.4), both as a standalone ISO image as well as the updater.

We've been working very hard the past months on this; the updater has been a nightmare. It's much easier to make an installer than an updater...

For those wanting to try it out, just download update.pl and run it on a 1.0 - 1.0.3 installed image (it should work with the images we've released in between on the forums too). Be warned though, we're still in the final testing phases and there might be some issues in there; any sort of testing will be more than welcome.

Basically the installer will back up all the databases and /etc/*, /usr/share/ossim*, install new packages (ossim 0.9.9), new deps (ossec, munin, fprobe) and tune some other things.
Anyway, as said, there are backups and it shouldn't be too hard to get it back working if something fails.

A few hints if you're going to try it out:

  • Default values for most of the questions are fine. If unsure just press enter.
  • "auto" is the recommended way to go for new users, "expert" allows for a more fine grained setup.
  • We experienced occasional hangs at the munin plugin setup step. Had to kill the following process on another terminal in order to continue with the installation process
  • After everything has been installed you have to log in and upgrade the web part, it should work like a charm :-)
  • Right now it requires internet access; we'll publish an offline updater too of course

Check a sample installer output if you're curious.


Get the 1.0.4 (beta) updater here.


Here is a more detailed list of the most important changes:

New software:

  • Included OSSEC (http://www.ossec.net/)
  • Included Munin for sensor monitoring (http://munin.projects.linpro.no/)
  • Included FProbe for high traffic environments (http://fprobe.sourceforge.net/)
  • OSSIM core upgrade
  • Included and updated bleeding snort rules

New features:
  • Intrushield plugin
  • Ntop connections are now rewritten through the server, no need to open port 3000 to them anymore.
  • Partitioning switched to manual on installation
  • Database optimization code included
  • Added some database indexes for query speedup
  • Updater support
  • Experimental agent event consolidation
  • Agent event statistics

Updated features:
  • Updated realsecure/proventia plugin
  • Updated FW1 plugin
  • Updated IIS plugin
  • Database types optimized
  • Updated pam_unix rules
  • Updated ssh rules
  • Updated cross correlation information

Bugfixes
  • Localization now working
  • Fixed some server issues

posted at: 20:52 | path: /ossim/installer | permanent link to this entry | 1 comments |



Tutorial 3: First recommended steps after installation
Fri, 07 Dec 2007

This tutorial tries to show the first common steps you could perform if you're new to ossim and have just finished the installation, without knowing what to do next.
The tutorial will cover:

  • Policies
  • Initial Inventory
  • Scans
  • Scheduled scans
  • What to do next

Many topics we'll cover in this tutorial can be explored further by checking the documentation wiki.



posted at: 16:53 | path: /ossim/tutorials | permanent link to this entry | 10 comments |



Tutorial 1: Host Inventory using OSSIM
Sun, 25 Nov 2007

This post will be the first of a series of tutorials describing how to accomplish certain useful things using OSSIM. A friendly IT teacher from Oklahoma suggested that it would be a good idea, and I have to agree. And on top, it's relaxing :-).

So here we go, this first installment will focus on deploying OCS Inventory on a couple of hosts, getting them to log to the central ossim server and seeing how it shows up in our interface. This will demonstrate the powerful cross-platform inventory capabilities built into ossim thanks to the new OCS integration.

The test environment consists of 6 devices:

  • Apple 10.5 Leopard
  • Debian 4.0 Linux inside Parallels
  • iPhone (Mac OS X)
  • OpenBSD 4.x
  • Windows XP inside Parallels
  • Yellow Dog Linux running on a PS3


posted at: 11:26 | path: /ossim/tutorials | permanent link to this entry | 12 comments |



Installer updates.
Sat, 24 Nov 2007

Let's get a first meaningful update running too.

We have been working hard these last weeks to get the installer out and polish some outstanding issues. After the initial releases, our priorities are now focused on:

  • Getting an updater done (will be included with 1.0.4)
  • Fixing some remaining issues (two persons have reported hangs at specific OS installation stages)
  • Allowing for easy installation of specific graph plugins depending on the scenario (ISO, Inventory, Nessus, etc...)

This last point has been evolving a lot and adding new custom graphs to the panel is as easy as ever. Check the screens below (once I've got them uploaded :-) ).

In the meantime, we preinstalled OSSEC (thanks Daniel for your help), fixed the Nagios plugin, fixed rrd_plugin which was missing a config line and added Munin to the sensor pages for performance monitoring.

posted at: 21:21 | path: /ossim/installer | permanent link to this entry | 5 comments |



Dominique Karg
Made with PyBlosxom