Cheers to our guys at Campus Party Colombia :-)
Wed, 02 Jul 2008

I'm writing these lines to cheer on my co-worker (@AlienVault) Santiago "Santi" Gonzalez, who went to Bogota for a couple of weeks to implement OSSIM as the security information and event monitoring solution at Campus Party in Colombia.
I know this place has been lacking "useful" content lately, but I expect to have a bit more time in a couple of weeks; I've had a huge workload recently.

Back to the party. You can check out some pictures at Flickr; it's a bit of a mess, but I'll try to update this entry tomorrow with some interesting pictures.

The two guys we've hired from a company in Bogotá to give us local assistance over there have also started posting on a couple of blogs created specifically for this event:

Warning: they're in a pseudo-Spanish/English mix.

There's not much info there yet but they should be updating it after the event is over.

So, as always, this is a nice place to test OSSIM, do some benchmarks and improve some stuff. The party in Valencia is due at the end of this month and we hope we'll be there too :-)

Last but not least, a big hug to my friends in Turkiye. Another co-worker (Juanma) was there a couple of weeks ago doing some training; he enjoyed it a lot and I hope the people undergoing the OSSIM training did too.

posted at: 20:10 | path: /personal/campus | permanent link to this entry | 0 comments |



An alternative solution to Nessus Feed licensing issues
Fri, 13 Jun 2008

We've decided to start working on an alternative Nessus feed after Tenable changed the licensing again.

Excluding even non-profit organizations and testing purposes completely from the feed seems contrary to the open source spirit, so we'll be investing a considerable amount of effort and money into providing a high quality feed for everyone.

How it will finally work is still unclear, but we're aiming at the Sourcefire model: if you subscribe you get the plugins instantly; everybody else gets them with a slight delay (we're discussing a one to four week delay).

One of our goals is getting a good bunch of people interested in this and willing to participate (sort of a consortium maybe, although we're starting it internally right now), so if you could please share this with people who have the skill/knowledge to contribute, I'd be more than grateful.

Last but not least, we're looking into a way of ensuring that the effort everyone puts into this won't be abused in any way, so if anybody has suggestions about the model/licensing/etc., it would be great to hear them.

Adding a small Slashdot badge too; this could be good to draw some attention to it and attract collaborators.




posted at: 10:44 | path: /ossim | permanent link to this entry | 0 comments |



Help request on a Cisco issue.
Tue, 27 May 2008

I've got some tests to do with a Cisco 6513 ACE-10 card. My testing environment is very limited and I'd greatly appreciate feedback from someone knowledgeable about it.

Having someone help me set up a quick test environment with two hosts load balancing HTTP would be awesome of course, but any help is greatly appreciated.

Should you have any feedback please contact me at dk@ossim.net. Thanks in advance.

posted at: 15:53 | path: /personal | permanent link to this entry | 2 comments |



New Forums
Thu, 15 May 2008

I'm proud to announce the availability of our brand new forum infrastructure. We were getting really tired of the lack of features of the sf.net forums, so we decided to set up FUDForum on ossim.net.

I for one am very motivated by these changes; I was going crazy with the old environment and have promised myself to answer many more things on these new forums.
Enjoy: ossim.net forums.

posted at: 19:25 | path: /ossim | permanent link to this entry | 0 comments |



You are invited to take part in The Google Summer of Code(tm) 2008
Mon, 17 Mar 2008

Yay! We're proud to announce that OSSIM has been chosen to take part in the Google Summer of Code program. Brian, now it's your turn ;-).
I'll post another entry when we've got more information about how this works.

Congratulations!
Your organization "OSSIM: Open Source Security Information Management" has been accepted into the 
Google Summer of Code(tm) 2008. You have been assigned as primary point of contact and as an 
administrator for your organization.
Please visit http://code.google.com/soc/mentor_step1.html and sign up using your Google Account.
Thanks.
- Your friendly Google Summer of Code administrators

posted at: 20:46 | path: /ossim | permanent link to this entry | 0 comments |



Forensic database performance optimizations
Fri, 14 Mar 2008

Remember the couple of posts I made back in November in the tuning section? Well, I finally got the time to look into this issue again and have made some interesting discoveries over the last couple of days. I'm really enjoying this.

The following table illustrates some comparisons between a stock Base 1.3.9 (OSSIM patched) and the tuned rewrite I've got running right now. These optimizations are now part of our appliance offering (updates for already deployed ones are on the way) and will be released to the public afterwards. Thanks to everybody who has been helping me with this, especially the people at #ossim on freenode ;-).


::read more

posted at: 09:10 | path: /ossim/tuning | permanent link to this entry | 0 comments |



Tutorial 6: Plugin writing primer
Tue, 11 Mar 2008

A couple of days ago I was fixing the fortinet/fortigate plugin with the kind help of a Swiss OSSIM user (thanks Mikael ;-) ) and I wrote this little piece of Python to help me out with it. Now I'm using it a lot to debug plugins, so I guess more people could benefit from it too :-)
And well, I'll paste a sample plugin debugging session to give you some ideas.
BTW, this assumes basic knowledge of regular expressions; check this Regexp Primer out if you want to refresh that knowledge. And BTW2, some log lines are wrapped for readability.
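As an added illustration (not the author's script, which is behind the "read more" link), here is a small Python debugging helper of the kind described above. It assumes the OSSIM plugin .cfg layout of one INI section per rule, a quoted `regexp=` line holding a Python regular expression with named groups, and `{$name}` references to those groups in the remaining fields; the two SSH rules and the syslog lines it is run against are constructed for this example, and, as an assumption about rule ordering, it stops at the first rule that matches.

```python
"""Plugin rule debugger: run every rule of a (mini) OSSIM-style plugin .cfg
against raw log lines and show which rule fired and which fields it filled.
Added example; the .cfg excerpt and the log lines below are constructed."""
import configparser
import re

# Constructed excerpt in the layout of an OSSIM plugin .cfg (assumption: one
# section per rule, a quoted `regexp=` with Python named groups, and `{$name}`
# references to those groups in the remaining fields).
SAMPLE_CFG = r'''
[0001 - ssh - Failed password]
event_type=event
regexp="^(?P<date>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
plugin_sid=1
date={$date}
sensor={$sensor}
src_ip={$src}
src_port={$port}
username={$user}

[0002 - ssh - Accepted password]
event_type=event
regexp="^(?P<date>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
plugin_sid=7
date={$date}
sensor={$sensor}
src_ip={$src}
src_port={$port}
username={$user}
'''

# Constructed syslog lines to test the rules against.
SAMPLE_LINES = [
    "Dec 10 11:02:33 sensor1 sshd[2213]: Failed password for invalid user admin from 10.0.0.5 port 40112 ssh2",
    "Dec 10 11:02:41 sensor1 sshd[2213]: Accepted password for dk from 10.0.0.5 port 40113 ssh2",
    "Dec 10 11:02:50 sensor1 CRON[2240]: (root) CMD (/usr/bin/uptime)",
]

GROUP_REF = re.compile(r"\{\$(\w+)\}")   # matches a {$name} reference


def load_rules(cfg_text):
    """Parse the .cfg text into a list of (rule name, compiled regexp, field templates)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    rules = []
    for section in parser.sections():
        fields = dict(parser.items(section))
        pattern = fields.pop("regexp").strip('"')
        rules.append((section, re.compile(pattern), fields))
    return rules


def match_line(rules, line):
    """Return (rule name, filled fields, raw named groups) for the first rule
    whose regexp matches `line`, or None when no rule matches."""
    for name, regexp, fields in rules:
        match = regexp.search(line)
        if match is None:
            continue
        groups = match.groupdict()
        # Substitute every {$name} with the captured group (empty if the
        # optional group did not participate in the match).
        filled = {
            key: GROUP_REF.sub(lambda ref: groups.get(ref.group(1)) or "", template)
            for key, template in fields.items()
            if key != "event_type"
        }
        return name, filled, groups
    return None


def debug_lines(rules, lines):
    """Run every line through the rules; unmatched lines map to None so they
    stand out in the session output."""
    return [(line, match_line(rules, line)) for line in lines]


if __name__ == "__main__":
    for line, result in debug_lines(load_rules(SAMPLE_CFG), SAMPLE_LINES):
        print(line)
        if result is None:
            print("  -> no rule matched")
            continue
        name, filled, groups = result
        print("  -> rule:", name)
        print("     groups:", groups)
        print("     event:", filled)
```

Point it at a real plugin .cfg and a file of raw lines from the device, and the lines that print "no rule matched" are exactly the ones whose regexp needs fixing; the printed groups show where a pattern stopped matching.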



::read more

posted at: 11:38 | path: /ossim/tutorials | permanent link to this entry | 2 comments |



We've moved !
Fri, 07 Mar 2008

We just switched offices; the old one was getting too small. Here is a picture where we're still setting everything up, taken from my seat while holding up the PC, showing various AlienVault staff testing wifi, hanging around or just trying to avoid the hard work :-)


posted at: 17:35 | path: /personal | permanent link to this entry | 0 comments |



User feedback
Wed, 05 Mar 2008

I wanted to point you at two things I think are important, things we've been neglecting in the past months.

  1. IRC channel: we've ignored this way of communication for quite some time, but enough of that. I added a "fire up BitchX" Post-it on my desk, so from now on I'll spend as much time there as I can, and hopefully other OSSIM users / developers will too. See you at irc.freenode.org, channel #ossim.
  2. Bug tracking mechanism: honestly, I never liked the one provided by sf.net, so I followed a suggestion from a friendly guy at #ossim and installed FlySpray as a bug tracking system. Check it out at http://www.ossim.net/bugs/ (need to add the virtualhost for bugs.ossim.net :-) ).

So, if you've got bugs or suggestions for OSSIM, please start posting them there. And if you just want to hang out with us, join us on the IRC channel.

Over the next few days I'll post an update on current development; we're working on some exciting features right now ;-)

posted at: 20:01 | path: /ossim | permanent link to this entry | 0 comments |



AlienVault OSSIM Installer 1.0.4 released
Fri, 22 Feb 2008
After having written the whole thing, a shorter version for those with little time seems in order.

We released OSSIM 0.9.9 this week, a release which was followed by a post to BugTraq regarding some XSS and SQL injection vulnerabilities present in OSSIM.
Having fixed those vulnerabilities, we're now releasing:

Upgrade is encouraged to all OSSIM users.


::read more

posted at: 23:34 | path: /ossim/installer | permanent link to this entry | 0 comments |



1.0.4 Installer / updater coming :-)
Fri, 15 Feb 2008

We're proud to announce the soon-to-be-available 1.0.4 installer (version-wise it could be 1.1 or even higher because of all the changes, but, well, we called it 1.0.4), both as a standalone ISO image and as the updater.

We've been working very hard on this over the past months; the updater has been a nightmare. It's much easier to make an installer than an updater...

For those wanting to try it out, just download update.pl and run it on a 1.0 - 1.0.3 installed image (it should work with the images we've released in between on the forums too). Be warned though, we're still in the final testing phase and there might be some issues in there; any sort of testing will be more than welcome.

Basically the updater will back up all the databases and /etc/*, /usr/share/ossim*, install new packages (ossim 0.9.9), new dependencies (ossec, munin, fprobe) and tune some other things.
Anyway, as said, there are backups and it shouldn't be too hard to get it working again if something fails.

A few hints if you're going to try it out:

  • Default values for most of the questions are fine. If unsure, just press enter.
  • "auto" is the recommended way to go for new users; "expert" allows for a more fine grained setup.
  • We experienced occasional hangs at the munin plugin setup step, and had to kill the following process from another terminal in order to continue with the installation.
  • After everything has been installed you have to log in and upgrade the web part; it should work like a charm :-)
  • Right now it requires internet access; we'll publish an offline updater too, of course.

Check a sample installer output if you're curious.


Get the 1.0.4 (beta) updater here.


Here is a more detailed list of the most important changes:

New software:

  • Included OSSEC (http://www.ossec.net/)
  • Included Munin for sensor monitoring (http://munin.projects.linpro.no/)
  • Included FProbe for high traffic environments (http://fprobe.sourceforge.net/)
  • OSSIM core upgrade
  • Included and updated bleeding snort rules

New features:
  • Intrushield plugin
  • Ntop connections are now relayed through the server; no need to open port 3000 to the sensors anymore.
  • Partitioning switched to manual on installation
  • Database optimization code included
  • Added some database indexes for query speedup
  • Updater support
  • Experimental agent event consolidation
  • Agent event statistics

Updated features:
  • Updated realsecure/proventia plugin
  • Updated FW1 plugin
  • Updated IIS plugin
  • Database types optimized
  • Updated pam_unix rules
  • Updated ssh rules
  • Updated cross correlation information

Bugfixes:
  • Localization now working
  • Fixed some server issues

posted at: 20:52 | path: /ossim/installer | permanent link to this entry | 1 comments |



Interesting log collection / SIM collection document
Fri, 01 Feb 2008
Just a short post pointing at a very interesting study published by the "Bundesamt fuer Sicherheit in der Informationstechnik" (the German federal office for IT security) about log analysis. Sadly it's in German and I don't know if they're going to translate it, but I wanted to point at it since OSSIM is included as one of approximately fifteen products. Get it here.

posted at: 15:35 | path: /ossim | permanent link to this entry | 1 comments |



Greetings from Istanbul
Fri, 25 Jan 2008

After having spent five days in this nice city I wanted to say goodbye through a post. It's the second time I've been here (sadly both times I had to work, but I'll come back for fun someday, that's for sure) and I really enjoyed the stay.

This time I had a nicer hotel than last time, right in the city center. Although I didn't enjoy the breakfast at the hotel a single day (I'd rather sleep 15 minutes longer), I'll again remember these days for the food: unending mountains of food at all hours.
Last night we went to the Garibaldi, which was a delicious goodbye dinner with live music. Besides that there's not much more to tell: intense but fun work, some WoW, some traffic jams, missing my girlfriend a real lot and kebaps, kebaps, kebaps...

A hearty greeting to my friends in Istanbul. You've tried to make me explode with food, but again you didn't succeed.
Which reminds me, this time I've learned the trick. It's considered bad manners to refuse a dish when it's offered, and you get offered continuously. But if you offer back insistently, they'll think twice about feeding you.

While I write these lines the muezzins are calling to prayer. It's an interesting sound and reminds me that although very similar to our city, it's still quite a different culture. (I'm pretty sure I've heard that article ending before, in a "Lonely Planet" issue or something like that :P)

posted at: 09:39 | path: /personal/travel | permanent link to this entry | 0 comments |



OSSIM applied to ITIL
Thu, 17 Jan 2008

Recently I stumbled across an interesting article about Microsoft, open source and ITIL where OSSIM was mentioned (the article can also be found by googling for "ossim itil microsoft" in case the link breaks).

I've never been very keen on learning ITIL either (although I've heard about it everywhere during the last year), but this really caught my attention. In that paper OSSIM gets referenced only in the "security management" section, but I think that's mainly because OSSIM was hard to install, set up and understand when that article was written, so I thought I'd give it another try from my point of view, taking the included tools into account for the different ITIL sections.

So, the goal of this article is to extend and improve that other article, giving some thought to how I'd approach all those ITIL recommendations from an OSSIM point of view.

The Information Technology Infrastructure Library is made up of two main sets and a series of subsets (from what I've read in that article and on Wikipedia):

  • Service Support
  • Service Delivery

Note: the definitions after each topic are quoted from the MS article since they're short and concise.



::read more

posted at: 17:33 | path: /ossim | permanent link to this entry | 1 comments |



Happy New Year
Mon, 07 Jan 2008

Happy new year to everybody.

After moving in with my lovely girlfriend, spending some time with the family during the holidays and getting my undead warlock to level 54, it's time to get back to work.

We've got many exciting things in mind involving OSSIM for 2008 and quite a few surprises (positive ones of course :-) ). During the next couple of months we're going to focus on:

  • Releasing a new installer version. Starting with 1.0.4 we'll also supply upgrade tools, so no worries, it won't be necessary to download and reinstall the whole thing again.
  • Further improving documentation. We intend to release online courses for remote training soon, including VMware laboratories.
  • Improving ossim. Fixing bugs :-)

posted at: 09:37 | path: /personal | permanent link to this entry | 0 comments |



Tutorial 5: Windows event logging
Wed, 19 Dec 2007

The windows event log

As an introduction to Windows event logging I recommend reading the following article: Monitoring and Troubleshooting Using Event Logs. It's the first interesting one I found after googling for an introduction.

Quoting the article, which also talks about EventCombMT.exe, which we'll mention later:

This article reviews best practices for working with Windows event logs including how to interpret 
event messages, how to configure event logs, how to search and filter events, how to view events on 
remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems.


::read more

posted at: 15:54 | path: /ossim/tutorials | permanent link to this entry | 10 comments |



Tutorial 4: Correlation engine primer
Mon, 10 Dec 2007

Introduction

To answer a recent forum post I had to do some quick research, since it had been some time since I last tested this.
The exact question was:

Hello,

Is there a document talking about how the directives are processed?  One question
that I have is if you have multiple directives created and an event comes in
that matches the initial states of more than a single directive will both actually
process the event, or only the first match (which I think is the case)?

Thanks for any clarification you can provide.

Stephen

This post gives a bit of insight into how the correlation engine works and features some simple, custom-made directives that helped me answer that question.

The test environment features two events belonging to the ssh plugin (plugin_id 4003):
  • SSH password failed (plugin_sid 1)
  • SSH password accepted (plugin_sid 7)
To test this I've created three directives (plugin_id 1505):
  • Test directive 21, grouping one login failure and one success
  • Test directive 22, grouping one login failure and one success
  • Test directive 23, used in the second case, grouping those two
So, with all of this in place, it was easy to simulate this by failing a login and succeeding afterwards.
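The following Python is an added example, not OSSIM's server code: a toy model of a directive engine built around the same test setup (ssh plugin 4003 with sids 1 and 7, directives 21, 22 and 23 under plugin_id 1505). Two things are assumptions of this model rather than facts taken from the post: every directive is evaluated independently for each incoming event, and a completed directive is re-injected as a plugin_id 1505 event so that other directives can build on it, which is how "directive 23, grouping those two" is read here. What the real engine does with an event that matches the first state of several directives is what the full post establishes; the model merely makes the question concrete.

```python
"""Toy directive correlation engine (added example, not OSSIM's code).
Model assumptions: each directive is fed every event independently, and a
finished directive is re-injected as a plugin_id 1505 event."""
from dataclasses import dataclass


@dataclass
class Event:
    plugin_id: int
    plugin_sid: int
    src_ip: str
    dst_ip: str


@dataclass
class Rule:
    """One state of a directive: which events advance it."""
    plugin_id: int
    plugin_sids: tuple
    same_src: bool = False   # like "from=1:SRC_IP": same source as the first matched event

    def matches(self, event, first):
        if event.plugin_id != self.plugin_id or event.plugin_sid not in self.plugin_sids:
            return False
        if self.same_src and first is not None and event.src_ip != first.src_ip:
            return False
        return True


@dataclass
class Directive:
    id: int
    name: str
    rules: list


@dataclass(eq=False)
class Backlog:
    """A partially matched directive instance waiting for rules[pos]."""
    directive: Directive
    events: list
    pos: int


class Engine:
    DIRECTIVE_PLUGIN_ID = 1505   # plugin_id under which completed directives are re-injected

    def __init__(self, directives):
        self.directives = directives
        self.backlogs = []   # open directive instances
        self.alarms = []     # completed directives, as re-injected events

    def process(self, event):
        """Feed one event to every directive independently (model assumption);
        return the ids of the directives that completed, in order."""
        fired = [d.id for d in self.directives if self._feed(d, event)]
        for directive_id in list(fired):
            alarm = Event(self.DIRECTIVE_PLUGIN_ID, directive_id, event.src_ip, event.dst_ip)
            self.alarms.append(alarm)
            fired.extend(self.process(alarm))   # directives over directives, like 23
        return fired

    def _feed(self, directive, event):
        """Advance an open backlog of this directive, or open one on its first
        rule. True when the directive completed on this event."""
        for backlog in [b for b in self.backlogs if b.directive is directive]:
            if directive.rules[backlog.pos].matches(event, backlog.events[0]):
                backlog.events.append(event)
                backlog.pos += 1
                if backlog.pos == len(directive.rules):
                    self.backlogs.remove(backlog)
                    return True
                return False
        if directive.rules[0].matches(event, None):
            if len(directive.rules) == 1:
                return True
            self.backlogs.append(Backlog(directive, [event], 1))
        return False


def build_engine():
    """The three test directives of the post, as this model reads them."""
    ssh_failed = Rule(4003, (1,))                    # SSH password failed
    ssh_accepted = Rule(4003, (7,), same_src=True)   # SSH password accepted, same source
    return Engine([
        Directive(21, "Test directive 21: ssh failure then success", [ssh_failed, ssh_accepted]),
        Directive(22, "Test directive 22: ssh failure then success", [ssh_failed, ssh_accepted]),
        Directive(23, "Test directive 23: 21 and 22 both fired",
                  [Rule(1505, (21,)), Rule(1505, (22,))]),
    ])


def run_scenario():
    """Failed login, a success from another host, then a success from the
    same host (constructed events); returns the directive ids fired per event."""
    engine = build_engine()
    events = [
        Event(4003, 1, "10.0.0.5", "10.0.0.1"),
        Event(4003, 7, "10.0.0.9", "10.0.0.1"),   # must not close 21/22: wrong source
        Event(4003, 7, "10.0.0.5", "10.0.0.1"),
    ]
    return [engine.process(e) for e in events]


if __name__ == "__main__":
    for fired in run_scenario():
        print("fired directives:", fired)
```

Under this model both 21 and 22 open a backlog on the failed login and both complete on the matching success, after which 23 completes on their re-injected results; the success from 10.0.0.9 advances nothing because the second rule is tied to the source of the first event.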


::read more

posted at: 12:47 | path: /ossim/tutorials | permanent link to this entry | 3 comments |



Tutorial 3: First recommended steps after installation
Fri, 07 Dec 2007

This tutorial tries to show the first common steps you could take if you're new to OSSIM and have just finished the installation, without knowing what to do next.
The tutorial will cover:

  • Policies
  • Initial Inventory
  • Scans
  • Scheduled scans
  • What to do next
Many of the topics we'll cover in this tutorial can be explored further in the documentation wiki.


::read more

posted at: 16:53 | path: /ossim/tutorials | permanent link to this entry | 2 comments |



Tutorial 2: Syslog data mining with attached md5sum. AKA "Store 100% of data".
Thu, 06 Dec 2007

1. The need. The Hype.

There's obviously a need for storing vast amounts of logs, and few things today aren't able to log to syslog. So it's only natural to stumble upon that request every once in a while, and this tutorial illustrates the OSSIM approach to massive syslog data storage. Of course, where I say syslog you can read Windows event log, SNMP data, whatever generates a big amount of raw data.

Compliance

I don't know much yet about all this compliance stuff (I was lucky, Julio has always been much more knowledgeable in that area than me, so I could skip it) but I guess I'll have to start learning; there are just too many people asking for it and I'm getting very curious.

From what I've seen, a short list of regulations requiring, or at least strongly recommending, a certain amount of raw data storage and reporting is:
  • ISO27001/17799
  • SOX
  • HIPAA
  • PCI
  • Basel II
  • NIST 800-53
  • Many more...
(Searching for SIM and compliance information I see that's a major marketing point for vendors too; well, for the record, OSSIM helps you with all that stuff as well.)

Centralized logging

Maybe the need is pure sysadmin laziness. You want to be able to answer the questions your management / customers ask you in the easiest possible way.
I heard this from a guy a couple of days ago: the more information about your network you've got, the more answers you can give, and that's exactly what SIM/SEM systems are good at.

Data mining

This is a bit redundant with the previous entry, but there are people who just don't care about exact data yet are in desperate need of colorful graphs to keep their bosses calm. Well, having logs from everything in your network allows for easy colorful report generation with little knowledge of the underlying data. The worthiness of those reports will of course be highly questionable in the end.


::read more

posted at: 20:10 | path: /ossim/tutorials | permanent link to this entry | 8 comments |



A review of a commercial SIM
Wed, 05 Dec 2007

Some time ago, earlier this year, I had the opportunity to attend a conference where one of the leading SIM vendors (according to Gartner's magic quadrant at least) talked about their product. Although my opinion will always be biased and I tend to compare everything I see in this area with OSSIM, I also believe that I've got a solid basis to judge others.
Anyway, since I know myself, and since a review comparing more than five years of work with a 5 hour demo and some document browsing isn't fair, I won't name this product.


::read more

posted at: 11:33 | path: /personal/opinion | permanent link to this entry | 2 comments |



Made with PyBlosxom