DK 'Log


Mar 2009

Teaser screenshots on beta4 + SEM + future
Fri, 27 Mar 2009

After the short break in doing useful things, here's a quick teaser on how the SEM looks inside today's beta4 (I'll be uploading it this afternoon and post the link tomorrow). Enjoy :-)

SEM with the new interface

Next, (not included yet in beta4) the new policy:

Policy with the new interface

Finally, (not included yet in beta4) the new host group configuration:

Host Group Configuration with the new interface

posted at: 09:37 | path: /ossim | permanent link to this entry | 2 comments |
Tags: installer, sem



How to make good friends
Fri, 27 Mar 2009

I just wanted to share a quick mail we've received tonight at AlienVault. I'm hiding the user's identity until he grants me permission to disclose it, which I doubt he'll do btw.

The mail read as follows:

Subject: Port scan from you guys to my server from 207.158.15.208. Cease and desist.

I installed your ossim product and now you are port scanning my servers?

You are scanning [insert FQDN here] servers right now and I am picking
it up on my IDS coming from 207.158.15.208.

Can you explain why you would be doing this?

You had better have a good explanation or I guarantee your company
will be written up in all the security publications I write in and I
will recommend that nobody ever use your product.

Amazing, ain't it? No previous contact, no double checking, nothing, just going ahead, threatening, menacing and being bold.

Well, here goes the answer. As said, this is my very own opinion and the company (Alienvault) has nothing to do with it.

Just for the record, before replying I logged into the above host, checked for unauthorized access, ran several tcpdumps and checked the logs for his domain. Clean. Oh, and I'm going to call the user "Hugo" after a big-mouthed president with the same name.

Hello Hugo,

have you ever heard about kindness going a long way? Well, it usually works.

If you had kindly requested information about this, either on the
forums (where hundreds of happy users would've been eager to answer
you), on the irc, even on this contact address, I'd have answered with
a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an
automatic, free, nessus plugin feed which gets checked on a daily
basis. Due to the huge amount of users we've got we noticed rsync
starting to duplicate itself, launching multiple instances which in
turn get denied, provoking some sort of false positives". I even
would've offered you help on sorting it out if that weren't the cause,
which I'm pretty sure is.

But... here you come, threatening, menacing with bad manners. So the answer is:

Hugo, I encourage you to post the above mail to all the security
publications you write in. I'm sure your mail has the possibility to
become one of those long-lasting laughs which will be used as
openings in security conferences all over the world for the next few
years.
Not enough with this, I offer you to also publish it on the ossim
forums. I for sure will post it on my blog (no worries, unless you
grant me permission to do so I'll hide your name and mail) for other
fellow users to comment on it.

And, on top, I offer you a free refund for OSSIM. Oh, wait, you
haven't paid a single cent for it...

So please, just deinstall OSSIM right now, that will solve both our
problems or I guarantee your name will be written up in all the
security publications I write in and I will recommend that nobody ever
lets you use their product. I'd feel bad coding OSSIM and knowing that
you would benefit from it.

With kind regards,

Dominique Karg

PS: Any views or opinions presented in this email are solely those of
the author, that is, me and do not represent those of the company

Things like these keep open-source developers motivated. *sigh*

Update 2009/03/27: the story goes on.



posted at: 08:34 | path: /personal | permanent link to this entry | 5 comments |
Tags: funny, rude



Power failure at service provider - ossim.net and alienvault.com downtime
Fri, 20 Mar 2009

Just wanted to write that we're back up. We've had the host hosting ossim and alienvault down for some hours; it seems there was a short power outage on the provider side, and then the pf firewall on the OpenBSD host came back up in some sort of "block everything" mode. On top of that, Apache didn't start with SSL enabled and a good bunch of the MySQL tables had crashed too. Aaah, and it's supposed to be a holiday here today ;-).

Good luck to Mike and the people at m5hosting getting everything back up and running.

Update 20090320: Everything seems fine now and I must say I'm very pleased with how they handled all of this at m5. I wanted to post this diagram reflecting the power infrastructure at the provider for those curious; I myself had never given a second thought to what a large datacenter actually looks like at the power level. The post-outage report also makes for an interesting read.

posted at: 11:07 | path: /ossim | permanent link to this entry | 0 comments |



Installer 1.2 beta3 available
Thu, 19 Mar 2009

And another quick post. New beta is out, thanks a ton to everybody reporting bugs. This time there aren't big changes, but a ton of small glitches have been fixed. Grab it here (approx. 550MB). As last time, updates will focus on a beta3 base, although they should work fine with others too.

posted at: 08:45 | path: /ossim | permanent link to this entry | 0 comments |



Tutorial 8: OSSIM + JAsperServer + iReport Tutorial
Tue, 17 Mar 2009

This eighth installment of the tutorial series will focus on a feature which will be revolutionary for OSSIM for sure: tight JasperServer integration for custom/periodic reports with the guarantee of a strong BI suite. The upcoming installer release will include both Tomcat and JasperServer ready to use, with sample reports and datasources preloaded. (Note: Installer beta2 users can already test some of this out, although no real tight integration will be in place until beta4).

If you haven't heard about JasperServer or iReport, you can check out JasperServer and iReport for some background. Quoting those two pages:

"JasperServer is a high-performance business intelligence platform and report server designed for developers and businesses. Deploy JasperServer when end-users need to create their own ad hoc queries, reports, charts, crosstabs, dashboards, or it becomes necessary to secure, store, schedule, distribute, share, drill-down, or interact with reports."

"iReport is a graphical report tool for report designers, developers, and power-users. iReport provides complete coverage of all the reporting capabilities in JasperReports, JasperServer, and Jasper4Salesforce, including the creation of parameterized reports, pixel-perfect production reports, and remote JasperServer repository management".

I'm no JasperReports expert myself; I've used it for report creation and I'm sure there are tons of tips and tricks experts can provide. Any comments and feedback that help improve this article will be greatly appreciated :-)

During this tutorial the following steps will be covered:

  • OSSIM - iReport - JasperServer integration
  • Assumptions
  • iReport download and setup
  • OSSIM for iReport setup
  • Sample report: top events by risk/occurrence.
  • Uploading this report to jasperserver
  • What to do next?
  • Tips and Tricks.
  • Sharing your work/fun: the Alien Forge.



posted at: 11:25 | path: /ossim/tutorials | permanent link to this entry | 3 comments |
Tags: jasperserver, ireport, tutorial



R.I.P. Elmo
Tue, 10 Mar 2009

We've got bad news. Our former CEO/CTO/CSO/COO or whatever his role was decided to quit the company in a somewhat... harsh manner.
Being in the final stages of a release as we are, after his recent losses due to the global crisis, he decided to drop. *Mourn*


posted at: 14:33 | path: /personal | permanent link to this entry | 4 comments |
Tags: elmo, suicide



Installer 1.2 beta2 available
Sat, 07 Mar 2009

Just a quick notice about beta2 being out. Tons of bugs have been fixed this week, cheers to everybody helping. Updates for the upcoming week should apply to both but will be focused on beta2 (approx. 550MB).

Among the fixes, there are:

  • Forensics panel visual and functionality fixes. Click here for a teaser.
  • New auto-update notification. When enabled, the system checks for rule/directive/plugin or code updates once a day, presenting a visual notification to the user about the update and its contents.
  • Snort should work fine now. Included some custom AlienVault rules for directives.
  • About 20 new high-quality correlation directives detecting real world threats.
  • Plugin .cfg and .sql fixes.
  • Ossim configuration menu fixes (issue ossim-setup from commandline in order to check it out).
  • Many bugfixes.

posted at: 08:28 | path: /ossim | permanent link to this entry | 3 comments |



Dominique Karg
Made with PyBlosxom