Tutorial 7: Feature highlight / pre-tutorial on Risk Maps
Wed, 15 Oct 2008

Introduction

Today I would like to share something interesting we're working on: Risk/Availability/Vulnerability indicator Maps.

The purpose was to fit the most important information that can be gained from ossim all over its interface into a simple to use, simple to manage and simple to analyze interface.
We already had approaches to both: using maps (images), and aggregating/organizing different inputs into meta-objects (what we called business processes). But both of them had the same problem: they were complex and they were ugly.




posted at: 14:26 | path: /ossim/tutorials



Documentation Overhaul
Thu, 02 Oct 2008

Just a quick note to throw some attention at the major changes we are making to the OSSIM documentation section.

We're sort of hiding deprecated or non-important documentation, reorganizing the existing documents and releasing new stuff such as configuration instructions for third-party devices.

Enjoy :-)

posted at: 08:35 | path: /ossim



NTop session query script
Fri, 22 Aug 2008

While coding the session monitor a couple of weeks ago I developed a quick script which could query ntop for session information. Jaime started using it for graphing now, so I thought it might be useful to somebody. Please find the code below.




posted at: 08:42 | path: /code



Zattoo... Scam?
Mon, 18 Aug 2008

After having used their service for quite some time I received the announcement that they wanted to start charging users a small fee. I'm talking about Zattoo. Quoting their site:

Zattoo is real TV on your PC - and it's absolutely free. It's the football game as you chat, the news as you email, and your favorite soap as you pay your bills. Zattoo is also TV when you don't have a TV - it's the channels you want, when you want, where you want.

Well, completely free obviously not anymore, but that doesn't matter. I don't know how well known / widely used this service is outside of Europe, but I've got many friends here that actually used it.

Fact is I wanted to see a soccer match last evening on my computer, in order to let my GF watch her stuff on the big screen. I decided to pay the 2.40 euro (as can be seen here), sending the two SMS with ZAT to 7766. After two hours I still didn't have my code (so bye bye match) and after 24 hours and two mails, both using the support form as well as the info email address, I'm still waiting for an answer/activation code.

2.40 ain't that much money, but things like these are very annoying. Until I get an answer from them I consider this new "pay-per-view" service a true SCAM, con, swindle, grift, gaffle, bunko, flim flam, stratagem, or scheme (wikipedia ;-) ), since after using the service for a couple of months and getting confident with the people at Zattoo I've paid for a service which I haven't received yet, there's no info about reclamations, payment confirmation, receipt, etc etc...

Update 2008/08/18 - First contact from Zattoo, quite disappointing

Got a mail last night from them:

Hi, Thanks for contacting Zattoo. If you have not received the activation code, you will have to contact Allopass (http://www.es.allopass.com/contact_accueil.php4). They send the codes, not Zattoo. Yours kindly, Zattoo Spain
So I know how this story will be evolving. Have you read The Twelve Tasks of Asterix? I always feel like I'm in the 8th task when something doesn't work out 100% with obscure/big companies or government:

Quoting:

Find Permit 838 in "The Place That Sends You Mad". A mind-numbing multi-storey building founded on bureaucracy and staffed by clinically unhelpful people who direct all their clients to other similarly unhelpful people elsewhere in the building. Asterix eventually beats them at their own game by asking for an imaginary permit that nobody knows about, sending the place into disarray. Eventually Asterix is given Permit 838 just to make him leave and stop causing trouble.

So next task: write to the friendly people at the other company. I feel like this will take a long long time...

My mail to the new company, I wonder how long it will take them to answer:

To whom it may concern,

On Wednesday 2008/08/13 at 19:10 I sent two SMS messages to the number "7766" with the codeword "ZAT" in them.

I was supposed to receive an activation code for Zattoo which never arrived. Yesterday evening I finally got an answer from Zattoo where they state that they don't have anything to do with payments, and that I should refer to you.

So this is my mail / complaint: I paid for the service five days ago and still haven't received any answer/feedback or even the product.

The phone number I sent the SMS messages from (2x) is 627xxxxxx.

Thanks in advance for your attention in this matter.

posted at: 08:34 | path: /rants



Office pics update
Wed, 13 Aug 2008

Remember the pictures I posted some months ago while we were moving in? Well, the office looks much better now, so I decided to bring the cam along and take some pictures. Our office is situated between two emblematic buildings in Madrid, the Torres Blancas and the Puerta de America hotel.

AV Office 2008/08

In the meantime we're still working on the 1.0.6 updater, which will feature, among others:

  • Antivirus (clamav)
  • Mod-security
  • GLPI
  • The new nessus feed
  • System upgrade
  • Security fixes
  • Automatic Nagios config
  • Bugfixes and more...

The directive editor and reporting probably won't make it into this release, since we want to release before we merge all of the GSoC 2008 data into the main CVS.

    posted at: 08:18 | path: /ossim



    Plugin GPG signature verification script
    Wed, 06 Aug 2008

    Just had to write a quick script in order to regularly check the repository, wanted to share it. It can be used after having imported the AV VRT verification key.
    # Treat any non-zero gpg exit as a failure (bad signature, missing key or missing signed file), not just exit code 1; "$i" is quoted for paths with spaces
    for i in *.asc; do if gpg --verify "$i" 2>/dev/null; then echo -n "."; else echo; echo "Bad Sig: $i"; read; fi; done
    PS: I'd suggest checking out Jaime's Blog (we work together at AV), he's starting to share a bunch of interesting things :-)
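    As an added example (not the blog's own script), here is a longer version of the same check that reads gpg's machine-readable status lines (--status-fd) instead of relying on the exit code alone. gpg exits 1 only for a genuinely bad signature; a missing public key or a missing signed file exits 2, so an exit-code test that looks for 1 would report those as fine. The directory layout (each *.asc next to the file it signs) is the one the one-liner above assumes; the status words it prints are this script's own choice.

```sh
#!/bin/sh
# Added example, not the original blog post's script.
# Verifies every detached signature (*.asc) in a directory against the file of
# the same name without the suffix and classifies each result from gpg's
# "[GNUPG:] ..." status lines rather than from the exit code alone.

# classify_status reads gpg --status-fd output on stdin and prints one word:
# GOOD, BAD, EXPIRED, REVOKED, NOKEY, or ERROR when no verdict line was seen.
# The first verdict line wins; a file with no signature verdict at all is ERROR.
classify_status() {
    result=ERROR
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)     if [ "$result" = ERROR ]; then result=BAD; fi ;;
            "[GNUPG:] REVKEYSIG "*)  if [ "$result" = ERROR ]; then result=REVOKED; fi ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] EXPSIG "*)
                                     if [ "$result" = ERROR ]; then result=EXPIRED; fi ;;
            "[GNUPG:] NO_PUBKEY "*)  if [ "$result" = ERROR ]; then result=NOKEY; fi ;;
            "[GNUPG:] GOODSIG "*)    if [ "$result" = ERROR ]; then result=GOOD; fi ;;
        esac
    done
    echo "$result"
}

# check_dir prints "<status> <signature file>" for each *.asc in the directory
# given as $1 (default: current directory) and returns 1 if any status is not
# GOOD, so it can drive a cron job or a CI step.
check_dir() {
    dir=${1:-.}
    failed=0
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || continue            # no *.asc files: the glob stayed literal
        data=${sig%.asc}                     # the signed file the .asc belongs to
        if [ -f "$data" ]; then
            # Status lines go to stdout (fd 1); gpg's human-readable chatter goes to stderr.
            status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null | classify_status)
        else
            status=MISSING_DATA
        fi
        printf '%s %s\n' "$status" "$sig"
        [ "$status" = GOOD ] || failed=1
    done
    return "$failed"
}

# Run the check only when a directory is given, e.g.: sh check_sigs.sh /path/to/repo
if [ -n "${1:-}" ]; then
    check_dir "$1"
fi
```

    Anything other than GOOD deserves a look: BAD means the content or signature was tampered with or corrupted, NOKEY means the verification key was never imported (the one-liner above would have silently passed that case), and EXPIRED/REVOKED mean the key itself needs attention.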

    posted at: 11:36 | path: /feed



    Status update & News
    Tue, 05 Aug 2008

    Back with a quick status update. I hope this will be the last "misc" message in a while, so I can start uploading useful content again.

    First of all, I hope everybody's having a nice summer (or winter ;-)). I had my small share of holiday too, and expect to have another week or two during the next months.



    posted at: 12:27 | path: /ossim



    An alternative solution to Tenable's Nessus Feed licensing issues
    Tue, 05 Aug 2008

    We've decided to start working on an alternative feed for Nessus after Tenable changed the licensing again.

    Excluding even non-profit organizations and testing purposes completely from the feed seems contrary to the open source spirit, so we'll be investing a considerable amount of effort and money into providing a high quality feed for everyone.

    The final workings of it are still unclear, but we're aiming at the Sourcefire model: if you subscribe you'll get them instantly, everybody else gets them with a slight delay (we're discussing a one to four week delay).

    One of the goals we've got is getting a good bunch of people interested in this and willing to participate (sort of a consortium maybe, although we're starting it internally right now), so if you could please share this with people who could have the skill/knowledge to contribute to this, I'd be more than grateful.

    Last but not least we're looking into a way of ensuring that the effort put into this by everyone won't be abused in any way, so if anybody has got suggestions about model/licensing/etc it would be great to hear them.

    Edit: Due to licensing warnings from Tenable I had to rewrite some terminology.



    posted at: 06:24 | path: /ossim



    Holidays :-)
    Wed, 16 Jul 2008

    At last, time for a short break. I'll be off starting tomorrow until July 27th, down to the "Costa del Sol" with my beloved girlfriend, in order to get some sun, beach and Tintos de verano.

    The rest will be more than needed, since the next half year will be stressful:

    • The nessus feed means loads of work, tho we've got around 4k new plugins ready for the launch on 2008/07/31.
    • Upcoming Installer update/release, we've neglected it somehow and need to catch up with some bugfixes and new features.
    • We plan on opening another office in the US and maybe somewhere in Asia.
    • Random stuff which will jump in for sure and randomly get on my nerves.

    So, for all of you who're planning holidays too, enjoy them, for those who stay, well, enjoy it too ;-).

    posted at: 08:56 | path: /personal



    Cheers to our guys at Campus Party Colombia :-)
    Thu, 10 Jul 2008

    I'm writing these lines to cheer on my co-worker (@AlienVault) Santiago "Santi" Gonzalez, who went to Bogota for a couple of weeks in order to implement OSSIM as the security event and information monitoring solution at Campus Party in Colombia.
    I know this place is lacking some "useful" content lately, but I expect to have a bit more time in a couple of weeks; have had a huge workload lately.

    Back to the party. You can check out some pictures at Flickr; it's quite a mess but I'll try to update this entry tomorrow with some interesting pictures.

    So, as always this is a nice place to test ossim, do some benchmarks and improve some stuff. The party in Valencia is due to the end of this month and we hope we'll be there too :-)

    Last but not least, a big hug to my friends in Turkiye. Another co-worker (Juanma) was there a couple of weeks ago doing some training; he enjoyed it a lot and I hope the people undergoing the ossim training did too.

    Edit 2008/07/10: removed links to sites that contain information about AlienVault customers.

    posted at: 08:01 | path: /personal/campus



    Help request on a Cisco issue.
    Tue, 27 May 2008

    I've got some tests to do with a Cisco 6513 ACE-10 card. My testing environment is very limited and I'd greatly appreciate getting some feedback from someone knowledgeable with that thing.

    Having someone help me set up a quick test environment with two hosts load-balancing HTTP would be awesome of course, but any help is greatly appreciated.

    Should you have any feedback please contact me at dk@ossim.net. TYIA.

    posted at: 15:53 | path: /personal



    New Forums
    Thu, 15 May 2008

    I'm proud to announce the availability of our brand new forum infrastructure. We were getting really tired in the end of the lack of features of the sf.net forums, so we decided to set up FUDForum on ossim.net.

    I for myself am very motivated by these changes; I was getting crazy with the old environment and promised myself to answer many more things on these new forums.
    Enjoy: ossim.net forums.

    posted at: 19:25 | path: /ossim



    You are invited to take part in The Google Summer of Code(tm) 2008
    Mon, 17 Mar 2008

    Yay! We're proud to announce that ossim has been chosen to take part in the Google Summer of Code program. Brian, now it's your turn ;-).
    I'll post another entry when we've got more information about how this works.

    Congratulations!
    Your organization "OSSIM: Open Source Security Information Management" has been accepted into the 
    Google Summer of Code(tm) 2008. You have been assigned as primary point of contact and as an 
    administrator for your organization.
    Please visit http://code.google.com/soc/mentor_step1.html and sign up using your Google Account.
    Thanks.
    - Your friendly Google Summer of Code administrators
    

    posted at: 20:46 | path: /ossim



    Forensic database performance optimizations
    Fri, 14 Mar 2008

    Remember the couple of posts I made back in November in the tuning section? Well, I finally got the time to look into this issue again and have made some interesting discoveries the last couple of days. I'm really enjoying this.

    The following table illustrates some comparisons between a stock Base 1.3.9 (ossim patched) and the tuned rewrite I've got running right now. These optimizations are now part of our appliance offering (updates for already deployed ones are on the way) and will be released to the public afterwards. Thanks to everybody that has been helping me on this, especially to the people at #ossim on freenode ;-).



    posted at: 09:10 | path: /ossim/tuning



    Tutorial 6: Plugin writing primer
    Tue, 11 Mar 2008

    A couple of days ago I was fixing the fortinet/fortigate plugin with the kind help of a Swiss OSSIM user (thanks Mikael ;-) ) and I wrote this little piece of python in order to help me out with it. Now I'm using it a lot to debug plugins, so I guess more people could benefit from this also :-)
    And well, I'll paste a sample plugin debugging session in order to give ideas.
    BTW, this assumes basic knowledge of regular expressions; check this Regexp Primer out if you want to refresh that knowledge. And BTW2, some log lines are broken for readability.




    posted at: 11:38 | path: /ossim/tutorials



    We've moved!
    Fri, 07 Mar 2008

    We just switched offices, the old one was getting too small. Here is a picture where we're still setting up everything, taken from my seat holding up the pc, showing various AlienVault staff testing wifi, hanging around or just trying to avoid the hard work :-)


    posted at: 17:35 | path: /personal



    User feedback
    Wed, 05 Mar 2008

    I wanted to point you at two things I think that are important, things that we've been neglecting in the past months.

    1. IRC Channel: we've ignored this way of communication for quite some time, but enough of that. I added a "fire up BitchX" post-it on my desk, so from now on I'll spend as much time there as I can, and hopefully other ossim users / developers will too. See you at irc.freenode.org, channel #ossim.
    2. Bug tracking mechanism: honestly, I never liked the one provided by sf.net so I followed a suggestion from a friendly guy at #ossim and installed FlySpray as a bug tracking system. Check it out at http://www.ossim.net/bugs/ (Need to add the virtualhost for bugs.ossim.net :-) ).

    So, if you've got bugs or suggestions for ossim, please start posting them there. And if you just want to hang out with us, join us on the IRC channel.

    During the next days I'll post an update on current development, we're working on some exciting features right now ;-)

    posted at: 20:01 | path: /ossim



    AlienVault OSSIM Installer 1.0.4 released
    Fri, 22 Feb 2008
    After having written the whole thing, a reduced version for those with little time available seems in order.

    We've released OSSIM 0.9.9 this week, a release which was followed by a post to BugTraq regarding some XSS and SQL vulnerabilities present in OSSIM.
    After having fixed those vulnerabilities we're now releasing:

    Upgrade is encouraged to all OSSIM users.



    posted at: 23:34 | path: /ossim/installer



    1.0.4 Installer / updater coming :-)
    Fri, 15 Feb 2008

    We're proud to announce the soon-to-be-available 1.0.4 installer (versioning wise it could be 1.1 or even higher because of all of the changes but, well, we called it 1.0.4), both as a standalone ISO image as well as the updater.

    We've been working very hard the past months on this, the updater has been a nightmare. It's much easier to make an installer than an updater...

    For those wanting to try it out, just download update.pl and run it on a 1.0 - 1.0.3 installed image (it should work with the images we've released in between on the forums too). Be warned tho, we're still in the final testing phases and there might be some issues in there; any sort of testing will be more than welcome.

    Basically the installer will back up all the databases and /etc/*, /usr/share/ossim*, install new packages (ossim 0.9.9), new deps (ossec, munin, fprobe) and tune some other things.
    Anyway, as said, there are backups and it shouldn't be too hard to get it back working if something fails.

    A few hints if you're going to try it out:

    • Default values for most of questions are fine. If unsure just press enter.
    • "auto" is the recommended way to go for new users, "expert" allows for a more fine grained setup.
    • We experienced occasional hangs at the munin plugin setup step. Had to kill the following process on another terminal in order to continue with the installation process
    • After everything has been installed you have to log in and upgrade the web part, it should work like a charm :-)
    • Right now requires internet access; we'll publish an offline updater too of course

    Check a sample installer output if you're curious.


    Get the 1.0.4 (beta) updater here.


    Here is a more detailed list of the most important changes:

    New software:

    • Included OSSEC (http://www.ossec.net/)
    • Included Munin for sensor monitoring (http://munin.projects.linpro.no/)
    • Included FProbe for high traffic environments (http://fprobe.sourceforge.net/)
    • OSSIM core upgrade
    • Included and updated bleeding snort rules

    New features:
    • Intrushield plugin
    • Ntop connections now go through the server, no need to open port 3000 to them anymore.
    • Partitioning switched to manual on installation
    • Database optimization code included
    • Added some database indexes for query speedup
    • Updater support
    • Experimental agent event consolidation
    • Agent event statistics

    Updated features:
    • Updated realsecure/proventia plugin
    • Updated FW1 plugin
    • Updated IIS plugin
    • Database types optimized
    • Updated pam_unix rules
    • Updated ssh rules
    • Updated cross correlation information

    Bugfixes
    • Localization now working
    • Fixed some server issues

    posted at: 20:52 | path: /ossim/installer



    Interesting log collection / SIM collection document
    Fri, 01 Feb 2008
    Just a short post pointing at a very interesting study published by the "Bundesamt fuer Sicherheit in der Informationstechnik" (the part of the German government dedicated to IT security) about log analysis. Sadly it's in German and I don't know if they're going to translate it, but I wanted to point at it since OSSIM is included as one of approximately fifteen products. Get it here.

    posted at: 15:35 | path: /ossim



    Made with PyBlosxom