Webinar around OS Security and OSSIM
Mon, 15 Jun 2009

I got talked into speaking at a webinar next week (well, we've got another one this week but it's already crowded so I'm only posting next weeks link. And since this week's is my first webinar ever the second one should be better anyway), namely about Open Source Information Security: Reduce Costs while Improving Security Profile & Compliance. That's it, nice and short name as I like and love them.

I don't know how it work out, guess it shouldn't be very boring and registration is free so if you want to join in you're more than welcome. Additionally you get something called CPE credits for attending (sounds like experience points ;-)).
Here is an excerpt from the description:

During this seminar we will describe and demonstrate the implementation of an enterprise ready system comprised of more than 15 well known Open Source tools, with the goal of showing attendees that Open Source technology can be leveraged to provide a reliable and comprehensive alternative to commercial solutions, at a fraction of the cost, without sacrificing functionality or ease of use.

posted at: 14:08 | path: /ossim | permanent link to this entry | 4 comments |
Tags: , , ,



Request for case-studies, testimonials, comments and feedback
Tue, 05 May 2009

A friend of mine is preparing a speech at a security conference this summer around OSSIM. He asked if I could get some feedback, case-studies or anything that could backup and enrichen his speech, this is what this post is for :-).

So please, should you have anything (wether it's good or bad, happy or sad) to say around OSSIM (or should you know about anybody how does) which you would like to share write to feedback@ (created the alias so I wouldn't miss anything, feedback is very important to us).

Anything from "I use OSSIM" to complete papers is welcome, tho in order to avoid confusions I'd please ask to include these couple of lines at the beginning of the mail:

Name (leave empty for anonymous):
Company (leave empty for anonymous or substitute for "english university" or "canadian oil platform" or similar):
Is it ok to tell/foward this?: yes/no (if the answer is 'no' then no one but me will know about this :P)
Is it ok to publish this on ossim.net/alienvault.com?: yes/no

Here again for copy & paste:

Name:
Company:
Ok to tell/forward?:
Ok to publish on ossim.net/alienvault.com?:

Last but not least, this is no commercial action, you won't be contacted by anybody nor will you be included in any spam database; I'm just curious and want to help a friend out :-)

posted at: 10:06 | path: /ossim | permanent link to this entry | 0 comments |



New Instaler beta: 1.2beta6
Sat, 02 May 2009

I'm happy to announce the availability of the next beta, AV Installer beta6. (md5: 21204ecf2949a1d9ac9838b3c694b72d.

Again, thanks a ton to everybody testing the betas and reporting bugs / improvements, with your help this is already the best release that's been published ever for OSSIM.

The betatesting process is reaching the point where we're going to freeze code and just fix bugs. OpenVAS is now fully integrated and running like a charm, the compliance framework runs out of te box for ISO27001 (install beta6, "apt-get install ossim-compliance" and go to reports->reporting server), many new directives have been added and old ones fixed. A quick warning: OpenVAS takes ages to start the first time, if it looks like it hangs during init don't worry, after maybe 5 or 10 minutes it will get through.

Next steps will be to ensure everything is working, get a new dashboard for PCI and ISO2700[12] compliance, integrate the SEM part (without signing) into the public server, put the new policy interface in place and double check distributed architecture scripts. After this release the final version, throw a party and get a couple of weeks off ;-)

I hope you enjoy this beta.

posted at: 09:29 | path: /ossim | permanent link to this entry | 7 comments |
Tags: , ,



Here comes another beta, beta #5
Fri, 03 Apr 2009

Just uploaded a new AlienVault OSSIM installer beta, Beta 5. As always, thanks a ton to everybody helping out on testing. Besides Anton, Greg, Kristian and Stephan there are many others helping, both on forums or anonymously (found some old friend's domain names in the apache log for update checks, greets to Turkiye and France ;-))

As to the actual release:
Jasperserver got updated to 3.5 (Gannt charts, finally), many bugs have been fixed, some new directives, new snort packages, new misc tools and many more. Sensor and server profiles have been updated too, as well as monit scripts and database.

I expect three more betas, which would mean around three more testing weeks. There are some key features that still need some throughout testing:

- Distributed deployment.
- Jasper tuning and sample reports.
- New policy interface (beta6).

There are two factors which we can't control but which would make this release perfect:

- Lenny OpenVAS packages.
- MySQL 5.1 making it into lenny stable.

I've already done some testing with partitions in the new mysql and the results are astonishing. Arcsight here we come :P

If you want bug Norbert Tretkowski and the guys at OpenVAS to hurry up. (Just kidding, they're all doing a great job :-))

Just a last notice: next week there will be a slowdown on updates/fixes, it's holidays around here and I'm taking a couple of days off with my lovely girlfriend. We'll be heading to the beach so while she enjoys the sun I'll be able to code towards this next relelase :D.

posted at: 19:02 | path: /ossim | permanent link to this entry | 2 comments |
Tags: ,



Teaser screenshots on beta4 + SEM + future
Fri, 27 Mar 2009

After the short break in doing useful things here a quick teaser on how the sem looks inside today's beta4 (will be uploading this afternoon and post the link tomorrow). Enjoy :-)

SEM with the new interface
(Click to enlarge)

Next, (not included yet in beta4) the new policy:

Policy with the new interface
(Click to enlarge)

Finally, (not included yet in beta4) the new host group configuration:

Host Group Configuration with the new interface
(Click to enlarge)

posted at: 09:37 | path: /ossim | permanent link to this entry | 2 comments |
Tags: ,



Power failure at service provider - ossim.net and alienvault.com downtime
Fri, 20 Mar 2009

Just wanted to write that we're back up. Have had the host hosting ossim and alienvault down for some hours, it seems like there's been a short power outage on the provider side, and then the pf firewall on the openbsd host went back in some sort of "block everything" mode. Adding to that apache didn't start with ssl enabled and good bunch of the mysql tables had crashed too. Aaah, and it's supposed to be holiday here today ;-).

Good luck to Mike and the people at m5hosting getting everything back up and running.

Update 20090320: Everything seems fine now and I must say I'm very pleased with how they did handle all of thhis at m5. I wanted to post this diagram reflecting the power infrastructure at the provider for those curious, I for myself have never had a second thought about how actually a large datacenter could look at power level. The post-outage report also makes for some interesting read.

posted at: 11:07 | path: /ossim | permanent link to this entry | 0 comments |



Installer 1.2 beta3 available
Thu, 19 Mar 2009

And another quick post. New beta is out, thanks a ton to everybody reporting bugs. This time there aren't big change, but a ton of small glitches have been fixed. Grab it here.(550MB aprox). As the last time, updates will focus on a beta3 base although they should work fine with others too.

posted at: 08:45 | path: /ossim | permanent link to this entry | 0 comments |



Tutorial 8: OSSIM + JAsperServer + iReport Tutorial
Tue, 17 Mar 2009

This eigth installment of the tutorial series will focus on a feature which will be revolutionary for OSSIM for sure: tight jasperserver integration for custom/periodic reports with the guarantee of a strong BI suite. The upcoming installer release will include both Tomcat as well as JasperServer ready to use and with sample preloaded reports and datasources. (Note: Installer beta2 users can already test some of this out, although no real tight integration until beta4 will be in place).

If you haven't heard about JasperServer nor iReport you can them check out JasperServer and iReport for some background. Quoting those two pages:

"JasperServer is a high-performance business intelligence platform and report server designed for developers and businesses. Deploy JasperServer when end-users need to create their own ad hoc queries, reports, charts, crosstabs, dashboards, or it becomes necessary to secure, store, schedule, distribute, share, drill-down, or interact with reports."

"iReport is a graphical report tool for report designers, developers, and power-users. iReport provides complete coverage of all the reporting capabilities in JasperReports, JasperServer, and Jasper4Salesforce, including the creation of parameterized reports, pixel-perfect production reports, and remote JasperServer repository management".

I'm no jasperreports expert myself, I used it for report creation and I'm sure there are tons of tips and tricks experts can provide. Any comments and feedback that help improving this article will be greatly appreciated :-)

During this tutorial the following steps will be covered:

  • OSSIM - iReport - JasperServer integration
  • Assumptions
  • iReport download and setup
  • OSSIM for iReport setup
  • Sample report: top events by risk/ocurrence.
  • Uploading this report to jasperserver
  • What to do next?
  • Tips and Tricks.
  • Sharing your work/fun: the Alien Forge.


::read more

posted at: 11:25 | path: /ossim/tutorials | permanent link to this entry | 2 comments |
Tags: , ,



Installer 1.2 beta2 available
Sat, 07 Mar 2009

Just a quick notice about beta2 being out. Tons of bugs have been this weeks, cheers to everybody helping. Updates for the upcoming week should apply to both but will be focused on beta2(550MB aprox).

Among the fixes, there are:

  • Forensics panel visual and functionality fixes. Click here for a teaser.
  • New auto-update notification. When enabled the system checks for rule/directive/plugin or code updates once a day, presenting a visual notification to the user about the update and it's contents.
  • Snort should work fine now. Included some custom AlienVault rules for directives.
  • About 20 new high-quality correlation directives detecting real world threats.
  • Plugin .cfg and .sql fixes.
  • Ossim configuration menu fixes (issue ossim-setup from commandline in order to check it out).
  • Many bugfixes.

posted at: 08:28 | path: /ossim | permanent link to this entry | 3 comments |



Upcoming Installer testing version
Sat, 28 Feb 2009

I'm proud to announce the availability of the first public testing release of the upcoming installer. We're in final stages of testing now, and tho there are still known issues it's time to get community feedback on it. Many many thanks to anybody willing to help test this iso. Please keep in mind that it's a testing version, not intended for production. We can't even ensure that at the end of the testing period there will be a seamless upgrade into the stable distribution ;-)

First a quick note on versioning. The new installer will have two versions, one for each architecture:

  • Installer 1.2: amd64 (that is, most of the 64bit capable processors out there, including Xeons).
  • Installer 1.1: i386 (old 32bit).
  • Our intention, right now, is to maintain the 1.1 as long as needed and focus on the 1.2(64bit). Functionality will be exactly the same (if it doesn't involve too much work, we've got limited resources. Jasper/Tomcat integration for example will be limited to 1.2) on both but our development platform is entirely 64bit based due to performance reasons, so there might be a slight delay.
    We're not excluding anyone tho, we're going to maintain updates for 32bit while there is a large enough user base on it and 32bit users can test the 64bit version on vmware without problems.

    The installer testing version can be found at http://data.alienvault.com/ossim-installer_1.2.beta1.iso. Next I'll list how to install it (along with update guidelines), known issues right now (and how to report new ones) and a short list of some of the stuff included in this release.


    Download it

    Highlighting the download: http://data.alienvault.com/ossim-installer_1.2.beta1.iso.


    Installing it

    Grab the iso, install it. After installation, in order to get a clean testing and updating environment (we're working on solving this right now) issue an:

    apt-get remove ossim-cd-setup
    
    This will erase the monstrous package we used before, leaving the files tho (since they're uncompressed from within a .tgz). More on this later.
    After this:
    apt-get update; apt-get upgrade
    
    You might get an gpg inoxious error; I'm working on getting the packages gpg signed, thanks Jonathan for the script when it arrives :-))


    Bugtracking/reporting

    We did setup a specific forum for this. Please post any discovered bugs in there, and please check the rest of the 1.2 forum in case somebody might have reported the issue before.
    Before reporting a bug please issue an "apt-get update; apt-get upgrade", your bug might have been fixed.


    Known issues

    There are several issues that I'm aware of right now, which I'm working on:

    • Jasperserver password change might break jasperserver.
    • SEM doesn't work out of the box (haven't commited the code to the cvs yet).
    • /home/ossim/dist/ doesn't get cleaned up.
    • Creating new tabs breaks existing tabs at executive panel.
    • Memory issues (adding tomcat to the mix didn't help the already large memory requirements)
    • Passwords doesn't get changed / adapted for everything.
    • the reconfig bug when passwords contain "&, ', ; or \"" is still present.
    • repository is missing gpg signatures


    Feature highlight

    There are many things we'll be proud of this new release, just to name a few (all of them will be provided before the final release via updates):

    1. Completely new forensics console. Based on ACID and BASE we decided to incorporate the code into our own cvs; we just have too many specific needs and need to cover them. Check out the following screenshots:
    2. Disk based event storage (a.k.a. SEM) (will be updating a screenshot asap)
    3. Interactive risk maps (seen them before)
    4. Reporting plugins using JasperServer. This will be a major breakthrough, allowing for easy to share reporting plugins, scheduled reports, auto-emailing of reports and much more.
    5. Shellcode interpretation plugin for forensics.
    6. OSSEC 2.0
    7. Many new plugins.
    8. Updated directives, cross correlation and inventory correlation tables.
    9. Complete debian package based update/upgrade mechanism, including offline updates. No more custom ossim-updates.
    10. Many more...

    We want this release to be as good as possible, and your feedback is crucial for that. Please download it, throw it into a VM, make your evil tests and report back on the forum thread mentioned above.

    Enjoy.

    posted at: 16:41 | path: /ossim | permanent link to this entry | 0 comments |
    Tags: , , , , ,



    Categories

    / (57)
        code/ (1)
        feed/ (1)
        friends/ (1)
        ossim/ (37)
            installer/ (3)
            plugins/ (2)
            tuning/ (3)
            tutorials/ (8)
        personal/ (16)
            campus/ (2)
            opinion/ (1)
            travel/ (1)
        rants/ (1)



    Dominique Karg
    (feel free to get in touch)
    Friend's blogs:








    RSS




    < June 2009
    MoTuWeThFrSaSu
    1 2 3 4 5 6 7
    8 91011121314
    15161718192021
    22232425262728
    2930     




    Archives

    2009-Jun
    2009-May
    2009-Apr
    2009-Mar
    2009-Feb
    2009-Jan
    2008-Dec
    2008-Oct
    2008-Aug
    2008-Jul
    2008-May
    2008-Mar
    2008-Feb
    2008-Jan
    2007-Dec
    2007-Nov




    Tags




    Made with PyBlosxom