DK 'Log

I'm not dead nor is the blog, it's just that twitter is so much easier for busy/lazy people

I intend to write four more tutorial series pretty soon, namely

• Netflow stuff
• Kismet stuff
• OpenVPN inter-component config, setup and tricks
• Multiuser samples/setup

I hope to be able to bring out one every two weeks aprox, let's see how that works.

A quick saturday update. We just released OSSIM 2.2 with a ton of new features, have a look here. New screenshots and videos up on AlienVault too.

This release is quite complex featuring a whole lot of new features as well as a rewrite of old ones. Please don't hesitate posting on the forums if you've got any doubt or catch any bug.

I know I haven't been very active on the forums myself (what the heck, weren't able to answer during the last months) but the whole devel team @Alienvault will make an extra effort there too in order to make this the best release we had so far. At a technical level it is without a doubt.

I for myself am very excited, RSA and BSidesSF next week :-))).

Hello all,

we're looking for somebody to assist us in the elaboration of documentation around OSSIM, it's components and Open Source Security in general. We require strong knowledge both in English written skills as well as experience on OSSIM. We are willing to pay on a per-work basis up to 3000 or 4000 . a month, with an option to get a permanent contract if the initial work is satisfying.

I don't want to sound harsh, but the two aforementioned requirements are a must and a strong filter. The english has to be perfect (much better than mine of course :-) ) and knowledge of OSSIM has to be deep, based on interest and/or experience already present before reading this job offering. I mean, even if your english is perfect don't try to download OSSIM, check out a couple of things and apply, or if you know lots and lots about OSSIM don't start with an intensive english course.

If you're interested we'd like you to send in a sample of your work along with a curriculum vitae. We don't care about your nationality or where you are located. the payment will remain the same of course. The sample we're asking for would be to document the current alarm section (Incidents->Alarms). Think about a user that's new to OSSIM, clicks on the help in order to see what that alarm panel means and gets to that document you've written. The desired document format would be pdf, although when documentation gets live some sort of wiki is going to be used. Remember, there are three things that should excel in this sample:

• We should raise our eyebrows in awe at your english written skills.
• We should be impressed by the deep knowledge of OSSIM that we can see in those words.
• On the other hand, this is no technical document, it should be clear for a new OSSIM user with little or no previous SIEM experience.

Please send this sample to "jcasal" and "dk", both at the alienvault.com domain. If you include "OSSIM Documentation Writer" in the subject you'll ensure it will reach us asap :-).

Good luck!

Just before vacation we're going to do another webinar in order to introduce our recently released version 2.1. It's very similar to the previous two we've done, so if you've already attended I'd suggest skipping this one (we're going to vary the content often) but for those who've missed it: meet you the 30th :-)

I got talked into speaking at a webinar next week (well, we've got another one this week but it's already crowded so I'm only posting next weeks link. And since this week's is my first webinar ever the second one should be better anyway), namely about Open Source Information Security: Reduce Costs while Improving Security Profile & Compliance. That's it, nice and short name as I like and love them.

I don't know how it work out, guess it shouldn't be very boring and registration is free so if you want to join in you're more than welcome. Additionally you get something called CPE credits for attending (sounds like experience points ;-)).
Here is an excerpt from the description:

A friend of mine is preparing a speech at a security conference this summer around OSSIM. He asked if I could get some feedback, case-studies or anything that could backup and enrichen his speech, this is what this post is for :-).

So please, should you have anything (wether it's good or bad, happy or sad) to say around OSSIM (or should you know about anybody how does) which you would like to share write to feedback@ (created the alias so I wouldn't miss anything, feedback is very important to us).

Anything from "I use OSSIM" to complete papers is welcome, tho in order to avoid confusions I'd please ask to include these couple of lines at the beginning of the mail:

Name (leave empty for anonymous):
Company (leave empty for anonymous or substitute for "english university" or "canadian oil platform" or similar):
Is it ok to tell/foward this?: yes/no (if the answer is 'no' then no one but me will know about this :P)
Is it ok to publish this on ossim.net/alienvault.com?: yes/no

Here again for copy & paste:

Name:
Company:
Ok to tell/forward?:
Ok to publish on ossim.net/alienvault.com?:

I'm happy to announce the availability of the next beta, AV Installer beta6. (md5: 21204ecf2949a1d9ac9838b3c694b72d.

Again, thanks a ton to everybody testing the betas and reporting bugs / improvements, with your help this is already the best release that's been published ever for OSSIM.

The betatesting process is reaching the point where we're going to freeze code and just fix bugs. OpenVAS is now fully integrated and running like a charm, the compliance framework runs out of te box for ISO27001 (install beta6, "apt-get install ossim-compliance" and go to reports->reporting server), many new directives have been added and old ones fixed. A quick warning: OpenVAS takes ages to start the first time, if it looks like it hangs during init don't worry, after maybe 5 or 10 minutes it will get through.

Next steps will be to ensure everything is working, get a new dashboard for PCI and ISO2700[12] compliance, integrate the SEM part (without signing) into the public server, put the new policy interface in place and double check distributed architecture scripts. After this release the final version, throw a party and get a couple of weeks off ;-)

I hope you enjoy this beta.

Just uploaded a new AlienVault OSSIM installer beta, Beta 5. As always, thanks a ton to everybody helping out on testing. Besides Anton, Greg, Kristian and Stephan there are many others helping, both on forums or anonymously (found some old friend's domain names in the apache log for update checks, greets to Turkiye and France ;-))

As to the actual release:
Jasperserver got updated to 3.5 (Gannt charts, finally), many bugs have been fixed, some new directives, new snort packages, new misc tools and many more. Sensor and server profiles have been updated too, as well as monit scripts and database.

I expect three more betas, which would mean around three more testing weeks. There are some key features that still need some throughout testing:

- Distributed deployment.
- Jasper tuning and sample reports.
- New policy interface (beta6).

There are two factors which we can't control but which would make this release perfect:

- Lenny OpenVAS packages.
- MySQL 5.1 making it into lenny stable.

I've already done some testing with partitions in the new mysql and the results are astonishing. Arcsight here we come :P

If you want bug Norbert Tretkowski and the guys at OpenVAS to hurry up. (Just kidding, they're all doing a great job :-))

Just a last notice: next week there will be a slowdown on updates/fixes, it's holidays around here and I'm taking a couple of days off with my lovely girlfriend. We'll be heading to the beach so while she enjoys the sun I'll be able to code towards this next relelase :D.

After the short break in doing useful things here a quick teaser on how the sem looks inside today's beta4 (will be uploading this afternoon and post the link tomorrow). Enjoy :-)

(Click to enlarge)

(Click to enlarge)

(Click to enlarge)

Just wanted to write that we're back up. Have had the host hosting ossim and alienvault down for some hours, it seems like there's been a short power outage on the provider side, and then the pf firewall on the openbsd host went back in some sort of "block everything" mode. Adding to that apache didn't start with ssl enabled and good bunch of the mysql tables had crashed too. Aaah, and it's supposed to be holiday here today ;-).

Good luck to Mike and the people at m5hosting getting everything back up and running.

Update 20090320: Everything seems fine now and I must say I'm very pleased with how they did handle all of thhis at m5. I wanted to post this diagram reflecting the power infrastructure at the provider for those curious, I for myself have never had a second thought about how actually a large datacenter could look at power level. The post-outage report also makes for some interesting read.