DK 'Log


Happy new year
Wed, 30 Dec 2009

Just a short post in order to wish everybody a happy 2010. 2009 has been an awesome year for OSSIM and 2010 promises to be even better; I hope it has been the same for all of you too. I'll post an update on that after the holidays.

As said, happy new year! :-)

posted at: 17:54 | path: /personal | permanent link to this entry | 0 comments |



Back from vacation, status update and a shameless plug :-)
Thu, 24 Sep 2009

The school year is starting again, and that's how I felt too after coming back from the beach :-). Relaxation time is over though, and there's a lot of exciting stuff going on around AlienVault/OSSIM.

First of all I'd like to mention our new look&feel. After releasing 2.1 we decided the website should undergo a long-needed revamp, so here it is. As you may have noticed too, we unified the look of the original ossim.net site and integrated it into the community section, very much like MySQL does (we were inspired by them, actually).

Another important addition is the new Roadmap. Now that we're becoming a serious project with a serious company behind it, we've got to take care of things like these, which we might have neglected in the past.
You'll see that the next major release, 2.2, is scheduled for the 15th of February 2010. We're already working on the items planned for that, and I wanted to share a quick screenshot of what will be the unified report for hosts and networks. Basically you'll be able to right-click on any host anywhere on the system and get a quick overview of everything that the system knows about it. Here are two quick screenshots (work in progress, of course):

[ Screenshot 1 | Screenshot 2 ]

Anyway, this is just one of the many improvements there will be, so stay tuned...

Now comes the shameless plug. As part of the website redesign we also started to launch the online courses and training at elearning.alienvault.com. Right now there are only two courses available, the "OSSIM Essentials" and "Build your own plugin" ones. If this initiative succeeds we'll continue to invest in it and prepare all the others, which in the end should cover all the material covered by the classroom courses.
Prices are really cheap as a promotion, 50 euro for around 3 or 4 hours' worth of training, and although I'm biased I think they really do a good job of introducing OSSIM to those who are new to it, even if they lack deep computer or security skills.
So, if you're interested or know someone who could be, please give it a try. It's worth the money, we put a ton of work into it and it will help support your favourite SIM *grin*.

And here ends the plug and the post. I'm working right now on a plugin wizard which I'll be talking about soon. Once finished it will raise the number of plugins available for OSSIM by around 2000 ;-)

posted at: 09:33 | path: /personal | permanent link to this entry | 0 comments |



Little BiG Planet tribute
Mon, 27 Jul 2009

If you haven't played Little BiG Planet before, I must say it's an incredibly fun, original and refreshing game to play. A bit short though, but it's supposed to benefit from community content, which I haven't tested.
Warning: don't read any further if you're under 18 (or was it 21?) and/or don't have much of a sense of humour.

This morning while walking back to my seat I had a look at how our poor Elmo ended up after the whole financial crisis stuff, and he resembled the Sackboy from LBP a bit. Here's a pic of him:

There's a whole bunch of addons we've unlocked for him, ranging from the AntiSwineFluMask to the beach sandals, his flags denoting various political and sexual orientations, his lupanar flyer or his RJ45 directly into the brain.

See you at the webinar this Thursday ;-)

posted at: 08:52 | path: /personal | permanent link to this entry | 0 comments |
Tags: fun, elmo, lbp



Can OSSIM be considered a SIEM? Is it enterprise ready?
Sat, 20 Jun 2009

The story starts as follows. A couple of years ago Dr. Anton Chuvakin (for those who might not know him, a well-renowned security professional and speaker) made a prediction for 2006: that a Credible Open-Source SIM would not arrive.

A year later he said this goal hadn't been reached (as predicted). I remember being quite pissed off and upset at that time, but his point was right. Development had been slow, we didn't have resources and everything was a bit stalled. But that has changed, AlienVault is about two years old now, we made a huge step forward and I think OSSIM is nowadays more than S/MB as well as Enterprise ready. (And sadly our resources are still very limited compared to those of Arcsight, Symantec or others.)

Yesterday I followed a couple of quick Twitter exchanges, from which I'd like to quote the most significant ones:

  • I agree but S/M of SMB probably won't have the capabilities to run something like OSSIM and it's not robust enough for Ent.
  • @anton_chuvakin mind you, I simply asked if OSSIM had the potential, not that it was there yet... as always, I wonder, isn't there a better way?
  • @falconsview Re: opn src #SIEM Well, show me a sizable deployment (and not one hand-built by its creators) and I will believe you.
  • @anton_chuvakin Will you change your mind about opensource SIEM if I get you access to a sizable deployment not created by its authors ? :P
  • @dkarg Re: open src #SIEM Yes, I probably will.

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

  1. OSSIM is not a SIEM.
  2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise.

Well. Guess I'll have to prove them wrong ;-). And on top of that, I'm not pissed off, so I guess I'm growing up :-)).

So what do I need? I myself have received news/feedback about pretty big OSSIM installations and have had my hands on another bunch of them, ranging from 100-person real estate companies to >40000-PC government environments with distributed deployments and thousands of events per second (this last one using the COSS version, of course). But the point, as mentioned by Anton, is that we don't have our hands on it: the testimonial has to come from someone who's got a deployment running that is not managed by us. Both S/MB and large enterprise deployments are valid, since there are two points to prove. I'd really like to hear from a large company which is supposedly using Splunk+OSSIM; I can't say the name, but that would be a good example :-).

So, if any of you reading this is in that situation, please let Mr. Chuvakin and Mr. Hay know about it so they can hopefully change their minds on the subject. There's contact information on their respective homepages. Otherwise I'll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, "there is no spoon").

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday; thanks everybody for attending and apologies for the, well, mishaps. I got quite nervous, the next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

posted at: 07:03 | path: /personal | permanent link to this entry | 6 comments |
Tags: siem, ossim, smb, enterprise



A small victory against abusive copyright holder practices
Mon, 20 Apr 2009

I wanted to share this news entry with everybody visiting this site. This has very little to do with OSSIM or AlienVault and of course this is my own opinion, not necessarily shared by them.

A week ago I read about the sad sentence convicting those who run the Pirate Bay torrent tracker site. Now I'm pleased to see that not everybody has sold their soul to what's "supposed to be politically correct": Telenor, the Norwegian ISP hosting The Pirate Bay, has told the copyright lawyers to shove their demands where Long John Silver couldn't see 'em even with his good eye and a very long spyglass.

My sincere admiration (to both the TPB admins and Telenor); I'm pre-ordering my support t-shirt right now :-)

More information here.

posted at: 18:26 | path: /personal | permanent link to this entry | 0 comments |
Tags: telenor, copyright, piracy



Finally someone accepted me in their certification!
Wed, 01 Apr 2009

I just became a proud Certified ASS, that is, Certified Application Security Specialist (don't get the wrong idea). Just check the official badge on the right :-)

To all those collecting CISAs, CISSPs, CISMs and so on, I whole-heartedly encourage you to also become an ASS. Become an ASS today; quoting the foundation's site:

  1. No need to study - Candidates use our exclusive certification process to prove their Stated History of Individual Training via self-validation, which reflects their real-world experiences.
  2. No need to take exams - After self validation, candidates agree to the Oath of Office and Code of Ethics. This process ensures only the most experienced ASS achieve certified status, without the need for a test.
  3. Lowest Cost - There is no cost to become a Certified ASS! While many candidates have long been considered ASS's, they can now validate that claim with true certification at no cost.
  4. Reflects the real world of security - By eliminating costly training programs and standardized tests, the Institute created a process that matches the standard management, processes for enterprise application security, and consistent with today's industry best-practices.

What are the benefits to employers?
  1. No need to pay for costly employee training.
  2. Be assured that you only employ the highest quality ASS's.
  3. Guarantee compliance with all regulations and industry standards.

posted at: 20:15 | path: /personal | permanent link to this entry | 4 comments |
Tags: certification, joke, ass



How to make good friends
Fri, 27 Mar 2009

I just wanted to share a quick mail we received tonight at AlienVault. I'm hiding the user's identity until he grants me permission to disclose it, which I doubt he'll do, btw.

The mail read as follows:

Subject: Port scan from you guys to my server from 207.158.15.208. Cease and desist.

I installed your ossim product and now you are port scanning my servers?

You are scanning [insert FQDN here] servers right now and I am picking
it up on my IDS coming from 207.158.15.208.

Can you explain why you would be doing this?

You had better have a good explanation or I guarantee your company
will be written up in all the security publications I write in and I
will recommend that nobody ever use your product.

Amazing, isn't it? No previous contact, no double checking, nothing; just going ahead, threatening, menacing and being bold.

Well, here goes the answer. As said, this is my very own opinion and the company (AlienVault) has nothing to do with it.

Just for the record, before replying I logged into the above host, checked for unauthorized access, ran several tcpdumps and checked the logs for his domain. Clean. Oh, and I'm going to call the user "Hugo" after a big-mouthed president with the same name.

Hello Hugo,

have you ever heard about kindness going a long way? Well, it usually works.

If you had kindly requested information about this, either on the
forums (where hundreds of happy users would've been eager to answer
you), on IRC, or even at this contact address, I'd have answered with
a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an
automatic, free, nessus plugin feed which gets checked on a daily
basis. Due to the huge amount of users we've got we noticed rsync
starting to duplicate itself, launching multiple instances which in
turn get denied, provoking some sort of false positives". I even
would've offered you help on sorting it out if that weren't the cause,
which I'm pretty sure is.

But... here you come, threatening, menacing with bad manners. So the answer is.

Hugo, I encourage you to post the above mail to all the security
publications you write in. I'm sure your mail has the potential to
become one of those long-lasting laughs which will be used as
openings in security conferences all over the world for the next few
years.
And not only that, I offer you to also publish it on the ossim
forums. I for sure will post it on my blog (no worries, unless you
grant me permission to do so I'll hide your name and mail) for other
fellow users to comment on it.

And, on top, I offer you a free refund for OSSIM. Oh, wait, you
haven't paid a single cent for it...

So please, just deinstall OSSIM right now, that will solve both our
problems or I guarantee your name will be written up in all the
security publications I write in and I will recommend that nobody ever
lets you use their product. I'd feel bad coding OSSIM and knowing that
you would benefit from it.

With kind regards,

Dominique Karg

PS: Any views or opinions presented in this email are solely those of
the author, that is, me, and do not represent those of the company.

Things like these keep open source developers motivated. *sigh*

Update 2009/03/27: the story goes on.


posted at: 08:34 | path: /personal | permanent link to this entry | 5 comments |
Tags: funny, rude



R.I.P. Elmo
Tue, 10 Mar 2009

We've got bad news. Our former CEO/CTO/CSO/COO, or whatever his role was, decided to quit the company in a somewhat... harsh manner.
With us in the final stages of a release, and after his recent losses due to the global crisis, he decided to drop. *Mourn*


posted at: 14:33 | path: /personal | permanent link to this entry | 4 comments |
Tags: elmo, suicide



A fairy tale about bank robbery - Un atraco con final feliz
Sat, 28 Feb 2009

This is a short description of what happened to my girlfriend at a bank recently. It's not about millions, it's a small sum of money, but the way the bank tried to steal it from us is outrageous. I'll write it (as an exception) in Spanish, since it happened here in Madrid at a "Banco Santander" office. I'll write a short summary in English at the end :-)
This is no rant. I'm complaining about bank abuse and I've got no newspaper or anything similar where I can publish it.


What happened

This is the unadorned account of how Banco Santander recently tried to rob my girlfriend of everything she had deposited in the bank. As I already said in English, this is no tantrum; I want to report a robbery but I have no better place to do it.
On to the story...

Six months ago we opened an account for her mother, who lives abroad, so she could receive her pension. To celebrate this memorable occasion, we deposited 50 euros into the account as a welcome for her mother.
What a great idea that was....

Six months later, after inquiring about international transfer fees, it turns out that it doesn't pay at all to deposit the money in Spain and transfer it to her; it's better to pay the "revolutionary tax" of the destination country directly. So we decided to close the account and use those 50 euros to buy clothes for her nephew (my girlfriend's), who is going through a "complicated" family phase.
We requested the cancellation and... oh surprise, we have to pay 8 euros and some cents in order to cancel the account, having of course already lost the 50.
The kind teller explains it to us: yearly settlement, 27 and something. Card issuing fees (for a card we never received nor used), 12 euros. Cancellation fees, 17 euros. Total: we owe 8 euros to a bank that has held 50 euros of ours for 6 months without giving us anything in return.

Here there should now follow a long list of bitter complaints about the financial system, the banks, and the politics of shabbiness and meanness that dominate our society nowadays, but let's leave it there.
The kind teller, after consulting with the branch manager, decided to refund us the full amount given how outrageous and absurd the situation was, so in the end the experience was positive after all. My deepest respect for this act of humanity, and likewise my deepest contempt for those who support and promote this kind of covert scam. No wonder Santander posted profits of 8876 million in 2008.


English synopsis

Long story short. We opened an account (at Banco Santander) six months ago, deposited 50 euros, and wanted to cancel it last week after not having used it because international transfer fees were way too high at this bank; to our immense surprise, not only had we lost the 50 euros but we were supposed to pay an additional 8 euros to cancel the account. They charged us 27 euros of yearly maintenance, 12 euros for a credit card we never received nor used and another 17 as cancellation fees. The story had a happy ending though: the nice people at the bank decided on their own to give us our 50 euros back without charging us anything, nice move :-). Aaah, and as a side note, this bank had a net profit of 8876 million last year.

posted at: 13:47 | path: /personal | permanent link to this entry | 1 comments |
Tags: bank, santander



Facebook
Thu, 04 Dec 2008

Although I'm not a big fan of all those social network thingies, I joined Facebook in order to check on a friend's pictures. While there, I decided to create a group for OSSIM in order to check in on fellow OSSIM users in a more "informal" manner, as opposed to LinkedIn.

If you're curious about other users using OSSIM, feel free to join: http://www.facebook.com/group.php?gid=42954697060.

Cheers all :-)

posted at: 11:17 | path: /personal | permanent link to this entry | 0 comments |
Tags: social, networks



Dominique Karg
(feel free to get in touch)