While coding the session monitor a couple of weeks ago I developed a quick script which could query ntop for session information. Jaime started using it for graphing now, so I thought it might be useful to soembody. Please find the code below.

We've decided to start working on an alternative feed for Nessus after Tenable having changed licensing again.

Excluding even non-profit organizations and testing purposes completely from the feed seems contrary to the open source spirits, so we'll be investing a considerable amount of effort and money into providing a high quality feed for everyone.

The final workings of it is still unclear, but we're aiming at the Sourcefire model: if you subscribe you'll get them instantly, everybody else gets them with a slight delay (we're discussing a one to four week delay).

One of the goals we've got is getting a good bunch of people interested on this and willing to participate (sort of a Consortium maybe, although we're starting it internally right now) so if you could please share this with people who could have the skill/knowledge to contribute to this, I'd be more than grateful.

Last but not least we're looking into a way of ensuring that the effort put into this by everyone won't be abused in any ways, so if anybody has got suggestions about model/licensing/etc it would be great to hear them.

Edit: Due to licensing warnings from Tenable I had to rewrite some terminology.

I'm writing these lines to cheer at my co-worker (@AlienVault) Santiago "Santi" Gonzalez, who went to Bogota for a couple of weeks in order to implement OSSIM as security event and information monitoring solution at Campus Party in Colombia.
I know this place is lacking some "useful" content lately, but I expect to have a bit more time in a couple of weeks; have had a huge workload lately.

Back to the party. You can check out some pictures at Flickr, it's quite of a mess but I'll try to update this entry tomorrow with some interesting pictures.

So, as always this is a nice place to test ossim, do some benchmarks and improve some stuff. The party in Valencia is due to the end of this month and we hope we'll be there too :-)

Last but not least, a big hug to my friends in Turkiye. Another co-worker (Juanma) has been there a couple of weeks ago doing some training; he's enjoyed it alot and I hope the people undergoing the ossim training too.

Edit 2008/07/10: removed links to sites that contain information about AlienVault customers.

Yay ! we're proud to announce that ossim has been chosen to take part int he google summer of code program. Brian, now it's your turn ;-).
I'll post another entry when we've got more information about how this works.

Congratulations!
Your organization "OSSIM: Open Source Security Information Management" has been accepted in to the 
Google Summer of Code(tm) 2008. You have been assigned as primary point of contact and as an 
administrator for your organization.
please visit http://code.google.com/soc/mentor_step1.html and sign up using your Google Account.
Thanks.
- Your friendly Google Summer of Code administrators

Recently I stumbled across an interesting article talking about Microsoft, Opensource and ITIL where ossim was being mentioned. (the article can also be found googling for "ossim itil microsoft" in case the link breaks).

I've never been very keen about learning ITIL either (although I've heard about it everywhere during the last year) but this really caught my attention. In that paper ossim gets referenced only on the "security management" section, but I think that's mainly caused by ossim being hard to install, setup and understand when that article was written, so I thought I give it another try from my point of view, taking the included tools into account for the different ITIL sections.

So, the goal of this article would be to extend and improve that other article, giving a thought about how I'd approach all those ITIL recommendations from an OSSIM point of view.

The Information Technology Infrastructure Library is comprised by two main sets and a series of subsets (from what I've read on that article and the wikipedia):

• Service Support
• Service Delivery

Note: The definitions after each topic have been quoted from the MS article since they're small and concise.

The windows event log

As an introduction to windows event logging I recommend reading the following article: Monitoring and Troubleshooting Using Event Logs. It's the first interesting one I've found after googling for an introduction.

Quoting the article, which also talks about EventCombMT.exe which we'll mention later:

This article reviews best practices for working with Windows event logs including how to interpret 
event messages, how to configure event logs, how to search and filter events, how to view events on 
remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems.

Introduction

In order to answer to a recent forum post I had to do a quick research since it had been some time since I last tested this.
The exact question was:

Hello,

Is there a document talking about how the directives are processed?  One question
that I have is if you have multiple directives created and an event comes in
that matches the initial states of more than a single directive will both actually
process the event, or only the first match (which I think is the case)?

Thanks for any clarification you can provide.

Stephen

• SSH password failed (plugin_sid 1)
• SSH password accepted (plugin_sid 7)

• Test directive 21, grouping one login failure and one success
• Test directive 22, grouping one login failure and one success
• Test directive 23, used in the second case, grouping those two

1. The need. The Hype.

Compliance

• ISO27001/17799
• SOX
• HIPAA
• PCI
• Basel II
• NIST 800-53
• Many more...

Centralized logging

Data mining

We've just posted a new document at http://www.ossim.com. You can see it on the right, it's a case study about a deployment we've done this summer.

The environment was very interesting, around 6000 people doing all sort of weird things on a very high traffic and throughput environment. Get the actual document, it's marketing focused so it does have some very nice sounding phrases in it ;-).

In a couple of months there's another campus party, this time at Sao Paulo, Brazil. I'm pretty sure OSSIM will be present there too and we'll be having fun again. (Not forgetting the hard work, I only were a couple of days there, before the event, but my two co-workers Juan and Roberto did a great job working 14-hour shifts).

Following are a couple of pictures I took at the last event:

Well, kindof at least...

Since Apple's iPhone is basically a stripped down MacosX and it has some nice toys to play with, I thought I'd give the provided python port a try and fire up the OSSIM agent. As expected everything worked like a charm and getting ossim up & running was very easy. Here is the rest of it.

I'd like to share my first actual success on mysql tuning, after having spent a couple of days reading everything I could about the matter (and still waiting for the books to arrive).
From what I've seen a very important point on DB optimization is the right table design, followed by the right queries and finally optimizing DB parameters. Since I don't know enough yet about optimal DB design I'll skip that phase (tho I'll definetively accomplish it during the next weeks/months) and examining some queries.

After enabling log_slow_queries, one of the first queries popping out continuously was the following:

SELECT *, inet_ntoa(src_ip) as aux_src_ip, inet_ntoa(dst_ip) as aux_dst_ip FROM event_tmp order by id desc limit 1;

I've finally decided to learn everything I could about MySQL performance tuning; we're working on highly tuned appliances and this is a must for high-traffic environments.
I'd like to share my first findings on interesting stuff and encourage comments on the matter, which seems as deep as any science.

These last days we've discussing about this at the office and we couldn't agree about the type of database configuration using MySQL was optimal for the broadest range of users.
It's much easier to tune everything if you already know the exact environment, available hardware and so on, rather than trying to tune a database for a broad range of people going to install a product.

I thought I'd post a plugin tree I just hacked together here. It uses a javascript library and could be useful to someone.
I'm not posting the complete tree here since the page is about 1MB big.

This post will be the first of a series of tutorials describing how to accompliush certain useful things using OSSIM. A friendly IT teacher from Oklahoma suggested that it would be a good idea, and I have to agree. And on top, it's relaxing :-).

So here we go, this first installment will focus on deploying OCS Inventory on a couple of hosts, getting them to log to the central ossim server and see how it shows up in our interface. This will demonstrate the powerful cross-platform inventory capabilities built into ossim thanks to the new OCS integration.

The test environment consists of 6 devices:

• Apple 10.5 Leopard
• Debian 4.0 Linux inside Parallels
• IPhone MacosX
• OpenBSD 4.x
• Windows XP inside Parallels
• Yellow Dog Linux running on a PS3

Let's get a first meaningful update running too.

We have been working hard these last weeks to get the installer out and polish some outstanding issues. After the initial releases, our priorities are now focused on:

• Get an updater done (will be included with 1.0.4)
• Fix some remaining issues (two persons have reported hangs at specific OS installation stages)
• Allow for easy installation of specific graph plugins depending on scenario (ISO, Inventory, Nessus, etc...)

In the meantime, we preinstalled OSSEC (thanks Daniel for your help), fixed the Nagios plugin, fixed rrd_plugin which was missing a config line and added Munin to the sensor pages for performance monitorization.