DK 'Log


AlienVault/OSSIM Job Opening: Documentation Writer required.
Sun, 23 Aug 2009

Hello all,

we're looking for somebody to assist us in the elaboration of documentation around OSSIM, its components and Open Source Security in general. We require strong knowledge both in English written skills as well as experience on OSSIM. We are willing to pay on a per-work basis up to 3000 or 4000 . a month, with an option to get a permanent contract if the initial work is satisfying.

I don't want to sound harsh, but the two aforementioned requirements are a must and a strong filter. The English has to be perfect (much better than mine of course :-) ) and knowledge of OSSIM has to be deep, based on interest and/or experience already present before reading this job offering. I mean, even if your English is perfect don't try to download OSSIM, check out a couple of things and apply, or if you know lots and lots about OSSIM don't start with an intensive English course.

If you're interested we'd like you to send in a sample of your work along with a curriculum vitae. We don't care about your nationality or where you are located; the payment will remain the same of course. The sample we're asking for would be to document the current alarm section (Incidents->Alarms). Think about a user that's new to OSSIM, clicks on the help in order to see what that alarm panel means and gets to that document you've written. The desired document format would be pdf, although when documentation gets live some sort of wiki is going to be used. Remember, there are three things that should excel in this sample:

  • We should raise our eyebrows in awe at your English written skills.
  • We should be impressed by the deep knowledge of OSSIM that we can see in those words.
  • On the other hand, this is no technical document, it should be clear for a new OSSIM user with little or no previous SIEM experience.

Please send this sample to "jcasal" and "dk", both at the alienvault.com domain. If you include "OSSIM Documentation Writer" in the subject you'll ensure it will reach us asap :-).

Good luck!

posted at: 07:46 | path: /ossim | permanent link to this entry | 0 comments |
Tags: alienvault, ossim, job



Can OSSIM be considered a SIEM? Is it enterprise ready?
Sat, 20 Jun 2009

The story starts as follows. A couple of years ago Dr. Anton Chuvakin (for those who might not know him, a well renowned security professional and speaker) made a prediction for 2006: that a Credible Open-Source SIM would not arrive.

A year later he said this goal hadn't been reached (as predicted). I remember being quite pissed off and upset at that time, but his point was right. Development had been slow, we didn't have resources and everything was a bit stalled. But that has changed and AlienVault is about two years old now, we made a huge step forward and I think OSSIM is nowadays more than S/MB as well as Enterprise ready. (And sadly our resources are still very limited compared to those which Arcsight, Symantec or others might have).

Yesterday I followed a couple of quick twitter exchanges where I'd like to quote the most significant ones:

  • I agree but S/M of SMB probably won't have the capabilities to run something like OSSIM and it's not robust enough for Ent.
  • @anton_chuvakin mind you, I simply asked if OSSIM had the potential, not that it was there yet... as always, I wonder, isn't there a better way?
  • @falconsview Re: opn src #SIEM Well, show me a sizable deployment (and not one hand-built by its creators) and I will believe you.
  • @anton_chuvakin Will you change your mind about opensource SIEM if I get you access to a sizable deployment not created by its authors? :P
  • @dkarg Re: open src #SIEM Yes, I probably will.

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

  1. OSSIM is not a SIEM.
  2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise

Well. Guess I'll have to prove them wrong ;-). And on top I'm not pissed off, so I guess I'm growing up :-)).

So what do I need? I for myself have received news/feedback of pretty big OSSIM installations and have had my hands on another bunch of them. Ranging from 100 person Real Estate companies to >40000pc government environments with distributed deployments and thousands of events per second (this last one using the COSS version of course). But, the point as mentioned by Anton is that we don't have our hands in it, the testimonial has to come from someone who's got a deployment running not managed by us. Both S/MB as well as large enterprise deployments are valid since there are two points to prove. I'd really like to hear from a large company which is supposedly using Splunk+OSSIM, can't say the name but that would be a good example :-).

So, if any of you reading this is in that situation please let Mr. Chuvakin and Mr. Hay know about it so they hopefully can change their minds on the subject. There's contact information on their respective homepages. Otherwise I'll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, "there's no spoon").

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday, thanks everybody for assisting and apologies for the, well, mishappenings. I got quite nervous, next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

posted at: 07:03 | path: /personal | permanent link to this entry | 6 comments |
Tags: siem, ossim, smb, enterprise



Webinar around OS Security and OSSIM
Mon, 15 Jun 2009

I got talked into speaking at a webinar next week (well, we've got another one this week but it's already crowded so I'm only posting next week's link. And since this week's is my first webinar ever the second one should be better anyway), namely about Open Source Information Security: Reduce Costs while Improving Security Profile & Compliance. That's it, nice and short name as I like and love them.

I don't know how it will work out, guess it shouldn't be very boring and registration is free so if you want to join in you're more than welcome. Additionally you get something called CPE credits for attending (sounds like experience points ;-)).
Here is an excerpt from the description:

During this seminar we will describe and demonstrate the implementation of an enterprise ready system comprised of more than 15 well known Open Source tools, with the goal of showing attendees that Open Source technology can be leveraged to provide a reliable and comprehensive alternative to commercial solutions, at a fraction of the cost, without sacrificing functionality or ease of use.

posted at: 14:08 | path: /ossim | permanent link to this entry | 5 comments |
Tags: webinar, gotowebinar, ossim, issa



New Installer beta: 1.2beta6
Sat, 02 May 2009

I'm happy to announce the availability of the next beta, AV Installer beta6 (md5: 21204ecf2949a1d9ac9838b3c694b72d).

Again, thanks a ton to everybody testing the betas and reporting bugs / improvements, with your help this is already the best release that's been published ever for OSSIM.

The betatesting process is reaching the point where we're going to freeze code and just fix bugs. OpenVAS is now fully integrated and running like a charm, the compliance framework runs out of the box for ISO27001 (install beta6, "apt-get install ossim-compliance" and go to reports->reporting server), many new directives have been added and old ones fixed. A quick warning: OpenVAS takes ages to start the first time, if it looks like it hangs during init don't worry, after maybe 5 or 10 minutes it will get through.

Next steps will be to ensure everything is working, get a new dashboard for PCI and ISO2700[12] compliance, integrate the SEM part (without signing) into the public server, put the new policy interface in place and double check distributed architecture scripts. After this release the final version, throw a party and get a couple of weeks off ;-)

I hope you enjoy this beta.

posted at: 09:29 | path: /ossim | permanent link to this entry | 9 comments |
Tags: ossim, installer, beta



Here comes another beta, beta #5
Fri, 03 Apr 2009

Just uploaded a new AlienVault OSSIM installer beta, Beta 5. As always, thanks a ton to everybody helping out on testing. Besides Anton, Greg, Kristian and Stephan there are many others helping, both on forums or anonymously (found some old friend's domain names in the apache log for update checks, greets to Turkiye and France ;-))

As to the actual release:
Jasperserver got updated to 3.5 (Gantt charts, finally), many bugs have been fixed, some new directives, new snort packages, new misc tools and many more. Sensor and server profiles have been updated too, as well as monit scripts and database.

I expect three more betas, which would mean around three more testing weeks. There are some key features that still need some thorough testing:

- Distributed deployment.
- Jasper tuning and sample reports.
- New policy interface (beta6).

There are two factors which we can't control but which would make this release perfect:

- Lenny OpenVAS packages.
- MySQL 5.1 making it into lenny stable.

I've already done some testing with partitions in the new mysql and the results are astonishing. Arcsight here we come :P

If you want, bug Norbert Tretkowski and the guys at OpenVAS to hurry up. (Just kidding, they're all doing a great job :-))

Just a last notice: next week there will be a slowdown on updates/fixes, it's holidays around here and I'm taking a couple of days off with my lovely girlfriend. We'll be heading to the beach so while she enjoys the sun I'll be able to code towards this next release :D.

posted at: 19:02 | path: /ossim | permanent link to this entry | 2 comments |
Tags: installer, ossim



Upcoming Installer testing version
Sat, 28 Feb 2009

I'm proud to announce the availability of the first public testing release of the upcoming installer. We're in final stages of testing now, and tho there are still known issues it's time to get community feedback on it. Many many thanks to anybody willing to help test this iso. Please keep in mind that it's a testing version, not intended for production. We can't even ensure that at the end of the testing period there will be a seamless upgrade into the stable distribution ;-)

First a quick note on versioning. The new installer will have two versions, one for each architecture:

  • Installer 1.2: amd64 (that is, most of the 64bit capable processors out there, including Xeons).
  • Installer 1.1: i386 (old 32bit).

Our intention, right now, is to maintain the 1.1 as long as needed and focus on the 1.2(64bit). Functionality will be exactly the same (if it doesn't involve too much work, we've got limited resources. Jasper/Tomcat integration for example will be limited to 1.2) on both but our development platform is entirely 64bit based due to performance reasons, so there might be a slight delay.
We're not excluding anyone tho, we're going to maintain updates for 32bit while there is a large enough user base on it and 32bit users can test the 64bit version on vmware without problems.

    The installer testing version can be found at http://data.alienvault.com/ossim-installer_1.2.beta1.iso. Next I'll list how to install it (along with update guidelines), known issues right now (and how to report new ones) and a short list of some of the stuff included in this release.


    Download it

    Highlighting the download: http://data.alienvault.com/ossim-installer_1.2.beta1.iso.


    Installing it

    Grab the iso, install it. After installation, in order to get a clean testing and updating environment (we're working on solving this right now) issue an:

    apt-get remove ossim-cd-setup
    
    This will erase the monstrous package we used before, leaving the files tho (since they're uncompressed from within a .tgz). More on this later.
    After this:
    apt-get update; apt-get upgrade
    
    You might get an innocuous gpg error; I'm working on getting the packages gpg signed (thanks Jonathan for the script when it arrives :-))


    Bugtracking/reporting

    We did set up a specific forum for this. Please post any discovered bugs in there, and please check the rest of the 1.2 forum in case somebody might have reported the issue before.
    Before reporting a bug please issue an "apt-get update; apt-get upgrade", your bug might have been fixed.


    Known issues

    There are several issues that I'm aware of right now, which I'm working on:

    • Jasperserver password change might break jasperserver.
    • SEM doesn't work out of the box (haven't committed the code to the cvs yet).
    • /home/ossim/dist/ doesn't get cleaned up.
    • Creating new tabs breaks existing tabs at executive panel.
    • Memory issues (adding tomcat to the mix didn't help the already large memory requirements)
    • Passwords don't get changed / adapted for everything.
    • the reconfig bug when passwords contain "&, ', ; or \"" is still present.
    • repository is missing gpg signatures


    Feature highlight

    There are many things we'll be proud of in this new release, just to name a few (all of them will be provided before the final release via updates):

    1. Completely new forensics console. Based on ACID and BASE we decided to incorporate the code into our own cvs; we just have too many specific needs and need to cover them. Check out the following screenshots:
      • standard alert view
      • event trend
    2. Disk based event storage (a.k.a. SEM) (will be updating a screenshot asap)
    3. Interactive risk maps (seen them before)
    4. Reporting plugins using JasperServer. This will be a major breakthrough, allowing for easy to share reporting plugins, scheduled reports, auto-emailing of reports and much more.
    5. Shellcode interpretation plugin for forensics.
    6. OSSEC 2.0
    7. Many new plugins.
    8. Updated directives, cross correlation and inventory correlation tables.
    9. Complete debian package based update/upgrade mechanism, including offline updates. No more custom ossim-updates.
    10. Many more...

    We want this release to be as good as possible, and your feedback is crucial for that. Please download it, throw it into a VM, make your evil tests and report back on the forum thread mentioned above.

    Enjoy.

    posted at: 16:41 | path: /ossim | permanent link to this entry | 0 comments |
    Tags: alpha, beta, installer, ossim, 1.2, amd64



    NTop session query script
    Fri, 22 Aug 2008

    While coding the session monitor a couple of weeks ago I developed a quick script which could query ntop for session information. Jaime started using it for graphing now, so I thought it might be useful to somebody. Please find the code below.



    ::read more

    posted at: 08:42 | path: /code | permanent link to this entry | 0 comments |
    Tags: ossim, ntop, sessions



    An alternative solution to Tenable's Nessus Feed licensing issues
    Tue, 05 Aug 2008

    We've decided to start working on an alternative feed for Nessus after Tenable having changed licensing again.

    Excluding even non-profit organizations and testing purposes completely from the feed seems contrary to the open source spirits, so we'll be investing a considerable amount of effort and money into providing a high quality feed for everyone.

    The final workings of it are still unclear, but we're aiming at the Sourcefire model: if you subscribe you'll get them instantly, everybody else gets them with a slight delay (we're discussing a one to four week delay).

    One of the goals we've got is getting a good bunch of people interested on this and willing to participate (sort of a Consortium maybe, although we're starting it internally right now) so if you could please share this with people who could have the skill/knowledge to contribute to this, I'd be more than grateful.

    Last but not least we're looking into a way of ensuring that the effort put into this by everyone won't be abused in any ways, so if anybody has got suggestions about model/licensing/etc it would be great to hear them.

    Edit: Due to licensing warnings from Tenable I had to rewrite some terminology.



    posted at: 06:24 | path: /ossim | permanent link to this entry | 0 comments |
    Tags: nessus, ossim, legal, license, feed



    Cheers to our guys at Campus Party Colombia :-)
    Thu, 10 Jul 2008

    I'm writing these lines to cheer at my co-worker (@AlienVault) Santiago "Santi" Gonzalez, who went to Bogota for a couple of weeks in order to implement OSSIM as security event and information monitoring solution at Campus Party in Colombia.
    I know this place is lacking some "useful" content lately, but I expect to have a bit more time in a couple of weeks; have had a huge workload lately.

    Back to the party. You can check out some pictures at Flickr, it's quite of a mess but I'll try to update this entry tomorrow with some interesting pictures.

    So, as always this is a nice place to test ossim, do some benchmarks and improve some stuff. The party in Valencia is due to the end of this month and we hope we'll be there too :-)

    Last but not least, a big hug to my friends in Turkiye. Another co-worker (Juanma) has been there a couple of weeks ago doing some training; he's enjoyed it a lot and I hope the people undergoing the ossim training too.

    Edit 2008/07/10: removed links to sites that contain information about AlienVault customers.

    posted at: 08:01 | path: /personal/campus | permanent link to this entry | 1 comments |
    Tags: campus, party, ossim, colombia



    You are invited to take part in The Google Summer of Code(tm) 2008
    Mon, 17 Mar 2008

    Yay! We're proud to announce that ossim has been chosen to take part in the google summer of code program. Brian, now it's your turn ;-).
    I'll post another entry when we've got more information about how this works.

    Congratulations!
    Your organization "OSSIM: Open Source Security Information Management" has been accepted in to the 
    Google Summer of Code(tm) 2008. You have been assigned as primary point of contact and as an 
    administrator for your organization.
    please visit http://code.google.com/soc/mentor_step1.html and sign up using your Google Account.
    Thanks.
    - Your friendly Google Summer of Code administrators
    

    posted at: 20:46 | path: /ossim | permanent link to this entry | 0 comments |
    Tags: ossim, soc, google



    Interesting log collection / SIM collection document
    Fri, 01 Feb 2008
    Just a short post pointing at a very interesting study published by the "Bundesamt fuer Sicherheit in der Informationstechnik" (part of the German Government dedicated to IT Security) about log analysis. Sadly it's in German and I don't know if they're going to translate it but I wanted to point at it since OSSIM is included as one of approx. fifteen products. Get it here.

    posted at: 15:35 | path: /ossim | permanent link to this entry | 1 comments |
    Tags: ossim, comparison, analysis



    OSSIM applied to ITIL
    Thu, 17 Jan 2008

    Recently I stumbled across an interesting article talking about Microsoft, Opensource and ITIL where ossim was being mentioned. (the article can also be found googling for "ossim itil microsoft" in case the link breaks).

    I've never been very keen about learning ITIL either (although I've heard about it everywhere during the last year) but this really caught my attention. In that paper ossim gets referenced only on the "security management" section, but I think that's mainly caused by ossim being hard to install, setup and understand when that article was written, so I thought I'd give it another try from my point of view, taking the included tools into account for the different ITIL sections.

    So, the goal of this article would be to extend and improve that other article, giving a thought about how I'd approach all those ITIL recommendations from an OSSIM point of view.

    The Information Technology Infrastructure Library is comprised by two main sets and a series of subsets (from what I've read on that article and the wikipedia):

    • Service Support
    • Service Delivery

    Note: The definitions after each topic have been quoted from the MS article since they're small and concise.



    ::read more

    posted at: 17:33 | path: /ossim | permanent link to this entry | 1 comments |
    Tags: ossim, itil



    Tutorial 5: Windows event logging
    Wed, 19 Dec 2007

    The windows event log

    As an introduction to windows event logging I recommend reading the following article: Monitoring and Troubleshooting Using Event Logs. It's the first interesting one I've found after googling for an introduction.

    Quoting the article, which also talks about EventCombMT.exe which we'll mention later:

    This article reviews best practices for working with Windows event logs including how to interpret 
    event messages, how to configure event logs, how to search and filter events, how to view events on 
    remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems.
    


    ::read more

    posted at: 15:54 | path: /ossim/tutorials | permanent link to this entry | 12 comments |
    Tags: ossim, snare, ossec, compliance, eventlog



    Tutorial 4: Correlation engine primer
    Mon, 10 Dec 2007

    Introduction

    In order to answer to a recent forum post I had to do a quick research since it had been some time since I last tested this.
    The exact question was:

    Hello,
    
    Is there a document talking about how the directives are processed?  One question
    that I have is if you have multiple directives created and an event comes in
    that matches the initial states of more than a single directive will both actually
    process the event, or only the first match (which I think is the case)?
    
    Thanks for any clarification you can provide.
    
    Stephen
    

    This post gives a bit of insight to how the correlation engine works and features some simple, custom made directives that help me answer that question.

    The test environment features two events belonging to the ssh plugin (plugin_id 4003):

    • SSH password failed (plugin_sid 1)
    • SSH password accepted (plugin_sid 7)

    In order to test this I've created three directives (plugin_id 1505):

    • Test directive 21, grouping one login failure and one success
    • Test directive 22, grouping one login failure and one success
    • Test directive 23, used in the second case, grouping those two

    So, with all of this in place it was easy to simulate this by failing a login and succeeding afterwards.


    ::read more

    posted at: 12:47 | path: /ossim/tutorials | permanent link to this entry | 3 comments |
    Tags: correlation, directives, tutorial, ossim



    Tutorial 2: Syslog data mining with attached md5sum. AKA "Store 100% of data".
    Thu, 06 Dec 2007

    1. The need. The Hype.

    There's obviously a need for storing vast amount of logs, and few things today aren't able to log into syslog. So it's just obvious to stumble upon that request every once in a while, and this tutorial illustrates the OSSIM approach at massive syslog data storage. Of course, where you say syslog you can say windows event log, snmp data, whatever generates a big amount of raw data.

    Compliance

    I don't know much yet about all of this compliance stuff (I was lucky, Julio always has been much more knowledgeable on that area than me so I could skip it) but I guess I'll have to start learning, there are just too many people asking for it and I'm getting very curious.

    From what I've seen, a short list of regulations requiring, or at least strongly recommending a certain amount of raw data storage and reports are:
    • ISO27001/17799
    • SOX
    • HIPAA
    • PCI
    • Basel II
    • NIST 800-53
    • Many more...
    (Searching for SIM and compliance information I see that's a major marketing point from vendors too, well, just for the record, ossim helps you to be compliant with all that stuff)

    Centralized logging

    Maybe the need is pure sysadmin's laziness. You want to be able to answer questions you get asked by your management / customers in the easiest possible way.
    I heard this from a guy a couple of days ago: the more information about your network you've got, the more answers you can give, and that's exactly what SIM/SEM systems are good at.

    Data mining

    This is a bit redundant with the previous entry, but there are people that just don't care about exact data, but they're in desperate need of colorful graphs in order to be able to keep their bosses calm. Well, having logs from everything in your network allows for easy colorful report generation with little knowledge of the underlying data. The worthiness of those reports in the end will be highly questionable of course.


    ::read more

    posted at: 20:10 | path: /ossim/tutorials | permanent link to this entry | 11 comments |
    Tags: ossim, tutorial, syslog, compliance, plugin, agent



    Case Study: Campus Party
    Tue, 04 Dec 2007

    We've just posted a new document at http://www.ossim.com. You can see it on the right, it's a case study about a deployment we've done this summer.

    The environment was very interesting, around 6000 people doing all sort of weird things on a very high traffic and throughput environment. Get the actual document, it's marketing focused so it does have some very nice sounding phrases in it ;-).

    In a couple of months there's another campus party, this time at Sao Paulo, Brazil. I'm pretty sure OSSIM will be present there too and we'll be having fun again. (Not forgetting the hard work, I was only there a couple of days, before the event, but my two co-workers Juan and Roberto did a great job working 14-hour shifts).

    Following are a couple of pictures I took at the last event:

    posted at: 11:30 | path: /personal/campus | permanent link to this entry | 1 comments |
    Tags: campus, ossim, high-performance



    OSSIM Mobile now available ;-)
    Sat, 01 Dec 2007

    Well, kind of at least...

    Since Apple's iPhone is basically a stripped down MacosX and it has some nice toys to play with, I thought I'd give the provided python port a try and fire up the OSSIM agent. As expected everything worked like a charm and getting ossim up & running was very easy. Here is the rest of it.


    ::read more

    posted at: 18:43 | path: /ossim/plugins | permanent link to this entry | 3 comments |
    Tags: ossim, iphone, agent, plugins



    MySQL performance tuning applied to OSSIM. Case 1.
    Fri, 30 Nov 2007

    I'd like to share my first actual success on mysql tuning, after having spent a couple of days reading everything I could about the matter (and still waiting for the books to arrive).
    From what I've seen a very important point on DB optimization is the right table design, followed by the right queries and finally optimizing DB parameters. Since I don't know enough yet about optimal DB design I'll skip that phase (tho I'll definitely accomplish it during the next weeks/months) and examine some queries.

    After enabling log_slow_queries, one of the first queries popping out continuously was the following:

    SELECT *, inet_ntoa(src_ip) as aux_src_ip, inet_ntoa(dst_ip) as aux_dst_ip FROM event_tmp order by id desc limit 1;
    
    Ugly, ain't it ?

    ::read more

    posted at: 11:45 | path: /ossim/tuning | permanent link to this entry | 1 comments |
    Tags: ossim, mysql, tuning



    MySQL Performance Tuning
    Wed, 28 Nov 2007

    I've finally decided to learn everything I could about MySQL performance tuning; we're working on highly tuned appliances and this is a must for high-traffic environments.
    I'd like to share my first findings on interesting stuff and encourage comments on the matter, which seems as deep as any science.

    These last days we've been discussing this at the office and we couldn't agree on which type of MySQL database configuration was optimal for the broadest range of users.
    It's much easier to tune everything if you already know the exact environment, available hardware and so on, rather than trying to tune a database for a broad range of people going to install a product.


    ::read more

    posted at: 21:02 | path: /ossim/tuning | permanent link to this entry | 1 comments |
    Tags: ossim, mysql, database, performance



    Plugin Tree && Graph installer update
    Mon, 26 Nov 2007

    I thought I'd post a plugin tree I just hacked together here. It uses a javascript library and could be useful to someone.
    I'm not posting the complete tree here since the page is about 1MB big.

    As a little extra, below is some sample output from the graph package installer. Pablo's almost done with it :-)


    ::read more

    posted at: 14:54 | path: /ossim/plugins | permanent link to this entry | 1 comments |
    Tags: ossim, plugins, graphs



    Tutorial 1: Host Inventory using OSSIM
    Sun, 25 Nov 2007

    This post will be the first of a series of tutorials describing how to accomplish certain useful things using OSSIM. A friendly IT teacher from Oklahoma suggested that it would be a good idea, and I have to agree. And on top, it's relaxing :-).

    So here we go, this first installment will focus on deploying OCS Inventory on a couple of hosts, getting them to log to the central ossim server and see how it shows up in our interface. This will demonstrate the powerful cross-platform inventory capabilities built into ossim thanks to the new OCS integration.

    The test environment consists of 6 devices:

    • Apple 10.5 Leopard
    • Debian 4.0 Linux inside Parallels
    • IPhone MacosX
    • OpenBSD 4.x
    • Windows XP inside Parallels
    • Yellow Dog Linux running on a PS3

    ::read more

    posted at: 11:26 | path: /ossim/tutorials | permanent link to this entry | 12 comments |
    Tags: ocs, ossim, installer, tutorial



    Installer updates.
    Sat, 24 Nov 2007

    Let's get a first meaningful update running too.

    We have been working hard these last weeks to get the installer out and polish some outstanding issues. After the initial releases, our priorities are now focused on:

    • Get an updater done (will be included with 1.0.4)
    • Fix some remaining issues (two persons have reported hangs at specific OS installation stages)
    • Allow for easy installation of specific graph plugins depending on scenario (ISO, Inventory, Nessus, etc...)
    This last point has been evolving a lot and adding new custom graphs to the panel is as easy as ever. Check the screens below (once I've got them uploaded :-) ).

    In the meantime, we preinstalled OSSEC (thanks Daniel for your help), fixed the Nagios plugin, fixed rrd_plugin which was missing a config line and added Munin to the sensor pages for performance monitoring.

    posted at: 21:21 | path: /ossim/installer | permanent link to this entry | 5 comments |
    Tags: ossim, installer, graphs, ossec, munin





    Dominique Karg