Of Dragons, Elephants & Aliens: A decade of OSSIM

April 16, 2013 | Dominique Karg

2003-2013

With the launch of our new Unified Security Management virtual appliances, it’s hard not to look back at the origins of our ‘baby’, OSSIM, which spawned both our company and our commercial USM platform. Join me for a little nostalgic walk down memory lane…

It’s been almost 10 years since we published on Sourceforge.net the first compressed package, containing just the source files, of what would grow into the AlienVault OSSIM of today.

The INSTALL file started like this to give you an idea:

In order to get os-sim up and working you need (at least) the following, satisfying all their dependencies:

  • Mysql 4.0.13
  • OpenNMS 1.0.2
  • PostgreSQL 7.3.2
  • Tomcat
  • Ntop 2.2.0 (patched, patch included)
  • A bunch of perl modules
  • A working experimental rrdtool release (1.1.0)
  • Apache 1.3.28, php 4.3.2.
  • Snort 2.0
  • Spade
  • Nmap 3.27
  • Acid v0.9.6b20
  • Mrtg 2.9.29

Eat that. I especially love the “at least”, because I remember there was more. Most of it you had to compile from scratch, some of it required cross-linking or patching (rrdtool against many, spade into snort), etc…

I’ll be the first one to admit that I learned most of what I know about software development by doing it, and by doing it on OSSIM. And I didn’t learn the KISS principle until many years after starting the project.

Bottleneck 1: Pure compilation

2004

Looking back, there were two tools and their respective installation methods that inspired me at the beginning of coding OSSIM, in relation to installation and customization: NFR and Dragon.

With NFR you’d insert a bootable CD into a computer, it’d dump everything onto the system converting it into sort of a black box. Dragon was the opposite. You had very specific requirements, had to fight your way through dependencies, things would break, but – oh wonder of wonders – you could hack things together and make it do what you wanted. With this in mind, my thinking was clear: the extremely difficult OSSIM install was just another step for users to get familiarized with everything and they should be happy about it. Fortunately the world doesn’t work like that and I’m not the only one who steered away from that philosophy ☺.

So, after listening to feedback and knowing someone would cast us into GNU/Hell at some point if we continued down that path, we thought: ok, let’s at least package this stuff. The reason why we chose Debian is because the only one that had the guts to take on this task was David Gil, and Debian is/was his favorite distribution, so .debs it was ☺.

Bottleneck 2: Tool interaction

2005

So, with the packages out and delivered we told ourselves: we did it, now everyone downloading OSSIM will be able to install it, use it, contribute back and this will be happier than a good old fashioned baby boom. Wrong.

We had just moved the bottleneck a little bit further down the user experience. People would be able to install the 30+ packages now, but there would be absolutely no interaction between them until you tweaked the 60+ configuration files and database entries by yourself.

So, of course, we needed better documentation.

Bottleneck 3: The neverending story

2006

We did pride ourselves on the many different things that we could do with OSSIM. In fact, I remember thinking: “I love it when people come up with a new use of the correlation engine which I would’ve never thought about”. The consequence of this, though, was that we had to try to contemplate every single use case/possibility in the documentation and forums, thus driving ourselves nuts (it drove me nuts at least; I’d answer posts non-stop day and night, every day of the week, until I’d burn out, walk away and come back to the forums months later).

There was no way we could handle all the possible use cases through documentation; it was time to make things simpler.

Intermission

2007

In March of 2007 AlienVault was born by popular demand. Well, not quite, but the amount of requests for paid support, customization and similar services made it a no-brainer to start a company, and that’s exactly what we did.

One of the tightest secrets around the company is the origin of its name, AlienVault. There are many versions of this story, some more accurate than others, but here’s mine: it was pure randomness, as so many things in life are. I had a little script into which [co-founder] Julio (Casal) and I fed two word lists, one made of innovative terms and one of established words related to security. The script would generate pairings of the innovative, or “cool”, words with words from the second list of established security terms (the “serious” words). We got halfway through the “a’s” on the cool list when we hit upon a word combination, Alien Vault, whose trademark, brand and domain names were available worldwide. But this can’t be the truth, can it? :P

Bottleneck 4: The benevolent dictatorship

2008

We introduced ossim-reconfig at this point, a tool that would edit all the different files and database entries, recompile executables with the right IP addressing, create installers for agents, etc.

On paper and for a while it was wonderful, but guess what -- users still managed to break things and we still had not addressed the most fundamental problem: I have this thing installed, now what can I do with it and what will it do for me?

We had a handful of extremely happy users who were hardcore coders/hackers/security analysts themselves and could fix stuff on the fly, wouldn’t mind debugging some previously unheard-of use case, would work around the reconfig stomping on their fixes and so on.

This definitely had to end, so what options did we have left? Well, a virtual machine for one, and an installer for the other part.

Bottleneck 5: Updates

VMOSSIM Flashback: 2006

2009

I remember VMOSSIM with nostalgia. It was fun to set it up for the $100K VMware challenge (which I still don’t know why we didn’t win), set up the torrent distribution and see how the activity on the forums and the user involvement grew exponentially. Aaah, the good old days. But soon reality caught up again: a new release was due, a new VMOSSIM came out, but users didn’t want to start again from zero on every update.

This time we knew we had the solution: an easy to use installer with a reconfiguration tool that would allow updates through packages, would make things easier to use but still appeal to the power user. I don’t have to tell you that we got it wrong again, do I?

Bottleneck 6: I hate hardware

2010

So with all this in place, the usability bottlenecks were shifting again and we now had two separate camps: users with hardware problems and users who still got lost in security management.

At this point we were already deeply into a commercially backed open source software model with AlienVault, so making people use our software was not only a matter of pride but a matter of paying salary at the end of the month.

Bottleneck 7: Price

2011

Every time I saw pricing on alternative solutions from other SIEM vendors, I thought, “this is abusive, what a way to exploit a necessity”. I won’t point my finger at any particular competitor, but let’s say that their outrageous licensing prices haven’t helped in getting SIEM to be mainstream at all.

Finally: virtual appliance

2013

So, with price nowadays being an important factor, we get to the following list of requirements, learned through experience and banging heads against walls (remember, during more than half of OSSIM’s 10-year history we did not have a strong, dedicated customer-oriented mindset; it was all for the “love of art” and the fun of it):

  • Clear purpose(s)
  • Ease of installation
  • Ease of updating
  • No hardware issues
  • Clear documentation
  • Free and paid assistance

Well, it only took us 10 years to meet all of the above criteria, but with 4.2 I can now with a clear conscience say: we did it. And I’m proud of the team that made it possible, of the customers who pushed us in the right direction, of the users who made it through hell and back with us and, in general, of everyone who understands the complexity of such a monumental project and supports it in every phase. Thank you all for jumping on the train at some point or other during this journey, and to those who have now been riding with us for a shorter amount of time let me tell you: the seats were not always leather, meals and drinks were not always included, but the crew has always been the best you can get.

Cheers, guys, to 10 years of fun and awesomeness, and here’s to 10 more!

Dominique Karg
