  • AlienVault v5.4 Functional Release

    As of Wednesday, June 28 2017, AlienVault USM and OSSIM v5.4 are generally available to all existing and new customers. Users can update their systems through the console or the web UI (see the upgrade instructions for more information). Customers using the Managed Appliance Service: please note that AlienVault Support will contact you to schedule your update.

    Please take a few minutes to carefully read these release notes before upgrading.

    Feature releases change the behavior of the system by adding new functionality. AlienVault encourages users to apply the upgrade to a test system first, to understand and learn the new functionality before upgrading production systems. Carefully read the enhancement summary and change log below before upgrading your system.

    Training Webcasts
    Join us to learn what's new in v5.4! Check out the training schedule below and sign up:
    What's new in USM v5.4? - Thursday, June 29th

    CPU Requirement
    The upgrade to v5.4 requires a CPU that supports the SSSE3 (Supplemental Streaming SIMD Extensions 3) instruction set. On Linux the flag appears as "ssse3" in the flags line of /proc/cpuinfo, so check it before upgrading, especially on a VM whose hypervisor may mask CPU features. Please see this Knowledge Base article for more details.

    New for USM only

    • Auto-updates for Threat Intelligence and Plugins - Users no longer need to log in to the system to update their feeds: they can enable auto-updates and schedule them to run at a desired time.
    • New reports for ISO 27002 and NIST/FERPA - We've added 18 new reports for ISO 27002 and 10 new reports for NIST/FERPA compliance.

    New for USM and OSSIM

    • Hyper-V support - Deployment of AlienVault USM on Hyper-V v3.0+ (Windows Server 2008 SP2 and later) is now officially supported!
    • Export reports to XLS - Reports can now be exported in XLS format in addition to PDF, which gives much more flexibility for further use and modification of the exported data.
    • Optimized NIDS rulesets for better performance and better matching (fewer false positives and more indicators identified).
    • Plugin Builder (previously called Smart Event Collector or ASEC) - An intuitive way for users to create their own custom plugins from log files. After uploading a sample log file, users follow a guided set-up flow to create the custom plugin.
    • Alerting on NetFlow (*NOTE: only available for "All in One" deployments that do not use a remote sensor) - Many anomalies can be detected through NetFlow, such as an unusual amount of bandwidth used by a host or a large number of flows generated by it. These cases often reveal successful exfiltration attempts, since a compromised host starts behaving differently on the network. You can now have USM generate alarms and alert you when your NetFlow metrics go above or below set thresholds.
    • Quick OTX lookup from right-click menu - Right-click any IP in the Alarms and Events views to look up its details in OTX, making environmental awareness easier than ever.
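    As an added illustration of the threshold logic described in the NetFlow bullet above (this is example code, not AlienVault's own implementation), the script below aggregates constructed flow records per source host and raises alarms when a host's outbound bytes or flow count exceed assumed high thresholds, or when a host on an assumed asset list falls below a low byte threshold (a host that has gone quiet). The record layout, threshold values and asset list are all assumptions chosen for the example.

```python
"""Threshold alerting over NetFlow-style records (added example, not AlienVault code)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows for one window: (src_ip, dst_ip, dst_port, bytes).
# 10.0.0.5 pushes ~1.2 GB to a single external host (exfiltration pattern),
# 10.0.0.9 opens 300 tiny SMB connections (scan pattern), 10.0.0.7 is normal.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 400_000_000),
    ("10.0.0.5", "203.0.113.10", 443, 450_000_000),
    ("10.0.0.5", "203.0.113.10", 443, 380_000_000),
    ("10.0.0.7", "10.0.0.1", 53, 1_200),
    ("10.0.0.7", "198.51.100.20", 443, 55_000),
] + [("10.0.0.9", f"10.0.1.{i}", 445, 120) for i in range(1, 301)]

# Assumed thresholds for the window: more than 1 GB out or more than 200
# flows from one host raises an alarm; an expected-active host moving
# fewer than 1 KB is flagged as having gone quiet.
BYTES_HIGH = 1_000_000_000
FLOWS_HIGH = 200
BYTES_LOW = 1_000
# Assumed asset list; 10.0.0.8 is expected to be active but sends nothing.
EXPECTED_ACTIVE = {"10.0.0.5", "10.0.0.7", "10.0.0.8", "10.0.0.9"}


@dataclass(frozen=True)
class Alarm:
    host: str
    rule: str
    value: int


def summarize(flows):
    """Aggregate total bytes and flow count per source host."""
    total_bytes = defaultdict(int)
    flow_count = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        total_bytes[src] += nbytes
        flow_count[src] += 1
    return total_bytes, flow_count


def evaluate(flows, expected_active=EXPECTED_ACTIVE):
    """Return alarms for hosts above the high thresholds or below the low one.

    Hosts are checked in sorted order; a host may trigger more than one rule.
    """
    total_bytes, flow_count = summarize(flows)
    alarms = []
    for host in sorted(set(expected_active) | set(total_bytes)):
        nbytes = total_bytes.get(host, 0)
        nflows = flow_count.get(host, 0)
        if nbytes > BYTES_HIGH:
            alarms.append(Alarm(host, "bytes_above_threshold", nbytes))
        if nflows > FLOWS_HIGH:
            alarms.append(Alarm(host, "flows_above_threshold", nflows))
        # The "below" check only makes sense for hosts we expect to see traffic from.
        if host in expected_active and nbytes < BYTES_LOW:
            alarms.append(Alarm(host, "bytes_below_threshold", nbytes))
    return alarms


if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_FLOWS):
        print(f"ALARM {alarm.rule:<24} host={alarm.host} value={alarm.value}")
```

    Run against the constructed flows, the script raises a bytes-above alarm for 10.0.0.5, a flows-above alarm for 10.0.0.9 and a bytes-below alarm for the silent 10.0.0.8, while 10.0.0.7 stays quiet. In a real deployment the thresholds would be set per asset or asset group from an observed baseline rather than as fixed constants.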

    Documentation Updates

    Change Log

    • ENG-105493 Fixed wrong breadcrumb messages on Event and Alarm pages
    • ENG-105414 Moved to using DSA for log signing
    • ENG-105406 Fixed AlienVault Community link in the support section not working
    • ENG-105388 Hide ISO 27001 compliance mapping page and report
    • ENG-105372 AV forwarding: fixed issue where more than one av-forward process is executed at the same time in the child server
    • ENG-105363 AV forwarding: fixed issue where forward process is not stopped if pid file does not exist
    • ENG-105353 AV forwarding: fixed server socket timeout in idle state
    • ENG-105312 AlienVault Forward: fixed forwarder being unable to manage an oversized avcache
    • ENG-105309 Fixed vulnerability scans / HIDS deployment requiring insecure SMBv1
    • ENG-105306 Fixed poor error handling in OTX pulse sync that caused USM/OSSIM clients to generate denial-of-service load
    • ENG-105224 Fixed issue where message sent date changes to current date upon reading the message in the Message Center
    • ENG-105184 SIEM query performance optimization (investigation)
    • ENG-105168 New NIST/FERPA reports
    • ENG-105148 New ISO 27002 Reports
    • ENG-105139 Fixed issue where Alienvault-forward stops sending alarms to Fed after mysql error reloading hierarchy
    • ENG-105126 Fixed issue where configuration backup does not include config.yml
    • ENG-105110 Improved log message for parsing timeout in agent
    • ENG-105084 Fixed Fed Server displaying wrong directive event name
    • ENG-105082 Fixed error updating to 5.3.6 if a sensor is configured with sFlow
    • ENG-105068 Removed deprecated scripts from sudoers
    • ENG-105059 Addressed Potential SQL injection in OssimDB.exec_query()
    • ENG-105057 Message Center message has broken URL for backup password
    • ENG-105034 Fixed issue with SIEM page taking an exceptionally long time to filter on Alienvault-HIDS
    • ENG-105029 HA resources allocated to both nodes
    • ENG-105024 Fixed defect resolving IP on a string.
    • ENG-105019 Cannot set up NetFlow sources using 'sflow'
    • ENG-104987 Fixed Grouped by username SIEM queries not working
    • ENG-104980 Fixed bulk delete in Message Center only Deletes 50 at a time
    • ENG-104977 Disabling and Enabling Policies is not tracked by User Activity monitoring
    • ENG-104974 Fixed GSW rewriting default networks list
    • ENG-104969 Updated OSSEC to 2.8.3 for Linux platform
    • ENG-104962 updateplugins.pl script breaks with double quotes introduced by new plugins
    • ENG-104944 Fixed delay defect while resolving hostnames (Ironport plugin)
    • ENG-104943 Fixed issue with agent not being able to start a remote logs parser
    • ENG-104928 Fixed incorrect number of rows is exported in pdf/csv in SIEM reports
    • ENG-104920 Addressed unneeded messages in Web UI when using bulk selecting option for tickets
    • ENG-104914 Fixed alarm search showed incorrect result when source and destination ip are the same
    • ENG-104895 Fixed a SIEM DB backup possibly bringing down a USM
    • ENG-104865 Updated useractivity log messages
    • ENG-104853 Fixed duplicated alert details on email when multiple recipients
    • ENG-104851 Fixed Ossec config issue - not processing logs from ossec-single-line
    • ENG-104850 Fixed OSSEC firewall log being enabled on all installs but not used by our plugin
    • ENG-104839 Fixed typo: "Pre-scan localy" during vulnerability scan configuration
    • ENG-104808 Fixed GUI deleting more Ossec agents than the selected one
    • ENG-104793 Error message does not indicate a network is already defined
    • ENG-104788 Message center is breaking URL links embedded in system messages.
    • ENG-104705 Remove the word "reverse" from "Enable Reverse DNS Resolution"
    • ENG-104603 Ticket Creation of Grouped View Alarms - Fixed link to Alarms
    • ENG-104555 Added support for src/dst HOME_NET in policies
    • ENG-104545 Fixed !SRC_ip failing on custom directives
    • ENG-104473 Fixed Hostname replaced with {resolv_ip($hostname)} in some scenarios
    • ENG-104383 Fixed Ticket Report - Date Range not showing correct results.
    • ENG-104359 Fixed USM not processing events when event backup is running
    • ENG-104346 Addressed smart event collection maximum file size issue
    • ENG-104343 Improve smart event collector web UI (Plugin Builder)
    • ENG-104339 Alert on netflow - *Note, this functionality will only work on AIO deployments without a remote sensor.
    • ENG-104319 Added list of invalid characters displayed next to password input field in web interface
    • ENG-104307 Improvement to Agent's logrotate handling
    • ENG-104189 Update OSSEC to 2.8.3 - xpath filters do not work with current 2.8.2 version
    • ENG-104018 Addressed AlienVault-rhythm matching incorrectly
    • ENG-103872 Added export reports to XLS
    • ENG-103854 ParserDatabase.py logging
    • ENG-103853 Fixed reconnect issue in Forward with more than one upper server
    • ENG-103818 User activity - log OSSEC activity changes
    • ENG-103791 Schedule clean up table log_action
    • ENG-103789 Add OTX lookup to right-click menu on IPs
    • ENG-103739 Deprecate macheted process from smart event collector (asec)
    • ENG-103712 VPN: Federated server uses admin IP of child USM instead of VPN IP to display child USM raw logs
    • ENG-103697 [Low load] Web UI displays alarms as still being correlated even though they have reached the last correlation level
    • ENG-103652 'Asset logs not being processed' for assets that are not forwarding logs
    • ENG-103480 Suricata keeps filling up /var/log/suricata and crashing system
    • ENG-103457 Added new device types for asset management
    • ENG-103450 Add read user log_action table
    • ENG-103398 Fixed asset scan schedule is not properly stored for remote sensor and will be reset after agent restart
    • ENG-103381 Fixed OSSEC stopping after midnight and needing to be restarted
    • ENG-103243 Added support for src/dst !HOME_NET in policies
    • ENG-103213 Fixed unable to re-enable asset availability monitoring
    • ENG-103074 Changed how Suricata reports proxy-hidden communications
    • ENG-103016 Be able to schedule auto-updates for threat intelligence & plugins (not platform) - USM only
    • ENG-102950 Addressed insufficient permissions for custom_tasks.yml file
    • ENG-102760 Fixed activity with OTX IP Reputation reports are not working properly
    • ENG-102682 Added (custom) plugins to configuration backups
    • ENG-101869 Fixed toggling availability "on" does not work if a plugin has been previously enabled for the same host
    • ENG-101832 Fixed [Configuration - Administration - Main] Log to syslog option doesn't work properly
    • ENG-100765 Fixed firewall enable/disable option in console and web UI is not working

    Security Advisories

    • ENG-105735 Vulnerable Debian Package - libffi (CVE-2017-1000376) - AlienVault 5.4 is not vulnerable.
    • ENG-105733 Vulnerable Debian Package - libgcrypt20 (CVE-2017-9526) - AlienVault 5.4 is not vulnerable.
    • ENG-105722 Vulnerable Debian Package - linux (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105691 Vulnerable Debian Package - rtmpdump (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105659 Vulnerable Debian Package - nss (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105651 Vulnerable Debian Package - openldap (CVE-2017-9287) - AlienVault 5.4 is not vulnerable.
    • ENG-105647 Vulnerable Debian Package - sudo (CVE-2017-1000367) - AlienVault 5.4 is not vulnerable.
    • ENG-105630 Vulnerable Debian Package - libtasn1-6 (CVE-2017-6891) - AlienVault 5.4 is not vulnerable.
    • ENG-105626 Vulnerable Debian Package - samba (CVE-2017-7494) - AlienVault 5.4 is not vulnerable.
    • ENG-105614 Vulnerable Debian Package - tiff (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105608 Vulnerable Debian Package - freetype (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105600 Vulnerable Debian Package - bind9 (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105523 Vulnerable Debian Package - mysql-5.5 (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105488 Vulnerable Debian Package - icu (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105481 Vulnerable Debian Package - jasper (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105382 Vulnerable Debian Package - eject (CVE-2017-6964) - AlienVault 5.4 is not vulnerable.
    • ENG-105324 Vulnerable Debian Package - samba (CVE-2017-2619) - AlienVault 5.4 is not vulnerable.
    • ENG-105319 Vulnerable Debian Package - wireshark (multiple CVE's) - AlienVault 5.4 is not vulnerable.
    • ENG-105078 Vulnerable Debian Package - mongodb (CVE-2016-6494) - AlienVault 5.4 is not vulnerable.

    See the Security Advisory for USM and OSSIM v5.4 for more information.

    Additional Upgrade Info for All Users on v5.1.1 and Earlier

  • OTX Release Notes

    Release Notes - OTX Portal - 7/24/17 Release

    Support for YARA rules including:
    • Addition of YARA rule as an indicator type
    • Text editor to create and format YARA rules
    • Scanning tool to check rules for false positives
    • Addition of endpoint to consume rules via API
    Release Notes - OTX Portal - 4/27/17 Release
    • TAXII implemented allowing OTX users to consume their group subscriptions via TAXII server
    • Group comments added allowing additional collaboration in OTX security groups
    • OTX UI will show related indicators to IOC's uploaded for new pulses
    Release Notes - OTX Portal - 3/9/17 Release
    • UI enhancements to improve IOC extraction from pulses
    • Updated Group pages to show newest pulses first
    • Better reason codes from whitelisted indicators
    Release Notes - OTX Portal - 3/2/17 Release
    • UI improvements including TLP definitions on pulses
    • Better ordering of top pulses
    • Addition of anti-virus detections for URL indicators
    Release Notes - OTX Portal - 2/24/17 Release
    • Users can now view whois data when viewing indicator details pages for domains. This additional data provides more context for investigating the indicator.
    Release Notes - OTX Portal - 2/16/17 Release
    • Updated rendering of pulse titles to better display non-ASCII text included in titles.
    • When viewing a pulse it is now possible to see whether the pulse was created through the API or the web interface. It is also possible to use the search modifier "pulse_source:" to filter pulses from the web or API.
    • Fixed a defect which prevented users from resetting their avatar
    • Improved results when searching for CVE
    Release Notes - OTX Portal - 2/9/17 Release
    • Infrastructure updates and usability tweaks
    • API Examples - now on the API page we provide links to other projects that have built-in OTX integrations using our API.  Take a look and see how it is done and if there is anything you can use! otx.alienvault.com/api
    • Users can now pivot from a pulse to see additional pulses related to the same adversary, industry, or country by clicking the hyperlink
    • Updated API docs to better explain the Pulse update endpoint (PUT /api/v1/pulses/<pulse_id>). This allows simple addition / deletion of indicators from existing pulses.
    Release Notes - OTX Portal - 2/2/17 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 1/26/17 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 1/19/17 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 1/12/17 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 1/5/17 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 12/29/16 Release
    • Infrastructure updates and usability tweaks
    • Resolved an issue with OTX & Internet Explorer

    Release Notes - OTX Portal - 12/15/16 Release
    • Network IDS Indicator Detail - OTX now provides support for indicators in the form of Network Intrusion Detection System rules. Included in the details pages of this new indicator type is access to data from our network of OTX participants which provides insight into the origin of attacks related to the rules. Authenticated users will be able to see the IP address of any attacker that has caused this rule to trigger on the NIDS rule details pages.
    • Expanded Indicator Metadata - Users can now provide additional details related to the indicators they share within new pulses. The system now provides the ability for the author to add a title and description for each indicator to share more details of the malicious activity reported. This allows for the categorization of indicators to help describe their role in the reported threat.
    • Private Indicators - Pulse authors can now set indicators as 'private.' This setting allows authors to create public pulses with indicators that are only available to private groups.
    Release Notes - OTX Portal - 12/8/16 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 12/1/16 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 11/24/16 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 11/17/16 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 11/10/16 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 11/3/16 Release
    • Infrastructure updates and usability tweaks
    Release Notes - OTX Portal - 10/28/16 Release

    New Elements:
    • Pulse Locking - Authors of a pulse can now 'lock' the pulse to prevent it from being published to any additional groups. If you have a private pulse and do not want it shared beyond the scope you set, this feature should be used. Any user in a group who can view your private pulse can then publish it to another group unless this flag is set.
    • Enhanced Searching - The search box now provides typeahead support for the search modifiers supported by the system, making it easier to craft precise searches.
    • UI Load Performance - The table showing the indicator details found on the Pulse pages has been updated to improve the loading time for pulses with large sets of indicators.

    Release Notes - OTX Portal - 10/10/16 Release

    New Elements:
    • Enhanced Search - Indicator Support: Users can now view and search for indicators in the system. In the browse page, users can search for indicators including a new partial search to help identify matches across different indicator types. Note: at this point search is limited to indicators explicitly added to pulses by users of the system. Additional information may be available for indicators that have been analyzed by the OTX analysis systems and will require an exact search string to locate.
    • URL Pulse Extraction Issue: Fixed an issue that caused certain URLs to produce an error during the pulse extraction process. In particular, servers hosting more than one blog across different domains (using SNI) were affected.

    Release Notes - OTX Portal - 9/30/16 Release
    New Elements:
    • Usability Fix: When viewing the details of a pulse the summary of the related countries now renders low volume countries in a group titled 'other' to prevent the labels from overflowing the visible area.
    • Pulses now support new metadata. You can add industries, targeted countries and an adversary to a pulse during creation or as part of a suggested edit to a pulse. These fields are now available as search modifiers using the syntax "industry:<search term>", "country:<search term>", and "adversary:<search term>".
    • OTX will now occasionally survey users to gather information on our NPS (Net Promoter Score). The survey should not appear for any one user more than once every three months. We hope it is not a bother and that you like what we have done.
    Release Notes - OTX Portal - 9/22/16 Release
    • Fixed mixed content when displaying tags
    New Elements:
    • Create API endpoint for updating pulse

  • Default Plugins

    At the very least, you can see a list of current plugins on their official PDF Plugin list: