
AlienVault USM v5.5 Functional Release

SkylarTalley (AlienVault Employee)

As of Wednesday, December 13 2017, AlienVault USM and AlienVault OSSIM v5.5 are now generally available for all existing and new customers. Users can update their system(s) through the console or web UI (see upgrade instructions for more information). For customers using the Managed Appliance Service, please note that AlienVault Support will be contacting you to schedule your update.

Please take a few minutes to carefully read these release notes before upgrading.

Feature releases will change the behavior of the system with new functionality. AlienVault encourages users to first apply the upgrade to a test system to understand and learn the new functionality before upgrading production systems. Carefully read the enhancement summary and change log below before upgrading your system.


Updates for USM and OSSIM

  • The HIDS server has been updated. As a result, you will notice new rules and decoders, and several HIDS-related bugs (see Change Log below) have been resolved.
  • Simultaneous federation to a USM Appliance Federation Server and a USM Central instance is now supported.
  • The Datadog agent has been removed to address an update issue. This agent was added in the 5.4.3 release and was meant to be used as a diagnostic tool by AlienVault Support for select cases. We will address the update issue and re-add the agent in a subsequent release.


Documentation Updates


Change Log

  • ENG-106426 Fix for simultaneous federation to both USM Central and the Federation Server
  • ENG-106416 Datadog becomes enabled after update
  • ENG-106412 OSSIM Server errors when there are several contexts
  • ENG-106402 Ossec local_rules.xml intermittently being written incorrectly on updates.
  • ENG-105885 OSSEC package in 5.4 version does not support SSL
  • ENG-103059 Fix for tracking FIM events for 0.0.0.0/0 Agents


Additional Upgrade Info for All Users on v5.1.1 and Earlier



Comments

  • Deployed in lab on both OSSIM and USM; upgrades went smoothly with no issues. Will monitor performance and logs.
  • Thanks hitman!
  • Will this fix the blowup of the C&C Communications?
  • tracy.danger Are you referring to the PSEmpire ones? Gosh I hope so too!

  • I think the PSEmpire rule needs to be updated.
  • 5.5 broke all of our Ossec Servers on a USM and 4 of their sensors. This is a bug with the ossec server in version 2.9.1 where remoted will not bind to port 1514. The fix was to turn on ipv6 in sysctl as ossec needs it on to run in 2.9.1. We executed the command "sysctl net.ipv6.conf.all.disable_ipv6=0" and moved the old ossim config file out of sysctl.d, keeping suricata and the alienvault conf files.
  • (edited January 13) Hello @sweldon, @zparker, @kr1spy84,

    With the latest OSSEC development, the OSSEC team has pushed out an IPv6 configuration; this configuration was included with our 5.5 release. Our Engineering team is aware of the modification and will have this corrected with the next firmware release. However, in the meantime, you can apply a workaround:

    # mv /etc/sysctl.d /etc/sysctl.d_bak
    # /etc/init.d/ossec stop ; /etc/init.d/ossec start ; alienvault-reconfig

    You can then check the status of ossec-remoted:

    # ps afux | grep ossec-remoted

    or

    # netstat -tulpen | grep 1514

    If you still see that ossec-remoted is failing to start (and you have successfully moved the sysctl.d file), please try a reboot of your Appliance.

    Regards,
    - kratos
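A small check script for the condition this thread describes (OSSEC 2.9.1 remoted not binding port 1514 while IPv6 is disabled through sysctl), added here as an example and not taken from the AlienVault post or the OSSEC project. It reports whether IPv6 is disabled and whether a socket on port 1514 shows up in `netstat -tulpen` output; the function names, the status labels and the sample netstat lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AlienVault post: checks the two conditions the
# thread discusses after the 5.5 upgrade. Function names, the sample netstat
# text and the "ok"/"ipv6-disabled"/"remoted-not-listening" labels are all
# constructed for this example.

# Return 0 when IPv6 is enabled (disable_ipv6 == 0), 1 otherwise.
# $1: path of the sysctl value to read (default: the live /proc entry).
ipv6_enabled() {
  f="${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
  [ -r "$f" ] || return 1
  [ "$(tr -d '[:space:]' < "$f")" = "0" ]
}

# Return 0 when a TCP/UDP socket bound to port 1514 appears in `netstat -tulpen`
# output read from stdin (so `netstat -tulpen | remoted_listening` also works).
remoted_listening() {
  awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /:1514$/ { found = 1 } END { exit !found }'
}

# Combine both checks. $1: sysctl value file, $2: captured netstat text.
# Prints one label on stdout; exit status is 0 only for "ok".
diagnose() {
  if ! ipv6_enabled "$1"; then
    echo "ipv6-disabled"; return 1          # the cause reported in the thread
  fi
  if ! printf '%s\n' "$2" | remoted_listening; then
    echo "remoted-not-listening"; return 1  # IPv6 is on but remoted is still down
  fi
  echo "ok"
}

# Constructed sample outputs in `netstat -tulpen` layout (not real captures).
SAMPLE_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           0          40021      2345/ossec-remoted
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12099      1100/sshd'
SAMPLE_NO_LISTENER='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12099      1100/sshd'

# Live check on the appliance itself (needs netstat); only runs when asked for.
if [ "${1:-}" = "--live" ]; then
  diagnose /proc/sys/net/ipv6/conf/all/disable_ipv6 "$(netstat -tulpen 2>/dev/null)"
fi
```

Run it with `sh check_remoted.sh --live` on the appliance to get one of the three labels; an `ipv6-disabled` result is the case the workaround above addresses.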