AlienVault OSSIM v4.0 Enhancement Summary

RussRuss

AlienVault Employee
edited January 2017 in OSSIM (open source) > Release notes

Asset Discovery

  • Improved Passive Network-based Asset Discovery: PRADS is now built into the platform, providing efficient and accurate identification of hosts and services by passively monitoring network traffic. This package deprecates the use of p0f, ArpWatch and pads.
  • Periodic Asset Discovery: A new scheduling mechanism allows users to automatically discover changes in their infrastructure. Whether it is a new network segment or an existing segment, periodic scans allow for up-to-date information about new assets and hosts that are no longer active. Scheduling is available for Nmap scans, OCS Inventory, and WMI queries.

Vulnerability Assessment

  • Improved Vulnerability Assessment: OpenVAS v5 is now built into the platform, which provides additional assessment capabilities including improved support for local scanning via SSH. Additional scheduling and configuration options are also made available in the web interface, allowing users to schedule periodic scans with more flexibility.

Threat Detection

  • Improved Host-based Intrusion Detection Management: Improving on the configuration UI first introduced in v3.1, the configuration UI for HIDS agents now provides additional capabilities, making it easier to navigate configuration files and make updates without modifying the raw configuration file.
  • Improved Wireless Intrusion Detection Support: Enhanced support for the latest version of Kismet is now included, along with streamlined installation instructions for managing wireless intrusion detection in your installation.

Event Collection

  • Improved Performance for Log Processing: Improvements in the algorithms used to process raw logs have increased the amount of raw logs that can be processed every second.

Correlation

  • Support for Taxonomy-based Correlation: Taxonomy-based correlation simplifies the creation of correlation directives (rules) and improves the detection capabilities. Correlation rules can now be created to match an abstraction of the events they are processing, allowing alerts to be generated on generic malicious patterns as opposed to device-specific events.
  • Support for Reputation-based Correlation: The full meta-data from Open Threat Exchange is now available during correlation. This provides the ability to match not only on the IP but also on data related to the activities that have been previously observed and the reliability of the report.
  • Improved Performance (Commercial Only): Improvements in the algorithms used to process events have increased the throughput of the correlation engine. Users can expect to see a 2-3x improvement in their throughput.

Event Management

  • Enhanced Event Forwarding Policies (Commercial Only): Enhanced policies allow for more complex filtering of events based on time conditions, IP reputation, and taxonomy. Additionally, events can be selectively forwarded to multiple destinations based on their attributes.
  • Improved Policy Creation Interface (Commercial Only): Along with the new policy capabilities, the interface for creating the policies has been completely redesigned for greater ease of use. Users can now easily select new conditions and modify all policy actions in a simple, integrated interface.

Log Storage

  • Enhanced Log Compression (Commercial Only): When storing the log entries, the Logger now performs compression, increasing the storage capacity up to 5x with the same physical disk.

Dashboard

  • Enhanced Visualizations: A completely new set of visualizations is now available. This includes new chart types, RSS feeds, tag clouds, reporting modules, AlienVault URLs (embedding of a variety of UIs from throughout the product), real-time event streams, and network flows.
  • Multi-User Dashboard Modules: Users can now create and share dashboard modules with one another, allowing for easy reuse and team-specific dashboards. All modules respect the access control of the user viewing the module.

Incident Response

  • Historical Asset Inventory (Commercial Only): New functionality allows users that are inspecting events to view the state of associated hosts at the time of the event. A full history of modifications to the host is maintained, so temporal information such as running processes, network configuration, and authenticated users is available when investigating. Users of OSSIM will not be able to access the historical data, but will be able to see the current state of the host in question.
  • Dynamic Host Identification: A new architecture for the asset management system allows for dynamic identification of hosts even in dynamic environments such as DHCP-managed network segments.

System Administration

  • Web-based Configuration and Updates (Commercial Only): Sensors can now be configured from the web interface. This includes the network interface, the firewall, the VPN connection, and the event forwarding policies. In addition, users will be able to update remote sensors with the latest software and threat intelligence from AlienVault. Users of OSSIM will not be able to configure remote sensors, but will be able to access this UI if the sensor is running on the same machine as the web interface.
  • Centralized System Health Monitoring (Commercial Only): Easily monitor the current and historical resource utilization of remote AlienVault components. This helps identify bottlenecks before they occur and informs expansion planning.

Platform

  • Extended Hardware Support: Debian Squeeze is now the basis for the platform, providing additional kernel-level support for non-standard hardware devices. This provides additional flexibility when deploying AlienVault on your own hardware.
  • Improved Packet Capture: PF_RING, tcpdump, and libpcap have been updated for improved efficiency and throughput while capturing network traffic. In addition, this update improves security and reliability, as kernel patching is no longer required.
  • Enhanced Database Performance: The backend architecture for event analysis and persistence has been modified to allow for greatly improved throughput. The integration of Percona Server allows for complete compatibility with those familiar with MySQL while also providing the performance of modern RDBMS alternatives.
