Update: On Wednesday, May 13, 2015 a Hotfix was issued. See AlienVault v5.0.2 Hotfix.
As of Tuesday, May 12, 2015, AlienVault v5.0.1 is now generally available for all existing and new customers. You can download the latest version of USM here and OSSIM here. Please take a few minutes to carefully read these release notes before upgrading.
Important Upgrade Info for All USM Users
AlienVault USM v5.0 includes an update to the events database engine in order to improve performance and storage capacity. With this upgrade, you can store more data for longer periods of time. You can also correlate and analyze more data in less time, accelerating your ability to detect and respond to threats. The upgrade to USM v5.0 is done in two steps:
Step 1: Upgrade your USM v4.x system to USM v5.0. This is done using the normal update process available from within the web UI and Console. This will bring your USM system to v5.0, but will not update the database. Your USM deployment will be fully functional with the existing database engine, but will not have the improvements provided by the new database engine.
Step 2: Migrate the database engine. Now that your system is running v5.0, the necessary tools are available to migrate your database engine to the new version. This migration moves your data and configuration to the new database engine and enables it for use. Review the database migration instructions prior to upgrading. If you would like assistance with this migration, contact AlienVault Customer Support.
Note: The new database is only available for USM customers. OSSIM users will continue to use the existing database with full functionality.
Important Upgrade Info for All Users on v4.11 and Lower
For users on v4.9 and lower, please see the v4.10 release notes for additional upgrade information. For users on v4.10 and v4.11, please see the v4.12 release notes for additional upgrade information. Customers on v4.11 and below with a distributed deployment (Standard or Enterprise Sensors, Loggers, Servers) will need to follow the instructions here to upgrade their deployment.
RN1. Adding remote systems now requires authentication (v4.8)
As of AlienVault v4.8, all AlienVault components require authentication in order to communicate with each other. Users authenticate a remote system using the root password of the device, which distributes SSH public keys and certificates to the connected AlienVault systems.
RN2. VPN Environment Configuration (v4.10)
As of AlienVault v4.10, the procedure to configure a VPN environment has been updated. This document describes the process to set up the VPN environment.
RN3. IDM - User login timeout (v4.13)
For each user login event matching a host managed by the IDM, a new entry is created in the IDM database. This entry stays in the database until the corresponding logout event is identified and processed, which leads to uncontrolled growth of the IDM database when the logout event is never received. v4.13 includes a configurable user login timeout that automatically purges such entries from the database.
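The growth problem and the timeout fix described in RN3, modelled as an added example (illustrative code written for these notes, not AlienVault's IDM implementation); the event stream, hosts and user names are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class IdmStore:
    """Model of the IDM login table: one entry per (host, user) from login until
    the matching logout, or until login_timeout seconds have passed.
    Illustrative only; not AlienVault's implementation."""
    login_timeout: Optional[int] = None      # None models the pre-4.13 behaviour
    entries: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def on_login(self, host: str, user: str, ts: int) -> None:
        self.entries[(host, user)] = ts       # record when this login was seen

    def on_logout(self, host: str, user: str) -> None:
        self.entries.pop((host, user), None)  # an unmatched logout is simply ignored

    def purge(self, now: int) -> int:
        """Remove entries whose login is older than login_timeout; return how many."""
        if self.login_timeout is None:
            return 0
        stale = [k for k, t in self.entries.items() if now - t > self.login_timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

# Constructed event stream (seconds from start): bob's and dave's logout events
# are never received, which is the case that makes the table grow unbounded.
EVENTS: List[Tuple[int, str, str, str]] = [
    (0,        "login",  "10.0.0.5", "alice"),
    (60,       "login",  "10.0.0.6", "bob"),
    (120,      "logout", "10.0.0.5", "alice"),
    (300,      "login",  "10.0.0.8", "dave"),
    (5 * 3600, "login",  "10.0.0.7", "carol"),
    (9 * 3600, "logout", "10.0.0.7", "carol"),
]

def replay(events, login_timeout: Optional[int] = None) -> Tuple[int, int]:
    """Replay events through an IdmStore; return (entries left, entries purged)."""
    store, purged = IdmStore(login_timeout), 0
    for ts, kind, host, user in events:
        purged += store.purge(ts)            # timeout check runs as time advances
        if kind == "login":
            store.on_login(host, user, ts)
        else:
            store.on_logout(host, user)
    return len(store.entries), purged

if __name__ == "__main__":
    print("no timeout:", replay(EVENTS))            # (2, 0): orphaned logins stay forever
    print("8h timeout:", replay(EVENTS, 8 * 3600))  # (0, 2): orphaned logins are purged
```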
- Configuration Backup and Restore - The backup and restore process was improved in 5.0. This document describes the procedure changes and what backups now include.
- Message Center - This document outlines the new Message Center feature in AlienVault 5.0. The Message Center centralizes all in-system errors, warnings and messages into a single page within the web UI.
- What is Telemetry Collection and How Does it Work? - This knowledge base article further describes the use of telemetry collection in our customer base.
- ENG-100053, Confusing error message on VPN attempted deployment - Error message informs the user of other options in the case that network connectivity is not available.
- ENG-100011, Asset discovery scan displays 'unknown error' message - Asset discovery scans run as expected and progress is displayed in the UI.
- ENG-99970, Typo when hovering over priority threshold - Updated hover text to say: "Logs with priority lower than threshold will be archived but not processed as security events as they are not considered to provide security information".
- ENG-99969, Typo when hovering over active events windows - Updated hover text to say: "Older security events will be erased when total number of events in database reaches this number".
- ENG-99968, Database error when deleting events - Database error no longer occurs when a user deletes events.
- ENG-99939, Missing protocol translations on server - Fixed a translation error with ossim-server. Protocols are translated properly.
- ENG-99938, OSSIM users see message to "Improve database performance" - OSSIM users no longer receive message to upgrade their database.
- ENG-99925, Database error in security events when you search by signature and IP - Fixed a database error with filters in Security Events.
- ENG-99893, Message Center search text box says "Search by Subject" even though it searches all message content - Text in search box changed to "Search".
- ENG-99833, Wrong success message when adding a note from the network list - Updated success message says "Your note has been added to the selected networks".
- ENG-99826, Wrong redirect used in Deployment Status Dashboard - Users are redirected to the correct location from within the deployment status dashboard.
- ENG-99807, Typo in 5.0 database migration - Fixed minor typo in system checks prior to database upgrade in v5.0.
- ENG-99798, Incorrect message displayed when selecting assets - Changed message to specify the number of assets you've selected on "this page".
- ENG-99783, Netflow processing shows wrong columns in results table - Updated the column headers to correctly define each field.
- ENG-99770, Missing geographical location in event details page - Added geographic location on the security events pages.
- ENG-99769, The Message Center does not notify when the current number of assets exceeds the contracted one - USM users will be notified via the Message Center when they have gone over the asset limit for asset-based All-in-One devices.
- ENG-99705, Incorrect error message when applying the same label to a ticket twice - Error message will no longer appear when a label is added twice. Instead, the label will be added to tickets if it has not been added yet and no error will occur if the label already exists for some of the selected tickets.
- ENG-99700, Net icon is not displayed properly in alarm detail - Fixed display error and added server validation.
- ENG-99698, PHP errors displaying event information from alarm detail - Errors have been fixed and user sees the filtered list properly.
- ENG-99689, Incorrect sentence in asset group - Fixed typo in hover text on assets in asset group.
- ENG-99679, Incorrect message on Alarms circle on Asset Details Page - Alarms with risk greater than 5 change the circle color to red.
- ENG-99675, HIDS deployment credentials don't allow numerical user names - Users can deploy HIDS agents with numeric, alphabetic, or mixed usernames.
- ENG-99646, Restoring a backup in a fresh installation asks for confirmation to authenticate the host - Users do not need to authenticate to restore from backup on a fresh install.
- ENG-99636, Failed server related tests (from AV-doctor) in OSSIM AIO - Fixed plugins in AV-doctor to be compatible with installs that have upgraded from OSSIM to USM.
- ENG-99616, Sensor search issues with multiple device IPs on security events - The criteria description now shows only the sensor name, instead of "Sensor - First device IP" to avoid confusion.
- ENG-99566, HIDS agentless not working for network devices without aes256-ctr and aes128-ctr - Agentless HIDS connections to non-AlienVault components are able to use additional ciphers.
- ENG-99539, User is unaware that underscore "_" is not allowed in asset names - Updated the help text to alert the user that underscores are not allowed in asset names.
- ENG-99500, Menu closes when adding IP address in advanced search in security events - Search criteria drop-down stays open until the user clicks search to begin the query.
- ENG-99499, Advanced search in security events breaks the view - In the case of a query issue, the following error message is displayed: "No events matching your search criteria have been found. Try fewer conditions."
- ENG-99483, Wrong text on startup screen shown at installation - Fixed text shown after reboot or at first installation to be easier to read.
- ENG-99450, IDM inserts login information for the first log-off event - User information is not added to host properties for log-off events.
- ENG-99449, The Raw Logs section responds "no data found" when there is a query that provokes a timeout - Updated error messages to be more descriptive. We have separated the messages used for time-outs and for queries that return no data.
- ENG-99447, API does not clean the temporary folders properly - Added a cron script that cleans temporary files and/or kills processes that take longer than 7 days.
- ENG-99444, Impossible to change a custom directive from taxonomy to event type - Users can change a custom directive from taxonomy to event type.
- ENG-99385, USM Standard Sensor 2x10 drops 90% of packets - 10Gb interfaces do not drop packets.
- ENG-99329, MongoDB log file is not rotated at all - Added missing logrotate policy to MongoDB logs.
- ENG-99253, Actions are duplicated every time they're edited - The action is updated instead of duplicating actions.
- ENG-99225, Warning message for plugin changes does not display the plugin name in the title - Messages for plugin changes in the Message Center now contain the plugin name in the title.
- ENG-99170, Replication issues in HA environments - Replication works as expected in High Availability environments.
- ENG-99167, The signature from DB plugins cannot be verified in the raw logs - Fixed parameter validation so that signatures can be verified.
- ENG-99152, The signature validation doesn't work on compressed files - The validation works for compressed files and indexed search.
- ENG-99098, Vulnerability scans crash after changing the schedule type of a scan previously scheduled - After editing a scheduled scan and changing it to "immediately", it will work as expected.
- ENG-99016, Using hostname:port in reports breaks the format - Users can use hostname:port in reports without any issues.
- ENG-99003, Asset discovery asset name resolution depends on the order of the DNS servers - Asset discovery output will display hostnames if the local DNS is able to resolve them.
- ENG-98974, Failure with sensor IP admin collision - Users can change the sensor IP.
- ENG-98927, It's not possible to deploy agentless HIDS in HA environments - Users can deploy agentless HIDS in high availability environments.
- ENG-98706, It's not possible to re-configure promiscuous interfaces - All network interfaces that were once configured as network monitoring interfaces (promiscuous mode) can be disabled or re-configured.
- ENG-98094, TLS on LDAP connections - New option has been added to the Configuration menu in the UI so users can activate LDAP using TLS.
- ENG-98039, Authentication modules grouping by username takes too long to compile reports - Optimized the search utility in Raw Logs by about 40% to improve complex searches and groupings.
- ENG-99866, Asset discovery scanner vulnerability - AlienVault v5.0.1 is not vulnerable.
- ENG-99865, Asset discovery scanner vulnerability - AlienVault v5.0.1 is not vulnerable.
- ENG-98424, NBE import vulnerability - AlienVault v5.0.1 is not vulnerable.
See the Security Advisory for USM v5.0.1 for more information.