As of Tuesday, June 2, 2015, AlienVault v5.0.3 is now generally available for all existing and new customers.
You can download the latest version of USM here and OSSIM here. Please take a few minutes to carefully read these release notes before upgrading.
Important Upgrade Info for All USM Users
AlienVault USM v5.0 includes an update to the events database engine in order to improve performance and storage capability. With this upgrade, you can store more data for longer periods of time. You can also correlate and analyze more data in less time, accelerating your ability to detect and respond to threats. The upgrade to USM v5.0 will be done in two steps:
Step 1: Upgrade your USM v4.x system to USM v5.0. This is done using the normal update process available from within the web UI and Console. This will bring your USM system to v5.0, but will not update the database. Your USM deployment will be fully functional with the existing database engine, but will not have the improvements provided by the new database engine.
Step 2: Migrate the database engine. Now that your system is running v5.0, the necessary tools are available to migrate your database engine to the new version. This migration will migrate your data and configuration to the new database engine and enable it for use. Review the database migration instructions prior to upgrading. If you would like assistance with this migration, contact AlienVault Customer Support.
Note: The new database is only available for USM customers. OSSIM users will continue to use the existing database with full functionality.
Important Upgrade Info for All Users on v4.11 and Lower
For users on v4.9 and lower, please see the v4.10 release notes for additional upgrade information. For users on v4.10 and v4.11, please see the v4.12 release notes for additional upgrade information. If you are on v4.11 or below with a distributed deployment (Standard or Enterprise Sensors, Loggers, Servers), you will need to follow the instructions here to upgrade your deployment.
RN1. Adding remote systems now requires authentication (v4.8)
As of AlienVault v4.8, all AlienVault components require authentication in order to communicate with each other. Users authenticate a remote system using the root password of the device, which distributes SSH public keys and certificates to the connected AlienVault systems.
RN2. VPN Environment Configuration (v4.10)
As of AlienVault v4.10, the procedure to configure a VPN environment has been updated. This document describes the process to set up the VPN environment.
RN3. IDM - User login timeout (v4.13)
For each user login event matching a host managed by the IDM, a new entry is created in the IDM database. This entry stays in the database until the corresponding logout event is identified and processed. When that logout event is never received, the IDM database grows without bound. v4.13 now includes a configurable user login timeout to automatically purge such entries from the database.
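The growth problem and the timeout-based purge described above, as an added illustration that is not AlienVault's IDM code: a host-to-user login table is replayed from a constructed event stream in which one logout is never seen, once with no timeout (the pre-v4.13 behaviour) and once with a timeout that evicts the stale entry. The event format and the `track_logins` function are assumptions for the example.

```python
"""Toy model (not AlienVault code) of an IDM login table: why a lost logout
event leaves an entry behind forever, and how a login timeout bounds it."""
from dataclasses import dataclass


@dataclass
class Login:
    user: str
    last_seen: int  # epoch seconds of the login event that created the entry


# Constructed event stream: (timestamp, host, user, action). The logout for
# bob on 10.0.0.7 never arrives, e.g. the log source was unreachable then.
EVENTS = [
    (1000, "10.0.0.5", "alice", "login"),
    (1010, "10.0.0.7", "bob", "login"),
    (1300, "10.0.0.5", "alice", "logout"),
    (5000, "10.0.0.9", "carol", "login"),
    (5020, "10.0.0.9", "carol", "logout"),
]


def track_logins(events, timeout=None):
    """Replay events into a host -> Login table and return (table, purged).

    timeout: seconds after a login after which the entry is purged even if no
    logout was processed. None keeps entries forever, so a single lost logout
    leaks one row per affected host. A real implementation would run the
    purge periodically; here it runs before each event for simplicity.
    """
    table = {}
    purged = 0
    for ts, host, user, action in sorted(events):
        if timeout is not None:
            stale = [h for h, entry in table.items() if ts - entry.last_seen > timeout]
            for h in stale:
                del table[h]
            purged += len(stale)
        if action == "login":
            table[host] = Login(user, ts)  # a re-login refreshes the entry
        elif action == "logout":
            table.pop(host, None)  # unmatched logouts are simply ignored
    return table, purged


if __name__ == "__main__":
    print("no timeout:", track_logins(EVENTS))
    print("1h timeout:", track_logins(EVENTS, timeout=3600))
```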
AlienVault currently includes multiple ways to analyze Netflow data: the built-in Netflow support and Ntop. Effective immediately, AlienVault is deprecating the ntop tool from both USM and OSSIM. Deprecation means that AlienVault will no longer invest development time in this component, and that the tool, its related views and its workflows will be removed or changed in a future release.
This deprecation notice does not apply to the built-in Netflow support also provided by AlienVault. AlienVault will continue to develop and enhance the built-in Netflow capability in USM and OSSIM. For questions or additional information regarding this deprecation notice, contact [email protected]
Snort
AlienVault USM and OSSIM have historically shipped with a built-in IDS capability that includes the use of two separate open source IDS engines: Snort and Suricata. As AlienVault continues to evolve its built-in IDS capabilities, it now becomes necessary for us to focus our efforts on a single IDS engine. We have chosen to use Suricata and will be deprecating the use of Snort from our product. Deprecation means that we will no longer invest development time into the use of this component and we will be removing the use of Snort in a future version of the products.
Some of the benefits you will receive from AlienVault’s decision to focus on use of Suricata include:
- Increased performance - Suricata is multi-threaded. Snort is single threaded. You will experience better performance and speed in processing from Suricata.
- Better Detection - Suricata detects 20% to 30% more threats than Snort using the same detection rules. Using Suricata allows you to identify more threats more quickly, providing better detection of threats in your environment.
- Better traffic visibility - Suricata provides Application Layer visibility, which allows you to better detect malicious content.
- Faster HTTP traffic analysis - Suricata provides faster normalization and parsing for HTTP streams, allowing you to evaluate HTTP traffic more quickly and with less processing requirement.
- Automated Protocol Detection - Suricata automatically detects protocols in use within the traffic, reducing false positives and allowing you to detect protocols running on non-standard ports.
- Ruleset Features - As AlienVault continues to evolve the AlienVault Labs Threat Intelligence content, we will be able to take advantage of the built-in features of Suricata to provide you with improved, advanced threat detection.
- Reduced Complexity - By focusing our efforts on a single IDS engine AlienVault will have additional development capacity to enhance / build new capabilities into other product areas and reduce the product complexity.
For those customers who are using the Snort engine within USM or OSSIM today, you will be able to continue using it until it has been removed. Once removed, the built-in IDS will be solely based on Suricata. For questions or additional information regarding this deprecation notice, contact [email protected]
- ENG-100444, HIDS Agentless deployment form doesn't require credentials when edited - Users have to enter agentless credentials any time the configuration is modified.
- ENG-100433, Custom reports filtered by user do not run correctly - Custom reports filtered by user run as expected.
- ENG-100071, Error when you run a report with the geographic module - Report runs as expected.
- ENG-100067, Improper English on Discover New Assets tab - Fixed a typo when selecting a sensor.
- ENG-100064, The remote support tool does not work if the database is down - USM appliances can start the remote support tool without the database up.
- ENG-100021, Database migration not launched if limit of backups in DB is set to 0 (no limit) - 5.0 database migration is allowed even if backups are set to 0.
- ENG-98985, Any authenticated user can access availability monitoring information - Added an additional permission check to confirm the user has access to that page.
- ENG-99607, Port 40007 is open but is no longer used - Port now closed by default.
- ENG-99280, Event reliability is not modified by cross-correlation - Users cannot assign more than one reference to the same plugin and an error message will appear to alert the user if this happens.
- ENG-99059, HA cannot be configured with Enterprise Servers - High Availability deployment now configurable using Enterprise Server appliances (with separate Database).
- ENG-100470, Nexpose reports vulnerability to CVE-2000-0219 - This has been identified as a false-positive. AlienVault v5.0.3 is not vulnerable.
- ENG-100371, Vulnerable Debian Package (php5) - AlienVault v5.0.3 is not vulnerable.
- ENG-100372, Vulnerable Debian Package (Curl) - AlienVault v5.0.3 is not vulnerable.
- ENG-100373, Vulnerable Debian Package (libxml-libxml-perl) - AlienVault v5.0.3 is not vulnerable.
- ENG-100374, Vulnerable Debian Package (tzdata) - AlienVault v5.0.3 is not vulnerable.
- ENG-99407, Nexpose reports world writable files - AlienVault v5.0.3 is not vulnerable.
- ENG-100255, JavaScript injection via plugins - AlienVault v5.0.3 is not vulnerable.
- ENG-100504, Vulnerable Debian Package (libicu44) - AlienVault v5.0.3 is not vulnerable.
- ENG-98552, Nexpose reports vulnerability with IP source routing - AlienVault v5.0.3 is not vulnerable.
- ENG-100584, Vulnerable Debian Package (eglibc) - AlienVault v5.0.3 is not vulnerable.
See the Security Advisory for USM v5.0.3 for more information.