AlienVault v5.3.5 Patch Release

LBarraco

Updated: March 17, 2017

As of Tuesday, January 24 2017, AlienVault USM and OSSIM v5.3.5 are now generally available for all existing and new customers. Users can update their system(s) through the console or web UI (see upgrade instructions for more information). For customers using the Managed Appliance Service, please not that AlienVault Support will be contacting you to schedule your update.

Please take a few minutes to carefully read these release notes before upgrading.

Documentation Updates

• How to collect Windows logs with NXLog
  
• How to forward Microsoft IIS logs to AlienVault
  
• How to see EPS trend graph
  
• How to install missing profile packages to avoid network issues
  
• Troubleshooting issues with Fortigate firewalls
  
• How to set up port mirroring for Hyper-V appliances
  
• Netflow monitoring user guide
  
• USM event taxonomy overview
  
• Hyper-V deployment guide
  
• How to configure nxlog
  
• AMI deployment guide
  
• How to exclude IPs from an asset scan
  
• How to configure file integrity monitoring on your USM appliance
  

Announcements

New NxLog plugin - In this release, we made some major modifications to our data source plugin for NxLog. To continue collecting Windows events from NxLog, you will need to reconfigure the settings. Please follow the steps in this document

Deprecation Notice

Log watch
The log watch functionality in the Smart Event Collector has been deprecated in AlienVault USM and OSSIM. Deprecation means that we will no longer be doing development on that feature. This functionality may also be removed from the product at a later release date.

Compliance mapping
The compliance mapping functionality has been deprecated in AlienVault USM. Deprecation means that we will no longer be doing development on that feature. This functionality may also be removed from the product at a later release date.

This will not remove the ability to report on compliance regulations (PCI DSS 3.2 and ISO 27001:2012). AlienVault will continue to deliver new and updated compliance reports. For questions or additional information regarding this deprecation notice, contact AlienVault Support.

Change Log

• ENG-100893 - Users can now bulk delete tickets
  
• ENG-101666 - Fixed issue with adblocker disabling alarm views
  
• ENG-102523 - In SIEM view, added new grouping options for userdataX and username fields
  
• ENG-102727 - Added new permission option to control which users can close alarms
  
• ENG-102930 - Fixed issue in alarm forwarding caused by mysql error
  
• ENG-103144 - Tickets automatically created from alarms will send emails to assigned user
  
• ENG-103168 - Increased number of assets and alarms that can be displayed per page
  
• ENG-103184 - Manually created tickets will send emails to the assigned user
  
• ENG-103257 - Added "sticky" settings in Alarms and Assets so that filters will stay enacted when navigating from page to page
  
• ENG-103798 - Fixed issue with disabling forwarding on child servers in a federated environment
  
• ENG-103833 - Added 'Delete All' option to bulk delete in the message center
  
• ENG-103978 - Fixed issue with cron script removing HIDS alerts directory
  
• ENG-104203 - Fixed issue with parent server not receiving alarms in federated environment
  
• ENG-104329 - Fixed issue with missing alarms in federated environment
  
• ENG-104545 - Fixed issue with !SRC_ip failing on custom directives
  
• ENG-104553 - Fixed issue with upgrades in HA (high availability) environment
  
• ENG-104564 - Users can now exclude IPs from asset scans
  
• ENG-104578 - Removed redundant rotation of /var/ossec/logs/alerts/alerts.log
  
• ENG-104606 - Fixed issue in federation environment that caused alarms to get lost when they were stored in memory backed queue
  
• ENG-104657 - Added local_decoder.xml back to HIDS feed
  
• ENG-104669 - Fixed issue with forwarding with missing object types
  
• ENG-104686 - Filters applied to assets and alarms stay "sticky" when navigating between pages
  
• ENG-104802 - Fixed display issue that changed scan type for scheduled asset scans
  
• ENG-104848 - Fixed issue with openvas certificates not allowing scans in 2017
  
• ENG-104858 - Fixed issue with openvas certificates not allowing OSSIM to update or install
  
• ENG-104871 - Fixed issue with scheduled vulnerability scans using single date fields in database
  
• ENG-104872 - Fixed issue with scheduled vulnerability scans not showing the previous year in dropdown
  
• ENG-104872 - Fixed issue with scheduled vulnerability scans not setting the date properly
  

Security Advisories

• ENG-104037, Vulnerable Debian Package - sqlite3 (CVE-2016-6153) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104719, Vulnerable Debian Package - php5 (multiple CVE's) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104722, Vulnerable Debian Package - apt (CVE-2016-1252) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104789, Vulnerable Debian Package - php5 (CVE-2016-9935) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104805, Vulnerable Debian Package - samba (multiple CVE's) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104862, Vulnerable Configuration - nfsen (CVE-2017-6971) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104863, Vulnerable Configuration - nfsen (CVE-2017-6972) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104869, Vulnerable Configuration - nfdump (ZDI-CAN-4416) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104885, Vulnerable Debian Package - bind9 (multiple CVE's) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104887, Vulnerable Debian Package - libxml2 (multiple CVE's) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104888, Vulnerable Debian Package - squid3 (CVE-2016-10002) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104891, Vulnerable Debian Package - libgd2 (CVE-2016-9933) - AlienVault 5.3.5 is not vulnerable.
  
• ENG-104898, Vulnerable Debian Package - rabbitmq-server (CVE-2016-9877) - AlienVault 5.3.5 is not vulnerable.
  

See the Security Advisory for USM and OSSIM v5.3.5 for more information.

Additional Upgrade Info for All Users on v5.1.1 and Earlier

• For users on v5.3.1 and earlier, please see the v5.3.2 release notes for information on why all appliances need to be on 5.3.2 or later
  
• For users on v5.2.4 and earlier, please see the v5.2.5 release notes for information on the changes to backups.
  
• For users on v5.1.1 and earlier, please see the v5.2 release notes and read the v5.2 upgrade instructions prior to updating.
  
• For users on v5.0.4 and earlier, please see the v5.1 release notes for additional upgrade information around OTX.
  
• For users on v4.15.2, please see the v5.0 release notes for additional upgrade information.
  

ol.batard

Hi,

Bulk delete doesn't work for all messages.

The select all [X] messages doesn't select all messages but the already (manualy) selected messages... 

 

zparker

Some good stuff in this upgrade. Would be great if our Federated server could see or report the eps of child USM's. How to see EPS trend graph doesn't work from the Fed:/

LBarraco

@ol.batard - can you send me a private mail with your email address? Want to see what you're experiencing on your installation. 

@zparker - great feedback! I've added a ticket to our backlog for that request. Would love to get more feedback from you if you're interested. If you're interested, please send me a private message with your email address and I'll set something up. 

ol.batard

I would like but I have this error when I try to send you a PM... 

Fatal error: Call to undefined method PHPMailer::ThrowExceptions() in /srv/www/htdocs/forums/library/core/class.email.php on line 255

[email protected]

If you click on the New NXLOG Plugin link,  it initially states the Device Vendor is NXLOG (in a green table) for this plugin.  However if you scroll down further, it says we need to select Device Vendor as "Microsoft" 

Can someone pls clarify what to choose? 

jotones

Just for your knowledge:

There is an error with the new feature of grouping by username in the Security Events window.

It groups the events by the username correctly (aparently at least) but when you try to get the events for some specific user, the filter is using the 'IDM Username' field instead the 'Username' field.

We are reporting this issue to Alienvault support.

Jose Luis

kamyabi

Fatal error: Call to undefined method PHPMailer::ThrowExceptions() in /srv/www/htdocs/forums/library/core/class.email.php on line 255

How to fix it while posting a problem in community??

damianz

Hi @jotones, it's working OK now (no longer have "IDM Username", but "Username" now).

jotones

Hi @damianz, 

It is not working, at least in my installation. 

Could you explain the test you are doing? I have not seen any bug or something that could solve the issue.

Best regards