
AlienVault v5.4 Functional Release

SkylarTalley

AlienVault Employee
As of Wednesday, June 28 2017, AlienVault USM and OSSIM v5.4 are now generally available for all existing and new customers. Users can update their system(s) through the console or web UI (see upgrade instructions for more information). For customers using the Managed Appliance Service, please note that AlienVault Support will be contacting you to schedule your update.

Please take a few minutes to carefully read these release notes before upgrading.

Feature releases will change the behavior of the system with new functionality. AlienVault encourages users to first apply the upgrade to a test system to understand and learn the new functionality before upgrading production systems. Carefully read the enhancement summary and change log below before upgrading your system.


Announcements

Training Webcasts
Join us to learn what's new in v5.4! Check out the training schedule below and sign up:
What's new in USM v5.4? - Thursday, June 29th

CPU Requirement
The upgrade to v5.4 requires the CPU to support the SSSE3 (Supplemental Streaming SIMD Extensions 3) instruction set. Please see this Knowledge Base article for more details.



New for USM only

  • Auto-updates for Threat Intelligence and Plugins - Users will no longer need to log into the system to update their feeds. They can enable auto-updates and then schedule the updates to run at a desired time.
  • New reports for ISO 27002 and NIST/FERPA - We've added 18 new reports for ISO 27002 and 10 new reports for NIST/FERPA compliance.

New for USM and OSSIM

  • Hyper-V support - Deployment of AlienVault USM on Hyper-V v3.0+ (Windows Server 2008 SP2 and later) is now officially supported!
  • Export reports to XLS - Users will now be able to export their reports to XLS format in addition to PDF. This provides more flexibility for further use and modification of the exported data.
  • Optimized NIDS rulesets for better performance and better matching (fewer false positives and more indicators identified).
  • Plugin Builder (previously called Smart Event Collector or ASEC) - We now have an intuitive way for users to create their own custom plug-ins from log files. After uploading a sample log file, users will use a guided set-up flow to easily create their custom plug-in.
  • Alerting on netflow (*NOTE: only available for "All in One" deployments that do not utilize a remote sensor) - Many anomalies can be detected through netflow, such as an unusual amount of bandwidth used by a host or a large number of flows generated. These cases often reveal successful exfiltration attempts, since a host is now behaving differently on the network. You can now use USM to generate alarms and get alerted when your netflow goes above or below set thresholds.
  • Quick OTX lookup from right-click menu - Right-click on any IP in the Alarms and Events view to search for details in OTX, making environmental awareness easier than ever.
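To make the netflow threshold alerting described above concrete, here is an added example of the same idea in Python: per-host byte and flow counts are aggregated over one interval and compared against upper and lower thresholds. This is illustration code, not AlienVault's implementation; the flow record layout (src, dst, bytes), the sample flows and the threshold values are all assumptions.

```python
"""Threshold-based netflow anomaly check (added example; the flow record
layout and all thresholds are assumed, not taken from USM)."""
from collections import defaultdict

# Constructed sample flow records (src, dst, bytes) for a single interval:
# one host uploading a large volume, one quiet host, one host generating
# a burst of small flows to many destinations.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 900_000_000),
    ("10.0.0.5", "203.0.113.11", 700_000_000),
    ("10.0.0.7", "198.51.100.20", 4_000),
    ("10.0.0.7", "198.51.100.21", 3_000),
] + [("10.0.0.9", f"192.0.2.{i}", 60) for i in range(1, 301)]


def aggregate(flows):
    """Sum bytes and count flows per source host for the interval."""
    stats = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for src, _dst, nbytes in flows:
        stats[src]["bytes"] += nbytes
        stats[src]["flows"] += 1
    return stats


def check_thresholds(flows, max_bytes, max_flows, min_bytes=0):
    """Return (host, reason, value) alarms for hosts whose interval volume
    is above the byte or flow ceilings, or below the byte floor (a host
    that suddenly goes silent is also worth an alarm)."""
    alarms = []
    for host, s in sorted(aggregate(flows).items()):
        if s["bytes"] > max_bytes:
            alarms.append((host, "bytes_above", s["bytes"]))
        if s["flows"] > max_flows:
            alarms.append((host, "flows_above", s["flows"]))
        if s["bytes"] < min_bytes:
            alarms.append((host, "bytes_below", s["bytes"]))
    return alarms


if __name__ == "__main__":
    # 1 GB per interval and 200 flows per host are assumed thresholds.
    for alarm in check_thresholds(SAMPLE_FLOWS, 1_000_000_000, 200):
        print(alarm)
```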

Documentation Updates



Change Log

  • ENG-105493 Fixed wrong breadcrumb messages on Event and Alarm pages
  • ENG-105414 Moved to using DSA for log signing
  • ENG-105406 Fixed AlienVault Community link in support section not working
  • ENG-105388 Hide ISO 27001 compliance mapping page and report
  • ENG-105372 AV forwarding: fixed issue where more than one av-forward process is executed at the same time in the child server
  • ENG-105363 AV forwarding: fixed issue where forward process is not stopped if pid file does not exist
  • ENG-105353 AV forwarding: fixed server socket timeout in idle state
  • ENG-105312 AlienVault Forward - forwarder is unable to manage too large avcache
  • ENG-105309 Fixed Vuln Scans / Hids deployment requiring insecure SMBv1
  • ENG-105306 Poor error handling in OTX pulse sync is creating denial of service attack from USM/OSSIM clients
  • ENG-105224 Fixed issue where message sent date changes to current date upon reading the message in the Message Center
  • ENG-105184 SIEM query performance optimization (investigation)
  • ENG-105168 New NIST/FERPA reports
  • ENG-105148 New ISO 27002 Reports
  • ENG-105139 Fixed issue where Alienvault-forward stops sending alarms to Fed after mysql error reloading hierarchy
  • ENG-105126 Fixed issue where configuration backup does not include config.yml
  • ENG-105110 Improved log message for parsing timeout in agent
  • ENG-105084 Fixed Fed Server displaying wrong directive event name
  • ENG-105082 Error updating to 5.3.6 if a sensor is configured with sflow
  • ENG-105068 Removed deprecated scripts from sudoers
  • ENG-105059 Addressed Potential SQL injection in OssimDB.exec_query()
  • ENG-105057 Message Center message has broken URL for backup password
  • ENG-105034 Fixed issue with SIEM page taking an exceptionally long time to filter on Alienvault-HIDS
  • ENG-105029 HA resources allocated to both nodes
  • ENG-105024 Fixed defect resolving IP on a string.
  • ENG-105019 Cannot set up NetFlow sources using 'sflow'
  • ENG-104987 Fixed Grouped by username SIEM queries not working
  • ENG-104980 Fixed bulk delete in Message Center only Deletes 50 at a time
  • ENG-104977 Disabling and Enabling Policies is not tracked by User Activity monitoring
  • ENG-104974 Fixed GSW rewriting default networks list
  • ENG-104969 Updated OSSEC to 2.8.3 for Linux platform
  • ENG-104962 updateplugins.pl script breaks with double quotes introduced by new plugins
  • ENG-104944 Fixed delay defect while resolving hostnames (Ironport plugin)
  • ENG-104943 Fixed issue with agent not being able to start a remote logs parser
  • ENG-104928 Fixed incorrect number of rows exported in PDF/CSV SIEM reports
  • ENG-104920 Addressed unneeded messages in Web UI when using bulk selecting option for tickets
  • ENG-104914 Fixed alarm search showing incorrect results when source and destination IP are the same
  • ENG-104895 Fixed a SIEM DB backup possibly bringing down a USM
  • ENG-104865 Updated useractivity log messages
  • ENG-104853 Fixed duplicated alert details on email when multiple recipients
  • ENG-104851 Fixed Ossec config issue - not processing logs from ossec-single-line
  • ENG-104850 Fixed Ossec firewall log is enabled on all installs, but not used by our plugin.
  • ENG-104839 Fixed typo: "Pre-scan localy" during vulnerability scan configuration
  • ENG-104808 Fixed GUI deleting more Ossec agents than the selected one
  • ENG-104793 Error message does not indicate a network is already defined
  • ENG-104788 Message center is breaking URL links embedded in system messages.
  • ENG-104705 Remove the word "reverse" from "Enable Reverse DNS Resolution"
  • ENG-104603 Ticket Creation of Grouped View Alarms - Fixed link to Alarms
  • ENG-104555 Added support for src/dst HOME_NET in policies
  • ENG-104545 Fixed !SRC_ip failing on custom directives
  • ENG-104473 Fixed Hostname replaced with {resolv_ip($hostname)} in some scenarios
  • ENG-104383 Fixed Ticket Report - Date Range not showing correct results.
  • ENG-104359 Fixed USM not processing events when event backup is running
  • ENG-104346 Addressed smart event collection maximum file size issue
  • ENG-104343 Improve smart event collector web UI (Plugin Builder)
  • ENG-104339 Alert on netflow - *Note, this functionality will only work on AIO deployments without a remote sensor.
  • ENG-104319 Added list of invalid characters displayed next to password input field in web interface
  • ENG-104307 Improvement to Agent's logrotate handling
  • ENG-104189 Update OSSEC to 2.8.3 - xpath filters do not work with current 2.8.2 version
  • ENG-104018 Addressed AlienVault-rhythm appears to be matching incorrectly
  • ENG-103872 Added export reports to XLS
  • ENG-103854 ParserDatabase.py logging
  • ENG-103853 Fixed reconnect issue in Forward with more than one upper server
  • ENG-103818 User activity - log OSSEC activity changes
  • ENG-103791 Schedule clean up table log_action
  • ENG-103789 Add OTX lookup to right-click menu on IPs
  • ENG-103739 Deprecate macheted process from smart event collector (asec)
  • ENG-103712 VPN: Federated server uses admin IP of child USM instead of VPN IP to display child USM raw logs
  • ENG-103697 [Low load] Web UI displays alarms as still being correlated despite having reached the last correlation level
  • ENG-103652 'Asset logs not being processed' for assets that are not forwarding logs
  • ENG-103480 Suricata keeps filling up /var/log/suricata and crashing system
  • ENG-103457 Added new device types for asset management
  • ENG-103450 Add read user log_action table
  • ENG-103398 Fixed asset scan schedule not being properly stored for remote sensor and being reset after agent restart
  • ENG-103381 Fixed OSSEC Stops After Midnight and Needs To Be Restarted
  • ENG-103243 Added support for src/dst !HOME_NET in policies
  • ENG-103213 Fixed unable to re-enable asset availability monitoring
  • ENG-103074 Changed how Suricata reports proxy-hidden communications
  • ENG-103016 Be able to schedule auto-updates for threat intelligence & plugins (not platform) - USM only
  • ENG-102950 Addressed Insufficient permissions for custom_tasks.ylm file
  • ENG-102760 Fixed activity with OTX IP Reputation reports are not working properly
  • ENG-102682 Added (custom) plugins to configuration backups
  • ENG-101869 Fixed toggling availability "on" does not work if a plugin has been previously enabled for the same host
  • ENG-101832 Fixed [Configuration - Administration - Main] Log to syslog option doesn't work properly
  • ENG-100765 Fixed firewall enable/disable option in console and web UI is not working

Security Advisories

  • ENG-105735 Vulnerable Debian Package - libffi (CVE-2017-1000376) - AlienVault 5.4 is not vulnerable.
  • ENG-105733 Vulnerable Debian Package - libgcrypt20 (CVE-2017-9526) - AlienVault 5.4 is not vulnerable.
  • ENG-105722 Vulnerable Debian Package - linux (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105691 Vulnerable Debian Package - rtmpdump (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105659 Vulnerable Debian Package - nss (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105651 Vulnerable Debian Package - openldap (CVE-2017-9287) - AlienVault 5.4 is not vulnerable.
  • ENG-105647 Vulnerable Debian Package - sudo (CVE-2017-1000367) - AlienVault 5.4 is not vulnerable.
  • ENG-105630 Vulnerable Debian Package - libtasn1-6 (CVE-2017-6891) - AlienVault 5.4 is not vulnerable.
  • ENG-105626 Vulnerable Debian Package - samba (CVE-2017-7494) - AlienVault 5.4 is not vulnerable.
  • ENG-105614 Vulnerable Debian Package - tiff (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105608 Vulnerable Debian Package - freetype (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105600 Vulnerable Debian Package - bind9 (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105523 Vulnerable Debian Package - mysql-5.5 (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105488 Vulnerable Debian Package - icu (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105481 Vulnerable Debian Package - jasper (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105382 Vulnerable Debian Package - eject (CVE-2017-6964) - AlienVault 5.4 is not vulnerable.
  • ENG-105324 Vulnerable Debian Package - samba (CVE-2017-2619) - AlienVault 5.4 is not vulnerable.
  • ENG-105319 Vulnerable Debian Package - wireshark (multiple CVE's) - AlienVault 5.4 is not vulnerable.
  • ENG-105078 Vulnerable Debian Package - mongodb (CVE-2016-6494) - AlienVault 5.4 is not vulnerable.

See the Security Advisory for USM and OSSIM v5.4 for more information.


Additional Upgrade Info for All Users on v5.1.1 and Earlier





Comments

  • Looking good! Can you elaborate on what is involved with the optimized NIDS rulesets?
    tracy.danger
  • I see that Suricata has been updated;
    alienvault:~# suricata -V
    This is Suricata version 3.2 RELEASE

    Does this mean that you support ERSPAN? I can't find any notes on that in the release notes.
    tracy.danger
  • Hello,

    The upgrade failed due to Suricata:

    dpkg: error processing archive /var/cache/apt/archives/suricata_2%3a3.2-2~bpo8+2_amd64.deb (--unpack):
     subprocess new pre-removal script returned error exit status 1
    Starting suricata in IDS (af-packet) mode... done.
    Errors were encountered while processing:
     /var/cache/apt/archives/suricata_2%3a3.2-2~bpo8+2_amd64.deb
    E: Sub-process /usr/bin/dpkg returned an error code (1)
    + echo 'ERROR: Failed to install new Suricata version!'
    ERROR: Failed to install new Suricata version!
    + return 1
    ## update_suricata_refresh_conf, code 1

  • It seems to work after an "apt update" before the "alienvault-update"
    tracy.danger
  • Hi @idarlund, ERSPAN is not currently supported, unfortunately. We'll be working on it for a future release. 
  • Auto-Update is easily the single biggest step forward in this release. Keep them coming!
    LBarraco
  • After 5.4.1 update (from 5.4): no more OTX info, and list of HIDS is empty. I already rollbacked.
  • @EGeek If you log a case we can assist with those issues - https://support.alienvault.com
  • After upgrading to 5.4.1 from 5.3 I receive error messages about an 'Invalid logger' setting despite the fact that the 'Logger' is not configurable in OSSIM.

    Now I am getting NO events being inserted into the database.

    /var/log/alienvault/agent/agent.log shows 1000's of events per second coming in.
    /var/ossec/logs/alerts/alerts.log shows an equivalent 1000's of alerts being generated

    Nothing being inserted into the events database - nothing showing in the 'Real time' events display either.

    I have rolled back to a previous snapshot - Any ideas?

  • Plugin Builder feature is not working in OSSIM. Kindly fix.