Almost forgot to post this. As written before, OSSIM has been assigned 6 student slots by Google.
The following projects are planned for this summer:
Just a quick note to let you know that we've released a small update. This update fixes the stream preprocessor on the installed Snort version, solving an issue where Snort would eat up 100% of the CPU and die after a couple of minutes. Also, we've linked the update script into /usr/sbin, so after this update it can be run as "ossim-update".
We're proud to announce that Google will be sponsoring development for OSSIM (among many other projects) during its Summer of Code program. Have a look at our ideas page for more information, as well as at the GSoC page.
Update 2008/03/26: Please be aware that application deadline for students is 2008/03/31!
Here is a post Jake from OSVDB made yesterday on Bugtraq which sums it up quite well.
Just a quick heads up in case you have been hiding under a rock..... Google's Summer of Code 2008 is officially on. Full details at http://code.google.com/soc/2008/
Google will begin accepting student applications on Monday, March 24, 2008! Please help spread the word and encourage all eligible students to apply for one of the security related projects!
OSVDB: The Open Source Vulnerability Database: http://osvdb.org/blog/?p=231
OSSIM: Open Source Security Information Management: http://www.ossim.net/dokuwiki/doku.php?id=ideas
Nmap Security Scanner: http://nmap.org/GoogleGrants.html
The Electronic Frontier Foundation/Tor Project: https://www.torproject.org/volunteer.html.en#Projects
SoC Timeline: http://code.google.com/opensource/gsoc/2008/faqs.html#0.1_timeline
We just released an updater package for the OSSIM Installer. A couple of major issues slipped into 1.0.4, a release we couldn't test enough before publishing because of the security fixes it contained.
The errors involve Snort and OSSEC logging / parsing. Both are broken in 1.0.4 for different reasons: the snortunified plugin does not match the Snort unified output filename, and the agent does not send multi-line log lines correctly.
For 1.0.3 users, please download the standalone updater file from the AlienVault Download section. 1.0.4 users should be able to just run the /home/ossim/dist/ossim-update.pl command and get their system updated.
No ISO will be released for 1.0.5 since the changes are actually minimal, so for new users please install 1.0.4 and run /home/ossim/dist/ossim-update.pl after installation in order to get a working 1.0.5.
Enjoy!
We've released OSSIM 0.9.9 this week, a release that was followed by a post to BugTraq about some XSS and SQL injection vulnerabilities present in OSSIM.
After having fixed those vulnerabilities we're now releasing:
Upgrade is encouraged to all OSSIM users.
And here goes the extended version:
We're proud to announce the immediate availability of the 1.0.4 OSSIM Installer, coming both as a standalone ISO image and as an updater. In order to differentiate it from other similar efforts, and reflecting the significant work we're putting into making OSSIM more user-friendly, we're branding it the "AlienVault OSSIM Installer" from now on.
<shameless plug>
About a year ago the creators of OSSIM started a company dedicated to offering professional services around OSSIM, while keeping the development of the open source project with the same name moving. In the beginning we called the company OSSIM as well, but we soon realized that this was generating some confusion between the part that is (and will remain) open source and the services being developed around it (such as courses, tuned appliances, consulting and support), which are helping us to further improve it and are turning OSSIM into a real alternative to similar commercial products.
Therefore we rebranded the commercial part as "AlienVault", a name that was available, sounded good and represented both innovation and security in a single word.
</shameless plug>
Back to release related stuff now.
This is a very important release for several reasons:
The installer is pretty straightforward. The main differences in the installation process itself (compared with 1.0.3) are better hardware compatibility, a bunch of Debian security fixes (including the recent kernel vulnerability) and a custom partition scheme.
The updater should run pretty smoothly on 1.0 through 1.0.3 installations. After downloading and executing the script, the default values for the "auto" method are quite safe. You'll get asked some Debian-specific questions regarding config file updates; answer no (the default) to all of them if unsure, since we'll take care of those updates later on.
After having installed this first updater version (or the 1.0.4 ISO) you'll be able to check for new updates running the /home/ossim/dist/ossim-update.pl script. We intend to include a "check for update" feature within the next release.
Last but not least, regarding the security fixes: we always appreciate being helped out on things we've done wrong, but we'd much prefer being contacted directly (cheers to Dave, who can be found at subverted.org and who notified us of some of these issues some time ago) instead of having to read about our mistakes somewhere else. Feel free to contact us at contact@ossim.net regarding similar issues.
And should you have any other issue with the updater, installer or anything related to ossim, please check out the sourceforge.net forums, mailing lists or contact us directly at contact@alienvault.com.
Here is a more detailed list of the most important changes:
New software:
New features:
Updated features:
Bugfixes:
Enjoy!
The focus of this release has mainly been bugfixes; most of our effort actually went into getting the 1.0.4 installer done along with an updater. The installer will be released in the next couple of days, once we've polished a few remaining issues.
As mentioned earlier, the tutorial series continues with this second installment: OSSIM and compliance regulations: read it here.
This article introduces an OSSIM module which will help your company become more "compliant". It also teaches some basic plugin writing and how to log into OSSIM's syslog.
Enjoy :-)
Just wanted to post a quick notice about a series of tutorials I've been developing and will be posting on my "weblog experiment". Well, the first one is about OCS and you can read it here.
We're proud to announce the availability of a new, fast and reliable installation method for ossim, the first public version of the ossim installer.
Download OSSIM Installer v1.0 here.
This installer aims at solving the problems people have been having all this time installing OSSIM, even when installing from packages. Now everything gets installed and configured in under 10 minutes in a fortified, black-box-like environment.
New features included within the installer are, just to name a few:
For more information about specific configuration options please visit the wiki help page.
This installer also makes the VMware image obsolete, since it can be run inside any available virtual machine without problems.
Warning: the installer will erase the target machine's operating system without asking for confirmation; it will automatically partition the system and deploy everything.
In order to make the image more accessible to everyone, since there've been problems with torrent downloads in the past, we're providing the image via HTTP, using bandwidth courtesy of alienvault.com.
Download OSSIM Installer v1.0 here.
Version 1.1 is already in the works, which will provide means for separate sensor, server, database or expert installations as the most important feature. We expect to release it in three weeks.
Update 2007/11/14: We just released 1.0.1 which fixes a couple of minor glitches reported by users, many thanks. Tomorrow we're going to publish 1.0.2 after solving another small issue which is taking more time. These are errors related to very specific environments and most users shouldn't notice anything.
We're proud to announce the immediate availability of two new pieces of documentation:
We'd like to thank the following people, in no particular order, for their contribution: Zeeshan Ahmed, Jason Minto, Jorge Cuevas and Jon Urionaguena.
Recently we created an OSSIM LinkedIn user group for OSSIM professionals. Both existing and new users are welcome to join, as is anyone else interested in OSSIM in any way.
Quoting LinkedIn's site:
Benefits for group members:
Please click the following link if you'd like to join.
Today we're releasing what will be the last 0.9.9 release candidate, which will be followed by 0.9.9 in a couple of months, aiming at releasing the final 1.0 stable release before the end of 2007, after many years of development.
Besides lots of bugfixes at agent, framework and server level, this release features some noteworthy enhancements:
And as a short preview, what we're currently working on is:
Enjoy.
This is just a quick update to inform you that our next release, 0.9.9rc5 (hopefully the last release candidate), will be released on August 1st if everything goes as planned.
After releasing we'll also update the VMOSSIM image including:
As an update to the documentation entry, we'd like to thank everybody who has offered help or services on this issue. There are currently three different groups of people working on various OSSIM-related documentation improvements, including a huge technical guide, an extensive FAQ and an online help with lots of information on each single tab/feature.
Update 2007/08/01: Release will be delayed until August the 8th while we track down a couple of identified issues.
A company willing to improve OSSIM has offered help in order to greatly improve OSSIM's documentation, so we're posting this quick notice to try to find someone. The ideal candidate would have very good English writing skills, be knowledgeable about OSSIM and have some free time. Everything written would be available freely to the community, the author would get credit for it and of course the job will also be paid.
As you know there's a big lack of documentation at every level, from technical to management, passing through administration, usage and similar. Don't hesitate if you're not so skilled at the low-level details but know a great deal about daily SIM/OSSIM usage and other high-level concepts. And rest assured there is quite a lot to be done.
In conclusion, if you're sure about your English writing skills and think you would enjoy writing the severely needed documentation, being able to share it with everybody and getting credited and paid for it, please contact me at dk at ossim net and I'll give you some more details about requirements, time restrictions and other conditions.
In order to give an initial impression of your skills, please write a short mail with a couple of lines about yourself, describing (very briefly) why you're interested in OSSIM and what type of documentation you think you could help with. Of course, previous experience with something similar will always be a plus. Aaah, and don't forget, it has to be in English :-)
We're happy to announce a new release of the OSSIM VMware image, VMOSSIM 0704. This is the recommended way of running OSSIM if you want to have a glance at its capabilities or don't want to bother with setting up many dependencies.
As with the last releases, everything is working and pre-configured; the image can be instantly deployed on a sample network for real data gathering.
Following is a short list of additions with this release:
Starting with this release we're changing the numbering scheme as announced. This way we can update the image more often, or whenever things get added that aren't 100% related to an OSSIM release (such as a new Snort, Nessus, etc. version).
For detailed information about the image please visit our dedicated site. We have noticed a problem with interface naming: VMware tells you that the image has been moved and asks what to do about the unique identifier; if unsure, keep the UUID. Unless there are other VMOSSIM images with the same MAC on your LAN you should be fine. If you do have to change it, make sure you edit /etc/udev/rules.d/z25_persistent-net.rules so that a valid eth0 interface is assigned for monitoring.
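The interface-naming problem above comes from the persistent-net rule still binding eth0 to the MAC the image was built with. The following helpers (an added example, not part of the original post or of the OSSIM image) detect that mismatch before you touch the rules file; they assume Debian's one-rule-per-line format with a `SYSFS{address}` or `ATTR{address}` match and a `NAME="eth0"` assignment.

```shell
#!/bin/sh
# Added example (not part of the OSSIM news post or of VMOSSIM): after VMware
# regenerates the guest's MAC, the persistent-net rule still binds eth0 to the
# old address and the monitoring interface comes up under another name.
# Assumed rule format (one rule per line, as Debian's
# z25_persistent-net.rules is written):
#   SUBSYSTEM=="net", DRIVERS=="?*", SYSFS{address}=="00:0c:29:aa:bb:cc", NAME="eth0"
# Newer udev writes ATTR{address} instead of SYSFS{address}; both are handled.

# Print the MAC that RULES_FILE binds to interface IFNAME (lower-cased,
# empty if no rule names that interface).
rule_mac() {
    rules_file=$1
    ifname=$2
    grep -v '^[[:space:]]*#' "$rules_file" \
        | grep "NAME=\"$ifname\"" \
        | sed -n 's/.*{address}=="\([^"]*\)".*/\1/p' \
        | tr 'A-F' 'a-f' \
        | head -n 1
}

# Compare the bound MAC with the MACs actually present on the host.
# SEEN_MACS is a file with one MAC per line. Prints and returns:
#   ok      (0)  the rule's MAC matches a present interface
#   stale   (1)  the rule's MAC matches no present interface: edit the rules file
#   missing (2)  no rule for IFNAME at all
check_rule() {
    rules_file=$1
    ifname=$2
    seen_macs=$3
    mac=$(rule_mac "$rules_file" "$ifname")
    if [ -z "$mac" ]; then
        echo "missing"
        return 2
    fi
    if tr 'A-F' 'a-f' < "$seen_macs" | grep -qx "$mac"; then
        echo "ok"
        return 0
    fi
    echo "stale"
    return 1
}

# Collect the MACs of the interfaces present on this host, one per line,
# for use as SEEN_MACS. Example on the VMOSSIM guest:
#   live_macs > /tmp/macs
#   check_rule /etc/udev/rules.d/z25_persistent-net.rules eth0 /tmp/macs
live_macs() {
    cat /sys/class/net/*/address 2>/dev/null || true
}
```

A "stale" result means the MAC in the rule no longer exists on the guest, which is exactly the case where eth0 ends up assigned to no interface and the rules file has to be edited.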
Finally, please send us any comments on the image, things you would like to see included, how we could improve it, scripts you've developed on your own, etc, etc...
Also, once more we'd like to thank everybody who's seeding the image, thank you very much.
Debian 4.0 "Etch" has just been released. For all of those who installed OSSIM specifying "testing" as the package source, we urge you to change to Etch, which will be our main/stable distribution platform for quite some time:
deb http://ftp.debian.org/debian/ etch main contrib non-free
deb http://security.debian.org etch/updates main contrib non-free
deb http://www.ossim.net/download/ debian/
We identified a couple of problems with this release that might lead to some headaches and wanted to share them here:
We thought that after all the trouble we've had lately this would be a perfect release day, so here it is. We're proud to announce the availability of OSSIM 0.9.9rc4, featuring lots of bugfixes as well as some very interesting new features. Since we're somewhat misusing the numbering standards, we'll try to close the "0.9.9rc" series asap and start working on 1.0alpha very soon.
Among the most noteworthy new features there are:
As you'll notice, we've separated the source distribution files (as well as the CVS) into two: os-sim and agent. After this release we're going to split the code into different CVS branches for clarity:
Almost last but not least, a quick note on the VMware image. We're working on it and want to avoid errors we made in the past; the expected release date is April 14th, and expect some major enhancements therein too. And many many thanks to everyone who's been seeding all this time.
Finally we'd like to thank a bunch of people for various reasons:
Enjoy.
We've had severe ISP problems this last week which have forced us to move everything in a hurry. We apologize for any inconvenience caused by this and expect no more problems for a while. We've been fixing everything and trying to get a stable environment asap; we still have some problems with the torrent tracker but everything else should be ok now.
As a result we have to delay the release a couple of weeks until we're sure everything is running fine again. We also have missed testing time due to all of this.
If you notice any problems on the server (mail, repository, whatever) please drop us a short mail so we can fix everything.
I'd like to thank the people at our new provider, m5hosting.com. They've been very helpful in setting up a new home for ossim.net. Thanks :-)
Just a quick note announcing the soon to be released 0.9.9rc4 version. We're releasing another and hopefully last release candidate for 0.9.9, after having fixed tons of things during these last four months. We don't know the exact date but it will be before the end of the month.
We're proud to announce the availability of our last release candidate before 0.9.9 unless we discover major issues which would justify a rc4.
This has been a summer of testing and bugfixing and many issues have been resolved. A major Metric panel rewrite, server crash fixes, anomaly issue corrections are some of the highlights of this release, please check the changelog for more information.
Additionally we're releasing an updated version of the vmware image. As a reminder, you can always use the old one and use apt- in order to upgrade it.
As said on the first line, expect this to be the last release candidate before 0.9.9 so we'll soon be able to work on new features again, which we'll be detailing during the next months.
Just a quick note: we can confirm a release this Friday, a release which, as stated before, will be a major bugfix one. Hopefully this will be the last rc for 0.9.9 too.
Update, 2006/09/14 18:30 GMT: we'll have to delay the release; some of the bugfixes are harder to implement than we had thought and it would be somewhat irresponsible to release tomorrow. The final 0.9.9rc3 release date is going to be the 22nd of September, next Friday. Sorry for any inconvenience this may have caused.
Just a quick note. A couple of weeks ago the winners of the VMware virtual appliance challenge were announced and, well, no luck on our side this time. Congrats to the winners, guess we'll have to do better next time :-).
Besides that, we'll be announcing a new release next week (it should be due around September 15, once we've sorted out a series of bugs, mainly with the control panel and RRD updates).
While fixing that we're as well finishing the multi-server code which should soon enable for larger distributed architectures, more on this after the (hopefully) last 0.9.9rc. The new agent codebase is almost done too and should start shipping after this release.
Last but not least, after having toyed around with NetFlow these last weeks, we're putting together a document describing some sample scenarios using fprobe, ntop, flow-capture and some others together with OSSIM.
We have just uploaded an up-to-date Vmware image with the 0.9.9rc2 version. You can grab it from our local tracker.
Remember that you can update your current Vmware image using "apt-get update && apt-get install ossim". You can get more info about the image in the wiki.
Please keep seeding for a couple of days once the image has been downloaded.
The OSSIM Team
As promised, here it is, 0.9.9rc2. Not much news on the release itself: we fixed tons of bugs (kudos to everyone reporting them and sending information in), which should make this release a bit more stable and user-friendly.
Having said this we'd like to express our gratitude again to everyone seeding the vmware image. It has been downloaded 581 times already and still is growing. Of course we'll be releasing and seeding an up-to-date 0.9.9rc2 version image with all these bug-fixes included. We're currently working on an http mirror too which will be provided by Richard Sperry @ Wrinklebrain, we'll issue a separate announce once it's up & running.
The image will be announced on this page when it's ready, we've had some logistics issues this morning.
Anyway, in case you don't want to download it again simply use "apt-get update && apt-get install ossim" in order to fetch the just-released version. We recommend updating Base too btw (apt-get install acidbase). After that the upgrade system should ask you for a quick patching when you log into the web console next time and that's it.
Special thanks go to Jeremy Briffaut, who has been working on Gentoo installation instructions. This is a very detailed guide and should be useful to anyone wanting to install from source. It includes some tricks too; it's well worth a look.
Enjoy !
Update, 2006/06/30 15:10 GMT: if you downloaded the .tar.gz sourcefile or updated your debian installation before this time please do so again, a serious server bug has slipped in and we just fixed it. We apologize for any inconvenience this might have caused.
Many thanks to Thibault Vigneron and Antoine Fabry for the following contribution. This PDF document presents a detailed step-by-step installation of OSSIM on Debian GNU/Linux. It is written in French and should give OSSIM a boost among the French-speaking community.
Thank you very much !
0.9.9rc2 is going to be released June 30th. We've fixed many bugs, including a serious one at server level which some users had detected. As a side note, we've slipped in some new server keywords which can be used by plugins and for correlation purposes (username, password and filename fields, among others).
We'd also like to express our gratitude to all the users who've been seeding the vmware image. 421! downloads and growing, many many thanks for making it possible.
We're proud to announce the availability of ossim 0.9.9rc1 after more than a year since last release. Our intention is to shorten this release period again providing a couple more release candidates during June / July and publishing the final 0.9.9 around mid-July.
After that we'll move into 1.0bN images aiming at a 1.0 release around 2nd quarter 2007.
This release features too many exciting enhancements to summarize them here, so we recommend checking out the next news entry for a short list.
As a side note and in order to make the first impression of ossim easier to everyone we're publishing a 235MB fully configured vmware image. Please refer to VMWare for more information.
Besides this image we've released source code and debian versions. RPM packages for all the major rpm platforms will follow soon.
Many many thanks to everyone who submitted documents, code, plugins, etc... some are mentioned on the thanks page, obviously many are missing too but we would like to give a special mention to, in no particular order:
Finally we would like to send our best wishes to Julio who's been having a hard time lately. All the best Julio.
The ossim team.
The following list is a somewhat reduced compilation of what has changed since 0.9.8. 2006/05/31 still is the official release date for this release.
Do you remember the mention about Z4CK we made almost a couple of years ago ? Digital Force is the sequel to Z4CK, I haven't read it yet but OSSIM is being mentioned inside again. I'll comment on it once I get to read it.
Thx a lot Kevin !!
DK
Official release scheduled for 2006/05/31, we'll be posting release notes before that date anticipating one year of changes.
It's been quite some time since we last had an update so here's sort-of-a "Slashdot's slashback".
Besides that there's starting to be some activity on the plugin front. We've received some contributions lately so we thought about setting up a separate CVS module for this purpose as well as a separate plugin listing in order to thank those contributors adequately.
I'm surely missing things here, but I'll try to get the full list of contributions and similar by the release date. I can't specify one right now, but it should most definitely be during the next couple of weeks.
Dominique.
We're publishing a new document (pdf) entitled "Ossim | How to install ossim-agent on Windows Box". The document has been written by Matteo Perazzo and targets all those users wanting to run the agent / sensor part (with snort at least) on windows.
We hope you enjoy it.
We're proud to announce the availability of a Dokuwiki covering ossim information. We decided to initially trust contributions so registration is open and everybody is allowed to post almost everywhere.
Please check a couple of short behaviour rules; besides that, please feel free to post what you want.
As part of the wiki release we release a new roadmap which we'll update as needed. (Hopefully not too often). Please send any comments or suggestions to Dominique dk [at] ossim . net
Enjoy!
As you all may have noticed, development has been slowing down over the last four or five months. We've suffered some real-life and work issues that have negatively affected the development pace, but it seems like everything is more or less sorted out and we expect to get moving again soon. Expect a roadmap update that will reflect these changes, as well as another release before the end of the year.
Additionally, we would like to link to a couple of pages that caught our attention lately. Joël Winteregg from the Swiss EIVD has put up a page with some OSSIM documentation as well as some interesting plans about extending OSSIM.
Interesting read indeed.
The second link we deemed interesting is to a French-speaking blog regarding OSSIM. It looks very promising.
Kaos.Theory: Fractal Blog features an interesting article combining various open source tools in order to provide physical & logical security to a site.
From the page:
"A guide to securing your home and home network with inexpensive hardware, open source software and about 8 hours of dedicated time"
Interesting read indeed.
After having fixed numerous bugs we're releasing 0.9.8. With five months of testing on its back we expect this release to be quite stable. There have been many many bugfixes since the last release, while we tried to keep improvements to a minimum.
Just as a reminder, besides the source tarball, OSSIM packages are readily available for Debian and FC3 from the download section.
After many months we're releasing Fedora RPMs again. You can install them using apt-get; just set up your sources.list as follows:
rpm http://www.ossim.net/ download/fedora fc3
and issue an "apt-get install ossim". Anyway, please check the updated FC3 documentation, since quite a few things have changed since the last RPM release.
We would like to thank everybody that is currently testing them and giving good support on forums & mailing lists. Thank you guys !