We're proud to announce 0.9.8rc2, mainly a bugfix release. Lots of parser bugs have been corrected, as well as framework and server issues.
We've tried to keep feature enhancements to a minimum since this is intended to be mainly a bugfix release, but the following new features are worth naming:
See the ChangeLog for details.
We're releasing 0.9.8rc1 so we can catch any bugs introduced by the latest code-changes. This release features:
Enjoy ;-)
Help needed.... Again.
Starting with ossim 0.9.8 we'll introduce internationalization support and will be able to release in English, French, German and Spanish. However, we would love to support many more languages and need some help. If you're willing to contribute a translation for any language please contact Dominique at dk [at] ossim dot net.
And as a little spoiler, here are some screenshots [1], [2] of the new appearance which we'll introduce in 0.9.8 and which is 99% definitive for 1.0.
Enjoy ;-)
In an effort to support input from as many devices as possible before releasing 1.0, we request your help. We need sample logs (files or individual lines), regular expressions, documentation, etc. from any device or program that you consider interesting for correlation and qualification. If you are willing to help please send an email to logs at ossim dot net with the following information:
All fields are optional except the sample logs. We need them even if a regexp is provided for verification purposes. Of course you may obfuscate fields such as usernames / ip addresses and similar sensitive information although none of the submitted log-files will be published without express permission.
Thank you in advance.
We're proud to announce the availability of ossim 0.9.7. This release fixes numerous bugs present in rc1 and rc2 and provides two major feature enhancements: optional database configuration replacing ossim.conf and pdf reporting using FPDF. Enjoy :).
Many things have happened since our last release (nearly three months ago).
First of all we would like to greet our two new members again: Stephane Fournier who has been helping the project for many months now and has agreed to join us and our (currently) nameless elephant, the official logo.
Focusing on the 0.9.7 release the most noticeable improvements have been:
Besides those main additions, we're currently improving the directive viewer/editor, have fixed many bugs and have added new parsers for the following devices/generators:
To take advantage of all of this don't forget to check the new documentation (thanks Ken!):
(01/10/2004) Update: We have released OSSIM 0.9.7rc2. This version fixes some sql errors and includes some incident manager improvements.
We're pleased to announce the new mailing list announce at ossim dot net, on which new releases, new documents, project status updates and similar information will be sent out.
If you wish to subscribe please visit http://www.ossim.net/mailman/listinfo/announce.
Kevin Milne, whom we already had the pleasure to mention here some weeks ago, has just submitted a first version of his User Manual. This manual covers ossim from an end user's point of view and goes through the web UI explaining the steps needed to create and tune assets, policies, priorities, etc.
Ossim is mentioned in Kevin Milne's book Z4ck. Z4ck is a novel about a hacker on the run, available at http://www.z4ck.org and soon to be available on Amazon. In the book, the protagonist uses ossim in his daily security monitoring job.
(DK) PS: As a personal opinion I enjoyed the book very much.
As said last week we were finishing another paper about ossim's correlation engine. It's done, you can grab it here. Enjoy.
July has been a busy month for us all, but nevertheless here's a short status update.
First of all we would like to thank Stéphane Fournier for joining our team. He's been doing a great job the last couple of months and helped to improve ossim a lot so, welcome.
If you've taken a look at the CVS you'll have noticed all the ACL work we implemented using phpGACL. It adds a new layer of access control to the whole application, and it fits with the code review we'll have to do before 1.0, which is around the corner. The RRD stuff is being heavily improved too, since currently it only results in noisy false positives.
Another addition that will make it into 0.9.7 is a reporting module for incident handling that could be very useful on bigger environments with incident escalation procedures and the like.
A little bit late but we're pleased to announce the availability of the bundled Fedora-Ossim 0.9.6 ISO provided by Boseco, grab it at http://www.boseco.com. It includes some nice additions and pretty much shows how a good setup should look.
Again, new documentation is available too (thanks to Ken Gregoire) and we're finishing a second paper covering the correlation engine. It should be out later this week.
And, last but not least: check out http://www.bleedingsnort.com for up-to-date, bleeding-edge snort rules. The false positive rate is extremely low for such little-tested signatures, and they are being very useful to us.
Finally we've got a logo! Why did we choose an elephant? Our elephant will assimilate all the different network events, it will remember each attack and correlate the responses, it will find the proof that it's a real attack, and finally it will raise a big alarm.
You can see more pictures at the artwork section.
Version 0.9.6 is out. Please upgrade to this version as it corrects many bugs affecting framework, server and agents.
As you can see on http://www.ossim.net, we've also redesigned part of our web page and have set up an apt-like repository for ossim and its dependencies. Just add one of these lines to your sources.list:
# Fedora Core 2
rpm http://www.ossim.net/ download/fedora fc2 os-sim
# Fedora Core 1
rpm http://www.ossim.net/ download/fedora fc1 os-sim
We're proud to announce the availability of Debian packages for most of the OSSIM dependencies, along with up-to-date documentation. The original OSSIM RPMs can be easily converted using alien. Enjoy!
Update:
You can add this line to your /etc/apt/sources.list file:
deb http://www.ossim.net/download/ debian/
Ossim 0.9.5 is out. Featuring a huge number of bugfixes and some very nice improvements we're steadily approaching 1.0.
Here's a short list of what this release provides:
We're proud to announce OSSIM 0.9.4. Again, many, many bugs involving agent, server and framework have been fixed in this release. There have been lots of speed improvements too. Additionally, as usual, new features have been finished.
Here is a short list:
Enjoy...
We would like to thank Michael Boman for the effort he is putting into getting a fully working Fedora OSSIM-ISO with all needed dependencies packaged and ready to use. See the official announcement.
For more information about the ISO (which is still in beta-testing) please visit http://www.boseco.com. We'll also keep this site up-to-date regarding OSSIM-ISO (if you come up with a better name just throw us a mail) and announce new releases, making the iso available when it's stable enough.
We'll be releasing in a few days, so this should be 99% OSSIM 0.9.4 iso. Check for it at download section and enjoy! :)
Note: The ISO mentioned above doesn't contain a Live! Distribution. It's an installation CD.
It happened again. Fixing some bugs within 0.9.1 we introduced a new serious bug. Release 0.9.3 fixes monitor requests from the server that were broken in 0.9.2.
We apologize for any inconvenience this may have caused.
A major bug was introduced in 0.9.1 and has now been fixed. Some bugs have also been fixed in the misc scripts.
Besides that, OS and MAC detection has been incorporated into the agent, and the change-detection logic is now done on the server side.
Last but not least, sensor management has been greatly improved: ntop, snort, arpwatch, etc. can now be started/stopped and enabled/disabled from within the web interface.
Thanks to all those who submitted useful bug reports.
Ten days after releasing ossim 0.9.0 we're proud to announce 0.9.1. Hopefully this means we'll be able to release every 15 days as we did at the beginning...
This release's main purpose is twofold:
With this new correlation method, whenever an alert arrives against a host on which nessus has identified a related vulnerability, the alert's reliability and priority are raised. It's as simple as that. As of today we've got a relation of 610 snort-nessus events. This is possible thanks to the hard work of Ignacio Herrero; it's been a hard task.
If you think there are more events that should be included into this list please submit them.
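The snort-nessus correlation described above, as an added illustration that is not OSSIM's own code: a relation table maps a snort signature id to the nessus plugin ids that detect the weakness it targets, a per-host inventory records what nessus actually found, and an alert whose destination host carries a related finding gets its reliability and priority raised. The signature ids, plugin ids, host addresses, boost amounts and the 0..10 / 0..5 scales are all constructed assumptions for the example, not OSSIM's real relation data.

```python
"""Snort-Nessus cross-correlation (added example, not OSSIM code).

All ids, hosts and scales below are constructed for illustration.
"""
from dataclasses import dataclass, replace

# Constructed relation: snort sid -> nessus plugin ids that detect the
# weakness the signature targets (hypothetical numbers, not real ids).
SNORT_TO_NESSUS = {
    1001: {20001},
    1002: {20002, 20003},
}

# Constructed nessus inventory: host address -> plugin ids that fired.
NESSUS_FINDINGS = {
    "10.0.0.5": {20001},
    "10.0.0.9": {20003},
}

# Assumed scales; values are capped so a boost never overflows them.
MAX_RELIABILITY = 10
MAX_PRIORITY = 5


@dataclass(frozen=True)
class Alert:
    sid: int          # snort signature id
    dst_ip: str       # attacked host
    reliability: int  # 0..MAX_RELIABILITY
    priority: int     # 0..MAX_PRIORITY


def correlate(alert, relation=SNORT_TO_NESSUS, findings=NESSUS_FINDINGS,
              reliability_boost=3, priority_boost=1):
    """Return (alert, matching_plugin_ids).

    The returned alert has raised reliability/priority only when the
    destination host has a nessus finding related to the signature;
    otherwise the original alert is returned unchanged with an empty set.
    """
    related = relation.get(alert.sid, set())   # unknown sid -> no relation
    present = findings.get(alert.dst_ip, set())  # unscanned host -> nothing
    hits = related & present
    if not hits:
        return alert, hits
    boosted = replace(
        alert,
        reliability=min(MAX_RELIABILITY, alert.reliability + reliability_boost),
        priority=min(MAX_PRIORITY, alert.priority + priority_boost),
    )
    return boosted, hits


if __name__ == "__main__":
    # Constructed alerts: a correlated hit, a host with an unrelated
    # finding, a capped boost, and an unknown signature.
    for a in (Alert(1001, "10.0.0.5", 4, 2),
              Alert(1001, "10.0.0.9", 4, 2),
              Alert(1002, "10.0.0.9", 9, 5),
              Alert(9999, "10.0.0.5", 4, 2)):
        out, hits = correlate(a)
        print(a.sid, a.dst_ip, "->", out.reliability, out.priority, sorted(hits))
```

The point of the intersection is that a matching signature alone is not enough: the host must actually carry the related finding, so an alert against a host that nessus found vulnerable to something else is left untouched, and an alert whose signature has no relation entry at all is passed through as-is.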
Besides that, minor feature enhancements include:
Enjoy