AlienVault R&D Labs Portal. Get the latest news from our research.

Author Archives: DK

About DK

Mr Wolf Wannabe.

Request for case-studies, testimonials, comments and feedback

May 5th, 2009 | Posted by DK in Alienvault OSSIM - (Comments Off)

A friend of mine is preparing a talk for a security conference this summer around OSSIM. He asked if I could get some feedback, case studies or anything else that could back up and enrich his talk; that is what this post is for :-).

So please, should you have anything (whether it’s good or bad, happy or sad) to say about OSSIM (or should you know anybody who does) which you would like to share, write to feedback@ (I created the alias so I wouldn’t miss anything; feedback is very important to us).

Anything from “I use OSSIM” to complete papers is welcome, though in order to avoid confusion I’d ask you to please include these few lines at the beginning of the mail:

Name (leave empty for anonymous):
Company (leave empty for anonymous or substitute for "english university" or "canadian oil platform" or similar):
Is it ok to tell/forward this?: yes/no (if the answer is 'no' then no one but me will know about this :P)
Is it ok to publish this on ossim.net/alienvault.com?: yes/no

Here again for copy & paste:

Name:
Company:
Ok to tell/forward?:
Ok to publish on ossim.net/alienvault.com?:

Last but not least, this is no commercial action, you won’t be contacted by anybody nor will you be included in any spam database; I’m just curious and want to help a friend out :-)

DK

Mr Wolf Wannabe.

More Posts - Website

New Installer beta: 1.2beta6

May 2nd, 2009 | Posted by DK in Installer - (Comments Off)

I’m happy to announce the availability of the next beta, AV Installer beta6 (md5: 21204ecf2949a1d9ac9838b3c694b72d).

Again, thanks a ton to everybody testing the betas and reporting bugs and improvements; with your help this is already the best release that has ever been published for OSSIM.

The beta-testing process is reaching the point where we’re going to freeze code and just fix bugs. OpenVAS is now fully integrated and running like a charm; the compliance framework runs out of the box for ISO27001 (install beta6, run “apt-get install ossim-compliance” and go to Reports -> Reporting server); many new directives have been added and old ones fixed. A quick warning: OpenVAS takes ages to start the first time. If it looks like it hangs during init, don’t worry; after maybe 5 or 10 minutes it will get through.

Next steps will be to ensure everything is working, get a new dashboard for PCI and ISO2700[12] compliance, integrate the SEM part (without signing) into the public server, put the new policy interface in place and double-check the distributed architecture scripts. After that, release the final version, throw a party and take a couple of weeks off ;-)

I hope you enjoy this beta.

DK


A small victory against abusive copyright holder practices

April 20th, 2009 | Posted by DK in Personal DK - (Comments Off)

I wanted to share this news entry with everybody visiting this site. This has very little to do with OSSIM or AlienVault and of course this is my own opinion, not necessarily shared by them.

A week ago I read a sad sentence convicting those who are running the Pirate Bay torrent tracking site. Now I’m pleased to see that not everybody has sold their soul to what’s “supposed to be politically correct”: Telenor, the Norwegian ISP hosting the Pirate Bay, have told the copyright lawyers to shove their demands where Long John Silver couldn’t see ‘em even with his good eye and a very long spyglass.

My sincere admiration (both to TPB admins and Telenor), I’m pre-ordering my support t-shirt right now :-)


More information here.

DK


Here comes another beta, beta #5

April 3rd, 2009 | Posted by DK in Installer - (Comments Off)

Just uploaded a new AlienVault OSSIM installer beta, Beta 5. As always, thanks a ton to everybody helping out with testing. Besides Anton, Greg, Kristian and Stephan there are many others helping, both on the forums and anonymously (found some old friends’ domain names in the Apache log for update checks; greets to Turkiye and France ;-))

As to the actual release:

JasperServer got updated to 3.5 (Gantt charts, finally), many bugs have been fixed, some new directives, new Snort packages, new misc tools and much more. Sensor and server profiles have been updated too, as well as the monit scripts and the database.

I expect three more betas, which would mean around three more testing weeks. There are some key features that still need some thorough testing:

- Distributed deployment.

- Jasper tuning and sample reports.

- New policy interface (beta6).

There are two factors which we can’t control but which would make this release perfect:

- Lenny OpenVAS packages.

- MySQL 5.1 making it into lenny stable.

I’ve already done some testing with partitions in the new mysql and the results are astonishing. Arcsight here we come :P

If you want, bug Norbert Tretkowski and the guys at OpenVAS to hurry up. (Just kidding, they’re all doing a great job :-))

Just a last notice: next week there will be a slowdown on updates/fixes; it’s holidays around here and I’m taking a couple of days off with my lovely girlfriend. We’ll be heading to the beach, so while she enjoys the sun I’ll be able to code towards this next release :D.

DK


How to make good friends

March 27th, 2009 | Posted by DK in Rants - (Comments Off)

I just wanted to share a quick mail we’ve received tonight at AlienVault. I’m hiding the user’s identity until he grants me permission to disclose it, which I doubt he’ll do btw.

The mail read as follows:

Subject: Port scan from you guys to my server from 207.158.15.208. Cease and desist.

I installed your ossim product and now you are port scanning my servers?

You are scanning [insert FQDN here] servers right now and I am picking
it up on my IDS coming from 207.158.15.208.

Can you explain why you would be doing this?

You had better have a good explanation or I guarantee your company
will be written up in all the security publications I write in and I
will recommend that nobody ever use your product.

Amazing, ain’t it? No previous contact, no double-checking, nothing; just going ahead, threatening, menacing and being bold.

Well, here goes the answer. As said, this is my very own opinion and the company (Alienvault) has nothing to do with it.



Just for the record: before replying I logged into the above host, checked for unauthorized access, ran several tcpdumps and checked the logs on his domain. Clean. Oh, and I’m going to call the user “Hugo” after a big-mouthed president with the same name.

Hello Hugo,

have you ever heard about kindness going a long way? Well, it usually works.

If you had kindly requested information about this, either on the
forums (where hundreds of happy users would've been eager to answer
you), on the irc, even on this contact address, I'd have answered with
a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an
automatic, free, nessus plugin feed which gets checked on a daily
basis. Due to the huge amount of users we've got we noticed rsync
starting to duplicate itself, launching multiple instances which in
turn get denied, provoking some sort of false positives". I even
would've offered you help on sorting it out if that weren't the cause,
which I'm pretty sure is.

But... here you come, threatening, menacing with bad manners. So the answer is.

Hugo, I encourage you to post the above mail to all the security
publications you write in. I'm sure your mail has the possibility to
become one of those long lasting laughers which will be used as
openings in security conferences all over the world for the next few
years.
Not enough with this, I offer you to also publish it on the ossim
forums. I for sure will post it on my blog (no worries, unless you
grant me permission to do so I'll hide your name and mail) for other
fellow users to comment on it.

And, on top, I offer you a free refund for OSSIM. Oh, wait, you
haven't paid a single cent for it...

So please, just deinstall OSSIM right now, that will solve both our
problems or I guarantee your name will be written up in all the
security publications I write in and I will recommend that nobody ever
lets you use their product. I'd feel bad coding OSSIM and knowing that
you would benefit from it.

With kind regards,

Dominique Karg

PS: Any views or opinions presented in this email are solely those of
the author, that is, me and do not represent those of the company

Things like these keep opensource developers motivated. *sigh*

Update 2009/03/27: the story goes on.


Hugo was so kind and replied to my friendly mail in order to make sure I’d know he has no clue what he’s talking about:

No worries? When you download and install nessus by itself it asks you
if you want to update and it does not trigger IDS systems. A user of
your products should not have to be woken up in the middle of the
night and read a forum to figure that out. If your system has an issue
triggering IDS systems, why have you not fixed the issue or at least
put a warning up during install.
Your product was not free in this case, it cost me my time waking up
and trying to figure out why I was receiving IDS alerts. Lastly, why
would the product be receiving updates from your IP range for nessus.
Would nessus not receive updates from the nessus update servers? I
will be calling today to speak with someone in management and I will
be happy to pass your email along to them.

Anything amiss? Right… the threats weren’t clear enough, so in a separate email he just wrote me a short:

Your sarcasm will be noted when I speak with management at Alienvault today.



After that level of threats, my only obvious answer could be (and was):

Don't you think that would be a bit excessive? I could lose my job...



To which at least he didn’t answer yet (I expected something like “Mess with the best, die like the rest”).

So, just to get it clear: Hugo downloads the OSSIM 1.0.6 ISO, which comes with automatic Nessus updates, places it in a restricted / highly protected network (I assume it is, at least; what else would make you set up an IDS to send you an alarm and wake you up in the middle of the night?), grants it full access to the internet (for the rsync failures to show up as a port scan at all, port 873 would have to be allowed through the firewall), and later on threatens the site where he downloaded the original .iso?


C’mon Hugo, you should know better than that. Maybe it’s me who should talk to your management. What you’ve done shows you’ve got no clue about security, best practices or infosec at all. I wouldn’t let you manage my iPod shuffle out of fear you could expose it.


Furthermore, even after being pointed at your mistake in the first response, you had the chance to apologize, but no, you answered with more threats. Threatening to talk to AlienVault management shows your lack of checking on sources, which in turn not only nullifies you as a security professional but also should make everyone doubt 90% of the statements you make about what you know, what you think, what you recommend.

I hope this is the end of the story…

DK

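The whole argument above turns on one triage question that the IDS alert apparently never got: is the traffic a real port scan (one source touching many destination ports) or one service being retried over and over (here, the rsync plugin feed on TCP/873 failing and relaunching)? The script below is an added example, not code from the original post, from OSSIM or from AlienVault; it assumes iptables-style LOG lines (the sample records, addresses and timestamps are constructed for the example) and the thresholds are arbitrary, but the distinction it makes is the one a practitioner should check before escalating.

```python
import re
from collections import defaultdict

# Constructed sample firewall log in iptables LOG style. Addresses, times
# and counts are made up for this example.
SAMPLE_LOG = """\
Mar 27 02:11:03 fw kernel: IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=873
Mar 27 02:11:04 fw kernel: IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=40212 DPT=873
Mar 27 02:11:06 fw kernel: IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=40213 DPT=873
Mar 27 02:11:09 fw kernel: IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=40214 DPT=873
Mar 27 02:11:15 fw kernel: IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=40215 DPT=873
Mar 27 02:15:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=21
Mar 27 02:15:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=22
Mar 27 02:15:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=23
Mar 27 02:15:01 fw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=25
Mar 27 02:15:01 fw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=80
Mar 27 02:15:01 fw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=443
Mar 27 02:15:02 fw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=3306
"""

# Fields we need from an iptables LOG line; anything else on the line is ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Ports a box doing scheduled feed/plugin updates legitimately talks to.
# 873 is rsync, which is what the post says the Nessus plugin feed used.
KNOWN_SERVICES = {873: "rsync (plugin feed sync)", 80: "http", 443: "https"}


def parse(log_text):
    """Yield (src, dst, dport) for every line that matches the LOG format."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def triage(log_text, scan_threshold=5, retry_threshold=3):
    """Classify each source address seen in the log.

    'portscan': the source touched >= scan_threshold distinct destination ports
    'retry'   : the source hit one single port >= retry_threshold times
    'other'   : too few events to say anything
    Thresholds are arbitrary example values, not tuned defaults.
    """
    ports = defaultdict(set)   # src -> set of destination ports
    hits = defaultdict(int)    # src -> total events
    for src, _dst, dport in parse(log_text):
        ports[src].add(dport)
        hits[src] += 1

    verdicts = {}
    for src, distinct in ports.items():
        if len(distinct) >= scan_threshold:
            verdicts[src] = ("portscan", sorted(distinct))
        elif len(distinct) == 1 and hits[src] >= retry_threshold:
            port = next(iter(distinct))
            verdicts[src] = ("retry", KNOWN_SERVICES.get(port, f"tcp/{port}"))
        else:
            verdicts[src] = ("other", sorted(distinct))
    return verdicts


if __name__ == "__main__":
    for src, (kind, detail) in triage(SAMPLE_LOG).items():
        print(f"{src}: {kind} {detail}")
```

On the constructed input the first source comes back as a retry against rsync and the second as a port scan across seven ports; it is the distinct-port count per source, not the raw number of packets, that separates the two, which is exactly the check a one-line IDS alert does not do for you.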