AlienVault R&D Labs Portal. Get the latest news from our research.

Can OSSIM be considered a SIEM? Is it enterprise ready?

June 20th, 2009 | Posted by DK in Personal DK - (Comments Off)

The story goes as follows. A couple of years ago Dr. Anton Chuvakin (for those who might not know him, a well-renowned security professional and speaker) made a prediction for 2006: that a credible open-source SIM would not arrive.




A year later he said this goal hadn’t been reached (as predicted). I remember being quite pissed off and upset at the time, but his point was right. Development had been slow, we didn’t have resources and everything was a bit stalled. But that has changed: AlienVault is about two years old now, we have made a huge step forward and I think OSSIM is nowadays both S/MB and Enterprise ready. (And sadly our resources are still very limited compared to those which ArcSight, Symantec or others might have.)

Yesterday I followed a couple of quick Twitter exchanges, of which I’d like to quote the most significant ones:

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

  1. OSSIM is not a SIEM.
  2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise.

Well. Guess I’ll have to prove them wrong ;-). And on top I’m not pissed off, so I guess I’m growing up :-)).

So what do I need? I myself have received news/feedback about pretty big OSSIM installations and have had my hands on another bunch of them, ranging from 100-person real estate companies to >40000-PC government environments with distributed deployments and thousands of events per second (this last one using the COSS version, of course). But the point, as mentioned by Anton, is that these are deployments we have our hands in; the testimonial has to come from someone who’s got a deployment running that is not managed by us. Both S/MB and large enterprise deployments are valid, since there are two points to prove. I’d really like to hear from a large company which is supposedly using Splunk+OSSIM; I can’t say the name, but that would be a good example :-).

So, if any of you reading this is in that situation please let Mr. Chuvakin and Mr. Hay know about it so they hopefully can change their minds on the subject. There’s contact information on their respective homepages. Otherwise I’ll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, “there’s no spoon”).

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday. Thanks everybody for attending and apologies for the, well, mishaps. I got quite nervous; the next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

DK

Mr Wolf Wannabe.

More Posts - Website

A small victory against abusive copyright holder practices

April 20th, 2009 | Posted by DK in Personal DK - (Comments Off)

I wanted to share this news entry with everybody visiting this site. This has very little to do with OSSIM or AlienVault and of course this is my own opinion, not necessarily shared by them.

A week ago I read about a sad verdict convicting those who run the Pirate Bay torrent tracking site. Now I’m pleased to see that not everybody has sold their soul to what’s “supposed to be politically correct”: Telenor, the Norwegian ISP hosting The Pirate Bay, has told the copyright lawyers to shove their demands where Long John Silver couldn’t see ‘em even with his good eye and a very long spyglass.

My sincere admiration (both to TPB admins and Telenor), I’m pre-ordering my support t-shirt right now :-)


More information here.

DK

Mr Wolf Wannabe.


How to make good friends

March 27th, 2009 | Posted by DK in Rants - (Comments Off)

I just wanted to share a quick mail we’ve received tonight at AlienVault. I’m hiding the user’s identity until he grants me permission to disclose it, which I doubt he’ll do btw.

The mail read as follows:

Subject: Port scan from you guys to my server from 207.158.15.208. Cease and desist.

I installed your ossim product and now you are port scanning my servers?

You are scanning [insert FQDN here] servers right now and I am picking
it up on my IDS coming from 207.158.15.208.

Can you explain why you would be doing this?

You had better have a good explanation or I guarantee your company
will be written up in all the security publications I write in and I
will recommend that nobody ever use your product.

Amazing, ain’t it? No previous contact, no double checking, nothing, just going ahead, threatening, menacing and being bold.

Well, here goes the answer. As I said, this is my very own opinion and the company (AlienVault) has nothing to do with it.



Just for the record, before replying I logged into the above host, checked for unauthorized access, ran several tcpdumps and checked logs for his domain. Clean. Oh, and I’m going to call the user “Hugo” after a big-mouthed president with the same name.

Hello Hugo,

have you ever heard about kindness going a long way? Well, it usually works.

If you had kindly requested information about this, either on the
forums (where hundreds of happy users would've been eager to answer
you), on the irc, even on this contact address, I'd have answered with
a nice: "Hey Hugo, no worries, the 1.0.6 iso comes with an
automatic, free, nessus plugin feed which gets checked on a daily
basis. Due to the huge amount of users we've got we noticed rsync
starting to duplicate itself, launching multiple instances which in
turn get denied, provoking some sort of false positives". I even
would've offered you help on sorting it out if that weren't the cause,
which I'm pretty sure is.

But... here you come, threatening, menacing with bad manners. So the answer is.

Hugo, I encourage you to post the above mail to all the security
publications you write in. I'm sure your mail has the possibility to
become one of those long lasting laughers which will be used as
openings in security conferences all over the world for the next few
years.
Not enough with this, I offer you to also publish it on the ossim
forums. I for sure will post it on my blog (no worries, unless you
grant me permission to do so I'll hide your name and mail) for other
fellow users to comment on it.

 And, on top, I offer you a free refund for OSSIM. Oh, wait, you
haven't paid a single cent for it...

So please, just deinstall OSSIM right now, that will solve both our
problems or I guarantee your name will be written up in all the
security publications I write in and I will recommend that nobody ever
lets you use their product. I'd feel bad coding OSSIM and knowing that
you would benefit from it.

With kind regards,

Dominique Karg

PS: Any views or opinions presented in this email are solely those of
the author, that is, me and do not represent those of the company

Things like these keep opensource developers motivated. *sigh*

Update 2009/03/27: the story goes on.


Hugo was so kind and replied to my friendly mail in order to make sure I’d know he has no clue what he’s talking about:

No worries? When you download and install nessus by itself it asks you
if you want to update and it does not trigger IDS systems. A user of
your products should not have to be woken up in the middle of the
night and read a forum to figure that out. If your system has an issue
triggering IDS systems, why have you not fixed the issue or at least
put a warning up during install.
Your product was not free in this case, it cost me my time waking up
and trying to figure out why I was receiving IDS alerts. Lastly, why
would the product be receiving updates from your IP range for nessus.
Would nessus not receive updates from the nessus update servers? I
will be calling today to speak with someone in management and I will
be happy to pass your email along to them.

Anything amiss? Right… the threats weren’t clear enough, so in a separate email he just wrote me a short:

Your sarcasm will be noted when I speak with management at Alienvault today.



After that level of threats, my only obvious answer could be (and was):

Don't you think that would be a bit excessive? I could lose my job...



To which at least he didn’t answer yet (I expected something like “Mess with the best, die like the rest”).

So, just to get it clear. Hugo downloads the OSSIM 1.0.6 ISO, which comes with automatic Nessus updates, places it into a restricted / highly protected network (I assume it is at least; what else would make you set up an IDS to send you an alarm and wake you up in the middle of the night), grants it full access to the internet (in order for rsync failures to trigger a port-scan alert, outbound port 873 would have to be allowed in a firewall) and later on threatens the site where he downloaded the original .iso?
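The triage Hugo skipped can be done in a few lines. This is an added example, not code from the original post or from OSSIM: it reads constructed firewall/IDS connection-log lines (the log format, the hostnames and the IP addresses are all made up for this example) and distinguishes a retry storm, where one source keeps hitting a single destination port such as the rsync feed port 873 described above, from a genuine multi-port sweep. The threshold and the set of known updater ports are assumptions chosen for the example.

```python
# Added example (not from the original post or OSSIM): classify per-source
# connection patterns from constructed firewall/IDS log lines so that a
# single-port retry storm (e.g. a duplicated rsync updater on TCP 873) is not
# mistaken for a port scan. Log format and sample lines are constructed.
import re
from collections import defaultdict

# Constructed sample log: 10.0.5.20 retries one port on one host (rsync feed),
# 10.0.5.99 touches many ports on one host (scan-like), 10.0.5.42 connects once.
# The "junk" line shows that malformed entries are skipped, not crashed on.
SAMPLE_LOG = """\
2009-03-26T02:13:01 DENY TCP 10.0.5.20:40211 -> 203.0.113.7:873
2009-03-26T02:13:01 DENY TCP 10.0.5.20:40212 -> 203.0.113.7:873
junk line that does not match the expected format
2009-03-26T02:14:03 DENY TCP 10.0.5.20:40213 -> 203.0.113.7:873
2009-03-26T02:20:10 DENY TCP 10.0.5.99:51000 -> 203.0.113.7:21
2009-03-26T02:20:10 DENY TCP 10.0.5.99:51001 -> 203.0.113.7:22
2009-03-26T02:20:10 DENY TCP 10.0.5.99:51002 -> 203.0.113.7:23
2009-03-26T02:20:11 DENY TCP 10.0.5.99:51003 -> 203.0.113.7:25
2009-03-26T02:20:11 DENY TCP 10.0.5.99:51004 -> 203.0.113.7:80
2009-03-26T02:31:00 DENY TCP 10.0.5.42:43000 -> 203.0.113.8:443
"""

# Assumed log layout: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports an automatic updater is expected to use (assumption: rsync on 873).
KNOWN_UPDATER_PORTS = {873}


def parse(log_text):
    """Yield a dict per well-formed line; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def classify(log_text, scan_port_threshold=5):
    """Return {src_ip: verdict}.

    'port-scan'            : source touched >= scan_port_threshold distinct ports
    'updater-retry-storm'  : repeated hits on one (dst, port) with a known updater port
    'retry-storm'          : repeated hits on one (dst, port) that is not a known updater port
    'inconclusive'         : anything else (too little data to decide)
    """
    targets = defaultdict(set)   # src -> {(dst, dport), ...}
    hits = defaultdict(int)      # src -> number of log lines
    for ev in parse(log_text):
        targets[ev["src"]].add((ev["dst"], ev["dport"]))
        hits[ev["src"]] += 1

    verdicts = {}
    for src, pairs in targets.items():
        distinct_ports = {port for _, port in pairs}
        if len(distinct_ports) >= scan_port_threshold:
            verdicts[src] = "port-scan"
        elif len(pairs) == 1 and hits[src] > 1:
            (_, port), = pairs
            verdicts[src] = ("updater-retry-storm" if port in KNOWN_UPDATER_PORTS
                             else "retry-storm")
        else:
            verdicts[src] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:12s} {verdict}")
```

The point of the two retry verdicts is that a stream of identical denies to one port on one host is evidence of a misbehaving client, not of reconnaissance; checking which process on the source host owns those connections is the next step before anybody sends a cease-and-desist.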


C’mon Hugo, you should know better than that. Maybe it’s me who should talk to your management. What you’ve done shows you’ve got no clue about security, best practices or infosec at all. I wouldn’t let you manage my iPod shuffle out of fear you could expose it.


Furthermore, even after being pointed at your mistake in the first response, you had the chance to apologize, but no, you answered with more threats. Threatening to talk to AlienVault management shows your lack of source checking, which in turn not only nullifies you as a security professional but also should make everyone doubt 90% of the statements you make about what you know, what you think, and what you recommend.

I hope this is the end of the story…

DK

Mr Wolf Wannabe.


OSSEC 2.0 going public…

February 27th, 2009 | Posted by DK in Friends - (Comments Off)

Cheering at Daniel & co. for their ossec 2.0 release.

I’m actually very excited about this new release (agentless monitoring being my favourite) and the moment is perfect: I’ll put this into the installer beta right away and make it available alongside OSSIM asap.

Congratulations :-)

DK

Mr Wolf Wannabe.


Zattoo… Scam?

August 22nd, 2008 | Posted by DK in Rants - (Comments Off)

#tags zattoo,tv,scam

After having used their service for quite some time I received the announcement that they wanted to start charging users a small fee. I’m talking about Zattoo. Quoting their site:

Zattoo is real TV on your PC – and it’s absolutely free. It’s the football game as you chat, the news as you email, and your favorite soap as you pay your bills. Zattoo is also TV when you don’t have a TV – it’s the channels you want, when you want, where you want.

Well, obviously not completely free anymore, but that doesn’t matter. I don’t know how well known / widely used this service is outside of Europe, but I’ve got many friends here who actually used it.

Fact is, I wanted to watch a soccer match last evening on my computer, in order to let my GF watch her stuff on the big screen. I decided to pay the 2.40 euro (as can be seen here) by sending two SMS messages with ZAT to 7766. After two hours I still didn’t have my code (so bye bye match), and after 24 hours and two mails, one through the support form and one to the info email address, I’m still waiting for an answer/activation code.

2.40 ain’t that much money, but things like these are very annoying. Until I get an answer from them I consider this new “pay-per-view” service a true SCAM, con, swindle, grift, gaffle, bunko, flim flam, stratagem, or scheme (Wikipedia ;-) ), since after using the service for a couple of months and gaining confidence in the people at Zattoo I’ve paid for a service I haven’t received yet, and there’s no info about complaints, payment confirmation, receipts, etc etc…

Update 2008/08/18 – First contact from Zattoo, quite disappointing

Got a mail last night from them:

Hi,

Thanks for contacting Zattoo. If you have not received the activation code, you will have to contact Allopass (http://www.es.allopass.com/contact_accueil.php4). They send the codes, not Zattoo.

Yours kindly,

Zattoo Spain

So I know how this story will be evolving. Have you read The Twelve Tasks of Asterix? I always feel like I’m in the 8th task when something doesn’t work out 100% with obscure/big companies or government:

Quoting:

Find Permit 838 in “The Place That Sends You Mad”. A mind-numbing multi-storey building founded on bureaucracy and staffed by clinically unhelpful people who direct all their clients to other similarly unhelpful people elsewhere in the building. Asterix eventually beats them at their own game by asking for an imaginary permit that nobody knows about, sending the place into disarray. Eventually Asterix is given Permit 838 just to make him leave and stop causing trouble.

So next task: write to the friendly people at the other company. I feel like this will take a long long time…

My mail to the new company, I wonder how long it will take them to answer:

To whom it may concern,

On Wednesday 2008/08/13 at 19:10 I sent two SMS messages to the number “7766” with the codeword “ZAT” in it.

I was supposed to receive an activation code for Zattoo which never arrived. Yesterday evening I finally got an answer from Zattoo where they state that they don’t have anything to do with payments and that I should refer to you.

So this is my mail / complaint: I paid for the service five days ago and still haven’t received any answer/feedback or even the product.

The phone number I sent the SMS messages from (2x) is 627xxxxxx.

Thanks in advance for your attention in this matter.

DK

Mr Wolf Wannabe.
