February 20, 2010 | Dominique Karg

OSSIM 2.2 is out!

A quick Saturday update. We just released OSSIM 2.2 with a ton of new features, have a look here. New screenshots and videos are up on AlienVault too. This release is quite complex, featuring a whole lot of new features as well as a rewrite of old ones. Please don’t hesitate to post on the forums if you’ve got…

February 12, 2010 | Dominique Karg

OSSIM at RSA '10. More news

Wow, almost March and this is my first post this year; I need to take a bit more care about this. Lots of things are happening around OSSIM, AlienVault and myself these months. First, we finished a big funding round early this year which will finally enable us to consolidate OSSIM as a leader in the SIEM space (at least that’s the…


December 29, 2009 | Jaime Blasco

Exploring Windows Object ACLs

In the last post, we talked about mutex objects and how to enumerate them. Today we’ll learn how to check mutex access lists from WinDBG as well as from user mode, extending the EnumerateMutex example http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutex.cs. Let’s see an example using WinDBG. First, query the “BaseNamedObjects” directory…

December 28, 2009 | Jaime Blasco

Malware: Exploring mutex objects

A mutex, also called a lock, is a program object commonly used to avoid simultaneous access to a resource, such as a variable. It’s used in concurrent programming to allow multiple program threads to share the same resource. Mutexes are usually used by malware creators to avoid the infection of a system by different instances of the same malware. …

December 24, 2009 | Jaime Blasco

Windows Kernel Objects

The Windows kernel offers different resources to developers: Process, Socket, Thread, Mutex… A kernel object is a memory block whose structure has different members containing information about the object. There are common members across all object types (like the security descriptor), but each object type has its own specific members (like the ID of a Process object). Let’s begin playing with…

December 21, 2009 | Jaime Blasco

Exploits: Analyzing a malicious PDF Document

In this post, I will explain a real case example of how to manually analyze a malicious PDF document. Some days ago I collected a malicious PDF file. Usually, Wepawet does an excellent job and automatically analyzes the malicious file for you. In this case, Wepawet said “No exploits were identified.” so probably the malicious PDF…

October 29, 2009 | Jaime Blasco

Ossim: Using Cisco SDEE Protocol to collect security events

We added support for collecting events via the Security Device Event Exchange (SDEE) protocol, which lets us capture events from: Cisco Network Prevention Systems (IPS), Cisco Network Detection Systems (IPS), Cisco Switch IDS, Cisco IOS routers with Inline Intrusion Prevention System (IPS) functions, Cisco IDS modules for routers, Cisco PIX Firewalls, Cisco Catalyst 6500 Series firewall services modules (FWSMs), Cisco Management Center…

September 12, 2009 | Jaime Blasco

LUHN checksum algorithm Lua implementation

I have written a Lua function that implements the LUHN checksum algorithm (requires bitlib); this algorithm checks that a sequence of digits is a valid credit card number. Here is the code: local bit = require("bit") local band, bor, bxor = bit.band, bit.bor, bit.bxor function checksum(card) num = 0 nDigits = card:len() odd = band(nDigits, 1) for count = 0,nDigits-1 do …

September 1, 2009 | Jaime Blasco

0-day in Microsoft IIS 5/6 FTP

A 0-day exploit in Microsoft IIS 5/6 FTP was recently published on Milw0rm while HD Moore is porting the bug to Metasploit. AlienVault’s feed customers are protected with the directive released today: 45046: AV Possible 0day IIS FTP Exploit against DST_IP http://isc.sans.org/diary.html?storyid=7039 UPDATE: We already had coverage with two directives present on AlienVault Professional…

August 23, 2009 | Dominique Karg

AlienVault/OSSIM Job Opening: Documentation Writer required.

Hello all, we’re looking for somebody to assist us in the elaboration of documentation around OSSIM, its components and Open Source Security in general. We require strong written English skills as well as experience with OSSIM. We are willing to pay on a per-work basis up to 3000 or 4000 a month, with an option to get…

July 14, 2009 | Jaime Blasco

Infocon raised to yellow for Excel ActiveX vulnerability

Microsoft has released an advisory related to the Office Web Components ActiveX control. The ISC has raised the Infocon to yellow due to active exploitation of the vulnerability from several .cn domains. AlienVault’s feed customers are protected and covered with these directives: 45050: AV Possible Malicious Server exploiting Excel ActiveX Client against DST_IP (CVE-2009-1136) 45051: AV Possible Excel ActiveX Client…

July 7, 2009 | Jaime Blasco

Ossim: 0-day in Microsoft DirectShow

A 0-day exploit in the Microsoft Video ActiveX Control is being exploited by malicious sites. Many people are covering this vulnerability and it seems that it will be widely deployed. AlienVault’s feed customers are protected and covered with these directives: 45046: AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890) 45047: AV Possible Malicious Server exploiting MSVidCt against DST_IP (KB-972890) 45048: AV…
