Having written the whole thing, a short version for those with little time seems in order.
We released OSSIM 0.9.9 this week, a release which was followed by a post to BugTraq
(http://www.securityfocus.com/archive/1/488450/30/0/threaded [no longer available]) regarding some XSS and SQL injection vulnerabilities in OSSIM.
Having fixed those vulnerabilities, we are now releasing:
- OSSIM Installer 1.0.4 (the recommended installation method)
- OSSIM Updater 1.0.4 (the recommended updating method for those running versions 1.0 - 1.0.3)
- OSSIM 0.9.9-3 Debian packages.
- OSSIM 0.9.9p1 for those who need source code.
All OSSIM users are encouraged to upgrade.
And here goes the extended version:
We’re proud to announce the immediate availability of the 1.0.4 OSSIM Installer, coming both as a standalone ISO image and as an updater. In order to differentiate it from other similar efforts, and to reflect the significant work we’re putting into making OSSIM more user-friendly, we’re branding it the “AlienVault OSSIM Installer” from now on.
About a year ago the creators of OSSIM started a company dedicated to offering professional services around OSSIM, while keeping the development of the open source project of the same name moving. In the beginning we called the company OSSIM as well, but we soon realized that this was generating some confusion between the part that is (and will remain) open source and the services being developed around it (such as courses, tuned appliances, consulting and support), which are helping us to further improve it and are turning OSSIM into a real alternative to similar commercial products.
Therefore we rebranded the commercial part into “AlienVault”, a name that was available, sounded good and represented both innovation and security in a single word.
Back to release related stuff now.
This is a very important release for several reasons:
- Our first updater release
- Security fixes (XSS, SQL Injection)
- Many new features / improvements
The installer is pretty straightforward; the main differences in the installation process itself (compared to 1.0.3) are better hardware compatibility, a bunch of Debian security fixes (including the recent kernel vulnerability) and a custom partition scheme.
The updater should run pretty smoothly on 1.0 through 1.0.3 installations. After downloading and executing the script, the default values for the “auto” method are quite safe. You’ll be asked some Debian-specific questions regarding config file updates; answer no (the default) to all of them if unsure, since we’ll take care of those updates later on.
After having installed this first updater version (or the 1.0.4 ISO) you’ll be able to check for new updates by running the /home/ossim/dist/ossim-update.pl script. We intend to include a “check for updates” feature in the next release.
Last but not least, regarding the security fixes: we always appreciate being told about things we’ve done wrong, but we would appreciate being contacted directly (cheers to Dave, who can be found at subverted.org and who notified us of some of these issues some time ago) rather than reading about our mistakes somewhere else. Feel free to contact us at email@example.com regarding similar issues.
And should you have any other issue with the updater, installer or anything related to OSSIM, please check out the sourceforge.net forums and mailing lists, or contact us directly at firstname.lastname@example.org.
Here is a more detailed list of the most important changes:
- Included OSSEC (http://www.ossec.net/)
- Included Munin for sensor monitoring (http://munin.projects.linpro.no/)
- Included FProbe for high traffic environments (http://fprobe.sourceforge.net/)
- OSSIM core upgrade
- Included and updated bleeding snort rules
- Intrushield plugin
- Symantec plugin
- Tarantella plugin
- Ntop connections are now rewritten through the server, so there is no need to open port 3000 to them anymore.
- Partitioning switched to manual on installation
- Database optimization code included
- Added some database indexes for query speedup
- Updater support
- Experimental agent event consolidation
- Agent event statistics
- Updated ISS Realsecure/Proventia plugin
- Updated FW1 plugin
- Updated IIS plugin
- Updated Squid plugin
- Database types optimized
- Updated pam_unix rules
- Updated ssh rules
- Updated cross correlation information
- OCS will now inventory the OSSIM hosts as well
- Localization now working
- Fixed some server issues
- Fixed a login page XSS
- Restricted input validation which was too lax
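The release notes list three security fixes (SQL injection, a login page XSS, and input validation that was too lax) without describing them. The example below is added here to illustrate what those three fix categories look like in code; it is not OSSIM's own code and says nothing about how the OSSIM login page was actually implemented. It uses Python with an in-memory SQLite table because that runs anywhere; the table, the `users`/`login`/`pass` column names and the `valid_login` character set are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample table for the example (not OSSIM's schema). Credentials are
# stored in clear only to keep the example short; real systems store password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    conn.commit()
    return conn


# 1. SQL injection: weak pattern. Untrusted input is spliced into the query text,
#    so a quote in the login name changes the structure of the statement.
def login_concat(conn, user, pw):
    query = f"SELECT count(*) FROM users WHERE login = '{user}' AND pass = '{pw}'"
    return conn.execute(query).fetchone()[0] > 0


# 1. SQL injection: fixed pattern. Bound parameters are passed to the database
#    engine separately from the statement, so input is only ever treated as data.
def login_param(conn, user, pw):
    query = "SELECT count(*) FROM users WHERE login = ? AND pass = ?"
    return conn.execute(query, (user, pw)).fetchone()[0] > 0


# 2. Reflected XSS: weak pattern. The submitted login name is echoed back into
#    the HTML response unchanged, so markup in it is rendered by the browser.
def render_error_unescaped(user):
    return f"<p>Login failed for {user}</p>"


# 2. Reflected XSS: fixed pattern. HTML-encode anything reflected into the page;
#    quote=True also covers the attribute-value context.
def render_error_escaped(user):
    return f"<p>Login failed for {html.escape(user, quote=True)}</p>"


# 3. Input validation: an allow-list for the login field (assumed character set),
#    checked before the value reaches the database or the template. This is a
#    second layer, not a replacement for the two fixes above.
LOGIN_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_login(user):
    return LOGIN_RE.fullmatch(user) is not None


def check_login(conn, user, pw):
    """Hardened flow: validate, then query with parameters, then escape output."""
    if not valid_login(user):
        return False, render_error_escaped(user)
    if login_param(conn, user, pw):
        return True, "<p>Welcome</p>"
    return False, render_error_escaped(user)


if __name__ == "__main__":
    db = make_db()
    tainted = "admin' OR '1'='1"   # constructed test input
    print("concat  :", login_concat(db, tainted, "x"))   # True: query logic was altered
    print("param   :", login_param(db, tainted, "x"))    # False: treated as a literal login
    print("escaped :", render_error_escaped("<b>x</b>"))
    print("flow    :", check_login(db, tainted, "x"))
```

Running the block side by side shows why the two fixes are independent: the parameterized query alone stops the login bypass, the output encoding alone stops the reflected markup, and the allow-list rejects both inputs before they reach either layer.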