
Patch release 4.1.3

juanmals Alien Overseer
edited February 2013 in Product

AlienVault Open Source SIEM 4.1.3 + AlienVault USM Products 4.1.3

-----------------------------------------------------------------------------------


- Suricata updated to version 1.4.4; fixes a problem with Suricata crashing in high-load environments

- Fixed an issue in some rules in the fortunate plugin where the date in the event was not being captured

- Fixed an issue in the alarm stats where the correct GeoIP information was not being assigned to some IP addresses

- Fixed an issue that prevented showing certain WIDS events in the WIDS UI

- Do not overwrite the device field in the agent when building the normalized event

- Fixed an issue when using multiple search criteria in the Advanced Search in the SIEM Events UI

- Updated method to refresh the information in the system entered through the Assets -> Hosts page

- New method in the Frameworkd to run queries against the SQL DB, huge performance improvement

- Increased error verbosity in the Advanced search in the SIEM Events UI

- Allow modifying the alarm group status when the alarm is still being correlated

- Enhanced usability in the Advanced Search in the SIEM console

- Remove dynamically non-allowed characters in the description and action fields (Policy actions)

- Fixed a permission issue when displaying alarms for users with only one net or one host associated

- Fixed wrong link in Dashboard in 'Last SIEM vs Logger Events' chart

- Fixed an issue when displaying the port groups in the policy form (Thanks Gibbo for reporting)

- Fixed an issue with the OCS automatic inventory not updating the inventory

- Increased error verbosity in the Vulnerability Scan interface

- Deleted deprecated script plugin_wizard.pl

- Updated text messages in several sections in the UI

- Fixed an issue with a search criteria not being applied when using the ports summary views in the SIEM console

- Removed deprecated option (Refresh dashboard)

- Removed deprecated option (Show welcome screen at next login)

- Removed deprecated options (SIEM DB configuration related)

- New validation method when entering a new ossec agent in the HIDS console

- Deleted deprecated permission templates

- New method to delete alarms and alarm groups as a background task

- Fixed a small issue when ordering policies (Thanks dmscuffham for reporting) 

- Improve error handling when importing assets in CSV format

- Allow non-admin users to configure a vuln scan using credentials

- Fixed several typos

- Display grouped alarms generated by correlation directives that are no longer enabled

- Allow adding more than 1024 ossec agents using the UI

- Added missing plugin_sid in the DB

- Display the proper hostname in the HIDS if available

- Fixed a problem displaying migrated policy rules in some environments 

- Do not overwrite user data fields when some mandatory fields cannot be normalised when building the event

- Updated allowed characters in multiple forms

- Fixed a visualisation issue when the character "|" was being displayed in the trees (e.g. inventory tree)

- Some information contained in the directives was not being displayed properly in the UI

- Fixed an issue when parsing Snort output (Big thanks to Nabil Naim for reporting and helping us fix this)

- Minor visualisation changes in the directive editor to ensure that all information is displayed properly 

- Clean host_software table when deleting a host

- Fixed an issue when displaying the RSS Dashboard module using a proxy

- Fixed several issues when using LDAP authentication (Download and send pdf reports, scheduler report, and last login date not updated)

- Added Restart Server button in correlation -> Directives

- Store the interface in which the event was generated, if any

- Fixed custom tickets datetime field validation

- Keep checkbox selection criteria when using the alarms and alarm groups panels

- Fix html characters encoding in event detail

- Improved performance when displaying hundreds of agents in the HIDS console

- Updated filter for the opened ticket data in the status bar (Consider other statuses as closed statuses)

- Refresh status bar when creating, closing or deleting a ticket

- Fix a small issue when filtering certain events in the Real Time Event viewer


AlienVault Unified SIEM 4.1.3 only

-----------------------------------------------------------------------------------


- Fixed an issue when replicating certain server information in multi hierarchy environments (AV-center)

- Fixed a segmentation fault in the Indexer process

- Fixed a problem in the Watchdog when multiple plugin files are using the same plugin_id but monitor different processes

- Fixed a couple of visualisation issues in the Reporting modules

- Fixed an issue exporting logger data when using extremely complex filters

- Do not allow the user to delete the default context

- Small memory leak fixed in the Indexer process

- Fixed a problem with the agent truncating its log file when restarting

- Fixed a small issue when using text= in the logger search criteria 

- Accept ANY as a taxonomy product in correlation directives


Comments

  • Mike Abducted By Aliens
    Hello,

    Thanks for the update looking forward to seeing the increased performance :)

    quick question:

    - Clean host_software table when deleting a host
    Does this need to be performed manually after the update, or is this handled automatically for hosts deleted pre-update?


  • Mike Abducted By Aliens
    We successfully updated all our machines.

    It seems that the security events tab with filtering is a bit faster :)

    Although it seems that after the update the IDS setting changed to Suricata. How can we revert this to Snort?

    I double posted because it seems I couldn't edit my previous post.


  • paul_psmith Alien Embassador
    I can't get Suricata to install on my main OSSIM server. It seemed to update a sensor. Here is the error when trying to run apt-get install suricata:

    ossim-server# apt-get install suricata
    Running /usr/bin/apt-get install suricata
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be upgraded:
      suricata
    1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0 B/762 kB of archives.
    After this operation, 324 kB of additional disk space will be used.
    WARNING: The following packages cannot be authenticated!
      suricata
    Install these packages without verification [y/N]? y
    (Reading database ... 50643 files and directories currently installed.)
    Preparing to replace suricata 1.3.4-2 (using .../suricata_1.4-4_amd64.deb) ...
    Stopping suricata: /etc/init.d/suricata: line 104: kill: (16562) - No such process
    invoke-rc.d: initscript suricata, action "stop" failed.
    dpkg: warning: subprocess old pre-removal script returned error exit status 1
    dpkg - trying script from the new package instead ...
    Stopping suricata: /etc/init.d/suricata: line 104: kill: (16562) - No such process
    invoke-rc.d: initscript suricata, action "stop" failed.
    dpkg: error processing /var/cache/apt/archives/suricata_1.4-4_amd64.deb (--unpack):
     subprocess new pre-removal script returned error exit status 1
    configured to not write apport reports
                                          Errors were encountered while processing:
     /var/cache/apt/archives/suricata_1.4-4_amd64.deb
    E: Sub-process /usr/bin/dpkg returned an error code (1)


    Everything else upgraded fine when I ran alienvault-update, but suricata did not get updated, which was why I tried the install method. I have done this with framework in the past when it made the update fail.
  • paul_psmith Alien Embassador
    Got it working by starting the suricata process and then running the update. Suricata is now upgraded. Odd that it needs to actually be a running process on the server before it would update it.

    And I must say things are looking very good. I am getting a fair number of events in the logs now. Much more than the previous version of suricata and Ossim.

    Nice update so far. Thanks guys!
    Paul
  • paul_psmith Alien Embassador
    Just tried updating another sensor and it failed. This seems to happen a lot when the update fails to download packages. We are running this through a proxy server to get the updates, so I imagine something is timing out on the file downloads while the proxies scan for malware.

    Usually a second run of the update works as the packages are then in the proxy cache.

    Just an FYI...

    Thanks!
    Paul
  • paul_psmith Alien Embassador
    I noticed the update seemed to reset my user account timezone on the webgui.

    Thanks!
    Paul
  • YC555 Contactee
    Hello,

    I have updated my system to 4.1.3 and since, my custom datasource's events are not displayed in the SIEM tab nor raw logs.

    The plugin was working well prior the update and looks to be still working according to the agent's log:

    2013-02-03 12:11:22,169 Agent [INFO]: Plugin[9002] Total lines [20159] TotalEvents:[19224]  EPS: [0.0] ELAPSED [10.00547719] seconds
    2013-02-03 12:11:32,177 Agent [INFO]: Plugin[9002] Total lines [20161] TotalEvents:[19226]  EPS: [0.199848337827] ELAPSED [10.0075888634] seconds
    2013-02-03 12:11:42,180 Agent [INFO]: Plugin[9002] Total lines [20168] TotalEvents:[19231]  EPS: [0.499873336462] ELAPSED [10.0025339127] seconds
    2013-02-03 12:11:52,186 Agent [INFO]: Plugin[9002] Total lines [20168] TotalEvents:[19231]  EPS: [0.0] ELAPSED [10.0057840347] seconds

    Anyone having similar problem?

    Thanks,
    YC.
  • I have the same issue. I updated ossim to 4.1.3 today and no datasource's events are displayed in the SIEM.

    I tried alienvault-update, ossim-update and ossim-reconfig, but in "Alienvault Components > Sensors" the ossim-sensor status is down.

    Suricata doesn't start, pads segfaults on launch and nepenthes tries to start on port 80; I need to stop nepenthes to start apache2.

    The last version (4.1.0) worked well and flawlessly. Does anyone have any problems with the update?
  • Can you tell me whether you have the problems with a standard plugin or a custom plugin?
  • iamfromit Taken Aboard the Mothership

    aarias said:
    Can you tell me whether you have the problems with a standard plugin or a custom plugin?
    I have had problems with custom plugins; copies of the standard plugins but customized for my deployment, such as 1696 = cisco-asa for instance, where I needed to customize the regex and didn't want it to be overwritten on update; they don't run any more. They ran fine on 4.1.1 and 4.1.2, but 4.1.3 broke them.
  • Please check whether you have any errors in /var/log/ossim/agent.log or /var/log/ossim/server.log.
  • aarias said:
    Can you tell me whether you have the problems with a standard plugin or a custom plugin?
    The standard Fortigate plugin worked on 4.1.0, but after upgrading to 4.1.3 it doesn't work; the regular expressions changed (fortiguard and fortigate plugins).
    nepenthes worked on 4.1.0, but after the upgrade nepenthes starts "before" apache2, and then apache doesn't start anymore.
    Stopping nepenthes, starting apache2 and then starting nepenthes solves the problem.
  • thinny Contactee
    edited April 2013
    I have a distributed system (separate sensor, database, and framework/web servers). I patched my systems yesterday. Since then, I too am having problems with a custom plugin. Events are no longer displayed in the SIEM for my custom plugin, out of the box plugins work fine. Here is a sample of the errors present in /var/log/ossim/server.log: 

    2013-04-03 14:27:04 OSSIM-Message: Event 9c9c11e2-8a62-fa64-6e22-c301d91dbdd8 without date, setting local time
    2013-04-03 14:27:04 OSSIM-Message: Event 9c9c11e2-8a62-fa64-6e22-c301d91ed5ce without date, setting local time
    2013-04-03 14:27:04 OSSIM-Message: Error: event incorrect. Please check the device received: cc-cs-fw-02
    2013-04-03 14:27:04 OSSIM-Message: sim_session_read: error command null. Buffer: event type="detector" date="1365019662" device="cc-cs-fw-02" interface="any" plugin_id="1636" plugin_sid="305012" src_ip="10.47.179.53" src_port="63250" dst_ip="XX.XX.XX.XX" log="QXByICAzIDE0OjA3OjQyIGNjLWNzLWZ3LTAyICVBU0EtNi0zMDUwMTI6IFRlYXJkb3duIGR5bmFtaWMgVENQIHRyYW5zbGF0aW9uIGZyb20gUFJJVjoxMC40Ny4xNzkuNTMvNjMyNTAgdG8gUFVCOjUwLjIwMC4xNTAuMjI3LzYzMjUwIGR1cmF0aW9uIDA6MDE6NTMg" fdate="2013-04-03 20:07:42" tzone="-6.0" event_id="9c9c11e2-8a62-fa64-6e22-c301d9335c38"

    Additionally, I'm no longer seeing any entries in /var/log/ossim/agent.log concerning my custom plugin.
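As an added illustration (not code from the thread or from AlienVault), the checker below parses an agent-to-server event line in the key="value" layout of the buffer quoted in the server.log excerpt above, decodes its base64 log field, and flags the fields the server messages complain about (missing date, empty device). The required-field list and the sample event are assumptions constructed for the example, not OSSIM's actual validation or data from the thread.

```python
import base64
import re

# Key="value" pairs as they appear in the agent -> server event line.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Fields the server messages in the thread complain about ("without date",
# "check the device received"); assumed here to be required.
REQUIRED = ("type", "date", "device", "plugin_id", "plugin_sid")


def parse_event_line(line):
    """Split an 'event key="value" ...' line into a dict of its fields."""
    line = line.strip()
    if not line.startswith("event "):
        raise ValueError("not an event line")
    return dict(_PAIR_RE.findall(line[len("event "):]))


def decode_log(fields):
    """Return the raw log line carried base64-encoded in the log field."""
    return base64.b64decode(fields.get("log", "")).decode("utf-8", "replace")


def check_event(fields):
    """List defects that would make the server patch or reject the event."""
    problems = [f"missing {k}" for k in REQUIRED if not fields.get(k)]
    if fields.get("date") and not fields["date"].isdigit():
        problems.append("date is not an epoch integer")
    for k in ("plugin_id", "plugin_sid"):
        if fields.get(k) and not fields[k].isdigit():
            problems.append(f"{k} is not numeric")
    return problems


# Constructed sample modelled on the quoted buffer; the addresses, the
# event_id and the encoded log text are made up, not data from the thread.
_RAW_LOG = b"Apr  3 14:07:42 cc-cs-fw-02 %ASA-6-305012: Teardown dynamic TCP translation"
SAMPLE_EVENT = (
    'event type="detector" date="1365019662" device="cc-cs-fw-02" interface="any" '
    'plugin_id="1636" plugin_sid="305012" src_ip="10.47.179.53" src_port="63250" '
    'dst_ip="203.0.113.7" log="' + base64.b64encode(_RAW_LOG).decode() + '" '
    'fdate="2013-04-03 20:07:42" tzone="-6.0" '
    'event_id="00000000-0000-0000-0000-000000000000"'
)

if __name__ == "__main__":
    fields = parse_event_line(SAMPLE_EVENT)
    print(decode_log(fields))
    print("problems:", check_event(fields) or "none")
```

Paste a real buffer from server.log in place of SAMPLE_EVENT to see which field the custom plugin's .cfg leaves empty.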
  • iamfromit Taken Aboard the Mothership
    edited April 2013
    thinny said:
    I have a distributed system (separate sensor, database, and framework/web servers). I patched my systems yesterday. Since then, I too am having problems with a custom plugin. Events are no longer displayed in the SIEM for my custom plugin
    Can you post your plugin .cfg except for any sensitive information?
  • thinny Contactee
    edited April 2013
    Long story short, I ended up completely shutting down my OSSIM server/sensor/database, and then brought them all back on. After they powered back up I began seeing entries in the SIEM again.

    No explanation as to why I couldn't see entries in the SIEM for 2-3 days for one specific .cfg, but the issue has been resolved.

    This was well after I had rebooted all systems multiple times and restarted system services.
  • TemeYahi Contactee
    Hi,

    Are older ISO images stored anywhere?

    I would need AlienVault Open Source SIEM 4.1.3 64-bit iso image.

    I have an environment running on version 4.1.3; I updated it from 4.0.2 (that ISO image I have in place).

    Thanks,
    TemeYahi
  • TemeYahi Contactee
    Thanks!

    Good to know about that repository; somehow I had missed the archives location.

    Yep, I have closed environment separated from internet at the moment.
    However, the plan is to update to the latest version soon, but I must finish all necessary testing with version 4.1.x.