New version of AlienVault OSSIM 5.2.4 (18/05/2016)

Greetings again.

On 18 May 2016 a new release in the AlienVault OSSIM 5.x branch, 5.2.4, was published. This version comes with feature and plugin updates, plus rebuilt packages covering several security advisories. Here is the announcement sent by the development team:

New Update: AlienVault 5.2.4 has been released

2016-05-18 20:00:00

As of Thursday, May 19, 2016, AlienVault USM and OSSIM v5.2.4 are now generally available for all existing and new customers.

Users can update their system(s) through the console or web UI (see upgrade instructions for more information).

Please take a few minutes to carefully read these release notes before upgrading.

Additional Upgrade Info for All Users on v5.1.1 and Earlier

Documentation Updates
Improvements Added – USM and OSSIM
  • Improved alarm filtering – Filter alarms by risk level in the alarm list view
  • Syslog via TCP – AlienVault can now collect logs from devices that send syslog via TCP
  • Improved Windows file integrity monitoring – AlienVault HIDS now includes new rules to better monitor activities occurring on Windows machines
Improvements Added – USM only
  • AlienVault Logger performance improvements – Improved indexing and compression for long-term storage and more efficient searching
  • New compliance reports – 16 new reports available for NERC CIP and Gramm-Leach Bliley Act (GLBA) regulations
Defects Fixed
  • ENG-100641 – Web UI displays alarms as still being correlated despite their having reached the last correlation level – Alarms that have finished correlating now appear properly in the UI.
  • ENG-101664 – Agent auto-deployment/download is blocked for OS mis-detection with no easy fix – Added new messaging in the web UI to provide users with instructions on how to deploy agents.
  • ENG-101864 – Advanced search options not working properly in SIEM events – Advanced search works as expected.
  • ENG-102183 – No warning when user reaches plugin limit – Warnings added in UI and Message Center.
  • ENG-102512 – Template permission not working in alarm details action menu – Delete alarms option is only available when permission is given.
  • ENG-102704 – Ticket opened from alarm has no back reference to alarm – Tickets now include link to alarm.
  • ENG-102705 – SIEM events do not have unique URLs – Each event now contains a unique URL.
  • ENG-102857 – Initial setup search domain configured by ossim-setup is broken – Search domain is configured properly.
  • ENG-102923 – Some accounts have unnecessary access – The users list, irc, gnats, uucp, news, and IP were removed.
  • ENG-102934 – Database schema is inconsistent – Improved vulnerability database.
  • ENG-103175 – Squid events are being discarded by server – Updated plugin SID so that logs are processed properly.
  • ENG-103221 – The top 5 alarms dashboard shows open and closed alarms – Dashboard now shows only open alarms.
  • ENG-103240 – User permissions not properly segregating information – User permissions using contexts now work as expected.
  • ENG-103262 – Whois monitor plugin failing since 5.2 – Re-installed whois binary so that plugin works as expected.
  • ENG-103284 – Adjust rsyslog config for Bluecoat logging – Updated rsyslog to split Bluecoat logs into multiple lines.
  • ENG-103291 – Large events generate overflow which affects sensors – Improved sensor handling of large events.
  • ENG-103302 – Binary data is indexed in the Logger leading to large indices – Binary data is no longer indexed.
  • ENG-103339 – Alarm link in ticket is broken after alarm correlation – All opened tickets point to the alarm that they were generated from.
  • ENG-103364 – alienvault_dumpindex does not work with compressed indices – Users are able to dump indexes, even when the mindex.inx file is compressed.
  • ENG-103434 – Alienvault-forward does not reconnect when it loses connection – Added new reconnect method and additional debug messages when this issue occurs.
Security Advisories
  • ENG-103348, Vulnerable Hardware Configuration – RAKP (CVE-2013-4786) – AlienVault 5.2.4 is not vulnerable.
  • ENG-103348, Vulnerable Package – samba (multiple) – Added new version of package to repository – AlienVault 5.2.4 is not vulnerable.
  • ENG-103378, Vulnerable Package – openssh (CVE-2015-8325) – Added new version of package to repository – AlienVault 5.2.4 is not vulnerable.
  • ENG-103396, Vulnerable Package – libgd2 (CVE-2016-3074) – Added new version of package to repository – AlienVault 5.2.4 is not vulnerable.
  • ENG-103416, Vulnerable Configuration (ZDI-CAN-3704) – AlienVault 5.2.4 is not vulnerable.
  • ENG-103417, Vulnerable Configuration (ZDI-CAN-3704) – AlienVault 5.2.4 is not vulnerable.
  • ENG-103419, Vulnerable Package – openssl (multiple) – Added new version of package to repository – AlienVault 5.2.4 is not vulnerable.
  • ENG-103436, Vulnerable Package – libtasn1-6 (CVE-2016-4008) – Added new version of package to repository – AlienVault 5.2.4 is not vulnerable.
  • ENG-103449, Vulnerable Configuration (ZDI-CAN-3752) – AlienVault 5.2.4 is not vulnerable.
  • ENG-103452, Vulnerable Package – php5 (multiple) – Added new version of package to repository – AlienVault 5.2.4 is not vulnerable.

See the Security Advisory for USM and OSSIM v5.2.4 for more information.
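The advisory entries above name the Debian source packages that were rebuilt (samba, openssh, libgd2, openssl, libtasn1-6, php5) but not the resulting version numbers, so after the upgrade the practical check is to compare the installed binary package versions on the appliance against the minimums given in the AlienVault advisory. The following is an added example, not AlienVault code: it ports dpkg's version ordering (epoch, upstream, revision, with `~` sorting lowest) so the comparison is correct for strings like `1:6.0p1-4+deb7u2`, parses `dpkg-query -W` output, and flags each advisory package as ok, outdated or missing. Every package name and version string in the sample data is a constructed placeholder, not a value from the advisory.

```python
"""Compare installed Debian package versions against an advisory minimum
list using dpkg's ordering (epoch:upstream-revision). Added example, not
AlienVault code; SAMPLE_* values are constructed, not the advisory's."""
import subprocess
from typing import Dict, Tuple


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and digit runs."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return ac - bc
            ia, ib = ia + 1, ib + 1
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        first_diff = 0
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia, ib = ia + 1, ib + 1
        if ia < len(a) and a[ia].isdigit():
            return 1  # a has more significant digits left
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch and revision may be absent."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_query(output: str) -> Dict[str, str]:
    """Parse lines of `dpkg-query -W -f='${Package} ${Version}\\n'`.
    Packages never installed print an empty version and are skipped."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def check_minimums(installed: Dict[str, str], minimums: Dict[str, str]) -> Dict[str, str]:
    """Map each advisory package to 'ok', 'outdated' or 'missing'."""
    status: Dict[str, str] = {}
    for pkg, floor in minimums.items():
        cur = installed.get(pkg)
        if cur is None:
            status[pkg] = "missing"
        else:
            status[pkg] = "ok" if compare_versions(cur, floor) >= 0 else "outdated"
    return status


def installed_from_dpkg() -> Dict[str, str]:
    """Query the live system (assumes a Debian-based appliance with dpkg)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Package} ${Version}\n"],
                         check=True, capture_output=True, text=True).stdout
    return parse_dpkg_query(out)


# Constructed placeholders: Debian-shaped names and versions invented for the
# demo. Replace SAMPLE_MINIMUMS with the versions from the AlienVault advisory.
SAMPLE_DPKG_OUTPUT = """\
libtasn1-6 2.13-2+deb7u1
openssh-server 1:6.0p1-4+deb7u2
openssl 1.0.1e-2+deb7u20
samba 2:3.6.6-6+deb7u9
"""
SAMPLE_MINIMUMS = {
    "libtasn1-6": "2.13-2+deb7u3",
    "openssh-server": "1:6.0p1-4+deb7u2",
    "openssl": "1.0.1e-2+deb7u20",
    "samba": "2:3.6.6-6+deb7u9",
    "php5-common": "5.4.45-0+deb7u3",
}


def demo() -> Dict[str, str]:
    return check_minimums(parse_dpkg_query(SAMPLE_DPKG_OUTPUT), SAMPLE_MINIMUMS)


if __name__ == "__main__":
    for pkg, state in demo().items():  # swap in installed_from_dpkg() on the appliance
        print(f"{pkg:16} {state}")
```

Note that the advisory lists source packages while dpkg reports binary packages, so a source like php5 or libgd2 maps to several binary names on the appliance; a "missing" result may simply mean the binary name differs, and the installed list should be inspected before concluding a fix is absent.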

About Hector Suarez Planas

He holds a degree in Computer Science (3 July 2002). He has been a Network Administrator in several organizations, a Programmer and a Systems Analyst. He currently works as Network Administrator at the Telecentro Tele Turquino in Santiago de Cuba. He has experience with Windows and GNU/Linux systems, network infrastructure (Cisco, AlliedTelesis, Netgear and HP ProCurve, Vyatta/VyOS), physical and virtual servers (VMWare, Proxmox VE and Xen platforms), IT security systems (Snort/Suricata IDS, AlienVault OSSIM appliances), programming (Delphi, C++ Builder, Perl [a little], Python [some]), among other things. I am currently getting into everything related to Cloud Computing (OpenStack) and Data Centers. :-)
This entry was posted in Updates, AlienVault OSSIM.

2 responses to New version of AlienVault OSSIM 5.2.4 (18/05/2016)

  1. odiseo said:

    Héctor, I have the OSSIM version (AlienVault_OSSIM_64bits_5.1.1_2) set up in a VM on Proxmox, but I have not managed to make progress with its implementation for lack of documentation for this version. Could you send me privately whatever you can on this topic? I still do not have "a way out to sea" (internet access).

    Regards.

    • Hector Suarez Planas said:

      Greetings, Odiseo.

      First of all, I think you should use a more recent version. 🙂 And yes, no problem, you can count on me. I will send you an email.

      🙂
