OSSIM 2.2 introduces a range of new features including an improved installer, enhanced usability, and a new vulnerability management interface. It offers automated compliance reporting for PCI DSS and ISO standards, a unified report manager, and advanced asset management capabilities. Additional enhancements include netflow analysis, multi-client management, and increased performance and storage capacity.

1. What’s New in OSSIM 2.2?http://www.alienvault.comFebruary 2009Juan Manuel Lorenzo (jmlorenzo@alienvault.com)

2. New Features and EnhancementsOSSIM 2.2

3. IndexNew Features and Enhancements New InstallerEnhanced UsabilityNew Vulnerability Management InterfaceISO & PCI ComplianceUnified Report ManagerAsset Management, Search and ReportingSIEM Forensic Console EnhancementsFull PCI Wireless Security complianceNetflow AnalysisNew data sourcesNew menu organizationMulticlientLoggerHigher Performance and Increased StorageUpcoming Work3

4. New installer32-bit and 64-bit versionGraphical installerUnattended installationVPN auto-setupFirewall auto-setupUpdate process improvedFull Multi-profileAutomatic configuration of OSSIM ComponentsHTTPS enabled by defaultSoftware UpgradedPacket capture improved (Pfring 1.0 in 32-bit and 64- bit version)4

5. New InstallerUpgraded Software Linux Kernel 2.6.31Support for newest devicesMySQL 5.1Greater performance and partitioning supportPfring 4.0PF_RING can be used with vanilla kernels (no kernel patch required).OSSEC 2.3.1Real time file integrity monitoring on Windows systemsSupport for monitoring the commands output (process monitoring)Openvas 3.0WMI clients supportNew internal module architecture5

6. Enhanced UsabilityEasy access to a broad range of information about any host or network:Asset ReportAlarmsSIEMLoggerTicketing systemKnowledge DBVulnerabilitiesNetwork MonitorAvailability MonitorRight-click on any IP address or Network to see the contextual menu6

7. Enhanced UsabilityEase of useAnalysis/Monitoring, reporting and configuration have been separated into different tabs.Advanced options and complex configurations have been separated from simple configuration options.HelpEach panel has it's own link to the documentation/help7

8. Enhanced UsabilityUser templatesSimplifies permission assignment to users in OSSIM.Floating WindowsNew floating Windows are now being used to help navigation within the web interface.8

9. New Vulnerability Management InterfaceSchedule ScansScanning profilesScan summaryThreats databasePredefined Scanning ProfilesReporting in HTML, PDF and XLSMonitor Scan status in Real TimeVulnerability Scanner Web configuration9

10. New Vulnerability Management InterfaceMonitor Scan status in Real TimeSchedule Scan10

11. New Vulnerability Management InterfaceVulnerability Scanner Reports11EXCELPDFHTML

12. ISO & PCI ComplianceAutomated PCI DSS and ISO 27001 Compliance reporting including:Threat overviewBusiness real impact risksC.I.A Potential impactPCI-DSSTrendsISO27002 Potential impactISO27001Directives mapped to compliance control objectives 12

13. Unified Report ManagerReport Management system built on JasperServerReports in PDF, RTF, and HTML FormatReports can be sent via e-mail from the Web InterfaceTime frame selection when generating reports13

14. Unified Report ManagerAccess all reports from a single centralized locationAvailable reports:Asset ReportSIEM EventsLoggerAlarmsBusiness & Compliance ISO PCIMetrics ReportGeographic ReportUser activity14

15. Unified Report ManagerContent selection for each reportCustomizable Reports15

16. Asset Management, Search and Reporting16Asset SearchFind all Assets matching certain criteriaDate frame SelectionSave predefined searchesAdvanced searchesAuto completion

17. Asset Management, Search and Reporting17Advanced Asset SearchUse logical Operators to combine search criteriaPredefined Search CriteriasAdvanced searchesMultiple Options in each criteriaAuto completion

18. Asset Management, Search and Reporting18Asset ReportShows all the information regarding a host or network that can be found in OSSIM

19. SIEM Forensic Console EnhancementsSIEM Forensic Database redesignedFaster analysisStorage capacity increasedSearch Engine optimizedLogical Search (Using AND & OR operators)Export query results in PDF FormatNew filtersFilter by countryFilter by local networksTime frame selection using a calendarExtended information using event references 19

20. SIEM Forensic Console EnhancementsSearch using AND & OR (IP and Signature)Export query results in PDF Format20

21. SIEM Forensic Console EnhancementsEvent geo-localization statisticsTime frame selection21

22. Full PCI Wireless Security complianceImplements the necessary controls for a full Wireless PCI Compliance.Reporting System and Wireless IDS (Kismet)Reports:NetworksCloaked Networks having uncloaked AP’sEncrypted Networks having unencrypted AP’sNetworks using weak encryptionsSuspicious clients22

23. Netflow AnalysisNetflow monitoring and managementIntegration of Nfdump and NfsenNetflow collection from network devicesFprobe auto-configured to collect logs in the OSSIM collectors.23

24. Netflow AnalysisEasy configuration interfaceComplex Netflow Analysis and plugin support24

25. New data sources Cisco SDEEApplication level communications protocol that is used to exchange events in Cisco DevicesSnort Unified2Snort 3.0 and Suricata Engine supportedWMI Agentless CollectionWindows Management InstrumentationNew supported devices and applicationsAstaro, Vyatta, Siteprotector, TippingPoint, Juniper VPN, RedBack, Netscreen IDP, Kismet, LucentBrick,...25

26. New Menu OrganizationDashboardsHigh level information: charts, graphs, and risk maps.IncidentsMedium level information: Alarms, Ticketing system and Knowledge DBAnalysisLow level information: SIEM Events (Data mining), Logger and vulnerabilitiesReportsReport Manager AssetsInventory, Asset Search and OSSIM Components26

27. New Menu OrganizationIntelligencePolicy, actions, correlation rules and Compliance MappingMonitorsInformation in real time: Network, Usage and availabilityConfigurationUsers, Collection configuration, and Database UpgradesToolsBackup, Tools Download, and Network Discovery system27

28. MulticlientMulti Company/Department management capabilitiesMulti-hierarchical deployments 28Only available when using Alienvault professional SIEM

29. LoggerNew graphs and statisticsReports on the information stored in the LoggerLogical operators in Logger SearchFastest access to the information stored in the Logger29Only available when using Alienvault professional SIEM

30. LoggerSelect the time frame easily clicking on graphs or using a calendarDigitally signed logs can be exported to be verified using an external applicationImproved search syntax30Only in Alienvault Professional SIEM

31. Higher Performance and Increased StorageDatabase redesigned to increase performance and storage capacity.Improved Multithread support in OSSIM ServerMulti-insertion to reduce database queriesFaster processing of events31Only available when using Alienvault professional SIEM

32. Upcoming Work

33. Upcoming workNAC ( Network Access Control)Asset auto-discoveryHIDS Management consoleCollectors Management consoleNew correlation capabilitiesDLP (Data Loss Prevention)Improve Nagios Integration33