OSSEC Changelog

What's new in OSSEC 2.8.3

Nov 6, 2015
  • Notable fixes:
  • eventchannel reliability has been improved for the win32 agent.
  • The OSSEC agent in a hybrid installation no longer errors out and ignores the alerts.log file.

New in OSSEC 2.7.1 (Nov 20, 2013)

  • Installation:
  • Server:
  • Fixed Solaris update install (ddpbsd)
  • Agent:
  • Fixed the InstallAgent.sh script for adding users on Mac OS X, distinguishing OS X 10.5 from earlier versions
  • Allow os_auth to resolve manager hostname to IP address
  • Fixed Windows Agent
  • Syscheck:
  • Extended filesize from an integer to a long integer
  • Rootcheck:
  • No Change
  • Agents:
  • Make heartbeat interval configurable (Christobel Rosa):
  • Was fixed at a 10 minute interval; now configurable
  • Use ossec.conf "notify_time", "time-reconnect"
  • For both *nix and Windows agents
  • More details TBD (To Be Documented)
  • Log monitoring/analysis:
  • Added new feature "custom_alert_output" (Christobel Rosa). More details TBD (To Be Documented)
  • Added checking for duplicate rule IDs (cgzones)
  • Rules and Decoders:
  • etc/decoder.xml updated:
  • Fixed ar_log decoder (dcid)
  • Updated decoders (jp.zurbrugg)
  • Added Pure-FTPd transfer log decoder (ddpbsd)
  • Added mptscsih / mptbase SCSI controller log decoders
  • etc/rules/ updated:
  • nginx_rules.xml - Added to reduce noise
  • pure-ftpd_rules.xml - Added rules 11310, 11311, 11312
  • syslog_rules.xml - Added rules 2935-2939 for SCSI controller
  • web_appsec_rules.xml - Updated PHPMyAdmin rules; added rules 31515, 31516, 31530-31533, 31550
  • web_rules.xml - Updated; added rules 31164, 31165 for SQL injection attempt
  • Output and Alert options:
  • csyslogd:
  • Fixed crash issue in non-debug mode due to memory corruption
  • ossec-dbd:
  • Fixed database log entries truncation issue
  • Active Response:
  • Fixed firewall-drop.sh script to prevent a resource loop (dcid)
  • Added ip-customblock.sh script (dcid)
  • Fixed ar.conf ownership issue (ddpbsd)
  • Scripts fixes:
  • Add a log message when something "did not start correctly" (ddpbsd)
  • Contributions:
  • Added contrib/ossec2snorby/ scripts, see README for details
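The configurable heartbeat listed above under Agents, shown as an added ossec.conf example (this is not code from the OSSEC project or from this changelog): an agent-side <client> block setting notify_time and time-reconnect. The placement of these elements under <client>, and the server-hostname alternative to server-ip, follow the OSSEC agent configuration reference; the manager address and the interval values are assumptions.

```xml
<!-- Added example (not from the OSSEC project): agent-side ossec.conf fragment
     for the configurable heartbeat introduced in 2.7.1. Element placement under
     <client> follows the OSSEC agent configuration reference; the manager
     address and the values below are assumptions. -->
<ossec_config>
  <client>
    <!-- Manager address. Since 2.7 the agent may instead be given a hostname
         in <server-hostname>, which it resolves at start-up. -->
    <server-ip>192.0.2.10</server-ip>

    <!-- Seconds between keep-alive ("heartbeat") messages to the manager.
         Before 2.7.1 this was hard-coded at 10 minutes (600 s). -->
    <notify_time>60</notify_time>

    <!-- Seconds without an acknowledgement before the agent reconnects.
         Keep it larger than notify_time so a single missed keep-alive does
         not force a reconnect. -->
    <time-reconnect>180</time-reconnect>
  </client>
</ossec_config>
```

A shorter notify_time lets the manager notice a silent agent sooner, since its agent-disconnected alerting keys off these keep-alives, at the cost of more traffic per agent; on a hybrid host the local agent reads this same <client> block.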

New in OSSEC 2.7 (Nov 24, 2012)

  • Installation:
  • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
  • Add manage_agents -f option for bulk generation of client keys from an input file.
  • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
  • Syscheck:
  • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  • Rootcheck:
  • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  • Log monitoring/analysis:
  • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  • Alert options and syslog output:
  • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
  • Support JSON and Splunk formats in syslog output.
  • Rules and other notable changes/fixes:
  • Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
  • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
  • Updated decoders include: PIX, auditd, apache, pam, php.
  • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
  • Updated rootcheck rules.
  • ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
  • Many bug fixes…
  • LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2

New in OSSEC 2.7 Beta-2 (Oct 12, 2012)

  • LICENSE text: Added exception clause for OpenSSL, and made OSSEC GPLv2 (was v3)
  • Fixed OpenSSL exception clause in LICENSE and os_auth source files.
  • Installation:
  • Server:
  • Implemented a new feature to support agent config profiles (Christopher Moraes)
  • Added hybrid mode installation (as standalone + agent); alerts.log on the server will be monitored
  • Reduced unnecessary 'chown/chmod -R' under /queue/diff/ during OSSEC upgrade (beta2)
  • Fixed ossec.conf upgrade issue related to the wrong position of custom rules (beta2)
  • Agent :
  • Allow OSSEC server to be specified using hostname instead of IP (Michael Starks)
  • non-English message templates updated with the above too.
  • Added an option in the agent's internal_options.conf to allow or refuse remote commands from the manager (default 0 = refuse):
      # Logcollector - If it should accept remote commands from the manager.
      # allowed value: 0(no), 1(yes)
      logcollector.remote_commands=0
  • ossec-authd:
  • Added logic to clean up forked processes as they exit (Jason Stelzer)
  • Added '-i' option to write IP address in client.keys file (Jason Stelzer)
  • Fix installation script exitcode, to work with Puppet/Chef/cfengine (Brad Lhotsky)
  • init/update.sh:
  • Patched to allow '-' in the directory path (2135:8664b3f984e4)
  • Fix bug dcid#40 update failed when using cdb in ossec.conf (Michael Starks)
  • Syscheck:
  • Added support for prelink in syscheck, reducing false positives
  • Added inotify realtime monitor flags: IN_CREATE IN_DELETE_SELF
  • Fixed the syscheck restrict=".txt" not working issue (added in v2.7-beta1)
  • Bug fixes (sgros): regex init and memory free fix
  • bug fixes (pieska) 2164:884acf7da206
  • Fixed syscheckd segmentation fault when there is no syscheck directories in ossec.conf
  • Rootcheck :
  • Support fine-grained rootcheck configuration control: each individual check can be turned on or off with its own yes/no option in etc/ossec.conf (eight such options; all default to yes)
  • Fixed rootcheck config file issue when there are trailing spaces/tabs (beta1)
  • Log monitoring/analysis:
  • ossec-logcollector
  • added support for GeoIP lookup using Maxmind database and API (xavier)
  • Rules and Decoders:
  • Removed useless CIS checks, added checks for vulnerable web apps (dcid)
  • rootcheck rules updated:
  • src/rootcheck/db/cis_debian_linux_rcl.txt
  • src/rootcheck/db/cis_rhel5_linux_rcl.txt
  • src/rootcheck/db/cis_rhel_linux_rcl.txt
  • src/rootcheck/db/rootkit_files.txt
  • src/rootcheck/db/rootkit_trojans.txt
  • src/rootcheck/db/system_audit_rcl.txt
  • etc/decoder.xml updated:
  • new decoders (Scott R. Shinn)
  • Auditd decoders for logs from CentOS 5.5 - (c): Michael Starks, 2011
  • Extracts action, id, status, extra_data, srcip
  • etc/rules/ updated:
  • apache_rules.xml - Updated for more variations
  • arpwatch_rules.xml - Updated with new rule id 7209 (Possible arpspoofing attempt)
  • clam_av_rules.xml - Updated rule 52509 level "1" --> "0", and
  • mcafee_av_rules.xml - Updated for precise ID matching
  • msauth_rules.xml - Updated for precise ID matching (for Win 2008)
  • openbsd_rules.xml - Updated with new rules 51525-51529
  • ossec_rules.xml - Added new rules 519, 533-535, and 594-598; Win Registry syscheck alert level 7 --> 5 (to reduce noise)
  • pam_rules.xml - Added rules 5552-5555
  • php_rules.xml - added rule 31413 PHP internal error (server out of space).
  • pix_rules.xml - fixed typo
  • syslog_rules.xml - Updated
  • web_appsec_rules.xml - New for Web attacks/vulns specific rules for OSSEC.
  • web_rules.xml - added 31110 PHP CGI-bin vulnerability attempt
  • added 31109 MSSQL Injection attempt (/ur.php, urchin.js)
  • updated 31115 URL too long. Possible attack
  • Output and Alert options:
  • ossec-csyslogd:
  • Add MD5/SHA1 sum to the syslog output. (mstarks) 2110:2c911b0e6dc3
  • Added "json" and "splunk" to the allowed syslog output formats
  • Trim extra long strings to "..." in order to fit the maximum output size (v2.7-beta2)
  • ossec-dbd:
  • Allow newline characters to be stored in the database. 2146:a10f4dfc417c
  • fix postgresql.schema file (adding alertid) 2107:ca96a1d3b298
  • Active Response:
  • better handling of IPv6 firewall-drop:
  • firewall-drop.sh - Updated to support both IPv4 and IPv6
  • firewall-drop.sh - fixed fw-drop lock issue that prevented the script from exiting (beta1)
  • Fix active-response.c config value: "srcip" worked, but "user" was ignored
  • Fix Active Response to allow AR to be triggered with "(local_source)" (beta1)
    This is a modification to OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar).
    Originally, OS_Exec processed the AR exec_msg only if the event location, lf->location,
    contained a string starting with '(', signalling that an agent_id is available,
    e.g. " (MYAGENT_ID) 192.168.1.2->WinEvtLog".
    That was fine for remote agents, but events created by the local analysisd were
    ignored, since their location fields do not start with "(agent_id)",
    e.g. "mycentos->/var/log/secure".
    2.7 beta-1 adds the prefix "(local_source)" to the exec_msg if no '(' is found.
    Using the example above, the exec_msg will start with
    "(local_source) mycentos->/var/log/secure" and will be processed.
    The intention is to allow locally generated events to trigger AR.
  • Tools and Utilities:
  • bin/ossec-logtest
  • Renamed argument '-f' to '-v', meaning "verbose (full) output/rule debugging"
  • bin/manage_agents:
  • Added -f option to bulk-generate client keys from a file (OSSEC manager only)
  • Allow the agent IP address to be pre-specified rather than "any"
  • bin/verify-agent-conf:
  • Modified verify-agent-conf to add a help message (Christopher Moraes)
  • Scripts fixes:
  • init.sh
  • Debian init patch by Costas Drogos (Bug dcid#26 missing insserv tag) (Michael Starks)
  • Fixed installer for DragonFly BSD (dcid) 1723:8140357f4d9d
  • Fixed init scripts for Darwin (peter.wolanin) 1659:a88ee6ea3c05
  • ossec-client.sh:
  • Modified ossec-client.sh to allow 'reload', in addition to 'restart' 2144:6645123f9e19
  • Contributions (in the contrib/ directory):
  • active-list.pl - New OSSEC active-response script to store a suspicious IP address in a MySQL table (xavir)
  • ossec2rss.php - New OSSEC 2 RSS script (dcid)
  • util.sh - New utility (dcid) that can:
  • Add a new file
  • Add a new remote host to be monitored via lynx
  • Add a new remote host to be monitored (DNS)
  • Add a new command to be monitored
  • Documentation for Adding GeoIP Support:
  • Added support for GeoIP lookup using the Maxmind database and API (xavier)
  • Supports GeoIP database lookup for src/dst IP addresses
  • Converts non-private IP addresses to city names
  • Output to alerts.log, syslog forwarding, and maild output
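The "(local_source)" change and the firewall-drop / expect fixes under Active Response above, together with the repeated-offender blocking introduced in 2.6, shown as an added manager-side ossec.conf example (this is not code from the OSSEC project or from this changelog). The element names follow the OSSEC active-response configuration reference; the alert level, timeout, white-listed address and repeated_offenders values are assumptions.

```xml
<!-- Added example (not from the OSSEC project): manager-side ossec.conf fragment
     wiring firewall-drop to local events. Element names follow the OSSEC
     active-response reference; the level, timeout, white-listed address and
     repeated_offenders values are assumptions. -->
<ossec_config>
  <global>
    <!-- Never block these. With the "(local_source)" change, events from the
         manager's own logs (e.g. its sshd) can now trigger AR on the manager
         itself, so list your admin hosts here to avoid locking yourself out. -->
    <white_list>192.0.2.1</white_list>
  </global>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <!-- Field handed to the script. 2.7 beta-2 fixed "user" so it is no
         longer ignored; srcip is what firewall-drop needs. -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <!-- "local" runs the script on the host that generated the event. A
         locally generated event now carries the "(local_source)" prefix and
         is processed instead of being skipped. -->
    <location>local</location>
    <level>6</level>
    <!-- Seconds until the drop is undone; a timeout keeps a false positive
         from becoming a permanent block. -->
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- 2.6 feature: escalating block durations (minutes) for an address
         that keeps coming back. Read by ossec-execd on the host running the
         response. -->
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
```

Because level-based responses now fire on the manager's own log sources as well, audit which rules reach the configured level before enabling a drop response: a brute-force rule matching the manager's sshd log will block the attacking address on the manager, which is the intended effect, but a mis-decoded source address would block the wrong host.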

New in OSSEC 2.7 Beta-1 (Oct 1, 2012)

  • Installation:
  • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
  • Add ‘manage_agents -f’ option for bulk generation of client keys from an input file.
  • Syscheck:
  • Add prelinking support – reduce confusion when a file change is the result of prelinking. (Beta-1: We realize there is a performance penalty. Please report if you notice a performance impact.)
  • Rootcheck:
  • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  • Log monitoring/analysis:
  • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation. (Beta-1: Fixed potential string buffer overflow issues)
  • Add multi-line log readers for Linux auditd, plus ModSec and Regex log readers.
  • Alert options and syslog output:
  • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
  • Support JSON and Splunk formats in syslog output.
  • Rules and other notable changes/fixes:
  • Updated decoders include: PIX, auditd, apache, pam, php…
  • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
  • Updated rootcheck rules
  • ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
  • Many bug fixes
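The per-check rootcheck switches (Rootcheck entry above, first introduced in 2.7 Beta-2), shown as an added ossec.conf example (this is not code from the OSSEC project or from this changelog). The element names and the one-line description of each check are taken from the OSSEC rootcheck configuration reference, not from this changelog; the frequency and the database paths are assumptions matching a default install under /var/ossec.

```xml
<!-- Added example (not from the OSSEC project): ossec.conf fragment showing the
     per-check rootcheck options added in 2.7. Element names follow the OSSEC
     rootcheck reference; frequency and paths are assumptions for a default
     /var/ossec install. -->
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
    <!-- Seconds between full rootcheck runs. -->
    <frequency>36000</frequency>

    <!-- Signature and policy databases shipped in src/rootcheck/db/ and
         installed under etc/shared/ (the files updated in this release). -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

    <!-- Individual checks. All default to yes; set one to no only where it
         is known to be noisy or expensive on this host, and say why. -->
    <check_files>yes</check_files>          <!-- rootkit_files database -->
    <check_trojans>yes</check_trojans>      <!-- rootkit_trojans database -->
    <check_dev>yes</check_dev>              <!-- regular files hidden in /dev -->
    <check_sys>yes</check_sys>              <!-- file system anomalies, hidden files -->
    <check_pids>yes</check_pids>            <!-- processes hidden from /proc -->
    <check_ports>yes</check_ports>          <!-- listening ports hidden from netstat -->
    <check_if>yes</check_if>                <!-- interfaces in promiscuous mode -->
    <check_unixaudit>yes</check_unixaudit>  <!-- system_audit / CIS policy checks -->
  </rootcheck>
</ossec_config>
```

Turning off check_unixaudit silences every policy finding from the system_audit and CIS files, not just a noisy one; if a single CIS item is the problem, remove that entry from the policy file instead and keep the check enabled.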

New in OSSEC 2.7 Beta-0 (Sep 12, 2012)

  • Installation:
  • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
  • Add ‘manage_agents -f’ option for bulk generation of client keys from an input file.
  • Syscheck:
  • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  • Rootcheck:
  • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility (default is all ON).
  • Log monitoring/analysis:
  • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  • Add multi-line log readers for Linux auditd, plus ModSec and Regex log readers.
  • Alert options and syslog output:
  • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
  • Support JSON and Splunk formats in syslog output.
  • Rules and other notable changes/fixes:
  • Updated decoders include: PIX, auditd, apache, pam, php…
  • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
  • Updated rootcheck rules
  • ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
  • Many bug fixes

New in OSSEC 2.6 (Aug 28, 2012)

  • Added IPv6 support
  • Lots of new rules (OpenBSD, Clamav, BRO-ids, active response logs, etc.)
  • Added ossec-authd – for automatically creating and setting up the agent keys
  • Added CEF support to client syslog
  • Improved reporting for file changes
  • Added option to block repeated offenders with OSSEC
  • Many bug fixes