What's new in OSSEC 2.8.3
Nov 6, 2015
- Notable fixes:
- eventchannel reliability has been improved for the win32 agent.
- The OSSEC agent in a hybrid installation no longer errors out and ignores the alerts.log file.
New in OSSEC 2.7.1 (Nov 20, 2013)
- Installation:
- Server:
- Fixed Solaris update install (ddpbsd)
- Agent:
- Fixed InstallAgent.sh script for Mac OS X user creation (adduser), distinguishing OS X 10.5 from previous versions
- Allow os_auth to resolve manager hostname to IP address
- Fixed Windows Agent
- Syscheck:
- Extended filesize from an integer to a long integer
- Rootcheck:
- No Change
- Agents:
- Make heartbeat interval configurable (Christobel Rosa):
- Was fixed at 10 minutes interval, now configurable
- Use ossec.conf "notify_time", "time-reconnect"
- For both *nix and Windows agents
- More details TBD (To Be Documented)
- Log monitoring/analysis:
- Added new feature "custom_alert_output" (Christobel Rosa). More details TBD (To Be Documented)
- Added checking for duplicate rule IDs (cgzones)
- Rules and Decoders:
- etc/decoder.xml updated:
- Fixed ar_log decoder (dcid)
- Updated decoders (jp.zurbrugg)
- Added Pure-FTPd transfer log decoder (ddpbsd)
- Added mptscsih / mptbase SCSI controller log decoders
- etc/rules/ updated:
- nginx_rules.xml - Added to reduce noise
- pure-ftpd_rules.xml - Added rules 11310, 11311, 11312
- syslog_rules.xml - Added rules 2935-2939 for SCSI controller
- web_appsec_rules.xml - Updated PHPMyAdmin rules; added rules 31515, 31516, 31530-31533, 31550
- web_rules.xml - Updated; added rules 31164, 31165 for SQL injection attempt
- Output and Alert options:
- csyslogd:
- Fixed crash issue in non-debug mode due to memory corruption
- ossec-dbd:
- Fixed database log entries truncation issue
- Active Response:
- Fixed firewall-drop.sh script to prevent a resource loop (dcid)
- Added ip-customblock.sh script (dcid)
- Fixed ar.conf ownership issue (ddpbsd)
- Scripts fixes:
- Add a log message when something "did not start correctly" (ddpbsd)
- Contributions:
- Added contrib/ossec2snorby/ scripts, see README for details
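Added example, not OSSEC code: the duplicate-rule-ID condition that analysisd reports at startup since 2.7.1, as a stand-alone check you can run over local_rules.xml before restarting the manager (a reused id silently shadows one of the two rules). It is a plain text scan for "<rule" elements carrying an id="N" attribute, not a full XML parser; the sample rules file is constructed for this example and the function names are the example's own.

```c
/* Added example, not OSSEC code: a stand-alone check for duplicated
 * <rule id="..."> values, the condition analysisd reports since 2.7.1.
 * A duplicate id silently shadows one of the two rules, so run this over
 * local_rules.xml before restarting the manager. It is a plain text scan
 * for "<rule" followed by an id="N" attribute, not an XML parser; it
 * assumes decimal ids, as in the stock rule set. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_RULES 4096

/* Constructed local_rules.xml excerpt: 100001 is used twice on purpose. */
static const char SAMPLE_RULES[] =
    "<group name=\"local,syslog,\">\n"
    "  <rule id=\"100001\" level=\"5\">\n"
    "    <if_sid>5716</if_sid>\n"
    "    <description>sshd: failed login from monitored subnet</description>\n"
    "  </rule>\n"
    "  <rule id=\"100002\" level=\"10\" frequency=\"6\" timeframe=\"120\">\n"
    "    <if_matched_sid>100001</if_matched_sid>\n"
    "    <description>sshd: repeated failures, same source</description>\n"
    "  </rule>\n"
    "  <rule id=\"100001\" level=\"0\">\n"
    "    <if_sid>5710</if_sid>\n"
    "    <description>accidental id reuse: shadows the rule above</description>\n"
    "  </rule>\n"
    "</group>\n";

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Collect every <rule ... id="N"> in xml into ids (at most max); returns the
 * number stored. "</rule>" and "<rules>" do not match: the scan requires
 * "<rule" followed by whitespace and an id attribute before the closing '>'. */
int collect_rule_ids(const char *xml, int *ids, int max)
{
    int n = 0;
    const char *p = xml;
    while (n < max && (p = strstr(p, "<rule")) != NULL) {
        p += 5;
        if (!isspace((unsigned char)*p))
            continue;
        const char *end = strchr(p, '>');
        if (!end)
            break;
        const char *id = p;
        while ((id = strstr(id, "id=\"")) != NULL && id < end) {
            if (isspace((unsigned char)id[-1])) {   /* whole attribute name, not e.g. foo_id */
                ids[n++] = atoi(id + 4);
                break;
            }
            id += 4;
        }
        p = end;
    }
    return n;
}

/* Sort the ids and report each value that occurs more than once (once per
 * value) into dups; returns the number of distinct duplicated ids. */
int count_duplicate_rule_ids(const char *xml, int *dups, int max_dups)
{
    int ids[MAX_RULES];
    int n = collect_rule_ids(xml, ids, MAX_RULES);
    int nd = 0;
    qsort(ids, (size_t)n, sizeof ids[0], cmp_int);
    for (int i = 1; i < n; i++) {
        if (ids[i] == ids[i - 1] && (i < 2 || ids[i] != ids[i - 2])) {
            if (nd < max_dups)
                dups[nd] = ids[i];
            nd++;
        }
    }
    return nd;
}

int main(void)
{
    int dups[64];
    int nd = count_duplicate_rule_ids(SAMPLE_RULES, dups, 64);
    for (int i = 0; i < nd && i < 64; i++)
        printf("duplicate rule id: %d\n", dups[i]);
    return nd ? 1 : 0;   /* non-zero exit when duplicates exist, for use in a deploy script */
}
```

To check a real file, read it into a buffer and pass that instead of SAMPLE_RULES; the non-zero exit status makes the check easy to gate a manager restart on.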
New in OSSEC 2.7 (Nov 24, 2012)
- Installation:
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add manage_agents -f option for bulk generation of client keys from an input file.
- During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
- Syscheck:
- Add prelinking support – reduce confusion when a file change is the result of prelinking.
- Rootcheck:
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Log monitoring/analysis:
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
- Alert options and syslog output:
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes:
- Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
- Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
- Update decoders include: PIX, auditd, apache, pam, php.
- Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
- Update rootcheck rules.
- ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
- Many bug fixes…
- LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2
New in OSSEC 2.7 Beta-2 (Oct 12, 2012)
- LICENSE text: Added exception clause for OpenSSL, and make OSSEC GPLv2 (was v3)
- Fixed OpenSSL exception clause in LICENSE, and os_auth source files.
- Installation:
- Server:
- Implemented a new feature to support agent config profiles (Christopher Moraes)
- Added hybrid mode installation (as standalone + agent),
- alerts.log on server will be monitored
- Reduced unnecessary 'chown/chmod -R' under /queue/diff/ during OSSEC upgrade (beta2)
- Fixed ossec.conf upgrade issue related to the wrong position of custom rules (beta2)
- Agent:
- Allow OSSEC server to be specified using hostname instead of IP (Michael Starks)
- non-English message templates updated with the above too.
- Added option to enable/disable remote commands on the agent, in internal_options.conf (default 0: the agent ignores command/full_command log collectors pushed to it through the shared agent.conf):
    # Logcollector - If it should accept remote commands from the manager.
    # allowed value: 0(no), 1(yes)
    logcollector.remote_commands=0
- ossec-authd:
- Added logic to clean up forked processes as they exit (Jason Stelzer)
- Added '-i' option to write IP address in client.keys file (Jason Stelzer)
- Fix installation script exitcode, to work with Puppet/Chef/cfengine (Brad Lhotsky)
- init/update.sh:
- patched to allow '-' in directory path 2135:8664b3f984e4
- Fix bug dcid#40 update failed when using cdb in ossec.conf (Michael Starks)
- Syscheck:
- add support for prelink in syscheck, reduces False Positives
- add inotify realtime monitor flags: IN_CREATE IN_DELETE_SELF
- fix the syscheck restrict=".txt" not working issue (added in v2.7-beta1)
- bug fixes (sgros) regex init and memory free fix
- bug fixes (pieska) 2164:884acf7da206
- Fixed syscheckd segmentation fault when there is no syscheck directories in ossec.conf
- Rootcheck:
- support rootcheck fine-grain configuration control -- yes/no of individual checks
- etc/ossec.conf: each individual check gets its own yes/no setting (all default to yes)
- Fixed rootcheck config file issue when there are trailing spaces/tabs (beta1)
- Log monitoring/analysis:
- ossec-logcollector
- added support for GeoIP lookup using Maxmind database and API (xavier)
- Rules and Decoders:
- removing useless CIS checks, adding checks for vuln web apps (dcid)
- rootcheck rules updated:
- src/rootcheck/db/cis_debian_linux_rcl.txt
- src/rootcheck/db/cis_rhel5_linux_rcl.txt
- src/rootcheck/db/cis_rhel_linux_rcl.txt
- src/rootcheck/db/rootkit_files.txt
- src/rootcheck/db/rootkit_trojans.txt
- src/rootcheck/db/system_audit_rcl.txt
- etc/decoder.xml updated:
- new decoders (Scott R. Shinn)
- Auditd decoders for logs from CentOS 5.5 - (c): Michael Starks, 2011
- Will extract action, id, status, extra_data, srcip:
- etc/rules/ updated:
- apache_rules.xml - Updated for more variations
- arpwatch_rules.xml - Updated with new rule id 7209 (Possible arpspoofing attempt)
- clam_av_rules.xml - Updated rule 52509 level "1" --> "0", and
- mcafee_av_rules.xml - Updated for precise ID matching
- msauth_rules.xml - Updated for precise ID matching (for Win 2008)
- openbsd_rules.xml - Updated with new rules 51525-51529
- ossec_rules.xml - Added new rules 519, 533-535, and 594-598:
- Win Registry syscheck alert level 7 --> 5 (to reduce noise)
- pam_rules.xml - added rules 5552-5555
- php_rules.xml - added rule 31413 PHP internal error (server out of space).
- pix_rules.xml - fixed typo
- syslog_rules.xml - Updated
- web_appsec_rules.xml - New for Web attacks/vulns specific rules for OSSEC.
- web_rules.xml - added 31110 PHP CGI-bin vulnerability attempt
- added 31109 MSSQL Injection attempt (/ur.php, urchin.js)
- updated 31115 URL too long. Possible attack
- Output and Alert options:
- ossec-csyslogd:
- Add MD5/SHA1 sum to the syslog output. (mstarks) 2110:2c911b0e6dc3
- Add "json" and "splunk" to the allowed output formats
- Trim extra long strings to "..." in order to fit the maximum output size (v2.7-beta2)
- ossec-dbd:
- Allow newline characters to be stored in the database. 2146:a10f4dfc417c
- fix postgresql.schema file (adding alertid) 2107:ca96a1d3b298
- Active Response:
- better handling of IPv6 firewall-drop:
- firewall-drop.sh - Updated to support both IPv4 and IPv6
- firewall-drop.sh - fixed fw-drop lock issue that prevented script from exiting (beta1)
- Fix active-response.c config value: "srcip" worked, but "user" was ignored
- Fix Active Response to allow AR being triggered with "(local_source)" (beta1)
- It is a modification to OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar):
- Originally, OS_Exec would process the AR exec_msg only if the event location,
- lf->location, contains a string starting with '(', signaling an agent_id is
- available, e.g., " (MYAGENT_ID) 192.168.1.2->WinEvtLog".
- That was fine for remote agents, but the events created by local analysisd
- were ignored since their location fields do not start with "(agent_id)",
- e.g., "mycentos->/var/log/secure".
- 2.7 beta-1 adds a prefix "(local_source)" to the exec_msg if no '(' was found.
- Using the example above, the exec_msg will start with
- e.g., "(local_source) mycentos->/var/log/secure"
- and will be processed.
- The intention is to allow locally generated events to be able to trigger AR.
- Tools and Utilities:
- bin/ossec-logtest
- updated argument '-f' --> '-v', it means "verbose (full) output/rule debugging"
- bin/manage_agents:
- Added -f option for bulk generate client keys from file. (OSSEC Manager only)
- Allow agent IP address to be pre-specified rather than "any"
- bin/verify-agent-conf:
- Modified verify-agent-conf to add a help message (Christopher Moraes)
- Scripts fixes:
- init.sh
- Debian init patch by Costas Drogos (Bug dcid#26 missing insserv tag) (Michael Starks)
- Fixing installer for DragonFly BSD (dcid) 1723:8140357f4d9d
- Fixing init scripts for Darwin (peter.wolanin) 1659:a88ee6ea3c05
- ossec-client.sh:
- modify ossec-client.sh to allow 'reload', in addition to 'restart' 2144:6645123f9e19
- Contributions (in contrib/ directory):
- active-list.pl - New OSSEC active-response script to store a suspicious IP address in a MySQL table (xavir)
- ossec2rss.php - New OSSEC 2 RSS script (dcid)
- util.sh - New utility (dcid):
- Add a new file
- Add a new remote host to be monitored via lynx
- Add a new remote host to be monitored (DNS)
- Add a new command to be monitored
- Documentation for Adding GeoIP Support:
- added support for GeoIP lookup using Maxmind database and API (xavier)
- support GeoIP database lookup for src/dst IP addresses
- converting non-private IP addresses to city names
- output to alerts.log, and syslog forwarding, and maild output
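Added example, not OSSEC source: the exec_msg location handling described under Active Response above (the 2.7 beta-1 fix that lets events analysed locally on the manager trigger AR), written out in C so the before/after can be run against both location shapes quoted in the notes. The function names and the precise form of the '(' test are this example's assumptions, not OSSEC's own code; the two sample locations are the ones the notes give.

```c
/* Added example, not OSSEC source: the exec_msg location handling described
 * in the Active Response notes above. The manager knows which host an event
 * came from by a "(agent_id)" tag at the start of the event location; events
 * analysed locally on the manager carry no tag, so 2.7 beta-1 prefixes them
 * with "(local_source)" before building exec_msg, and active response can
 * fire on them too. Function names and the precise shape of the '(' test are
 * this example's assumptions, not OSSEC's code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LOCAL_SOURCE "(local_source)"

/* 1 if location already starts with a "(...)" source tag, after optional
 * leading whitespace (agent locations arrive as " (ID) ip->logname"). */
int has_source_tag(const char *location)
{
    while (isspace((unsigned char)*location))
        location++;
    return *location == '(' && strchr(location, ')') != NULL;
}

/* Copy the source-tag portion of a tagged location (without parentheses) into
 * tag; returns 0 on success, -1 if the location is untagged or tag is short. */
int source_tag(const char *location, char *tag, size_t taglen)
{
    if (!has_source_tag(location))
        return -1;
    const char *open = strchr(location, '(');
    const char *close = strchr(open, ')');
    size_t len = (size_t)(close - open - 1);
    if (len + 1 > taglen)
        return -1;
    memcpy(tag, open + 1, len);
    tag[len] = '\0';
    return 0;
}

/* Write the location as it should open exec_msg: unchanged when tagged,
 * otherwise prefixed with "(local_source) ". Returns 0, or -1 if out is
 * too small (the message is then rejected rather than truncated silently). */
int ar_exec_location(const char *location, char *out, size_t outlen)
{
    int n = has_source_tag(location)
          ? snprintf(out, outlen, "%s", location)
          : snprintf(out, outlen, LOCAL_SOURCE " %s", location);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed samples, in the two shapes quoted in the notes. */
    const char *samples[] = {
        " (MYAGENT_ID) 192.168.1.2->WinEvtLog",   /* remote agent: kept as is */
        "mycentos->/var/log/secure",              /* local analysisd: tagged  */
    };
    char msg[256], tag[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (ar_exec_location(samples[i], msg, sizeof msg) != 0)
            continue;
        source_tag(msg, tag, sizeof tag);
        printf("source=%-14s exec_msg starts: %s\n", tag, msg);
    }
    return 0;
}
```

The practical point for anyone writing an active-response script: after 2.7 the agent-id field your script receives may be the literal string local_source rather than a numeric id, so scripts that parse it as a number need to handle that value.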
New in OSSEC 2.7 Beta-1 (Oct 1, 2012)
- Installation:
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add ‘manage_agents -f’ option for bulk generation of client keys from an input file.
- Syscheck:
- Add prelinking support – reduce confusion when a file change is the result of prelinking. (Beta-1: We realize there is a performance penalty. Please report if you notice a performance impact.)
- Rootcheck:
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Log monitoring/analysis:
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation. (Beta-1: Fixed potential string buffer overflow issues)
- Add multi-line log readers for Linux auditd, plus ModSec and Regex log readers.
- Alert options and syslog output:
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes:
- Update decoders include: PIX, auditd, apache, pam, php…
- Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
- Update rootcheck rules
- ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
- Many bug fixes
New in OSSEC 2.7 Beta-0 (Sep 12, 2012)
- Installation:
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add ‘manage_agents -f’ option for bulk generation of client keys from an input file.
- Syscheck:
- Add prelinking support – reduce confusion when a file change is the result of prelinking.
- Rootcheck:
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility (default is all ON).
- Log monitoring/analysis:
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
- Add multi-line log readers for Linux auditd, plus ModSec and Regex log readers.
- Alert options and syslog output:
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes:
- Update decoders include: PIX, auditd, apache, pam, php…
- Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
- Update rootcheck rules
- ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
- Many bug fixes
New in OSSEC 2.6 (Aug 28, 2012)
- Added IPv6 support
- Lots of new rules (OpenBSD, Clamav, BRO-ids, active response logs, etc, etc)
- Added ossec-authd – for automatically creating and setting up the agent keys
- Added CEF support to client syslog (ossec-csyslogd) output
- Improved reporting for file changes
- Added option to Block repeated offenders with OSSEC
- Many bug fixes