What’s new

3.0.0

Released July 17, 2018:

New Features

• SQLite whitelist support for syscheck
• Pagerduty Active Response
• OSSEC agent selinux module
• Win32 agent-auth support

Updates

• cJSON updated to 1.7.0
• zlib update to 1.2.11

Bug Fixes

• So many. So. Many.

Note

This is a maintenance update, and the last release in the 2.9 series

Released June 20, 2018

General

• PR #1207, for issue #1205, Pushing merged.mg to Windows agents fails due to EOL conversion
• PR #1259, for issue #1145, fixes for RHEL getaddrinfo/ipv6
• PR #1428, for issue #1425, check owner option doesnt work on windows agent
• PR #1428, for issue #1425, check owner option doesnt work on windows agent
• PR #1421, for issue #1421, fixes for ossec-slack.sh alerts path
• PR #1422, for issue #1421, fixes for ossec-slack.sh active-response path
• PR #1421, for issue #1421, fixes for ossec-slack.sh path
• PR #1409 for issue #1402, Real-time file monitoring stops working if several files are encrypted at the same time
• PR #1100, fix for open received files in binary mode on windows
• PR #1350, fix for basename, Missing agent.conf messags are reportied as warnings
• PR #1334 for issue #210, do not add 12 to 12pm
• PR #1340 for issue #1065, fix for negating IP address
• PR #1088 for issue #1084, reportd double free

2.9.3

Released December 23, 2017

Note

This is a maintenance release, and includes a major rule & decoder update

New Rules / Decoders

• NSD Rules and Decoders
• Owncloud Rules and Decoders
• ProxMox Rules and Decoders
• PSAD Rules and Decoders

Updated Rules / Decoders

• Apache Rules
• Asterisk Rules
• Mailscanner Rules
• Mysql Rules
• Nginx Rules
• OpenBSD Rules
• Postfix Rules
• RoundCube Rules
• Sendmail Rules
• Syslog Rules
• WebAppSec Rules

General

• Added authd init scripts for Debian and Redhat/Centos
• Added Rootcheck CIS Mysql communnity and enterprise auditing
• Added Rootcheck CIS SSH checks
• Added Rootcheck CIS SLES 12 checks
• Update Rootcheck CIS RHEL / CentOS 5 checks
• Update Rootcheck CIS RHEL / CentOS 6 checks
• Update Rootcheck CIS RHEL / CentOS 7 checks
• Update Rootcheck CIS Windows checks
• Update Rootcheck trojans / malware DB
• Update Rootcheck Windows application DB
• Backported rule unit tests from master
• PR #915 allows the filename attribute in decoders and active response
• PR #1275 allow IPv6 addresses in names

2.9.2

Released August 9, 2017:

Note

This is a rule and decoder update

New Rules / Decoders (Leo Feyer)

• OpenBDS decoder
• Exim decoder
• Dovecot Rules
• Exim Rules
• Chrome remote Desktop Rules (Kevin Branch)
• Netscreen Firewall Rules
• OpenBSD rules

Updated Rules / Decoders (Leo Feyer)

• ssh decoder
• dropbear decoder
• su decoder
• vsftpd decoder
• dovecot decoder
• postfix decoder
• pix decoder
• apache decoder
• windows decoder
• Dovecot Rules
• SSHd Rules
• Syslog Rules

2.9.1

Note

This is a bug fix, and rule/decoder update.

Whats New

• Updated rootcheck audit db’s
• Updated GeoIP support
• New Rules / Decoders

Fixed windows decoders * PR #980: Update for vsftp rules / decoders

General

• PR #1108: Implement GeoIP checks in Groups and Events
• PR #1136: Fix for mysql building
• PR #1144: Fixes Issue #1142 for CEF support (@mkvocka)

2.9.0

Note

This is a major release

Whats New

• Alert Output support for JSON and ZeroMQ
• Syscheck improvements
• Report file deletion, even without realtime enabled
• Report modifications made on directories
• Corrects bug so that files created between the first and second scan are reported as new files
• Corrects bug that made changes reverting a file to the state it was in when ossec started unreported
• Avoids computing hashes multiple times to improve performance
• Make the time between two syscheck wakeups configurable in internal_options
• Add support for the “nodiff” option when using report_changes, sensitive files tagged with in ossec.conf will not have their contents included in an alert.
• IPv6 support
• Support to call an external mailer. This solves the problem of supporting encryption when sending mail alerts in OSSEC. The <smtp_server> field can now be prepended with “/” to designate a local binary. Example: “<smtp_server>/usr/sbin/sendmail -t</smtp_server>”.
• Slack notification support

New Rules / Decoders

• PR #572: Rules/Decoders, Better Dropbear events detection
• PR #602: Rules/Decoders, Add dropbear_rules and unbound_rules
• PR #604: Rules/Decoders,sid 5300 incorrectly alerts on OS X
• PR #607, Rules/Decoders, Update syslog_rules for OSX false positive
• PR #611: Rules/Decoders, Sysmon decoder update, This should better support Windows 2003 R2.
• PR #643, Rules/Decoders, update to IIS decoder
• PR #654, Rules/Decoders, update to the vsftpd decoder
• PR #668: Rules/Decoders, Fix for Cisco PIX decoder, ms-se_rules.xml, msauth_rules.xml
• PR #721: Rules/Decoders, Update for systemd rules to add support for new program_name, systemctl
• PR #746: Rules/Decoders, Update to the apache decoders to handle Apache 2.4 events more gracefully
• PR #755: Rules/Decoders, Update to ssh rules. Adds rules 5750-5753 to dedect client, protocol, and hostkey events
• PR #762: Rules/Decoders, Update to ssh rules. Associates 5751 with 5700 instead of 1002
• PR #763: Rules/Decoders, Add rules for OpenBSD smtpd
• PR #774: Rules/Decoders, Add OpenBSD smtpd rules
• PR #787: Rules/Decoders, Update to OpenBSD smtpd decoder to not conflict with postfix
• PR #786: Rules/Decoders, SSH Rule improvements
• PR #799: Rules/Decoders, Add rule for users not in sudoers
• PR #803: Rules/Decoders, Add additional sshd decoders for ssh-pam & ssh invalid auth requests

General

• PR #2, Output, Adds ZeroMQ and Json output support
• PR #4, Authd, Bugfix for Openssl operations on non-blocking socket
• PR #563: IPv6 support
• PR #599, Allow for the log format in proftpd 1.3.5+
• PR #610: Execd, Reduce system load caused by simultaneous active response processes during ossec stop. #610
• PR #615: Adds support for Binding src IP to ‘local_ip’ config value in agentd. In mulihomed host environment we have a big problem with binding agent to correct ip. By default agentd used ip-addr of interface, from which sented ip-packets.
• PR #617: Agentd, Add CLIENT to DEFINES for winagent target #617 Bugfix #595
• PR #622: Fix for CVE-2015-3222
• PR #631, Log failure when ossec fails to remove a PID file
• PR #652, Syscheck, add support for the “-t” flag to display XML parsing errors in agent.conf on agents
• PR #657: Syscheck, Allows scanning of directories with , in the name. Let directory check_something=”no” options to work. This means you can do instead of listing out all the ones you want to use.
• PR #670: Syscheck, Bugfix for report_changes
• PR #689: Maild, add support to call an external MTA to send alert emails. The smtp_server setting can now be written as “/usr/sbin/sendmail -t”
• PR #690: Cleanup for building on OSX
• PR #691: adds support for syslog messages that prepend the year, ie: “2015 Nov 13 ....”
• PR #696: Bugfix for OpenBSD sendto() sockaddr length restrictions.
• PR #699: Encompassing only complete statements with conditional directives.
• PR #717: Active Response, add Slack (www.slack.com) notification support
• PR #720: Fixes for the statfs error spam
• PR #724: Authd, bugfix for issue #642, This brings ossec-authd into parity with whatever the MAX_AGENTS is set at build time
• PR #726: Make syslog/cef consistent with json/splunk and add classification field to alerts.
• PR #727: Maild, Add support for “email_reply_to”. This allows configuring the Reply-To: field in email alerts sent from ossec-maild
• PR #740: Remoted, bugfix for issue #739, Ossec will now report the agent ID of the agent that tries to connect
• PR #744: Syscheck, Bugfix for issue #42, corrects issue on windows that would produce an incorrect hash
• PR #749: Windows, Changed Makefile to use Windows subsystem only with UI manager
• PR #750: Analysisd, Fixes glob() impelemtation bug, adds Hourly/Daily options to logcollector, improved dfalts to analysisd diff alerts.
• PR #751: Add simple python rule updater script
• PR #754: Install.sh, Bugfix for OpenBSD adduser support
• PR #765: Syscheck, add “nodiff” support. Sensitive data may leak through the diff attached to alerts when some file changes. This pull request add a nodiff option, which allows to explicitly set files for which we never want to output a diff.
• PR #768: Analysisd, Bugfix for Issue #767, increase of value for stats
• PR #770: Database support, Postgres support updates
• PR #781: Syscheck, Bugfix for Issue #780
• PR #788: System Audit, Add PCI DSS tags to RHEL/CentOS/Cloudlinux auditing tests
• PR #789: Install.sh, Use ls for file existence checks, for cross platform compatibility
• PR #791: Syscheck, add /boot to default directories. Fix for Issue #675
• PR #797: Rootcheck, Remove legacy rootcheck options
• PR #798: System Audit, Add RHEL/CentOS/Cloudlinux 7 CIS benchmarks
• PR #802: Database support, Allow for longer entries in the system information column
• PR #849 Format string security fix
• PR #864 Fix ossec-logtest to chroot when testing check_diff rules
• PR #870 Fix installer permissions on the etc/shared directory
• PR #878 Fix version field to correctly report “2.9.0” instead of 2.8.3
• PR #909 Bugfix for decoders.d/rules.d logtest
• PR #920 Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP
• PR #923 Security fix for SQLi in al_data->location
• PR #926 Rootcheck, updates or EL7
• PR #945 Remove debug message
• PR #986 - Prevent manage_agents from chrooting in bulk mode

2.8.3

Released November 5, 2015:

Note

This is a bug fix release.

• Fix eventchannel support for Windows agents.
• Fix hybrid mode.

Checksum for ossec-hids-2.8.3.tar.gz: ossec-hids-2.8.3.tar.gz.sha256

Checkdum for ossec-agent-win32-2.8.3.exe: ossec-agent-win32-2.8.3.exe.sha256

SHA256 (ossec-agent-win32-2.8.3.exe) = 82c143613c4538101b64ccb6deec8cdf6f88e59a9cc45585c1a81bce8d78f015
SHA256 (ossec-hids-2.8.3.tar.gz) = 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd

2.8.2

Released June 10, 2015:

Note

This is a bug fix release.

• SECURITY fix for CVE-2015-322

2.8.1

Released Sept 9, 2014:

Note

This is a bug fix release.

• SECURITY fix for CVE-2014-5284 found by Jeff Petersen of Roka Security LLC.
• Bug fixes

2.8

• Bug fixes
• manage_agents: Added manage_agents -r <id> to remove an agent (awiddersheim)
• Windows: Added eventchannel support for Windows agent on Vista or later (gaelmuller)
• syscheckd: Extended filesize from an integer to a long integer
• Active Response: Fix active-response on MAC OS Firewall (jknockaert)
• Log monitoring/analysis: Add option to allow the outputting of all alerts to a zeromq PUB socket in JSON format, using cJSON library (jrossi, justintime32)
• Log monitoring/analysis: Add TimeGenerated to the output of Windows Event logs (awiddersheim)
• Rules/decoders: Added some additional sshd rules in sshd_rules.xml (joshgarnett)
• Rules/decoders: Removed bro-ids_rules.xml (ddpbsd)
• Removed event ID 676, 672 in msauth_rules.xml (mstarks01)
• contrib: zeromq_pubsub.py - No description (jrossi)
• contrib: ossec-eps.sh, a script to calculate events-per-second (mstarks01)

2.7.1

• Bug fixes
• Extended filesize from an integer to a long integer in syscheck
• Heartbeat interval is now configurable:
  • notify_time
  • time-reconnect
• custom_alert_output added
• ip-customblock.sh active-response script added
• ossec2snorby scripts added to contrib

2.7

• agent profiles
  • ossec.conf
  • agent.conf
• Allow the agents to run remote commands in agent.conf again internal_options.conf
• New utility: util.sh
• New hybrid mode: server + agent functionality on the same system (NOT REALLY DOCUMENTED, ARE ANY OF THE INSTALLATION TYPES WELL DOCUMENTED?)
• contrib/ossec2rss.php: ossec alerts in an rss format
• GeoIP data in alerts
• OSSEC server can be specified by hostname in the agent’s ossec.conf server-hostname
• ossec-authd can now add IP addresses to the client.keys file instead of using any with the -i flag from Jason Stelzer
• support for prelink to reduce false positives refilter_cmd
• Added knowbs to turn on or off rootcheck features check_*
• Added support for json and splunk output (along with syslog and cef) format
• Changed -f to -v in ossec-logtest
• Added -f to manage_agents to create agent keys in bulk