OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
OSSEC changelog (3.7.0) [email protected]
Release Maintainers
Dan Parriott
Scott R. Shinn (http://www.atomicorp.com)
Contributors on this release
Release Notes
Support for Journald
Full Changelog: https://github.com/ossec/ossec-hids/compare/3.6.0...3.7.0
OSSEC changelog (3.6.0) [email protected]
Release Maintainers
Dan Parriott
Scott R. Shinn (http://www.atomicorp.com)
Contributors on this release
Release Notes
It's that time of year again: our annual independent security audit! Joining our auditors from the previous two years, Apple Security and OVH Internet, is security researcher Daniel McCarney (@cpu), who performed a very in-depth analysis of our IDS engine updates (PCRE2 and more). With a project as critical as OSSEC in securing cloud and enterprise assets, it's very important to us to have independent assessments of the framework. So again we want to thank all of our auditors, old and new, for their contribution to the project.
Coder? Tester? Enthusiast? If you're interested in joining our team, or just interacting with the OSSEC community, email us for a Slack invite at: [email protected]
General
OSSEC changelog (3.5.0) [email protected]
Release Maintainers
Dan Parriott
Scott R. Shinn (http://www.atomicorp.com)
Dominik Lisiak
Contributors on this release
Release notes:
This would have been a minor 3.4.1 update if it weren't for Boris Lukashev of https://www.sempervictus.com contributing a much needed update to multi-line log analysis. Previously, multi-line support in OSSEC was limited to processing events that did not use indentation, which is a fairly common modern practice for readability. This update adds a new type, multi-line_indented, to handle this condition (example: postgresql).
Maintenance fixes in this release also address issue #1781, which affected maild when calling an external program, and add support for Fedora 31.
What's New:
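To make the indentation rule concrete, here is an added example in Python (it is not OSSEC's own multi-line_indented implementation) that groups a constructed PostgreSQL-style log into events: every unindented line starts a new event, and lines beginning with whitespace are continuations of the preceding one. The sample log, the function names and the three-line STATEMENT entry are all made up for the illustration.

```python
"""Indentation-based multi-line log grouping (added illustration, not OSSEC code)."""
from typing import Iterable, Iterator, List

# Constructed sample in the style of a PostgreSQL server log. The
# STATEMENT entry continues over two tab-indented lines, which a plain
# line-oriented reader would wrongly treat as three separate events.
SAMPLE_LOG = """\
2019-11-02 10:15:01 UTC [1234] LOG:  statement: SELECT 1
2019-11-02 10:15:02 UTC [1234] ERROR:  syntax error at or near "FROM" at character 8
2019-11-02 10:15:02 UTC [1234] STATEMENT:  SELECT
\tFROM accounts
\tWHERE id = 1
2019-11-02 10:15:03 UTC [1235] LOG:  connection authorized: user=app database=prod
"""


def group_indented(lines: Iterable[str]) -> Iterator[str]:
    """Yield one event per unindented line; whitespace-led lines are
    appended to the event that precedes them.

    A whitespace-led line with no preceding event (e.g. at the very
    start of a file) is treated as an event of its own rather than
    dropped, so no log data is silently lost."""
    event: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():          # skip blank lines entirely
            continue
        if line[0] in " \t" and event:
            event.append(line)        # continuation of the current event
        else:
            if event:
                yield "\n".join(event)
            event = [line]            # start a new event
    if event:                         # flush the trailing event at EOF
        yield "\n".join(event)


def events_from_text(text: str) -> List[str]:
    """Group a whole log text into a list of multi-line events."""
    return list(group_indented(text.splitlines()))


def naive_event_count(text: str) -> int:
    """Number of events a line-oriented reader would report (for comparison)."""
    return sum(1 for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    grouped = events_from_text(SAMPLE_LOG)
    print(f"line-oriented: {naive_event_count(SAMPLE_LOG)} events, "
          f"indented grouping: {len(grouped)} events")
    for ev in grouped:
        print("---")
        print(ev)
```

Run on the constructed sample, line-oriented reading yields six events while the indentation-aware grouping yields four, with the SELECT, its FROM and its WHERE clause kept together as one STATEMENT event so a decoder or rule sees the whole query.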
General
OSSEC changelog (3.4.0) [email protected]
Release Maintainers
Dan Parriott
Scott R. Shinn (http://www.atomicorp.com)
Dominik Lisiak
Contributors on this release
Release notes
Big changes in this release add support for the following new platforms:
@jubois has completed the first round of pcre2 rule updates. This is a very exciting change to the overall IDS engine in OSSEC and opens the platform up to much more complex (and faster!) search functionality.
Snapcraft.io universal linux packaging support (aka Snaps) allow for a universal OSSEC package across multiple linux distributions.
Last but not least, @ddpbsd has a long awaited fix for agentd/maild when ipv6 is disabled and/or hostnames are used instead of IPs in PR#1698. Thanks again to all our community contributors, and dedicated team members for their work on this release!
New Rules / Decoders
General
OSSEC changelog (3.3.0) [email protected]
Release Maintainers
Dan Parriott
Scott R. Shinn (http://www.atomicorp.com)
Dominik Lisiak
Contributors on this release
Release Notes
OSSECCON 2019: from the whole team here at OSSEC, it was really fantastic meeting everyone at the show, and we look forward to seeing you all again at OSSECCON 2020!
PCRE2: Jubois made a major update to the IDS foundation in OSSEC 3.3.0 with the PCRE2 (https://www.pcre.org/current/doc/html/pcre2.html) library. This is an extremely powerful update to the overall pattern analysis functionality in OSSEC. In order to build this with the native distribution pcre2 packages (pcre2-devel, etc.), you will need to use: export PCRE2_SYSTEM=yes. This adds several new xml tags:
Dynamic Decoders: discussed in the "Beyond Security" talk at OSSECCON 2019, this allows for user-defined keys in decoders. These are exposed in JSON output for inclusion with other data analytics tools. This adds a new internal option, analysisd.decoder_order_size, to define the maximum number of keys allowed in a single decoder.
We'd like to thank (again! It can't be done enough!) all the contributors, speakers, security researchers, testers, and especially our users. Without you we wouldn't be here.
If you're interested in joining our team, or just interacting with the OSSEC community on slack email us for an invite at: [email protected]
What's New
New Rules / Decoders
General
Changelog
Release Maintainers
Dan Parriott
Scott R. Shinn (Atomicorp, Inc.)
Dominik Lisiak
Contributors on this release
Release Notes
The great JSON-in-ing has begun! New features in this release focus on extending JSON output support to control commands like agent_control, syscheck_control, and rootcheck_control. Additional extensions add support for archives.log in native JSON format and improve the alert.json output. This release also brings some much needed enhancements to ossec-authd to streamline the agent registration experience (thanks nhatking16591!), Bob-Andrews continues on major auditing improvements, plus there is support for Solaris 11.
We'd like to thank all the great contributors (named and anonymous!) who continue to improve ossec and support our community. We'd also like to welcome all our new contributors to OSSEC on this release. They have helped us on bug testing, documentation, new features, rules, compliance checks, code and more. There are no small contributions to a project like OSSEC, and we continue to thrive with your support. Special thanks to security researchers A.P. and S.S. for their audit of the ossec project, your work has greatly benefited the community.
If you're interested in joining our team, or just interacting with us on Slack, email us at: [email protected]
Join us at OSSEC Con 2019 in Washington DC on March 20th! https://www.eventbrite.com/e/ossec-con2019-tickets-51523249426
What's New
New Rules / Decoders
General
Changelog
Release Maintainers
Dan Parriott
Scott R. Shinn (Atomicorp, Inc.)
Release Notes
Special thanks on this release go out to:
davestoddard for an amazingly well thought out, and well documented update to the networking code
Bob-Andrews for the largest update to the auditing system in the project history
phamvoung for resolving some very subtle bugs and high profile issues with the authd daemon
We'd also like to thank all the other fantastic contributors to the project, who are referenced in parentheses in the changelog. We cannot thank you enough!
What's New
New Rules / Decoders
General
mail is not installed (PR #1539)
_gsid1 == 0 -> _gsid0 == 0 (PR #1515)
Changelog
Release Maintainers
Dan Parriott
Scott R. Shinn (Atomicorp, Inc.)
What's New
SQLite support for syscheck
Update cJSON 1.7.0
Add Pagerduty Active response
OSSEC-authd
zlib update to 1.2.11
ossec-agent selinux module
windows agent
#1170 - add agent-auth.exe support
tcp support for agent communications
#1162
GeoIP support in rules and events
Slack support
Decoders filename attribute
New Rules / Decoders
General
Bugfix #42 - Add option to use unaltered hashes with Windows syscheck
Bugfix #210 - Time option in rules is rejecting valid syntax.
Bugfix #425 - manage_agents unable to access /dev/random due to chroot
Bugfix #454 - Prevent manage_agents from chrooting in bulk mode
Bugfix #780 - Compile warning (and potential segfault) after merge from calve/do_not_show_diff
Bugfix #829 - Segmentation fault at logcollector
Bugfix #888 - Pull Request #840 reverts some ipv6 support
Bugfix #869 - ossec-agentd is unable to unmerge files
Bugfix #892 - Contrib tools need to be updated for IPv6.
Bugfix #911 - "any" is broken after change to sacmp for ipv4 networks
Bugfix #913 - logcollector goes into loop when a NULL is in the log
Bugfix #960 - do not attempt to start ossec-maild when it is enabled
Bugfix #961 - fix for open file handle when rotating alerts.json
Bugfix #976 - win32: 2 values in internal_options.conf ignored
Bugfix #994 - rootcheck, fix for false positive trojaned /bin/grep
Bugfix #998 - IPv6 triggers Rule 1002
Bugfix #1065 - fix for negating IP/CIDR rules
Bugfix #1084 - fix a double free
Bugfix #1106 - ossec-remoted, Fix for clang checks, and a potential DOS caused by a warning
Bugfix #1142 - CEF field uniqueness fix
Bugfix #1145 - if getaddrinfo fails with WAI_FAMILY try ipv4
Bugfix #1165 - rpm spec files generate ossec user and group in user space
Bugfix #1180 - Add last events (previous output) to JSON output
Bugfix #1205 - Avoid EOL conversion of received files in the windows receiver
Bugfix #1227 - Fix for daily reports not being sent
Bugfix #1237 - Custom CFLAGS/CXXFLAGS/LDFLAGS support
Bugfix #1274 - ossec-authd, ipv6 returns an invalid key
Bugfix #1278 - Use getent to check for users/group
Bugfix #1366 - Update to rule ID map
Bugfix #1370 - Bugfix for full subject handling
PR #770 - ossec-dbd, postgresql fixes on the user column, schema, and not null conditions
PR #778 - syscheck, Selective opening mode to extract file hash
PR #792 - Check for a null from malloc
PR #802 - ossec-dbd, allow for longer entries in the system.information column
PR #804 - ossec-dbd, allow for mysql/postgres format changing based on MYSQLDB/POSTGDB
PR #806 - ossec-reportd, report fixes on IP and user fields
PR #808 - Ignore OpenBSD's random seed
PR #824 - ossec-dbd, fix for mysql/postgres insert condition
PR #839 - JSON output, Add group field to json output
PR #843 - Add support for CZMQ v3
PR #848 - Fixed bug at logcollector that inhibited alerts about file reduction
PR #849 - ossec-maild, Format string security fix
PR #855 - Fixed memory error on CDB lists management
PR #859 - added utils to rename an agent or change its IP address (rename_agent.sh, renumber_agent.sh)
PR #862 - ossec-analysisd, fixed memory leaks
PR #864 - There is an error when running ossec-logtest to test rules with check_diff, since it doesn't change root directory and tries to create a directory at `/queue/diff`.
PR #866 - JSON output, Add timestamp for events
PR #881 - Add debugging output to active response xml config read
PR #883 - Bugfix for agents failing to bind to a specific local IP address and the server is specified by hostname.
PR #887 - agent status needs to be verified before using agt->lip
PR #893 - Prelude IDS support, Do not use absolute indexes in prelude fields
PR #899 - manage_agents, OSSEC agent IDs can only be numbers but they are treated as strings. Because of this, it's possible to add the agent "00" and "000", or "1" and "00001" at the same time, and they can be confused on extracting keys or on deleting agents.
PR #909 - ossec-logtest, Bugfix for decoders.d/rules.d segfault
PR #910 - Update intcheck_op.c
PR #912 - update validate_op.c
PR #918 - ossec-logtest, add -q "quiet" flag support
PR #920 - Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP.
PR #921 - JSON output, This removes the double addition of the 'action' field and adds a few other interesting fields that I need for my analysis in ELK. Most notably, the rule.group is now passed out via the zmq output.
PR #923 - ossec-dbd, fix SQLi in al_data->location
PR #928 - ossec-logtest, add geoip to logtest output
PR #930 - fix memory leak in decode-xml.c
PR #931 - Custom output, fix common realloc mistake in custom_output_search_replace.
PR #934 - Create OSSEC users and group as system members
PR #944 - Don't pass null variables to snprintf.
PR #950 - Exclude btrfs filesystem from searching for hidden files inside directories
PR #953 - Prevent manage_agents from doing invalid actions on interactive mode
PR #964 - Csyslogd patch for sending additional FIM event information
PR #991 - set default AR level to 7
PR #1003 - JSON output, bugfix for duplicated group field
PR #1004 - memory fixes in XML decoding, no-terminated strings, and searchAndReplace()
PR #1016 - bugfix that prevents ossec-control from starting ossec-maild on server
PR #1017 - ossec-remoted, fix for openbsd canary violation
PR #1020 - Allow notify_timeout to be configured server-side.
PR #1021 - Windows Agent, fix for build related issues
PR #1027 - Fix for the "USER_AGENT_CONFIG_PROFILE" preloaded-vars.conf file usage. This fixes that and adds a profile config line if the variable is defined. Very useful for unattended installs or binary installs.
PR #1089 - Retire picviz support
PR #1090 - JSON output, add "id" to the json log
PR #1093 - pf.sh, update support for FreeBSD, OpenBSD, and Darwin
PR #1097 - ossec-batch-manager.pl, support "any" IP address
PR #1099 - AR, prevent duplication in hosts.deny
PR #1100 - Windows agent, Open received files in binary mode because of CR/LF and let hashes match.
PR #1102 - JSON output, Fix timestamp
PR #1116 - ossec-remoted, systemd support
PR #1135 - ossec-dbd, UMYSQL_DATABASE_ENABLED does not exist in the tree except this one place.
PR #1137 - Windows agent, administrators group might not be present on non-english installs
PR #1148 - Update for gmake to compile on Solaris 11.2
PR #1149 - Update adduser.sh for Solaris 11.2
PR #1158 - Update shell on ossec-hids-solaris.init Solaris 11.2
PR #1159 - Update Makefile for Solaris
PR #1179 - ossec-dbd, fix readme display IP as string
PR #1235 - spelling fixes
PR #1238 - fix for dead loop in hash_op.c
PR #1255 - syscheck, update windows syscheck directories
PR #1256 - ossec-dbd, use port for postgresql connections
PR #1257 - rootcheck, make sleep interval configurable (rootcheck.sleep)
PR #1258 - adduser.sh, fix the useradd and groupadd script for openbsd
PR #1262 - agentless ssh.exp, remove the P's entirely to support upper and lower case
PR #1304 - syscheck, Don't display the errno, show the error message
PR #1307 - Allow alerts.log to be turned off (DOUBLE CHECK, THIS WAS REVERTED)
PR #1322 - rootcheck, mysql/mariadb auditing checks
PR #1336 - Disable warning on OS_PassEmptyKeyfile
PR #1342 - remove execute flag on rules and config files
PR #1343 - Makefile fix ar warning
PR #1344 - add option to exclude lua and use system zlib
PR #1345 - gitignore, Ignore zlib paths
PR #1347 - Fix compiler warnings: Wall, Wextra
PR #1374 - Bugfix for AIX building
PR #1382 - added rootcheck file for apache 2.2/2.4
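The agent ID confusion described for PR #899 in the list above (IDs that are numeric in meaning but compared as strings, so "00" and "000", or "1" and "00001", can be registered side by side) is a canonicalisation problem. The following added example in Python, which is not OSSEC's manage_agents code and whose registry class, function names and three-digit padding width are assumptions for the illustration, shows the defensive pattern: validate that the ID is purely numeric, reduce it to one canonical form, and key every uniqueness check and lookup on that form.

```python
"""Canonical numeric agent IDs (added illustration, not OSSEC's manage_agents)."""
import re
from typing import Dict, Optional

# Only decimal digits are accepted; anything else (empty string,
# whitespace, letters, signs) is rejected before canonicalisation.
_NUMERIC_ID = re.compile(r"^[0-9]+$")


def canonical_agent_id(raw: str, width: int = 3) -> Optional[str]:
    """Return the canonical zero-padded form of a numeric agent ID,
    or None if the value is not a plain decimal number.

    "00", "000" and "0" all map to "000"; "1" and "00001" both map to
    "001" (width is an assumed padding, IDs longer than it are kept).
    """
    raw = raw.strip()
    if not _NUMERIC_ID.match(raw):
        return None
    return str(int(raw)).zfill(width)


class AgentRegistry:
    """Minimal in-memory registry that keys on the canonical ID, so two
    spellings of the same number can never coexist."""

    def __init__(self) -> None:
        self._agents: Dict[str, str] = {}

    def add(self, raw_id: str, name: str) -> str:
        cid = canonical_agent_id(raw_id)
        if cid is None:
            raise ValueError(f"invalid agent id {raw_id!r}: must be numeric")
        if cid in self._agents:
            raise ValueError(
                f"agent id {raw_id!r} duplicates existing agent {cid} "
                f"({self._agents[cid]})"
            )
        self._agents[cid] = name
        return cid

    def lookup(self, raw_id: str) -> Optional[str]:
        """Resolve any spelling of an ID to the registered agent name."""
        cid = canonical_agent_id(raw_id)
        return None if cid is None else self._agents.get(cid)

    def remove(self, raw_id: str) -> bool:
        """Delete by canonical ID; returns False if nothing matched."""
        cid = canonical_agent_id(raw_id)
        return cid is not None and self._agents.pop(cid, None) is not None

    def ids(self) -> list:
        return sorted(self._agents)


if __name__ == "__main__":
    reg = AgentRegistry()
    print(reg.add("001", "web-01"))       # -> 001
    print(reg.lookup("00001"))            # -> web-01 (same agent)
    try:
        reg.add("1", "web-01-again")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of keying on the canonical form is that extraction and deletion (the operations the PR entry says could be confused) then always address exactly one agent, whichever spelling the operator typed.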
Changelog
Release Maintainers
Dan Parriott
Scott R. Shinn (Atomicorp, Inc.)
General
Changelog
Release Maintainers
Dan Parriott
Scott R. Shinn (Atomicorp, Inc.)
What's New
New Rules / Decoders
Updated Rules / Decoders
General