OSSEC is a free and open-source host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
OSSEC is cross-platform and runs on Mac OS X, Windows and Linux.
What's New in This Release:
Installation:
· Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
· Add manage_agents -f option for bulk generation of client keys from an input file.
· During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
Syscheck:
· Add prelinking support – reduce confusion when a file change is the result of prelinking.
Rootcheck:
· Add fine-grained configuration control – allows individual rootcheck tasks to be turned on or off for more efficiency and flexibility. The default is all on.
Log monitoring/analysis:
· Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
Alert options and syslog output:
· Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
· Support JSON and Splunk formats in syslog output.
Rules and other notable changes/fixes:
· Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
· Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
· Updated decoders include PIX, auditd, apache, pam and php.
· Many updated rules, including new checks for attempts to exploit vulnerable web applications.
· Updated rootcheck rules.
· ossec-client.sh now accepts ‘reload’ in addition to ‘restart’.
· Many bug fixes…
· LICENSE text updated with an exception clause for OpenSSL; OSSEC itself remains under GPLv2.