OSSEC HIDS Changelog

New in version 2.7.1 (November 21st, 2013)
  • Installation:
      • Server:
          • Fixed Solaris update install (ddpbsd)
      • Agent:
          • Fixed InstallAgent.sh script for Mac OSX addusers
          • Distinguishing OSX 10.5 from previous versions
          • Allow os_auth to resolve manager hostname to IP address
          • Fixed Windows Agent
  • Syscheck:
      • Extended filesize from an integer to a long integer
  • Agents:
      • Make heartbeat interval configurable (Christobel Rosa)
          • Was fixed at a 10 minute interval, now configurable
          • Use ossec.conf "notify_time", "time-reconnect"
          • For both *nix and Windows agents
          • More details TBD (To Be Documented)
  • Log monitoring/analysis:
      • Added new feature "custom_alert_output" (Christobel Rosa)
          • More details TBD (To Be Documented)
      • Added checking for duplicate rule IDs (cgzones)
  • Rules and Decoders:
      • etc/decoder.xml updated:
          • Fixed ar_log decoder (dcid)
          • Updated decoders (jp.zurbrugg)
          • Added Pure-FTPd transfer log decoder (ddpbsd)
          • Added mptscsih / mptbase SCSI controller log decoders
      • etc/rules/ updated:
          • nginx_rules.xml - Added to reduce noise
          • pure-ftpd_rules.xml - Added rules 11310, 11311, 11312
          • syslog_rules.xml - Added rules 2935-2939 for SCSI controller
          • web_appsec_rules.xml - Updated PHPMyAdmin rules
              • Added rules 31515, 31516, 31530-31533, 31550
          • web_rules.xml - Updated
              • Added rules 31164, 31165 for SQL injection attempts
  • Output and Alert options:
      • csyslogd:
          • Fixed crash issue in non-debug mode due to memory corruption
      • ossec-dbd:
          • Fixed database log entries truncation issue
  • Active Response:
      • Fixed firewall-drop.sh script to prevent a resource loop (dcid)
      • Added ip-customblock.sh script (dcid)
      • Fixed ar.conf ownership issue (ddpbsd)
  • Script fixes:
      • Add a log message when something "did not start correctly" (ddpbsd)
  • Contributions:
      • Added contrib/ossec2snorby/ scripts, see README for details
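An agent-side ossec.conf fragment showing where the two heartbeat settings named above would be set (an added example, not text from the OSSEC project's changelog; the placement under <client>, the seconds unit and the chosen values are assumptions):

```xml
<!-- Constructed example of the agent side of ossec.conf; not from the OSSEC
     project. Placement under <client> and the values below are assumptions. -->
<ossec_config>
  <client>
    <!-- Manager address (documentation-range address, constructed) -->
    <server-ip>192.0.2.10</server-ip>
    <!-- Heartbeat (keepalive) interval in seconds. Before 2.7.1 this was
         hard-coded to 10 minutes; a shorter interval makes a silent or
         disconnected agent visible to the manager sooner. -->
    <notify_time>120</notify_time>
    <!-- Seconds without a manager reply before the agent tries to reconnect.
         Keeping it a multiple of notify_time avoids reconnecting on a single
         lost heartbeat. -->
    <time-reconnect>600</time-reconnect>
  </client>
</ossec_config>
```

The same keys apply to the Windows agent's ossec.conf, as the entry above notes.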

New in version 2.7 (November 20th, 2012)

  • Installation:
  • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
  • Add manage_agents -f option for bulk generation of client keys from an input file.
  • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
  • Syscheck:
  • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  • Rootcheck:
  • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  • Log monitoring/analysis:
  • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  • Alert options and syslog output:
  • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
  • Support JSON and Splunk formats in syslog output.
  • Rules and other notable changes/fixes:
  • Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
  • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
  • Update decoders include: PIX, auditd, apache, pam, php.
  • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
  • Update rootcheck rules.
  • ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
  • Many bug fixes…
  • LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2

New in version 2.2 (September 17th, 2009)

  • This is a stability release, with heavy focus on bugfixes, code cleanup, and a few new features.
  • Trend OSCE (Office scan) support has been added with rules to properly monitor and analyze Trend logs.
  • Wordpress is a popular blogging platform with very little logging by default. This release has a plugin to extend its logging capabilities, and rules on OSSEC to monitor it.
  • There is support for vpopmail, roundcube, Netscreen IDS, and a few more log formats.

New in version 2.0 (March 3rd, 2009)

  • This version comes with numerous new features, including support for compiled (C-based) rules, new reporting tools, and agentless monitoring to allow file integrity checking on network devices (including firewalls, routers, etc).
  • It also comes with support for new log formats, including Checkpoint logs, Yum, and a few more.

New in version 1.6 (September 2nd, 2008)

  • This version delivers the most comprehensive update to OSSEC in its history, with numerous new features including support for Microsoft Vista (and Server 2008), VMware ESX, active response on Windows, CIS benchmarks on Linux (through the policy auditing), VMware Security hardening guidelines, McAfee Virus Scan Enterprise logs, VMware ESX hostd logs, Mac OS FTP server logs, and much more.