OSSEC v2.4 released
OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.
The following is the changelog for OSSEC version 2.4.
Changelog:
- Added more options to filter by user and srcip on reportd.
- Fixed the init script for Gentoo, which failed if OSSEC was not installed at /var/ossec. (http://ossec.uservoice.com/pages/18254-general/suggestions/284923-etc-init-d-ossec-installation-reference)
- Fixed false positives on the su/sudo trojan signature for Ubuntu. (http://ohioloco.ubuntuforums.org/showthread.php?p=8494734)
- Added rules for Tru64 ftpd. (By Stephen Kreusch)
- Added rules for Tru64 rshd. (By Stephen Kreusch)
- Added rules for HP-UX cimserver. (By Stephen Kreusch)
- Added rules for Microsoft Security Essentials.
- Patched the system audit checks to also look at /etc/php.ini. (By Scott R. Shinn)
- Added a MySQL timestamp column to the schema to improve performance. (By Scott R. Shinn)
- Fixed a memory leak on the Windows agent, which was not properly closing its sockets; this caused port exhaustion if the manager became unavailable for a long period of time. (By Paul Southerington)
- Fixed a false positive in the rootcheck trojan rule for du. (Reported by Brian Mastenbrook)
- Added rules to ignore cron logout messages on Ubuntu/Debian.
- Fixed a bug where only the first lines of the logs were stored in the database output.
- Added support for logging from agentless monitoring. (By Jeremy Rossi)
- Added additional rule options to the <info> tag (cve, link). (By Jeremy Rossi)
- Improved Prelude support by adding detailed change information to the integrity checking events. (By Jeremy Rossi)
- Added a Windows netsh active response, for Windows 2003 and up. (By http://windowsnerd.com/)
- Improved ossec-logtest so it can be used for forensic analysis of log files. (http://www.ossec.net/dcid/?p=192)
- Added a daily summaries/reports option.
- Fixed a bug where overwritten rules were not using the new ignore time. (Reported by Peter M. Abraham)
- Fixed the wrong path to ipf in the firewall-drop active response for Solaris. (Reported by Borut Podlipnik)
- Fixed a bug in the courier rules for failed logins. (Reported by atomicturtle)
- Fixed bugs found by clang. (Patch by Jeremy Rossi)
- Added a 'diff' option to rules (check_diff).
- Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc.).
- Added rules to alert on Postfix starting and stopping.
- Improved the decoder to match Snare logs from Vista.
- Fixed a performance issue when the FTS queue was too large. (Reported by Doug Burks <doug.burks@morris.com>)
- Added a one-way option to the agent, for systems where the manager cannot talk back and respond to the keep-alive requests.
- Fixed a bug in the smbd rules. (Reported by trevor.a.b.mcleod@gmail.com)
- Fixed a bug in ossec_dbd that crashed with the check_diff option enabled. (Reported by Dan)
- Added a showlogs option to the daily reports.
- Fixed a bug in the FTS queue that was getting duplicated entries. (Reported by Cristian Paul Peñaranda Roja)
- Removed a false positive from the cback worm rootkit detection rule. (Reported by Erik Zettel)
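Two of the rule-side additions above, the check_diff option and the extra <info> types, are easiest to understand together. The following is an added example written for this page, not a fragment of the OSSEC distribution: it runs a command from ossec.conf and ships its full output as one event, then a local rule alerts only when that output differs from the previous run and attaches a reference link to the alert. The command, the rule ID 100100, the group name and the link URL are choices made for the example; a type="cve" entry would carry a CVE identifier in the same way.

```xml
<!-- ossec.conf (on the host being monitored): run the command on the
     agent's schedule and deliver the complete output as a single event,
     so that check_diff compares the whole listing, not one line at a time. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1</command>
  </localfile>
</ossec_config>

<!-- local_rules.xml (on the manager): the 'ossec' decoder handles command
     output events; check_diff suppresses the alert while the output is
     unchanged and fires only when the set of listening ports changes. -->
<group name="local,command_output,">
  <rule id="100100" level="7">
    <decoded_as>ossec</decoded_as>
    <match>ossec: output: 'netstat -tan | grep LISTEN | grep -v 127.0.0.1'</match>
    <check_diff />
    <description>Listening ports changed since the last run (new port opened or closed).</description>
    <info type="text">Verify the new listener against the host's expected service list.</info>
    <info type="link">http://www.ossec.net/</info>
  </rule>
</group>
```

The first run after the rule is installed produces a baseline rather than an alert, since there is no previous output to diff against; the fix for ossec_dbd noted above matters here because check_diff events carry the stored diff into the database output.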