OSSEC v2.4 released
OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active respons
The following is the changelog for OSSEC version 2.4.
- Added more options to filter by user and srcip on reportd.
- Fixed init script for gentoo that was failing if OSSEC was not installed at /var/ossec.
- Fixed false positives on su/sudo trojan signature for Ubuntu.
- Added rules for Tru64 ftpd. (By Stephen Kreusch).
- Added rules for True64 rshd. (By Stephen Kreusch).
- Added rules for HP-UX cimserver. (By Stephen Kreusch).
- Added rules for Microsoft Security Essentials
- Patched system audit checks to look at /etc/php.ini.
(By Scott R. Shinn).
- Added MySQL timestamp to the schema (to improve performance).
(By Scott R. Shinn).
- Fixed a memory leak on the Windows agent that was not properly closing the sockets. It will cause a port exhaustion if the manager becames unavailablefor a long period of time. (By Paul Southerington).
- Fixed false positive in the rootcheck trojan rule for du.(Reported by Brian Mastenbrook).
- Added rules to Ignore cron logout messages on Ubuntu/Debian.
- Fixed bug where the only the first lines of the logs were stored in the database output.
- Added support for logging from the agentless.(By Jeremy Rossi
- Added additional rules options to the
tag (cve, link). (By Jeremy Rossi ).
- Improved Prelude support by adding detailed change information on
the integrity checking events.(By Jeremy Rossi
- Adding Windows netsh active response - for Windows 2003 and up
- Improved ossec-logtest to be used for the forensic analysis of log files
- Added daily summaries/reports option.
- Fixed bug where overwritten rules were not using the new ignore time.
(Reported by Peter M. Abraham).
- Fixed wrong path to ipf on the firewall-drop active response for Solaris.
(Reported by Borut Podlipnik).
- Fixed bug on the courier rules for failed login (Reported by atomicturtle).
- Fixed bugs found by clang.(Patch by Jeremy Rossi
- Added ’diff’ option to rules (check_diff).
- Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc).
- Added rules to alert on Postfix starting and stopping.
- Improved decoder to match on Snare logs from Vista.
- Fixed performance issue when the FTS queue was too large.
(reported by Burks, Doug <firstname.lastname@example.org> )
- Added one-way option to the agent, to deal with systems where the manager can’t talk back and respond to the keep alive requests.
- Fixed bug on smbd rules.(reported by email@example.com)
- Fixed bug on ossec_dbd that was crashing with the check_diff option enabled. (reported by Dan)
- Added showlogs option to the daily reports.
- Fixed bug on the fts queue that was getting duplicated entries
(reported by Cristian Paul PeÃ±aranda Roja)
- Removed false positive from the cback worm rootkit detection rule. (reported by Erik Zettel <ez> )