OSSEC v2.4 released

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

The following is the changelog for OSSEC version 2.4.

  • Added more options to filter by user and srcip on reportd.
  • Fixed init script for Gentoo that was failing if OSSEC was not installed at /var/ossec.
  • Fixed false positives on the su/sudo trojan signature for Ubuntu.
  • Added rules for Tru64 ftpd. (By Stephen Kreusch.)
  • Added rules for Tru64 rshd. (By Stephen Kreusch.)
  • Added rules for HP-UX cimserver. (By Stephen Kreusch.)
  • Added rules for Microsoft Security Essentials.
  • Patched system audit checks to look at /etc/php.ini. (By Scott R. Shinn.)
  • Added MySQL timestamp to the schema (to improve performance). (By Scott R. Shinn.)
  • Fixed a memory leak on the Windows agent that was not properly closing the sockets. It would cause port exhaustion if the manager became unavailable for a long period of time. (By Paul Southerington.)
  • Fixed false positive in the rootcheck trojan rule for du. (Reported by Brian Mastenbrook.)
  • Added rules to ignore cron logout messages on Ubuntu/Debian.
  • Fixed bug where only the first lines of the logs were stored in the database output.
  • Added support for logging from the agentless. (By Jeremy Rossi.)
  • Added additional rules options to the tag (cve, link). (By Jeremy Rossi.)
  • Improved Prelude support by adding detailed change information on the integrity checking events. (By Jeremy Rossi.)
  • Added Windows netsh active response, for Windows 2003 and up. (By http://windowsnerd.com/.)
  • Improved ossec-logtest to be used for the forensic analysis of log files.
  • Added daily summaries/reports option.
  • Fixed bug where overwritten rules were not using the new ignore time. (Reported by Peter M. Abraham.)
  • Fixed wrong path to ipf on the firewall-drop active response for Solaris. (Reported by Borut Podlipnik.)
  • Fixed bug on the courier rules for failed login. (Reported by atomicturtle.)
  • Fixed bugs found by clang. (Patch by Jeremy Rossi.)
  • Added 'diff' option to rules (check_diff).
  • Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc.).
  • Added rules to alert on Postfix starting and stopping.
  • Improved decoder to match on Snare logs from Vista.
  • Fixed performance issue when the FTS queue was too large. (Reported by Burks, Doug <doug.burks@morris.com>.)
  • Added one-way option to the agent, to deal with systems where the manager can't talk back and respond to the keep-alive requests.
  • Fixed bug on smbd rules. (Reported by trevor.a.b.mcleod@gmail.com.)
  • Fixed bug on ossec_dbd that was crashing with the check_diff option enabled. (Reported by Dan.)
  • Added showlogs option to the daily reports.
  • Fixed bug on the FTS queue that was getting duplicated entries. (Reported by Cristian Paul Peñaranda Roja.)
  • Removed false positive from the cback worm rootkit detection rule. (Reported by Erik Zettel <ez>.)

Post scriptum

Compliance Mandates

  • IDS:

    PCI DSS 10.6, 11.4, SOX A13.2, DS5.10, GLBA 16CFR Part 314.4(b) and (3), HIPAA 164.306(a)(2), 164.308(a)(1), 164.308(a)(6), FISMA SI-4, AC-2, ISO 27001/27002 10.6.2, 10.10.1, 10.10.2, 10.10.4, 15.1.5

  • Network Monitoring:

    PCI DSS Requirements 3, 4, SOX DS13.4, HIPAA 164.310(d)(1), 164.312(a)(2)(iv), FISMA SI-4, AU-2, ISO 27001/27002 12.5.4, 15.1.5
