OSSEC HIDS Changelog

What's new in OSSEC HIDS 3.7.0

Oct 28, 2022
  • @ddpbsd – ossec-dbd, Add help output to dbd, #1833
  • @NicolasCARPi – INSTALL, updating dependency list, #1832
  • @cpu – PCRE2, refuse to compile empty PCRE2 patterns, fix for Issue #1811, #1826
  • @cpu – analysisd, resolves CVE-2020-8442, Issue #1820, #1825
  • @cpu – analysisd, resolves CVE-2020-8443, Issue #1816, #1824
  • @cpu – analysisd, resolves CVE-2020-8448, Issue #1815, #1823
  • @cpu – Makefile, fix for DEBUGAD, #1822
  • @jknockaert – dropbear rules, limit brute force rule to dropbear, #1803
  • @mwidman – analysisd, Added non-standard Sophos UTM syslog timestamp format to pre-decoding, #1794
  • @drsjb80 – configs, Added authentication log file location for Debian-based systems, #1784
  • @ddpbsd – maild, Fix using a program to send mail, #1783
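Two of the entries above touch analysisd behaviour that is easier to see in code than in a one-line changelog entry: pre-decoding a syslog header whose timestamp is not the standard BSD form (the Sophos UTM entry, #1794), and scoping a frequency-based brute-force rule to one program so that failures logged by another daemon do not feed it (the dropbear entry, #1803). The following is an added example written for this page, not OSSEC's own code: a toy model of the pre-decode → decoder → rule chain. It assumes the Sophos UTM timestamp looks like `2022:10:28-12:00:08` (taken from Sophos UTM remote-syslog output), assumes the dropbear and sshd failure message formats shown in the constructed log lines, uses rule IDs in the 100000+ range chosen for the example only, and simplifies OSSEC's frequency semantics to "fire once N matching events are in the window".

```python
"""Toy analysisd: pre-decode syslog headers, decode fields, evaluate
atomic and composite (frequency/timeframe/same_source_ip) rules.
Added example, not OSSEC code; log lines and rule IDs are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

ASSUMED_YEAR = 2022  # BSD syslog timestamps carry no year; pin one for determinism

# Header: BSD timestamp ("Oct 28 12:00:01") or the assumed Sophos UTM form
# ("2022:10:28-12:00:08"), then host, program[pid]: message.
HEADER = re.compile(
    r"^(?:(?P<bsd>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
    r"|(?P<sophos>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d))"
    r" (?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Per-program decoders pulling out the fields rules correlate on (assumed formats).
DECODERS = {
    "dropbear": re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<srcip>[\d.]+):\d+"),
    "sshd": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>[\d.]+) port \d+"),
}


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    msg: str
    srcip: Optional[str] = None
    user: Optional[str] = None


def predecode(line: str) -> Optional[Event]:
    """Split a syslog line into timestamp, host, program and message, then decode fields."""
    m = HEADER.match(line)
    if not m:
        return None  # unknown header: no program name, so program-scoped rules can never match
    if m.group("sophos"):
        ts = datetime.strptime(m.group("sophos"), "%Y:%m:%d-%H:%M:%S")
    else:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {' '.join(m.group('bsd').split())}", "%Y %b %d %H:%M:%S")
    ev = Event(ts, m.group("host"), m.group("prog"), m.group("msg"))
    dec = DECODERS.get(ev.prog)
    if dec and (dm := dec.search(ev.msg)):
        ev.srcip, ev.user = dm.group("srcip"), dm.group("user")
    return ev


@dataclass
class Rule:
    sid: int
    level: int
    description: str
    program_name: Optional[str] = None    # like <program_name> in an OSSEC rule
    match: Optional[str] = None           # regex over the decoded message
    if_matched_sid: Optional[int] = None  # composite rule: the parent sid it counts
    frequency: int = 0
    timeframe: int = 0                    # seconds
    same_source_ip: bool = False


RULES = [  # hypothetical IDs, chosen for this example
    Rule(100101, 5, "dropbear: bad password attempt", program_name="dropbear", match="Bad password attempt"),
    Rule(100102, 5, "sshd: failed password", program_name="sshd", match="Failed password"),
    # Scoped to dropbear by chaining only from 100101; sshd failures (100102) never feed it.
    Rule(100110, 10, "dropbear: brute force attempt", if_matched_sid=100101,
         frequency=5, timeframe=60, same_source_ip=True),
]


class Analyser:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.seen: Dict[int, Deque[Event]] = defaultdict(deque)  # sid -> recent matching events

    def analyse(self, line: str) -> Optional[Rule]:
        """Return the highest-level rule the line triggers, or None."""
        ev = predecode(line)
        if ev is None:
            return None
        fired: List[Rule] = []
        for r in self.rules:  # atomic rules first
            if r.if_matched_sid is not None:
                continue
            if r.program_name and r.program_name != ev.prog:
                continue  # program_name scoping: the wrong daemon never matches
            if r.match and not re.search(r.match, ev.msg):
                continue
            fired.append(r)
            self.seen[r.sid].append(ev)
        for r in self.rules:  # composite rules chained off what just fired
            if r.if_matched_sid is None or all(f.sid != r.if_matched_sid for f in fired):
                continue
            if r.same_source_ip and ev.srcip is None:
                continue  # cannot correlate on a source IP the decoder did not find
            window = self.seen[r.if_matched_sid]
            cutoff = ev.ts - timedelta(seconds=r.timeframe)
            while window and window[0].ts < cutoff:
                window.popleft()  # forget matches outside the timeframe
            related = [e for e in window if not r.same_source_ip or e.srcip == ev.srcip]
            if len(related) >= r.frequency:
                fired.append(r)
                for e in related:  # reset so the alert fires once per burst
                    window.remove(e)
        return max(fired, key=lambda x: x.level) if fired else None


SAMPLE_LOG = [  # constructed for the example
    "Oct 28 12:00:01 gw dropbear[311]: Bad password attempt for 'root' from 203.0.113.7:51000",
    "Oct 28 12:00:03 gw dropbear[311]: Bad password attempt for 'root' from 203.0.113.7:51002",
    "Oct 28 12:00:05 gw dropbear[311]: Bad password attempt for 'admin' from 203.0.113.7:51004",
    "Oct 28 12:00:06 gw sshd[2000]: Failed password for invalid user test from 203.0.113.7 port 40000 ssh2",
    "Oct 28 12:00:07 gw sshd[2000]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    '2022:10:28-12:00:08 utm ulogd[4877]: id="2001" severity="info" sub="packetfilter" name="Packet dropped" srcip="203.0.113.7"',
    "Oct 28 12:00:09 gw dropbear[311]: Bad password attempt for 'root' from 203.0.113.7:51006",
    "Oct 28 12:00:11 gw dropbear[311]: Bad password attempt for 'root' from 203.0.113.7:51008",
]


def run(lines: List[str] = SAMPLE_LOG) -> List[int]:
    """Feed lines through the analyser; return the alerting sid per line (0 = no alert)."""
    a = Analyser(RULES)
    return [(r.sid if (r := a.analyse(line)) else 0) for line in lines]


if __name__ == "__main__":
    for line, sid in zip(SAMPLE_LOG, run()):
        print(sid or "-", line[:60])
```

Running `run()` on the constructed lines alerts 100101 on the dropbear failures, 100102 on the two sshd failures, nothing on the Sophos UTM line (it pre-decodes cleanly to program `ulogd`, which no rule here targets), and the level-10 rule 100110 only on the fifth dropbear failure from 203.0.113.7. Had 100110 been chained off a generic authentication-failure rule instead of 100101, the two sshd lines at :06 and :07 would have pushed the count to five at :09; scoping the composite rule to dropbear is exactly what keeps another daemon's noise from triggering it.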

New in OSSEC HIDS 3.6.0 (Feb 28, 2020)


New in OSSEC HIDS 3.4.0 (Oct 21, 2019)

  • New Rules / Decoders:
  • (@aquerubin) Updated IPv4-dependent regexp in ownCloud decoders. PR#1697
  • (@jubois) Fix Issue #1708 (Incorrect regex match) PR#1710
  • (@jubois) PCRE2 rulefiles conversion PR#1711
  • (@jubois) PCRE2 decoders conversion PR#1712
  • (@aquerubin) Fix owncloud decoder PR#1724
  • (@iasdeoupxe) Additional ownCloud decoder fix PR#1725
  • (@iasdeoupxe) Second ownCloud decoder fix PR#1726
  • (@ddpbsd) Adjust pix decoder and a firewall rule PR#1749
  • (@binrush) Fixed missing same_source_ip in rule 11306 (pureftpd) PR#1751
  • (@ddpbsd) Addition to sshd rule, new ntpd rule PR#1757
  • (@ddpbsd) Fix rule IDs in openbsd_rules PR#1760
  • General:
  • (@ddpbsd) syscheck, Try to silence the "Attempted to check FS status for" message. PR#1701
  • (@ddpbsd) syscheck, Add some basic error handling to syscheck_control PR#1702
  • (@ddpbsd) core, More unlink and fopen error handling in src/util PR#1703
  • (@almirb) active-response,Added Cloudflare active-response script. PR#1709
  • (@Varstahl) csyslogd, CEF – Remove duplicate parameters and fix discarded hashes PR#1713
  • (@atomicturtle) - docs, Updating links, using https, conference links PR#1714
  • (@Varstahl) csyslogd, Fix: CEF escaping / multi-line syslog
  • (@ddpbsd) core, Check return values for unlink(2) calls PR#1733
  • (@mikeroyal) packaging, snap build support PR#1737
  • (@ddpbsd) core, Set PCRE2_SYSTEM to no by default. PR#1738
  • (@ddpbsd) logtest, Remove leading space from field names PR#1741
  • (@bchavet) analysisd, Verify Googlebot (a code function in generic_samples.c) PR#1752
  • (@ddpbsd) analysisd, Free the lf->fields memory. PR#1758, fixes issue #1727
  • (@ddpbsd) testing, Update some travis-ci bits PR#1759

New in OSSEC HIDS 3.1.0 (Oct 12, 2018)

  • What's New:
  • (davestoddard) Modification to Correct IP Connectivity Issues on BSD Servers PR #1412
  • New Rules / Decoders:
  • (@Bob-Andrews) - linux_usbdetect_rules.xml, ms1016_usbdetect_rules.xml, ms_firewall_rules.xml
  • (@Bob-Andrews) - Added ms_ipsec_rules PR #1549
  • (@Bob-Andrews) - Rootchecks for Debian 7+8, cis_debianlinux7-8_L1_rcl.txt, cis_debianlinux7-8_L2_rcl.txt, cis_win10_enterprise_L1_rcl.txt, cis_win10_enterprise_L2_rcl.txt PR #1531
  • (@Bob-Andrews) - acsc_office2016_rcl.txt, Added rootcheck PR #1510
  • (@Bob-Andrews) - added cis_win2016_memberL1_rcl.txt, cis_win2016_memberL2_rcl.txt PR #1496
  • (@Bob-Andrews) - cis_win2012r2_memberL1_rcl.txt, Added Check Description/Alert PR #1495
  • (@ddpbsd) - additional sshd decoders PR #1480
  • (@ddpbsd) - basic support for Dnsmasq PR #1461
  • General:
  • (@iasdeoupxe) - host-deny.sh: Move duplicate entry check into the add action PR #1554
  • (@iasdeoupxe) - host-deny.sh: Use consistent indentation PR #1553
  • (@iasdeoupxe) - host-deny.sh: Remove unnecessary echo for duplicated entry PR #1552
  • (@Bob-Andrews) - Added new id ranges for linux usb detection rules, ms1016 usb detection rules and ms firewall rules from PR #1543
  • (@Bob-Andrews) - Corrected IDs to a non user defined range PR #1547 (psad_rules.xml, sysmon_rules.xml, unbound_rules.xml)
  • (@c0r3dump3d) - Correct and expand spanish translation PR #1541
  • (@ddpbsd) - Adjust the tests for sysmon rules PR #1548
  • (@MangyCoyote) - install.sh - case for s-nail patch can't be applied if mail is not installed PR #1539
  • (@atomicturtle) - ossec-authd Fix for foreground flags PR #1538
  • (@atomicturtle) - ossec-authd Add -f foreground flag support PR #1537
  • (@featzor) - psad signature match level 6 PR #1517
  • (@Bob-Andrews) - Corrected rootcheck CIS tests for cis_win2012r2_domainL2_rcl.txt, cis_win2012r2_memberL2_rcl.txt, cis_win2016_domainL2_rcl.txt PR #1521
  • (@franciosi) - Updated README.md, corrects small typos PR #1519
  • (@ddpbsd) - Fix the subject handling. Issue submitted by Michael Starks #1370 PR #1377
  • (@foygl) - ossec-slack.sh, Fix and clean up output for Slack integration PR #1508
  • (@ddpbsd) - From issue #1514, a duplicate _gsid1 == 0 -> _gsid0 == 0 PR #1515
  • (@Bob-Andrews) - cis_win2016_domainL1_rcl.txt, Corrected Check - Registry Hive PR #1511
  • (@ashley-dunn) - Fix "bellow" typos in ossec-[client|local|server].sh files PR #1512
  • (@ddpbsd) - Fix the log location in the ossec-slack AR script. PR #1422
  • (@phamvuong) - BUGFIX: remove default value for authpass PR #1464
  • (@calve) - Bump version definition in defs.h PR #1504
  • (@ddpbsd) - More coverity fixes PR #1497
  • (@ddpbsd) - Modify status() to not return 1 when maild is not running PR #1501
  • (@ddpbsd) - Coverity fixes PR #1490
  • (@Bob-Andrews) - Moved file to ossec-hids/ src/rootcheck/db/ PR #1493
  • (@ddpbsd) - Make sure there's room for the full alert id in json alerts PR #1487
  • (@ddpbsd) - Fix an issue in the nodiff option which could ignore files it isn't supposed to PR #1486
  • (@ddpbsd) - Hard coded user/group changed to appropriate variables PR #1484
  • (@ddpbsd) - Add FreeBSD's php.ini location to rootcheck db PR #1483
  • (@ddpbsd) - Replace hard coded directories with the appropriate variables PR #1482
  • (@ddpbsd) - When trying to bind to a local address, present the error on failure. PR #1457
  • (@ddpbsd) - version_bump.sh Quick script to make version bumping easier PR #1532
  • (@phamvuong) - Call select() before checking active socket PR #1529
  • (@stephengroat) - use nicer looking travis build badge PR #1460
  • (@StevHsu) - Correct lua version variable PR #1459

New in OSSEC HIDS 2.9.3 (Dec 27, 2017)

  • New Rules / Decoders:
  • NSD Rules and Decoders
  • Owncloud Rules and Decoders
  • ProxMox Rules and Decoders
  • PSAD Rules and Decoders
  • Updated Rules / Decoders:
  • Apache Rules
  • Asterisk Rules
  • Mailscanner Rules
  • Mysql Rules
  • Nginx Rules
  • OpenBSD Rules
  • Postfix Rules
  • RoundCube Rules
  • Sendmail Rules
  • Syslog Rules
  • WebAppSec Rules
  • General:
  • Added authd init scripts for Debian and Redhat/Centos
  • Added Rootcheck CIS Mysql community and enterprise auditing
  • Added Rootcheck CIS SSH checks
  • Added Rootcheck CIS SLES 12 checks
  • Update Rootcheck CIS RHEL / CentOS 5 checks
  • Update Rootcheck CIS RHEL / CentOS 6 checks
  • Update Rootcheck CIS RHEL / CentOS 7 checks
  • Update Rootcheck CIS Windows checks
  • Update Rootcheck trojans / malware DB
  • Update Rootcheck Windows application DB
  • Backported rule unit tests from master
  • PR #915 allows the filename attribute in decoders and active response
  • PR #1275 allow IPv6 addresses in names

New in OSSEC HIDS 2.9.2 (Nov 17, 2017)

  • New Rules / Decoders:
  • OpenBSD decoder
  • Exim decoder
  • Dovecot Rules
  • Exim Rules
  • Chrome remote Desktop Rules
  • Netscreen Firewall Rules
  • OpenBSD rules
  • Updated Rules / Decoders:
  • ssh decoder
  • dropbear decoder
  • su decoder
  • vsftpd decoder
  • dovecot decoder
  • postfix decoder
  • pix decoder
  • apache decoder
  • windows decoder
  • Dovecot Rules
  • SSHd Rules
  • Syslog Rules

New in OSSEC HIDS 2.9.1 (Nov 17, 2017)

  • What's New:
  • Updated rootcheck audit db's
  • Updated GeoIP support
  • New Rules / Decoders:
  • Fixed windows decoders
  • PR #980: Update for vsftp rules / decoders
  • General:
  • PR #1108: Implement GeoIP checks in Groups and Events
  • PR #1136: Fix for mysql building
  • PR #1144: Fixes Issue #1142 for CEF support (@mkvocka)

New in OSSEC HIDS 2.7 (Jun 24, 2013)

  • The key enhancements in v2.7 are:
  • Installation:
  • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
  • Add manage_agents -f option for bulk generation of client keys from an input file.
  • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
  • Syscheck:
  • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  • Rootcheck:
  • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  • Log monitoring/analysis:
  • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  • Alert options and syslog output:
  • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
  • Support JSON and Splunk formats in syslog output.
  • Rules and other notable changes/fixes:
  • Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
  • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
  • Update decoders include: PIX, auditd, apache, pam, php.
  • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
  • Update rootcheck rules.
  • ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
  • Many bug fixes…
  • LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2

New in OSSEC HIDS 2.6 (Nov 12, 2011)

  • Added IPv6 support
  • Lots of new rules (OpenBSD, Clamav, BRO-ids, active response logs, etc, etc)
  • Added os-authd – For automatically creating and setting up the agent keys
  • Added CEF support to client syslog
  • Improved reporting for file changes
  • Added option to Block repeated offenders with OSSEC
  • Many bug fixes