What's new in OSSEC HIDS 3.7.0
Oct 28, 2022
- @ddpbsd – ossec-dbd, Add help output to dbd, #1833
- @NicolasCARPi – INSTALL, Update dependency list, #1832
- @cpu – PCRE2, Refuse to compile empty PCRE2 patterns, fix for Issue #1811, #1826
- @cpu – analysisd, Resolves CVE-2020-8442 (Issue #1820), #1825
- @cpu – analysisd, Resolves CVE-2020-8443 (Issue #1816), #1824
- @cpu – analysisd, Resolves CVE-2020-8448 (Issue #1815), #1823
- @cpu – Makefile, Fix for DEBUGAD, #1822
- @jknockaert – dropbear rules, Limit brute-force rule to dropbear, #1803
- @mwidman – analysisd, Added non-standard Sophos UTM syslog timestamp format to pre-decoding, #1794
- @drsjb80 – configs, Added authentication log file location for Debian-based systems, #1784
- @ddpbsd – maild, Fix using a program to send mail, #1783
New in OSSEC HIDS 3.6.0 (Feb 28, 2020)
New in OSSEC HIDS 3.4.0 (Oct 21, 2019)
- New Rules / Decoders:
- (@aquerubin) Updated IPv4-dependent regexp in ownCloud decoders. PR#1697
- (@jubois) Fix Issue #1708 (Incorrect regex match) PR#1710
- (@jubois) PCRE2 rulefiles conversion PR#1711
- (@jubois) PCRE2 decoders conversion PR#1712
- (@aquerubin) Fix owncloud decoder PR#1724
- (@iasdeoupxe) Additional ownCloud decoder fix PR#1725
- (@iasdeoupxe) Second ownCloud decoder fix PR#1726
- (@ddpbsd) Adjust pix decoder and a firewall rule PR#1749
- (@binrush) Fixed missing same_source_ip in pureftpd rule 11306 PR#1751
- (@ddpbsd) Addition to sshd rule, new ntpd rule PR#1757
- (@ddpbsd) Fix rule IDs in openbsd_rules PR#1760
- General:
- (@ddpbsd) syscheck, Try to silence the "Attempted to check FS status for" message. PR#1701
- (@ddpbsd) syscheck, Add some basic error handling to syscheck_control PR#1702
- (@ddpbsd) core, More unlink and fopen error handling in src/util PR#1703
- (@almirb) active-response, Added Cloudflare active-response script. PR#1709
- (@Varstahl) csyslogd, csyslogd CEF – Remove duplicate parameters and fix discarded hashes PR#1713
- (@atomicturtle) docs, Updating links, using https, conference links PR#1714
- (@Varstahl) csyslogd, Fix: csyslogd – CEF escaping / multi-line syslog
- (@ddpbsd) core, Check return values for unlink(2) calls PR#1733
- (@mikeroyal) packaging, snap build support PR#1737
- (@ddpbsd) core, Set PCRE2_SYSTEM to no by default. PR#1738
- (@ddpbsd) logtest, Remove leading space from field names PR#1741
- (@bchavet) analysisd, Verify Googlebot PR#1752 (a code function in generic_samples.c)
- (@ddpbsd) analysisd, Free the lf->fields memory. PR#1758, fixes issue #1727
- (@ddpbsd) testing, Update some travis-ci bits (travis fixes) PR#1759
New in OSSEC HIDS 3.1.0 (Oct 12, 2018)
- What's New:
- (@davestoddard) Modification to Correct IP Connectivity Issues on BSD Servers PR #1412
- New Rules / Decoders:
- (@Bob-Andrews) - linux_usbdetect_rules.xml, ms1016_usbdetect_rules.xml, ms_firewall_rules.xml
- (@Bob-Andrews) - Added ms_ipsec_rules PR #1549
- (@Bob-Andrews) - Rootchecks for Debian 7+8, cis_debianlinux7-8_L1_rcl.txt, cis_debianlinux7-8_L2_rcl.txt, cis_win10_enterprise_L1_rcl.txt, cis_win10_enterprise_L2_rcl.txt PR #1531
- (@Bob-Andrews) - acsc_office2016_rcl.txt, Added rootcheck PR #1510
- (@Bob-Andrews) - added cis_win2016_memberL1_rcl.txt, cis_win2016_memberL2_rcl.txt PR #1496
- (@Bob-Andrews) - cis_win2012r2_memberL1_rcl.txt, Added Check Description/Alert PR #1495
- (@ddpbsd) - additional sshd decoders PR #1480
- (@ddpbsd) - basic support for Dnsmasq PR #1461
- General:
- (@iasdeoupxe) - host-deny.sh: Move duplicate entry check into the add action PR #1554
- (@iasdeoupxe) - host-deny.sh: Use consistent indentation PR #1553
- (@iasdeoupxe) - host-deny.sh: Remove unnecessary echo for duplicated entry PR #1552
- (@Bob-Andrews) - Added new id ranges for linux usb detection rules, ms1016 usb detection rules and ms firewall rules from PR #1543
- (@Bob-Andrews) - Corrected IDs to a non user defined range PR #1547 (psad_rules.xml, sysmon_rules.xml, unbound_rules.xml)
- (@c0r3dump3d) - Correct and expand Spanish translation PR #1541
- (@ddpbsd) - Adjust the tests for sysmon rules PR #1548
- (@MangyCoyote) - install.sh - case for s-nail patch can't be applied if mail is not installed PR #1539
- (@atomicturtle) - ossec-authd Fix for foreground flags PR #1538
- (@atomicturtle) - ossec-authd Add -f foreground flag support PR #1537
- (@featzor) - psad signature match level 6 PR #1517
- (@Bob-Andrews) - Corrected rootcheck CIS tests for cis_win2012r2_domainL2_rcl.txt, cis_win2012r2_memberL2_rcl.txt, cis_win2016_domainL2_rcl.txt PR #1521
- (@franciosi) - Updated README.md, corrects small typos PR #1519
- (@ddpbsd) - Fix the subject handling. Issue submitted by Michael Starks #1370 PR #1377
- (@foygl) - ossec-slack.sh, Fix and clean up output for Slack integration PR #1508
- (@ddpbsd) - From issue #1514, a duplicate _gsid1 == 0 -> _gsid0 == 0 PR #1515
- (@Bob-Andrews) - cis_win2016_domainL1_rcl.txt, Corrected Check - Registry Hive PR #1511
- (@ashley-dunn) - Fix "bellow" typos in ossec-[client|local|server].sh files PR #1512
- (@ddpbsd) - Fix the log location in the ossec-slack AR script. PR #1422
- (@phamvuong) - BUGFIX: remove default value for authpass PR #1464
- (@calve) - Bump version definition in defs.h PR #1504
- (@ddpbsd) - More Coverity fixes PR #1497
- (@ddpbsd) - Modify status() to not return 1 when maild is not running PR #1501
- (@ddpbsd) - Coverity fixes PR #1490
- (@Bob-Andrews) - Moved file to ossec-hids/src/rootcheck/db/ PR #1493
- (@ddpbsd) - Make sure there's room for the full alert id in json alerts PR #1487
- (@ddpbsd) - Fix an issue in the nodiff option which could ignore files it isn't supposed to PR #1486
- (@ddpbsd) - Hard coded user/group changed to appropriate variables PR #1484
- (@ddpbsd) - Add FreeBSD's php.ini location to rootcheck db PR #1483
- (@ddpbsd) - Replace hard coded directories with the appropriate variables PR #1482
- (@ddpbsd) - When trying to bind to a local address, present the error on failure. PR #1457
- (@ddpbsd) - version_bump.sh Quick script to make version bumping easier PR #1532
- (@phamvuong) - Call select() before checking active socket PR #1529
- (@stephengroat) - use nicer looking travis build badge PR #1460
- (@StevHsu) - Correct lua version variable PR #1459
New in OSSEC HIDS 2.9.3 (Dec 27, 2017)
- New Rules / Decoders:
- NSD Rules and Decoders
- Owncloud Rules and Decoders
- ProxMox Rules and Decoders
- PSAD Rules and Decoders
- Updated Rules / Decoders:
- Apache Rules
- Asterisk Rules
- Mailscanner Rules
- Mysql Rules
- Nginx Rules
- OpenBSD Rules
- Postfix Rules
- RoundCube Rules
- Sendmail Rules
- Syslog Rules
- WebAppSec Rules
- General:
- Added authd init scripts for Debian and Redhat/Centos
- Added Rootcheck CIS MySQL community and enterprise auditing
- Added Rootcheck CIS SSH checks
- Added Rootcheck CIS SLES 12 checks
- Update Rootcheck CIS RHEL / CentOS 5 checks
- Update Rootcheck CIS RHEL / CentOS 6 checks
- Update Rootcheck CIS RHEL / CentOS 7 checks
- Update Rootcheck CIS Windows checks
- Update Rootcheck trojans / malware DB
- Update Rootcheck Windows application DB
- Backported rule unit tests from master
- PR #915 allows the filename attribute in decoders and active response
- PR #1275 allow IPv6 addresses in names
New in OSSEC HIDS 2.9.2 (Nov 17, 2017)
- New Rules / Decoders:
- OpenBSD decoder
- Exim decoder
- Dovecot Rules
- Exim Rules
- Chrome remote Desktop Rules
- Netscreen Firewall Rules
- OpenBSD rules
- Updated Rules / Decoders:
- ssh decoder
- dropbear decoder
- su decoder
- vsftpd decoder
- dovecot decoder
- postfix decoder
- pix decoder
- apache decoder
- windows decoder
- Dovecot Rules
- SSHd Rules
- Syslog Rules
New in OSSEC HIDS 2.9.1 (Nov 17, 2017)
- What's New:
- Updated rootcheck audit DBs
- Updated GeoIP support
- New Rules / Decoders:
- Fixed windows decoders
- PR #980: Update for vsftp rules / decoders
- General:
- PR #1108: Implement GeoIP checks in Groups and Events
- PR #1136: Fix for mysql building
- PR #1144: Fixes Issue #1142 for CEF support (@mkvocka)
New in OSSEC HIDS 2.7 (Jun 24, 2013)
- The key enhancements in v2.7 are:
- Installation:
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add manage_agents -f option for bulk generation of client keys from an input file.
- During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
- Syscheck:
- Add prelinking support – reduce confusion when a file change is the result of prelinking.
- Rootcheck:
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Log monitoring/analysis:
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
- Alert options and syslog output:
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes:
- Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
- Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
- Updated decoders include: PIX, auditd, apache, pam, php.
- Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
- Updated rootcheck rules.
- ossec-client.sh now allows for ‘reload’, in addition to ‘restart’.
- Many bug fixes…
- LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2
New in OSSEC HIDS 2.6 (Nov 12, 2011)
- Added IPv6 support
- Lots of new rules (OpenBSD, Clamav, BRO-ids, active response logs, etc, etc)
- Added ossec-authd – for automatically creating and setting up the agent keys
- Added CEF support to client syslog
- Improved reporting for file changes
- Added option to Block repeated offenders with OSSEC
- Many bug fixes