Tuesday, January 20, 2015

OSSEC 2.8.1 was released on September 9, 2014

OSSEC can be downloaded here. In terms of features OSSEC 2.8.1 is the same as OSSEC 2.8, except that 2.8.1 includes a fix for CVE-2014-5284, a vulnerability that allows root privilege escalation via temporary files. See the OSSEC GitHub repository for more information regarding this issue.

For a complete release history since 2.7, see What's New in OSSEC documentation.

Monday, July 7, 2014

OSSEC 2.8 Released

OSSEC 2.8 was released in June 2014 and can be downloaded here. After the move to GitHub in early 2014, many contributors joined and submitted excellent pull requests. Below is a copy of the release notes, a high-level summary of the major changes since 2.7.1. Refer to the GitHub commit history for a complete list.

Trend Micro, Inc.                                                  June 4, 2014
                       OSSEC "v2.8.0" Release Note

Summary of changes in v2.8.0 

=== Installation
    == Server
  - Avoided a crash of agentd on Solaris (danpop60)
    == Agent
  - Fixed manage_agents -f potential infinite loop (awiddersheim)
  - Added manage_agents -r <id> to remove an agent (awiddersheim)
  - Allow NIX agents to use "-f" option and run in foreground (awiddersheim)
  - Windows agent install/uninstall GUI enhancements (awiddersheim)
  - Windows agent_config profile fixed (gaelmuller)
  - Added eventchannel support for Windows agent on Vista or later (gaelmuller)
  - Many Windows agent bug fixes (awiddersheim)

=== Syscheck
  == Extended filesize from an integer to a long integer
  == Make syscheck/analysisd/remoted.debug in internal_options.conf work (awiddersheim)

=== ActiveResponse
  == Fix active-response on MAC OS Firewall (jknockaert)

=== Log monitoring/analysis
  == Add option to allow outputting all alerts to a ZeroMQ PUB socket
     in JSON format, using the cJSON library (jrossi, justintime32). New Config:
  == Add TimeGenerated to the output of Windows Event logs (awiddersheim)
  == os_net fixes, and code clean up in general (cgzones)
  == os_regex unit test cases added (cgzones)
  == os_xml review and fixes (cgzones)

=== Rules and Decoders
  == Added some additional sshd rules in sshd_rules.xml (joshgarnett)
  == Removed bro-ids rules (ddpbsd)
  == Removed event ID 676, 672 in msauth_rules.xml (mstarks01)

=== Contributions
  == zeromq_pubsub.py (jrossi)
  == ossec-eps.sh, a script to calculate events-per-second (mstarks01)

OSSEC 2.8 CONTRIBUTORS (GitHub usernames in alphabetical order): 
Brad Lhotsky
danpop60 (Solaris fix)
Joshua Garnett
Micha Nasriachi
Santiago Bassett

                               === END ===

Tuesday, January 28, 2014

OSSEC 2.7.1 and Beyond

OSSEC 2.7.1 was released in November 2013 and contained mostly bug fixes.
Since then many new pull requests have been submitted and many developers are eager to contribute their talents. After considering many factors, it was decided that it is time to move the source code repository to GitHub. This is happening during the first quarter of 2014.

After the move, the future of OSSEC will be driven mainly by the community. There will be many opportunities for contributors/maintainers in the areas of source code, rule sets, and documentation.
Please check www.ossec.net in the next few weeks for the latest developments.

Monday, November 19, 2012

OSSEC 2.7 Released

Go straight to ossec.net Download page!

OSSEC 2.7 key features:

  1. Installation
    • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
    • Add manage_agents -f option for bulk generation of client keys from an input file.
    • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
  2. Syscheck
    • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  3. Rootcheck
    • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  4. Log monitoring/analysis
    • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  5. Alert options and syslog output
    • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
    • Support JSON and Splunk formats in syslog output.
  6. Rules and other notable changes/fixes
    • Support for Windows 2000 logs has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
    • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
    • Updated decoders include: PIX, auditd, apache, pam, php.
    • Many updated rules, such as new checks for exploitation attempts against vulnerable web apps.
    • Updated rootcheck rules.
    • ossec-client.sh now allows for ‘reload’, in addition to ‘restart’.
    • Many bug fixes…
  7. LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2

Friday, July 27, 2012

So You Want to Help OSSEC Development

Here is a list of tasks/areas you can help with. The next release will be 2.7, focusing on bug fixes and small enhancements. Bigger enhancements are deferred to a future release, marked as 3.0 for now. 'Doc' marks the areas for documentation. You can volunteer for any items marked with (TBD).

  1. Bugs / enhancement requests
    • a) Document the current development process (jbcheng).
    • b) 2.7 - Release Coordinator (jbcheng)
    • c) 2.7 - BitBucket existing open issues prioritization (DONE mstarks01)
    • d) 2.7 - Work on one or more of the open issues (DONE,jb..ms..dp..)
    • e) 2.7 - Beta test volunteers (ALL Sep. 12 - Oct. 12, 2012) 
    • f) Anyone can submit new bugs/enhancement requests to BitBucket jbcheng repository, or to ossec-dev Google group.
    • g) 3.0 - An auto regression framework to make sure bug fixes do not break existing functionality (TBD). 
  2. Rules tuning - to reduce the noise level 
    • a) 2.7 - Linux rules are OK in general; but Windows rules can be tuned to reduce the number of alerts by default (Some adjustments have been done in v2.7-beta).
    • b) 2.x - Further gathering of feedback and adjustment of Windows rules. By default, email alerts should be meaningful and actionable (stay consistent and informative) while the rest can be viewed in a GUI (TBD).
    • c) 2.7 - To test whether the <do_not_group> configuration option for putting multiple alerts in one email works as expected or not (TBD).
    • d) 3.0 - Suggestion to tie rule alert levels with business risk factor for different assets, so non-critical assets do not trigger email notifications.
    • e) 3.0 - Suggestions to tie alert levels with different group characteristics. For example, admin group vs. normal groups.
  3. OSSEC deployment – Key exchange
    • a) Doc - Before ‘authd’ was available, deploying lots of OSSEC agents was very time consuming. ‘authd’ works on Linux, but some users experienced problems on Windows. Please write a success story of deploying Windows agents using ‘authd’ (TBD).
    • b) Doc - Write a success story of using Puppet for deploying OSSEC on Unix systems (TBD). 
    • c) Doc - Write a success story of using OCS-ng for OSSEC mass deployment (TBD). 
    • d) 3.0 - Making Windows Agent MSI build so users can leverage Active Directory group policy for Windows agent deployment (mstarks01)
    • e) 2.7 - RPM and other installation packages (TBD)
    • f) 3.0 - Make mass deployment easy. It should “just work” (TBD).
  4. More frequent Rule and Decoder Updates 
    • a) 3.0 - Current OSSEC rules are coupled with OSSEC releases. By decoupling them it will allow faster response to current and emerging threats with faster rule fixes. Need help on architectural design (TBD)
    • b) 2.7 - Decoders/Rules enhancements (DONE since 2.7-beta)
    • c) 2.7 - Decoders/Rules testing (TBD)
    • d) 2.7 - Releasing (jbcheng)
  5. WUI – Web User Interface (current release 0.3, next release 0.4)
    • a) 0.4 - Fix OSSEC WUI 0.3 where it is incompatible with OSSEC 2.6. For example, IP address and Date field got mixed up (TBD).
    • b) 0.5 - Viewing alerts is currently via text display only. It would be nice to have CSV output option. 
    • c) 0.5 - WUI reporting can be enhanced to become more useful.
  6. Web site – www.ossec.net
    • a) Doc - The web site has been restructured with a new look and better navigation. Anyone can report broken links or missing information to ossecproject@gmail.com (ANY).
    • b) Doc - The Wiki feature on the old web site has been discontinued due to extensive spam trouble. Important content will be reproduced as static pages at user’s request (Vic, DONE in the new ossec.net).
    • c) Doc - Collect/create OSSEC tutorial video on YouTube (TBD) 
    • d) Demo - Create a live demo OSSEC server, ideally with agents in virtual machines (TBD)
    • e) Virtual machine - Re-visit the Virtual Machine image effort, which may contain OSSEC manager, WUI and even some 3rd party tools preinstalled (TBD).
  7. Interface with 3rd party tools
    • a) Doc - Write a blog about Snort –> OSSEC –> Splunk (TBD)
    • b) Doc - Write a blog about integrating OSSEC –> ELSA (TBD)
    • c) 3.0 - Investigate possible synergy between Hadoop and OSSEC (TBD)
    • d) Make syslog output enhancement – adding File Integrity checksum to alert output so it can be used for lookups (refer to: http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html and http://cr.yp.to/cdb.html) (mstarks01, DONE in 2.7-beta1)
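The 2.7 release notes above list the addition of syscheck MD5/SHA1 sums to alerts for third-party file signature checking, and item 7d describes the same checksums in syslog output being used for lookups against a hash list. The following is an added example (not code from the OSSEC project) showing what a consumer of that syslog output can do with it: parse the digests out of a syscheck alert and look the new SHA1 up in an approved-digest table and a blocklist, which is the role an OSSEC CDB rule list plays. The flattened syslog line shape, the agent names, paths and every digest are constructed for this example and are not real file hashes.

```python
"""Triage constructed OSSEC syscheck alerts by looking up their checksums."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed digests (not real file hashes) shared by the sample alerts
# and the lookup tables below.
BAD_SHA1 = "2" * 40       # digest we treat as known-bad (constructed)
OK_SSHD_SHA1 = "4" * 40   # approved digest for /usr/sbin/sshd (constructed)

# Constructed sample alerts in the flattened syslog-output shape this example
# assumes for OSSEC syscheck (rule 550) events.
SAMPLE_ALERTS = [
    "ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
    "Location: (web01) 10.0.0.5->syscheck; Integrity checksum changed for: "
    f"'/usr/bin/sudo' Old md5sum was: '{'0' * 32}' New md5sum is: '{'deadbeef' * 4}' "
    f"Old sha1sum was: '{'1' * 40}' New sha1sum is: '{BAD_SHA1}'",
    "ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
    "Location: (db01) 10.0.0.9->syscheck; Integrity checksum changed for: "
    f"'/usr/sbin/sshd' Old md5sum was: '{'a' * 32}' New md5sum is: '{'b' * 32}' "
    f"Old sha1sum was: '{'3' * 40}' New sha1sum is: '{OK_SSHD_SHA1}'",
    "ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
    "Location: ossec-server->syscheck; Integrity checksum changed for: "
    f"'/etc/hosts' Old md5sum was: '{'c' * 32}' New md5sum is: '{'d' * 32}' "
    f"Old sha1sum was: '{'5' * 40}' New sha1sum is: '{'6' * 40}'",
    # An unrelated alert: the parser must skip it rather than mis-parse it.
    "ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
    "Location: (web01) 10.0.0.5->/var/log/auth.log; Failed password for root",
]

# Header: level, rule id, and a location that is either "(agent) ip->syscheck"
# or "hostname->syscheck" for events on the manager itself.
HEADER_RE = re.compile(
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - [^;]*; "
    r"Location: (?:\((?P<agent>[^)]+)\) )?(?P<src>\S+)->syscheck;"
)
PATH_RE = re.compile(r"Integrity checksum changed for: '(?P<path>[^']+)'")
SUM_RE = re.compile(
    r"(?P<when>Old|New) (?P<algo>md5|sha1)sum (?:was|is): '(?P<hex>[0-9a-f]+)'"
)


@dataclass
class SyscheckAlert:
    level: int
    rule_id: int
    agent: str
    path: str
    old_md5: str
    new_md5: str
    old_sha1: str
    new_sha1: str


def parse_syscheck_alert(line: str) -> Optional[SyscheckAlert]:
    """Return the parsed alert, or None if the line is not a complete syscheck alert."""
    head = HEADER_RE.search(line)
    path = PATH_RE.search(line)
    if not head or not path:
        return None
    sums = {(m["when"], m["algo"]): m["hex"] for m in SUM_RE.finditer(line)}
    try:
        return SyscheckAlert(
            level=int(head["level"]),
            rule_id=int(head["rule"]),
            agent=head["agent"] or head["src"],
            path=path["path"],
            old_md5=sums[("Old", "md5")],
            new_md5=sums[("New", "md5")],
            old_sha1=sums[("Old", "sha1")],
            new_sha1=sums[("New", "sha1")],
        )
    except KeyError:
        return None  # one of the four checksum fields is missing


def classify(alert: SyscheckAlert, approved: Dict[str, Set[str]],
             known_bad: Set[str]) -> str:
    """Known-bad is checked first: a blocklisted digest is never an 'update'."""
    if alert.new_sha1 in known_bad:
        return "known-bad"
    if alert.new_sha1 in approved.get(alert.path, set()):
        return "approved-update"
    return "unknown"


def triage(lines: List[str], approved: Dict[str, Set[str]],
           known_bad: Set[str]) -> List[Tuple[str, str, str]]:
    """(agent, path, verdict) for every syscheck alert; other alerts are skipped."""
    results = []
    for line in lines:
        alert = parse_syscheck_alert(line)
        if alert is not None:
            results.append((alert.agent, alert.path, classify(alert, approved, known_bad)))
    return results


# Constructed lookup tables: approved digests per path (what a package
# manifest would feed in) and a blocklist of digests that must never appear.
APPROVED: Dict[str, Set[str]] = {"/usr/sbin/sshd": {OK_SSHD_SHA1}}
KNOWN_BAD: Set[str] = {BAD_SHA1}

if __name__ == "__main__":
    for agent, path, verdict in triage(SAMPLE_ALERTS, APPROVED, KNOWN_BAD):
        print(f"{agent:13} {path:16} {verdict}")
```

Only "unknown" verdicts need a human; approved updates can be auto-closed and known-bad digests escalated, which is the noise reduction the rules-tuning items above are after.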

Tuesday, June 5, 2012

OSSEC Symposium

OSSEC CON 2013, July 25, Cupertino, CA

Trend Micro continued the previous year's OSSEC Symposium with OSSEC CON 2013. The conference was again a huge success and attendance tripled compared to 2012. The user community response was excellent and many attendees from outside the US requested that future OSSEC CONs be held closer to their countries of origin. If you missed OSSEC CON 2013, see the recap page for a high-level summary and the keynote presentation slides.

OSSEC Symposium Summer 2012, July 12-13, Cupertino, CA

Trend Micro has announced the first OSSEC Symposium to the open source community. It is a two-day event to be held in Cupertino, California, USA on July 12-13, 2012. The agenda includes Trend Micro managers talking about the future direction of the OSSEC project, expert OSSEC developers presenting their experience, and fellow OSSEC users sharing their success stories as well as pain points.

The symposium was a big success and a complete recap along with the presentation slides is available at www.ossec.net.

JB Cheng

Friday, June 1, 2012


Besides the OSSEC package itself, what other tools do I need to extend OSSEC's capabilities?
  1. Graylog2 is an open source log management solution that stores your logs in Elasticsearch and provides a web-based GUI. It utilizes logstash.
  2. Splunk can receive OSSEC alerts via syslog. There is a free version which allows you to index up to 500 megabytes of data per day, and make the data ready for query and correlation. Splunk for OSSEC is an app which offers parsing logic, saved searches, and dashboards. Here is a blog for the installation of OSSEC & Splunk.
  3. ELSA (Enterprise Log Search and Archive) is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web.
  4. OSSIM (Open Source SIEM) provides event collection, normalization, correlation and incident response. There is an OSSIM Tutorial: OSSEC Quick Start Guide.
  5. ArcSight integration help can be found at this blog OSSEC Speaks ArcSight.
  6. AnaLogi (Analytical Log Interface) was built to sit on top of OSSEC (since OSSEC 2.6) and requires no modifications to OSSEC or the database schema that ships with OSSEC. AnaLogi requires a web server with PHP and MySQL. Remy van Elst blogged a nice tutorial which covers the basic installation of an OSSEC 2.8 server on Ubuntu 14.04, as well as the OSSEC WebUI and the AnaLogi dashboard. Nice job!
  7. To uninstall OSSEC, check out the blog by Remy van Elst here.