Saturday, January 20, 2018

Monday, November 13, 2017

OSSEC has a new home

OSSEC has moved to a new home on GitHub.
You can find the latest releases here.
Check it out!

Tuesday, January 20, 2015

OSSEC 2.8.1 was released on September 9, 2014

OSSEC can be downloaded here. In terms of features, OSSEC 2.8.1 is the same as OSSEC 2.8, except that 2.8.1 includes a fix for the CVE-2014-5284 vulnerability, which allowed root escalation via temporary files. Go to the OSSEC GitHub repository for more information regarding this issue.

For a complete release history since 2.7, see What's New in OSSEC documentation.

Monday, July 7, 2014

OSSEC 2.8 Released

OSSEC 2.8 was released in June 2014 and can be downloaded here. After the move to GitHub in early 2014, many contributors joined and submitted excellent pull requests. Below is a copy of the release notes, which is a high-level summary of the major changes since 2.7.1. Refer to the GitHub commit history for a complete list.

Trend Micro, Inc.                                                  June 4, 2014
                       OSSEC "v2.8.0" Release Note

Summary of changes in v2.8.0 

=== Installation
    == Server
  - Avoided a crash of agentd on Solaris (danpop60)
    == Agent
  - Fixed manage_agents -f potential infinite loop (awiddersheim)
  - Added manage_agents -r <id> to remove an agent (awiddersheim)
  - Allow NIX agents to use the "-f" option and run in the foreground (awiddersheim)
  - Windows agent install/uninstall GUI enhancements (awiddersheim)
  - Windows agent_config profile fixed (gaelmuller)
  - Added eventchannel support for Windows agent on Vista or later (gaelmuller)
  - Many Windows agent bug fixes (awiddersheim)

=== Syscheck
  - Extended filesize from an integer to a long integer
  - Make syscheck/analysisd/remoted.debug in internal_options.conf work (awiddersheim)

=== ActiveResponse
  - Fix active-response on MAC OS Firewall (jknockaert)

=== Log monitoring/analysis
  - Add option to allow the outputting of all alerts to a zeromq PUB socket
    in JSON format, using cJSON library (jrossi, justintime32). New Config:
  - Add TimeGenerated to the output of Windows Event logs (awiddersheim)
  - os_net fixes, and code clean up in general (cgzones)
  - os_regex unit test cases added (cgzones)
  - os_xml review and fixes (cgzones)

=== Rules and Decoders
  - Added some additional sshd rules in sshd_rules.xml (joshgarnett)
  - Removed bro-ids rules (ddpbsd)
  - Removed event ID 676, 672 in msauth_rules.xml (mstarks01)

=== Contributions
  - (jrossi)
  - , a script to calculate events-per-second (mstarks01)

OSSEC 2.8 CONTRIBUTORS (GitHub usernames in alphabetical order): 
Brad Lhotsky
danpop60 (Solaris fix)
Joshua Garnett
Micha Nasriachi
Santiago Bassett

                               === END ===

Tuesday, January 28, 2014

OSSEC 2.7.1 and Beyond

OSSEC 2.7.1 was released in November 2013 and contained mostly bug fixes.
Since then, many new pull requests have been submitted and many developers are eager to contribute their talents. After considering many factors, it was decided that it is time to move the source code repository to GitHub. This is happening during the first quarter of 2014.

After the move, the future of OSSEC will be driven mainly by the community. There will be many opportunities for contributors/maintainers in the areas of source code, rule sets, and documentation. 
Please check in the next few weeks for the latest development. 

Monday, November 19, 2012

OSSEC 2.7 Released

Go straight to the Download page!

OSSEC 2.7 key features:

  1. Installation
    • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
    • Add manage_agents -f option for bulk generation of client keys from an input file.
    • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
  2. Syscheck
    • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  3. Rootcheck
    • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  4. Log monitoring/analysis
    • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  5. Alert options and syslog output
    • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
    • Support JSON and Splunk formats in syslog output.
  6. Rules and other notable changes/fixes
    • Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
    • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
    • Updated decoders include: PIX, auditd, apache, pam, php.
    • Many updated rules, such as new checks for exploitation attempts against vulnerable web apps.
    • Updated rootcheck rules.
    • now allows for ‘reload’, in addition to ‘restart’
    • Many bug fixes…
  7. LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2

Friday, July 27, 2012

So You Want to Help OSSEC Development

Here is a list of tasks/areas where you can help. The next release will be 2.7, focusing on bug fixes and small enhancements. Bigger enhancements are deferred to a future release, marked as 3.0 for now. 'Doc' marks the areas for documentation. You can volunteer for any item marked with (TBD).

  1. Bugs / enhancement requests
    • a) Document the current development process (jbcheng).
    • b) 2.7 - Release Coordinator (jbcheng)
    • c) 2.7 - BitBucket existing open issues prioritization (DONE mstarks01)
    • d) 2.7 - Work on one or more of the open issues (DONE,
    • e) 2.7 - Beta test volunteers (ALL Sep. 12 - Oct. 12, 2012) 
    • f) Anyone can submit new bugs/enhancement requests to BitBucket jbcheng repository, or to ossec-dev Google group.
    • g) 3.0 - An auto regression framework to make sure bug fixes do not break existing functionality (TBD). 
  2. Rules tuning - to reduce the noise level 
    • a) 2.7 - Linux rules are OK in general; but Windows rules can be tuned to reduce the number of alerts by default (Some adjustments have been done in v2.7-beta).
    • b) 2.x - Further gathering of feedback and adjustment of Windows rules. By default, email alerts should be meaningful and actionable (stay consistent and informative) while the rest can be viewed in a GUI (TBD).
    • c) 2.7 - To test whether the <do_not_group> configuration option for putting multiple alerts in one email works as expected or not (TBD).
    • d) 3.0 - Suggestion to tie rule alert levels with business risk factor for different assets, so non-critical assets do not trigger email notifications.
    • e) 3.0 - Suggestions to tie alert levels with different group characteristics. For example, admin group vs. normal groups.
  3. OSSEC deployment – Key exchange
    • a) Doc - Before ‘authd’ was available, deploying lots of OSSEC agents was very time consuming. ‘authd’ works on Linux, but some users experienced problems on Windows. Please write a success story of deploying Windows agents using ‘authd’ (TBD).
    • b) Doc - Write a success story of using Puppet for deploying OSSEC on Unix systems (TBD). 
    • c) Doc - Write a success story of using OCS-ng for OSSEC mass deployment (TBD). 
    • d) 3.0 - Making Windows Agent MSI build so users can leverage Active Directory group policy for Windows agent deployment (mstarks01)
    • e) 2.7 - RPM and other installation packages (TBD)
    • f) 3.0 - Make mass deployment easy. It should “just work” (TBD).
  4. More frequent Rule and Decoder Updates 
    • a) 3.0 - Current OSSEC rules are coupled with OSSEC releases. By decoupling them it will allow faster response to current and emerging threats with faster rule fixes. Need help on architectural design (TBD)
    • b) 2.7 - Decoders/Rules enhancements (DONE since 2.7-beta)
    • c) 2.7 - Decoders/Rules testing (TBD)
    • d) 2.7 - Releasing (jbcheng)
  5. WUI – Web User Interface (current release 0.3, next release 0.4)
    • a) 0.4 - Fix OSSEC WUI 0.3 where it is incompatible with OSSEC 2.6. For example, IP address and Date field got mixed up (TBD).
    • b) 0.5 - Viewing alerts is currently via text display only. It would be nice to have CSV output option. 
    • c) 0.5 - WUI reporting can be enhanced to become more useful.
  6. Web site –
    • a) Doc - The web site has been restructured with a new look and better navigation. Anyone can report broken links or missing information to (ANY).
    • b) Doc - The Wiki feature on the old web site has been discontinued due to extensive spam trouble. Important content will be reproduced as static pages at user’s request (Vic, DONE in the new
    • c) Doc - Collect/create OSSEC tutorial video on YouTube (TBD) 
    • d) Demo - Create a live demo OSSEC server, ideally with agents in virtual machines (TBD)
    • e) Virtual machine - Re-visit the Virtual Machine image effort, which may contain OSSEC manager, WUI and even some 3rd party tools preinstalled (TBD).
  7. Interface with 3rd party tools
    • a) Doc - Write a blog about Snort –> OSSEC –> Splunk (TBD)
    • b) Doc - Write a blog about integrating OSSEC –> ELSA (TBD)
    • c) 3.0 - Investigate possible synergy between Hadoop and OSSEC (TBD)
    • d) Make syslog output enhancement – adding File Integrity checksum to alert output so it can be used for lookups (refer to : and (mstarks01, DONE in 2.7-beta1)