Friday, July 27, 2012

So You Want to Help OSSEC Development

Here is a list of tasks and areas where you can help. The next release will be 2.7, focusing on bug fixes and small enhancements. Bigger enhancements are deferred to a future release, marked as 3.0 for now. 'Doc' marks the areas for documentation. You can volunteer for any item marked with (TBD).

  1. Bugs / enhancement requests
    • a) Document the current development process (jbcheng).
    • b) 2.7 - Release Coordinator (jbcheng)
    • c) 2.7 - BitBucket existing open issues prioritization (DONE mstarks01)
    • d) 2.7 - Work on one or more of the open issues (DONE,
    • e) 2.7 - Beta test volunteers (ALL Sep. 12 - Oct. 12, 2012) 
    • f) Anyone can submit new bugs/enhancement requests to the jbcheng BitBucket repository, or to the ossec-dev Google group.
    • g) 3.0 - An auto regression framework to make sure bug fixes do not break existing functionality (TBD). 
  2. Rules tuning - to reduce the noise level 
    • a) 2.7 - Linux rules are OK in general; but Windows rules can be tuned to reduce the number of alerts by default (Some adjustments have been done in v2.7-beta).
    • b) 2.x - Further gathering of feedback and adjustment of Windows rules. By default, email alerts should be meaningful and actionable (stay consistent and informative) while the rest can be viewed in a GUI (TBD).
    • c) 2.7 - Test whether the <do_not_group> configuration option for putting multiple alerts in one email works as expected (TBD).
    • d) 3.0 - Suggestion to tie rule alert levels with business risk factor for different assets, so non-critical assets do not trigger email notifications.
    • e) 3.0 - Suggestion to tie alert levels with different group characteristics. For example, admin group vs. normal groups.
  3. OSSEC deployment – Key exchange
    • a) Doc - Before ‘authd’ was available, deploying lots of OSSEC agents was very time consuming. ‘authd’ works on Linux, but some users experienced problems on Windows. Please write a success story of deploying Windows agents using ‘authd’ (TBD).
    • b) Doc - Write a success story of using Puppet for deploying OSSEC on Unix systems (TBD). 
    • c) Doc - Write a success story of using OCS-ng for OSSEC mass deployment (TBD). 
    • d) 3.0 - Make a Windows Agent MSI build so users can leverage Active Directory group policy for Windows agent deployment (mstarks01)
    • e) 2.7 - RPM and other installation packages (TBD)
    • f) 3.0 - Make mass deployment easy. It should “just work” (TBD).
  4. More frequent Rule and Decoder Updates 
    • a) 3.0 - Current OSSEC rules are coupled with OSSEC releases. Decoupling them will allow faster response to current and emerging threats with faster rule fixes. Need help on architectural design (TBD)
    • b) 2.7 - Decoders/Rules enhancements (DONE since 2.7-beta)
    • c) 2.7 - Decoders/Rules testing (TBD)
    • d) 2.7 - Releasing (jbcheng)
  5. WUI – Web User Interface (current release 0.3, next release 0.4)
    • a) 0.4 - Fix OSSEC WUI 0.3 where it is incompatible with OSSEC 2.6. For example, the IP address and Date fields got mixed up (TBD).
    • b) 0.5 - Viewing alerts is currently via text display only. It would be nice to have a CSV output option.
    • c) 0.5 - WUI reporting can be enhanced to become more useful.
  6. Web site
    • a) Doc - The web site has been restructured with a new look and better navigation. Anyone can report broken links or missing information to (ANY).
    • b) Doc - The Wiki feature on the old web site has been discontinued due to extensive spam trouble. Important content will be reproduced as static pages at user’s request (Vic, DONE in the new
    • c) Doc - Collect/create OSSEC tutorial videos on YouTube (TBD)
    • d) Demo - Create a live demo OSSEC server, ideally with agents in virtual machines (TBD)
    • e) Virtual machine - Revisit the Virtual Machine image effort, which may contain the OSSEC manager, WUI and even some 3rd party tools preinstalled (TBD).
  7. Interface with 3rd party tools
    • a) Doc - Write a blog about Snort -> OSSEC -> Splunk (TBD)
    • b) Doc - Write a blog about integrating OSSEC -> ELSA (TBD)
    • c) 3.0 - Investigate possible synergy between Hadoop and OSSEC (TBD)
    • d) Make syslog output enhancement – adding File Integrity checksum to alert output so it can be used for lookups (refer to : and (mstarks01, DONE in 2.7-beta1)


  1. Hey JB,

    I would like to contribute to most of part 3 ... next step? (~4000 Linux, ~600 Win)

    (company to be disclosed once I get some approval)

  2. Please post to Google Group 'ossec-dev' for general contribution to the public. For private communication, contact my email address as shown on

    Once the content is reviewed, we may decide to officially publish it on the web site, or to include the source code/rules in the next OSSEC release.

  3. This comment has been removed by a blog administrator.

  4. Marry, Spam message is not welcome here!