Monday, November 19, 2012

OSSEC 2.7 Released

Go straight to Download page!

OSSEC 2.7 key features:

  1. Installation
    • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
    • Add  manage_agents -f option for bulk generation of client keys from an input file.
    • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
  2. Syscheck
    • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  3. Rootcheck
    • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  4. Log monitoring/analysis
    • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  5. Alert options and syslog output
    • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
    • Support JSON and Splunk formats in syslog output.
  6. Rules and other notable changes/fixes
    • Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
    • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
    • Update decoders include: PIX, auditd, apache, pam, php.
    • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
    • Update rootcheck rules.
    • now allows for ‘reload’, in addition to ‘restart’
    • Many bug fixes…
  7. LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2


  1. I am trying to install OSSEC on Solaris 10. I initially downloaded the source, but neither did the work, or making it from the Makefile. Someone suggested I go here:

    And download the source from there. I did so. The still get a syntax error, but I was able to perform a "make all" and compile everything. I had previously made /var/ossec and the "make all" populated some of the directories, but bin seems rather empty. If I do a "make server", I get:

    make server
    cp: cannot access ../bin/ossec*
    cp: cannot access ../bin/manage_agents
    cp: cannot access ../bin/syscheck_update
    cp: cannot access ../bin/verify-agent-conf
    cp: cannot access ../bin/clear_stats
    cp: cannot access ../bin/list_agents
    cp: cannot access ../bin/agent_control
    cp: cannot access ../bin/syscheck_control
    cp: cannot access ../bin/rootcheck_control

  2. See Google group 'ossec-list' for discussion on this issue.