New features and bug fixes:
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add 'manage_agents -f' option for bulk generation of client keys from an input file.
- Add prelinking support – reduce confusion when a file change is the result of prelinking. (Beta-1: We realize there is a performance penalty. Please report if you notice a performance impact.)
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation. (Beta-1: Fixed potential string buffer overflow issues).
Alert options and syslog output
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
Rules and other notable changes/fixes
- Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
- Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
- Updated decoders include: PIX, auditd, apache, pam, php…
- Many updated rules, such as new checks for exploitation attempts against vulnerable web apps.
- Updated rootcheck rules
- ossec-client.sh now allows for 'reload', in addition to 'restart'
- Many bug fixes…
- Windows Agent 2.7 Beta-1
How to test the BETA?
Download the beta-1 package from here.
How to report bugs, contribute bug fixes?
Please post successful testing of features to the Google group 'ossec-dev', with a subject line starting with an identifier such as [2.7-beta1-rootcheck]; do the same when reporting bugs and providing bug fixes. If privacy is a concern, you can send email to us at ossecproject @ gmail.com.
JB Cheng – 2012-09-24