It has been over a year since the release of OSSEC 2.6 in July 2011. Through all this time many developers have contributed patches and many users have tested several pre-release builds. A sincere THANKS to all of you.The key enhancements in v2.7 are:

1. Installation
   • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
   • Add  manage_agents -f option for bulk generation of client keys from an input file.
   • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
2. Syscheck
   • Add prelinking support – reduce confusion when a file change is the result of prelinking.
3. Rootcheck
   • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
4. Log monitoring/analysis
   • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
5. Alert options and syslog output
   • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
   • Support JSON and Splunk formats in syslog output.
6. Rules and other notable changes/fixes
   • Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
   • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
   • Update decoders include: PIX, auditd, apache, pam, php.
   • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
   • Update rootcheck rules.
   • ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
   • Many bug fixes…
7. LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2

Download OSSEC 2.7 package from here.

Jia-bing(JB) Cheng
November 19, 2012