OSSEC version 1.1 is now available.

Caveats if updating:
* Make sure to fully stop ossec (if upgrading from 0.9).
* Make sure to update your ossec server before any agent.

It has the following new features and fixes:

-Added support for IIS 6 log formats. (Thanks Michael Starks for the logs).
-Added support for Windows event logs from Snare. (Thanks Michael Starks for the logs).
-Added support for tabs (\t) in the regex library.
-Changed FTS on Windows logs to be case insensitive. (Thanks Michael Starks for the idea).
-Fixed bug in if_matched_group that was improperly searching the groups (causing false positives).
-Fixed wrong message in the stats notification. (Thanks Wilfried for the report).
-Added support for hostnames in the server-ip configuration. Use "server-hostname" to specify it.
-Added rules/decoders for the Cisco VPN concentrator.
-Added rules for PIX VPN (AAA) logs. (Thanks Isaac Straley for the logs).
-Fixed bug where pending active responses were not being removed after a clean shutdown.
-Fixed Apache decoder to make it work in countries east of Greenwich.
-Added granular e-mail configuration options. Extra email_alerts options can be added based on the severity or the event location. The example below sends alerts to xx@yy.com for severity >= 10:

 <email_alerts>
  <email_to>xx@yy.com</email_to>
  <level>10</level>
 </email_alerts>

-Fixed error on SETGID_ERROR messages, causing manage_agents to segfault. (Thanks Robert Millan for the patch).
-Added "type sregex" for the ignore entries on syscheck. It allows simple regular expressions (match style) to be used.
-Added check to ignore duplicated entries in syscheckd ignore/registry_ignore entries.
-Fixed alert in syscheckd to handle the case when a file was removed and then added back again (it was generating an incorrect alert).
-Added "\$" escape to the os_regex library.
-Fixed issue with active responses and the "analysisd" location. (Thanks to Marco Supino for the report).
-Added support for Solaris 10 and OpenBSD su messages.
-Added support for Symantec anti-virus logs from the Windows event log.
-Fixed issue where child rules were not inheriting all the logs from the parent. (Thanks David J. Bianco for the report).
-Increased timeout values for Windows agents.
-Improved Windows installer to use the NSIS Modern UI.
-Added "-a" argument to syscheck-update to update every agent.
-Improved manage-agents to clear the agent information during removal.
-Removed some false positive entries from rootcheck. Added entries for the "Solaris worm": http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
-Added overwrite attribute to the rules. It allows an entire rule to be overwritten (same rule id, overwrite="yes"; the level attribute is still required even if unchanged). Example to overwrite rule 1002:

 <rule id="1002" level="2" overwrite="yes">
  <match>Segmentation|XYZ</match>
  <description>Rule 1002 overwritten.</description>
 </rule>

-Added option 'maild.groupping' to internal_options.conf to disallow the grouping of alerts in one e-mail.
-Added null route active response to block IPs using the routing table. (Done by Ivan Lotina).
-Added decoder for FWSM. (Thanks David J. Bianco for the patch).

To download the new version:
http://www.ossec.net/en/downloads.html

We want to thank everyone else who sent comments, suggestions or just some nice words to us! We really appreciate the feedback!

Daniel B. Cid (on behalf of the OSSEC team).
http://www.ossec.net/en/about.html#dev-team
http://www.ossec.net/announcements/v1.1-2007-03-12.txt
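The following is an added example, not part of the announcement or of the OSSEC distribution, showing where the configuration-facing changes listed above (server-hostname, granular email_alerts by severity and by event location, syscheck ignore with type="sregex", and the null-route active response) fit in ossec.conf. The hostname, e-mail addresses, the "www-" location prefix, the ".swp" suffix and the level/timeout values are placeholders chosen for illustration; the first block belongs in each agent's ossec.conf, the rest in the server's.

```xml
<!-- Agent side (each agent's ossec.conf): resolve the server by name
     instead of server-ip. "ossec.example.com" is a placeholder. -->
<ossec_config>
  <client>
    <server-hostname>ossec.example.com</server-hostname>
  </client>
</ossec_config>

<!-- Server side (the manager's ossec.conf). -->
<ossec_config>
  <!-- Granular e-mail alerts: one email_alerts block per recipient and condition.
       Addresses are placeholders. The first block matches on rule level (>= 10),
       the second on the event location, i.e. the "agent->logfile" string,
       which is matched in sregex (match) style, so "www-" hits every agent
       whose name starts with that prefix. -->
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <level>10</level>
  </email_alerts>
  <email_alerts>
    <email_to>webteam@example.com</email_to>
    <event_location>www-</event_location>
  </email_alerts>

  <syscheck>
    <!-- A plain <ignore> is a literal path prefix. With type="sregex" the
         entry is a match-style expression (^ and $ anchors), so this one
         ignores editor swap files anywhere under the monitored directories. -->
    <ignore type="sregex">.swp$</ignore>
  </syscheck>

  <!-- Null-route active response: route-null.sh (contributed by Ivan Lotina,
       shipped in active-response/bin) adds a blackhole route for the source IP
       of any level >= 10 alert on the host that raised it, and the manager
       reverses it after <timeout> seconds. -->
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
  </command>
  <active-response>
    <command>route-null</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing, restart the manager before the agents (the update caveat above), and keep the null-route timeout finite: a blackhole route with no timeout survives until someone removes it by hand, which is the kind of self-inflicted outage active response is prone to when a rule misfires.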