OSSEC version 1.2 is now available.

Caveats if updating:

* Make sure to update your OSSEC server before any agent.

It has the following new features and fixes:

- Fixed init script for Debian-based systems (it was reporting all of them as Ubuntu). (Patch by Robert Millan [ackstorm])
- Added new named rules (12110, 12111) to detect zone transfer errors. (Submitted by Leonardo Goldim)
- Added additional information to queue error messages. (Patch submitted by Robert Millan [ackstorm])
- Added support for Enterasys Dragon logs.
- Added escape for the "|" character in the regex library.
- Ignored false-positive rootkit entries for SUSE and Ubuntu Linux systems. (Thanks LNick and Peter Kaye for the report.)
- Added support for OpenBSD PF logs. (By Liliane Cid.)
- Added new decoder option "plugin_decoder" to allow compiled decoders to be used within OSSEC (useful for complex logs where regexes are not enough).
- Fixed init scripts to better handle incorrect shutdowns.
- Fixed endianness issue on HP-UX. (Thanks Nick Baronian for testing it.)
- Added "srcport", "dstport", "same_src_port", "same_dst_port" and "same_location" as options to the rules. (Thanks Michael Starks for the suggestion.)
- Added "maild.full_subject" to internal_options.conf to allow more verbose subjects on the e-mail notifications (set it to "1" to include the rule description). (Thanks Michael Starks for the suggestion.)
- Added Windows event IDs 659 and 660 to the group change rule (18114). (By Michael Starks.)
- Merged rootcheck and syscheck output into valid rules (inside ossec_rules.xml). It is much easier now to remove/ignore certain patterns.
- Added more granular e-mail options. We included "sms" for e-mail output, and "group", "rule_id" and "do_not_delay" so that alerts are not grouped. Summary of all the options: xx@xx.com agent_name syslog|apache 1003, 1009 10 sms
- Updated mod_security rule 30118 to support version 2.1. (Thanks Sioban.)
- Updated PIX rules to support ASA/PIX failover messages. (By Michael Starks.)
- Added support for Zeus WebServer logs. (Thanks Chris Buckley for the help/logs.)
- Fixed limitation within analysisd that only allowed "analysisd.stats_percent_diff" to be up to 99%. Increased it to 999%. (Thanks Thorne Lawler at kaz-group.com for the report.)
- Fixed bug in the overwrite rule attribute that was not working with composite rules. (Submitted by chr1s at runbox.com.)
- Multiple improvements to the Windows rules (more granular, etc.). (By Michael Starks.)
- Changed output from event logs so that it no longer contains tabs between argument and value.
- Added support for daily/chained checksum of alert logs. More information: http://www.ossec.net/wiki/index.php/Know_How:LogSign
- Large re-work of the internal architecture of analysisd, greatly improving performance and organization.
- Fixed IIS 6 decoder to extract the uri-query field. (Patch by Worawit Wang)

To download the new version: http://www.ossec.net/en/downloads.html

We want to thank everyone else who sent comments, suggestions or just some nice words to us! We really appreciate the feedback!

Daniel B. Cid (on behalf of the OSSEC team)
http://www.ossec.net/en/about.html#dev-team
http://www.ossec.net/announcements/v1.2-2007-05-16.txt
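As an added example (not part of the announcement), here is an ossec.conf fragment that uses the granular e-mail options summarized above, with the values in the same order as the summary. Only "do_not_delay" is named on this page; the element names email_to, event_location, group, rule_id, level and format are assumed from the OSSEC configuration syntax.

```xml
<ossec_config>
  <!-- Added example: one granular e-mail alert filter.
       Element names other than do_not_delay are assumed, not taken from the announcement. -->
  <email_alerts>
    <email_to>xx@xx.com</email_to>                  <!-- recipient for this filter -->
    <event_location>agent_name</event_location>    <!-- only events from this agent -->
    <group>syslog|apache</group>                    <!-- only rules in these groups -->
    <rule_id>1003, 1009</rule_id>                   <!-- only these rule ids -->
    <level>10</level>                               <!-- minimum alert level -->
    <format>sms</format>                            <!-- short SMS-style e-mail body -->
    <do_not_delay />                                <!-- send immediately, do not group -->
  </email_alerts>
</ossec_config>
```

Each filter element narrows the match further, so a single block like this sends an SMS-style message only for the listed rules, from the named agent, at level 10 or above.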