==OSSEC v1.5 CHANGELOG (May 02, 2008)==

We are pleased to announce the general availability of OSSEC version 1.5. This version comes with lots of bug fixes and new features, including:

- New log formats:
  * Solaris BSM auditing logs
  * Asterisk logs
  * Checkpoint and Smart Defense logs
  * Debian package (dpkg) install/status/remove messages
  * Shorewall logs
  * Postfix SASL error messages
  * Localized pure-ftpd messages (for 12 different languages)
  * DJB multilog
  http://www.ossec.net/dcid/?p=132
- Added Greek translation of the install.
- Added agent_control tool to manage the agents directly from the server.
  http://www.ossec.net/dcid/?p=130
- Added multiple options to syscheckd/rootcheckd to better schedule the scans.
  http://www.ossec.net/dcid/?p=131
- Performance improvements to the Windows agent, especially when dealing with large event logs.
- Added new options to Rootcheck to look for common web exploits installed on the system (used to attack others).

Download it from: http://www.ossec.net/main/downloads

***If updating, make sure to upgrade the OSSEC server FIRST, before any agent.

In addition to the above changes, this release comes with the following bug fixes and new features:

- Fixed duplicated rule id in syslog_rules.xml (thanks to Dominique Karg for the report).
- Fixed bug in the database support that was not working properly with MySQL.
  http://www.ossec.net/bugs/show_bug.cgi?id=106 (Thanks to tol at sics.se for the report).
- Fixed bug in the dbmake script that wasn't recognizing PostgreSQL libraries on 64-bit systems.
  http://www.ossec.net/bugs/show_bug.cgi?id=101 (Thanks to Brad Lhotsky for the report).
- Fixed bug in the database output that was crashing on rules without a description.
  http://www.ossec.net/bugs/show_bug.cgi?id=102 (Thanks to Brad Lhotsky for the report).
- Changed the way we look for MySQL libraries to use mysql_config.
  http://www.ossec.net/bugs/show_bug.cgi?id=104
  http://www.ossec.net/bugs/show_bug.cgi?id=105 (Thanks to tol at sics.se for the report).
- Fixed bug in the granular alerts where it was segfaulting if more than 3 rules were specified.
  http://www.ossec.net/bugs/show_bug.cgi?id=115 (Thanks to Peter M. Abraham for the report).
- Fixed Courier decoder that wasn't matching on all possible logs. (Thanks to Matthew Steven for the report).
- Fixed bug in ossec-maild that was crashing if no logs were being generated during log rotation (affecting small installations with few logs/second).
- Added rules for ADSL (to alert on line-down and line-up). (By Martin West).
- Fixed problem where duplicated syslog messages were not being properly tested. (Reported by Martin West).
- Added a few options to the prelude output configuration. (By Sebastien Tricaud).
- Fixed bug with the binary installs that were still looking for "make".
- Changed name requirement in the install to allow dots. (Reported by Alberto Avi).
- Improved error handling and issues when the maximum number of agents is reached.
- Added support for Solaris BSM auditing logs.
- Fixed analysisd to make sure it compiles on old systems. (By Panayotis).
- Added support for multiple servers per agent. If one server is not available, the agent will fall back to the second one.
- Added agent_control binary to allow managing the agents directly from the server.
- Added ability to run syscheck/rootcheck scans immediately, outside the normal scheduled time.
- Added the time of the last syscheck scan into the rootcheck queue. This information is now available in list_agents and agent_control.
- Added multiple checks looking for web exploits. Based on research at:
  https://www.ossec.net/wiki/index.php/WebAttacks_links
- Added Greek translation of the install. (By Giannis Vrentzos).
- Added rules for Asterisk. (Contributed by Sandro Gauci of enablesecurity.com).
- Changed the internal logging (ossec.log) to include the severity of the messages.
- Added a few more granular Windows rules to alert on applications being installed/uninstalled and some policy changes. (By Michael Starks).
- Fixed Squid pre-decoder to support new dates (it will stop working some day in 2008).
- Lots of performance improvements on Windows (especially with large event logs).
- Added support for DJB multilog logs. Use the log_format "djb-multilog" in the configuration.
- Added translation of the pure-ftpd rules to 12 languages. They are inside /var/ossec/rules/translation/ and can replace the original ones if the system is configured with a different locale. (Thanks to Cedric Bleimling for the work).
- Added init scripts to create the users under Mac OS X 10.5. (By Derek Spransy and Charlie Scott).
- Fixed timeout issues with the agent on Windows 2003.
- Added support for Checkpoint firewall and IDS logs. (Thanks to Dean Takemori for the logs and decoders).
- Added support for Shorewall firewall logs (iptables-based). (Thanks to Dean Takemori for the logs).
- Added scan_time and scan_day options to syscheck. They can be used to configure it to run at specific times, instead of by frequency.
- Fixed rootcheck when run with the -s flag (not within OSSEC). (Thanks to brpodol at sandia.gov for the patch).
- Fixed init scripts to work properly on Solaris 10 (OLDPWD not available). (Thanks to Michael L. Richards for the patch).
- Added support for Debian package (dpkg) logs.
- Added support for Postfix SASL error messages. (Thanks to Dennis Golden for the logs).
- Improvements to the database support to allow the usage of port/sock options. (Thanks to genanr at allantgroup.com for the patch).

To download the new version: http://www.ossec.net/main/downloads

We want to thank everyone who sent comments, suggestions or just some nice words to us! We really appreciate the feedback!

Daniel B. Cid (on behalf of the OSSEC team).
http://www.ossec.net/main/about
http://www.ossec.net/announcements/v1.5-2008-05-02.txt
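As an added illustration that is not part of the original announcement, the ossec.conf fragments below exercise three of the options listed above: the "djb-multilog" log_format, syscheck's scan_time/scan_day scheduling, and a second server-ip entry on an agent for fallback. The log path, IP addresses and monitored directories are placeholders chosen for the example.

```xml
<!-- Server (or standalone) side: ossec.conf -->
<ossec_config>
  <!-- Collect a DJB multilog-formatted log; the path is an assumed
       multilog "current" file, not one named in the release notes. -->
  <localfile>
    <log_format>djb-multilog</log_format>
    <location>/var/log/qmail/current</location>
  </localfile>

  <!-- Run the integrity scan at a fixed time and day instead of every
       <frequency> seconds. Pinning scans to an off-peak window keeps the
       syscheck load predictable on hosts with large file sets. -->
  <syscheck>
    <scan_time>10pm</scan_time>
    <scan_day>sunday</scan_day>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>

<!-- Agent side: ossec.conf -->
<ossec_config>
  <!-- Two manager addresses (placeholders): if the first is unreachable,
       the 1.5 agent falls back to the second one. -->
  <client>
    <server-ip>192.0.2.10</server-ip>
    <server-ip>192.0.2.11</server-ip>
  </client>
</ossec_config>
```

With the fixed schedule in place, an out-of-schedule scan can still be triggered from the manager with the new agent_control tool (agent_control -r -u <agent_id> for one agent, or -r -a for all), which is how the "run syscheck/rootcheck immediately" item above is exposed.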