==OSSEC v2.4 CHANGELOG (Apr 01, 2010)==

The following is the changelog for OSSEC version 2.4 and 2.4.1.

UPDATES for 2.4.1:

-Removed false positive from cback worm. (reported by Erik Zettel)
-Added support for using UTF-8 encoded strings in the rules (for Japanese, Chinese, etc).
-Fixed duplicated postfix rule.
-Fixed version number that was still pointing to 2.3.
-Fixed Windows rule 18110 to include the Vista event id. (reported by Michael Starks)
-Removed shell prompts during the Windows install. (patch by Michael Starks)
-Improved error handling during startup. It will call ossec-logtest to verify that the rules are properly formatted.
-Added binary (verify-agent-conf) to verify the agent.conf file. It must be run from the manager.
-Fixed frequency of courier rules. (patch by Atomic turtle)

Changelog:

-Added more options to filter by user and srcip on reportd.
-Fixed init script for Gentoo that was failing if OSSEC was not installed at /var/ossec. http://ossec.uservoice.com/pages/18254-general/suggestions/284923-etc-init-d-ossec-installation-reference
-Fixed false positives on su/sudo trojan signature for Ubuntu. http://ohioloco.ubuntuforums.org/showthread.php?p=8494734
-Added rules for Tru64 ftpd. (By Stephen Kreusch)
-Added rules for Tru64 rshd. (By Stephen Kreusch)
-Added rules for HP-UX cimserver. (By Stephen Kreusch)
-Added rules for Microsoft Security Essentials.
-Patched system audit checks to look at /etc/php.ini. (By Scott R. Shinn)
-Added MySQL timestamp to the schema (to improve performance). (By Scott R. Shinn)
-Fixed a memory leak on the Windows agent that was not properly closing the sockets. It would cause port exhaustion if the manager became unavailable for a long period of time. (By Paul Southerington)
-Fixed false positive in the rootcheck trojan rule for du. (Reported by Brian Mastenbrook)
-Added rules to ignore cron logout messages on Ubuntu/Debian.
-Fixed bug where only the first lines of the logs were stored in the database output.
-Added support for logging from the agentless. (By Jeremy Rossi)
-Added additional rules options to the <info> tag (cve, link). (By Jeremy Rossi)
-Improved Prelude support by adding detailed change information on the integrity checking events. (By Jeremy Rossi)
-Added Windows netsh active response, for Windows 2003 and up. (By http://windowsnerd.com/)
-Improved ossec-logtest to be used for the forensic analysis of log files. http://www.ossec.net/dcid/?p=192
-Added daily summaries/reports option.
-Fixed bug where overwritten rules were not using the new ignore time. (Reported by Peter M. Abraham)
-Fixed wrong path to ipf on the firewall-drop active response for Solaris. (Reported by Borut Podlipnik)
-Fixed bug on the courier rules for failed login. (Reported by atomicturtle)
-Fixed bugs found by clang. (Patch by Jeremy Rossi)
-Added 'diff' option to rules (check_diff).
-Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc).
-Added rules to alert on Postfix starting and stopping.
-Improved decoder to match on Snare logs from Vista.
-Fixed performance issue when the FTS queue was too large. (reported by Burks, Doug)
-Added one-way option to the agent, to deal with systems where the manager can't talk back and respond to the keep alive requests.
-Fixed bug on smbd rules. (reported by trevor.a.b.mcleod@gmail.com)
-Fixed bug on ossec_dbd that was crashing with the check_diff option enabled. (reported by Dan)
-Added showlogs option to the daily reports.
-Fixed bug on the fts queue that was getting duplicated entries. (reported by Cristian Paul Peñaranda Roja)
-Removed false positive from the cback worm rootkit detection rule. (reported by Erik Zettel)

To download the new version:
http://www.ossec.net/main/downloads

We want to thank everyone who sent comments, suggestions or just some nice words to us! We really appreciate the feedback!

Daniel B. Cid (on behalf of the OSSEC team).
http://www.ossec.net/main/about
http://www.ossec.net/announcements/v2.4-2010-04-01.txt
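Two of the rule features listed above, the check_diff option and the cve/link types of the <info> tag, are easiest to understand in a rule that uses them. The following is an added illustration, not text from the announcement and not a rule shipped with OSSEC: a command-output monitor paired with a local rule that alerts only when the list of listening ports changes. The rule id (from the 100000-119999 range reserved for local rules), the level, the description and the link target are assumptions made for the example; rule 530 is the stock rule that matches every "ossec: output:" event, and the full_command log format is assumed to be available on the system running the command.

```xml
<!-- ossec.conf: run the command periodically and log its whole output as a
     single event. full_command (not command) is used so that check_diff in
     the rule below compares the complete output, not one line at a time. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN</command>
  </localfile>
</ossec_config>

<!-- local_rules.xml: illustrative rule, not part of the shipped rule set.
     Id 100100, level 7, description and link URL are assumptions. -->
<group name="local,netstat,">
  <rule id="100100" level="7">
    <!-- 530 fires on every "ossec: output:" event; narrow it to our command -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan | grep LISTEN'</match>
    <!-- check_diff stores the matched event and raises the alert only when
         the new output differs from the stored copy, so an unchanged
         listener list produces no alert on each run -->
    <check_diff />
    <description>Listening ports changed (port opened or closed).</description>
    <!-- info tags travel with the alert as references; type="cve" carries a
         CVE identifier the same way. The URL is a placeholder for the runbook
         or advisory you would actually link. -->
    <info type="link">http://www.ossec.net/main/about</info>
  </rule>
</group>
```

After adding the rule, run it through ossec-logtest (which 2.4.1 also invokes at startup to validate rule syntax) before restarting the manager; a malformed rule file is then caught in the test rather than at service start.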