OSSEC v1.5 released

May 1st, 2008 by dcid

From http://www.ossec.net/main/ossec-v15-released :

We are very pleased to announce the general availability of OSSEC version 1.5. This version comes with lots of bug fixes and new features, including:

-New log formats:

  • Solaris BSM auditing logs
  • Asterisk logs
  • Checkpoint and Smart Defense logs
  • Debian package (dpkg) install/status/remove messages
  • Shorewall logs
  • Postfix SASL error messages
  • Localized pure-ftpd messages (for 12 different languages)
  • DJB multilog

-Greek translation of the install.

-Added agent_control tool to manage the agents directly from the server.

-New options to syscheckd/rootcheckd to better schedule the scans.

-Performance improvements to the Windows Agent, especially when dealing with
large event logs.

-Added new options to Rootcheck to look for common web exploits installed
on the system (used to attack others).

Check the v1.5 Changelog to see all the changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

Special thanks to Martin West, Sebastien Tricaud, Giannis Vrentzos, Sandro Gauci, Michael Starks, Cedric Bleimling, Dean Takemori and Dennis Golden for the contributions and John Lewis, Daniel Medianero, John Ives and Derek Morris for beta testing this release.

Tags: ossec

v1.5 preview - New log rules/decoders

April 30th, 2008 by dcid

Version 1.5 comes with a lot of additions to our log analysis (or LIDS - Log-based IDS) capabilities. Some of the new log formats we now support are:

  • Solaris BSM auditing logs
  • Asterisk logs
  • Checkpoint and Smart Defense logs
  • Debian package (dpkg) install/status/remove messages
  • Shorewall logs
  • Postfix SASL error messages
  • Localized pure-ftpd messages (for 12 different languages)

In addition, we can now properly read DJB multilog files and run them through our decoders. To enable it, add a localfile entry like this to the configuration (this example reads sshd logs):

<localfile>
<log_format>djb-multilog</log_format>
<location>/var/log/sshd/current</location>
</localfile>
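The djb-multilog log_format exists because multilog does not write syslog-style lines: with -t it prefixes each line with a TAI64N label that an ordinary decoder would treat as garbage. The following is an added example, not OSSEC's own decoder, showing what that label looks like and how it is turned back into a UTC timestamp before the message is matched; it then runs a simple "failed password per source address" count over a few sample sshd lines constructed for this example. The leap-second offset (TAI minus UTC) is passed in by the caller, because it depends on when the log was written.

```python
"""Decode DJB multilog (daemontools) lines and run a simple check over them.

Added example, not OSSEC's own decoder. multilog -t prefixes each line
with a TAI64N label: '@', 16 hex digits of TAI seconds plus 2**62, then
8 hex digits of nanoseconds. The sample lines below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")
TAI64_OFFSET = 1 << 62
# sshd's message as written by OpenSSH; the source address is group 1.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def tai64n_to_datetime(seconds_hex, nanos_hex, tai_minus_utc):
    """TAI64N label -> aware UTC datetime.

    TAI runs ahead of UTC by the accumulated leap seconds, so the caller
    passes the offset that applied when the log was written: 33 s for
    2006-2008 (the period of this post), 37 s since 2017.
    """
    tai_seconds = int(seconds_hex, 16) - TAI64_OFFSET
    nanos = int(nanos_hex, 16)
    utc_seconds = tai_seconds - tai_minus_utc
    return (datetime.fromtimestamp(utc_seconds, tz=timezone.utc)
            + timedelta(microseconds=nanos // 1000))


def decode_multilog_line(line, tai_minus_utc=37):
    """Return (timestamp, message) or None when the line has no TAI64N label."""
    m = TAI64N_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return tai64n_to_datetime(m.group(1), m.group(2), tai_minus_utc), m.group(3)


def failed_logins_by_ip(lines, tai_minus_utc=37):
    """Count sshd 'Failed password' events per source address."""
    counts = Counter()
    for line in lines:
        decoded = decode_multilog_line(line, tai_minus_utc)
        if decoded is None:  # not a multilog line; a real decoder would log it
            continue
        m = FAILED_RE.search(decoded[1])
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


# Constructed sample: /var/log/sshd/current as written by multilog -t.
# 0x48190821 TAI seconds = 2008-05-01 00:00:00 UTC with a 33 s offset.
SAMPLE_LINES = [
    "@40000000481908210000abcd sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 44322 ssh2",
    "@4000000048190822000f4240 sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 44323 ssh2",
    "@40000000481908230001e240 sshd[12346]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2",
    "@4000000048190824000186a0 sshd[12347]: Failed password for root from 198.51.100.7 port 41000 ssh2",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ts, msg = decode_multilog_line(sample, tai_minus_utc=33)
        print(ts.isoformat(), msg)
    print(failed_logins_by_ip(SAMPLE_LINES, tai_minus_utc=33))
```

Note that the label carries TAI, not UTC; a decoder that simply drops the prefix and trusts the host clock, or forgets the leap-second offset, will put events a few dozen seconds off when correlating them with logs from other sources.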

Hope you enjoy OSSEC v1.5 when it is out :)

Tags: ossec

v1.5 preview - scan_time and scan_day on syscheck

April 28th, 2008 by dcid

This is a feature that has been requested for a while and is now finally available. In the past, the only way to specify when rootcheck/syscheck was supposed to run was the frequency (every 10 hours or every 2 days, for example).

The default configuration would always look like:

<syscheck>
..
<frequency>86000</frequency>
..
</syscheck>

On version 1.5, we have two additional options: scan_time and scan_day. They allow you to run the scans at specific times or on specific days of the week.

Example 1: Running syscheck/rootcheck every day at 11pm:

<syscheck>
..
<scan_time>23:00</scan_time>
..
</syscheck>

Example 2: Running syscheck/rootcheck on Tuesday, Thursday and Saturday at 9:30pm:

<syscheck>
..
<scan_time>9:30pm</scan_time>
<scan_day>tuesday, thursday, saturday</scan_day>
..
</syscheck>

Note that when you use scan_time and/or scan_day, the frequency option is ignored. Hope you enjoy!
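To check a schedule before rolling it out to agents, the following added example (not OSSEC code) parses a syscheck block and computes when the next scan would start under the rules above: frequency means "this many seconds after the previous scan", and scan_time/scan_day replace that interval with a wall-clock schedule. It accepts both time forms shown in the examples (23:00 and 9:30pm). One assumption the post does not state: a scan_day given without a scan_time is treated here as midnight.

```python
"""Work out when syscheck/rootcheck will next run from an OSSEC <syscheck>
block, following the scheduling rules described in the post.

Added example, not OSSEC code. Assumption: scan_day without scan_time
means 00:00 on the listed days.
"""
from datetime import datetime, timedelta
import re
import xml.etree.ElementTree as ET

DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]  # index == datetime.weekday()


def parse_scan_time(text):
    """Accept both forms shown in the post: '23:00' and '9:30pm'."""
    m = re.fullmatch(r"\s*(\d{1,2}):(\d{2})\s*(am|pm)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad scan_time: {text!r}")
    hour, minute = int(m.group(1)), int(m.group(2))
    meridiem = (m.group(3) or "").lower()
    if meridiem:
        if not 1 <= hour <= 12:
            raise ValueError(f"bad 12-hour scan_time: {text!r}")
        hour = hour % 12 + (12 if meridiem == "pm" else 0)
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"bad scan_time: {text!r}")
    return hour, minute


def parse_scan_day(text):
    """'tuesday, thursday, saturday' -> sorted weekday numbers [1, 3, 5]."""
    names = [d.strip().lower() for d in text.split(",") if d.strip()]
    bad = [d for d in names if d not in DAYS]
    if bad or not names:
        raise ValueError(f"bad scan_day: {text!r}")
    return sorted({DAYS.index(d) for d in names})


def parse_syscheck(xml_text):
    """Parse a <syscheck> element (or an <ossec_config> that contains one)."""
    root = ET.fromstring(xml_text)
    sc = root if root.tag == "syscheck" else root.find("syscheck")
    if sc is None:
        raise ValueError("no <syscheck> element")
    cfg = {"frequency": None, "scan_time": None, "scan_day": None}
    if sc.findtext("frequency") is not None:
        cfg["frequency"] = int(sc.findtext("frequency").strip())
    if sc.findtext("scan_time") is not None:
        cfg["scan_time"] = parse_scan_time(sc.findtext("scan_time"))
    if sc.findtext("scan_day") is not None:
        cfg["scan_day"] = parse_scan_day(sc.findtext("scan_day"))
    return cfg


def next_scan(cfg, now, last_scan=None):
    """Next scan start strictly after `now` (naive datetimes in agent local time)."""
    if cfg["scan_time"] is None and cfg["scan_day"] is None:
        # Interval mode: the pre-1.5 behaviour.
        if cfg["frequency"] is None:
            raise ValueError("no frequency and no scan_time/scan_day")
        return (last_scan or now) + timedelta(seconds=cfg["frequency"])
    # Wall-clock mode: frequency is ignored even if present.
    hour, minute = cfg["scan_time"] or (0, 0)  # assumption: midnight
    for offset in range(8):  # a weekday list always matches within a week
        day = now.date() + timedelta(days=offset)
        cand = datetime(day.year, day.month, day.day, hour, minute)
        if cand <= now:
            continue
        if cfg["scan_day"] is None or cand.weekday() in cfg["scan_day"]:
            return cand
    raise RuntimeError("unreachable")


# Constructed from the post's examples; EXAMPLE_DAYS also carries a
# frequency to show that it is ignored once scan_time/scan_day are set.
EXAMPLE_FREQUENCY = "<syscheck><frequency>86000</frequency></syscheck>"
EXAMPLE_DAILY = "<syscheck><scan_time>23:00</scan_time></syscheck>"
EXAMPLE_DAYS = ("<syscheck><frequency>3600</frequency><scan_time>9:30pm</scan_time>"
                "<scan_day>tuesday, thursday, saturday</scan_day></syscheck>")

if __name__ == "__main__":
    now = datetime(2008, 5, 1, 10, 0)  # a Thursday
    for name, xml_text in [("frequency", EXAMPLE_FREQUENCY),
                           ("daily", EXAMPLE_DAILY), ("days", EXAMPLE_DAYS)]:
        print(name, next_scan(parse_syscheck(xml_text), now, last_scan=now))
```

The times are interpreted in the agent's local clock, so a fleet spanning time zones scans at different absolute moments; that matters if you are trying to keep file-integrity scans away from a nightly batch window on the server.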

Tags: ossec

v1.5 preview - agent_control

April 25th, 2008 by dcid

Version 1.5 will come with a new utility binary, called agent_control (by default located at /var/ossec/bin/agent_control).

It lets you query information from any agent configured on your server, and it also lets you start (run now) the syscheck/rootcheck scan on any agent.

How does it work? The first interesting command is “-lc”, to list the connected (active) agents. To list all of them, active or not, use “-l” only.

Example 1: Listing all active agents:

# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active/Local
ID: 002, Name: winhome, IP: 192.168.2.190, Active
ID: 005, Name: jul, IP: 192.168.2.0/24, Active
ID: 165, Name: esqueleto2, IP: 192.168.2.99, Active
ID: 174, Name: lili3win, IP: 192.168.2.0/24, Active

To query an agent, just use the “-i” option followed by the agent id.

Example 2: Querying information from agent 002:

# /var/ossec/bin/agent_control -i 002

OSSEC HIDS agent_control. Agent information:
Agent ID: 002
Agent Name: winhome
IP address: 192.168.2.190
Status: Active

Operating system: Microsoft Windows XP Professional (Build 2600)
Client version: OSSEC HIDS v1.5-SNP-080412
Last keep alive: Fri Apr 25 14:33:03 2008

Syscheck last started at: Fri Apr 25 05:07:13 2008
Rootcheck last started at: Fri Apr 25 09:04:12 2008

To execute the syscheck/rootcheck scan immediately, use the “-r” option followed by “-u” and the agent id.

Example 3: Executing syscheck and rootcheck scan immediately:

# /var/ossec/bin/agent_control -r -u 000

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck locally.

For more information, just run it with the “-h” option:

# /var/ossec/bin/agent_control -h

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List active agents.
-i Extracts information from an agent.
-r -a Runs the integrity/rootkit checking on all agents now.
-r -u Runs the integrity/rootkit checking on one agent now.

-s Changed the output to CSV (comma delimited).
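Because agent_control prints one line per agent and a fixed set of "Last keep alive" / "last started at" fields, it is easy to wrap in a small cron job that reports agents which have gone quiet or whose scans never ran. The following is an added example, not part of OSSEC: it parses the listing and agent-information output in the formats shown above. The sample text is constructed from the output in this post; the "Disconnected" status value for a non-active agent in a -l listing is an assumption, as is the 30-minute silence threshold.

```python
"""Turn agent_control output into a stale-agent report.

Added example, not part of OSSEC. Parses the '-l'/'-lc' listing and the
'-i <id>' information block in the formats shown in the post. Sample
data below is constructed; 'Disconnected' as a status string is assumed.
"""
from datetime import datetime, timedelta
import re
import subprocess

AGENT_CONTROL = "/var/ossec/bin/agent_control"
LIST_RE = re.compile(r"^ID: (\d+), Name: (\S+)(?: \(server\))?, IP: (\S+), (.+)$")
# Timestamps are printed in ctime() form in the server's local time.
INFO_RE = re.compile(r"^(Last keep alive|Syscheck last started at|Rootcheck last started at): (.+)$")
CTIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_listing(text):
    """'ID: 002, Name: winhome, IP: 192.168.2.190, Active' -> dicts."""
    agents = []
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            agents.append({"id": m.group(1), "name": m.group(2),
                           "ip": m.group(3), "status": m.group(4).strip()})
    return agents


def parse_agent_info(text):
    """Extract the three timestamps from 'agent_control -i' output.

    A value that is not a ctime() timestamp (e.g. an agent that never
    connected) is stored as None rather than raising.
    """
    info = {}
    for line in text.splitlines():
        m = INFO_RE.match(line.strip())
        if not m:
            continue
        try:
            info[m.group(1)] = datetime.strptime(m.group(2).strip(), CTIME_FMT)
        except ValueError:
            info[m.group(1)] = None
    return info


def stale_agents(listing_text, info_by_id, now, max_silence=timedelta(minutes=30)):
    """Return (id, name, reason) for every agent that needs attention."""
    problems = []
    for a in parse_listing(listing_text):
        if a["status"].startswith("Active/Local"):  # the server itself
            continue
        if not a["status"].startswith("Active"):
            problems.append((a["id"], a["name"], f"status {a['status']}"))
            continue
        info = parse_agent_info(info_by_id.get(a["id"], ""))
        keepalive = info.get("Last keep alive")
        if keepalive is None:
            problems.append((a["id"], a["name"], "no keepalive timestamp"))
        elif now - keepalive > max_silence:
            problems.append((a["id"], a["name"], f"silent for {now - keepalive}"))
    return problems


def run_agent_control(*args):
    """Invoke the real binary; only main() uses it, so the sample data runs offline."""
    proc = subprocess.run([AGENT_CONTROL, *args], capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed from the listing and agent info shown in the post.
SAMPLE_LISTING = """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: winhome, IP: 192.168.2.190, Active
   ID: 005, Name: jul, IP: 192.168.2.0/24, Active
   ID: 165, Name: esqueleto2, IP: 192.168.2.99, Disconnected
"""
SAMPLE_INFO = {
    "002": """OSSEC HIDS agent_control. Agent information:
   Agent ID: 002
   Agent Name: winhome
   IP address: 192.168.2.190
   Status: Active

   Operating system: Microsoft Windows XP Professional (Build 2600)
   Client version: OSSEC HIDS v1.5-SNP-080412
   Last keep alive: Fri Apr 25 14:33:03 2008

   Syscheck last started at: Fri Apr 25 05:07:13 2008
   Rootcheck last started at: Fri Apr 25 09:04:12 2008
""",
    "005": "   Last keep alive: Fri Apr 25 12:00:00 2008\n",
}

if __name__ == "__main__":
    listing = run_agent_control("-l")
    infos = {a["id"]: run_agent_control("-i", a["id"]) for a in parse_listing(listing)}
    for agent_id, name, reason in stale_agents(listing, infos, datetime.now()):
        print(f"{agent_id} {name}: {reason}")
```

An agent that is "Active" but silent for longer than its keepalive interval is the case worth alerting on: the agent key is still valid, but nothing is reporting, which is exactly what you see after a host is rebuilt, its clock jumps, or the agent is killed.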

Tags: ossec

OSSEC on Hackontest

April 25th, 2008 by dcid

OSSEC is part of the Hackontest, a 24-hour programming marathon, and we are looking for contributions…

First, you can register to request features that we would develop during this 24-hour period. I already added a couple, but the more the better. Second, you can vote on the submitted features, and the one that receives the most votes is going to be chosen.

Our page is at:
http://www.hackontest.org/index.php?action=Root-projectDetail(32)

If you are a developer, you can click on a feature and choose to help implement it… If we are chosen, our team (whoever registers to implement it) is going to Switzerland for the contest!

So, votes, features, ideas and developers are welcome..

Tags: ossec

OSSEC v1.5 beta1 available

April 13th, 2008 by dcid

Version 1.5 is very close and we need some help beta testing it. As I always say, trying out our beta releases is a simple and very effective way to help the project.

How can you test it?
We created an entry in our Wiki with all the information necessary regarding beta testing. The test sets are very simple, but I plan to improve them as we progress. Download information, what to test and everything else is there.

What are the new features?
Check the Wiki page as well.

Any help is very appreciated.

Tags: ossec

OSSEC at The Academy

March 26th, 2008 by dcid

The OSSEC project is now an official partner/sponsor of The Academy.

They already have videos showing how to install OSSEC (on Unix and Windows) and will be giving away a copy of the new OSSEC book to one of their registered users. More information at their site.

From: http://www.ossec.net/main/ossec-at-the-academy

Tags: ossec · theacademy

Using OSSEC to detect attacks on an Asterisk box

March 24th, 2008 by dcid

Sandro Gauci wrote a very interesting article showing how to add support for Asterisk Logs on OSSEC. Enjoy:

Using OSSEC to detect attacks on an Asterisk box

Tags: ossec · log analysis

OSSEC Web UI v0.3 available

March 5th, 2008 by dcid

We are pleased to announce the public availability of OSSEC Web UI (oswui) version 0.3. This new version comes with a new design, lots of bug fixes, speed improvements and a major code reorganization. Some of the bugs fixed include 67, 89, 90, 91, 103 and 114-117 from our bugzilla.

Installation instructions available at: Wiki OSSECWUI:Install

Download it at: Downloads page.

Official announcement: http://www.ossec.net/main/ossec-web-ui-v03-available

Special thanks to Chris Abernethy for the huge contributions and Daniel Medianero and Liliane Cid for beta testing this new version.

Tags: ossec-ui

OSSEC Web UI v0.3 beta 1 available

February 29th, 2008 by dcid

After a long time without updates, we finally have a new version of the web interface. It has a new design, lots of bug fixes and internal code changes (refactoring). Thanks to Chris Abernethy for his hard work improving it.

As I mentioned before, the best way to get involved in the project is by helping us test our beta releases. If you do so, please let us know how it went.

You can download the beta 1 from here.

You can follow the same steps as mentioned here to install.

Let us know of any bugs or suggestions that you may have.

Tags: ossec-ui