From OSSEC Wiki

Beta Testing


Beta Testing goals

The goals of beta testing and QA (quality assurance) are the following:

  1. Make sure that everything that was working on previous versions still works correctly on the new one.
  2. Make sure your local rules still work and that it can still parse all your logs.
  3. Make sure that all the new features work as expected.
  4. Make sure that reported bugs were properly fixed.
  5. Make sure that the upgrade process still works on all platforms.
  6. Make sure it compiles fine on all platforms and operating systems. Try it on Solaris, NetBSD, FreeBSD, AIX, HP-UX, and any Linux distribution that you have.
  7. On Windows, make sure that the installation/upgrade works.


New features - v2.4

  1. Added support for MSE (Microsoft Security Essentials).
  2. Added support for daily reports.
  3. Added support for check_diff.
  4. Added a one-way option to the agent, to deal with systems where the manager can't talk back and respond to the keep-alive requests.
  5. Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc.).
  6. Improved ossec-logtest so it can be used for forensic analysis of log files.
  7. Added support for logging from the agentless modules.

A list with all changes is available at: http://www.ossec.net/announcements/v2.4-2010-04-01.txt


Beta Testing (II) - v2.4

Please note that the Beta 2 period runs from Mar 26 (Friday), 2010 to Mar 31, 2010.


Download


  * Please put any errors in red.
  * Create as many entries as you want, one per type or per hardware.
  * Also, let us know of all the log formats that you know are working (you tested).


Testing Table

  * Please follow the format above. Include your name, OS, logs and status of the test.

2010 Mar 22 (Daniel Cid):
OpenBSD 4.6
gcc 3.3.5 (no compilation warnings)
Logs: normal syslog (sshd, su, sudo, etc.)

2009 Mar 22 (Daniel Cid):
Ubuntu 9.04
gcc 4.2.4
Logs: normal syslog

2010 Mar 29 (Dan Parriott):
OpenBSD 4.7-beta AMD64 (ossec server)
gcc 3.3.5
Logs: syslog, arpwatch, apache, full command

2010 Mar 29 (Dan Parriott):
OpenBSD 4.7-beta macppc
gcc 3.3.5
Logs: syslog, nginx, nmap

2010 Mar 29 (Dan Parriott):
OpenBSD 4.7-beta i386
gcc 3.3.5
Logs: syslog

2010 Mar 29 (Earxtacy):
Debian Lenny
gcc 4.3
Logs: syslog, apache, vsftpd

Comments

2010 Mar 22 (Daniel Cid):
Post your comments in here, including what/how you tested, errors, etc
2010 Mar 29 (Dan Parriott):
Did not notice any issues with OpenBSD and Windows (lightly used, XP and Vista) hosts. 
Active response is working on the OpenBSD hosts. 
ossec-dbd has been working with the check_diff option since the 20100325 snapshot.
Daily reports have been working for fts and rule 1002 searches.
2010 Mar 29 (Earxtacy):

If you upgrade from OSSEC 2.0 to 2.3 or 2.4 and you choose to update the rules,
OSSEC will not start, with this error:

2010/04/01 09:56:53 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/04/01 09:56:53 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/04/01 09:56:53 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2010/04/01 09:56:53 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up.

I just did a logtest -f, and the result was that I use rule id 30114 in my local_rules.xml, which didn't exist anymore.
To resolve it, just delete all the rules that refer to this id.
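One way to catch this kind of dangling reference before restarting the manager after an upgrade, as an added example that is not part of the original page or of OSSEC itself: collect every rule id defined in the shipped rules and in local_rules.xml, then report any <if_sid> or <if_matched_sid> in the local rules that points at an id no longer defined anywhere. The two rule files below are constructed samples; in a real check you would read the files under the rules directory (assumed to be /var/ossec/rules/ by default).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not real OSSEC rule files): a shipped rules file in
# which rule 30114 no longer exists, and a local_rules.xml that still chains off it.
SHIPPED_RULES = """
<group name="apache,">
  <rule id="30100" level="0"><decoded_as>apache-errorlog</decoded_as>
    <description>Apache messages grouped.</description></rule>
  <rule id="30101" level="0"><if_sid>30100</if_sid><match>^[error]</match>
    <description>Apache error messages grouped.</description></rule>
</group>
"""

LOCAL_RULES = """
<group name="local,">
  <rule id="100001" level="5"><if_sid>30101</if_sid><match>client denied</match>
    <description>Apache denied client (valid: 30101 still exists).</description></rule>
  <rule id="100002" level="10"><if_sid>30114</if_sid><match>attack</match>
    <description>Chains off 30114, which the new version removed.</description></rule>
</group>
"""

def iter_rules(xml_text):
    # OSSEC rule files contain several top-level <group> elements, so wrap them in
    # one root before parsing (assumption: the files are otherwise well-formed XML).
    return ET.fromstring("<root>" + xml_text + "</root>").iter("rule")

def defined_ids(*xml_texts):
    """Set of every rule id defined across the given rule files."""
    return {rule.get("id") for text in xml_texts for rule in iter_rules(text)}

def dangling_references(local_xml, known_ids):
    """(local rule id, referenced id) pairs whose <if_sid>/<if_matched_sid> target is unknown."""
    missing = []
    for rule in iter_rules(local_xml):
        for tag in ("if_sid", "if_matched_sid"):
            for el in rule.findall(tag):
                # Both tags accept comma-separated id lists, so check each id separately.
                for ref in re.split(r"[,\s]+", (el.text or "").strip()):
                    if ref and ref not in known_ids:
                        missing.append((rule.get("id"), ref))
    return missing

if __name__ == "__main__":
    known = defined_ids(SHIPPED_RULES, LOCAL_RULES)
    for local_id, ref in dangling_references(LOCAL_RULES, known):
        print(f"local rule {local_id} references rule {ref}, which is not defined anywhere")
```

Any pair it prints is a local rule that will have to be deleted or re-chained before the new version will start.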