OSSEC 3.4.0

Release Maintainers

Dan Parriott
Scott R. Shinn (http://www.atomicorp.com)
Dominik Lisiak

Contributors on this release

(@ddpbsd) Dan Parriott – OSSEC Foundation
(@bchavet) Ben Chavet – Community
(@binrush) Rushan Shaymardanov – Community
(@mikeroyal) Michael Royal – Community
(@iasdeoupxe) – Community
(@aquerubin) Antonio Querubin – Community
(@Varstahl) Bruno Passeri – Community
(@atomicturtle) Scott Shinn – OSSEC Foundation
(@jubois) – Community
(@almirb) Almir Bolduan – Community

Release notes

Big changes in this release add support for the following new platforms:

Debian buster
Fedora 30
CentOS 8 (much awaited!)

@jubois has completed the first round of PCRE2 rule updates. This is a very exciting change to the overall IDS engine in OSSEC and opens the platform up to much more complex (and faster!) search functionality.

Snapcraft.io universal Linux packaging support (aka Snaps) allows for a universal OSSEC package across multiple Linux distributions.

Last but not least, @ddpbsd has a long-awaited fix for agentd/maild when IPv6 is disabled and/or hostnames are used instead of IPs, in PR#1698. Thanks again to all our community contributors and dedicated team members for their work on this release!

New Rules / Decoders

(@aquerubin) Updated IPv4-dependent regexp in ownCloud decoders. PR#1697
(@jubois) Fix Issue #1708 (Incorrect regex match) PR#1710
(@jubois) PCRE2 rulefiles conversion PR#1711
(@jubois) PCRE2 decoders conversion PR#1712
(@aquerubin) Fix owncloud decoder PR#1724
(@iasdeoupxe) Additional ownCloud decoder fix PR#1725
(@iasdeoupxe) Second ownCloud decoder fix PR#1726
(@ddpbsd) Adjust pix decoder and a firewall rule PR#1749
(@binrush) Fixed missing same_source_ip in rule 11306 (pureftpd) PR#1751
(@ddpbsd) Addition to sshd rule, new ntpd rule PR#1757
(@ddpbsd) Fix rule IDs in openbsd_rules PR#1760

(@ddpbsd) syscheck, Try to silence the “Attempted to check FS status for” message. PR#1701
(@ddpbsd) syscheck, Add some basic error handling to syscheck_control PR#1702
(@ddpbsd) core, More unlink and fopen error handling in src/util PR#1703
(@almirb) active-response, Added Cloudflare active-response script. PR#1709
(@Varstahl) csyslogd, CEF: remove duplicate parameters and fix discarded hashes PR#1713
(@atomicturtle) docs, Updating links, using https, conference links PR#1714
(@Varstahl) csyslogd, Fix CEF escaping / multi-line syslog
(@ddpbsd) core, Check return values for unlink(2) calls PR#1733
(@mikeroyal) packaging, snap build support PR#1737
(@ddpbsd) core, Set PCRE2_SYSTEM to no by default. PR#1738
(@ddpbsd) logtest, Remove leading space from field names PR#1741
(@bchavet) analysisd, Verify Googlebot PR#1752; this is a code function in generic_samples.c
(@ddpbsd) analysisd, Free the lf->fields memory PR#1758, fixes issue #1727
(@ddpbsd) testing, Update some travis-ci bits PR#1759 (travis fixes)