It has been over a year since the release of OSSEC 2.6 in July 2011. Through all this time many patches/enhancements have been contributed. We have incorporated as many of them as possible into the upcoming release. We are calling this release 2.7 beta-o, with the expectation that Beta-1, Beta-2… will follow, until it is stable enough to be called final. Here are the highlight of changes in OSSEC 2.7 Beta-0:
- Installation
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add ‘ manage_agents -f’ option for bulk generation of client keys from an input file.
- Syscheck
- Add prelinking support – reduce confusion when a file change is the result of prelinking.
- Rootcheck
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility (default is all ON).
- Log monitoring/analysis
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
- Add multi-line log readers for Linux auditd, plus ModSec and Regex log readers.
- Alert options and syslog output
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes
- Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
- Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
- Update decoders include: PIX, auditd, apache, pam, php…
- Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
- Update rootcheck rules
- ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
- Many bug fixes…
How to test the BETA?
Download the beta-0 package from here. Note that the Windows Agent build is not ready yet. You can test 2.7 Beta-0 with 2.6 agents.
How to report bugs, contribute bug fixes?
Please post successful testing of features to Google group ‘ossec-dev’ with subject line starting with identification such as [2.7-beta0-rootcheck] , similarly do the same for reporting bugs and providing bug fixes. If privacy is a concern, you can send email to us at ossecproject @ gmail.com.
OSSEC 2.7 Beta-0 - ossec-hids-2.7-beta-0.tar.gz
Downloads
Unix/Linux version 2.7 beta-0
OSSEC for Linux, Solaris, *BSD, Mac, AIX and variants:
ossec-hids-2.7-beta-0.tar.gz Checksum – License
ossec-hids-2.7-beta-0.tar.gz Checksum – License
Unix/Linux version 2.6
OSSEC for Linux, Solaris, *BSD, Mac, AIX and variants:
ossec-hids-2.6.tar.gz Sig – Checksum – License
Installation instructions here.
ossec-hids-2.6.tar.gz Sig – Checksum – License
Installation instructions here.
Windows agent version 2.6
OSSEC for Windows 2000, XP, Vista, 7 and Windows Server 2003, 2008:
ossec-agent-win32-2.6.exe Sig – Checksum – License
ossec-agent-win32-2.6.exe Sig – Checksum – License
RPMs for RHEL, CentOS, Fedora and others
Available in the AtomiCorp repository. To install:
# wget -q -O – https://www.atomicorp.com/installers/atomic |sh
# yum install ossec-hids ossec-hids-server (or ossec-hids-client for the agent)
http://www.ossec.net/
Documentation -
0 comments:
Post a Comment