OSSEC is Free Software, a GPL-licensed, host-based intrusion detection system (HIDS) that operates on a client-server model. Its development is sponsored by Trend Micro, a software security outfit based in Tokyo, Japan.
OSSEC is cross-platform, with binary packages available for all Linux distributions, the BSDs, Windows, Solaris, Mac OS, VMWare ESX, AIX, and HP-UX.
OSSEC 2.7 is the latest, stable version available for download. As with any software update, it comes with its share of new features and bugfixes.
Some of the new features are:
- Support for hybrid mode during installation
- Client keys can now be generated in bulk from an input file
- Support for hostname specification of server during installation
- More granular rootcheck configuration control
- GeoIP lookup support
The key enhancements in v2.7 are:
- Installation
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add manage_agents -f option for bulk generation of client keys from an input file.
- During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
- Syscheck
- Add prelinking support – reduce confusion when a file change is the result of prelinking.
- Rootcheck
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Log monitoring/analysis
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
- Alert options and syslog output
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes
- Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
- Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
- Update decoders include: PIX, auditd, apache, pam, php.
- Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
- Update rootcheck rules.
- ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
- Many bug fixes…
- LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2
Download OSSEC 2.7 package from here.
Source -
http://www.ossec.net/?p=577
0 comments:
Post a Comment