OSSEC v3.3.0 Release Notes

Release Date: 2019-04-19
  • OSSEC changelog (3.3.0)

    🚀 Release Maintainers

    Dan Parriott
    Scott R. Shinn (http://www.atomicorp.com)
    Dominik Lisiak

    🚀 Contributors on this release

    🚀 Release Notes

    👀 OSSECCON 2019: from the whole team here at OSSEC, it was really fantastic meeting everyone at the show, and we look forward to seeing you all again at OSSECCON 2020!

    โšก๏ธ PCRE2, Jubois made a major update to the IDS foundation in OSSEC 3.3.0 with PCRE2 (https://www.pcre.org/current/doc/html/pcre2.html) library. This is an extremely powerful update to the overall pattern analysis functionaility in OSSEC. In order to build this with the native distribution pcre2 packages (pcre2-devel, etc), you will need to use: export PCRE2_SYSTEM=yes. This adds several new xml tags:

    • pcre2 (used in place of regex)
    • match_pcre2
    • program_name_pcre2
    • prematch_pcre2
    • srcgeoip_pcre2
    • dstgeoip_pcre2
    • srcport_pcre2
    • dstport_pcre2
    • user_pcre2
    • url_pcre2
    • id_pcre2
    • status_pcre2
    • hostname_pcre2
    • extra_data_pcre2

    Dynamic Decoders: discussed in the "Beyond Security" talk at OSSECCON 2019, this allows user-defined keys in decoders, so a decoder can extract fields that OSSEC has no built-in name for. The extracted keys are exposed in the JSON output for inclusion with other data-analytics tools. This adds a new internal option, analysisd.decoder_order_size, which defines the maximum number of keys allowed in a single decoder.
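As an added example (not from the release notes or the OSSEC project's own rule set), the following decoder uses the new prematch_pcre2 and pcre2 tags together with user-defined dynamic keys, and the accompanying rule uses match_pcre2. The service name vaultd, the log line, the key names and the rule ids are all constructed for illustration; that custom keys are declared by listing them in order, as in the upstream implementation this feature was ported from, is an assumption about this port.

```xml
<!-- Added example, not part of the OSSEC 3.3.0 release or rule set.
     Constructed input line this is written against (syslog format):
     Apr 19 10:00:00 host vaultd[4242]: audit: actor=alice secret=db/prod/root result=deny
     After pre-decoding, OSSEC hands the decoder the text after "vaultd[4242]: ". -->

<!-- etc/local_decoder.xml (hypothetical "vaultd" service) -->
<decoder name="vaultd">
  <program_name>vaultd</program_name>
</decoder>

<!-- Child decoder: prematch_pcre2 selects only the audit lines, then pcre2
     captures three fields. The names in <order> are user-defined dynamic
     keys (assumption: this is how dynamic keys are declared), not the fixed
     OSSEC field names (srcip, user, ...), and they appear in the JSON output.
     The number of keys is capped by analysisd.decoder_order_size. -->
<decoder name="vaultd-access">
  <parent>vaultd</parent>
  <prematch_pcre2>audit: </prematch_pcre2>
  <pcre2>actor=(\S+) secret=(\S+) result=(allow|deny)</pcre2>
  <order>actor, secret_path, result</order>
</decoder>

<!-- rules/local_rules.xml (rule ids 100200/100201 chosen from the local range) -->
<group name="vaultd,">
  <rule id="100200" level="3">
    <decoded_as>vaultd</decoded_as>
    <description>vaultd audit event</description>
  </rule>

  <!-- match_pcre2 is applied to the raw log text; a deny on any secret
       path is escalated to an alert-level event. -->
  <rule id="100201" level="10">
    <if_sid>100200</if_sid>
    <match_pcre2>result=deny</match_pcre2>
    <description>vaultd denied access to a secret</description>
  </rule>
</group>
```

Check it the way you would any new decoder: feed the constructed line to bin/ossec-logtest and confirm that the vaultd-access decoder fires and the three keys are printed, then enable JSON output (jsonout_output in the global section of ossec.conf) and verify the keys show up in the JSON alert. Because \S+ in the secret capture stops at whitespace, a secret path containing a space will cause the whole pcre2 match to fail silently; widen the capture or log such paths quoted if that can happen in your environment.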

    🔒 We'd like to thank (again! It can't be done enough!) all the contributors, speakers, security researchers, testers, and especially our users. Without you we wouldn't be here.

    If you're interested in joining our team, or just interacting with the OSSEC community on slack email us for an invite at: [email protected]

    What's New

    • ๐Ÿ‘ (@jubois) - PCRE2 regular expression support - PR#1652
    • ๐Ÿ‘ (@atomicturtle) - ossec-analysisd, Dynamic decoder support. Original: Vikman Fdez-Castro - PR#1678
    • (@ddpbsd) - ossec-execd, Switch "white lists" to "allow lists" - PR#1687

    🆕 New Rules / Decoders

    • โšก๏ธ (@Bob-Andrews) - rootcheck, update for NullSessionShares - PR#1669
    • ๐ŸŒ (@Bob-Andrews) - topleveldomainrules.xml, Shady TLD web traffic detection - PR#1671
    • (@Bob-Andrews) - last_rootlogin_rules.xml, Sensitive login detection - PR#1671
    • ๐Ÿš‘ (@Bob-Andrews) - unbound_rules.xml, added rule for maybe critical TLD request - PR#1672
    • (@Bob-Andrews) - rootcheck, Deleted repeating rules - PR#1674
    • โšก๏ธ (@ddpbsd) - Update info links in Windows rules - PR#1675
    • (@aquerubin) - Added decoder for pam_succeed_if - PR#1684

    General

    • ๐Ÿ‘ (@MangyCoyote) - ossec-analysisd, support Syslog ISO timestamp events with optional fraction of second - PR#1664
    • (@ddpbsd) - Fix compilation with PCRE2_SYSTEM=yes - PR#1666
    • โšก๏ธ (@aquerubin) - ossec-batch-manager.pl, update regexp for ipv6 addresses - PR#1667
    • (@mephesto1337) - Fix part of issue#1663, compiling with PCRE2_SYSTEM=yes - PR#1677
    • ๐ŸŒฒ (@ddpbsd) - active-response, Fix for issue#1647, log disable-account.sh to the correct location - PR#1683
    • ๐Ÿ— (@aquerubin) - Copy resolv.conf on build event - PR#1685
    • ๐Ÿ (@almirb) - active-response, Corrected the way active-response logs are generated on windows - PR#1689
    • (@atomicturtle) - ossec-execd, Expose filename variable in AR add/delete events - PR#1695