
OSSEC HIDS Release Version 2.8.0

@jrossi jrossi released this 11 Jun 15:05
· 1108 commits to stable since this release

Downloads & checksum

Agent 2.8 – Windows

https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-agent-win32-2.8.exe

Server/Agent 2.8 – Linux/BSD

https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz

Change log

Detailed Change log

bug fix of eventchannel timestamp

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/208]
  • Merged TimeStamp : 2014-05-22 13:10:57
  • Create TimeStamp : 2014-05-18 14:43:04

Think this is the issue identified in #206. The function returned a pointer to a local variable; the result would be undefined.
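The defect class behind #208, as an added illustration that is not OSSEC's code: a formatter that hands back the address of a stack buffer, shown next to the caller-supplied-buffer form that avoids it. The timestamp format and function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed example, not OSSEC source. The pattern behind the #208 bug:
 * the function fills a local array and returns its address. The array's
 * lifetime ends when the function returns, so the caller dereferences a
 * dangling pointer and the contents are undefined (gcc/clang warn with
 * -Wreturn-local-addr). Kept as a comment so this file compiles cleanly:
 *
 *   static char *format_timestamp_bad(time_t t)
 *   {
 *       char buf[32];
 *       strftime(buf, sizeof(buf), "%Y %b %d %H:%M:%S", gmtime(&t));
 *       return buf;   // dangling as soon as the function returns
 *   }
 */

/* Corrected shape: the caller owns the storage and passes its size.
 * Returns 0 on success, -1 if the buffer is too small or the time cannot
 * be converted; on failure the buffer always holds a valid empty string,
 * so a caller that logs it anyway never prints garbage. */
int format_timestamp(time_t t, char *out, size_t out_len)
{
    struct tm tm_utc;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';

    /* gmtime_r writes into caller storage instead of a shared static. */
    if (gmtime_r(&t, &tm_utc) == NULL)
        return -1;

    /* strftime returns 0 when the result does not fit and leaves out[]
     * unspecified, so reset it before reporting the failure. */
    if (strftime(out, out_len, "%Y %b %d %H:%M:%S", &tm_utc) == 0) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char ts[32];

    if (format_timestamp((time_t)0, ts, sizeof(ts)) == 0)
        printf("%s\n", ts);   /* 1970 Jan 01 00:00:00 */
    return 0;
}
```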

Align eventchannel log format with eventlog, fixes #155

  • Submitted by : gaelmuller
  • Full Pull Request : [https://github.com//pull/203]
  • Merged TimeStamp : 2014-05-10 01:08:48
  • Create TimeStamp : 2014-05-05 15:46:02

Add a "Time Created" field to the eventchannel log format to align it with eventlog.

fix active-response on mac os installation

  • Submitted by : jknockaert
  • Full Pull Request : [https://github.com//pull/202]
  • Merged TimeStamp : 2014-05-10 01:09:42
  • Create TimeStamp : 2014-05-05 15:00:46

Modern versions of Mac OS support pf, with ipfw to be phased out by (probably) the next version of the OS.

os_net fixes

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/200]
  • Merged TimeStamp : 2014-05-02 00:11:32
  • Create TimeStamp : 2014-05-01 09:44:37

fix memory leaks (in error branches) and check return values of library calls (see coverity)

Fixes #194. Checks for both paths of openssl

  • Submitted by : harshilmathur
  • Full Pull Request : [https://github.com//pull/197]
  • Merged TimeStamp : 2014-04-29 22:23:25
  • Create TimeStamp : 2014-04-29 22:18:26

Resolves #194, where the changed opensslconf.h path in Ubuntu 14.04 caused OSSEC to compile without OpenSSL support.

os_regex review

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/195]
  • Merged TimeStamp : 2014-04-29 12:58:39
  • Create TimeStamp : 2014-04-29 09:06:18

changes:

  • replace octal values of charmaps with decimal ones (because octal values greater than 127 cause conversion warnings)
  • change string size variables to size_t
  • rewrite OS_StrStartsWith() so that the length of the pattern does not need to be computed
  • enable unit test for regex extraction added by 79460ac
  • fix bunch of compiler warnings
  • fix coverity warnings about uninitialized array (CID 28590)

os_regex unit tests #2

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/191]
  • Merged TimeStamp : 2014-04-25 11:02:44
  • Create TimeStamp : 2014-04-25 10:07:37

unit tests for os_regex's OS_StrStartsWith() and character maps

Windows agent UI version and Copyright update

  • Submitted by : jbcheng
  • Full Pull Request : [https://github.com//pull/189]
  • Merged TimeStamp : 2014-04-23 19:57:54
  • Create TimeStamp : 2014-04-23 18:47:09

In a hurry, this was pushed to stable branch first.
Please merge this to master.

os_regex unit tests

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/188]
  • Merged TimeStamp : 2014-04-23 14:47:17
  • Create TimeStamp : 2014-04-23 13:24:57

adding more unit tests for os_regex

P.S.:
the regex extraction test is crashing for me, because os_regex is trying to modify the const input strings (https://github.com/ossec/ossec-hids/blob/master/src/os_regex/os_regex_execute.c#L72).
I think I fixed this in my branch os_regex (https://github.com/cgzones/ossec-hids/tree/os_regex).

[tests] explicit enable branch coverage for new version of lcov

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/187]
  • Merged TimeStamp : 2014-04-23 10:59:16
  • Create TimeStamp : 2014-04-23 07:43:43

[os_xml] fix possible array underflows: see coverity

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/186]
  • Merged TimeStamp : 2014-04-23 10:57:52
  • Create TimeStamp : 2014-04-23 07:43:31

Avoid a crash of agentd on Solaris.

  • Submitted by : danpop60
  • Full Pull Request : [https://github.com//pull/185]
  • Merged TimeStamp : 2014-04-22 15:10:09
  • Create TimeStamp : 2014-04-22 11:06:40

Avoid a crash of agentd on Solaris.
Replaced AF_UNIX by PF_UNIX in a couple of socket() calls.

Use the environment for the CC binary

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/180]
  • Merged TimeStamp : 2014-04-07 21:47:48
  • Create TimeStamp : 2014-04-06 03:26:18

See discussion at https://groups.google.com/forum/#!topic/ossec-list/FOTncDNnNk0

The ossec-lua addition included a regression on @cgzones changes for using clang correctly. This corrects that regression (as suggested by cgzones on the mailing list).

I think this should also be merged into stable for the 2.8 release as the ossec-lua introduced a regression into clang builds.

Please note travis will not pick up this type of errors due to gcc still being installed.

Fixes to win32 installation

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/179]
  • Merged TimeStamp : 2014-04-06 16:32:56
  • Create TimeStamp : 2014-04-05 18:27:10

Added local_internal_options.conf to the installation process. This
file will not be overwritten when an upgrade occurs so changes to how
the agent runs can be made in this file and persist through upgrades.
This fixes #169.

Also, some small fixes like removing whitespace and making the message
box definitions in ossec-installer.nsi a bit more readable.

Fix windows agent compile error/warnings #define ENOBUFS, ALERT_SYSTEM_ERR

  • Submitted by : jbcheng
  • Full Pull Request : [https://github.com//pull/176]
  • Merged TimeStamp : 2014-04-04 23:45:27
  • Create TimeStamp : 2014-04-04 23:35:02

The errno.h in some versions of MinGW does not have ENOBUFS defined, causing the Travis CI windows_agent build to fail. This PR fixes that.
Also, this PR gets rid of compile warnings regarding ALERT_SYSTEM_ERROR being redefined in rootcheck/rootcheck.h, which was also defined in /i686-w64-mingw32/include/winuser.h:4997

Moving ossec-lua back to posix so that we do not have a libreadline dep

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/175]
  • Merged TimeStamp : 2014-04-04 21:58:32
  • Create TimeStamp : 2014-04-04 02:17:42

os_xml refresh2

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/173]
  • Merged TimeStamp : 2014-04-12 02:50:25
  • Create TimeStamp : 2014-04-03 15:42:00

changes:

  • new make target for coverage report of testcases
    • cd src/
    • make test
    • cd tests/
    • make generate_coverage
  • xml error messages harmonized
  • speedup when applying variables
    • xml array only traversed once
    • names and contents of variables are not copied
  • add some testcases
    • multiple values per node (firstsecond)
    • space before attribute definition ()
    • comments with '!' and '-'
    • string overflow tests for xml nodes and variables

Added more Vista+-associated event IDs for existing rules

  • Submitted by : mstarks01
  • Full Pull Request : [https://github.com//pull/163]
  • Merged TimeStamp : 2014-03-31 22:58:22
  • Create TimeStamp : 2014-03-26 04:01:51

Added #include for errno.h in os_net.c

  • Submitted by : denied39
  • Full Pull Request : [https://github.com//pull/160]
  • Merged TimeStamp : 2014-04-02 01:28:53
  • Create TimeStamp : 2014-03-24 12:10:01

Added include for errno.h in src/os_net/os_net.c to remove Windows agent compile error.

Fixes to win32 (un)installation process

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/159]
  • Merged TimeStamp : 2014-04-03 01:36:26
  • Create TimeStamp : 2014-03-23 15:27:45

Updated the style of ossec-installer.nsi so it is easier to read.

Turned on Uninstallation details same as is done for installation
details.

Start to use SimpleSC plugin (Rainer Döpke) to handle the initial
stopping of the OSSEC agent service. The hope is this plugin can later
be used to handle all of the necessary service configuration that
is required.

Added error checking around many of the (un)installation steps. There
is plenty of room for more error checking but hopefully this covers
some of the major problem areas.

Added logic to create the ossec.log on every installation.

Fixed cleaning up the bookmarks directory.

Start to use nsProcess plugin (Shengalts Aleksander aka Instructor) to
detect if either manage_agents.exe or win32ui.exe are running during
an uninstall. When they are running the uninstallation will fail to
remove those files and thus fails to remove the ossec-agent directory.

Removing event ID 676

  • Submitted by : mstarks01
  • Full Pull Request : [https://github.com//pull/157]
  • Merged TimeStamp : 2014-03-26 01:06:22
  • Create TimeStamp : 2014-03-22 16:29:43

Since it is only on Windows 2000 and support for that OS has been deprecated.

Remove event ID 672

  • Submitted by : mstarks01
  • Full Pull Request : [https://github.com//pull/151]
  • Merged TimeStamp : 2014-03-20 01:08:40
  • Create TimeStamp : 2014-03-20 00:35:53

Event 672 is related to the granting of Kerberos tickets. It is extraneous due to other authentication events for the same action being logged, and causes the number of logon failures to appear higher than they really are. From Microsoft:

Does not contain any additional information if audit details from logon events 528 and 540 are already being collected. This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673.

Added <email_idsname> option to ossec.conf (additional email header)

  • Submitted by : dopefish
  • Full Pull Request : [https://github.com//pull/150]
  • Merged TimeStamp : 2014-03-20 12:05:06
  • Create TimeStamp : 2014-03-19 19:34:37

This feature adds an additional option to the ossec_config/global config
block in ossec.conf called <email_idsname>. The value of this field gets
added to the email headers as "X-IDS-OSSEC: $value" to make sorting of
emails from different ossec servers easier (e.g. development and production
servers). install.sh uses the $HOST variable as the default value for the
field when creating an ossec.conf.

Example:

<ossec_config>
  <global>
    <email_idsname>development</email_idsname>
  </global>
</ossec_config>

Fix make.sh files for win32

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/145]
  • Merged TimeStamp : 2014-03-17 22:56:10
  • Create TimeStamp : 2014-03-17 22:00:14

Added the shebang. Also used 'set -e' to exit the scripts upon
getting an error from any of the commands being run. That is to say,
if there is an issue compiling anything for any reason, stop there
and continue no further.

Previously, it would just continue on until something would look
for the executables that weren't there and exit. Usually after makensis.

This makes it a lot clearer on where things went wrong and you don't have
to trudge through a lot of output to find compile issues.

Continue removing the bro-ids stuff

  • Submitted by : ddpbsd
  • Full Pull Request : [https://github.com//pull/144]
  • Merged TimeStamp : 2014-03-17 19:31:15
  • Create TimeStamp : 2014-03-17 17:04:29

os_xml review

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/142]
  • Merged TimeStamp : 2014-03-20 17:16:06
  • Create TimeStamp : 2014-03-15 10:39:09

changes:

  • remove global XML_VAR compile directive
  • restructure header structure (os_xml.h + os_xml_writer.h -> os_xml.h (for external includes) + os_xml_internal.h (for internal macros))
  • always ensure valid OS_XML state so OS_ClearXML() never encounters a nullpointer or memory leak
  • remove unused function _checkmemory()
  • clean up memory in failure branches
  • fix a bunch of compiler warnings
  • add test cases

Unittest os regex

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/139]
  • Merged TimeStamp : 2014-03-13 20:44:40
  • Create TimeStamp : 2014-03-12 15:55:25

Basic import of os_regex/example/tests into the check unit test setup started by @cgzones. This will test OS_Match2 and OS_Regex.

Fix compile warnings with win32

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/136]
  • Merged TimeStamp : 2014-03-11 20:54:47
  • Create TimeStamp : 2014-03-10 18:52:47

The buffer variable in InstallService() was not ever used.

The other warning was about windows.h being included before winsock2.h

Remove win32 service start and stop executables

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/134]
  • Merged TimeStamp : 2014-03-11 00:43:13
  • Create TimeStamp : 2014-03-10 13:27:01

These seem pretty useless to me. They also aren't used in the code
anywhere. There are plenty of other tools available to start/stop
the OSSEC services. Probably best to get rid of these.

os_zlib update

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/133]
  • Merged TimeStamp : 2014-03-10 20:53:02
  • Create TimeStamp : 2014-03-10 13:20:58

  • updating zlib to 1.2.8
  • adding some documentation
  • adding some unit tests for wrapper functions

enable full clang support and remove gcc dependencies

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/132]
  • Merged TimeStamp : 2014-03-10 20:44:21
  • Create TimeStamp : 2014-03-10 11:22:19

This pull request changes two things:

cd src/
make all
cd os_crypto/md5/
make main
echo "next line should be 'MD5Sum for \"test\" is: 098f6bcd4621d373cade4e832627b4f6'"
./main str test
cd ../sha1/
make main
echo "next line should be 'SHA1Sum for \"main.c\" is: 4b35e3f3e19d9861db9eeb7827f8bdf46fe4b89c'"
./main main.c
  • The install and make script does search and set gcc as the default compiler.
    Instead ossec relies on either a properly set "CC" environment variable or on a reachable "cc" binary.
    So for debian/red hat respectively freebsd based systems cc is a symlink to gcc respectively clang.
    If you want to use a different compiler (e.g. clang on debian) you can set the CC environment variable before running the install script (export CC=/path/to/clang) or use the maketarget setclang (which sets the CC environment variable to clang).

Added error checking to ossec.conf installation

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/131]
  • Merged TimeStamp : 2014-03-10 02:10:52
  • Create TimeStamp : 2014-03-10 01:54:58

Show details during win32 installation

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/130]
  • Merged TimeStamp : 2014-03-10 02:01:17
  • Create TimeStamp : 2014-03-10 01:46:57

When doing a win32 installation the details are hidden and only shown
very briefly. In some cases when doing an Exec on some of the OSSEC
command line tools it will spawn a cmd.exe that only appears for a
second. Some of the details those processes do are logged in the
ossec.log but it would be nice if they were also displayed in the details
window and those details can be reviewed.

Changed all Exec's to use ExecToLog so their details show up in the
installer details section.

Configured the details to be displayed by default and to not skip
past the details page automatically when the installation is completed.

This also has the added benefit of now popping up cmd.exe windows when
an installation takes place.

Fixes to win32 services

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/129]
  • Merged TimeStamp : 2014-03-10 02:10:06
  • Create TimeStamp : 2014-03-09 23:40:02

There were quite a few issues with the win32 service code that this
corrects. The first is that some of the comments in the code needed
to be updated. Looks like code was copied and reused but the comments
were not updated to reflect what the reused code was doing.

There was the potential in InstallService() where not all the service
handles would be closed if errors were hit at certain spots.

Before installing a new service the old service was not uninstalled.
This is desirable in the case where the new service has different
options or points to a different path location for example. In some
cases it might be bad where some type of user change was made but that
is difficult to account for. I leaned toward cleaning up the old so that
the new service can be installed fresh.

This also causes an error when the service goes to install because the service
already exists. This would actually happen each time the OSSEC installer was run
but due to some incorrect logging statements (which I'll explain below) a blank
line would appear.

When doing an uninstall of a service the service wasn't stopped prior to
the uninstallation. This would leave the service running until the service
was stopped or the computer rebooted at which point the service would disappear.
It is better to stop the service before uninstalling. I'd imagine that is what
the user would expect to happen during such an operation.

The logging in this code was not done correctly. Namely, the call to merror()
in the InstallService() function after the "install_error" label was completely
wrong and would result in a nearly blank line in the logs. There were also reports
of times where a user would install the agent on a win32 machine and everything
would work except the service would never register. Fixing all of the logging to
use verbose() should hopefully lead to better troubleshooting of errors like that
in the future.

Added /? as a parameter to ossec-agent on win32

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/128]
  • Merged TimeStamp : 2014-03-09 18:26:19
  • Create TimeStamp : 2014-03-09 17:55:41

Added /? as a help parameter. This is a pretty standard way of getting help information from other command line executables on Windows.

Update manage_keys.c

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/127]
  • Merged TimeStamp : 2014-03-10 01:57:42
  • Create TimeStamp : 2014-03-09 16:52:02

Log the cacls command about to be run.

Use file command in ossec-installer.nsi

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/126]
  • Merged TimeStamp : 2014-03-10 02:01:52
  • Create TimeStamp : 2014-03-09 15:56:51

Use the full ability of the File command. Before when upgrading and doing a Rename after without the /Reboot command most of those commands would "fail silently" which is the best way I can describe it. It would just leave these files in the main ossec-agent directory never really upgrading parts of the system. Using the File command has the added benefit of complaining if a file is in use during the installation. For example have the win32ui.exe open and try to run a new installation. It should complain that the file is inaccessible until the application is closed. Previously, this would just leave os_win32.exe in the ossec-agent directory and never successfully upgrade the executable.

Fixes to ossec-installer.nsi

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/125]
  • Merged TimeStamp : 2014-03-10 02:08:11
  • Create TimeStamp : 2014-03-09 15:49:08

Explicitly set SetOverwrite to on. This is the default but for clarity it is good to show exactly what action we are hoping to take with these files.

SetDateSave off in ossec-installer.nsi

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/124]
  • Merged TimeStamp : 2014-03-10 02:06:02
  • Create TimeStamp : 2014-03-09 15:46:10

Turned SetDateSave to off. Reference http://nsis.sourceforge.net/Reference/SetDateSave for more information on what this does. While keeping the original DateModified times has some advantages I think not having NSIS overwrite the new DateModified times with the originals is much better. It lets the user see when a file was actually modified.

Grandstream ATA decoder

  • Submitted by : mstarks01
  • Full Pull Request : [https://github.com//pull/123]
  • Merged TimeStamp : 2014-03-09 15:47:37
  • Create TimeStamp : 2014-03-09 15:43:42

A simple script to calculate OSSEC events-per-second

  • Submitted by : mstarks01
  • Full Pull Request : [https://github.com//pull/122]
  • Merged TimeStamp : 2014-03-09 02:51:36
  • Create TimeStamp : 2014-03-09 02:19:46

removing deploy from travis-ci

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/121]
  • Merged TimeStamp : 2014-03-10 03:35:26
  • Create TimeStamp : 2014-03-08 19:27:09

Deploy with travis does not make sense for us and fails a lot more often than it should.

ossec-lua lua interpreter

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/120]
  • Merged TimeStamp : 2014-03-17 14:49:20
  • Create TimeStamp : 2014-03-08 18:55:18

This adds a Lua interpreter to the ossec agent and master install. This is the smallest change allowing Lua to become the de facto script language for ossec.

There are many reasons for Lua support to be added to ossec:

  1. Lua runs any place ossec does and maybe even more
  2. Constant interface for more advanced active response script on agents and manager
  3. Constant set of libraries and tools for adding utils and interfaces.
  4. Easy integration into C
  5. Bloody fast
  6. Simple

Once having ossec-lua we can start adding utils to the standard install without having to perform C everyplace. Here are some areas that I see:

  1. Active response scripts
  2. check perm script
  3. move reporting from C to LUA so anyone can make changes
  4. Templating using LUA for formatting emails.

I have gotten ossec-lua to compile on windows using mingw and will create a second pull request to make that complete.

This will also need documentation updates.

Fixing route-null active response on Windows

  • Submitted by : mstarks01
  • Full Pull Request : [https://github.com//pull/119]
  • Merged TimeStamp : 2014-03-08 18:01:10
  • Create TimeStamp : 2014-03-08 17:59:21

It was just plain... broken.

Remove ui.nsi

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/118]
  • Merged TimeStamp : 2014-03-08 17:40:55
  • Create TimeStamp : 2014-03-08 17:22:57

I can't seem to figure out what purpose the ui.nsi file serves if any.
In my tests on Windows 2008R2 not making it and even having it present
seem to make no difference in the agent functionality. The win32ui
still gets installed and everything about it still seems to work.

Getting rid of it seems like a good idea to me at this point.

If anyone can tell me if this does get used for anything and what that anything is it would be much appreciated. Further testing always welcome.

Fixes to ossec-installer.nsi

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/117]
  • Merged TimeStamp : 2014-03-08 16:42:54
  • Create TimeStamp : 2014-03-08 16:15:25

Move the logic that determines whether the ossec.conf should be
replaced/renamed out of the C code and into NSIS. The NSIS stuff is
built for installing things. No need to write a bunch of C code to do
something that there is already a system for. Going to try and move
as much out of C and into NSIS to help cut down on the amount of code
that needs to be maintained for no real reason.

Fixes to ossec-installer.nsi

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/116]
  • Merged TimeStamp : 2014-03-08 16:07:10
  • Create TimeStamp : 2014-03-08 15:57:44

Instead of using a relative jumpto use the NoAbort label for clarity.

add eventchannel (again) with proper build

  • Submitted by : gaelmuller
  • Full Pull Request : [https://github.com//pull/115]
  • Merged TimeStamp : 2014-03-07 21:58:30
  • Create TimeStamp : 2014-03-07 15:38:06

Restore eventchannel support, with proper build. Only mingw-w64 can be used.

remove unused source code files

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/114]
  • Merged TimeStamp : 2014-03-07 21:55:01
  • Create TimeStamp : 2014-03-06 18:23:07

os_err.h is located in src/headers and sysinfo is never ever used

Remove local file additions in setup-win.c

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/113]
  • Merged TimeStamp : 2014-03-06 17:08:36
  • Create TimeStamp : 2014-03-06 16:00:51

In my opinion adding these should be a user decision and shouldn't get done by default.

Fix win32 ARGV0 names

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/111]
  • Merged TimeStamp : 2014-03-07 21:53:35
  • Create TimeStamp : 2014-03-06 03:19:14

The ARGV0 names of manage-agents and the win32ui needed more clarity.
Using 'ossec-agent' doesn't really make sense. This will help in
figuring out what is doing what in the log file for example a little
easier.

simplify cJSON makefile

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/110]
  • Merged TimeStamp : 2014-03-05 12:53:48
  • Create TimeStamp : 2014-03-05 11:17:29

fix clang -Wall warnings

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/109]
  • Merged TimeStamp : 2014-03-05 12:58:41
  • Create TimeStamp : 2014-03-05 11:17:21

enable geoip in travis build

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/108]
  • Merged TimeStamp : 2014-03-07 21:57:20
  • Create TimeStamp : 2014-03-05 11:17:12

Make manage_agents.exe work on win32

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/107]
  • Merged TimeStamp : 2014-03-08 16:14:47
  • Create TimeStamp : 2014-03-04 21:47:36

The manage_agents.exe would never change into the proper ossec-agents
directory. There is now some logic added to attempt to chdir() into
the right directory when it starts but it is not foolproof.

Also, corrected the permissions on the client.keys file. They were
not being set properly after the file was written out leaving it
readable to any system user.

Remove os_auth from win-files.txt

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/106]
  • Merged TimeStamp : 2014-03-07 21:50:49
  • Create TimeStamp : 2014-03-04 19:19:58

After commit 75a9104 the os_auth daemon no longer gets made during builds on NIX based systems so copying over the files is no longer necessary.

Adding a new sshd rule for bad packet lengths

  • Submitted by : joshgarnett
  • Full Pull Request : [https://github.com//pull/105]
  • Merged TimeStamp : 2014-03-04 14:38:51
  • Create TimeStamp : 2014-03-04 14:13:11

Nothing fancy, just a new rule for an sshd message I encountered recently. Unit test created also.

Fix win32ui messages

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/104]
  • Merged TimeStamp : 2014-03-05 02:07:23
  • Create TimeStamp : 2014-03-03 21:54:03

These messages were a little all over the place with their style
and what they were saying. This is my attempt at cleaning them up a
bit so they are a little more clear and cleaner in their presentation.

Free install_date pointer

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/103]
  • Merged TimeStamp : 2014-03-07 22:00:56
  • Create TimeStamp : 2014-03-03 21:49:45

I could be wrong about this being necessary but nothing bad happened when I added it and ran my tests.

Remove debug messages in src/win32/ui/common.c

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/102]
  • Merged TimeStamp : 2014-03-08 16:17:34
  • Create TimeStamp : 2014-03-03 21:46:31

These debug messages aren't particularly helpful and there isn't
any easy way to even put the win32ui into debug mode that I have
found so I feel they should be removed.

Fix permissions and privilege detection

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/100]
  • Merged TimeStamp : 2014-03-07 21:48:03
  • Create TimeStamp : 2014-03-03 21:39:10

When using the win32ui to change the server IP or import the
authentication key the permissions on ossec.conf and client.keys
were not set correctly resulting in any system user being able to
read the contents of these files.

This brought on some additional problems where the win32ui was unable
to properly detect if it was running with Administrative privileges.
The previous logic would attempt to read/write a .test file in the
OSSEC directory but thanks to a mixture of UAC redirection, an
unsigned binary and not requiring Administrative privileges these
tests would always pass. That means the win32ui would be able to run
without Administrative privileges.

This solution still isn't the best. It would be better if proper
win32 APIs were used to set permissions and determine if the win32ui
was started with the proper privileges. This is just an interim
solution to get something out the door.

Fix win32 setup log message

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/99]
  • Merged TimeStamp : 2014-03-05 02:02:30
  • Create TimeStamp : 2014-03-03 21:20:55

When installing the win32 agent it does a call to checkVista() which
logs a message. The problem is no name is set so (null) is placed
where the executable name should be. This sets the name so that
the executable name is displayed instead of (null).

Before/after log output screenshots not included.

Add install date to win32ui

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/98]
  • Merged TimeStamp : 2014-03-07 21:52:47
  • Create TimeStamp : 2014-03-03 21:12:32

This adds the install date to the lower right status area in the
win32ui. It also gets rid of the sizegrip that was getting added
by the status data area. It gave the impression that the window
could be resized which it can't. It also took up space in the
status area.

Before/after screenshots not included.

Add better version handling to win32ui

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/97]
  • Merged TimeStamp : 2014-03-07 21:43:54
  • Create TimeStamp : 2014-03-03 20:58:42

The delimiter of just '-' (no spaces) was not as strict as it could
be making adding things like releases to the version file, 2.7.1-1
for example not possible. This makes the delimiter " - " (with spaces)
which allows for that type of flexibility.

Remove annoying win32ui dialog box

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/96]
  • Merged TimeStamp : 2014-03-08 17:46:27
  • Create TimeStamp : 2014-03-03 20:51:20

If you close the win32ui, the win32ui is running with Administrative
privileges, everything to run the win32 agent is configured and the
Agent service is not running, a dialog box will pop up informing the user
the service is not running and ask them if they would like to start it.

This to me is an annoyance more than anything. It is likely the user
went into the win32ui to stop the service to begin with and knows it is
stopped.

If anyone has any strong opinions on keeping this I'm all ears.

Add to .gitignore

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/95]
  • Merged TimeStamp : 2014-03-04 14:39:32
  • Create TimeStamp : 2014-03-03 20:43:44

Added temporary vim files and left over files from patches being run.

Fix win32 OS detection

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/94]
  • Merged TimeStamp : 2014-03-07 21:42:41
  • Create TimeStamp : 2014-03-03 20:40:48

This starts to add support for 2012. Change the log message to be
more flexible with what it spits back out to the user after the
checkVista() function is run.

Although this helps with 2012 detection it is not perfect. With the
addition of Windows 8.1/2012 R2 the documentation provided by
Microsoft indicates that the GetVersionEx APIs have been deprecated.
This means that if you are on an 8.1 machine and run GetVersionEx it
will return the Windows 8 version (6.2.0.0). In order to get the
correct version you must target your application for Windows 8.1.

I am just trying to fix installations on 2012 and 2012 R2 so this
code works well enough for now but should be revisited at some point
so that it will work with future Windows versions.

For more details on how to target your application for Windows 8.1 read
the following http://msdn.microsoft.com/en-us/library/windows/desktop/dn481241(v=vs.85).aspx.

Fix the client status exit code

  • Submitted by : pdrakeweb
  • Full Pull Request : [https://github.com//pull/93]
  • Merged TimeStamp : 2014-03-04 14:43:59
  • Create TimeStamp : 2014-03-03 20:09:25

Modify ossec-client.sh and ossec-hids-debian.init such that both the ossec-control and service ossec commands will exit with the proper status code, based on the ossec client process status.

fix problem with umlaut in date string when pre-decoding the log message

  • Submitted by : ChristianBeer
  • Full Pull Request : [https://github.com//pull/92]
  • Merged TimeStamp : 2014-03-07 21:53:10
  • Create TimeStamp : 2014-03-03 16:47:55

Fix comment in win32/ui/common.c

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/87]
  • Merged TimeStamp : 2014-03-01 16:03:08
  • Create TimeStamp : 2014-03-01 15:49:17

OpenBSD deluser rule and remove bro-ids garbage

  • Submitted by : ddpbsd
  • Full Pull Request : [https://github.com//pull/86]
  • Merged TimeStamp : 2014-02-28 14:21:09
  • Create TimeStamp : 2014-02-28 12:55:16

The bro-ids stuff is old, out of date, and never worked properly.

fix to segfault introduced by pull request #81

  • Submitted by : ChristianBeer
  • Full Pull Request : [https://github.com//pull/85]
  • Merged TimeStamp : 2014-02-26 18:59:09
  • Create TimeStamp : 2014-02-26 18:56:35

reported by Antonio Querubin on ossec-dev

I could reproduce the segfault with ossec-analysisd -t -d -d and fixed it.

fix gcc wall warnings seen on travis

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/82]
  • Merged TimeStamp : 2014-02-25 13:10:37
  • Create TimeStamp : 2014-02-25 10:51:15

fix resource leaks in active-response.c

  • Submitted by : ChristianBeer
  • Full Pull Request : [https://github.com//pull/81]
  • Merged TimeStamp : 2014-02-25 13:11:50
  • Create TimeStamp : 2014-02-24 19:15:09
  • fixed resource leaks (found by cppcheck)

fixing gcc -Wall warnings

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/80]
  • Merged TimeStamp : 2014-02-24 15:20:04
  • Create TimeStamp : 2014-02-24 15:07:24

fix spelling preventing building geoip support

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/79]
  • Merged TimeStamp : 2014-02-24 15:06:42
  • Create TimeStamp : 2014-02-24 15:06:01

exit on error during making zlib or cJSON

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/78]
  • Merged TimeStamp : 2014-02-24 15:18:07
  • Create TimeStamp : 2014-02-24 15:05:09

fix cyclic header relationship mem_op.h <-> shared.h

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/77]
  • Merged TimeStamp : 2014-02-24 15:22:04
  • Create TimeStamp : 2014-02-24 15:04:13

rename global agent struct

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/76]
  • Merged TimeStamp : 2014-02-24 15:25:18
  • Create TimeStamp : 2014-02-24 15:03:21

rename global agent struct from logr to agt due to naming conflict to global remoted struct logr

rename syscheck config struct

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/75]
  • Merged TimeStamp : 2014-02-24 15:25:41
  • Create TimeStamp : 2014-02-24 15:02:06

rename syscheck config struct from config to syscheck_config due to naming conflict to struct config in zlib

remove unused declarations

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/74]
  • Merged TimeStamp : 2014-02-24 15:25:59
  • Create TimeStamp : 2014-02-24 15:00:49

fix missing breaks

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/73]
  • Merged TimeStamp : 2014-02-24 15:28:55
  • Create TimeStamp : 2014-02-24 15:00:00

surround binary expression with parenthesis

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/72]
  • Merged TimeStamp : 2014-02-24 15:29:18
  • Create TimeStamp : 2014-02-24 14:59:13

fix missing returns reported by eclipse

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/71]
  • Merged TimeStamp : 2014-02-24 15:29:50
  • Create TimeStamp : 2014-02-24 14:58:21

remove complete bin directory on make clean and ignore failure by removing non existent files

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/70]
  • Merged TimeStamp : 2014-02-24 14:58:31
  • Create TimeStamp : 2014-02-24 14:57:17

fix buffer overflow

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/69]
  • Merged TimeStamp : 2014-02-24 15:08:21
  • Create TimeStamp : 2014-02-24 14:56:18

ignore warning about assignment in condition

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/68]
  • Merged TimeStamp : 2014-02-25 13:11:13
  • Create TimeStamp : 2014-02-24 14:55:23

remove static cJSON library on make clean

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/67]
  • Merged TimeStamp : 2014-02-24 14:58:52
  • Create TimeStamp : 2014-02-24 14:54:13

fix spelling

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/66]
  • Merged TimeStamp : 2014-02-24 14:59:05
  • Create TimeStamp : 2014-02-24 14:53:12

ignore eclipse project files

  • Submitted by : cgzones
  • Full Pull Request : [https://github.com//pull/65]
  • Merged TimeStamp : 2014-02-24 14:58:01
  • Create TimeStamp : 2014-02-24 14:50:27

correct deploy to s3 so that we can test win32 agents.

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/61]
  • Merged TimeStamp : 2014-02-19 22:08:45
  • Create TimeStamp : 2014-02-19 19:58:04

Please accept this - travis does not deploy on pull request builds but I would like to download the generated win32 agents anyway.

Readme update

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/59]
  • Merged TimeStamp : 2014-02-19 17:21:36
  • Create TimeStamp : 2014-02-19 16:30:29

Make remoted.debug in internal_options.conf work

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/58]
  • Merged TimeStamp : 2014-02-19 16:32:12
  • Create TimeStamp : 2014-02-19 16:25:47

This should allow the user to specify a debug level for the remoted
daemon using the remoted.debug option in the internal_options.conf.
The debug level specified on the command line takes precedence.

removing hg files

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/57]
  • Merged TimeStamp : 2014-02-19 16:12:27
  • Create TimeStamp : 2014-02-19 16:06:27

Cherry-picking in @cgzones geoip clean

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/56]
  • Merged TimeStamp : 2014-02-19 15:29:13
  • Create TimeStamp : 2014-02-19 15:25:29

I have merged this but I have not tested it.

Merging in changes from @cgzones

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/55]
  • Merged TimeStamp : 2014-02-19 15:18:46
  • Create TimeStamp : 2014-02-19 15:18:01

Travis ci build windows and fix for setenv not being available on win32

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/53]
  • Merged TimeStamp : 2014-02-18 21:05:15
  • Create TimeStamp : 2014-02-18 20:54:58

Use cJSON instead of writing a custom JSON output format.

  • Submitted by : reyjrar
  • Full Pull Request : [https://github.com//pull/49]
  • Merged TimeStamp : 2014-02-18 18:01:52
  • Create TimeStamp : 2014-02-17 18:42:26

This addresses Issue#32. I have tested that this code builds and runs. I had to tweak the config for the ZeroMQ output stuff, so if @jrossi can sanity check, that would be ideal. I also added a .gitignore.

Disable /var/ossec/queue/diff/*state.$epoch files, they were not used.

  • Submitted by : reyjrar
  • Full Pull Request : [https://github.com//pull/45]
  • Merged TimeStamp : 2014-02-16 14:10:53
  • Create TimeStamp : 2014-02-15 12:58:54

This feature isn't being used and can lead to running out of inodes on server systems. Mickey removed the tracking of old diffs because we had no need for it.

Feature: activeresponse with filename

  • Submitted by : reyjrar
  • Full Pull Request : [https://github.com//pull/44]
  • Merged TimeStamp : 2014-02-17 15:44:44
  • Create TimeStamp : 2014-02-15 12:52:50

Will require an update to the documentation as the filename is appended to the argument list for AR events with filename attributes in the eventinfo struct.
Includes a test for the os_shell_escape() function that's been added to string_op.c
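To illustrate why the filename has to be escaped before it is appended to the active-response argument list, here is an added C example; it is not OSSEC's os_shell_escape() or its argument layout (neither is shown on this page). The backslash-escaping routine refuses control characters, and the command builder uses it; the script path, argument order and sample alert values are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Shell metacharacters that get a backslash before they are placed on an
 * active-response command line. Control characters (newline, tab, ...) are
 * rejected instead, because backslash-newline is line continuation in sh. */
static const char SHELL_SPECIALS[] = " \"'`$\\&|;<>()[]{}*?~#!";

/* 1 if the string contains any control character, else 0. */
int has_control_chars(const char *s)
{
    for (; *s; s++)
        if (iscntrl((unsigned char)*s))
            return 1;
    return 0;
}

/* Newly allocated copy of `in` with every metacharacter backslash-escaped.
 * Caller frees. NULL on allocation failure or if `in` has control chars. */
char *shell_escape(const char *in)
{
    if (has_control_chars(in))
        return NULL;
    char *out = malloc(strlen(in) * 2 + 1);   /* worst case: all escaped */
    if (!out)
        return NULL;
    char *p = out;
    for (const char *s = in; *s; s++) {
        if (strchr(SHELL_SPECIALS, *s))
            *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Build the AR command line with the escaped filename appended last.
 * The argument order here is hypothetical, not OSSEC's documented layout:
 *   <script> <action> <user> <srcip> <alert-id> <rule-id> <filename>
 * Returns a malloc'ed string, or NULL if the filename is refused. */
char *build_ar_command(const char *script, const char *action,
                       const char *user, const char *srcip, const char *alert_id,
                       const char *rule_id, const char *filename)
{
    char *safe = shell_escape(filename);
    if (!safe)
        return NULL;
    size_t need = strlen(script) + strlen(action) + strlen(user) +
                  strlen(srcip) + strlen(alert_id) + strlen(rule_id) +
                  strlen(safe) + 7;   /* six spaces + NUL */
    char *cmd = malloc(need);
    if (cmd)
        snprintf(cmd, need, "%s %s %s %s %s %s %s", script, action, user,
                 srcip, alert_id, rule_id, safe);
    free(safe);
    return cmd;
}

int main(void)
{
    /* Constructed syscheck path carrying injected shell metacharacters. */
    char *cmd = build_ar_command("/var/ossec/active-response/bin/host-deny.sh",
                                 "add", "-", "10.0.0.5", "1390000000.1", "550",
                                 "/tmp/a b;rm -rf ~");
    if (cmd) {
        puts(cmd);   /* the filename survives as one escaped argument */
        free(cmd);
    }
    return 0;
}
```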

Adding some additional sshd rules

  • Submitted by : joshgarnett
  • Full Pull Request : [https://github.com//pull/43]
  • Merged TimeStamp : 2014-02-15 03:32:23
  • Create TimeStamp : 2014-02-14 15:06:05

Added some new sshd rules for 1002 errors I encountered in production.

eventchannel: fix bug with bookmarks

  • Submitted by : gaelmuller
  • Full Pull Request : [https://github.com//pull/40]
  • Merged TimeStamp : 2014-02-04 15:55:29
  • Create TimeStamp : 2014-02-04 13:45:31

Fixes a bug present in the eventchannel log_format when using bookmarks (only-future-events not set in config file), that results in events not being monitored, with the following error in the log:

 Subscription error: 87

Output unformatted JSON and include the file path for syscheck alerts in ZeroMQ JSON output

  • Submitted by : justintime32
  • Full Pull Request : [https://github.com//pull/38]
  • Merged TimeStamp : 2014-02-03 18:27:50
  • Create TimeStamp : 2014-02-03 18:25:26

Unformatted JSON should be used rather than formatted JSON since it would typically be used by other programs and not read directly by users.

The file path should be included in syscheck alerts so a receiving program doesn't have to scrape it from the log message.

Removed keepalive message from win_agent.c when not in debug

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/35]
  • Merged TimeStamp : 2014-02-03 16:46:30
  • Create TimeStamp : 2014-02-03 15:46:35

Seems a bit excessive to have this message in the logs when not in any kind of debug mode. That is what I am observing on some of the windows agents we are running as of right now.

better install for eventchannel support (now only 1 installer)

  • Submitted by : gaelmuller
  • Full Pull Request : [https://github.com//pull/34]
  • Merged TimeStamp : 2014-02-03 20:48:37
  • Create TimeStamp : 2014-02-03 10:41:37

This follows this commit: 75a9104

This commit modifies the build process of the Windows installer in order to have only one installer handle two cases:

  • Deploy ossec-agent-eventchannel.exe on Vista or greater
  • Deploy ossec-agent.exe otherwise

The installer packages the two executables and checks Windows version at runtime in order to decide which version of "ossec-agent.exe" should be used.

Fix debug level message used by NIX daemons to be more clear

  • Submitted by : awiddersheim
  • Full Pull Request : [https://github.com//pull/33]
  • Merged TimeStamp : 2014-02-02 14:44:14
  • Create TimeStamp : 2014-02-02 14:16:06

add eventchannel support for ossec agent on windows vista or greater

  • Submitted by : gaelmuller
  • Full Pull Request : [https://github.com//pull/28]
  • Merged TimeStamp : 2014-01-31 20:49:36
  • Create TimeStamp : 2014-01-30 15:49:35

This pull request adds a new feature to the windows agent, to be able to monitor "Application and Services Logs" that appeared with Windows Vista. This is not currently possible (OSSEC will read the "Applications" eventlog instead).

Previous discussions on this topic:

For example, we can now monitor the "Microsoft-Windows-PrintService/Operational" eventlog with this config:

<localfile>
  <location>Microsoft-Windows-PrintService/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

By default, OSSEC will keep track of where it was before stopping, which means that it will read (at start time) all events that occurred between stop and start in order not to miss any event. However, you can cancel this behaviour with the "only-future-events" parameter:

<localfile>
  <location>Microsoft-Windows-PrintService/Operational</location>
  <log_format>eventchannel</log_format>
  <only-future-events>yes</only-future-events>
</localfile>

You can also use an XPATH query if you are not interested in all the events (see the event schema to construct queries: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201%28v=vs.85%29.aspx):

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <only-future-events>yes</only-future-events>
  <query>Event/System[EventID=7040]</query>
</localfile>

With this config, OSSEC will only receive events from the "System" eventlog that have an event ID equal to 7040.

Few things to note:

  • When changing the configuration, you should delete saved bookmarks (in the "bookmarks" directory) if you want to avoid unwanted behaviour (getting too much eventlog history on start)
  • This relies on relatively new APIs available on Windows Vista or greater. This has two implications:
    • We cannot use mingw32 to compile anymore, because it is missing these APIs. That is why this PR uses mingw-w64 (which explains a few changes in this PR not related to the added feature).
    • We now have to generate two distinct installers: "ossec-win32-agent.exe" and "ossec-win32-agent-with-eventchannel.exe" because the new one cannot be used on systems older than Vista. We could have only one if we dropped compatibility with older systems (such as Windows XP). This is obviously not wanted at this time.

Note: replaces PR 27 (contained too many commits for an unknown reason ...)

Validate if a file is readable text when report_changes is set

  • Submitted by : northox
  • Full Pull Request : [https://github.com//pull/25]
  • Merged TimeStamp : 2014-01-30 14:38:15
  • Create TimeStamp : 2014-01-30 03:51:45

Syscheckd will save (in /queue/diff/) any file with report_changes
option, e.g. /chroot/dev/urandom (yes it really happened to me), iso, mp3. This patch integrates libmagic
to validate mime type. Only mime type beginning with 'text/', e.g. text/html,
text/plain, will be copied and reported by diff.

This should pave the way for binary diff. ;)

Reviewers: I'm not quite sure about the build process (e.g. MEXTRA, MAGICCMD) so please advise.

HandleClient should try to open the m_queue in WRITE mode instead of READ

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/21]
  • Merged TimeStamp : 2014-02-07 16:21:16
  • Create TimeStamp : 2014-01-29 15:15:54

HandleClient does not ever exit after ossec is stopped or restarted
because the call to StartMQ on line 146 is for READ mode instead of
WRITE. When changed to WRITE, the StartMQ call fails and ossec-remoted
exits.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/27/handleclient-should-try-to-open-the/diff

Labrown remoted child pid

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/20]
  • Merged TimeStamp : 2014-02-07 16:20:45
  • Create TimeStamp : 2014-01-29 15:05:53

This patch adds creation of PID files for ossec-remoted children so they get properly killed when the ossec service is stopped or restarted.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/28/create-pid-files-for-ossec-remoted/diff

Make analysisd.debug in internal_options.conf work

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/18]
  • Merged TimeStamp : 2014-02-02 02:50:27
  • Create TimeStamp : 2014-01-29 14:48:32

This should allow the user to specify a debug level for the analysisd
daemon using the analysisd.debug option in the internal_options.conf.
The debug level specified on the command line takes precedence.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/38/make-analysisddebug-in/diff

Fix timeout comment in receiver-win.c

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/17]
  • Merged TimeStamp : 2014-02-04 16:01:47
  • Create TimeStamp : 2014-01-29 14:36:49

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/30/fix-timeout-comment-in-receiver-winc/diff

Allow NIX agent to use "-f" option and run in foreground

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/16]
  • Merged TimeStamp : 2014-02-13 06:47:00
  • Create TimeStamp : 2014-01-29 14:32:30

While this works I'm not sure I fully understand how it affects this code when the agent is actually run in the foreground:

srandom( time(0) + getpid()+ pid + getppid());

My guess is this is why the foreground option was never implemented for this daemon in the first place. Seems like the random stuff is only used with keep_alive messages and might not be that big of a deal but I'd appreciate someone double checking.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/35/allow-nix-agent-to-use-f-option-and-run-in/diff

Make syscheck.debug in internal_options.conf work

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/14]
  • Merged TimeStamp : 2014-02-02 03:02:44
  • Create TimeStamp : 2014-01-29 14:02:07

This should allow the user to specify a debug level for the syscheck
daemon on NIX machines using the syscheck.debug option in the
internal_options.conf. The debug level specified on the command line
takes precedence. Also, added starting up messages to match what some of
the daemons do.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/34/make-syscheckdebug-in-internal_optionsconf/diff

Awiddersheim fix ossec agent debug internal option nix

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/13]
  • Merged TimeStamp : 2014-02-02 02:53:43
  • Create TimeStamp : 2014-01-29 13:51:34

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/31/fixed-agentdebug-option-in/diff

Made the command line debug level take precedence over what is specified in internal_options.conf.

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/12]
  • Merged TimeStamp : 2014-01-30 14:19:42
  • Create TimeStamp : 2014-01-29 13:43:00

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/33/fixed-logcollectordebug-option-in/diff

Fix the removal of start menu shortcuts for windows agent

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/11]
  • Merged TimeStamp : 2014-02-13 06:42:14
  • Create TimeStamp : 2014-01-29 13:37:48

Refer to
http://nsis.sourceforge.net/Shortcuts_removal_fails_on_Windows_Vista.
This fixes issues on machines that run Vista or newer.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/24/fix-the-removal-of-start-menu-shortcuts/diff

Add TimeGenerated to the output of Windows Event Logs

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/9]
  • Merged TimeStamp : 2014-02-07 16:23:50
  • Create TimeStamp : 2014-01-29 05:14:31

Updated read_win_el.c to include TimeGenerated from an EVENTLOGRECORD
formatted into a human readable format for better logging. Also updated
the decoder to handle this change.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/23/add-timegenerated-to-the-output-of-windows/diff

Add remove agent cmd line option to manage_agents

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/8]
  • Merged TimeStamp : 2014-02-07 17:27:43
  • Create TimeStamp : 2014-01-29 05:09:29

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/22/add-remove-agent-cmd-line-option-to/diff

Fix potential infinite loop when adding new agent using file input

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/7]
  • Merged TimeStamp : 2014-02-07 17:26:50
  • Create TimeStamp : 2014-01-29 05:03:04

When adding a new agent using the -f option provided by manage_agents
there is a possibility that it loops infinitely if you have used up all
of the potential IDs. It will say that the ID needs to be unique since
the last ID checked is already in use. This commit adds a new message
stating the problem and prevents the infinite loop. It also increases
the amount of IDs manage_agents will look at when adding new agents both
in the interactive mode and when using the -f option.

Original pull request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/21/fix-potential-infinite-loop-when-adding

agent_config profiles for windows

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/6]
  • Merged TimeStamp : 2014-01-30 14:15:37
  • Create TimeStamp : 2014-01-29 04:46:18

Current version of OSSEC's windows agent ignores every in its configuration. This PR corrects this bug so that config profiles also work on windows.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/20/agent_config-profiles-for-windows/diff

fix openssl operations on non blocking socket

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/4]
  • Merged TimeStamp : 2014-01-31 21:14:22
  • Create TimeStamp : 2014-01-29 04:38:37

I was having problems with ossec-authd (SSL Accept error + SSL Read error). This was due to incorrect error handling for these two operations in the context of non blocking sockets (which is the case for the ossec-authd server).

I don't know why I seem to be the only one to experience this issue (maybe my LAN is particularly slow ... :/)
The diff contains a lot of noise because I removed an if/else construct, and then reindented a big block of code.

Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/26/fix-openssl-operations-on-non-blocking/diff

@gaelmuller

ZeroMQ Json Output

  • Submitted by : jrossi
  • Full Pull Request : [https://github.com//pull/2]
  • Merged TimeStamp : 2014-02-01 01:06:37
  • Create TimeStamp : 2014-01-25 18:33:56

This is a complete patch that will allow the outputing of all alerts
to a zeromq PUB socket in JSON format.

New Config:

<ossec>
  <global>
      <zeromq_output>yes|no</zeromq_output>
      <zeromq_uri>tcp://localhost:11111</zeromq_uri>

Some things had to change to allow this to work, based on the
preprocessor defines:

  • WINDOWS was redefined by OSSEC and is used by GCC; changed
    the define to DECODER_WINDOWS
  • __name was redefined by OSSEC and is used by GCC; changed
    the define to be __ossec_name