As promised, I didn’t let the momentum die off. Releasing today v2016-04 with multiple improvements to our log engine and rootcheck.
Key ones from Changelog:
Changes with 2016-04
- Feature: Added a default temp (shared) password for os_authd
- Feature: Added detection of outdated CMSs on rootcheck: WordPress, Joomla & Drupal.
- Feature: Added geoip change alerts by default on SSHD/WordPress rules.
- Feature: Added signatures to detect Darkleech, Cdorked and some common web backdoors and linux malware.
- Feature: Added option to negate a pattern when using the OSMatch library.
- Bug fix: Glob() implementation on logcollector. Was very very slow if you have a few hundred entries.
- Bug fix: Rootcheck sigs causing false positives on cpanel servers.
- Bug fix: Finding right OpenSSL path on Debian.
The one I am most excited about is the new keyword in our regex library: a pattern that starts with "!" inverts the behavior of the library, so it returns true when the pattern is not found. This is very useful when writing subrules that should fire when something is not present in the log.
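To show what the negated pattern buys you inside a parent/subrule pair, here is an added example (not OSSEC's code and not part of this release): a toy Python re-implementation of OSMatch semantics ("|", "^", "$" and the new leading "!") run over a constructed two-rule set and sample log lines. The rule ids, the log lines and the exact `<match>` syntax for negation are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule set (not from the release). Assumed syntax: <match> holds an
# OSMatch pattern; a leading "!" negates it, so rule 100101 fires only when the
# login line does NOT contain "publickey".
RULES_XML = """
<group name="example">
  <rule id="100100"><match>^sshd: login</match></rule>
  <rule id="100101"><if_sid>100100</if_sid><match>!publickey</match></rule>
</group>
"""

def compile_osmatch(pattern):
    """Return (negate, alternatives). Assumed OSMatch semantics: '|' separates
    alternatives, '^' anchors the start, '$' the end, else plain substring."""
    negate = pattern.startswith("!")
    return negate, (pattern[1:] if negate else pattern).split("|")

def _alt_hits(alt, line):
    start, end = alt.startswith("^"), alt.endswith("$")
    core = re.escape(alt[start:len(alt) - end])          # bools slice as 1/0
    return re.search(("^" if start else "") + core + ("$" if end else ""), line) is not None

def osmatch(compiled, line):
    """True when any alternative is found; with negate set, True when NONE is."""
    negate, alts = compiled
    found = any(_alt_hits(a, line) for a in alts)
    return not found if negate else found

def load_rules(xml_text):
    return [{"id": r.get("id"), "parent": r.findtext("if_sid"),
             "match": compile_osmatch(r.findtext("match"))}
            for r in ET.fromstring(xml_text).iter("rule")]

def evaluate(rules, line):
    """Id of the rule that fires: a subrule is only tried after its parent
    matched and, if it matches too, it wins over the parent."""
    parent = next((r for r in rules if r["parent"] is None
                   and osmatch(r["match"], line)), None)
    if parent is None:
        return None
    child = next((r for r in rules if r["parent"] == parent["id"]
                  and osmatch(r["match"], line)), None)
    return (child or parent)["id"]

RULES = load_rules(RULES_XML)
```

A login line carrying "publickey" stays at the parent rule 100100, while one without it escalates to 100101, which is the case a positive-only match cannot express.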
I will do a follow up article about it soon.
You can download this release from: https://dcid.me/ossec
Full changelog: http://dcid.me/ossec-packages/CHANGELOG.txt
OSSEC related articles since last release:
https://blog.sucuri.net/2016/03/server-security-anomaly-behaviour-with-ossec.html
https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-rootcheck.html
https://blog.sucuri.net/2016/02/server-security-adding-wordpress-visibility-into-ossec.html