OSSEC v2.6 is out!

OSSEC v2.6 was just released (finally :)) and you can get more details here: http://www.ossec.net/main/ossec-v2-6-released

We are very happy to announce the availability of OSSEC version 2.6.

This has been a long release cycle, but it is here now with some good new features and very stable (thanks to our beta users). Our manual for the new version is also live at http://www.ossec.net/doc/.



Posted in ossec, v2.6 | Tagged , | 3 Comments

OSSEC 2.6 beta-1 available

This has been a long release cycle, but OSSEC 2.6 BETA1 is now available. Helping us out testing the beta version is a great way to contribute back to the project and the best way to get started on it.

How to test the BETA?

Download it from here:

And install on as many systems as you can. Make sure that the upgrade/install process is working without errors and that everything that was working before still it. If everything works (or you see any error), post in the comments section in here, send to the mailing list or privately to us (dcid@ossec.net).

Testing the new features

In addition to making sure everything still works, you can try some of the new features (full list here):

Plus a bunch of bug fixes… Let us know how it goes.

Posted in beta, ossec | 7 Comments

Improved reporting for file changes (OSSEC)

One that that always annoyed me on OSSEC was that ossec-reported didn’t list the file changes (from syscheck) and that I couldn’t use the filtering options in there for them. Well, that’s solved now :)

On the latest OSSEC snapshot you can use the “filename” option to filter and correlate values. For example, if I run the default reporting for the month of May I will see at the bottom a list of file changes:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd
Top entries for ‘Filenames’:
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

And you can also use the related options to see on which agents the files were changed. So for a basic integrity monitoring report, I would filter for the group syscheck and list where each file was changed:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
Top entries for ‘Filenames’:
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

Related entries for ‘Location’:
web1->syscheck |1 |
    filename: ‘/etc/ossec-init.conf’
    filename: ‘/var/www/x/js.js’
    filename: ‘/var/www/x/index.php’
    filename: ‘/etc/ossec-init.conf’
    filename: ‘/etc/ossec-init.conf’

So the report is simple. It shows which files were changed and how many times (for example, ossec-init changed 3 times, on 3 agents). I am even thinking on making these reports enabled by default and reducing the severity of the normal syscheck alerts so they don’t get sent by email. Comments?

Posted in ossec | 2 Comments

Running multiple OSSEC decoders on the same event

If you need to run multiple decoders on the same log to extract additional pieces of information (and at the same time do not affect the original decoder), we have a simple way to do so.

Just create multiple child decoders with the same name and no “prematch” and all of them will be evaluated. A good example is for the Microsoft event logs. This is our original decoder for Windows:

<decoder name=”windows-sub1″>
<prematch>^WinEvtLog: </prematch>
<regex offset=”after_prematch”>^\.+: (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
<order>status, id, extra_data, user, system_name</order>
<fts>name, location, user, system_name</fts>

You will see that we do not extract a soure IP address from there (only user, system name, location, etc). If we wanted to extract the source IP address whenever it is available, we would need to check all the variations (Source Network Address:, Source IP Address:, etc). By using sub-decoders we can check for them without affecting the original:

<decoder name=”windows”>
<prematch>^WinEvtLog: </prematch>

<decoder name=”windows-sub1″>
<regex offset=”after_parent”>^\.+: (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
<order>status, id, extra_data, user, system_name</order>
<fts>name, location, user, system_name</fts>

<decoder name=”windows-sub1″>
<regex offset=”after_regex”>Source Network Address: (\S+)</regex>

<decoder name=”windows-sub1″>
<regex offset=”after_regex”>Source IP Address: (\S+)</regex>

You see that all of them are named “windows-sub1″ and none of them have a prematch. Another option is to use the “after_regex” in the offset so OSSEC won’t check the whole string again…

Posted in ossec, v2.6 | 2 Comments

Blocking repeated offenders with OSSEC

By default OSSEC has a static timeout on our active response scripts. You specify the action and how long to block the IP Address:


Which works well for most of the time. However, if you need to increase the timeout for repeated offenders (say the same IP trying to brute force your server all the time), you would have to do this manually.

To solve this problem, we added a new option to the active response config (repeated_offenders):


It allows you to specify a comma separated list of timeouts per re-incidence (in minutes). So the first time an IP is blocked it would use the default timeframe (600 seconds). If it gets blocked again, it would use the first entry in the <repeated_offenders> list (30 minutes = 1800 seconds), then 60 minutes and then 120 minutes… Anything above that would use the latest entry.

To use this option, you have to download the latest snapshot from: http://bitbucket.org/dcid/ossec-hids (just click on get source).

Posted in ossec, v2.6 | 4 Comments

Automatically creating and setting up the agent keys

The complain I hear more often about OSSEC is related to how hard it is to setup the authentication keys between the agents and the manager. Each agent share a key-pair with the manager, so if you have a thousand agents, you need a thousand keys.

To make life easier, we added a new daemon on the manager, called ossec-authd. To get that working, you need the latest snapshot (just get from here:https://bitbucket.org/dcid/ossec-hids (click on get source)).

Once you have the new version running, you need to create the certificate / private key for SSL (note that OSSEC will look at /var/ossec/etc/sslmanager.cert and /var/ossec/etc/sslmanager.key for them).

# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

*note that you only need to run this command on the manager (not on the agents)

Once the keys are created, you can start the ossec-authd:

# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &

Setting up the agents

On the agents, the work is minimal. All you have to do is to run the following command:

# /var/ossec/bin/agent-auth -m -p 1515

INFO: Connected to
INFO: Using agent name as: melancia
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
INFO: Connection closed.

Where is your manager IP address. Inside the manager, you will also see the logs:

2011/01/19 15:04:40 ossec-authd: INFO: New connection from
2011/01/19 15:04:41 ossec-authd: INFO: Received request for a new agent (melancia) from:
2011/01/19 15:04:41 ossec-authd: INFO: Agent key generated for melancia (requested by
2011/01/19 15:04:41 ossec-authd: INFO: Agent key created for melancia (requested by

That’s it. The keys are now exchanged and you can start your agent. Note that I don’t recommend to keep the ossec-authd running during “normal” operations, only when you are setting up your agents.

The code is still in alpha/beta mode, so let us know if you find any issues (I have been using for a little while, so should be stable).

Posted in ossec | 15 Comments

OSSEC Award daemon

I just got that via the mail today:


If you can’t see well from the image, it is a beautiful plaque from the OSSEC community (Michael Starks, I know it was your idea :)) and it says (in the OSSEC alert format):

OSSEC HIDS Notification
2010 Oct 20 15:10:04
Received from: ossec-community->/var/log/community.log
Rule: 1000000 (Level: 15) -> “A sincere thanks”
Portion of the log(s):

Oct 20 15:10:04 allhosts ossec-awardd[423]: To: Daniel Cid. From: OSSEC Community. Thank you for your tireless devotion to making our digital world a safer place.


It was the last think I was expecting and It meant a lot to me, thanks! This week of OSSEC is getting better each day :)

Posted in ossec | Leave a comment

2WoO: Day 3: Contributing to OSSEC

There are many types of open source projects out there. Many have the code base open (GPL, BSD, etc), but not all of them have an open culture.

On OSSEC, we try to be fully open. Not only the source code, but open to contributions, open to new developers, open to new ideas and open (friendly) to new users. So if you want to become involved and participating in this project, we have a few recommendations.

These recommendations will probably be valid for most open source projects, not only OSSEC.

How to get started:

1-The first thing you have to do is to become an active OSSEC user. I mean, install it on as many machines as you can, try different setups, see things you don’t like and start from there. Become passionate about it if you want to make a difference.

2-Start small. As any project, it takes some time to get used to how it works and how the code is organized. So start from simple things. Even if you detect a typo, try to fix that first and send us the patch.

3-Consider contributing your customizations. If you had to add a simple local rule to ignore a noisy event, send that to us! Get the log that was causing the false alert and the rule you created and send to our development mailing list or to our IRC channel (details after).

4-Get involved on our mailing lists and on IRC to see the needs and issues most users have.

5-You don’t need to be a developer or code in C. You can contribute with documentation, with the rules/decoders or even testing it. We also have our web interface (PHP), active responses/install scripts (in shell) that you can help out. So no excuses :)

Getting involved:

1-Our code base is available on bit bucket: http://bitbucket.org/dcid/ossec-hids/

2-Our documentation is also on bit bucket: http://bitbucket.org/jrossi/ossec-rules

3-We are always on IRC (#ossec on irc.freenode.org). That’s the best way to get quickly feedback from us and get to know everyone actively involved.

4-We also have a development mailing list, but via IRC is recommended.

If you don’t know how to access our repository on bit bucket, this link should help you: http://hginit.com

Any questions, let us know.

Posted in ossec | 2 Comments

Week of OSSEC (2WoO) – Oct 17-23

Taken from: http://www.ossec.net/main/week-of-ossec-2woo-oct-17-23

Week of OSSEC: Day -2
Michael Starks had the great idea to get everyone together and organize the second annual week of ossec. Last year he was the only one participating, but this year we hope to have many contributions.

To get started, Syngress decided to help out and release a few chapters of the OSSEC book for free. Plus, they are giving 30% off the book for anyone interested. Just go here and use the promotion code “43663″.

The PDF’s for the book can be downloaded here:

Chapter 2 – Installation
Chapter 3 – General configuration
Chapter 4 – Writing log analysis rules

For updates on the Week of OSSEC, I will be “tweeting” new articles: @danielcid and @ddpbsd as well.

Some blogs to follow for updates:

Michael Stark
Daniel Cid’
Dan Parriott
Xavier Mertens (he already started with a nice post).
Jason Frisvold
David Dede

And I am sure many others. If you plan on contributing, send me a note and I will add your blog/twitter link here.

Posted in ossec | Leave a comment

OSSC v2.5.1 released

Early this week we pushed OSSEC v2.5.1 out, but forgot to mention here in the blog. If you had issues with v2.5, you can download the new version here: http://www.ossec.net/main/downloads/

Some of the things we fixed/added:

-Logcollector crashing when using some globs.
-Logcollector crashing with the alias command monitoring.
-Analysisd crashing with report_changes enabled + local ignore rules.
-Some Windows rules were not matching properly.
-Added no_ar option to the rules (by Jeremy Rossi and Scott at atomicrocketturtle.com)
-Docs fixed by Michael Starks.

Also, if you are having issues with HPUX, try this snapshot where we fixed it: http://www.ossec.net/files/snapshots/ossec-hids-101014.tar.gz
(didn’t get included on v2.5.1).

Posted in ossec, v2.5 | Leave a comment