OSSEC 2.8.0 Changelog
Summary
* bug fix of eventchannel timestamp (by jrossi)
* Align eventchannel log format with eventlog, fixes #155 (by gaelmuller)
* fix active-response on mac os installation (by jknockaert)
* os_net fixes (by cgzones)
* Fixes #194. Checks for both paths of openssl (by harshilmathur)
* os_regex review (by cgzones)
* os_regex unit tests #2 (by cgzones)
* Windows agent UI version and Copyright update (by jbcheng)
* os_regex unit tests (by cgzones)
* [tests] explicit enable branch coverage for new version of lcov (by cgzones)
* [os_xml] fix possible array underflows: see coverity (by cgzones)
* Avoid a crash of agentd on Solaris. (by danpop60)
* Use the environment for the CC binary (by jrossi)
* Fixes to win32 installation (by awiddersheim)
* Fix windows agent compile error/warnings #define ENOBUFS, ALERT_SYSTEM_ERR (by jbcheng)
* Moving ossec-lua back to posix so that we do not have a libreadline dep (by jrossi)
* os_xml refresh2 (by cgzones)
* Added more Vista+-associated event IDs for existing rules (by mstarks01)
* Added #include for errno.h in os_net.c (by denied39)
* Fixes to win32 (un)installation process (by awiddersheim)
* Removing event ID 676 (by mstarks01)
* Remove event ID 672 (by mstarks01)
* Added option to ossec.conf (additional email header) (by dopefish)
* Fix make.sh files for win32 (by awiddersheim)
* Continue removing the bro-ids stuff (by ddpbsd)
* os_xml review (by cgzones)
* Unittest os regex (by jrossi)
* Fix compile warnings with win32 (by awiddersheim)
* Remove win32 service start and stop executables (by awiddersheim)
* os_zlib update (by cgzones)
* enable full clang support and remove gcc dependencies (by cgzones)
* Added error checking to ossec.conf installation (by awiddersheim)
* Show details during win32 installation (by awiddersheim)
* Fixes to win32 services (by awiddersheim)
* Added /? as a parameter to ossec-agent on win32 (by awiddersheim)
* Update manage_keys.c (by awiddersheim)
* Use file command in ossec-installer.nsi (by awiddersheim)
* Fixes to ossec-installer.nsi (by awiddersheim)
* SetDateSave off in ossec-installer.nsi (by awiddersheim)
* Grandstream ATA decoder (by mstarks01)
* A simple script to calculate OSSEC events-per-second (by mstarks01)
* removing deploy from travis-ci (by jrossi)
* ossec-lua lua interpreter (by jrossi)
* Fixing route-null active response on Windows (by mstarks01)
* Remove ui.nsi (by awiddersheim)
* Fixes to ossec-installer.nsi (by awiddersheim)
* Fixes to ossec-installer.nsi (by awiddersheim)
* add eventchannel (again) with proper build (by gaelmuller)
* remove unused source code files (by cgzones)
* Remove local file additions in setup-win.c (by awiddersheim)
* Fix win32 ARGV0 names (by awiddersheim)
* simplify cJSON makefile (by cgzones)
* fix clang -Wall warnings (by cgzones)
* enable geoip in travis build (by cgzones)
* Make manage_agents.exe work on win32 (by awiddersheim)
* Remove os_auth from win-files.txt (by awiddersheim)
* Adding a new sshd rule for bad packet lengths (by joshgarnett)
* Fix win32ui messages (by awiddersheim)
* Free install_date pointer (by awiddersheim)
* Remove debug messages in src/win32/ui/common.c (by awiddersheim)
* Fix permissions and privilege detection (by awiddersheim)
* Fix win32 setup log message (by awiddersheim)
* Add install date to win32ui (by awiddersheim)
* Add better version handling to win32ui (by awiddersheim)
* Remove annoying win32ui dialog box (by awiddersheim)
* Add to .gitignore (by awiddersheim)
* Fix win32 OS detection (by awiddersheim)
* Fix the client status exit code (by pdrakeweb)
* fix problem with umlaut in date string when pre-decoding the log message (by ChristianBeer)
* Fix comment in win32/ui/common.c (by awiddersheim)
* OpenBSD deluser rule and remove bro-ids garbage (by ddpbsd)
* fix to segfault introduced by pull request #81 (by ChristianBeer)
* fix gcc wall warnings seen on travis (by cgzones)
* fix resource leaks in active-response.c (by ChristianBeer)
* fixing gcc -Wall warnings (by cgzones)
* fix spelling preventing building geoip support (by cgzones)
* exit on error during making zlib or cJSON (by cgzones)
* fix cyclic header relationship mem_op.h <-> shared.h (by cgzones)
* rename global agent struct (by cgzones)
* rename syscheck config struct (by cgzones)
* remove unused declarations (by cgzones)
* fix missing breaks (by cgzones)
* surround binary expression with parenthesis (by cgzones)
* fix missing returns reported by eclipse (by cgzones)
* remove complete bin directory on make clean and ignore failure by removi... (by cgzones)
* fix buffer overflow (by cgzones)
* ignore warning about assignment in condition (by cgzones)
* remove static cJSON library on make clean (by cgzones)
* fix spelling (by cgzones)
* ignore eclipse project files (by cgzones)
* correct deploy to s3 so that we can test win32 agents. (by jrossi)
* Readme update (by jrossi)
* Make remoted.debug in internal_options.conf work (by awiddersheim)
* removing hg files (by jrossi)
* Cherry-picking in @cgzones geoip clean (by jrossi)
* Merging in changes from @cgzones (by jrossi)
* Travis ci build windows and fix for setenv not being available on win32 (by jrossi)
* Use cJSON instead of writing a custom JSON output format. (by reyjrar)
* Disable /var/ossec/queue/diff/*state.epoch files, they were not used. (by reyjrar, https://github.com/ossec/ossec-hids/pull/45)
* Feature: activeresponse with filename (by reyjrar)
* Adding some additional sshd rules (by joshgarnett)
* eventchannel: fix bug with bookmarks (by gaelmuller)
* Output unformatted JSON and include the file path for syscheck alerts in ZeroMQ JSON output (by justintime32)
* Removed keepalive message from win_agent.c when not in debug (by awiddersheim)
* better install for eventchannel support (now only 1 installer) (by gaelmuller)
* Fix debug level message used by NIX daemons to be more clear (by awiddersheim)
* add eventchannel support for ossec agent on windows vista or greater (by gaelmuller)
* Validate if a file is readable text when report_changes is set (by northox)
* HandleClient should try to open the m_queue in WRITE mode instead of READ (by jrossi)
* Labrown remoted child pid (by jrossi)
* Make analysisd.debug in internal_options.conf work (by jrossi)
* Fix timeout comment in receiver-win.c (by jrossi)
* Allow NIX agent to use "-f" option and run in foreground (by jrossi)
* Make syscheck.debug in internal_options.conf work (by jrossi)
* Awiddersheim fix ossec agent debug internal option nix (by jrossi)
* Made the command line debug level take precedence over what is specified (by jrossi)
* Fix the removal of start menu shortcuts for windows agent (by jrossi)
* Add TimeGenerated to the output of Windows Event Logs (by jrossi)
* Add remove agent cmd line option to manage_agents (by jrossi)
* Fix potential infinite loop when adding new agent using file input (by jrossi)
* agent_config profiles for windows (by jrossi)
* fix openssl operations on non blocking socket (by jrossi)
* ZeroMQ Json Output (by jross)
Detailed Change log
bug fix of eventchannel timestamp
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/208]
Merged TimeStamp : 2014-05-22 13:10:57
Create TimeStamp : 2014-05-18 14:43:04
I think this is the issue identified in #206. The function returned a pointer to a local variable, so the result would be undefined.
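A minimal illustration of the defect class this fix addresses, added here as an example and not taken from the project's eventchannel code: a formatter that hands back a pointer to a stack buffer, beside the caller-supplied-buffer form that replaces it. The function names, the timestamp format and the return convention are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

#if 0
/* The bug pattern (kept out of the build on purpose): `result` lives on the
 * stack of format_timestamp_bad() and is gone as soon as the function
 * returns, so the caller reads through a dangling pointer. Compilers warn
 * ("function returns address of local variable") and gcc may even replace
 * the returned address with NULL, which turns the bug into a crash. */
static const char *format_timestamp_bad(time_t t)
{
    char result[32];
    struct tm tm_utc;
    gmtime_r(&t, &tm_utc);
    strftime(result, sizeof result, "%Y %b %d %H:%M:%S", &tm_utc);
    return result;
}
#endif

/* Fixed form: the caller owns the buffer, so the formatted string outlives
 * the call. Returns 0 on success and -1 when the buffer is missing or too
 * small; on failure the buffer holds an empty string rather than garbage.
 * The "%Y %b %d %H:%M:%S" layout is an assumption for this example. */
int format_timestamp(time_t t, char *out, size_t outlen)
{
    struct tm tm_utc;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';

    /* UTC keeps the result independent of the host's TZ setting */
    if (gmtime_r(&t, &tm_utc) == NULL)
        return -1;

    /* strftime returns 0 when the text plus its NUL does not fit */
    if (strftime(out, outlen, "%Y %b %d %H:%M:%S", &tm_utc) == 0)
        return -1;
    return 0;
}

int main(void)
{
    char buf[32];
    if (format_timestamp((time_t)1400000000, buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

The caller decides the lifetime of the buffer, and a too-small buffer is reported instead of silently truncated, which is the property the original code lost by returning a stack address.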
Align eventchannel log format with eventlog, fixes #155
Submitted by : gaelmuller
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/203]
Merged TimeStamp : 2014-05-10 01:08:48
Create TimeStamp : 2014-05-05 15:46:02
Add a "Time Created" field to the eventchannel log format to align it with eventlog.
fix active-response on mac os installation
Submitted by : jknockaert
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/202]
Merged TimeStamp : 2014-05-10 01:09:42
Create TimeStamp : 2014-05-05 15:00:46
Modern versions of mac os support pf, with ipfw to be phased out by (probably) the next version of the os.
os_net fixes
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/200]
Merged TimeStamp : 2014-05-02 00:11:32
Create TimeStamp : 2014-05-01 09:44:37
fix memory leaks (in error branches) and check return values of library calls (see coverity)
Fixes #194. Checks for both paths of openssl
Submitted by : harshilmathur
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/197]
Merged TimeStamp : 2014-04-29 22:23:25
Create TimeStamp : 2014-04-29 22:18:26
Resolves #194, where a change in the opensslconf.h path in Ubuntu 14.04 caused OSSEC to compile without OpenSSL support.
os_regex review
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/195]
Merged TimeStamp : 2014-04-29 12:58:39
Create TimeStamp : 2014-04-29 09:06:18
Changes:
* replace octal values of charmaps with decimal ones (because octal values greater than 127 cause conversion warnings)
* change string size variables to size_t
* rewrite OS_StrStartsWith() so that the length of the pattern does not need to be computed
* enable unit test for regex extraction added by 79460acf9ae79dfd52de72c2599d6f0a3be81e83
* fix a bunch of compiler warnings
* fix coverity warnings about uninitialized array (CID 28590)
os_regex unit tests #2
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/191]
Merged TimeStamp : 2014-04-25 11:02:44
Create TimeStamp : 2014-04-25 10:07:37
unit tests for os_regex's Os_StrStartsWith() and character maps
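An added example covering both the OS_StrStartsWith() rewrite in the os_regex review above and the character-map tests in this entry. It is not the project's code: the function names and the case-folding table are constructed here. It shows the lock-step comparison in which the pattern's length is never computed, and a case-insensitive variant that indexes its folding table with unsigned char so that bytes above 127 (which a plain char would make negative) cannot underflow the table.

```c
#include <stddef.h>
#include <limits.h>

/* One folding entry per byte value. Built at first use for this example;
 * a project would ship it as a static table. */
static unsigned char fold_map[UCHAR_MAX + 1];
static int fold_map_ready = 0;

static void build_fold_map(void)
{
    int c;
    for (c = 0; c <= UCHAR_MAX; c++)
        fold_map[c] = (unsigned char)c;        /* identity for every byte */
    for (c = 'A'; c <= 'Z'; c++)
        fold_map[c] = (unsigned char)(c - 'A' + 'a');   /* ASCII upper -> lower */
    fold_map_ready = 1;
}

/* Returns 1 if `str` begins with `pattern`, 0 otherwise. Both strings are
 * walked in lock-step: no strlen() pass over the pattern, and the scan
 * stops at the first mismatch. If `str` ends first, its NUL differs from
 * the next pattern byte and the loop returns 0, so no read runs past it. */
int str_starts_with(const char *str, const char *pattern)
{
    if (str == NULL || pattern == NULL)
        return 0;
    while (*pattern != '\0') {
        if (*str != *pattern)
            return 0;
        str++;
        pattern++;
    }
    return 1;   /* pattern exhausted: every byte matched */
}

/* Same scan, comparing folded bytes. The cast to unsigned char is the
 * point: with a signed char, a byte such as 0xC3 is -61 and fold_map[-61]
 * reads before the start of the table (an array underflow). */
int str_starts_with_ci(const char *str, const char *pattern)
{
    if (!fold_map_ready)
        build_fold_map();
    if (str == NULL || pattern == NULL)
        return 0;
    while (*pattern != '\0') {
        if (fold_map[(unsigned char)*str] != fold_map[(unsigned char)*pattern])
            return 0;
        str++;
        pattern++;
    }
    return 1;
}
```

The empty pattern matches everything, which is the usual convention and worth pinning down in a unit test alongside the "string shorter than pattern" and high-byte cases.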
Windows agent UI version and Copyright update
Submitted by : jbcheng
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/189]
Merged TimeStamp : 2014-04-23 19:57:54
Create TimeStamp : 2014-04-23 18:47:09
In a hurry, this was pushed to stable branch first. Please merge this to master.
os_regex unit tests
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/188]
Merged TimeStamp : 2014-04-23 14:47:17
Create TimeStamp : 2014-04-23 13:24:57
adding more unit tests for os_regex
P.S.: the regex extraction test is crashing for me, because os_regex is trying to modify the const input strings (https://github.com/ossec/ossec-hids/blob/master/src/os_regex/os_regex_execute.c#L72). I think I fixed this in my branch os_regex (https://github.com/cgzones/ossec-hids/tree/os_regex).
[tests] explicit enable branch coverage for new version of lcov
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/187]
Merged TimeStamp : 2014-04-23 10:59:16
Create TimeStamp : 2014-04-23 07:43:43
[os_xml] fix possible array underflows: see coverity
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/186]
Merged TimeStamp : 2014-04-23 10:57:52
Create TimeStamp : 2014-04-23 07:43:31
Avoid a crash of agentd on Solaris.
Submitted by : danpop60
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/185]
Merged TimeStamp : 2014-04-22 15:10:09
Create TimeStamp : 2014-04-22 11:06:40
Avoid a crash of agentd on Solaris. Replaced AF_UNIX by PF_UNIX in a couple of socket() calls.
Use the environment for the CC binary
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/180]
Merged TimeStamp : 2014-04-07 21:47:48
Create TimeStamp : 2014-04-06 03:26:18
See discussion at https://groups.google.com/forum/#!topic/ossec-list/FOTncDNnNk0
The ossec-lua addition included a regression on @cgzones changes for using clang correctly. This corrects that regression (as suggested by cgzones on the mailing list).
I think this should also be merged into stable for the 2.8 release as the ossec-lua introduced a regression into clang builds.
Please note travis will not pick up this type of error due to gcc still being installed.
Fixes to win32 installation
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/179]
Merged TimeStamp : 2014-04-06 16:32:56
Create TimeStamp : 2014-04-05 18:27:10
Added local_internal_options.conf to the installation process. This file will not be overwritten when an upgrade occurs so changes to how the agent runs can be made in this file and persist through upgrades. This fixes #169.
Also, some small fixes like removing whitespace and making the message box definitions in ossec-installer.nsi a bit more readable.
Fix windows agent compile error/warnings #define ENOBUFS, ALERT_SYSTEM_ERR
Submitted by : jbcheng
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/176]
Merged TimeStamp : 2014-04-04 23:45:27
Create TimeStamp : 2014-04-04 23:35:02
The errno.h in some versions of MinGW does not have ENOBUFS defined, causing the Travis CI windows_agent build to fail. This PR fixes that. Also, this PR gets rid of compile warnings regarding ALERT_SYSTEM_ERROR being redefined in rootcheck/rootcheck.h, which was also defined in /i686-w64-mingw32/include/winuser.h:4997
Moving ossec-lua back to posix so that we do not have a libreadline dep
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/175]
Merged TimeStamp : 2014-04-04 21:58:32
Create TimeStamp : 2014-04-04 02:17:42
os_xml refresh2
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/173]
Merged TimeStamp : 2014-04-12 02:50:25
Create TimeStamp : 2014-04-03 15:42:00
Changes:
* new make target for coverage report of testcases:
  cd src/
  make test
  cd tests/
  make generate_coverage
* xml error messages harmonized
* speedup when applying variables:
  - xml array only traversed once
  - names and contents of variables are not copied
* add some testcases:
  - multiple values per node (firstsecond)
  - space before attribute definition ()
  - comments with '!' and '-'
  - string overflow tests for xml nodes and variables
Added more Vista+-associated event IDs for existing rules
Submitted by : mstarks01
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/163]
Merged TimeStamp : 2014-03-31 22:58:22
Create TimeStamp : 2014-03-26 04:01:51
Added #include for errno.h in os_net.c
Submitted by : denied39
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/160]
Merged TimeStamp : 2014-04-02 01:28:53
Create TimeStamp : 2014-03-24 12:10:01
Added include for errno.h in src/os_net/os_net.c to remove Windows agent compile error.
Fixes to win32 (un)installation process
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/159]
Merged TimeStamp : 2014-04-03 01:36:26
Create TimeStamp : 2014-03-23 15:27:45
Updated the style of ossec-installer.nsi so it is easier to read.
Turned on Uninstallation details, same as is done for installation details.
Start to use SimpleSC plugin (Rainer Döpke) to handle the initial stopping of the OSSEC agent service. The hope is this plugin can later be used to handle all of the necessary service configuration that is required.
Added error checking around many of the (un)installation steps. There is plenty of room for more error checking but hopefully this covers some of the major problem areas.
Added logic to create the ossec.log on every installation.
Fixed cleaning up the bookmarks directory.
Start to use nsProcess plugin (Shengalts Aleksander aka Instructor) to detect if either manage_agents.exe or win32ui.exe are running during an uninstall. When they are running the uninstallation will fail to remove those files and thus fails to remove the ossec-agent directory.
Removing event ID 676
Submitted by : mstarks01
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/157]
Merged TimeStamp : 2014-03-26 01:06:22
Create TimeStamp : 2014-03-22 16:29:43
Since it is only on Windows 2000 and support for that OS has been deprecated.
Remove event ID 672
Submitted by : mstarks01
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/151]
Merged TimeStamp : 2014-03-20 01:08:40
Create TimeStamp : 2014-03-20 00:35:53
Event 672 is related to the granting of Kerberos tickets. It is extraneous due to other authentication events for the same action being logged, and causes the number of logon failures to appear higher than they really are. From Microsoft:
Does not contain any additional information if audit details from logon events 528 and 540 are already being collected. This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673.
Added option to ossec.conf (additional email header)
Submitted by : dopefish
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/150]
Merged TimeStamp : 2014-03-20 12:05:06
Create TimeStamp : 2014-03-19 19:34:37
This feature adds an additional option to the ossec_config/global config block in ossec.conf called <email_idsname>. The value of this field gets added to the email headers as "X-IDS-OSSEC: $value" to make sorting of emails from different ossec servers easier (e.g. development and production servers). install.sh uses the $HOST variable as the default value for the field when creating an ossec.conf.
Example:
<ossec_config>
<global>
<email_idsname>development</email_idsname>
</global>
</ossec_config>
Fix make.sh files for win32
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/145]
Merged TimeStamp : 2014-03-17 22:56:10
Create TimeStamp : 2014-03-17 22:00:14
Added the shebang. Also used 'set -e' to exit the scripts upon getting an error from any of the commands being run. That is to say, if there is an issue compiling anything for any reason, stop there and continue no further.
Previously, it would just continue on until something would look for the executables that weren't there and exit. Usually after makensis.
This makes it a lot clearer on where things went wrong and you don't have to trudge through a lot of output to find compile issues.
Continue removing the bro-ids stuff
Submitted by : ddpbsd
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/144]
Merged TimeStamp : 2014-03-17 19:31:15
Create TimeStamp : 2014-03-17 17:04:29
os_xml review
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/142]
Merged TimeStamp : 2014-03-20 17:16:06
Create TimeStamp : 2014-03-15 10:39:09
Changes:
* remove global XML_VAR compile directive
* restructure header structure (os_xml.h + os_xml_writer.h -> os_xml.h (for external includes) + os_xml_internal.h (for internal macros))
* always ensure valid OS_XML state so OS_ClearXML() never encounters a null pointer or memory leak
* remove unused function _checkmemory()
* clean up memory in failure branches
* fix a bunch of compiler warnings
* add test cases
Unittest os regex
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/139]
Merged TimeStamp : 2014-03-13 20:44:40
Create TimeStamp : 2014-03-12 15:55:25
Basic import of os_regex/example/tests into check unit test setup start by @cgzones. This will test OS_Match2 and OS_Regex
Fix compile warnings with win32
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/136]
Merged TimeStamp : 2014-03-11 20:54:47
Create TimeStamp : 2014-03-10 18:52:47
The buffer variable in InstallService() was not ever used.
The other warning was about windows.h being included before winsock2.h
Remove win32 service start and stop executables
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/134]
Merged TimeStamp : 2014-03-11 00:43:13
Create TimeStamp : 2014-03-10 13:27:01
These seem pretty useless to me. They also aren't used in the code anywhere. There are plenty of other tools available to start/stop the OSSEC services. Probably best to get rid of these.
os_zlib update
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/133]
Merged TimeStamp : 2014-03-10 20:53:02
Create TimeStamp : 2014-03-10 13:20:58
updating zlib to 1.2.8
adding some documentation
adding some unit tests for wrapper functions
enable full clang support and remove gcc dependencies
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/132]
Merged TimeStamp : 2014-03-10 20:44:21
Create TimeStamp : 2014-03-10 11:22:19
This pull request changes two things:
The complete ossec code can now be compiled with clang. Therefore the external openssl was changed according to http://www.andric.com/freebsd/clang/clang-bootstrap-r210374-1.txt. You can verify the unchanged crypto results by using the test binaries, e.g. by:
cd src/
make all
cd os_crypto/md5/
make main
echo "next line should be 'MD5Sum for \"test\" is: 098f6bcd4621d373cade4e832627b4f6'"
./main str test
cd ../sha1/
make main
echo "next line should be 'SHA1Sum for \"main.c\" is: 4b35e3f3e19d9861db9eeb7827f8bdf46fe4b89c'"
./main main.c
The install and make scripts no longer search for and set gcc as the default compiler. Instead ossec relies on either a properly set "CC" environment variable or on a reachable "cc" binary. So on Debian/Red Hat based systems cc is a symlink to gcc, and on FreeBSD based systems to clang. If you want to use a different compiler (e.g. clang on Debian) you can set the CC environment variable before running the install script (export CC=/path/to/clang) or use the make target setclang (which sets the CC environment variable to clang).
Added error checking to ossec.conf installation
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/131]
Merged TimeStamp : 2014-03-10 02:10:52
Create TimeStamp : 2014-03-10 01:54:58
Show details during win32 installation
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/130]
Merged TimeStamp : 2014-03-10 02:01:17
Create TimeStamp : 2014-03-10 01:46:57
When doing a win32 installation the details are hidden and only shown very briefly. In some cases when doing an Exec on some of the OSSEC command line tools it will spawn a cmd.exe that only appears for a second. Some of the details those processes do are logged in the ossec.log but it would be nice if they were also displayed in the details window and those details can be reviewed.
Changed all Exec's to use ExecToLog so their details show up in the installer details section.
Configured the details to be displayed by default and to not skip past the details page automatically when the installation is completed.
This also has the added benefit of not popping up cmd.exe windows when an installation takes place.
Fixes to win32 services
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/129]
Merged TimeStamp : 2014-03-10 02:10:06
Create TimeStamp : 2014-03-09 23:40:02
There were quite a few issues with the win32 service code that this corrects. The first is that some of the comments in the code needed to be updated. Looks like code was copied and reused but the comments were not updated to reflect what the reused code was doing.
There was the potential in InstallService() where not all the service handles would be closed if errors were hit at certain spots.
Before installing a new service the old service was not uninstalled. This is desirable in the case where the new service has different options or points to a different path location, for example. In some cases it might be bad where some type of user change was made but that is difficult to account for. I leaned toward cleaning up the old so that the new service can be installed fresh.
This also causes an error when the service goes to install because the service already exists. This would actually happen each time the OSSEC installer was run but due to some incorrect logging statements (which I'll explain below) a blank line would appear.
When doing an uninstall of a service the service wasn't stopped prior to the uninstallation. This would leave the service running until the service was stopped or the computer rebooted, at which point the service would disappear. It is better to stop the service before uninstalling. I'd imagine that is what the user would expect to happen during such an operation.
The logging in this code was not done correctly. Namely, the call to merror() in the InstallService() function after the "install_error" label was completely wrong and would result in a nearly blank line in the logs. There were also reports of times where a user would install the agent on a win32 machine and everything would work except the service would never register. Fixing all of the logging to use verbose() should hopefully lead to better troubleshooting of errors like that in the future.
Added /? as a parameter to ossec-agent on win32
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/128]
Merged TimeStamp : 2014-03-09 18:26:19
Create TimeStamp : 2014-03-09 17:55:41
Added /? as a help parameter. This is a pretty standard way of getting help information from other command line executables on Windows.
Update manage_keys.c
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/127]
Merged TimeStamp : 2014-03-10 01:57:42
Create TimeStamp : 2014-03-09 16:52:02
Log the cacls command about to be run.
Use file command in ossec-installer.nsi
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/126]
Merged TimeStamp : 2014-03-10 02:01:52
Create TimeStamp : 2014-03-09 15:56:51
Use the full ability of the File command. Before, when upgrading and doing a Rename afterwards without the /Reboot command, most of those commands would "fail silently", which is the best way I can describe it. It would just leave these files in the main ossec-agent directory, never really upgrading parts of the system. Using the File command has the added benefit of complaining if a file is in use during the installation. For example, have the win32ui.exe open and try to run a new installation. It should complain that the file is inaccessible until the application is closed. Previously, this would just leave os_win32.exe in the ossec-agent directory and never successfully upgrade the executable.
Fixes to ossec-installer.nsi
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/125]
Merged TimeStamp : 2014-03-10 02:08:11
Create TimeStamp : 2014-03-09 15:49:08
Explicitly set SetOverwrite to on. This is the default but for clarity it is good to show exactly what action we are hoping to take with these files.
SetDateSave off in ossec-installer.nsi
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/124]
Merged TimeStamp : 2014-03-10 02:06:02
Create TimeStamp : 2014-03-09 15:46:10
Turned SetDateSave to off. Reference http://nsis.sourceforge.net/Reference/SetDateSave for more information on what this does. While keeping the original DateModified times has some advantages I think not having NSIS overwrite the new DateModified times with the originals is much better. It lets the user see when a file was actually modified.
Grandstream ATA decoder
Submitted by : mstarks01
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/123]
Merged TimeStamp : 2014-03-09 15:47:37
Create TimeStamp : 2014-03-09 15:43:42
A simple script to calculate OSSEC events-per-second
Submitted by : mstarks01
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/122]
Merged TimeStamp : 2014-03-09 02:51:36
Create TimeStamp : 2014-03-09 02:19:46
removing deploy from travis-ci
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/121]
Merged TimeStamp : 2014-03-10 03:35:26
Create TimeStamp : 2014-03-08 19:27:09
Deploy with travis does not make sense for us and fails a lot more often than it should.
ossec-lua lua interpreter
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/120]
Merged TimeStamp : 2014-03-17 14:49:20
Create TimeStamp : 2014-03-08 18:55:18
This adds a Lua interpreter to the ossec agent and master install. This is the smallest change allowing Lua to become the de facto script language for ossec.
There are many reasons for Lua support to be added to ossec:
* Lua runs any place ossec does and maybe even more
* Constant interface for more advanced active response scripts on agents and manager
* Constant set of libraries and tools for adding utils and interfaces.
* Easy integration into C
* Bloody fast
* Simple
Once having ossec-lua we can start adding utils to the standard install without having to perform C everyplace. Here are some areas that I see:
* Active response scripts
* check perm script
* move reporting from C to Lua so anyone can make changes
* Templating using Lua for formatting emails.
I have gotten ossec-lua to compile on windows using mingw and will create a second pull request to make that complete.
This will also need documentation updates.
Fixing route-null active response on Windows
Submitted by : mstarks01
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/119]
Merged TimeStamp : 2014-03-08 18:01:10
Create TimeStamp : 2014-03-08 17:59:21
It was just plain... broken.
Remove ui.nsi
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/118]
Merged TimeStamp : 2014-03-08 17:40:55
Create TimeStamp : 2014-03-08 17:22:57
I can't seem to figure out what purpose the ui.nsi file serves if any. In my tests on Windows 2008R2 not making it and even having it present seem to make no difference in the agent functionality. The win32ui still gets installed and everything about it still seems to work.
Getting rid of it seems like a good idea to me at this point.
If anyone can tell me if this does get used for anything and what that anything is it would be much appreciated. Further testing always welcome.
Fixes to ossec-installer.nsi
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/117]
Merged TimeStamp : 2014-03-08 16:42:54
Create TimeStamp : 2014-03-08 16:15:25
Move the logic that determines whether the ossec.conf should be replaced/renamed out of the C code and into NSIS. The NSIS stuff is built for installing things. No need to write a bunch of C code to do something that there is already a system for. Going to try and move as much out of C and into NSIS to help cut down on the amount of code that needs to be maintained for no real reason.
Fixes to ossec-installer.nsi
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/116]
Merged TimeStamp : 2014-03-08 16:07:10
Create TimeStamp : 2014-03-08 15:57:44
Instead of using a relative jumpto use the NoAbort label for clarity.
add eventchannel (again) with proper build
Submitted by : gaelmuller
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/115]
Merged TimeStamp : 2014-03-07 21:58:30
Create TimeStamp : 2014-03-07 15:38:06
Restore eventchannel support, with proper build. Only mingw-w64 can be used.
remove unused source code files
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/114]
Merged TimeStamp : 2014-03-07 21:55:01
Create TimeStamp : 2014-03-06 18:23:07
os_err.h is located in src/headers and sysinfo is never ever used
Remove local file additions in setup-win.c
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/113]
Merged TimeStamp : 2014-03-06 17:08:36
Create TimeStamp : 2014-03-06 16:00:51
In my opinion adding these should be a user decision and shouldn't get done by default.
Fix win32 ARGV0 names
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/111]
Merged TimeStamp : 2014-03-07 21:53:35
Create TimeStamp : 2014-03-06 03:19:14
The ARGV0 names of manage-agents and the win32ui needed more clarity. Using 'ossec-agent' doesn't really make sense. This will help in figuring out what is doing what in the log file, for example, a little easier.
simplify cJSON makefile
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/110]
Merged TimeStamp : 2014-03-05 12:53:48
Create TimeStamp : 2014-03-05 11:17:29
fix clang -Wall warnings
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/109]
Merged TimeStamp : 2014-03-05 12:58:41
Create TimeStamp : 2014-03-05 11:17:21
enable geoip in travis build
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/108]
Merged TimeStamp : 2014-03-07 21:57:20
Create TimeStamp : 2014-03-05 11:17:12
Make manage_agents.exe work on win32
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/107]
Merged TimeStamp : 2014-03-08 16:14:47
Create TimeStamp : 2014-03-04 21:47:36
The manage_agents.exe would never change into the proper ossec-agents directory. There is now some logic added to attempt to chdir() into the right directory when it starts but it is not foolproof.
Also, corrected the permissions on the client.keys file. They were not being set properly after the file was written out leaving it readable to any system user.
Remove os_auth from win-files.txt
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/106]
Merged TimeStamp : 2014-03-07 21:50:49
Create TimeStamp : 2014-03-04 19:19:58
After commit 75a91043 the os_auth daemon no longer gets made during builds on NIX based systems so copying over the files is no longer necessary.
Adding a new sshd rule for bad packet lengths
Submitted by : joshgarnett
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/105]
Merged TimeStamp : 2014-03-04 14:38:51
Create TimeStamp : 2014-03-04 14:13:11
Nothing fancy, just a new rule for an sshd message I encountered recently. Unit test created also.
Fix win32ui messages
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/104]
Merged TimeStamp : 2014-03-05 02:07:23
Create TimeStamp : 2014-03-03 21:54:03
These messages were a little all over the place with their style and what they were saying. This is my attempt at cleaning them up a bit so they are a little more clear and cleaner in their presentation.
Free install_date pointer
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/103]
Merged TimeStamp : 2014-03-07 22:00:56
Create TimeStamp : 2014-03-03 21:49:45
I could be wrong about this being necessary but nothing bad happened when I added it and ran my tests.
Remove debug messages in src/win32/ui/common.c
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/102]
Merged TimeStamp : 2014-03-08 16:17:34
Create TimeStamp : 2014-03-03 21:46:31
These debug messages aren't particularly helpful and there isn't any easy way to even put the win32ui into debug mode that I have found so I feel they should be removed.
Fix permissions and privilege detection
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/100]
Merged TimeStamp : 2014-03-07 21:48:03
Create TimeStamp : 2014-03-03 21:39:10
When using the win32ui to change the server IP or import the authentication key the permissions on ossec.conf and client.keys were not set correctly resulting in any system user being able to read the contents of these files.
This brought on some additional problems where the win32ui was unable to properly detect if it was running with Administrative privileges. The previous logic would attempt to read/write a .test file in the OSSEC directory but thanks to a mixture of UAC redirection, an unsigned binary and not requiring Administrative privileges these tests would always pass. That means the win32ui would be able to run without Administrative privileges.
This solution still isn't the best. It would be better if proper win32 APIs were used to set permissions and determine if the win32ui was started with the proper privileges. This is just an interim solution to get something out the door.
Fix win32 setup log message
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/99]
Merged TimeStamp : 2014-03-05 02:02:30
Create TimeStamp : 2014-03-03 21:20:55
When installing the win32 agent it does a call to checkVista() which logs a message. The problem is no name is set so (null) is placed where the executable name should be. This sets the name so that the executable name is displayed instead of (null).
Add install date to win32ui
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/98]
Merged TimeStamp : 2014-03-07 21:52:47
Create TimeStamp : 2014-03-03 21:12:32
This adds the install date to the lower right status area in the win32ui. It also gets rid of the sizegrip that was getting added by the status data area. It gave the impression that the window could be resized which it can't. It also took up space in the status area.
Add better version handling to win32ui
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/97]
Merged TimeStamp : 2014-03-07 21:43:54
Create TimeStamp : 2014-03-03 20:58:42
The delimiter of just '-' (no spaces) was not as strict as it could be making adding things like releases to the version file, 2.7.1-1 for example not possible. This makes the delimiter " - " (with spaces) which allows for that type of flexibility.
Remove annoying win32ui dialog box
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/96]
Merged TimeStamp : 2014-03-08 17:46:27
Create TimeStamp : 2014-03-03 20:51:20
If you close the win32ui while the win32ui is running with Administrative privileges, everything to run the win32 agent is configured, and the Agent service is not running, a dialog box will pop up informing the user the service is not running and ask them if they would like to start it.
This to me is an annoyance more than anything. It is likely the user went into the win32ui to stop the service to begin with and knows it is stopped.
If anyone has any strong opinions on keeping this I'm all ears.
Add to .gitignore
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/95]
Merged TimeStamp : 2014-03-04 14:39:32
Create TimeStamp : 2014-03-03 20:43:44
Added temporary vim files and left over files from patches being run.
Fix win32 OS detection
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/94]
Merged TimeStamp : 2014-03-07 21:42:41
Create TimeStamp : 2014-03-03 20:40:48
This starts to add support for 2012. Change the log message to be more flexible with what it spits back out to the user after the checkVista() function is run.
Although this helps with 2012 detection it is not perfect. With the addition of Windows 8.1/2012 R2 the documentation provided by Microsoft indicates that the GetVersionEx APIs have been deprecated. This means that if you are on an 8.1 machine and run GetVersionEx it will return the Windows 8 version (6.2.0.0). In order to get the correct version you must target your application for Windows 8.1.
I am just trying to fix installations on 2012 and 2012 R2 so this code works well enough for now but should be revisited at some point so that it will work with future Windows versions.
For more details on how to target your application for Windows 8.1 read the following http://msdn.microsoft.com/en-us/library/windows/desktop/dn481241(v=vs.85).aspx.
Fix the client status exit code
Submitted by : pdrakeweb
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/93]
Merged TimeStamp : 2014-03-04 14:43:59
Create TimeStamp : 2014-03-03 20:09:25
Modify ossec-client.sh and ossec-hids-debian.init such that both ossec-control and service ossec commands will exit with the proper status code, based on the ossec client process status.
fix problem with umlaut in date string when pre-decoding the log message
Submitted by : ChristianBeer
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/92]
Merged TimeStamp : 2014-03-07 21:53:10
Create TimeStamp : 2014-03-03 16:47:55
Fix comment in win32/ui/common.c
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/87]
Merged TimeStamp : 2014-03-01 16:03:08
Create TimeStamp : 2014-03-01 15:49:17
OpenBSD deluser rule and remove bro-ids garbage
Submitted by : ddpbsd
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/86]
Merged TimeStamp : 2014-02-28 14:21:09
Create TimeStamp : 2014-02-28 12:55:16
The bro-ids stuff is old, out of date, and never worked properly.
fix to segfault introduced by pull request #81
Submitted by : ChristianBeer
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/85]
Merged TimeStamp : 2014-02-26 18:59:09
Create TimeStamp : 2014-02-26 18:56:35
reported by Antonio Querubin on ossec-dev
I could reproduce the segfault with ossec-analysisd -t -d -d and fixed it
fix gcc wall warnings seen on travis
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/82]
Merged TimeStamp : 2014-02-25 13:10:37
Create TimeStamp : 2014-02-25 10:51:15
fix resource leaks in active-response.c
Submitted by : ChristianBeer
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/81]
Merged TimeStamp : 2014-02-25 13:11:50
Create TimeStamp : 2014-02-24 19:15:09
fixed resource leaks (found by cppcheck)
fixing gcc -Wall warnings
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/80]
Merged TimeStamp : 2014-02-24 15:20:04
Create TimeStamp : 2014-02-24 15:07:24
fix spelling preventing building geoip support
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/79]
Merged TimeStamp : 2014-02-24 15:06:42
Create TimeStamp : 2014-02-24 15:06:01
exit on error during making zlib or cJSON
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/78]
Merged TimeStamp : 2014-02-24 15:18:07
Create TimeStamp : 2014-02-24 15:05:09
fix cyclic header relationship mem_op.h <-> shared.h
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/77]
Merged TimeStamp : 2014-02-24 15:22:04
Create TimeStamp : 2014-02-24 15:04:13
rename global agent struct
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/76]
Merged TimeStamp : 2014-02-24 15:25:18
Create TimeStamp : 2014-02-24 15:03:21
rename global agent struct from logr to agt due to naming conflict with global remoted struct logr
rename syscheck config struct
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/75]
Merged TimeStamp : 2014-02-24 15:25:41
Create TimeStamp : 2014-02-24 15:02:06
rename syscheck config struct from config to syscheck_config due to naming conflict with struct config in zlib
remove unused declarations
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/74]
Merged TimeStamp : 2014-02-24 15:25:59
Create TimeStamp : 2014-02-24 15:00:49
fix missing breaks
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/73]
Merged TimeStamp : 2014-02-24 15:28:55
Create TimeStamp : 2014-02-24 15:00:00
surround binary expression with parenthesis
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/72]
Merged TimeStamp : 2014-02-24 15:29:18
Create TimeStamp : 2014-02-24 14:59:13
fix missing returns reported by eclipse
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/71]
Merged TimeStamp : 2014-02-24 15:29:50
Create TimeStamp : 2014-02-24 14:58:21
remove complete bin directory on make clean and ignore failure by removing non existent files
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/70]
Merged TimeStamp : 2014-02-24 14:58:31
Create TimeStamp : 2014-02-24 14:57:17
fix buffer overflow
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/69]
Merged TimeStamp : 2014-02-24 15:08:21
Create TimeStamp : 2014-02-24 14:56:18
ignore warning about assignment in condition
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/68]
Merged TimeStamp : 2014-02-25 13:11:13
Create TimeStamp : 2014-02-24 14:55:23
remove static cJSON library on make clean
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/67]
Merged TimeStamp : 2014-02-24 14:58:52
Create TimeStamp : 2014-02-24 14:54:13
fix spelling
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/66]
Merged TimeStamp : 2014-02-24 14:59:05
Create TimeStamp : 2014-02-24 14:53:12
ignore eclipse project files
Submitted by : cgzones
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/65]
Merged TimeStamp : 2014-02-24 14:58:01
Create TimeStamp : 2014-02-24 14:50:27
correct deploy to s3 so that we can test win32 agents.
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/61]
Merged TimeStamp : 2014-02-19 22:08:45
Create TimeStamp : 2014-02-19 19:58:04
Please accept this - travis does not deploy on pull request builds but I would like to download the generated win32 agents anyway.
Readme update
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/59]
Merged TimeStamp : 2014-02-19 17:21:36
Create TimeStamp : 2014-02-19 16:30:29
Make remoted.debug in internal_options.conf work
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/58]
Merged TimeStamp : 2014-02-19 16:32:12
Create TimeStamp : 2014-02-19 16:25:47
This should allow the user to specify a debug level for the remoted daemon using the remoted.debug option in the internal_options.conf. The debug level specified on the command line takes precedence.
removing hg files
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/57]
Merged TimeStamp : 2014-02-19 16:12:27
Create TimeStamp : 2014-02-19 16:06:27
Cherry-picking in @cgzones geoip clean
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/56]
Merged TimeStamp : 2014-02-19 15:29:13
Create TimeStamp : 2014-02-19 15:25:29
I have merged this but i have not tested it.
Merging in changes from @cgzones
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/55]
Merged TimeStamp : 2014-02-19 15:18:46
Create TimeStamp : 2014-02-19 15:18:01
Travis ci build windows and fix for setenv not being available on win32
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/53]
Merged TimeStamp : 2014-02-18 21:05:15
Create TimeStamp : 2014-02-18 20:54:58
Use cJSON instead of writing a custom JSON output format.
Submitted by : reyjrar
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/49]
Merged TimeStamp : 2014-02-18 18:01:52
Create TimeStamp : 2014-02-17 18:42:26
This addresses Issue#32. I have tested that this code builds and runs. I had to tweak the config for the ZeroMQ output stuff, so if @jrossi can sanity check, that would be ideal. I also added a .gitignore.
Disable /var/ossec/queue/diff/*state.$epoch files, they were not used.
Submitted by : reyjrar
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/45]
Merged TimeStamp : 2014-02-16 14:10:53
Create TimeStamp : 2014-02-15 12:58:54
This feature isn't being used and can lead to running out of inodes on server systems. Mickey removed the tracking of old diffs because we had no need for it.
Feature: activeresponse with filename
Submitted by : reyjrar
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/44]
Merged TimeStamp : 2014-02-17 15:44:44
Create TimeStamp : 2014-02-15 12:52:50
Will require an update to the documentation as the filename is appended to the argument list for AR events with filename attributes in the eventinfo struct. Includes a test for the os_shell_escape() function that's been added to string_op.c
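The PR above appends the event's filename to the active-response argument list and escapes it with os_shell_escape() before a shell script sees it. The following is an added example, not the project's os_shell_escape() or any other OSSEC code: it backslash-escapes an assumed set of POSIX shell metacharacters and then counts how many words an unquoted shell would split the raw and the escaped filename into, using a constructed hostile filename. The metacharacter list and the word-splitting rules are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a POSIX shell treats specially outside quotes (assumed set; the
 * project's own os_shell_escape() keeps its own list). */
static const char SHELL_META[] = "\"'`\\ \t\n;&|<>(){}[]$*?!#~";

/* Return a malloc'd copy of src with every metacharacter preceded by a
 * backslash, or NULL on allocation failure. Worst case doubles the length. */
char *shell_escape(const char *src)
{
    size_t len = strlen(src);
    char *out = malloc(2 * len + 1);
    if (out == NULL) return NULL;
    char *p = out;
    for (const char *s = src; *s != '\0'; s++) {
        if (strchr(SHELL_META, *s) != NULL) *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Count how many words an unquoted shell would split s into, honouring
 * backslash escapes and treating whitespace, ';', '&' and '|' as
 * separators. Only here to show the difference escaping makes. */
int count_shell_words(const char *s)
{
    int words = 0, in_word = 0;
    for (; *s != '\0'; s++) {
        if (*s == '\\' && s[1] != '\0') { s++; in_word = 1; continue; }
        if (strchr(" \t\n;&|", *s) != NULL) {
            if (in_word) { words++; in_word = 0; }
        } else {
            in_word = 1;
        }
    }
    if (in_word) words++;
    return words;
}

/* Constructed filename as syscheck might report it, carrying an injection attempt. */
static const char HOSTILE_FILENAME[] = "/etc/cron.d/job;rm -rf /";

int main(void)
{
    char *safe = shell_escape(HOSTILE_FILENAME);
    if (safe == NULL) return 1;
    printf("raw:     %s  (%d words)\n", HOSTILE_FILENAME, count_shell_words(HOSTILE_FILENAME));
    printf("escaped: %s  (%d words)\n", safe, count_shell_words(safe));
    free(safe);
    return 0;
}
```

Escaping is a mitigation for scripts that re-interpolate their arguments into another shell; the stronger fix is to pass the argument vector straight to execve() and to double-quote every positional parameter inside the active-response script.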
Adding some additional sshd rules
Submitted by : joshgarnett
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/43]
Merged TimeStamp : 2014-02-15 03:32:23
Create TimeStamp : 2014-02-14 15:06:05
Added some new sshd rules for 1002 errors I encountered in production.
eventchannel: fix bug with bookmarks
Submitted by : gaelmuller
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/40]
Merged TimeStamp : 2014-02-04 15:55:29
Create TimeStamp : 2014-02-04 13:45:31
Fixes a bug present in the eventchannel log_format when using bookmarks (only-future-events not set in config file), that results in events not being monitored, with the following error in the log:
Subscription error: 87
Output unformatted JSON and include the file path for syscheck alerts in ZeroMQ JSON output
Submitted by : justintime32
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/38]
Merged TimeStamp : 2014-02-03 18:27:50
Create TimeStamp : 2014-02-03 18:25:26
Unformatted JSON should be used rather than formatted JSON since it would typically be used by other programs and not read directly by users.
The file path should be included in syscheck alerts so a receiving program doesn't have to scrape it from the log message.
Removed keepalive message from win_agent.c when not in debug
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/35]
Merged TimeStamp : 2014-02-03 16:46:30
Create TimeStamp : 2014-02-03 15:46:35
Seems a bit excessive to have this message in the logs when not in any kind of debug mode. That is what I am observing on some of the windows agents we are running as of right now.
better install for eventchannel support (now only 1 installer)
Submitted by : gaelmuller
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/34]
Merged TimeStamp : 2014-02-03 20:48:37
Create TimeStamp : 2014-02-03 10:41:37
This follows this commit: ossec/ossec-hids@75a91043c3d64cd2a7e5dcbb077755bf2aa85760
This commit modifies the build process of the Windows installer in order to have only one installer handle two cases:
* Deploy ossec-agent-eventchannel.exe on Vista or greater
* Deploy ossec-agent.exe otherwise
The installer packages the two executables and checks Windows version at runtime in order to decide which version of "ossec-agent.exe" should be used.
Fix debug level message used by NIX daemons to be more clear
Submitted by : awiddersheim
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/33]
Merged TimeStamp : 2014-02-02 14:44:14
Create TimeStamp : 2014-02-02 14:16:06
add eventchannel support for ossec agent on windows vista or greater
Submitted by : gaelmuller
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/28]
Merged TimeStamp : 2014-01-31 20:49:36
Create TimeStamp : 2014-01-30 15:49:35
This pull request adds a new feature to the windows agent, to be able to monitor "Application and Services Logs" that appeared with Windows Vista. This is not currently possible (OSSEC will read the "Applications" eventlog instead).
Previous discussions on this topic:
* https://groups.google.com/forum/#!searchin/ossec-list/eventlog/ossec-list/9AhapIAjMOk/SFRzG38XAQ4J
* https://groups.google.com/forum/#!msg/ossec-list/C9jmVkAmiRg/3zj0Fwv_EJ
For example, we can now monitor the "Microsoft-Windows-PrintService/Operational" eventlog with this config:
<localfile>
<location>Microsoft-Windows-PrintService/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
By default, OSSEC will keep track of where it was before stopping, which means that it will read (at start time) all events that occurred between stop and start in order not to miss any event. However, you can cancel this behaviour with the "only-future-events" parameter:
<localfile>
<location>Microsoft-Windows-PrintService/Operational</location>
<log_format>eventchannel</log_format>
<only-future-events>yes</only-future-events>
</localfile>
You can also use an XPath query if you are not interested in all the events (see the event schema to construct queries: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201%28v=vs.85%29.aspx):
<localfile>
<location>System</location>
<log_format>eventchannel</log_format>
<only-future-events>yes</only-future-events>
<query>Event/System[EventID=7040]</query>
</localfile>
With this config, OSSEC will only receive events from the "System" eventlog that have an event ID equal to 7040.
A few things to note:
* When changing the configuration, you should delete saved bookmarks (in the "bookmarks" directory) if you want to avoid unwanted behaviour (getting too much eventlog history on start).
* This relies on relatively new APIs available on Windows Vista or greater. This has two implications:
  * We cannot use mingw32 to compile anymore, because it is missing these APIs. That is why this PR uses mingw-w64 (which explains a few changes in this PR not related to the added feature).
  * We now have to generate two distinct installers: "ossec-win32-agent.exe" and "ossec-win32-agent-with-eventchannel.exe" because the new one cannot be used on systems older than Vista. We could have only one if we dropped compatibility with older systems (such as Windows XP). This is obviously not wanted at this time.
Note: replaces PR 27 (contained too many commits for an unknown reason ...)
Validate if a file is readable text when report_changes is set
Submitted by : northox
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/25]
Merged TimeStamp : 2014-01-30 14:38:15
Create TimeStamp : 2014-01-30 03:51:45
Syscheckd will save (in /queue/diff/) any file with report_changes option, e.g. /chroot/dev/urandom (yes it really happened to me), iso, mp3. This patch integrates libmagic to validate mime type. Only mime type beginning with 'text/', e.g. text/html, text/plain, will be copied and reported by diff.
This should pave the way for binary diff. ;)
Reviewers: I'm not quite sure about the build process (e.g. MEXTRA, MAGICCMD) so please advise.
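The PR above uses libmagic to accept only files whose MIME type starts with "text/" before syscheckd stores a copy for report_changes. As an added example, and not the project's code or libmagic itself, the block below implements the same gate with a plain heuristic (no NUL bytes, few stray control bytes) for builds where libmagic is not linked, and sniffs only the head of the file the way file(1) does. The sample buffers are constructed for the demo; the 4 KiB sniff size and the control-byte tolerance are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define SNIFF_BYTES 4096   /* assumed: how much of the file head to inspect */

/* Constructed samples: a config file, UTF-8 text, and an ELF header. */
static const unsigned char SAMPLE_CONFIG[] = "# sshd_config (constructed)\nPermitRootLogin no\n";
static const unsigned char SAMPLE_UTF8[]   = "caf\xc3\xa9 d\xc3\xa9j\xc3\xa0 vu\n";
static const unsigned char SAMPLE_ELF[]    = "\x7f" "ELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00";

/* Heuristic stand-in for libmagic's text/* check (not libmagic): text may
 * contain no NUL byte and only a small share of other control bytes.
 * Bytes >= 0x80 are accepted so UTF-8 and Latin-1 still pass.
 * Returns 1 for text, 0 for binary; an empty buffer counts as text. */
int looks_like_text(const unsigned char *buf, size_t len)
{
    size_t odd = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == 0x00) return 0;                       /* NUL never appears in text */
        if (c == 0x7f || (c < 0x20 && c != '\n' && c != '\r' &&
                          c != '\t' && c != '\f' && c != 0x1b))
            odd++;                                     /* ESC kept for ANSI logs */
    }
    return odd * 32 <= len;   /* tolerate roughly 3% stray control bytes */
}

/* Sniff the head of an open file and rewind it so the caller can still
 * copy it into queue/diff. Returns 1 (text), 0 (binary) or -1 on I/O error. */
int file_is_text(FILE *fp)
{
    unsigned char head[SNIFF_BYTES];
    size_t n = fread(head, 1, sizeof head, fp);
    if (n == 0 && ferror(fp)) return -1;
    if (fseek(fp, 0L, SEEK_SET) != 0) return -1;
    return looks_like_text(head, n);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("config sample: %d, utf8 sample: %d, elf sample: %d\n",
               looks_like_text(SAMPLE_CONFIG, sizeof SAMPLE_CONFIG - 1),
               looks_like_text(SAMPLE_UTF8, sizeof SAMPLE_UTF8 - 1),
               looks_like_text(SAMPLE_ELF, sizeof SAMPLE_ELF - 1));
        return 0;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (fp == NULL) { perror(argv[1]); return 1; }
    int verdict = file_is_text(fp);
    fclose(fp);
    printf("%s: %s\n", argv[1], verdict == 1 ? "text, keep for diff"
                               : verdict == 0 ? "binary, skip" : "read error");
    return verdict < 0;
}
```

The heuristic deliberately errs toward "binary" on NUL bytes, which is what stops device nodes and media files from filling queue/diff; libmagic gives finer answers (text/html versus application/octet-stream) but the decision the daemon needs is only this yes/no.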
HandleClient should try to open the m_queue in WRITE mode instead of READ
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/21]
Merged TimeStamp : 2014-02-07 16:21:16
Create TimeStamp : 2014-01-29 15:15:54
HandleClient does not ever exit after ossec is stopped or restarted because the call to StartMQ on line 146 is for READ mode instead of WRITE. When changed to WRITE, the StartMQ call fails and ossec-remoted exits.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/27/handleclient-should-try-to-open-the/diff
Labrown remoted child pid
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/20]
Merged TimeStamp : 2014-02-07 16:20:45
Create TimeStamp : 2014-01-29 15:05:53
This patch adds creation of PID files for ossec-remoted children so they get properly killed when the ossec service is stopped or restarted.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/28/create-pid-files-for-ossec-remoted/diff
Make analysisd.debug in internal_options.conf work
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/18]
Merged TimeStamp : 2014-02-02 02:50:27
Create TimeStamp : 2014-01-29 14:48:32
This should allow the user to specify a debug level for the analysisd daemon using the analysisd.debug option in the internal_options.conf. The debug level specified on the command line takes precedence.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/38/make-analysisddebug-in/diff
Fix timeout comment in receiver-win.c
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/17]
Merged TimeStamp : 2014-02-04 16:01:47
Create TimeStamp : 2014-01-29 14:36:49
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/30/fix-timeout-comment-in-receiver-winc/diff
Allow NIX agent to use "-f" option and run in foreground
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/16]
Merged TimeStamp : 2014-02-13 06:47:00
Create TimeStamp : 2014-01-29 14:32:30
While this works I'm not sure I fully understand how it affects this code when the agent is actually run in the foreground:
srandom( time(0) + getpid()+ pid + getppid());
My guess is this is why the foreground option was never implemented for this daemon in the first place. Seems like the random stuff is only used with keep_alive messages and might not be that big of a deal but I'd appreciate someone double checking.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/35/allow-nix-agent-to-use-f-option-and-run-in/diff
Make syscheck.debug in internal_options.conf work
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/14]
Merged TimeStamp : 2014-02-02 03:02:44
Create TimeStamp : 2014-01-29 14:02:07
This should allow the user to specify a debug level for the syscheck daemon on NIX machines using the syscheck.debug option in the internal_options.conf. The debug level specified on the command line takes precedence. Also, added starting up messages to match what some of the daemons do.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/34/make-syscheckdebug-in-internal_optionsconf/diff
Awiddersheim fix ossec agent debug internal option nix
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/13]
Merged TimeStamp : 2014-02-02 02:53:43
Create TimeStamp : 2014-01-29 13:51:34
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/31/fixed-agentdebug-option-in/diff
Made the command line debug level take precedence over what is specified in internal_options.conf.
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/12]
Merged TimeStamp : 2014-01-30 14:19:42
Create TimeStamp : 2014-01-29 13:43:00
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/33/fixed-logcollectordebug-option-in/diff
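Several PRs in this release (remoted.debug, analysisd.debug, syscheck.debug, the agent and logcollector debug options) share one rule: read the daemon's debug level from internal_options.conf, but let a debug level given on the command line take precedence. The block below is an added example of that resolution order, written here and not taken from the project's option parser. It assumes the file's one "key=value" per line layout with '#' comments; the sample file contents and the "-d" counting in main() are constructed for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed internal_options.conf excerpt; the values are made up. */
static const char SAMPLE_CONF[] =
    "# Debug levels: 0 = off, higher = more verbose (constructed sample)\n"
    "analysisd.debug=0\n"
    "remoted.debug=2\n"
    "  syscheck.debug=1\n"
    "agent.debug=notanumber\n";

/* Look up key in conf (one "key=value" per line, '#' starts a comment).
 * Returns the non-negative integer value, or -1 when the key is missing
 * or its value is not a plain integer. */
int lookup_int_option(const char *conf, const char *key)
{
    size_t klen = strlen(key);
    const char *line = conf;
    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *p = line;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p < end && *p != '#' && (size_t)(end - p) > klen &&
            strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            char *stop;
            long v = strtol(val, &stop, 10);
            if (stop == val) return -1;              /* no digits at all */
            while (stop < end && isspace((unsigned char)*stop)) stop++;
            if (stop != end || v < 0) return -1;     /* trailing junk or negative */
            return (int)v;
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Resolve the level the way the fixed daemons do: an explicit command-line
 * -d count wins, otherwise the file value, otherwise 0 (no debug). */
int effective_debug_level(int cli_debug, const char *conf, const char *key)
{
    if (cli_debug > 0) return cli_debug;
    int from_file = lookup_int_option(conf, key);
    return from_file < 0 ? 0 : from_file;
}

int main(int argc, char **argv)
{
    /* Emulate the daemons' "-d" handling: each -d raises the level by one. */
    int cli_debug = 0;
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "-d") == 0) cli_debug++;
    printf("remoted debug level: %d\n",
           effective_debug_level(cli_debug, SAMPLE_CONF, "remoted.debug"));
    return 0;
}
```

Run it with no arguments to see the file value (2) win, and with -d to see the command line override it; a malformed or absent key falls back to 0 rather than to whatever strtol() happened to return.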
Fix the removal of start menu shortcuts for windows agent
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/11]
Merged TimeStamp : 2014-02-13 06:42:14
Create TimeStamp : 2014-01-29 13:37:48
Refer to http://nsis.sourceforge.net/Shortcuts_removal_fails_on_Windows_Vista. This fixes issues on machines that run Vista or newer.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/24/fix-the-removal-of-start-menu-shortcuts/diff
Add TimeGenerated to the output of Windows Event Logs
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/9]
Merged TimeStamp : 2014-02-07 16:23:50
Create TimeStamp : 2014-01-29 05:14:31
Updated read_win_el.c to include TimeGenerated from an EVENTLOGRECORD formatted into a human readable format for better logging. Also updated the decoder to handle this change.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/23/add-timegenerated-to-the-output-of-windows/diff
Add remove agent cmd line option to manage_agents
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/8]
Merged TimeStamp : 2014-02-07 17:27:43
Create TimeStamp : 2014-01-29 05:09:29
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/22/add-remove-agent-cmd-line-option-to/diff
Fix potential infinite loop when adding new agent using file input
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/7]
Merged TimeStamp : 2014-02-07 17:26:50
Create TimeStamp : 2014-01-29 05:03:04
When adding a new agent using the -f option provided by manage_agents there is a possibility that it loops infinitely if you have used up all of the potential IDs. It will say that the ID needs to be unique since the last ID checked is already in use. This commit adds a new message stating the problem and prevents the infinite loop. It also increases the amount of IDs manage_agents will look at when adding new agents both in the interactive mode and when using the -f option.
Original pull request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/21/fix-potential-infinite-loop-when-adding
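The infinite loop described above comes from searching for a free ID without an upper bound on the search. As an added example, not the project's manage_agents code, the block below allocates the next agent ID with a bounded scan that reports exhaustion instead of cycling. The list of used IDs is constructed; the 9999 ceiling and the three-digit zero-padded rendering are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AGENT_ID_MAX 9999   /* assumed upper bound on numeric agent IDs */

/* Constructed list of IDs already present in client.keys. */
static const int USED_IDS[] = {1, 2, 3, 5};
#define USED_COUNT (sizeof USED_IDS / sizeof USED_IDS[0])

/* Lowest ID in [lo, hi] not present in used[], or -1 once the range is
 * exhausted. The scan is bounded by the range, so it always terminates
 * rather than re-checking the same taken ID forever. */
int next_free_agent_id(const int *used, size_t n_used, int lo, int hi)
{
    static unsigned char taken[AGENT_ID_MAX + 1];
    if (lo < 1 || hi > AGENT_ID_MAX || lo > hi) return -1;
    memset(taken, 0, sizeof taken);
    for (size_t i = 0; i < n_used; i++)
        if (used[i] >= lo && used[i] <= hi) taken[used[i]] = 1;
    for (int id = lo; id <= hi; id++)
        if (!taken[id]) return id;
    return -1;
}

/* Render an ID zero-padded to at least three digits ("004"), the form
 * manage_agents prints. Returns a static buffer, or NULL if id is invalid. */
const char *agent_id_string(int id)
{
    static char buf[16];
    if (id < 1 || id > AGENT_ID_MAX) return NULL;
    snprintf(buf, sizeof buf, "%03d", id);
    return buf;
}

int main(void)
{
    int id = next_free_agent_id(USED_IDS, USED_COUNT, 1, AGENT_ID_MAX);
    if (id < 0) {
        fprintf(stderr, "No free agent IDs left in range\n");
        return 1;
    }
    printf("next free agent ID: %s\n", agent_id_string(id));
    return 0;
}
```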
agent_config profiles for windows
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/6]
Merged TimeStamp : 2014-01-30 14:15:37
Create TimeStamp : 2014-01-29 04:46:18
Current version of OSSEC's windows agent ignores every <agent_config> in its configuration. This PR corrects this bug so that config profiles also work on windows.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/20/agent_config-profiles-for-windows/diff
fix openssl operations on non blocking socket
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/4]
Merged TimeStamp : 2014-01-31 21:14:22
Create TimeStamp : 2014-01-29 04:38:37
I was having problems with ossec-authd (SSL Accept error + SSL Read error). This was due to incorrect error handling for these two operations in the context of non blocking sockets (which is the case for the ossec-authd server).
I don't know why I seem to be the only one to experience this issue (maybe my LAN is particularly slow ... :/) The diff contains a lot of noise because I removed an if/else construct, and then reindented a big block of code.
Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/26/fix-openssl-operations-on-non-blocking/diff
@gaelmuller
ZeroMQ Json Output
Submitted by : jrossi
Full Pull Request : [https://github.com/ossec/ossec-hids/pull/2]
Merged TimeStamp : 2014-02-01 01:06:37
Create TimeStamp : 2014-01-25 18:33:56
This is a complete patch that will allow the outputing of all alerts to a zeromq PUB socket in JSON format.
New Config:
<ossec>
<global>
<zeromq_output>yes|no</zeromq_output>
<zeromq_uri>tcp://localhost:11111</zeromq_uri>
</global>
</ossec>
Some things had to change to allow this to work, based on the preprocessor defines:
* WINDOWS was redefined by OSSEC and is used by GCC; changed the define to DECODER_WINDOWS
* __name was redefined by OSSEC and is used by GCC; changed the define to be _ossecname