What’s new


Released November 5, 2015:


This is a bug fix release.

  • Fix eventchannel support for Windows agents.
  • Fix hybrid mode.

Checksum for ossec-hids-2.8.3.tar.gz: ossec-hids-2.8.3.tar.gz.sha256

Checksum for ossec-agent-win32-2.8.3.exe: ossec-agent-win32-2.8.3.exe.sha256

SHA256 (ossec-agent-win32-2.8.3.exe) = 82c143613c4538101b64ccb6deec8cdf6f88e59a9cc45585c1a81bce8d78f015
SHA256 (ossec-hids-2.8.3.tar.gz) = 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd
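The checksums above are published in BSD digest form, "SHA256 (file) = hash", which GNU coreutils `sha256sum -c` will not read as-is (it expects "hash  file" lines). The following shell function is an added example, not part of the OSSEC release notes or the project's own tooling: it rewrites BSD-style lines into GNU form and runs the check against files in a download directory, failing on any mismatch or missing file. The checksum-file and directory names in the usage comment are assumptions. Note that a digest fetched from the same page as the download only guards against corruption or truncation, not against substitution by whoever controls the page or the connection; compare against a reference obtained through an independent, trusted channel.

```shell
# Added example (not OSSEC project code). Verify files against a
# BSD-style "SHA256 (name) = hash" digest list such as the one above.
#
# verify_bsd_sha256 CHECKSUM_FILE [DIR]
#   Reads BSD-style lines from CHECKSUM_FILE and checks each named file
#   inside DIR (default: current directory). Returns 0 only when every
#   listed file exists and matches; non-zero otherwise.
verify_bsd_sha256() {
    sums="$1"
    dir="${2:-.}"

    # Pick a checker: GNU coreutils sha256sum, or Perl shasum (macOS/BSD).
    # Both accept GNU-format "hash  name" lines on stdin with -c.
    if command -v sha256sum >/dev/null 2>&1; then
        checker="sha256sum -c"
    elif command -v shasum >/dev/null 2>&1; then
        checker="shasum -a 256 -c"
    else
        echo "verify_bsd_sha256: no sha256 tool found" >&2
        return 2
    fi

    # Keep only well-formed BSD lines (64 hex digits) and rewrite them
    # to GNU form: "SHA256 (name) = hash" -> "hash  name".
    gnu=$(sed -n 's/^SHA256 (\(.*\)) = \([0-9a-fA-F]\{64\}\)$/\2  \1/p' "$sums")
    if [ -z "$gnu" ]; then
        echo "verify_bsd_sha256: no SHA256 lines found in $sums" >&2
        return 1
    fi

    # Run the check inside DIR so the relative names in the digest list
    # resolve there. The subshell's status is the checker's status, which
    # is non-zero if any file is missing or its digest differs.
    ( cd "$dir" && printf '%s\n' "$gnu" | $checker )
}

# Usage (assumed file names for illustration):
#   verify_bsd_sha256 ossec-hids-2.8.3.tar.gz.sha256 ./downloads
```

If the digest file you fetched was concatenated from several releases, every line is checked; a single failure makes the whole call return non-zero, so it is safe to gate an install script on its exit status.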


Released June 10, 2015:


This is a bug fix release.

  • SECURITY fix for CVE-2015-3222


Released Sept 9, 2014:


This is a bug fix release.

  • SECURITY fix for CVE-2014-5284 found by Jeff Petersen of Roka Security LLC.
  • Bug fixes


  • Bug fixes
  • manage_agents: Added manage_agents -r <id> to remove an agent (awiddersheim)
  • Windows: Added eventchannel support for Windows agent on Vista or later (gaelmuller)
  • syscheckd: Extended filesize from an integer to a long integer
  • Active Response: Fix active-response on MAC OS Firewall (jknockaert)
  • Log monitoring/analysis: Add option to allow the output of all alerts to a zeromq PUB socket in JSON format, using the cJSON library (jrossi, justintime32)
  • Log monitoring/analysis: Add TimeGenerated to the output of Windows Event logs (awiddersheim)
  • Rules/decoders: Added some additional sshd rules in sshd_rules.xml (joshgarnett)
  • Rules/decoders: Removed bro-ids_rules.xml (ddpbsd)
  • Removed event ID 676, 672 in msauth_rules.xml (mstarks01)
  • contrib: zeromq_pubsub.py - No description (jrossi)
  • contrib: ossec-eps.sh, a script to calculate events-per-second (mstarks01)


  • Bug fixes
  • Extended filesize from an integer to a long integer in syscheck
  • Heartbeat interval is now configurable
  • custom_alert_output added
  • ip-customblock.sh active-response script added
  • ossec2snorby scripts added to contrib


  • agent profiles
  • Allow the agents to run remote commands from agent.conf again (toggled in internal_options.conf)
  • New utility: util.sh
  • New hybrid mode: server + agent functionality on the same system (not yet documented in detail)
  • contrib/ossec2rss.php: ossec alerts in an rss format
  • GeoIP data in alerts
  • OSSEC server can be specified by hostname in the agent's ossec.conf (server-hostname option)
  • ossec-authd can now record the agent's IP address in client.keys instead of "any", via the -i flag (from Jason Stelzer)
  • Support for prelink to reduce syscheck false positives (prefilter_cmd option)
  • Added knobs (check_* options) to turn individual rootcheck features on or off
  • Added json and splunk formats for syslog output (alongside the existing syslog and cef formats)
  • Changed -f to -v in ossec-logtest
  • Added -f to manage_agents to create agent keys in bulk