Pull Request info
Submitted by: [jrossi](https://github.com/jrossi) | Full Pull Request: ossec/ossec-hids#208 | Merged TimeStamp: 2014-05-22 13:10:57 | Create TimeStamp: 2014-05-18 14:43:04
> Think this is the issue identified in #206. The function returned a pointer to a local variable; the result would be undefined.
Pull Request info
Submitted by: [gaelmuller](https://github.com/gaelmuller) | Full Pull Request: ossec/ossec-hids#203 | Merged TimeStamp: 2014-05-10 01:08:48 | Create TimeStamp: 2014-05-05 15:46:02
> Add a "Time Created" field to the eventchannel log format to align it with eventlog.
Pull Request info
Submitted by: [jknockaert](https://github.com/jknockaert) | Full Pull Request: ossec/ossec-hids#202 | Merged TimeStamp: 2014-05-10 01:09:42 | Create TimeStamp: 2014-05-05 15:00:46
> Modern versions of Mac OS support pf, with ipfw to be phased out by (probably) the next version of the OS.
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#200 | Merged TimeStamp: 2014-05-02 00:11:32 | Create TimeStamp: 2014-05-01 09:44:37
> fix memory leaks (in error branches) and check return values of library calls (see coverity)
Pull Request info
Submitted by: [harshilmathur](https://github.com/harshilmathur) | Full Pull Request: ossec/ossec-hids#197 | Merged TimeStamp: 2014-04-29 22:23:25 | Create TimeStamp: 2014-04-29 22:18:26
> Resolves #194: the changed opensslconf.h path in Ubuntu 14.04 caused OSSEC to compile without OpenSSL support.
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#195 | Merged TimeStamp: 2014-04-29 12:58:39 | Create TimeStamp: 2014-04-29 09:06:18
> changes:
> * replace octal values of charmaps with decimal ones (because octal values greater than 127 cause conversion warnings)
> * change string size variables to size_t
> * rewrite OS_StrStartsWith() so that the length of the pattern does not need to be computed
> * enable unit test for regex extraction added by 79460acf9ae79dfd52de72c2599d6f0a3be81e83
> * fix bunch of compiler warnings
> * fix coverity warnings about uninitialized array (CID 28590)
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#191 | Merged TimeStamp: 2014-04-25 11:02:44 | Create TimeStamp: 2014-04-25 10:07:37
> unit tests for os_regex's Os_StrStartsWith() and character maps
Pull Request info
Submitted by: [jbcheng](https://github.com/jbcheng) | Full Pull Request: ossec/ossec-hids#189 | Merged TimeStamp: 2014-04-23 19:57:54 | Create TimeStamp: 2014-04-23 18:47:09
> In a hurry, this was pushed to stable branch first.
> Please merge this to master.
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#188 | Merged TimeStamp: 2014-04-23 14:47:17 | Create TimeStamp: 2014-04-23 13:24:57
> adding more unit tests for os_regex
>
> p.s.:
> the regex extraction tests are crashing for me, because os_regex is trying to modify the const input strings (https://github.com/ossec/ossec-hids/blob/master/src/os_regex/os_regex_execute.c#L72).
> I think I fixed this in my branch os_regex (https://github.com/cgzones/ossec-hids/tree/os_regex).
Pull Request info
Title: [tests] explicit enable branch coverage for new version of lcov
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#187 | Merged TimeStamp: 2014-04-23 10:59:16 | Create TimeStamp: 2014-04-23 07:43:43
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#186 | Merged TimeStamp: 2014-04-23 10:57:52 | Create TimeStamp: 2014-04-23 07:43:31
Pull Request info
Submitted by: [danpop60](https://github.com/danpop60) | Full Pull Request: ossec/ossec-hids#185 | Merged TimeStamp: 2014-04-22 15:10:09 | Create TimeStamp: 2014-04-22 11:06:40
> Avoid a crash of agentd on Solaris.
> Replaced AF_UNIX by PF_UNIX in a couple of socket() calls.
Pull Request info
Submitted by: [jrossi](https://github.com/jrossi) | Full Pull Request: ossec/ossec-hids#180 | Merged TimeStamp: 2014-04-07 21:47:48 | Create TimeStamp: 2014-04-06 03:26:18
> See discussion at https://groups.google.com/forum/#!topic/ossec-list/FOTncDNnNk0
>
> The ossec-lua addition included a regression on @cgzones changes for using clang correctly. This corrects that regression (as suggested by cgzones on the mailing list).
>
> I think this should also be merged into stable for the 2.8 release as the ossec-lua introduced a regression into clang builds.
>
> Please note travis will not pick up this type of errors due to gcc still being installed.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#179 | Merged TimeStamp: 2014-04-06 16:32:56 | Create TimeStamp: 2014-04-05 18:27:10
> Added local_internal_options.conf to the installation process. This file will not be overwritten when an upgrade occurs so changes to how the agent runs can be made in this file and persist through upgrades. This fixes #169.
>
> Also, some small fixes like removing whitespace and making the message box definitions in ossec-installer.nsi a bit more readable.
Pull Request info
Title: Fix windows agent compile error/warnings #define ENOBUFS, ALERT_SYSTEM_ERR
Submitted by: [jbcheng](https://github.com/jbcheng) | Full Pull Request: ossec/ossec-hids#176 | Merged TimeStamp: 2014-04-04 23:45:27 | Create TimeStamp: 2014-04-04 23:35:02
> The errno.h in some versions of MinGW does not have ENOBUFS defined, causing the Travis CI windows_agent build to fail. This PR fixes that.
> Also, this PR gets rid of compile warnings regarding ALERT_SYSTEM_ERROR being redefined in rootcheck/rootcheck.h, which was also defined in /i686-w64-mingw32/include/winuser.h:4997
Pull Request info
Title: Moving ossec-lua back to posix so that we do not have a libreadline dep
Submitted by: [jrossi](https://github.com/jrossi) | Full Pull Request: ossec/ossec-hids#175 | Merged TimeStamp: 2014-04-04 21:58:32 | Create TimeStamp: 2014-04-04 02:17:42
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#173 | Merged TimeStamp: 2014-04-12 02:50:25 | Create TimeStamp: 2014-04-03 15:42:00
> changes:
> * new make target for coverage report of testcases
>   - cd src/
>   - make test
>   - cd tests/
>   - make generate_coverage
> * xml error messages harmonized
> * speedup when applying variables
>   - xml array only traversed once
>   - names and contents of variables are not copied
> * add some testcases
>   - multiple values per node (<node>first<child/>second</node>)
>   - space before attribute definition (<node attr= "value"/>)
>   - comments with '!' and '-'
>   - string overflow tests for xml nodes and variables
Pull Request info
Title: Added more Vista+-associated event IDs for existing rules
Submitted by: [mstarks01](https://github.com/mstarks01) | Full Pull Request: ossec/ossec-hids#163 | Merged TimeStamp: 2014-03-31 22:58:22 | Create TimeStamp: 2014-03-26 04:01:51
Pull Request info
Submitted by: [denied39](https://github.com/denied39) | Full Pull Request: ossec/ossec-hids#160 | Merged TimeStamp: 2014-04-02 01:28:53 | Create TimeStamp: 2014-03-24 12:10:01
> Added include for errno.h in src/os_net/os_net.c to remove Windows agent compile error.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#159 | Merged TimeStamp: 2014-04-03 01:36:26 | Create TimeStamp: 2014-03-23 15:27:45
> Updated the style of ossec-installer.nsi so it is easier to read.
>
> Turned on Uninstallation details same as is done for installation details.
>
> Start to use SimpleSC plugin (Rainer Döpke) to handle the initial stopping of the OSSEC agent service. The hope is this plugin can later be used to handle all of the necessary service configuration that is required.
>
> Added error checking around many of the (un)installation steps. There is plenty of room for more error checking but hopefully this covers some of the major problem areas.
>
> Added logic to create the ossec.log on every installation.
>
> Fixed cleaning up the bookmarks directory.
>
> Start to use nsProcess plugin (Shengalts Aleksander aka Instructor) to detect if either manage_agents.exe or win32ui.exe are running during an uninstall. When they are running the uninstallation will fail to remove those files and thus fails to remove the ossec-agent directory.
Pull Request info
Submitted by: [mstarks01](https://github.com/mstarks01) | Full Pull Request: ossec/ossec-hids#157 | Merged TimeStamp: 2014-03-26 01:06:22 | Create TimeStamp: 2014-03-22 16:29:43
> Since it is only on Windows 2000 and support for that OS has been deprecated.
Pull Request info
Submitted by: [mstarks01](https://github.com/mstarks01) | Full Pull Request: ossec/ossec-hids#151 | Merged TimeStamp: 2014-03-20 01:08:40 | Create TimeStamp: 2014-03-20 00:35:53
> Event 672 is related to the granting of Kerberos tickets. It is extraneous due to other authentication events for the same action being logged, and causes the number of logon failures to appear higher than they really are. From Microsoft:
>
> > Does not contain any additional information if audit details from logon events 528 and 540 are already being collected. This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673.
Pull Request info
Title: Added <email_idsname> option to ossec.conf (additional email header)
Submitted by: [dopefish](https://github.com/dopefish) | Full Pull Request: ossec/ossec-hids#150 | Merged TimeStamp: 2014-03-20 12:05:06 | Create TimeStamp: 2014-03-19 19:34:37
> This feature adds an additional option to the ossec_config/global config block in ossec.conf called <email_idsname>. The value of this field gets added to the email headers as "X-IDS-OSSEC: $value" to make sorting of emails from different ossec servers easier (e.g. development and production servers). install.sh uses the $HOST variable as the default value for the field when creating an ossec.conf
>
> Example:
>
>     <ossec_config>
>       <global>
>         <email_idsname>development</email_idsname>
>       </global>
>     </ossec_config>
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#145 | Merged TimeStamp: 2014-03-17 22:56:10 | Create TimeStamp: 2014-03-17 22:00:14
> Added the shebang. Also used 'set -e' to exit the scripts upon getting an error from any of the commands being run. That is to say if there is an issue compiling anything for any reason stop there and continue no further.
>
> Previously, it would just continue on until something would look for the executables that weren't there and exit. Usually after makensis.
>
> This makes it a lot clearer on where things went wrong and you don't have to trudge through a lot of output to find compile issues.
Pull Request info
Submitted by: [ddpbsd](https://github.com/ddpbsd) | Full Pull Request: ossec/ossec-hids#144 | Merged TimeStamp: 2014-03-17 19:31:15 | Create TimeStamp: 2014-03-17 17:04:29
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#142 | Merged TimeStamp: 2014-03-20 17:16:06 | Create TimeStamp: 2014-03-15 10:39:09
> changes:
> * remove global XML_VAR compile directive
> * restructure header structure (os_xml.h + os_xml_writer.h -> os_xml.h (for external includes) + os_xml_internal.h (for internal macros))
> * always ensure valid OS_XML state so OS_ClearXML() never encounters a nullpointer or memory leak
> * remove unused function _checkmemory()
> * clean up memory in failure branches
> * fix a bunch of compiler warnings
> * add test cases
Pull Request info
Submitted by: [jrossi](https://github.com/jrossi) | Full Pull Request: ossec/ossec-hids#139 | Merged TimeStamp: 2014-03-13 20:44:40 | Create TimeStamp: 2014-03-12 15:55:25
> Basic import of os_regex/example/tests into the check unit test setup started by @cgzones. This will test OS_Match2 and OS_Regex.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#136 | Merged TimeStamp: 2014-03-11 20:54:47 | Create TimeStamp: 2014-03-10 18:52:47
> The buffer variable in InstallService() was not ever used.
>
> The other warning was about windows.h being included before winsock2.h
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#134 | Merged TimeStamp: 2014-03-11 00:43:13 | Create TimeStamp: 2014-03-10 13:27:01
> These seem pretty useless to me. They also aren't used in the code anywhere. There are plenty of other tools available to start/stop the OSSEC services. Probably best to get rid of these.
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#133 | Merged TimeStamp: 2014-03-10 20:53:02 | Create TimeStamp: 2014-03-10 13:20:58
> * updating zlib to 1.2.8
> * adding some documentation
> * adding some unit tests for wrapper functions
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#132 | Merged TimeStamp: 2014-03-10 20:44:21 | Create TimeStamp: 2014-03-10 11:22:19
> This pull request changes two things:
>
> * The complete ossec code can now be compiled with clang.
>   Therefore the external openssl was changed according to http://www.andric.com/freebsd/clang/clang-bootstrap-r210374-1.txt.
>   You can verify the unchanged crypto results by using the test binaries, e.g. by:
>
>   ```
>   cd src/
>   make all
>   cd os_crypto/md5/
>   make main
>   echo "next line should be 'MD5Sum for \"test\" is: 098f6bcd4621d373cade4e832627b4f6'"
>   ./main str test
>   cd ../sha1/
>   make main
>   echo "next line should be 'SHA1Sum for \"main.c\" is: 4b35e3f3e19d9861db9eeb7827f8bdf46fe4b89c'"
>   ./main main.c
>   ```
>
> * The install and make script does search and set gcc as the default compiler.
>   Instead ossec relies on either a properly set "CC" environment variable or on a reachable "cc" binary.
>   So for debian/red hat respectively freebsd based systems cc is a symlink to gcc respectively clang.
>   If you want to use a different compiler (e.g. clang on debian) you can set the CC environment variable before running the install script (export CC=/path/to/clang) or use the make target setclang (which sets the CC environment variable to clang).
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#131 | Merged TimeStamp: 2014-03-10 02:10:52 | Create TimeStamp: 2014-03-10 01:54:58
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#130 | Merged TimeStamp: 2014-03-10 02:01:17 | Create TimeStamp: 2014-03-10 01:46:57
> When doing a win32 installation the details are hidden and only shown very briefly. In some cases when doing an Exec on some of the OSSEC command line tools it will spawn a cmd.exe that only appears for a second. Some of the details those processes do are logged in the ossec.log but it would be nice if they were also displayed in the details window and those details can be reviewed.
>
> Changed all Exec's to use ExecToLog so their details show up in the installer details section.
>
> Configured the details to be displayed by default and to not skip past the details page automatically when the installation is completed.
>
> This also has the added benefit of now popping up cmd.exe windows when an installation takes place.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#129 | Merged TimeStamp: 2014-03-10 02:10:06 | Create TimeStamp: 2014-03-09 23:40:02
> There were quite a few issues with the win32 service code that this corrects. The first is that some of the comments in the code needed to be updated. Looks like code was copied and reused but the comments were not updated to reflect what the reused code was doing.
>
> There was the potential in InstallService() where not all the service handles would be closed if errors were hit at certain spots.
>
> Before installing a new service the old service was not uninstalled. This is desirable in the case where the new service has different options or points to a different path location for example. In some cases it might be bad where some type of user change was made but that is difficult to account for. I leaned toward cleaning up the old so that the new service can be installed fresh.
>
> This also causes an error when the service goes to install because the service already exists. This would actually happen each time the OSSEC installer was run but due to some incorrect logging statements (which I'll explain below) a blank line would appear.
>
> When doing an uninstall of a service the service wasn't stopped prior to the uninstallation. This would leave the service running until the service was stopped or the computer rebooted at which point the service would disappear. It is better to stop the service before uninstalling. I'd imagine that is what the user would expect to happen during such an operation.
>
> The logging in this code was not done correctly. Namely, the call to merror() in the InstallService() function after the "install_error" label was completely wrong and would result in a nearly blank line in the logs. There were also reports of times where a user would install the agent on a win32 machine and everything would work except the service would never register. Fixing all of the logging to use verbose() should hopefully lead to better troubleshooting of errors like that in the future.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#128 | Merged TimeStamp: 2014-03-09 18:26:19 | Create TimeStamp: 2014-03-09 17:55:41
> Added /? as a help parameter. This is a pretty standard way of getting help information from other command line executables on Windows.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#127 | Merged TimeStamp: 2014-03-10 01:57:42 | Create TimeStamp: 2014-03-09 16:52:02
> Log the cacls command about to be run.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#126 | Merged TimeStamp: 2014-03-10 02:01:52 | Create TimeStamp: 2014-03-09 15:56:51
> Use the full ability of the File command. Before when upgrading and doing a Rename after without the /Reboot command most of those commands would "fail silently" which is the best way I can describe it. It would just leave these files in the main ossec-agent directory never really upgrading parts of the system. Using the File command has the added benefit of complaining if a file is in use during the installation. For example have the win32ui.exe open and try to run a new installation. It should complain that the file is inaccessible until the application is closed. Previously, this would just leave os_win32.exe in the ossec-agent directory and never successfully upgrade the executable.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#125 | Merged TimeStamp: 2014-03-10 02:08:11 | Create TimeStamp: 2014-03-09 15:49:08
> Explicitly set SetOverwrite to on. This is the default but for clarity it is good to show exactly what action we are hoping to take with these files.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#124 | Merged TimeStamp: 2014-03-10 02:06:02 | Create TimeStamp: 2014-03-09 15:46:10
> Turned SetDateSave to off. Reference http://nsis.sourceforge.net/Reference/SetDateSave for more information on what this does. While keeping the original DateModified times has some advantages I think not having NSIS overwrite the new DateModified times with the originals is much better. It lets the user see when a file was actually modified.
Pull Request info
Submitted by: [mstarks01](https://github.com/mstarks01) | Full Pull Request: ossec/ossec-hids#123 | Merged TimeStamp: 2014-03-09 15:47:37 | Create TimeStamp: 2014-03-09 15:43:42
Pull Request info
Submitted by: [mstarks01](https://github.com/mstarks01) | Full Pull Request: ossec/ossec-hids#122 | Merged TimeStamp: 2014-03-09 02:51:36 | Create TimeStamp: 2014-03-09 02:19:46
Pull Request info
Submitted by: [jrossi](https://github.com/jrossi) | Full Pull Request: ossec/ossec-hids#121 | Merged TimeStamp: 2014-03-10 03:35:26 | Create TimeStamp: 2014-03-08 19:27:09
> Deploy with travis does not make sense for us and fails a lot more often than it should.
Pull Request info
Submitted by: [jrossi](https://github.com/jrossi) | Full Pull Request: ossec/ossec-hids#120 | Merged TimeStamp: 2014-03-17 14:49:20 | Create TimeStamp: 2014-03-08 18:55:18
> This adds a lua interpreter to ossec agent and master install. This is the smallest change allowing Lua to become the defacto script language for ossec.
>
> There are many reasons for lua support to be added to ossec:
>
> 1. LUA runs any place ossec does and maybe even more
> 2. Constant interface for more advanced active response script on agents and manager
> 3. Constant set of libraries and tools for adding utils and interfaces.
> 4. Easy integration into C
> 5. Bloody fast
> 6. Simple
>
> Once having ossec-lua we can start adding utils to the standard install without having to perform C everyplace. Here are some areas that I see:
>
> 1. Active response scripts
> 2. check perm script
> 3. move reporting from C to LUA so anyone can make changes
> 4. Templating using LUA for formatting emails.
>
> I have gotten ossec-lua to compile on windows using mingw and will create a second pull request to make that complete.
>
> This will also need documentation updates.
Pull Request info
Submitted by: [mstarks01](https://github.com/mstarks01) | Full Pull Request: ossec/ossec-hids#119 | Merged TimeStamp: 2014-03-08 18:01:10 | Create TimeStamp: 2014-03-08 17:59:21
> It was just plain... broken.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#118 | Merged TimeStamp: 2014-03-08 17:40:55 | Create TimeStamp: 2014-03-08 17:22:57
> I can't seem to figure out what purpose the ui.nsi file serves if any. In my tests on Windows 2008R2 not making it and even having it present seem to make no difference in the agent functionality. The win32ui still gets installed and everything about it still seems to work.
>
> Getting rid of it seems like a good idea to me at this point.
>
> If anyone can tell me if this does get used for anything and what that anything is it would be much appreciated. Further testing always welcome.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#117 | Merged TimeStamp: 2014-03-08 16:42:54 | Create TimeStamp: 2014-03-08 16:15:25
> Move the logic that determines whether the ossec.conf should be replaced/renamed out of the C code and into NSIS. The NSIS stuff is built for installing things. No need to write a bunch of C code to do something that there is already a system for. Going to try and move as much out of C and into NSIS to help cut down on the amount of code that needs to be maintained for no real reason.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#116 | Merged TimeStamp: 2014-03-08 16:07:10 | Create TimeStamp: 2014-03-08 15:57:44
> Instead of using a relative jumpto use the NoAbort label for clarity.
Pull Request info
Submitted by: [gaelmuller](https://github.com/gaelmuller) | Full Pull Request: ossec/ossec-hids#115 | Merged TimeStamp: 2014-03-07 21:58:30 | Create TimeStamp: 2014-03-07 15:38:06
> Restore eventchannel support, with proper build. Only mingw-w64 can be used.
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#114 | Merged TimeStamp: 2014-03-07 21:55:01 | Create TimeStamp: 2014-03-06 18:23:07
> os_err.h is located in src/headers and sysinfo is never ever used
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#113 | Merged TimeStamp: 2014-03-06 17:08:36 | Create TimeStamp: 2014-03-06 16:00:51
> In my opinion adding these should be a user decision and shouldn't get done by default.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#111 | Merged TimeStamp: 2014-03-07 21:53:35 | Create TimeStamp: 2014-03-06 03:19:14
> The ARGV0 names of manage-agents and the win32ui needed more clarity. Using 'ossec-agent' doesn't really make sense. This will help in figuring out what is doing what in the log file for example a little easier.
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#110 | Merged TimeStamp: 2014-03-05 12:53:48 | Create TimeStamp: 2014-03-05 11:17:29
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#109 | Merged TimeStamp: 2014-03-05 12:58:41 | Create TimeStamp: 2014-03-05 11:17:21
Pull Request info
Submitted by: [cgzones](https://github.com/cgzones) | Full Pull Request: ossec/ossec-hids#108 | Merged TimeStamp: 2014-03-07 21:57:20 | Create TimeStamp: 2014-03-05 11:17:12
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#107 | Merged TimeStamp: 2014-03-08 16:14:47 | Create TimeStamp: 2014-03-04 21:47:36
> The manage_agents.exe would never change into the proper ossec-agents directory. There is now some logic added to attempt to chdir() into the right directory when it starts but it is not foolproof.
>
> Also, corrected the permissions on the client.keys file. They were not being set properly after the file was written out leaving it readable to any system user.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#106 | Merged TimeStamp: 2014-03-07 21:50:49 | Create TimeStamp: 2014-03-04 19:19:58
> After commit 75a91043 the os_auth daemon no longer gets made during builds on NIX based systems so copying over the files is no longer necessary.
Pull Request info
Submitted by: [joshgarnett](https://github.com/joshgarnett) | Full Pull Request: ossec/ossec-hids#105 | Merged TimeStamp: 2014-03-04 14:38:51 | Create TimeStamp: 2014-03-04 14:13:11
> Nothing fancy, just a new rule for an sshd message I encountered recently. Unit test created also.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#104 | Merged TimeStamp: 2014-03-05 02:07:23 | Create TimeStamp: 2014-03-03 21:54:03
> These messages were a little all over the place with their style and what they were saying. This is my attempt at cleaning them up a bit so they are a little more clear and cleaner in their presentation.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#103 | Merged TimeStamp: 2014-03-07 22:00:56 | Create TimeStamp: 2014-03-03 21:49:45
> I could be wrong about this being necessary but nothing bad happened when I added it and ran my tests.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#102 | Merged TimeStamp: 2014-03-08 16:17:34 | Create TimeStamp: 2014-03-03 21:46:31
> These debug messages aren't particularly helpful and there isn't any easy way to even put the win32ui into debug mode that I have found so I feel they should be removed.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#100 | Merged TimeStamp: 2014-03-07 21:48:03 | Create TimeStamp: 2014-03-03 21:39:10
> When using the win32ui to change the server IP or import the authentication key the permissions on ossec.conf and client.keys were not set correctly resulting in any system user being able to read the contents of these files.
>
> This brought on some additional problems where the win32ui was unable to properly detect if it was running with Administrative privileges. The previous logic would attempt to read/write a .test file in the OSSEC directory but thanks to a mixture of UAC redirection, an unsigned binary and not requiring Administrative privileges these tests would always pass. That means the win32ui would be able to run without Administrative privileges.
>
> This solution still isn't the best. It would be better if proper win32 APIs were used to set permissions and determine if the win32ui was started with the proper privileges. This is just an interim solution to get something out the door.
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#99 | Merged TimeStamp: 2014-03-05 02:02:30 | Create TimeStamp: 2014-03-03 21:20:55
> When installing the win32 agent it does a call to checkVista() which logs a message. The problem is no name is set so (null) is placed where the executable name should be. This sets the name so that the executable name is displayed instead of (null).
>
> Before:
> ![before](https://f.cloud.github.com/assets/3237256/2314652/adfc22e6-a319-11e3-90d9-2fbe43a47dc7.PNG)
>
> After:
> ![after](https://f.cloud.github.com/assets/3237256/2314653/b139b55e-a319-11e3-87ae-02aebc9fdc0d.PNG)
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#98 | Merged TimeStamp: 2014-03-07 21:52:47 | Create TimeStamp: 2014-03-03 21:12:32
> This adds the install date to the lower right status area in the win32ui. It also gets rid of the sizegrip that was getting added by the status data area. It gave the impression that the window could be resized which it can't. It also took up space in the status area.
>
> Before:
> ![before](https://f.cloud.github.com/assets/3237256/2314558/794ebc8a-a318-11e3-9997-b309ab6fbbdd.PNG)
>
> After:
> ![after](https://f.cloud.github.com/assets/3237256/2314559/7ed94134-a318-11e3-8d47-2dbc0c16fc74.PNG)
Pull Request info
Submitted by: [awiddersheim](https://github.com/awiddersheim) | Full Pull Request: ossec/ossec-hids#97 | Merged TimeStamp: 2014-03-07 21:43:54 | Create TimeStamp: 2014-03-03 20:58:42
> The delimiter of just '-' (no spaces) was not as strict as it could > be, making adding things like releases to the version file (2.7.1-1, > for example) not possible. This makes the delimiter " - " (with spaces), > which allows for that type of flexibility.
Pull Request info
"Submitted by" ,"[awiddersheim](https://github.com/awiddersheim) " "Full Pull Request","[ossec/ossec-hids#96]"" "Merged TimeStamp","2014-03-08 17:46:27" "Create TimeStamp","2014-03-03 20:51:20"
> If you close the win32ui, the win32ui is running with Administrative > privileges, everything to run the win32 agent is configured and the > Agent service is not running, a dialog box will pop up informing the user > the service is not running and ask them if they would like to start it. > > This to me is an annoyance more than anything. It is likely the user > went into the win32ui to stop the service to begin with and knows it is > stopped. > > If anyone has any strong opinions on keeping this I'm all ears.
Pull Request info
"Submitted by" ,"[awiddersheim](https://github.com/awiddersheim) " "Full Pull Request","[ossec/ossec-hids#95]"" "Merged TimeStamp","2014-03-04 14:39:32" "Create TimeStamp","2014-03-03 20:43:44"
> Added temporary vim files and left over files from patches being run.
Pull Request info
"Submitted by" ,"[awiddersheim](https://github.com/awiddersheim) " "Full Pull Request","[ossec/ossec-hids#94]"" "Merged TimeStamp","2014-03-07 21:42:41" "Create TimeStamp","2014-03-03 20:40:48"
> This starts to add support for 2012. Change the log message to be > more flexible with what it spits back out to the user after the > checkVista() function is run. > > Although this helps with 2012 detection it is not perfect. With the > addition of Windows 8.1/2012 R2 the documentation provided by > Microsoft indicates that the GetVersionEx APIs have been deprecated. > This means that if you are on an 8.1 machine and run GetVersionEx it > will return the Windows 8 version (6.2.0.0). In order to get the > correct version you must target your application for Windows 8.1. > > I am just trying to fix installations on 2012 and 2012 R2 so this > code works well enough for now but should be revisited at some point > so that it will work with future Windows versions. > > For more details on how to target your application for Windows 8.1 read > the following http://msdn.microsoft.com/en-us/library/windows/desktop/dn481241(v=vs.85).aspx.
Pull Request info
"Submitted by" ,"[pdrakeweb](https://github.com/pdrakeweb) " "Full Pull Request","[ossec/ossec-hids#93]"" "Merged TimeStamp","2014-03-04 14:43:59" "Create TimeStamp","2014-03-03 20:09:25"
> Modify ossec-client.sh and ossec-hids-debian.init such that both ossec-control and service ossec commands will exit with the proper status code, based on the ossec client process status.
-------------------------------------------------------fix problem with umlaut in date string when pre-decoding the log message -------------------------------------------------------
Pull Request info
"Submitted by" ,"[ChristianBeer](https://github.com/ChristianBeer) " "Full Pull Request","[ossec/ossec-hids#92]"" "Merged TimeStamp","2014-03-07 21:53:10" "Create TimeStamp","2014-03-03 16:47:55"
>
Pull Request info
"Submitted by" ,"[awiddersheim](https://github.com/awiddersheim) " "Full Pull Request","[ossec/ossec-hids#87]"" "Merged TimeStamp","2014-03-01 16:03:08" "Create TimeStamp","2014-03-01 15:49:17"
>
Pull Request info
"Submitted by" ,"[ddpbsd](https://github.com/ddpbsd) " "Full Pull Request","[ossec/ossec-hids#86]"" "Merged TimeStamp","2014-02-28 14:21:09" "Create TimeStamp","2014-02-28 12:55:16"
> The bro-ids stuff is old, out of date, and never worked properly.
Pull Request info
"Submitted by" ,"[ChristianBeer](https://github.com/ChristianBeer) " "Full Pull Request","[ossec/ossec-hids#85]"" "Merged TimeStamp","2014-02-26 18:59:09" "Create TimeStamp","2014-02-26 18:56:35"
> reported by Antonio Querubin on ossec-dev > > I could reproduce the segfault with ossec-analysisd -t -d -d and fixed it
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#82]"" "Merged TimeStamp","2014-02-25 13:10:37" "Create TimeStamp","2014-02-25 10:51:15"
>
Pull Request info
"Submitted by" ,"[ChristianBeer](https://github.com/ChristianBeer) " "Full Pull Request","[ossec/ossec-hids#81]"" "Merged TimeStamp","2014-02-25 13:11:50" "Create TimeStamp","2014-02-24 19:15:09"
> * fixed resource leaks (found by cppcheck)
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#80]"" "Merged TimeStamp","2014-02-24 15:20:04" "Create TimeStamp","2014-02-24 15:07:24"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#79]"" "Merged TimeStamp","2014-02-24 15:06:42" "Create TimeStamp","2014-02-24 15:06:01"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#78]"" "Merged TimeStamp","2014-02-24 15:18:07" "Create TimeStamp","2014-02-24 15:05:09"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#77]"" "Merged TimeStamp","2014-02-24 15:22:04" "Create TimeStamp","2014-02-24 15:04:13"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#76]"" "Merged TimeStamp","2014-02-24 15:25:18" "Create TimeStamp","2014-02-24 15:03:21"
> rename global agent struct from logr to agt due to a naming conflict with the global remoted struct logr
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#75]"" "Merged TimeStamp","2014-02-24 15:25:41" "Create TimeStamp","2014-02-24 15:02:06"
> rename syscheck config struct from config to syscheck_config due to a naming conflict with struct config in zlib
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#74]"" "Merged TimeStamp","2014-02-24 15:25:59" "Create TimeStamp","2014-02-24 15:00:49"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#73]"" "Merged TimeStamp","2014-02-24 15:28:55" "Create TimeStamp","2014-02-24 15:00:00"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#72]"" "Merged TimeStamp","2014-02-24 15:29:18" "Create TimeStamp","2014-02-24 14:59:13"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#71]"" "Merged TimeStamp","2014-02-24 15:29:50" "Create TimeStamp","2014-02-24 14:58:21"
>
-------------------------------------------------------remove complete bin directory on make clean and ignore failure by removi... -------------------------------------------------------
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#70]"" "Merged TimeStamp","2014-02-24 14:58:31" "Create TimeStamp","2014-02-24 14:57:17"
> ...ng non existent files
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#69]"" "Merged TimeStamp","2014-02-24 15:08:21" "Create TimeStamp","2014-02-24 14:56:18"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#68]"" "Merged TimeStamp","2014-02-25 13:11:13" "Create TimeStamp","2014-02-24 14:55:23"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#67]"" "Merged TimeStamp","2014-02-24 14:58:52" "Create TimeStamp","2014-02-24 14:54:13"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#66]"" "Merged TimeStamp","2014-02-24 14:59:05" "Create TimeStamp","2014-02-24 14:53:12"
>
Pull Request info
"Submitted by" ,"[cgzones](https://github.com/cgzones) " "Full Pull Request","[ossec/ossec-hids#65]"" "Merged TimeStamp","2014-02-24 14:58:01" "Create TimeStamp","2014-02-24 14:50:27"
>
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#61]"" "Merged TimeStamp","2014-02-19 22:08:45" "Create TimeStamp","2014-02-19 19:58:04"
> Please accept this - travis does not deploy on pull request builds but I would like to download the generated win32 agents anyway. >
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#59]"" "Merged TimeStamp","2014-02-19 17:21:36" "Create TimeStamp","2014-02-19 16:30:29"
>
Pull Request info
"Submitted by" ,"[awiddersheim](https://github.com/awiddersheim) " "Full Pull Request","[ossec/ossec-hids#58]"" "Merged TimeStamp","2014-02-19 16:32:12" "Create TimeStamp","2014-02-19 16:25:47"
> This should allow the user to specify a debug level for the remoted > daemon using the remoted.debug option in the internal_options.conf. > The debug level specified on the command line takes precedence.
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#57]"" "Merged TimeStamp","2014-02-19 16:12:27" "Create TimeStamp","2014-02-19 16:06:27"
>
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#56]"" "Merged TimeStamp","2014-02-19 15:29:13" "Create TimeStamp","2014-02-19 15:25:29"
> I have merged this but I have not tested it. >
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#55]"" "Merged TimeStamp","2014-02-19 15:18:46" "Create TimeStamp","2014-02-19 15:18:01"
>
-------------------------------------------------------Travis ci build windows and fix for setenv not being available on win32 -------------------------------------------------------
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#53]"" "Merged TimeStamp","2014-02-18 21:05:15" "Create TimeStamp","2014-02-18 20:54:58"
>
-------------------------------------------------------Use cJSON instead of writing a custom JSON output format. -------------------------------------------------------
Pull Request info
"Submitted by" ,"[reyjrar](https://github.com/reyjrar) " "Full Pull Request","[ossec/ossec-hids#49]"" "Merged TimeStamp","2014-02-18 18:01:52" "Create TimeStamp","2014-02-17 18:42:26"
> This addresses Issue#32. I have tested that this code builds and runs. I had to tweak the config for the ZeroMQ output stuff, so if @jrossi can sanity check, that would be ideal. I also added a .gitignore.
-------------------------------------------------------Disable /var/ossec/queue/diff/*state.$epoch files, they were not used. -------------------------------------------------------
Pull Request info
"Submitted by" ,"[reyjrar](https://github.com/reyjrar) " "Full Pull Request","[ossec/ossec-hids#45]"" "Merged TimeStamp","2014-02-16 14:10:53" "Create TimeStamp","2014-02-15 12:58:54"
> This feature isn't being used and can lead to running out of inodes on server systems. Mickey removed the tracking of old diffs because we had no need for it.
Pull Request info
"Submitted by" ,"[reyjrar](https://github.com/reyjrar) " "Full Pull Request","[ossec/ossec-hids#44]"" "Merged TimeStamp","2014-02-17 15:44:44" "Create TimeStamp","2014-02-15 12:52:50"
> Will require an update to the documentation as the filename is appended to the argument list for AR events with filename attributes in the eventinfo struct. > Includes a test for the os_shell_escape() function that's been added to string_op.c >
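The escaping matters because a syscheck filename is attacker-influenced data: whoever can create a file on a monitored host chooses the bytes that land on an active-response command line. The project's os_shell_escape() is not shown on this page; what follows is an added example, not OSSEC code, of the check a practitioner would want here. The hypothetical ar_shell_escape() backslash-escapes an assumed set of POSIX shell metacharacters and refuses control bytes and oversized output; a naive command builder sits beside the safe one, and a deliberately simplified word counter makes the difference visible. The script path and filenames are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Bytes a POSIX shell treats specially when unquoted. This set is an
 * assumption made for the example, not OSSEC's own list. */
static const char SHELL_META[] = "\"'`\\$;&|<>()[]{}*?#!~ ";

enum { AR_ESC_TOOLONG = -1, AR_ESC_UNSAFE = -2 };

/* Escape `in` so a POSIX shell reads it as one literal word: every byte in
 * SHELL_META gets a leading backslash. Control bytes (below 0x20, or 0x7f)
 * cannot be made safe this way, so they are rejected outright. Returns the
 * escaped length, AR_ESC_TOOLONG if `out` cannot hold the result plus its
 * NUL, or AR_ESC_UNSAFE for a control byte. On any error `out` is emptied,
 * so a caller that ignores the return value still runs nothing dangerous. */
int ar_shell_escape(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    if (out_len == 0) return AR_ESC_TOOLONG;
    out[0] = '\0';
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) { out[0] = '\0'; return AR_ESC_UNSAFE; }
        int special = strchr(SHELL_META, (int)*p) != NULL;
        size_t need = special ? 2 : 1;
        if (o + need + 1 > out_len) { out[0] = '\0'; return AR_ESC_TOOLONG; }
        if (special) out[o++] = '\\';
        out[o++] = (char)*p;
    }
    out[o] = '\0';
    return (int)o;
}

/* The unsafe way: the filename is pasted into the command line as-is. */
int build_ar_command_naive(const char *script, const char *filename,
                           char *cmd, size_t cmd_len)
{
    int w = snprintf(cmd, cmd_len, "%s %s", script, filename);
    return (w < 0 || (size_t)w >= cmd_len) ? AR_ESC_TOOLONG : 0;
}

/* The safe way: escape first, and refuse to build a command at all when
 * escaping fails. Returns 0 on success or the negative ar_shell_escape code. */
int build_ar_command(const char *script, const char *filename,
                     char *cmd, size_t cmd_len)
{
    char esc[1024];
    int n = ar_shell_escape(filename, esc, sizeof esc);
    if (n < 0) { if (cmd_len) cmd[0] = '\0'; return n; }
    int w = snprintf(cmd, cmd_len, "%s %s", script, esc);
    return (w < 0 || (size_t)w >= cmd_len) ? AR_ESC_TOOLONG : 0;
}

/* Deliberately simplified view of how a shell splits cmd into words:
 * unescaped blanks and ; & | separate words, a backslash makes the next byte
 * literal, quotes are not handled. Used only to make the effect visible. */
int shell_word_count(const char *cmd)
{
    int words = 0, in_word = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;
            if (!in_word) { words++; in_word = 1; }
            continue;
        }
        if (*p == ' ' || *p == ';' || *p == '&' || *p == '|') { in_word = 0; continue; }
        if (!in_word) { words++; in_word = 1; }
    }
    return words;
}

int main(void)
{
    /* Constructed inputs: the script path is hypothetical, the filename is
     * what an attacker who can create files on the monitored host might pick. */
    const char *script = "/path/to/ar-script.sh";
    const char *hostile = "/etc/passwd; rm -rf /";
    char naive[256], safe[256];

    build_ar_command_naive(script, hostile, naive, sizeof naive);
    printf("naive:   %s  (%d words)\n", naive, shell_word_count(naive));
    if (build_ar_command(script, hostile, safe, sizeof safe) == 0)
        printf("escaped: %s  (%d words)\n", safe, shell_word_count(safe));
    if (build_ar_command(script, "evil\nname", safe, sizeof safe) == AR_ESC_UNSAFE)
        printf("control byte in filename: active response refused\n");
    return 0;
}
```

Rejecting control bytes rather than escaping them is a design choice: a backslash before a newline is a line continuation to the shell, not a literal newline, so such names cannot be passed safely as a bare word and the active response should simply not run for them.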
Pull Request info
"Submitted by" ,"[joshgarnett](https://github.com/joshgarnett) " "Full Pull Request","[ossec/ossec-hids#43]"" "Merged TimeStamp","2014-02-15 03:32:23" "Create TimeStamp","2014-02-14 15:06:05"
> Added some new sshd rules for 1002 errors I encountered in production.
Pull Request info
"Submitted by" ,"[gaelmuller](https://github.com/gaelmuller) " "Full Pull Request","[ossec/ossec-hids#40]"" "Merged TimeStamp","2014-02-04 15:55:29" "Create TimeStamp","2014-02-04 13:45:31"
> Fixes a bug present in the eventchannel log_format when using bookmarks (only-future-events not set in config file), that results in events not being monitored, with the following error in the log: > > Subscription error: 87 >
-------------------------------------------------------Output unformatted JSON and include the file path for syscheck alerts in ZeroMQ JSON output -------------------------------------------------------
Pull Request info
"Submitted by" ,"[justintime32](https://github.com/justintime32) " "Full Pull Request","[ossec/ossec-hids#38]"" "Merged TimeStamp","2014-02-03 18:27:50" "Create TimeStamp","2014-02-03 18:25:26"
> Unformatted JSON should be used rather than formatted JSON since it would typically be used by other programs and not read directly by users. > > The file path should be included in syscheck alerts so a receiving program doesn't have to scrape it from the log message.
-------------------------------------------------------Removed keepalive message from win_agent.c when not in debug -------------------------------------------------------
Pull Request info
"Submitted by" ,"[awiddersheim](https://github.com/awiddersheim) " "Full Pull Request","[ossec/ossec-hids#35]"" "Merged TimeStamp","2014-02-03 16:46:30" "Create TimeStamp","2014-02-03 15:46:35"
> Seems a bit excessive to have this message in the logs when not in any kind of debug mode. That is what I am observing on some of the windows agents we are running as of right now.
-------------------------------------------------------better install for eventchannel support (now only 1 installer) -------------------------------------------------------
Pull Request info
"Submitted by" ,"[gaelmuller](https://github.com/gaelmuller) " "Full Pull Request","[ossec/ossec-hids#34]"" "Merged TimeStamp","2014-02-03 20:48:37" "Create TimeStamp","2014-02-03 10:41:37"
> This follows this commit: ossec/ossec-hids@75a91043c3d64cd2a7e5dcbb077755bf2aa85760 > > This commit modifies the build process of the Windows installer in order to have only one installer handle two cases: > > - Deploy ossec-agent-eventchannel.exe on Vista or greater > - Deploy ossec-agent.exe otherwise > > The installer packages the two executables and checks Windows version at runtime in order to decide which version of "ossec-agent.exe" should be used.
-------------------------------------------------------Fix debug level message used by NIX daemons to be more clear -------------------------------------------------------
Pull Request info
"Submitted by" ,"[awiddersheim](https://github.com/awiddersheim) " "Full Pull Request","[ossec/ossec-hids#33]"" "Merged TimeStamp","2014-02-02 14:44:14" "Create TimeStamp","2014-02-02 14:16:06"
>
-------------------------------------------------------add eventchannel support for ossec agent on windows vista or greater -------------------------------------------------------
Pull Request info
"Submitted by" ,"[gaelmuller](https://github.com/gaelmuller) " "Full Pull Request","[ossec/ossec-hids#28]"" "Merged TimeStamp","2014-01-31 20:49:36" "Create TimeStamp","2014-01-30 15:49:35"
> This pull request adds a new feature to the windows agent, to be able to monitor "Application and Services Logs" that appeared with Windows Vista. This is not currently possible (OSSEC will read the "Applications" eventlog instead).
>
> Previous discussions on this topic:
> * https://groups.google.com/forum/#!searchin/ossec-list/eventlog/ossec-list/9AhapIAjMOk/SFRzG38XAQ4J
> * https://groups.google.com/forum/#!msg/ossec-list/C9jmVkAmiRg/_3zj0Fw_v_EJ
>
> For example, we can now monitor the "Microsoft-Windows-PrintService/Operational" eventlog with this config:
>
> ```xml
> <localfile>
>   <location>Microsoft-Windows-PrintService/Operational</location>
>   <log_format>eventchannel</log_format>
> </localfile>
> ```
>
> By default, OSSEC will keep track of where it was before stopping, which means that it will read (at start time) all events that occurred between stop and start in order not to miss any event. However, you can cancel this behaviour with the "only-future-events" parameter:
>
> ```xml
> <localfile>
>   <location>Microsoft-Windows-PrintService/Operational</location>
>   <log_format>eventchannel</log_format>
>   <only-future-events>yes</only-future-events>
> </localfile>
> ```
>
> You can also use an XPATH query if you are not interested in all the events (see the event schema to construct queries: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201%28v=vs.85%29.aspx):
>
> ```xml
> <localfile>
>   <location>System</location>
>   <log_format>eventchannel</log_format>
>   <only-future-events>yes</only-future-events>
>   <query>Event/System[EventID=7040]</query>
> </localfile>
> ```
>
> With this config, OSSEC will only receive events from the "System" eventlog that have an event ID equal to 7040.
>
> Few things to note:
> * When changing the configuration, you should delete saved bookmarks (in the "bookmarks" directory) if you want to avoid unwanted behaviour (getting too much eventlog history on start)
> * This relies on relatively new APIs available on Windows Vista or greater. This has two implications:
>   * We cannot use mingw32 to compile anymore, because it is missing these APIs. That is why this PR uses mingw-w64 (which explains a few changes in this PR not related to the added feature).
>   * We now have to generate two distinct installers: "ossec-win32-agent.exe" and "ossec-win32-agent-with-eventchannel.exe" because the new one cannot be used on systems older than Vista. We could have only one if we dropped compatibility with older systems (such as Windows XP). This is obviously not wanted at this time.
>
> Note: replaces PR 27 (contained too many commits for an unknown reason ...)
-------------------------------------------------------Validate if a file is readable text when report_changes is set -------------------------------------------------------
Pull Request info
"Submitted by" ,"[northox](https://github.com/northox) " "Full Pull Request","[ossec/ossec-hids#25]"" "Merged TimeStamp","2014-01-30 14:38:15" "Create TimeStamp","2014-01-30 03:51:45"
> Syscheckd will save (in <ossec>/queue/diff/) any file with report_changes > option, e.g. /chroot/dev/urandom (yes it really happened to me), iso, mp3. This patch integrates libmagic > to validate mime type. Only mime type beginning with 'text/', e.g. text/html, > text/plain, will be copied and reported by diff. > > This should pave the way for binary diff. ;) > > Reviewers: I'm not quite sure about the build process (e.g. MEXTRA, MAGICCMD) so please advise.
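The PR above integrates libmagic; its code is not on this page. Below is an added example, not OSSEC's, of the gate a practitioner would put in front of report_changes. A hand-written heuristic (no NUL or other control bytes, printable ASCII or well-formed UTF-8 in the first 4 KiB) stands in for libmagic's text/ check so that it needs no extra library. Before any content is read it refuses anything that is not a regular file, so a device node like /chroot/dev/urandom is never opened for reading, and it caps the size it is willing to copy. MAX_DIFF_BYTES and SNIFF_BYTES are assumed values, not OSSEC settings, and the paths in main() are just illustrative.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed limits for the example, not OSSEC settings: the largest file worth
 * copying into queue/diff, and how much of it to sniff for the text check. */
#define MAX_DIFF_BYTES (1024 * 1024)
#define SNIFF_BYTES 4096

/* Heuristic stand-in for libmagic's "text/" test. Returns 1 when every byte
 * of buf is printable ASCII, ordinary whitespace, or part of a well-formed
 * UTF-8 sequence; any NUL or other control byte makes it 0. A multibyte
 * sequence cut off by the end of the buffer is accepted, since the buffer is
 * only a window onto the file. */
int looks_like_text(const unsigned char *buf, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = buf[i];
        if (c < 0x80) {
            int ok = (c >= 0x20 && c != 0x7f) || c == '\n' || c == '\r' ||
                     c == '\t' || c == '\f';
            if (!ok) return 0;
            i++;
            continue;
        }
        size_t len;
        if ((c & 0xE0) == 0xC0) len = 2;
        else if ((c & 0xF0) == 0xE0) len = 3;
        else if ((c & 0xF8) == 0xF0) len = 4;
        else return 0;                        /* stray continuation or invalid lead byte */
        for (size_t k = 1; k < len; k++) {
            if (i + k >= n) return 1;         /* sequence runs past the sniff window */
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
        }
        i += len;
    }
    return 1;
}

/* Decides whether syscheck may take a copy of `path` for later diffing.
 * Refuses anything that is not a regular file (a device node such as
 * /chroot/dev/urandom is never even opened), files larger than MAX_DIFF_BYTES,
 * and files whose first SNIFF_BYTES do not look like text. The stat() result
 * is re-checked on the open descriptor because the path can be swapped
 * between the two calls. Returns 1 when copying is allowed, 0 otherwise. */
int diffable_text_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_size > MAX_DIFF_BYTES) return 0;

    int fd = open(path, O_RDONLY | O_NONBLOCK);   /* O_NONBLOCK: never hang on a FIFO */
    if (fd < 0) return 0;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > MAX_DIFF_BYTES) {
        close(fd);
        return 0;
    }
    unsigned char buf[SNIFF_BYTES];
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    if (n < 0) return 0;
    if (n == 0) return 1;                         /* empty file: nothing harmful to copy */
    return looks_like_text(buf, (size_t)n);
}

int main(int argc, char **argv)
{
    /* With no arguments, check a few illustrative paths; otherwise check argv. */
    const char *defaults[] = { "/etc/hosts", "/dev/urandom", "/bin/sh" };
    const char **paths = argc > 1 ? (const char **)argv + 1 : defaults;
    int count = argc > 1 ? argc - 1 : 3;
    for (int i = 0; i < count; i++)
        printf("%-16s %s\n", paths[i],
               diffable_text_file(paths[i]) ? "text: diff allowed" : "skipped");
    return 0;
}
```

The order of the checks is the point: type and size are decided from metadata before a single byte is read, the descriptor is re-validated after open() so a path that changed underneath is caught, and only then is content sniffed. Swapping the heuristic for a libmagic call changes just looks_like_text().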
-------------------------------------------------------HandleClient should try to open the m_queue in WRITE mode instead of READ -------------------------------------------------------
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#21]"" "Merged TimeStamp","2014-02-07 16:21:16" "Create TimeStamp","2014-01-29 15:15:54"
> HandleClient does not ever exit after ossec is stopped or restarted > because the call to StartMQ on line 146 is for READ mode instead of > WRITE. When changed to WRITE, the StartMQ call fails and ossec-remoted > exits. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/27/handleclient-should-try-to-open-the/diff
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#20]"" "Merged TimeStamp","2014-02-07 16:20:45" "Create TimeStamp","2014-01-29 15:05:53"
> This patch adds creation of PID files for ossec-remoted children so they get properly killed when the ossec service is stopped or restarted. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/28/create-pid-files-for-ossec-remoted/diff >
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#18]"" "Merged TimeStamp","2014-02-02 02:50:27" "Create TimeStamp","2014-01-29 14:48:32"
> This should allow the user to specify a debug level for the analysisd > daemon using the analysisd.debug option in the internal_options.conf. > The debug level specified on the command line takes precedence. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/38/make-analysisddebug-in/diff
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#17]"" "Merged TimeStamp","2014-02-04 16:01:47" "Create TimeStamp","2014-01-29 14:36:49"
> Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/30/fix-timeout-comment-in-receiver-winc/diff
-------------------------------------------------------Allow NIX agent to use "-f" option and run in foreground -------------------------------------------------------
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#16]"" "Merged TimeStamp","2014-02-13 06:47:00" "Create TimeStamp","2014-01-29 14:32:30"
> While this works I'm not sure I fully understand how it affects this code when the agent is actually run in the foreground: > > srandom( time(0) + getpid()+ pid + getppid()); > > My guess is this is why the foreground option was never implemented for this daemon in the first place. Seems like the random stuff is only used with keep_alive messages and might not be that big of a deal but I'd appreciate someone double checking. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/35/allow-nix-agent-to-use-f-option-and-run-in/diff >
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#14]"" "Merged TimeStamp","2014-02-02 03:02:44" "Create TimeStamp","2014-01-29 14:02:07"
> This should allow the user to specify a debug level for the syscheck > daemon on NIX machines using the syscheck.debug option in the > internal_options.conf. The debug level specified on the command line > takes precedence. Also, added starting up messages to match what some of > the daemons do. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/34/make-syscheckdebug-in-internal_optionsconf/diff
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#13]"" "Merged TimeStamp","2014-02-02 02:53:43" "Create TimeStamp","2014-01-29 13:51:34"
> Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/31/fixed-agentdebug-option-in/diff
-------------------------------------------------------Made the command line debug level take precedence over what is specified -------------------------------------------------------
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#12]"" "Merged TimeStamp","2014-01-30 14:19:42" "Create TimeStamp","2014-01-29 13:43:00"
> in internal_options.conf. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/33/fixed-logcollectordebug-option-in/diff
-------------------------------------------------------Fix the removal of start menu shortcuts for windows agent -------------------------------------------------------
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#11]"" "Merged TimeStamp","2014-02-13 06:42:14" "Create TimeStamp","2014-01-29 13:37:48"
> Refer to > http://nsis.sourceforge.net/Shortcuts_removal_fails_on_Windows_Vista. > This fixes issues on machines that run Vista or newer. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/24/fix-the-removal-of-start-menu-shortcuts/diff
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#9]"" "Merged TimeStamp","2014-02-07 16:23:50" "Create TimeStamp","2014-01-29 05:14:31"
> Updated read_win_el.c to include TimeGenerated from an EVENTLOGRECORD > formatted into a human readable format for better logging. Also updated > the decoder to handle this change. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/23/add-timegenerated-to-the-output-of-windows/diff
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#8]"" "Merged TimeStamp","2014-02-07 17:27:43" "Create TimeStamp","2014-01-29 05:09:29"
> Original Pull Request https://bitbucket.org/jbcheng/ossec-hids/pull-request/22/add-remove-agent-cmd-line-option-to/diff > >
-------------------------------------------------------Fix potential infinite loop when adding new agent using file input -------------------------------------------------------
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#7]"" "Merged TimeStamp","2014-02-07 17:26:50" "Create TimeStamp","2014-01-29 05:03:04"
> When adding a new agent using the -f option provided by manage_agents > there is a possibility that it loops infinitely if you have used up all > of the potential IDs. It will say that the ID needs to be unique since > the last ID checked is already in use. This commit adds a new message > stating the problem and prevents the infinite loop. It also increases > the amount of IDs manage_agents will look at when adding new agents both > in the interactive mode and when using the -f option. > > Original pull request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/21/fix-potential-infinite-loop-when-adding
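manage_agents' own allocation loop is not on this page. The following is an added example, not OSSEC code, of an ID allocator written so that the search is bounded by the size of the ID space and reports exhaustion instead of spinning. id_in_use() is a constructed stand-in for the client.keys lookup, the ID range is a parameter rather than OSSEC's real limit, and add_agent() shows both the -f style request for a specific ID and the automatic pick.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define AGENT_ID_MIN 1

/* Constructed stand-in for the client.keys lookup: true when id is taken. */
bool id_in_use(int id, const int *used, size_t n_used)
{
    for (size_t i = 0; i < n_used; i++)
        if (used[i] == id) return true;
    return false;
}

/* First free ID in [AGENT_ID_MIN, max_id], searching from `start` and wrapping
 * around once. The loop runs at most max_id - AGENT_ID_MIN + 1 times, so it
 * terminates even when every ID is taken; it then returns -1 and the caller
 * must report exhaustion rather than try again. */
int next_free_agent_id(int start, int max_id, const int *used, size_t n_used)
{
    if (max_id < AGENT_ID_MIN) return -1;
    if (start < AGENT_ID_MIN || start > max_id) start = AGENT_ID_MIN;
    int span = max_id - AGENT_ID_MIN + 1;
    for (int k = 0; k < span; k++) {
        int id = AGENT_ID_MIN + (start - AGENT_ID_MIN + k) % span;
        if (!id_in_use(id, used, n_used)) return id;
    }
    return -1;
}

enum add_result { ADD_OK, ADD_ID_INVALID, ADD_ID_IN_USE, ADD_IDS_EXHAUSTED };

/* Registers one agent in the in-memory `used` table (capacity `cap`).
 * requested_id > 0 is the explicit request an input file may carry; 0 asks
 * for the next free ID after the most recently added one. Stores the chosen
 * ID in *out_id on success. */
enum add_result add_agent(int requested_id, int max_id, int *used,
                          size_t *n_used, size_t cap, int *out_id)
{
    int id;
    if (requested_id > 0) {
        if (requested_id > max_id) return ADD_ID_INVALID;
        if (id_in_use(requested_id, used, *n_used)) return ADD_ID_IN_USE;
        id = requested_id;
    } else {
        int start = *n_used ? used[*n_used - 1] + 1 : AGENT_ID_MIN;
        id = next_free_agent_id(start, max_id, used, *n_used);
        if (id < 0) return ADD_IDS_EXHAUSTED;
    }
    if (*n_used >= cap) return ADD_IDS_EXHAUSTED;
    used[(*n_used)++] = id;
    *out_id = id;
    return ADD_OK;
}

int main(void)
{
    /* Constructed: a four-ID space so exhaustion is reached quickly. */
    enum { MAX_ID = 4 };
    int used[MAX_ID];
    size_t n = 0;
    int requests[] = { 0, 3, 3, 0, 0, 0 };      /* 0 = "choose for me" */
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int id;
        switch (add_agent(requests[i], MAX_ID, used, &n, MAX_ID, &id)) {
        case ADD_OK:            printf("request %d -> agent %03d added\n", requests[i], id); break;
        case ADD_ID_INVALID:    printf("request %d -> ID out of range\n", requests[i]); break;
        case ADD_ID_IN_USE:     printf("request %d -> ID already in use\n", requests[i]); break;
        case ADD_IDS_EXHAUSTED: printf("request %d -> no free agent IDs left\n", requests[i]); break;
        }
    }
    return 0;
}
```

The caller distinguishes "this ID is taken" from "no ID is free" because only the first is worth retrying with different input; treating both as a retryable uniqueness error is exactly what produces an unbounded loop.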
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#6]"" "Merged TimeStamp","2014-01-30 14:15:37" "Create TimeStamp","2014-01-29 04:46:18"
> Current version of OSSEC's windows agent ignores every <config-profile> in its configuration. This PR corrects this bug so that config profiles also work on windows. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/20/agent_config-profiles-for-windows/diff
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#4]"" "Merged TimeStamp","2014-01-31 21:14:22" "Create TimeStamp","2014-01-29 04:38:37"
> I was having problems with ossec-authd (SSL Accept error + SSL Read error). This was due to incorrect error handling for these two operations in the context of non blocking sockets (which is the case for the ossec-authd server). > > I don't know why I seem to be the only one to experience this issue (maybe my LAN is particularly slow ... :/) > The diff contains a lot of noise because I removed an if/else construct, and then reindented a big block of code. > > Original Pull Request: https://bitbucket.org/jbcheng/ossec-hids/pull-request/26/fix-openssl-operations-on-non-blocking/diff > > @gaelmuller > >
Pull Request info
"Submitted by" ,"[jrossi](https://github.com/jrossi) " "Full Pull Request","[ossec/ossec-hids#2]"" "Merged TimeStamp","2014-02-01 01:06:37" "Create TimeStamp","2014-01-25 18:33:56"
> This is a complete patch that will allow the outputting of all alerts to a zeromq PUB socket in JSON format.
>
> New Config:
>
> ```xml
> <ossec>
>   <global>
>     <zeromq_output>yes|no</zeromq_output>
>     <zeromq_uri>tcp://localhost:11111</zeromq_uri>
> ```
>
> Some things had to change to allow this to work. Based on the preprocessor defines:
> - WINDOWS was redefined by OSSEC and is used by GCC; changed the define to DECODER_WINDOWS
> - __name was redefined by OSSEC and is used by GCC; changed the define to be __ossec_name