ossec-hids v3.3.0 releases: Open Source Host-based Intrusion Detection System


OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM together in a simple, powerful and open source solution. It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.




OSSEC watches it all, actively monitoring all aspects of system activity with file integrity monitoring, log monitoring, rootcheck, and process monitoring. With OSSEC you won’t be in the dark about what is happening to your valuable computer system assets.


When attacks happen OSSEC lets you know through alert logs and email alerts sent to you and your IT staff so you can take quick actions. It also exports alerts to any SIEM system via syslog so you can get real-time analytics and insights into your system security events.


Got a variety of operating systems to support and protect? OSSEC has you covered with comprehensive host-based intrusion detection across multiple platforms including Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX.
Changelog v3.3.0

Whats New

  • (@jubois) – PCRE2 regular expression support – PR#1652
  • (@atomicturtle) – ossec-analysisd, Dynamic decoder support. Original: Vikman Fdez-Castro – PR#1678
  • (@ddpbsd) – ossec-execd, Switch “white lists” to “allow lists” – PR#1687

New Rules / Decoders

  • (@Bob-Andrews) – rootcheck, update for NullSessionShares – PR#1669
  • (@Bob-Andrews) – topleveldomainrules.xml, Shady TLD web traffic detection – PR#1671
  • (@Bob-Andrews) – last_rootlogin_rules.xml, Sensitive login detection – PR#1671
  • (@Bob-Andrews) – unbound_rules.xml, added rule for maybe critical TLD request – PR#1672
  • (@Bob-Andrews) – rootcheck, Deleted repeating rules – PR#1674
  • (@ddpbsd) – Update info links in Windows rules – PR#1675
  • (@aquerubin) – Added decoder for pam_succeed_if – PR#1684


  • (@MangyCoyote) – ossec-analysisd, support Syslog ISO timestamp events with optional fraction of second – PR#1664
  • (@ddpbsd) – Fix compilation with PCRE2_SYSTEM=yes – PR#1666
  • (@aquerubin) – ossec-batch-manager.pl, update regexp for ipv6 addresses – PR#1667
  • (@mephesto1337) – Fix part of issue#1663, compiling with PCRE2_SYSTEM=yes – PR#1677
  • (@ddpbsd) – active-response, Fix for issue#1647, log disable-account.sh to the correct location – PR#1683
  • (@aquerubin) – Copy resolv.conf on build event – PR#1685
  • (@almirb) – active-response, Corrected the way active-response logs are generated on windows – PR#1689
  • (@atomicturtle) – ossec-execd, Expose filename variable in AR add/delete events – PR#1695

Copyright (C) 2018 Trend Micro Inc