Today we are pleased to announce the release of Wazuh v2.1.0. We have added new features and fixed several bugs.

You can find all the details in our release notes and changelog file. Additionally, here is a brief explanation of the new features:

Agent anti flood protection

Agents now include a mechanism to control event floods, avoiding outages, dropped events, or degraded network performance. We have seen in the past that, without any throughput control, an agent could end up collecting and sending an incredibly high number of events per second (EPS), leading to unexpected outages or other undesired situations.

For example, if an agent is reading noisy firewall logs, or it is doing real-time monitoring of files that are continuously changing, it will end up generating a high number of events per second (EPS). In a scenario with multiple agents in this state, both the network bandwidth and the manager’s ability to process all the received data can be impacted.

For this reason, at the agent level, events are now processed through a “leaky bucket” before being sent to the manager. This controls event floods and anomalous event rates, avoiding outages or losing data.

The agent now implements a configurable queue and EPS threshold (the default threshold is 500 EPS). The following graphic shows how the “leaky bucket” behaves when facing an event flood.

Figure: graph showing how the leaky bucket works and the different alerts over time.
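The following is an added Python model of the agent-side leaky bucket described above (example code written for this post, not Wazuh's own implementation). The 500 EPS leak rate is the default named above; the queue capacity, the per-second batch processing and the event naming are constructed assumptions used to make the model runnable.

```python
from collections import deque

EPS_THRESHOLD = 500      # default leak rate from the release notes (events per second)
QUEUE_CAPACITY = 5000    # constructed value: the real agent's queue size is configurable


class LeakyBucket:
    """Events enter a bounded queue and are drained toward the manager at a
    fixed rate. A burst above that rate fills the queue; once the queue is
    full, further events are dropped instead of flooding the network."""

    def __init__(self, eps=EPS_THRESHOLD, capacity=QUEUE_CAPACITY):
        self.eps = eps
        self.capacity = capacity
        self.queue = deque()
        self.sent = 0
        self.dropped = 0

    def offer(self, event):
        """Enqueue one event; returns False (and counts a drop) when full."""
        if len(self.queue) >= self.capacity:
            self.dropped += 1
            return False
        self.queue.append(event)
        return True

    def tick(self, seconds=1.0):
        """Leak at most eps * seconds events; returns how many were sent."""
        budget = int(self.eps * seconds)
        sent_now = 0
        while self.queue and sent_now < budget:
            self.queue.popleft()
            sent_now += 1
        self.sent += sent_now
        return sent_now


def simulate(rates, eps=EPS_THRESHOLD, capacity=QUEUE_CAPACITY):
    """rates: events generated per second, one entry per simulated second.
    Each second all generated events are offered, then one second is leaked.
    Returns (sent, dropped, backlog) after the last second."""
    bucket = LeakyBucket(eps, capacity)
    for second, rate in enumerate(rates):
        for i in range(rate):
            bucket.offer(f"s{second}-e{i}")   # constructed event id
        bucket.tick()
    return bucket.sent, bucket.dropped, len(bucket.queue)
```

A steady 100 EPS source is forwarded untouched, a short burst is absorbed by the queue and drained over the following seconds, and only a burst larger than the queue results in dropped events.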

Event labels

We can now configure the agent to use labels as a way to tag events, which helps build a taxonomy when searching or analyzing data. This feature is very useful as a way to add metadata to our collected events.

For example, suppose our servers are deployed in Amazon AWS and we want to include the instance id, the security group, the IP address and the MAC address as part of the events collected by the agent. We just need to define the following labels in the agent configuration file:

  <labels>
    <label key="aws.instance-id">i-052a1838c</label>
    <label key="aws.sec-group">sg-1103</label>
    <label key="network.ip">172.17.0.0</label>
    <label key="network.mac">02:42:ac:11:00:02</label>
    <label key="installation" hidden="yes">January 1st, 2017</label>
  </labels>

This way, when an alert is fired (as a result of processing events through the analysis rules), the label information is added to it as additional metadata:

{
  "timestamp": "2017-03-07T13:31:41-0800",
  "rule": {
    "level": 7,
    "description": "Integrity checksum changed.",
    "id": "550",
    "firedtimes": 1,
    "groups": [
      "ossec",
      "syscheck"
    ],
    "pci_dss": [
      "11.5"
    ]
  },
  "agent": {
    "id": "001",
    "name": "92603de31548",
    "ip": "192.168.66.1",
    "labels": {
      "aws": {
        "instance-id": "i-052a1838c",
        "sec-group": "sg-1103"
      },
      "network": {
        "ip": "172.17.0.0",
        "mac": "02:42:ac:11:00:02"
      }
    }
  },
  "manager": {
    "name": "ubuntu"
  },
  "full_log": "Integrity checksum changed for: '/var/ossec/etc/ossec.conf' Size changed from '3663' to '3664' Old md5sum was: '98b351df146410f174a967d726f9965e' New md5sum is : '7f4f5846dcaa0013a91bd6d3ac4a1915' Old sha1sum was: 'c6368b866a835b15baf20976ae5ea7ea2788a30e' New sha1sum is : 'c959321244bdcec824ff0a32cad6d4f1246f53e9'",
  "syscheck": {
    "path": "/var/ossec/etc/ossec.conf",
    "size_before": "3663",
    "size_after": "3664",
    "perm_after": "100640",
    "uid_after": "0",
    "gid_after": "999",
    "md5_before": "98b351df146410f174a967d726f9965e",
    "md5_after": "7f4f5846dcaa0013a91bd6d3ac4a1915",
    "sha1_before": "c6368b866a835b15baf20976ae5ea7ea2788a30e",
    "sha1_after": "c959321244bdcec824ff0a32cad6d4f1246f53e9",
    "event": "modified"
  },
  "decoder": {
    "name": "syscheck_integrity_changed"
  },
  "location": "syscheck"
}
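To make the mapping between the configuration and the alert explicit, here is an added Python example (not Wazuh's own code) that parses a <labels> block and nests the dotted keys the way the alert above shows them. The sample XML is constructed from the configuration above; that a label marked hidden="yes" is left out of the alert is inferred from the alert above, which carries no "installation" label.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <labels> block from the agent configuration.
SAMPLE_LABELS_XML = """
<labels>
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <label key="installation" hidden="yes">January 1st, 2017</label>
</labels>
"""


def parse_labels(xml_text):
    """Return a list of (key, value, hidden) tuples from a <labels> block."""
    root = ET.fromstring(xml_text)
    labels = []
    for label in root.findall("label"):
        key = label.get("key")
        if not key:
            raise ValueError("label element without a key attribute")
        hidden = label.get("hidden", "no").strip().lower() == "yes"
        labels.append((key, (label.text or "").strip(), hidden))
    return labels


def build_alert_labels(labels, include_hidden=False):
    """Nest dotted keys ("aws.instance-id") into the dict shape used in the
    alert's agent.labels field. Hidden labels are skipped unless requested."""
    nested = {}
    for key, value, hidden in labels:
        if hidden and not include_hidden:
            continue
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"label key {key!r} conflicts with an existing leaf")
        node[parts[-1]] = value
    return nested
```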

Registration service (ossec-authd) is now another manager daemon

The registration service for Wazuh agents (ossec-authd) has now been fully integrated as another manager daemon. It is fully compatible with the RESTful API, which calls it to register new agents. It can be enabled and configured in the manager configuration file “/var/ossec/etc/ossec.conf”:

  <!-- Configuration for ossec-authd. To enable this service, run: ossec-control enable auth -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>no</force_insert>
    <force_time>0</force_time>
    <purge>no</purge>
    <use_password>no</use_password>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

Other new features

  • “ossec.log” file now supports JSON.
  • Improved the performance of “rootcheck” (the module used to detect rootkits and anomalies).
  • Added active responses for Windows 2012.

We would like to thank our developers, contributors, and users. We are looking forward to your feedback, so please don’t hesitate to post on our mailing list if you have any questions about Wazuh v2.1.0. You can also join our #community Slack channel or let us know what you think on Twitter (@wazuh).