Development
Plesk 9.5.1 Repo
Written by Scott Shinn   
Thursday, 15 April 2010 07:35

The Plesk 9.5.1 repo is now live. The changes made to the infrastructure over the last few months should make this largely transparent to anyone using the newer plesk.repo & mirrorlist format pushed out before December. This allows that part of the configuration to be managed from the server rather than the client. You shouldn't have to do anything more than run "yum upgrade" or, worst case, clear out your cache first with "yum clean all".

 

If you do not see these updates, then just run the plesk repo installer again with:

 

wget -q -O - http://www.atomicorp.com/installers/plesk |sh

 

Plesk 9.5.1 Changelog:

1.[+] PCI Compliance: Parallels Plesk Panel can be made compliant with the Payment Card Industry Data Security Standard. This can be achieved by running a special PCI compliance resolver utility and additional tuning of system components, as described in the document Achieving PCI Compliance for Servers Managed by Parallels Plesk Panel 9.5. The document is available at http://www.parallels.com/products/plesk ... /index.htm.
2.[+] Compatibility with Microsoft Internet Explorer 8: Parallels Plesk Panel is now compatible with Microsoft Internet Explorer 8.
3.[+] CloudLinux support: Parallels Plesk Panel can now work under CloudLinux operating system.
4.[+] Google Services for Websites support (beta): Parallels Plesk Panel 9.5 can now be easily integrated with Google Services for Websites. To learn more, refer to Parallels Plesk Panel 9.5 Administrator's Guide at http://download1.parallels.com/Plesk/PP ... /64635.htm.
5.[+] Upgraded components: ProFTPD was upgraded to the version 1.3.2b, phpMyAdmin to the version 2.9.11, and Horde Application Framework to the version 3.3.6.
6.[+] More virtualization solutions supported: Parallels Plesk Panel 9.5 can operate in virtual environments created by the following virtualization solutions: Parallels Virtuozzo Containers, Microsoft Hyper-V, Xen, and VMWare. There are special licensing options for Parallels Panel software operating inside virtual environments. For more information about licensing options, contact your vendor or call Parallels sales team. The phone numbers are listed at http://www.parallels.com/contact/.
7.[-] Migration of websites from Plesk Control Panel 7.5.4 to Parallels Plesk Panel 9.2.1 failed if the SpamAssassin spam filter was configured to remove spam e-mail - issue resolved.
8.[-] A number of security issues were identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it - these issues were resolved.
9.[-] Cross-site scripting vulnerability was eliminated.
10.[-] ProFTPD 1.3.1 was prone to a security vulnerability that allowed attackers to perform cross-site request forgery types of attacks - to resolve this issue, ProFTPD was upgraded to the version 1.3.2b.
11.[-] If temporary directory on the server was full, FTP network error occurred on attempt to move a file from an FTP storage to the server repository - issue resolved.
12.[-] Migration failed if the /tmp file system was full - issue resolved. Now you can specify any other location for the temporary directory.
13.[-] If, in Parallels Plesk Panel, there is a domain with the same name as server's hostname, then a message sent to postmaster@$HOSTNAME is bounced back - issue resolved.
14.[-] During upgrade, the default client and domain template values were reset - issue resolved.
15.[-] Plesk 8.x key was not updated automatically to 9.x during product upgrade - issue resolved.
16.[-] After upgrade, var/qmail/control/me file contained only the hostname - issue resolved.
17.[-] Scheduled security scanning by Watchdog (System Monitoring) Module could not start - issue resolved.
18.[-] Postfix mail server occasionally failed to deliver some e-mail messages with the "Unprocessed command" errors - issue resolved.
19.[-] SpamAssassin spam filter incorrectly classified most of the messages delivered in the year 2010 as spam - issue resolved.
20.[-] After upgrading Parallels Plesk Panel from versions 8.x to 9.x, scheduled backups could stop working - issue resolved.
21.[-] Horde webmail did not open properly in Internet Explorer 8 - issue resolved.
22.[-] Web statistics were not calculated properly when the piped logs feature was switched on - issue resolved.
23.[-] The Watchdog (System Monitoring) Module showed security warnings (false positives) due to incorrect default configuration - issue resolved.

 

 
Atomic Accelerator - 0.1 (a prototype)
Written by Scott Shinn   
Friday, 19 March 2010 19:10

The first prototype for our HTTP acceleration project is out and about in the [asl-2.0-testing] channel. This is an attempt at building acceleration tech into apache using one of the more popular open source packages called nginx. So far the results have been promising, but not conclusive. One test showed a simple PHP based "Hello World" application increasing performance significantly. I'd like to tell you how much... but it's such a big change I refuse to publicly say it. :P Something in my testing methodology was wrong... because a more complex test using a wiki application showed marginal improvement over not having it (granted... apache 2.2 vs apache 2.0). 5-7% at the most... still the research is early, and the integration issues are huge so we've all agreed that the data is compelling enough to keep going.

 

If you'd like to give this a shot, it's currently designed to drop into a Plesk 9.3 or above environment with no configuration required:

 

yum --enablerepo=asl-2.0-testing install atomic-accelerator

 

and to remove it:

 

yum remove atomic-accelerator

 

 
[asl-2.0-testing] Clamav 0.96
Written by Scott Shinn   
Tuesday, 16 March 2010 11:09

Our internal naming convention will show this package as clamav-0.96-0.1. The "rc1" tag is dropped from the version field to make upgrades to later versions seamless. (Wow... really long changelog!)

Changelog:
* win32/platform.h: make sleep() wait seconds rather than ms (bb#1866)
* clamd/scanner.c: fix logg output, patch from Mark Pizzolato
* libclamav: don't cache clean results due to EMAX - final fix for bb#1856
* libclamav: fix scanning of utf16 data (bb#1853)
* libclamav/matcher-bm.c: properly handle scan boundaries in
offset mode (bb#1840)
* libclamav: fix cl_cvdparse() leak (bb#1859)
* libclamav/matcher-bm.c: fix array check (bb#1840)
* libclamav/scanners.c: set container type in cli_scanraw() (bb#1842)
* libclamav/matcher-bm.c: only sort correct offsets (bb#1840)
* docs: update signatures.pdf
* libclamav/cvd.c: enable new dsig check for main db
* freshclam/manager.c: handle empty cdiffs more gently
* libclamav: refactor checkfp logic
* libclamav: refactor binhex processor with one pass decoder (bb#1236)
* libclamav: add cl_countsigs() (bb#1473)
* clamav-milter: allow SkipAuthenticated to read names from a file
(bb#1684)
* libclamav/scanners.c: fix gzip handler
* libclamav: prefix all engine detections with "Heuristics." (bb#1808)
(also change Phishing.Heuristics.* -> Heuristics.Phishing.*)
* libclamav: drop support for type 8 signatures. disasm matching is now
done via bytecode
* freshclam, sigtool: use zlib's Z_FILTERED strategy
Thanks to Edwin
* clamd/server-th.c: reset the selfcheck timeout even if we reload
by other means (bb#1812)
* clamd: new options LocalSocketMode and LocalSocketGroup
* clamav-milter: new options MilterSocketMode and MilterSocketGroup
(bb#1789)
* clamscan: properly report errors from libclamav; simplify
error codes
* clamdscan: fix error logic once again
* win32: workaround HUP reset in poll, set stdin to binary mode
* freshclam: new option Bytecode
* sigtool: add support for bytecode.cvd
* win32: clamdscan added
* win32: clamd (sort of) works
* libclamav: provide information about lsig matches to bytecode (bb#1799)
* libclamav: provide offset in cli_ac_result (bb#1799)
* win32: automatically check and regenerate vcprojs,
drop support and tblgen from llvm as these are now prebuilt and
shipped
* libclamav: handle digitally signed .info files
* libclamav: fix shifts >= width (bb#1778)
* sigtool: create digitally signed .info files
* libclamav/pe.c: fix handling of 15h byte skew in upx-lzma (bb#1591)
* libclamav: check .info files while loading CVD/CLD
* clamdscan/proto.c: don't stop scanning if a file is not found (bb#1760)
* clamscan/manager.c: use unsigned fsize (bb#1788)
* libclamav: cache negative matches
* libclamav: cdb: drop FileType; cover ARJ, CAB, TAR, CPIO and 7Z
* libclamav/readdb.c: fix compatibility issue with .zmd sigs (bb#1793)
* libclamav: allow lsigs be anchored to specific containers (bb#1293),
eg. Container:CL_TYPE_ZIP
* libclamav/readdb.c: when some lsig's attribute is unknown ignore the
entire signature and not the attribute itself
* libclamav: handle zmd/rmd with cdb (bb#1579)
* libclamav: base code for unified container metadata matcher (bb#1579)
* libclamav/readdb.c: force VI anchored sigs into AC
* libclamav: merge PE VersionInformation matcher
* libclamav: fix error reporting for BinHex files (bb#1685)
* libclamav: add support for FileSize, EntryPoint and NumberOfSections in
lsig's tdb
* sigtool/sigtool.c: handle lsigs created by the bytecode compiler
* sigtool/sigtool.c: properly handle anchored sigs (bb#1780)
* libclamav/fmap.h: fix build on FreeBSD and Mac OS X (bb #1776). Thanks to
Renato Botelho.
* libclamav/unzip.c: do not mark embedded zipfiles as
encrypted.zip (bb#1768)
* clamd/server-th.c: remove c++ comment (bb#1751)
* libclamav/c++, win32: win32 compile system for llvm refactored
* libclamav: integrate ldb sigs with icon matcher
* sigtool: fix some messages (bb#1777)
* man/freshclam.conf.5: describe SafeBrowsing (bb#1772)
* man/clamd.8: add info about signals
* libclamav: merge icon extraction and matching branch(exeicons)
* freshclam/manager.c: improve handling of problematic mirrors (bb#1758)
* libclamav/qsort.c: fix CMP1 macro (bb#1769)
* libclamav/readdb.c: make sure static sigs with floating chars go into AC
* libclamav/scanners.c: print inflateinit2 return code
* clamd/server-th.c: enable more than 256 FD support on Solaris (bb #1764).
* sigtool/sigtool.c: handle .ign2 files (bb#1625)
* libclamav/qsort.c: don't call med3 when using internal cmp
* libclamav: add qsort to the win32 build
* libclamav: replace qsort implementation and optimize its common
usage (bb#1721)
(bb#1743)
* freshclam/notify.c: fix clamd notification in TCP mode (bb#1756)
* doc/man/clamav-milter.8.in: fix typo
reported by Thomas Harold <thomas * betasearch.com>
* libclamav/tnef.c: don't use fgetc (bb#1695)
* freshclam: add support for DetectionStatsHostID (bb#1503)
* libclamav, freshclam: fix handling of dbs when both daily.cvd and daily.cld
are present in the db directory and ScriptedUpdates
are turned off (bb#1739)
* libclamav/readdb.c: return error if lsig contains redundant subsigs
* win32: improve build system
* win32: add resources
* win32: fix warnings
* configure, m4/acinclude.m4: Avoid trailing slash in libdir for old gcc (#1738).
* win32/3rdparty/pthreads: upgrade to CVS HEAD
* win32: don't use . or .. in UNC names
* clamd/thrmgr.c: use a double instead of integer to avoid negative time (bb #1731).
* libclamav/filetypes_int.h: sync with daily.ftm
* clamdscan: improve error handling (bb#1729)
* clamdscan, libclamav, clamdtop, freshclam, sigtool: fix some error path
leaks (bb#1730)
* libclamav/scanners.c: drop hardcoded offset limits for embedded objs (bb#1664)
* libclamav/others.c: call srand() already in cli_init() (bb#1728)
* clamdscan/proto.c: handle recv() == 0 (bb#1717)
* libclamav/mpool.c: increase max pool to 8M to allow loading huge custom dbs
* clamd/scanner.c, libclamav/others_common.c: fix error path leak (bb #1711)
* libclamav/unarj: fix error path leaks and valgrind warnings
* win32: introduce safe_open() (sic!)
* shared, win32: make hardcoded paths relocable in win32 builds
* win32: add clamconf
* win32: glob() complete
* win32: glob() before main (WIP)
* win32: stat added, dirent updated
* clamdscan: fix some output msgs (bb#1716)
* win32: res_query compatible interface
* win32: add freshclam
* win32: remove stale netcode
* win32: preliminary winsock support files
* win32: unrar support
* win32: clamscan builds (and will scan soon...)
* win32/compat: add POSIX compatible snprintf
* win32: libclamav compiles
* /win32: VC project file and 3rd party stuff
* libclamav: completed merge of fmap4all
* libclamav/matcher-bm.c: don't use mpool (bb#1710, #1715)
* shared/misc.h: #include <sys/types.h>
* libclamav: check file sizes for MD5 sigs in all cases
Reported by Edwin
* libclamav: unify fp checking; output fp signatures in debug mode
* libclamav/scanners.c: fix whitelisting of scripts (bb#1706)
* configure, m4/acinclude.m4: Avoid trailing slash in libdir for old gcc (#1738).
* configure{.in,}: Only use -fno-strict-aliasing for gcc-4.3+ to avoid bugs
with older compilers (bb #1581)
* libclamav/matcher-bm.c: fix cli_bm_freeoff() (bb#1710)
* clamdscan/clamdscan.c: properly init variable (bb#1708)
* clamd, shared: merge a set of win32 patches from
Gianluigi Tiesi <sherpya*netfarm.it>
* libclamav/matcher-ac.c: fix matching of logical sigs (bb#1707)
Reported by Thiyaga <mthiyaga*corp.untd.com>
* libclamav/readdb.c: fix handling of broken .ldb sigs (bb#1701)
Thanks Luca&Edwin
* libclamav: new signature blacklisting format (bb#1625)
* libclamav: allow arbitrary names for .ign/.ign2 files (bb#1683)
* sigtool/vba.c: s/cli_errmsg/logg/
* shared/misc.h: in_addr_t is now already declared
* libclamav/special.c: do not include netinet/in.h on win32
All the patches from Gianluigi Tiesi <sherpya*netfarm.it>
* clamav-milter/clamav.milter.c: remove debug printf
* libclamav/matcher-ac.c: add support for line marker (L) (matches CR,
CRLF and boundaries)
* libclamav/sis.c: size check fix, thanks Tomasz
* fix several problems introduced by the win32 commits
many thanks edwin and sherpya
* libclamav/others_common.c: Accept "/" as an absolute path
* merge a set of win32 patches from Gianluigi Tiesi <sherpya*netfarm.it>
* drop OS/2 "support"
* clamd, libclamav: drop INTERIX "support"
* win32 paths handling
* merge initial set of win32 patches from Gianluigi Tiesi <sherpya*netfarm.it>
* clamav-milter: Add option ReportHostname to mangle the host name in X headers
* libclamav/mpool.c: update frag sizes, small cleanup
* clamd: add support for DazukoFS (bb#1691)
Patch from John Ogness <dazukocode*ogness.net>
* libclamav/matcher-bm.c: use mpool in BM's offset mode
* libclamav/matcher-ac.c: implement word delimiter (B) as requested in bb#1631
* freshclam: return 0 instead of 1 when database is up-to-date (bb#1312)
* clamd/server-th.c: fix possible race condition when restarting clamuko
(bb#1692), patch from John Ogness
* libclamav/matcher-ac.c: initial limited support for word boundary (bb#1631)
* libclamav/matcher-ac.c: alternatives can now be negated: !(aa|bb|cc)
* libclamav/matcher-bm.c: fix uninitialized value warning
* libclamav/scanners.c: properly scan text files with a mail container
* freshclam/mirman.c: make backoff time proportional to FLEVEL (bb#1687)
* libclamav: use BM matcher in offset mode for PE files larger than 256kB
(10% speedup on average; 30-40% for large executables)
* libclamav: in bm_offmode only load sigs with non-floating absolute and
relative offsets into BM matcher (load other ones into AC)
and use per-file computed offset table to pick up best shifts
(not enabled by default, bb#1300)
* libclamav: unify CL_TYPE_MAIL scanning
* libclamav/matcher-ac.c: improve handling of signature offsets
* libclamav: improve handling of PDF files (bb#1682)
* libclamav: handle relative offsets with cli_ac_data; fix offset logic
* libclamav/ishield.c: properly free() header
* build system: upgrade to autoconf 2.64 and automake 1.11 (bb#1528)
* libclamav/matcher-bm.c: micro-optimization
* libclamav/cpio.c: wrap unistd.h, reported by Nigel Horne
* libclamav/7z: convert EOL to unix for compat with suncc
* libclamav: improve handling of signature offsets
* libclamav/7z/Types.h: workaround "Byte" clash in lzma/7z (bb#805 - regression)
* libclamav/7z*: cosmetic fixes
* contrib/test: sync test files
* libclamav: add preliminary 7z support
* clamd, clamscan, libclamav: drop support for MailFollowURLs (bb#1677)
* clamd/clamd.c: ignore SIGHUP and SIGUSR2 during initial setup (bb#1671)
* configure, libclamav: fix compile issues on IRIX (bb#1532)
* libclamav/macho.c: wrap unistd.h, reported by Nigel Horne
* libclamav/readdb.c: make the parser more sensitive to errors in
numerical fields
* freshclam, libclamav: work around possible race condition during
db updates (bb#1624)
* freshclam/manager.c: fix confusing error message (bb#1648)
* libclamav/unzip.c: fix detection of encrypted zip files embedded into
other files (bb#1660)
* libclamav/bytecode_vm.c: fix SIGBUS on sparc.
* libclamav, clamd: handle file exclusion in cli_ftw() (bb#1656)
* unit_tests/check_regex.c: fix unit-test failure on Solaris
* libclamav/pe.c: fix check for pe32+
* clamscan, clamd, libclamav: load cvd files on-the-fly (without unpacking them
to /tmp) by default
* libclamav: improve loading speed of compressed databases (bb#1105)
* libclamav/macho.c: improve detection of Universal Binaries
* libclamav/macho.c: fix section alignment (bb#1667)
* shared/actions.c: wrap unistd - reported by njh
* libclamav/pe.c: check IS-cab scan result
* test/: add IS test files
* libclamav/regex_list.[ch]: improve safebrowsing.cvd load speed (20s -> 3s)
* libclamav/others.h, libclamav/ishield.c: fix typo,
workaround crappy preprocessors (bb#1658)
* libclamav/cab.c: downgrade warning message (bb#1659)
* libclamav, build system: fix portability issues for fseeko, sysconf(_SC_PAGESIZE),
getpagesize() (bb#1658)
* libclamav/pe.c, yc.c: Make yC able to handle more samples and variants.
* clamd: honour value of 0 in Max* options
* unit_tests/check_clamd.c: fix unit tests when run as root (bb #1635).
* libclamav/ishield.c: fix distcheck, patch from edwin
* clamd, clamav-milter: make pid files globally readable (bb#1642)
* libclamav/ishield.c: use mmap for big files, fix some leaks,
some portability fixes
* libclamav/filetypes.c: fix off-by-one error (bb#1639)
* libclamav/mspack.c: fix valgrind warnings about use of uninitialized
values (bb#1655)
* libclamav: add preliminary support for IS executables (IS-cab and IS-msi)
part of bb#1571
* libclamav: add support for Universal Binaries (archives with Mach-O files for
different architectures, bb#1592)
* docs/signatures.pdf: cover Mach-O files
* libclamav: handle Mach-O files with type-9 signatures; all special offsets are
supported for PPC32/64 and x86 executables; for ARM and other archs
only section based extensions (Sx[+-]n, SL[+-]n) are supported atm
* clambc/, libclamav/, unit_tests/: Initial draft of bytecode interpreter (bb #1243).
* libclamav/macho.c: handle LC_THREAD; calculate EP
* libclamav/filetypes_int.h: sync with daily.ftm
* libclamav: initial support for Mach-O executables (part of bb#1592)
* test: add cpio test files
* libclamav: add support for cpio archives (bb#1649)
* clamav-milter: use s/STREAM/INSTREAM/ (bb#1548)
* clamav-milter/netcode.c: Properly handle clamd disconnection (bb#1643)
* clamav-milter/whitelist.c: print failed whitelist filename
* libclamav/elf.[ch]: add support for 64-bit ELF files (bb#1593)


To Upgrade:
yum --enablerepo=asl-2.0-testing upgrade clamav

 
[asl-2.0-testing] ASL 2.2.5-0.3
Written by Scott Shinn   
Friday, 12 March 2010 08:59

More updates relating to the new template code for psmon, ossec, and denyhosts. The biggest change here is that denyhosts is no longer in active response mode, OSSEC will be doing all the work. So in order to test this you will need to upgrade both ASL and OSSEC. The OSSEC update is also based off of the latest snapshot, so a lot of irons in the fire with this build. I'd be especially interested in any feedback on denyhosts alerts you'll see in ASL Web.

Changelog:
- Added new templating engine to ossec_check
- Added new templating engine to psmon_check
- Added new config setting PSMON_NOTIFY, this allows you to disable email reporting from psmon
- Added new templating engine to denyhosts
- Deprecated active response in denyhosts, this is now handled by ossec
- Deprecated configuration setting DENYHOSTS_SHUN_TIME
- Deprecated the old psmon template system
- Bugfix #XXX, psmon_check will no longer always report "fixed" when operating in fix mode
- Bugfix #XXX, ossec_check now counts only valid whitelist entries for the excessive whitelist check
- Bugfix #305, Retire active response from denyhosts
- Bugfix #312, ASL Web now supports the custom layout upgrades when new interface features are added.

To upgrade:
yum --enablerepo=asl-2.0-testing upgrade asl asl-web ossec-hids

 

 

 
ASL 2.2.5-0.1 Test build
Written by Scott Shinn   
Monday, 08 March 2010 16:32

The first cut of ASL 2.2.5 is out in [asl-2.0-testing]. Initially I had planned to make this build all about the new dazuko module for the 2.6.32.x series kernels, but as we all know change is part of the design process. Instead there was a more pressing need for a template based configuration engine for the core utilities. The first module (seen in 0.1) has this in place on the ossec_check module. For testing purposes both methods (find & replace) and templating are still in place, which makes configuration changes completely redundant.

 

I assure you there is a method to this madness :P The idea was to see if we miss anything between the two on the automated QA systems; for everyone else this will just mean that the config file for ossec (/var/ossec/etc/ossec.conf) goes through changes twice. The second time completely rewrites everything made the first time.

 

New features in this build include the aforementioned template engine. The templates themselves are located in /var/asl/data/templates/template* and you'll see two for OSSEC, server and client. These files are intended to be modified by the end user for custom configurations. That means that directly modifying /var/ossec/etc/ossec.conf will no longer be supported.

 

OSSEC rules will now match brute force conditions against SMTP_AUTH, Courier IMAP and POP connections. The default policy is to respond if there are more than 10 failed connections in a 60 second period from the same IP. I suspect that this may need some additional vetting for those environments where multiple users come from the same IP.  This is something we'll need some community feedback on to fine tune the rule class.
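
The threshold policy described above (more than 10 failed connections within 60 seconds from one IP), as an added Python example that is not ASL's or OSSEC's own rule code. The log format, addresses and function names are constructed for illustration; the detector also reports distinct usernames per source, one way to tell a shared IP with many users from a guessing run against a single mailbox.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10  # policy from the post: act on MORE than 10 failures...
WINDOW = 60     # ...seen within 60 seconds from the same IP

# Assumed, simplified log format (constructed; not real Courier/SMTP output):
#   <ISO timestamp> <service> LOGIN FAILED user=<name> ip=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>smtp_auth|imapd|pop3d) LOGIN FAILED "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(line):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per source IP over time-ordered lines.

    Returns {ip: {"at": first time the threshold was exceeded,
                  "users": usernames seen in that window}}.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs still in window
    hits = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unrelated or malformed line
        ts, user, ip = rec
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()  # expire events older than the window
        if len(q) > threshold and ip not in hits:
            hits[ip] = {"at": ts, "users": {u for _, u in q}}
    return hits


def sample_lines():
    """Constructed sample: three sources, eleven failures each."""
    base = datetime(2010, 3, 8, 16, 0, 0)
    cases = [
        # (ip, service, seconds between attempts, username per attempt)
        ("192.0.2.10", "imapd", 2, lambda i: "info"),            # one mailbox, fast
        ("198.51.100.7", "smtp_auth", 5, lambda i: f"user{i}"),  # many users, one IP
        ("203.0.113.5", "pop3d", 10, lambda i: "sales"),         # too slow to trigger
    ]
    lines = []
    for ip, svc, step, name in cases:
        for i in range(11):
            ts = (base + timedelta(seconds=step * i)).isoformat()
            lines.append(f"{ts} {svc} LOGIN FAILED user={name(i)} ip={ip}")
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for ip, hit in detect(sample_lines()).items():
        print(ip, hit["at"].isoformat(), "distinct users:", len(hit["users"]))
```

Both the single-mailbox source and the many-users source cross the threshold; only the distinct-user count separates them, which is the shared-IP case the default policy cannot distinguish on its own.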

 

The only other change is an update to ASL Web from Jim's team to handle custom user layouts. 2.2.4 was not compatible with the custom layouts from 2.2.3 and below; this update sets ASL to just ignore a setting if it doesn't jive with the new engine. Otherwise nothing new there, although I'm hoping they can finish up a reporting module in time for 2.2.5. We'll see!

 

 