diff --git a/docs/development/release_management.rst b/docs/development/release_management.rst
index 26049b445a..1008b74eff 100644
--- a/docs/development/release_management.rst
+++ b/docs/development/release_management.rst
@@ -82,7 +82,7 @@ Pre-Release
    <https://github.com/freedomofpress/securedrop-dev-packages-lfs>`_.
    Only commit packages with an incremented version number: do not
    clobber existing packages.  That is, if there is already a deb
-   called e.g. ``ossec-agent-3.0.0-amd64.deb`` in ``master``, do not
+   called e.g. ``ossec-agent-3.6.0-amd64.deb`` in ``master``, do not
    commit a new version of this deb. Changes merged to ``master`` in
    this repo will be published within 15 minutes.
 
diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
index 3874a95c1a..a8c88fc764 100644
--- a/install_files/ansible-base/group_vars/securedrop_application_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -8,9 +8,9 @@ ip_info:
 local_deb_packages:
   - "securedrop-keyring-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-config-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-ossec-agent-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-ossec-agent-3.6.0+{{ securedrop_app_code_version }}-amd64.deb"
   - "{{ securedrop_app_code_deb }}.deb"
-  - "ossec-agent-3.0.0-amd64.deb"
+  - "ossec-agent-3.6.0-amd64.deb"
 
 # Configuring the tor Onion Services
 tor_instances:
diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
index b646d02af2..acc26ec410 100644
--- a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -8,8 +8,8 @@ ip_info:
 local_deb_packages:
   - "securedrop-keyring-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-config-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-ossec-server-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
-  - ossec-server-3.0.0-amd64.deb
+  - "securedrop-ossec-server-3.6.0+{{ securedrop_app_code_version }}-amd64.deb"
+  - ossec-server-3.6.0-amd64.deb
 
 # Configure the tor Onion Services. The Monitor server has only one,
 # for SSH, since no web interfaces.
diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml
index c849066a23..16f545fd96 100644
--- a/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml
+++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml
@@ -1,8 +1,8 @@
 ---
-build_ossec_deb_pkg_dependencies: []
+build_ossec_deb_pkg_dependencies: ['libevent1-dev','libpcre2-dev']
 
 ossec_server_hostname: ossec-server
-ossec_version: 3.0.0
+ossec_version: 3.6.0
 # Parent directory for performing build operations. All files related
 # to build, including source tarball, will be created inside this dir.
 build_path: /tmp/build
@@ -22,4 +22,4 @@ ossec_build_rsync_generic_opts:
 ossec_build_rsync_ansible_hack_opt:
   - "--rsync-path='sudo rsync'"
 
-ossec_source_checksum: sha256:a271d665ed502b3df4ff055a177159dfc0bc8a69dd44eab1f7c57fe8fff42a98
+ossec_source_checksum: sha256:653828a19137b8a7e98af65e873318f7bb48137fe1e61b80577e13c316e04708
diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py b/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py
index 73500aafa0..ea431782de 100644
--- a/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py
+++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/library/ossec_urls.py
@@ -14,7 +14,7 @@
   ossec_version:
     description:
       - version number of release to download
-    default: "3.0.0"
+    default: "3.6.0"
     required: no
 notes:
   - The OSSEC version to download is hardcoded to avoid surprises.
@@ -23,7 +23,7 @@
 '''
 EXAMPLES = '''
 - ossec_urls:
-    ossec_version: "3.0.0"
+    ossec_version: "3.6.0"
 '''
 
 
@@ -68,7 +68,7 @@ def ossec_signature_filename(self):
 def main():
     module = AnsibleModule(  # noqa: F405
         argument_spec=dict(
-            ossec_version=dict(default="3.0.0"),
+            ossec_version=dict(default="3.6.0"),
         ),
         supports_check_mode=False
     )
diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml
index a95005f027..3a891944a1 100644
--- a/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml
+++ b/install_files/ansible-base/roles/build-ossec-deb-pkg/tasks/main.yml
@@ -76,6 +76,12 @@
     src: "{{ purpose }}-preloaded-vars.conf"
     dest: /tmp/ossec-hids-{{ ossec_version }}/etc/preloaded-vars.conf
 
+- name: Disable JIT in OSSEC Makefile
+  lineinfile:
+    path: /tmp/ossec-hids-{{ ossec_version }}/src/Makefile
+    regexp: '^USE_PCRE2_JIT=yes$'
+    line: 'USE_PCRE2_JIT=no'
+
 - name: Run OSSEC installer script on extracted source.
   command: /tmp/ossec-hids-{{ ossec_version }}/install.sh
 
diff --git a/install_files/ossec-agent/etc/ossec-init.conf b/install_files/ossec-agent/etc/ossec-init.conf
index ce14078df3..6ef841f671 100644
--- a/install_files/ossec-agent/etc/ossec-init.conf
+++ b/install_files/ossec-agent/etc/ossec-init.conf
@@ -1,4 +1,4 @@
 DIRECTORY="/var/ossec"
-VERSION="v3.0.0"
-DATE="Tue Aug 21 10:52:11 PDT 2018"
+VERSION="v3.6.0"
+DATE="Mon Apr 13 14:41:37 EST 2020"
 TYPE="agent"
diff --git a/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian b/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian
index 5e490fa285..3b97651f16 100644
--- a/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian
+++ b/install_files/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian
@@ -1,3 +1,10 @@
+ossec-agent (3.6.0) unstable; urgency=low
+
+  [ SecureDrop Team ]
+  * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.6.0
+
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 13 Apr 2020 14:53:21 -0400
+
 ossec-agent (3.0.0) unstable; urgency=low
 
   [ SecureDrop Team ]
diff --git a/install_files/ossec-server/etc/ossec-init.conf b/install_files/ossec-server/etc/ossec-init.conf
index ead135f99f..f4f51eccd0 100644
--- a/install_files/ossec-server/etc/ossec-init.conf
+++ b/install_files/ossec-server/etc/ossec-init.conf
@@ -1,4 +1,4 @@
 DIRECTORY="/var/ossec"
-VERSION="v3.0.0"
-DATE="Tue Aug 21 10:52:11 PDT 2018"
+VERSION="v3.6.0"
+DATE="Mon Apr 13 15:15:11 EST 2020"
 TYPE="server"
diff --git a/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian b/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian
index bb4890c3bc..b2809215fe 100644
--- a/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian
+++ b/install_files/ossec-server/usr/share/doc/ossec-server/changelog.Debian
@@ -1,3 +1,10 @@
+ossec-server (3.6.0) unstable; urgency=low
+
+  [ SecureDrop Team ]
+  * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.6.0
+
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 13 Apr 2020 15:22:54 -0400
+
 ossec-server (3.0.0) unstable; urgency=low
 
   [ SecureDrop Team ]
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control b/install_files/securedrop-ossec-agent/DEBIAN/control
index 67c559eefb..87f4b95131 100644
--- a/install_files/securedrop-ossec-agent/DEBIAN/control
+++ b/install_files/securedrop-ossec-agent/DEBIAN/control
@@ -4,9 +4,9 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 3.0.0+1.3.0~rc1
+Version: 3.6.0+1.3.0~rc1
 Architecture: amd64
-Depends: ossec-agent,securedrop-keyring,securedrop-config
+Depends: libevent-1.4-2,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
 Replaces: ossec-agent
 Conflicts: securedrop-ossec-server
 Description: Installs the securedrop pre-configured OSSEC agent
diff --git a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian b/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian
index 680b313a00..9ed3cf4a70 100644
--- a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian
+++ b/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian
@@ -1,3 +1,9 @@
+securedrop-ossec-agent (3.6.0) unstable; urgency=low
+
+  * Upgrade to ossec 3.6.0
+
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 13 Apr 2020 15:20:12 -0400
+
 securedrop-ossec-agent (3.0.0) unstable; urgency=low
 
   * Upgrade to ossec 3.0
diff --git a/install_files/securedrop-ossec-server/DEBIAN/control b/install_files/securedrop-ossec-server/DEBIAN/control
index 3ad4ef9e4d..7612531836 100644
--- a/install_files/securedrop-ossec-server/DEBIAN/control
+++ b/install_files/securedrop-ossec-server/DEBIAN/control
@@ -4,9 +4,9 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-server
-Version: 3.0.0+1.3.0~rc1
+Version: 3.6.0+1.3.0~rc1
 Architecture: amd64
-Depends: ossec-server,securedrop-keyring,securedrop-config
+Depends: libevent-1.4-2,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
 Replaces: ossec-server
 Conflicts: securedrop-ossec-agent
 Description: Installs the pre-packaged OSSEC server
diff --git a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian b/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian
index fb2d4dcb77..061f26da6e 100644
--- a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian
+++ b/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian
@@ -1,3 +1,9 @@
+securedrop-ossec-agent (3.6.0) unstable; urgency=low
+
+  * Upgrade to ossec 3.6.0
+
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 13 Apr 2020 15:15:32 -0400
+
 securedrop-ossec-agent (3.0.0) unstable; urgency=low
 
   * Upgrade to ossec 3.0
diff --git a/molecule/builder-xenial/tests/test_securedrop_deb_package.py b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
index 28950b4f81..0f88c24b78 100644
--- a/molecule/builder-xenial/tests/test_securedrop_deb_package.py
+++ b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
@@ -401,9 +401,7 @@ def test_ossec_binaries_are_present_agent(host, deb):
             "/var/ossec/bin/ossec-syscheckd",
             "/var/ossec/bin/ossec-agentd",
             "/var/ossec/bin/manage_agents",
-            "/var/ossec/bin/ossec-lua",
             "/var/ossec/bin/ossec-control",
-            "/var/ossec/bin/ossec-luac",
             "/var/ossec/bin/ossec-logcollector",
             "/var/ossec/bin/util.sh",
             "/var/ossec/bin/ossec-execd",
@@ -433,13 +431,11 @@ def test_ossec_binaries_are_present_server(host, deb):
             "/var/ossec/bin/ossec-reportd",
             "/var/ossec/bin/ossec-agentlessd",
             "/var/ossec/bin/manage_agents",
-            "/var/ossec/bin/ossec-lua",
             "/var/ossec/bin/rootcheck_control",
             "/var/ossec/bin/ossec-control",
             "/var/ossec/bin/ossec-dbd",
             "/var/ossec/bin/ossec-csyslogd",
             "/var/ossec/bin/ossec-regex",
-            "/var/ossec/bin/ossec-luac",
             "/var/ossec/bin/agent_control",
             "/var/ossec/bin/ossec-monitord",
             "/var/ossec/bin/clear_stats",
diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml
index b6936b938f..b97bd8c7b8 100644
--- a/molecule/builder-xenial/tests/vars.yml
+++ b/molecule/builder-xenial/tests/vars.yml
@@ -1,6 +1,6 @@
 ---
 securedrop_version: "1.3.0~rc1"
-ossec_version: "3.0.0"
+ossec_version: "3.6.0"
 keyring_version: "0.1.3"
 config_version: "0.1.3"
 grsec_version: "4.14.175"