Weekly Security Tools Digest
2000/09/22 to 2000/09/28

By Seán Boran (sean at boran.com) for SecurityPortal

This is a summary of changes to free security tools over the last week. This is now the third edition, so let us know how we are doing: for example, should we cover 'development releases' or only stable releases? Should we focus on well-known tools, or try to track as many as possible? Would you like other tools added to the favourites list?


The Rundown

Updates to favourite free tools this week include Snort, Nessus, SSL, BUGS, GnuPG, TCT, Bastille, OpenLDAP, chkrootkit and AMaViS.

Tools for Windows include ShadowSecurityScanner and Natas.

Linux/Unix/Cross Platform: 21 tools in the basket this week!


Favourite Tools

Snort www.snort.org
• 09262k.rules file released. This updated ruleset has too many changes to list, ranging from rule corrections involving '/' characters to adding IDS numbers that match the arachNIDS database (many were not listed properly before).
• Snort-1.6.3-patch2 is now available in the file section.
• Snort 1.7 beta (dev.) is available via CVS (this works well and is needed if you want to try out the ACID tool mentioned two weeks ago).
• snortstart updated to v0.17
• Snorticus v1.0 is a collection of shell scripts designed to allow easy management of Snort sensors. It allows you to routinely collect Snort sensor data, analyze the data via snortsnarf, and easily maintain rule files. http://snorticus.baysoft.net/

TCT: The Coroner's Toolkit 1.03
Dan Farmer and Wietse Venema, http://www.porcupine.org/forensics/tct.html
TCT is a collection of programs that can be used for a post-mortem analysis of a UNIX system after a break-in. Changes: fixed a bug that caused icat etc. to remember the wrong file seek position; updated the help-recovering-file document.

NMAP
• NDiff 0.03
NDiff compares two nmap scans and outputs the differences. Changes: Performance improvements to the ndiff program. Tweaks/workarounds to silence pod2man complaints when installing. These changes have not been heavily tested. www.vinecorp.com/ndiff  

SSL
•  Using OpenSSL's S/MIME facilities
•  "Introducing SSL and Certificates using SSLeay", by Frederick J. Hirsch, www.linuxsecurity.com/resource_files/cryptography/ssl-and-certificates.html. Although it does not refer to the newer OpenSSL/mod_ssl, it is thorough and useful.
•  OpenSSL v0.9.6 www.OpenSSL.org
Changes: This stable release includes bugfixes and extra documentation, in addition to new sign and verify options for the 'dgst' application, support for DER- and PEM-encoded messages in the 'S/MIME' application, and a new 'rsautl' application (a low-level RSA utility).

Chkrootkit has a new web site www.chkrootkit.org
The latest version is still v0.17.

Nessus www.nessus.org
Nessus v1.05 has been released for Windows.

BUGS/becrypt
www.bcrypt.com (in French: www.bcrypt.com/index_fr.html), by Sylvain Martinez
• New Library version: v 3.4.1, Windows BCRYPT 2.3, UNIX BUGS v3.4.2
• Changes: a few minor bugs corrected and addition of the official BUGS logo.
• Editor's note: this is a different project from BeeCrypt www.virtualunlimited.com/products/beecrypt/

OpenLDAP development v2.0.4 released, stable release is still v1.2.11. www.OpenLDAP.org
Changes: Fixed clients printf/usage bugs, libldap SASL interoperability, libldap PF_LOCAL declaration/call bugs, slapd SASL log error, slapd spasswd support, slapd/tools fixed sasl_props, slurpd SASL support, documentation, --enable-spasswd, ldif(5) file:/// . Added slapd accept(2).
Updated ldap_schema(3).

PGP
GnuPG v1.0.3 released. http://www.gnupg.org Changes: RSA support, supports the new MDC encryption packet, default options changed for better compatibility with PGP 7. The usual fixes and other enhancements.

Bastille Linux v1.1.1.pre4
Jay Beale, www.bastille-linux.org
Changes: this release resolves some stability issues and includes some initial work on updating for RH7.0 and Mandrake 7.0/7.1.

AMaViS - A Mail Virus Scanner 0.2.1-pre3
Christian Bricart, http://www.amavis.org/
Apart from the usual typo and cosmetic changes:
• broken links updated in the documentation
• improved detection of uuencoded mails (if sent inline)
• slightly improved handling of self-extracting files
• fixed possible mail loss in sendmail and postfix when used as a relay


Tools for Windows

PacketStorm

Sqlpoke.zip
Xaphan, http://packetstorm.securify.com/NT/scanners/Sqlpoke.zip
Sqlpoke is an NT-based tool that locates MSSQL servers and tries to connect with the default sa account. A list of SQL commands is executed if the connection is successful. Win32 source included.

tcpip_lib2.zip
Barak Weichselbaum, http://www.komodia.com
Tcpip_lib V2 is a library for Windows 2000 which allows arbitrary packet creation. It uses Winsock 2 to open a raw socket, allowing you to send raw IP headers, do IP spoofing, and play with the nuts and bolts of networking protocols. Changes: now also works on NT (regular async sockets), supports regular sockets (async and blocking), and adds ICMP; samples include traceroute, ping, a TCP server and a simple attacker.

SecurityFocus

NATAS 2.20.1
Björn Stickler, http://intex.ath.cx/natas.shtml  
Natas is an advanced network packet capturing and analysing program designed for Windows 2000. It only works with the new Windows 2000 winsock v2.2 which supports raw sockets like *nix operating systems. You have to be admin on the machine you are running Natas on.

ShadowSecurityScanner 1.01.003
RedShadow, http://www.rsh.kiev.ua 
New version of ShadowSecurityScanner. Updates:
• The scanner core has been completely rewritten.
• The database format has changed.
• Support for adding new databases has improved.
• The interface has changed.
• The options have been considerably extended.
• The NetBIOS check now works even under Win9x.
• Lists of hosts can now be checked.
• All defects found in previous versions have been fixed.
• Added a new method for checking a user's NetBIOS password.
• Added a function for checking a user's password against a password list.
• Updated SMTP and FTP kernel.
• Added SOCKS server support (you can scan a network through a SOCKS server).
• Updated database.
• Code optimisation.
• New installer.


Tools for UNIX/Linux/BSD & Cross-platform

Cryptcat
jojo, www.farm9.com or http://207.33.208.248/News/Free_Tools/Cryptcat
Cryptcat is netcat enhanced with twofish encryption.
Twofish is courtesy of Counterpane and Cryptix. We started with the Java version of Twofish from Cryptix, converted it to C++ (don't ask why) and enhanced it by adding CBC mode and the ciphertext stealing technique from Applied Cryptography.

Packet Storm

floppyfw-1.0.6.img
Thomas Lundquist, http://www.zelow.no/floppyfw
floppyfw is a router and simple packet-filtering firewall using ipchains on a single floppy.
Changes: This release includes kernel 2.2.17 and security-updated glibc, syslogd and klogd.


FreshMeat

Big Brother v1.5c1
motu robert, http://freshmeat.net/projects/bigbrother/
Highly efficient network monitor.

NetSaint stable: v0.0.5 - devel: v0.0.6 beta 6
Ethan Galstad, http://www.netsaint.org
A relatively simple active network monitor.
Changes: Patched drop_privileges() to set supplementary group privileges properly. Patched subst and daemon-init scripts. Fixed a bug where the trends CGI would go into an infinite loop if log rotation was not used. Commands that have a return code of 126 or 127 are now logged with a warning about potentially missing scripts or binaries. Added a check for NULL host name and service description in IPC message queue to avoid erroneous warnings about results being found for non-existent services. Services that are in an OK state are no longer escalated to a critical state (HOST_DOWN or UNREACHABLE) when there are host problems.

LinuxMagic VPN Firewall v1.1.2
by Wizard Internet support, http://freshmeat.net/projects/linuxmagicvpnfirewall/

pam_smb v1.1.6
http://www.csn.ul.ie/~airlied/pam_smb/
pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server. This release fixes security holes.

security-script v0.1
Peter Halliday, http://freshmeat.net/projects/security-script/
security-script is a port of FreeBSD's /etc/security script. It is a powerful tool that checks many aspects of your system's security and then emails you with the results. It is set up as a cron job to run once a day. As you continually use this script it will help you to monitor the security of your system.

httpf v1.03
http://httpf.sourceforge.net/
A WWW security proxy that forwards only allowed, harmless content by filtering HTTP and HTML. It uses POSIX threads, is written in plain C, has a generic configuration, and allows extensive auditing.

toby 0.77
http://www.buttsoft.com/~thumper/software/sysadmin/Toby/
Toby is another reimplementation of the ever-useful tripwire program. The original tripwire-1.3 is available for free, but ran a bit slow in my test comparisons. Also, newer versions of tripwire are not free for commercial users, but include much cooler cryptographic signatures and such. My feeling was that it would be nice to have a GPL version of tripwire to use with some of my clients. The first major difference from tripwire is that toby is written in Perl. Cryptographic modules from CPAN are used, hopefully ensuring that as better algorithms are found for some routines (e.g., MD5), toby will inherit those improvements.

pvm_crack v0.1
Lukeboo, http://freshmeat.net/projects/pvmcrack/
pvm_crack is a pvm-enabled (Beowulf) brute-force UNIX password cracker.

ModLogAn v0.5.4
rockoo daniel, http://freshmeat.net/projects/modlogan/  
ModLogAn is a modular logfile analyzer that combines speed with flexibility. It parses the logfiles generated by Apache and friends (common/combined), MSIIS 5.0, Wu-FTP/ProFTP, Squid, and RealServer, and provides all the well-known statistics and some very specialized statistics like pages that were indexed by a robot, bookmarked pages, cache hit ratio, and many more. Stats for non-web logfiles (hicom116, elmeg, isdnlog) can also be created.

Calamaris v2.37
Cord Beermann, http://freshmeat.net/projects/calamaris/
Statistics for Squid, NetCache, Oops, Inktomi Traffic Server and Compaq Tasksmart.
This release adds a switch which alters the output of the byte-stats.

apachedb v0.15
Gottfried Szing, http://freshmeat.net/projects/apachedb/
apachedb logs Apache transfers and Squid log files into a MySQL database. You can convert an existing transfer log or you can log "on the fly" via the Apache logging facility. Changes: a fix for a mod_usertrack bug, minor and major PHP fixes, support for incremental import, mail notification on DB errors, search for a specific host and visit calculation, and a new logfilter script.

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to only notify you of new or updated free tools.

PIKT - Problem Informant/Killer Tool v1.12.0pre1
Robert Osterlund, http://pikt.uchicago.edu/pikt
PIKT is a cross-platform, multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
Changes in pikt-1.12.0pre1 since release 1.11.0 (the last official release): Allowed for empty host lists (hosts and members stanzas) in systems.cfg. Fixed a log format string bug. Fixed a history value bug.

Kalasag Firewall Builder 0.1
Jeoffrey Lim, http://www.pinoycircle.org
Kalasag is a Java program to create, edit, and manipulate firewall rules on Linux 2.2.x Kernels. It uses the JNI (Java Native Interface) to allow easy access to firewall rules and retrieve firewall data for manipulation by the System Administrator. The firewall editor uses drag-and-drop and firewall rules can be specific for each ruleset.

Drall 1.1.5.13
Henrik Edlund, http://www.edlund.org/hacks/drall/index.html
Drall is a script which allows users to access their directories and files remotely without the need of using insecure FTP and telnet. It enables the user to treat the remote file system as if it were on their local hard disk through a normal web browser. The interface resembles the well-known Norton Commander (of DOS fame) and Midnight Commander (of UNIX fame). A dual-frame interface makes it easy to see an overview of the file system, and the modular design means you only use the features you need. Drall is written in Perl for easy customisation and expansion.

Nabou 1.5
Thomas Linden, http://www.0x49.org/nabou
nabou is a Perl script which you can use to check file integrity and more. One of its main intentions is to be easy to use and easy to understand. It is written in Perl, which ensures that it can run on many different platforms. Besides file integrity (MD5) it can also take a look at crontabs, suid files and user account changes. It stores all data in standard dbm databases. It can also check various file attributes, such as file mode or size. Besides filesystem integrity you can use nabou as a process monitor as well; in this special mode it can run as a daemon in the background and inform you if it finds a weird process.

rstd 1.1
Robert Salizar, http://www.energymech.net/madcamel/fm
rstd is a companion to the Linux Stealth kernel patch. In response to TCP SYN packets [connection attempts] on pre-configured ports, rstd will send a TCP RST packet back [connection refused]. This is normally handled by the kernel, but a user-space daemon offers more control. rstd will not send more than one RST packet a second.

Dante 1.1.3
Inferno Nettverk A/S, http://www.inet.no/dante
Dante is a free implementation of the proxy protocols SOCKS version 4, SOCKS version 5 (RFC 1928) and msproxy. Dante is also a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server Dante runs on to have external network connectivity.
Major change: HTTP proxy support in the client (meaning "socksify" can also work when going through web proxies).

Email Security through Procmail 1.119
John Hardin, ftp://ftp.rubyriver.com/pub/jhardin/antispam/html-trap.procmail
Email Security through Procmail attempts to address the trend towards "enhancing" email clients with support for active content, which exposes end-users to many and varied threats, by "sanitizing" email: removing obvious exploit attempts and disabling the channels through which exploits are delivered. Facilities for detecting and blocking Trojan Horse exploits and worms are also provided.

LnxFire 0.1-3
John Hawk, http://lnxfire.sourceforge.net
LnxFire is a firewall tool for Linux aimed at the small business and home office client. Use the firewall creation wizard to quickly create a basic firewall. It features dynamic rule modifiers, pro-active monitoring, reporting, e-mail alerts and auto lock-out for port scanners. LnxFire requires the GNOME 1.2 libraries. LnxFire is a branch of Firestarter; it was split off to change the structure and add functionality.


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 29 September, 2000