By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
You can receive this digest via email.
http://securityportal.com/subscribe.html
This document is a summary of changes to free security tools over the last week.
Updates to favourite free tools this week include: Snort, Mozilla, PGP, BSD, BUGS/becrypt, Linux Crypto Kernel, LIDS, Sendmail, SAINT, SARA, Dante, Cryptix, Ipchains.
Tools for Windows include TCP/IP library, Portascan, NTRPCInfo, DnsID
Linux/Unix/Cross Platform: 19 tools in the basket this week!
Snort
http://www.snort.org
- SPADE Spade-092200 released. http://www.silicondefense.com/spice/
SPICE, the Stealthy Portscan and Intrusion Correlation Engine, is a project at Silicon Defense to detect port scans, even those in which the attacker has tried to make the scan stealthy, for example by slowing it down or randomising the order of the probes. SPADE, the Statistical Packet Anomaly Detection Engine, is the implementation of this approach for Snort.
- A new Snort log file rotation script by Jim O'Gorman: snort_log_rotate
- The 'discussions forum' section is quite good: new Rules, Exploits, Usage, Troubleshooting sections have been added.
- Updates to the rule database: each portion of the ruleset now has its own download. Be sure to update the MailVirus signatures, as there was a problem in the last set. A fully updated 10042k.rules file is also available for those wanting a complete update.
Editor's note: This is a useful idea, since each rule set can be maintained in a separate file, included as appropriate in the rules file for a specific sensor, for example:
include /etc/snort/lib/webcgi-lib
include /etc/snort/lib/webcf-lib
include /etc/snort/lib/webiis-lib
include /etc/snort/lib/webfp-lib
include /etc/snort/lib/webmisc-lib
include /etc/snort/lib/overflow-lib
include /etc/snort/lib/finger-lib
include /etc/snort/lib/ftp-lib
include /etc/snort/lib/smtp-lib
include /etc/snort/lib/telnet-lib
include /etc/snort/lib/misc-lib
include /etc/snort/lib/netbios-lib
include /etc/snort/lib/scan-lib
include /etc/snort/lib/ddos-lib
include /etc/snort/lib/backdoor-lib
include /etc/snort/lib/ping-lib
include /etc/snort/lib/rpc-lib
These files can be updated from the Snort CVS, as well as from the download page.
- Snort2html has been updated to v1.5
http://freshmeat.net/projects/snort2html/
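Editor's note: the point of SPADE above is that a scan spread over many minutes, in shuffled port order, slips past any "N SYNs per second" threshold. The following is an added example written for this digest, not SPADE or Snort code, and much simpler than SPADE's statistical model: it keeps, per (source, target) pair, the distinct destination ports seen inside a long sliding window and alerts once that count crosses a threshold, however slowly the probes arrive. The connection records, addresses and port lists are constructed for the demonstration.

```python
"""Detect slow or randomized port scans from connection records.

Added example for this digest, not SPADE or Snort code. SPADE's real
model is statistical (how improbable each packet is given past traffic);
this simplification keeps, per (source, target) pair, the distinct
destination ports seen inside a long sliding window, so a probe every
few minutes in shuffled port order is still caught while a rate-based
"N SYNs per second" threshold would never fire.
"""
from collections import defaultdict, deque


def build_sample_events():
    """Constructed connection records (ts_seconds, src, dst, dport); not real traffic."""
    events = []
    # Legitimate client: repeated web traffic to just two ports.
    for i in range(20):
        events.append((1000 + 60 * i, "10.0.0.5", "192.168.1.10", 443 if i % 2 == 0 else 80))
    # Slow, randomized scan: one probe every three minutes, shuffled port order.
    for i, port in enumerate([8080, 22, 3306, 25, 445, 143, 21, 110, 139, 23, 53, 1433]):
        events.append((1000 + 180 * i, "10.0.0.9", "192.168.1.10", port))
    # Very slow scan: one probe every two hours, which a one-hour window cannot correlate.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 8080]):
        events.append((1000 + 7200 * i, "10.0.0.7", "192.168.1.10", port))
    events.sort()
    return events


class SlowScanDetector:
    """Sliding-window distinct-port counter keyed by (src, dst)."""

    def __init__(self, window_seconds=3600, port_threshold=10):
        self.window = window_seconds
        self.threshold = port_threshold
        self._seen = defaultdict(deque)   # (src, dst) -> deque of (ts, dport), oldest first
        self._alerted = set()
        self.alerts = []

    def observe(self, ts, src, dst, dport):
        """Record one connection attempt; returns the distinct-port count in the window."""
        key = (src, dst)
        queue = self._seen[key]
        queue.append((ts, dport))
        # Drop probes that fell out of the window. A scanner whose probes are
        # spaced wider than the window never accumulates: that is the trade-off
        # between window length and memory/false positives.
        while queue and ts - queue[0][0] > self.window:
            queue.popleft()
        distinct = {port for _, port in queue}
        if len(distinct) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            self.alerts.append({
                "src": src,
                "dst": dst,
                "ports": len(distinct),
                "first_ts": queue[0][0],
                "last_ts": ts,
            })
        return len(distinct)


def detect_scans(events, window_seconds=3600, port_threshold=10):
    """Run the detector over time-ordered events and return the alerts raised."""
    det = SlowScanDetector(window_seconds, port_threshold)
    for ts, src, dst, dport in sorted(events):
        det.observe(ts, src, dst, dport)
    return det.alerts


if __name__ == "__main__":
    for window in (3600, 86400):
        print("window = %d s" % window)
        for alert in detect_scans(build_sample_events(), window_seconds=window):
            print("  %(src)s -> %(dst)s: %(ports)d distinct ports between "
                  "t=%(first_ts)d and t=%(last_ts)d" % alert)
```

With the one-hour window only the three-minute scanner (10.0.0.9) is reported; widening the window to a day also catches the two-hour scanner (10.0.0.7), at the cost of keeping a day of state per pair. The legitimate client never exceeds two distinct ports and is never flagged.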
Mozilla NSS 3.1 Beta 1 Release
http://www.mozilla.org/projects/security/pki/nss/
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
PGP
http://www.pgpi.org
- The full PGP 6.5.8 source code is now available for Windows 9x/NT/2000, MacOS and Unix. This is an interesting development indeed, hopefully v7 will follow soon.
- The 'OpenPGP Message Format' Internet-Draft has been updated: http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-01.txt
- PinePGP updated to v0.14.0 http://www.megaloman.com/~hany/RPM/pinepgp.html
BSD
Ports Collection http://OpenPackages.org
The NetBSD, FreeBSD and OpenBSD packages collections are being brought together: more unified, more up-to-date, more secure and with more features. Linux and Solaris will even be supported!
FreeBSD 4.1.1: ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/4.1.1-RELEASE/
Changes in security: includes OpenSSL 0.9.5a (the native OpenSSL implementation of the RSA algorithm is now activated by default and the rsaref port and librsaUSA are no longer required for USA residents) and sshd is enabled by default.
BUGS/becrypt
http://www.bcrypt.com (in French: http://www.bcrypt.com/index_fr.html)
New library version v3.5.1, Windows BCRYPT 2.5, UNIX bugs v3.5.2
Changes: the library can now produce ciphertext files in ASCII format, which can be pasted into an email. The new library also corrects a bug with power level 3, and this update corrects a Windows compatibility bug in BUGS's ASCII mode.
Linux International (crypto) Kernel Patch 2.2.17.7
Alexander Kjeldaas, http://www.kerneli.org
International kernel patch 2.2.17.7 released.
Changes: speed.c cleanups. The crypto API now compiles when /proc support has been disabled. An AES cipher has been added; it is implemented by the rijndael module but registered under a separate cipher id/name. Brian Gladman's updated Rijndael implementation has been merged, and the ECB test vectors for Rijndael from the AES submission have been added.
LIDS: Linux Intrusion Detection
Xie Hua Gang, http://www.lids.org
LIDS is a kernel patch and admin tool to enhance Linux kernel security. It is an implementation of a reference monitor and Mandatory Access Control in the kernel.
LIDS 1.0.1 for kernel 2.4.0-test8 released
LIDS 0.9.9 for 2.2.17 released
Changes: code cleanup; lids_read_cap fixed to accept more comments in lids.cap; lids_caps_desc[] added so that violation messages name the capability involved; TTY names in log output now use tty_name.
Sendmail 8.11.1
http://www.sendmail.org/
This is a bug fix release from v8.11, which was released in July. Changes are documented at ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES
SAINT v. 3.0 beta 2
http://www.wwdsi.com/saint
SAINT is a security scanning tool based on SATAN.
Changes: fixed bugs in configure script. Fixed bug in tcp scan which was causing SSH service to be missed. Fixed bug affecting hosts with mismatched forward/reverse DNS resolution. Other bug fixes. Improved checks for Calendar Manager and CGI shells. New checks for Net Tools PKI Server and Net.data db2www. Updated Candidate CVE.
SARA 3.2.2b
http://www.www-arc.com/sara
SARA is also a security scanning tool based on SATAN, with interfaces to other free tools, e.g. nmap and Samba.
Changes: Corrected error in Makefile. Updated tutorials. Updated to detect "wrapped" versions of ssh, telnet, ftp. Updated testing for Subseven DDOS tool. Added additional "custom" attack modes. Fixed problem in configuration management module.
New features: Added timing options to start SARA (full date). Added -r option to command line to generate SARA Reporter report. Added a Delete option to Data Management. Tweaked ftp.sara and tutorial for current threat.
Cryptix 3.1.3/3.2.0
http://www.cryptix.org/products/cryptix31/
Cryptix 3 is a cleanroom implementation of Sun's Java Cryptography Extension (JCE) version 1.1. In addition it contains the Cryptix Provider, which delivers a wide range of algorithms and support for PGP 2.x. Cryptix 3 runs on JDK 1.1, JDK 1.2 (Java 2) and JDK 1.3.
Changes: inclusion of Rijndael, the new AES. JDK 1.3 compatibility (3.2.0 only). A new package system: one jar for all classes and separation of the PGP plugin. Several minor bug fixes.
Dante v1.1.4
ftp://ftp.inet.no/pub/socks/
This version fixes a problem with clients using SOCKS version 4 servers.
Ipchains v1.3.10
http://netfilter.filewatcher.org/ipchains/
Minor upgrade.
TCP/IP library 2.0
Komodia, http://www.komodia.com/tools.htm
Tcpip_lib V2 is a library for Windows 2000 which allows arbitrary packet creation. It uses Winsock 2 to open a raw socket, allowing you to send raw IP headers, do IP spoofing, and play with the nuts and bolts of networking protocols. Changes: now also works on NT (using regular async sockets), supports regular sockets (async and blocking), and adds ICMP. Samples include traceroute, ping, a TCP server and a simple attacker.
Portascan
http://www.greymatrix.com/tools.htm
Portascan is a small port scanner that runs from the command line. It is capable of performing selective TCP or UDP port scans, and performing ICMP pings to see if the remote host is alive. The port scanner is freeware, and runs under Windows NT and Windows 2000. It runs completely from the command line, and isn't dependent on libpcap or other external libraries.
NTRPCInfo
http://www.eeye.com/tools/NTRpcInfo.zip
DnsID
http://www.eeye.com/tools/dnsid.zip
eEye has released two information-gathering utilities for Windows NT that simulate the functionality of similar UNIX programs. NTRPCInfo, similar to the UNIX rpcinfo, retrieves available RPC information from the remote host. DnsID retrieves the remote DNS server's version using CHAOS-class requests (we described this technique in the article "BIND version 8.2.2 and prior is vulnerable to root compromise").
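Editor's note: the CHAOS-class trick DnsID relies on is a plain DNS query for the TXT record of version.bind in class CH (3), which BIND answers with its version string unless the administrator has overridden it with the version option in named.conf. The following is an added example written for this digest, not eEye's DnsID: it builds that query byte for byte, parses a TXT answer (including name-compression pointers), and treats a non-zero RCODE such as REFUSED as "no version disclosed". The reply it parses offline is constructed, not captured, and the version string "8.2.2-P5" in it is made up for the demonstration.

```python
"""Query a name server's version over the CHAOS class (version.bind TXT).

Added example for this digest, not eEye's DnsID. It builds the DNS
question the technique uses, parses a TXT answer (including compression
pointers), and includes a constructed response so it runs offline.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3
FLAG_QR = 0x8000


def encode_name(name):
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset, max_jumps=16):
    """Decode a possibly compressed name; returns (name, offset after it in the message)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2             # the name occupies exactly two bytes here
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_version_query(txid=0x1234):
    """Standard query, RD set, one question: version.bind TXT CH."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack(">HH", QTYPE_TXT, QCLASS_CHAOS)


def parse_txt_answers(msg):
    """Return [(owner, text)] for TXT/CH answers; [] on a non-zero RCODE (e.g. REFUSED)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    if flags & 0x000F:                       # RCODE != 0: server declined or failed
        return []
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            # TXT RDATA is one or more <length><characters> strings.
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            answers.append((owner, "".join(parts)))
    return answers


def build_constructed_response(query, version_text, refused=False):
    """Constructed reply to `query` (not captured traffic): an authoritative TXT
    answer whose owner is a pointer to the question name, or a REFUSED reply."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    if refused:
        return struct.pack(">HHHHHH", txid, 0x8585, 1, 0, 0, 0) + question
    rdata = bytes([len(version_text)]) + version_text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + answer


def query_version_bind(server, timeout=2.0):
    """Send the query over UDP/53 and return the parsed answers (needs network access)."""
    query = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(512)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_answers(reply)


if __name__ == "__main__":
    q = build_version_query()
    print(parse_txt_answers(build_constructed_response(q, "8.2.2-P5")))
    print(parse_txt_answers(build_constructed_response(q, "8.2.2-P5", refused=True)))
```

Use query_version_bind("ns.example.net") against a server you are authorised to test. The defensive counterpart is to stop answering: in BIND, set version "not disclosed"; in the options block of named.conf, after which the query returns that text rather than the real version, or restrict who may ask it at all.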
bfbtester-2.0B-20000709.tar.gz
Mike Heffner, http://my.ispchannel.com/~mheffner/bfbtester
BFBTester is a utility for doing quick, proactive security checks of binary programs by testing for single- and multiple-argument command line overflows and environment variable overflows. It also watches for tempfile creation activity to alert the user to programs using unsafe tempfile names. While BFBTester cannot test for all overflows in software, it is useful for detecting the initial mistakes that red-flag dangerous software. Tested on FreeBSD and Solaris. Changes: bug fixes and small enhancements.
siden-0.1.0.tar.gz
Lawrence Teo, http://siden.sourceforge.net
SIDEN is a distributed network discovery tool which allows you to simulate coordinated/distributed network probes by a group of attackers against one or many target machines. It uses a client/agent architecture where the agents are installed on multiple hosts. Works well on OpenBSD and FreeBSD.
inshellcode.h
sunx, http://www.cnns.net
Win32 port-binding shellcode.
ipgen.tgz
bighawk, http://packetstorm.securify.com/UNIX/utilities/ipgen.tgz
IP-Generator is a program for creating the long IP address lists required by various utilities that take such lists as input.
syslog-ng 1.4.7
Balazs Scheidler, http://www.balabit.hu/products/syslog-ng
syslog-ng is a syslogd replacement with new functionality for the new generation. The original syslogd allows messages to be sorted only by priority/facility pair; syslog-ng adds the possibility of filtering on message contents using regular expressions. The new configuration scheme is intuitive and powerful.
Features: filtering using regular expressions, log forwarding, hash protected log (planned in version 1.5), multi-platform. Requires libol-0.2.17.
Changes: New stable release - Fixes memory leaks.
Claymore v0.3
Sam Carter, http://linux.rice.edu/magic/claymore
Claymore is an intrusion detection and integrity monitoring system. It runs from cron, reads a list of files stored in flat ASCII, and uses MD5 digests to check their integrity against those recorded earlier in a database. If the database is placed on a read-only medium such as a write-protected floppy, it provides a tamper-resistant record against remotely installed trojan horses, as long as the checker itself and the kernel it runs on have not been subverted.
Changes: This release adds ownership / permission tracking and switches to the Digest::MD5 instead of md5sum.
RNA
Yeti, ftp://ftp.eth-security.net/pub
RNA (Resources Not for All) is a collection of security improvements for FreeBSD 4.0-RELEASE. Features a restricted kernel process table, a restricted /proc filesystem, and restricted who/w/last.
XOR Analyze v0.2
Marvin, http://freshmeat.net/projects/xoranalyze
A program for cryptanalysing XOR-encrypted data.
floppyfw 1.0.6 (stable)
Thomas ez Lundquist, http://freshmeat.net/projects/floppyfw
floppyfw is a static router with Linux firewall capabilities. It is basically a screening router or packet-filtering firewall.
ITS4 1.1
Viega, http://www.cigital.com/its4
ITS4 is a command-line tool for statically scanning C and C++ source code for security vulnerabilities. ITS4 scans through source code for potentially dangerous function calls that are stored in a database. Anything that is in the database gets flagged. ITS4 tries to automate a lot of the grepping usually done by hand when performing security audits.
User MONitor Daemon 0.3.2
ctxspy, http://freshmeat.net/projects/umond
A simple interval-based monitoring program that checks UTMP records for new logins.
ip-masq-log
Roberto Zunino, http://freshmeat.net/projects/linuxmasqueraderlogpatch
The ip-masq-log patch can be used on a masquerading (NAT) firewall to keep a log of all outgoing masqueraded TCP connections. It is even possible to log the name of the user who opened each connection.
security-script v0.4
Peter Halliday, http://freshmeat.net/projects/security-script
security-script is a port of FreeBSD's /etc/security script. It checks many aspects of your system's security and then emails you the results.
Automatic Security
Holden Karau, http://freshmeat.net/projects/as
Automatic Security is an expect script which tracks security notices on securityfocus.com and will download and test new updates when they are released. If your system is vulnerable the script will notify you through its log so that you can install the patch as soon as possible. Patching is not automatic for safety reasons.
Secret Agent v0.9
http://freshmeat.net/projects/secret-agent/
Secret Agent keeps passphrases and passwords in memory for a configurable timespan. Various applications can be made to cooperate with the agent; support for PGP 2 and GnuPG is provided out of the box.
Refugee v0.95
http://freshmeat.net/projects/refugee/
Refugee is a file encryption utility. It implements Blowfish and Rijndael and is portable between big- and little-endian platforms. It supports key sizes from 32 to 448 bits and gives the user many ways to make keys.
Samhain v0.9.5
Rainer Wichmann, http://freshmeat.net/projects/samhain/
Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts.
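Editor's note: Claymore (above) and Samhain both work on the same principle, a baseline of file digests and metadata taken on a trusted system and compared against the live system later. The following is an added example written for this digest, not code from either project: it records a SHA-256 digest (where Claymore used MD5) plus mode, owner and size for every regular file under the listed paths, stores the baseline as JSON, and on comparison names what appeared, what vanished and, for changed files, which attributes moved, so that a replaced binary is distinguishable from a permission change. The directory tree, file names and "tampering" in demo() are constructed in a temporary directory for the demonstration; in real use the baseline file would be kept on read-only or offline media as the Claymore note describes.

```python
"""Baseline-and-compare file integrity check.

Added example for this digest, not Claymore or Samhain code. Each file is
recorded with a content digest and its ownership and permission bits, so
a later run reports what appeared, disappeared or changed and which
attribute moved. SHA-256 is used here where Claymore used MD5.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths):
    """Record digest plus metadata for every regular file under `paths` (files or directories)."""
    db = {}
    for root_path in paths:
        if os.path.isdir(root_path):
            candidates = [os.path.join(d, f) for d, _, files in os.walk(root_path) for f in files]
        else:
            candidates = [root_path]
        for p in candidates:
            try:
                st = os.lstat(p)
            except FileNotFoundError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks, devices etc. are not hashed here
            db[p] = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
                     "size": st.st_size, "sha256": _digest(p)}
    return db


def compare(baseline, current):
    """Return added/removed paths and, per changed path, the attributes that differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            report["added"].append(p)
        elif p not in current:
            report["removed"].append(p)
        else:
            diffs = [k for k in sorted(baseline[p]) if baseline[p][k] != current[p].get(k)]
            if diffs:
                report["changed"][p] = diffs
    return report


def save_db(db, path):
    """Write the baseline; keep it on read-only or offline media in real use."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario (temporary directory): a trojaned binary, a permission
    change, a deleted file and a new file. Returns the report keyed by basename."""
    tmp = tempfile.mkdtemp()
    try:
        tree, dbfile = os.path.join(tmp, "tree"), os.path.join(tmp, "baseline.json")
        os.mkdir(tree)
        for n in ["ls", "passwd", "hosts", "inetd.conf"]:
            p = os.path.join(tree, n)
            with open(p, "w") as f:
                f.write("original contents of %s\n" % n)
            os.chmod(p, 0o755 if n == "ls" else 0o644)
        save_db(snapshot([tree]), dbfile)                    # trusted baseline
        # Tampering after the baseline was taken:
        with open(os.path.join(tree, "ls"), "ab") as f:
            f.write(b"\x90" * 16)                            # replaced binary: digest and size change
        os.chmod(os.path.join(tree, "passwd"), 0o666)        # loosened permissions, same content
        os.remove(os.path.join(tree, "hosts"))               # file removed
        with open(os.path.join(tree, ".rhosts"), "w") as f:
            f.write("+ +\n")                                 # new file appeared
        report = compare(load_db(dbfile), snapshot([tree]))
        return {"added": [os.path.basename(p) for p in report["added"]],
                "removed": [os.path.basename(p) for p in report["removed"]],
                "changed": {os.path.basename(p): v for p, v in report["changed"].items()}}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Like the tools it illustrates, this runs in user space and trusts the kernel's answers to stat() and read(); a kernel-level rootkit can lie to it, which is why the baseline and ideally the checker itself belong on media the compromised host cannot rewrite.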
Checkservice v1.0.5
http://freshmeat.net/projects/checkservice/
Checkservice is a Perl script that monitors services on remote hosts. It uses plugins to provide a more thorough check than a plain socket connect, and can be configured to check multiple services on multiple hosts using two different methods (simple and extended). It can write logs and, when running in the background, raise warnings through a beep, mail or SMS warning system.
Note: tools announced on SecurityFocus are not necessarily updated, new or free; it is just that someone posted an announcement. We try our best to only notify you of new or updated free tools.
BlindCrypt 2.0
Hellraiser, http://www.ezkracho.com.ar
BLiND is a new encryption algorithm.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 06 October, 2000