By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
This document is a summary of changes to free security tools over the last week.
You can receive this digest via email.
http://securityportal.com/subscribe.html
Updates to favorite free tools this week include: Nmap, Snort tools, PGP, SAINT, BUGS/bcrypt, LIDS, chkrootkit, OpenLDAP, IP Filter
Tools for Windows include Site watcher, dumpevt.pl, dumpevt2.pl, wmievt.pl, rcrypt
Linux/Unix/Cross Platform: 17 tools in the basket this week!
Nmap
Fyodor, http://www.nmap.org
New development release, 2.54BETA7 is available. Latest stable release is 2.53. http://www.insecure.org/nmap/#download
Changes: Fixes for NetBSD, some minor bugs in Nmap and Nmapfe have been fixed, RPC scan has been updated, Russian and Lithuanian documentation has been included, code cleanups. Console and X-Window versions are available.
New: Nmap now has a moderated discussion list (nmap-hackers@insecure.org) where people can send patches and which I plan to use to announce new versions and beta releases. To subscribe, send a blank email to nmap-hackers-subscribe@insecure.org or insert your email address below.
Remote Nmap, Tuomo Makinen, http://rnmap.sourceforge.net
Rnmap is a pair of client and server programs which allow for various authorized clients to run their port scans from a centralized server. Clients should run on any Python supported platform.
Localscan, Dylan Greene, http://staff.washington.edu/dgreene/localscan
Localscan is a Perl-based front-end for Nmap. It allows the user to compare the results of an Nmap port scan with the results of a previous Nmap port scan made when the subnet or IP range being scanned was in a "known-good" configuration. Essentially, Localscan allows the user to use a portscanner and ask "What new ports are open?" instead of just asking "What ports are active?"
BWNM, Antonio Musumeci, http://www-ec.njit.edu/~asm3072/programming.html
BWNM is a python program which uses Nmap to scan for open Windows shares and then mounts them all for browsing.
Editor's note: I've been doing some work with 'ndiff' over the last few weeks and can recommend it as a way of reporting differences between scans, i.e. changes in ports on a network. It even has excellent documentation!
http://www.vinecorp.com/ndiff/
I also use and recommend 'nmap2html', which is part of snortsnarf and has just been upgraded (see the snort section below). Ditto for 'nlog'.
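The baseline-comparison idea behind Localscan and ndiff, as an added example in Python (not code from Localscan, ndiff or any other project on this page): it parses nmap's grepable output format (-oG), which I assume for the two sample scans, and reports new hosts, newly open ports and baseline ports that are no longer open. The two scans below are constructed for the example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample scans in nmap's grepable (-oG) output format. The hosts
# and ports are made up for this example; "baseline" stands for the known-good
# scan and "current" for the scan taken later.
BASELINE_SCAN = """\
# Nmap 2.53 scan initiated (constructed baseline)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///
"""

CURRENT_SCAN = """\
# Nmap 2.53 scan initiated (constructed current scan)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-term-serv///
Host: 192.0.2.11 ()\tPorts: 25/filtered/tcp//smtp///
Host: 192.0.2.12 ()\tPorts: 21/open/tcp//ftp///
"""

# port/state/protocol are the first three fields of every "Ports:" entry
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

PortSet = Set[Tuple[int, str]]


def parse_grepable(text: str) -> Dict[str, PortSet]:
    """Map each scanned host to its set of (port, protocol) pairs in state 'open'."""
    hosts: Dict[str, PortSet] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        open_ports: PortSet = set()
        if "Ports:" in line:
            ports_field = line.split("Ports:", 1)[1]
            for port, state, proto in PORT_RE.findall(ports_field):
                if state == "open":
                    open_ports.add((int(port), proto))
        hosts[host] = open_ports
    return hosts


def diff_scans(baseline: Dict[str, PortSet], current: Dict[str, PortSet]) -> Dict[str, list]:
    """Answer "what changed?": hosts and open ports present now but absent from
    the baseline, and baseline ports that are no longer open."""
    report = {"new_hosts": [], "new_ports": [], "closed_ports": []}
    for host in sorted(set(baseline) | set(current)):
        before = baseline.get(host, set())
        after = current.get(host, set())
        if host not in baseline:
            report["new_hosts"].append(host)
        for port, proto in sorted(after - before):
            report["new_ports"].append((host, port, proto))
        for port, proto in sorted(before - after):
            report["closed_ports"].append((host, port, proto))
    return report


def format_report(report: Dict[str, list]) -> str:
    """Plain-text summary, one finding per line, for mailing to the administrator."""
    lines = []
    for host in report["new_hosts"]:
        lines.append(f"NEW HOST    {host}")
    for host, port, proto in report["new_ports"]:
        lines.append(f"NEW PORT    {host} {port}/{proto}")
    for host, port, proto in report["closed_ports"]:
        lines.append(f"CLOSED PORT {host} {port}/{proto}")
    return "\n".join(lines) if lines else "no changes since baseline"


if __name__ == "__main__":
    print(format_report(diff_scans(parse_grepable(BASELINE_SCAN),
                                   parse_grepable(CURRENT_SCAN))))
```

Only ports in state "open" are kept, so a port that moves from open to filtered shows up as closed; a host that was not in the baseline at all is listed both as a new host and with each of its open ports, which is usually what you want to see first. Run both scans with the same nmap options, or the diff will report option changes as network changes.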
Snort
http://www.snort.org
The downloads section with the newest ruleset 10102k has been updated on 10th October. Additions include updates from the arachNIDS database, as well as the IDS# in current rules. Ruleset checked with newdupl this time! 'Beta' rules (user submitted) are also available for download here.
SnortSnarf 100400.1
James Hoagland, Stuart Staniford, Joe McAlerney, http://www.silicondefense.com/snortsnarf
SnortSnarf is a Perl program to take files of alerts from the free Snort Intrusion Detection System, and produce HTML output intended for diagnostic inspection and tracking down problems. It uses a cron job to produce a daily/hourly/whatever file of snort alerts. This script can be run on each such file to produce a convenient HTML breakout of all the alerts.
Changes: New CGI script to show an updated list of alerts as text, 3 DNS lookup sites now linked to from host pages (sites contribution by Jim Forester), added www.snort.org port lookup links (contribution by Mike Biesele), improved wrapping on some browsers, included alerts counts on other page, included number of distinct IPs on alert pages, corrected log file naming for Win32 snort (contribution by sliverdragon), nmap2html page heading improved (contribution by Sean Boran), small enhancements and bug fixes.
Snorticus v. 1.0.2
Paul Ritchey, http://snorticus.baysoft.net
Snorticus is a collection of shell scripts designed to allow easy management of Snort sensors. It allows you to routinely collect Snort sensor data, analyze the data via SnortSnarf, and easily maintain rule files.
Changes: New release of Snorticus. Snorticus now supports multiple network interfaces in a sensor box (convenient if one machine is used to monitor multiple networks). Fixed a bug in code that determined the proper number of bits for CIDR notation. Made the code responsible for stopping processes more generic in order to support more platforms and OS versions.
GNU PGP
http://www.gnupg.org New: German version of the GPH (GNU Privacy Handbook) online.
Cryptography, PGP and Pine, By Matteo Dell'Omodarme
http://www.linuxgazette.com/issue58/dellomodarme.html
This article introduces the PGP commandline on UNIX and how to use PGP in the Pine email reader.
Secure Programming:
SecurityFocus has opened a new mailing list. It's called SECPROG and is dedicated to the discussion of secure programming methods and techniques.
To subscribe to this list, send a message to listserv@securityfocus.com with the following in the body of the message: "subscribe secprog"
Trusted BSD Interview
http://www.ispworld.com/bw/sep/Unix_Flavor.htm
http://www.trustedbsd.org/
An interview with one of the lead developers explains how this project can give FreeBSD military standard security.
SSH in NetBSD
http://www.bsdtoday.com/2000/October/News299.html
An OpenSSH-based Secure Shell is now available in the main NetBSD sources. And it will be pulled into the netbsd-1-5 branch, so it will be available in NetBSD 1.5. (ssh-1.2.27 and OpenSSH were already available in the NetBSD packages collection.)
SAINT 3.0
http://www.wwdsi.com/saint
SAINT is a security scanning tool based on SATAN.
Version 3.0 released.
Changes: SAINT checks for new vulnerabilities. The compilation problem on Red Hat 7 has been fixed.
BUGS/bcrypt
http://www.bcrypt.com (in French: http://www.bcrypt.com/index_fr.html) New Windows version: BCRYPT 3.0
Changes: This version has a new GUI and corrects a few minor bugs.
LIDS: Linux Intrusion Detection System
Xie Hua Gang, http://www.lids.org
LIDS is a kernel patch and admin tool to enhance the Linux kernel security. It is an implementation of a reference monitor and Mandatory Access Control in the kernel.
New: Portuguese documentation is now available.
Development version LIDS 1.0.2 for kernel 2.4.0-test9 released.
Changes: bug fixed in sys_utime() to prevent "touch" from altering the inode attributes.
IP Filter 3.4.11
Darren Reed, http://coombs.anu.edu.au/~avalon/
IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. It can be used as a loadable kernel module or incorporated into the UNIX kernel.
Changes: Solaris 8 support, IPv6 support (ipf -6/ipfstat -6), a feature to save/restore state and NAT information (ipfs), a "top" style output option for ipfstat (ipfstat -t), destination and source address matching for map/rdr rules, a program to monitor redirection destinations for layer 4 load balancing, round-robin redirection to spread traffic load over multiple IP addresses, and load-splitting for redirection (splits IP traffic between two alternate destinations).
chkrootkit 0.18
Nelson Murilo, http://www.chkrootkit.org/
chkrootkit is a tool to locally check for signs of a rootkit. The following rootkits are currently detected: Solaris rootkit, FreeBSD rootkit, lrk3, lrk4, lrk5, t0rn and some lrk variants. chkrootkit has been tested on: Linux 2.0.x, 2.2.x, FreeBSD 2.2.x, 3.x and 4.0, Solaris 2.5.1.
Changes: chkrootkit 0.18 released. This version includes some bug fixes and checking for the t0rn rootkit. It also tries to detect some LKM Trojans.
OpenLDAP v2.0.6
http://www.openldap.org/
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol.
Site Watcher
Forix Business Solutions, http://www.forixnt.com/tools.html
Site Watcher is a Perl module that 'watches' a directory for activity. If a file is deleted or changed, the script will reload that file from a repository and the activity is logged to a log file. This utility is very useful for NT administrators to monitor web, FTP, or user's home directories. Site Watcher was developed on NT 4.0 SP6, using ActiveState Perl build 618 and requires Digest::MD5 and Convert::ASN1. It has not been tested under Windows 9x, Windows 2000 and with remote directories.
dumpevt.pl and dumpevt2.pl
Forix Business Solutions, http://www.forixnt.com/tools.html
These Perl scripts dump the contents of the EventLogs from a selected system. These scripts could be used with a parsing script to extract alerts or statistics information from Windows NT logs. Both of these scripts use the modules Win32::Lanman and Win32::perm.
evt.pl
Forix Business Solutions, http://www.forixnt.com/tools.html
This version of an EventLog script dumps the contents of each log to the screen.
wmievt.pl
Forix Business Solutions, http://www.forixnt.com/tools.html
This script collects EventLog entries from the local machine.
rcrypt
http://207.33.208.248/Free_Tools/Rcrypt
rcrypt is a Rijndael file encryption/decryption program.
Changes: new Windows version, new Linux version.
Scout 1.3.2
Maciej Plewa, http://redstar-2.tripod.com/products/scout
SCOUT is a CGI program which displays information about a client's connection like IP address(es), browser type, and system information. Scout supports port scanning (with Nmap), traceroute, and ping statistics for the remote host.
JASS Toolkit v. 0.12
Alex Noordergraaf, alex.noordergraaf@SUN.COM, http://www.sun.com/blueprints/tools
The JumpStart Architecture and Security Scripts (Toolkit) is a tool designed to harden, minimize, and secure Solaris systems. The Toolkit is a set of scripts and directories implementing the recommendations made in the Sun online BluePrints program and permits automating the process of securing Solaris systems.
Editor's note: it's very much betaware, see the analysis in the current Solaris Weekly Digest.
Adwids 0.8b1
Defense Worx, http://www.defenseworx.com
The Defense Worx Network Intrusion Detection System is a linux based IDS which performs TCP/IP traffic analysis to detect unauthorized traffic in near real-time. It includes a Java-based console to display alerts remotely and several open-source attack signatures.
Changes: Adwids now decodes DNS, detects port scans and sweeps and contains performance improvements.
exiscan v0.6
http://duncanthrax.net/exiscan
Exiscan is an email virus scanner which works together with the Exim MTA and McAfee's uvscan or Trend Micro's vscan. It is written in Perl and is designed to be as subtle and lightweight as possible. The special thing about exiscan is that it does not resend messages after scanning them, so that the process is fully transparent to the MTA and requires only minimal reconfiguration of Exim.
Changes: A glitch was fixed in the dequeuing process that, in rare cases, caused more than one message to be dequeued at once, resulting in a stale header file with only the "X-Scanner" line in it.
nrm v0.9
Octavian Popescu, http://hideout.art.ro
nrm is a small linux utility which can, under some circumstances, recover almost 99% of your erased data (similar to DOS's undelete).
Changes: Numerous bugfixes and cosmetic changes have been added. The command-line support has been enhanced and a man page was added.
Webalizer 2.01-05
NevaLabs (Claudio Neves), http://www.mrunix.net/webalizer
Webalizer is a web server log analysis program. Written in C to be extremely fast and highly portable, Webalizer supports standard Common Logfile Format server logs, generates reports that can be configured from the command line, supports multiple languages and can be used with unlimited log file sizes or with partial logs (rotating logs).
Changes: several bugs have been fixed, configure allows specification of the default config directory, configuration options have been added for DailyGraph and DailyStats, visit calculation improved, DNS lookup capability added, ability to dump Sites added, username analysis added, support for squid proxy logs added, ability to group domains, user configurable search engine specifications.
Refugee devel: 0.98
http://freshmeat.net/projects/refugee/
Refugee is a file encryption utility. It implements Blowfish and Rijndael and is portable between big and little endian platforms. It supports key sizes from 32-448 bits and gives the user many ways to make keys.
The development version 0.98 is available.
Changes: some bug fixes, a new option "-q" has been added, steganography programs have been added (currently hide and seek only work with 8 bit png files) and a wipe program has been added.
Zorp 0.5.24
Balazs Scheidler, http://www.balabit.hu/products/zorp
Zorp is a new generation proxy firewall suite running on Linux platforms. Its core framework allows the administrator to fine-tune proxy decisions (with its built in script language), fully analyze complex protocols (like SSH with several forwarded TCP connections) and utilize outband authentication techniques (unlike common practices where proxy authentication had to be hacked into the protocol). FTP and HTTP protocols are fully supported with an application-level proxy.
Changes: version 0.5.24 released.
security-script v0.06
Peter Halliday, http://halliday.wl.vg/scripts
security-script is a port of FreeBSD's /etc/security script. It checks many aspects of your system's security and then emails you with the results. Checks include finding setuid files and directories, accounts with uid 0, the count of the firewall rules set up to deny or reject, checks for failed logins, and checks for rejected connections.
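Three of the checks listed for security-script (extra uid-0 accounts, setuid/setgid files, failed logins), as an added Python example that is not security-script's or FreeBSD's own code. The passwd excerpt and the sshd log lines are constructed; the log format is the one sshd writes to syslog for rejected password logins, and the report body is what such a script would mail to the administrator.

```python
import os
import re
import stat
from collections import Counter
from typing import Dict, List, Tuple

# Constructed /etc/passwd excerpt: "backup" is a second uid-0 account that the
# check should flag. All entries are made up for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed syslog lines in the format sshd uses for rejected logins.
SAMPLE_AUTHLOG = """\
Oct 13 10:22:01 gw sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4410 ssh2
Oct 13 10:22:04 gw sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4411 ssh2
Oct 13 10:23:10 gw sshd[1301]: Failed password for alice from 203.0.113.5 port 50122 ssh2
Oct 13 10:25:00 gw sshd[1350]: Accepted password for alice from 203.0.113.5 port 50130 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def find_uid0_accounts(passwd_text: str) -> List[str]:
    """Every account with uid 0 other than root; normally this list is empty."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def find_setuid_files(root: str) -> List[Tuple[str, str]]:
    """Regular files under root with the setuid or setgid bit, as (path, octal mode)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while walking
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def count_failed_logins(log_text: str) -> Dict[Tuple[str, str], int]:
    """Failed password attempts, counted per (user, source address)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return dict(counts)


def build_report(passwd_text: str, log_text: str, scan_root: str) -> str:
    """Plain-text report body, one section per check."""
    lines = ["== extra uid-0 accounts =="]
    lines += find_uid0_accounts(passwd_text) or ["(none)"]
    lines.append("== setuid/setgid files under %s ==" % scan_root)
    lines += ["%s %s" % hit for hit in find_setuid_files(scan_root)] or ["(none)"]
    lines.append("== failed logins ==")
    failed = count_failed_logins(log_text)
    lines += ["%s from %s: %d" % (u, src, n)
              for (u, src), n in sorted(failed.items())] or ["(none)"]
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host read /etc/passwd and the auth log instead of the samples.
    print(build_report(SAMPLE_PASSWD, SAMPLE_AUTHLOG, "/usr/local/bin"))
```

As with FreeBSD's /etc/security, the useful output is the change from yesterday's run, so keep the previous report and mail a diff; a setuid list that is long but unchanged is noise, while one new entry is the finding.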
Pad v1.0.4
xercist, http://freshmeat.net/projects/pad/
PAD is a small command-line utility to separate data into multiple files, each mathematically indistinguishable from white noise, and to reassemble them into the original.
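The splitting PAD describes is an n-of-n XOR secret-sharing scheme; here it is as an added Python example (not PAD's own code, whose file format and key handling I do not know). All but one share are fresh random bytes, the last is the data XORed with all of them, so each share alone is uniformly random and the original only comes back when every share is present.

```python
import os
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_shares(data: bytes, n: int) -> List[bytes]:
    """Split data into n shares. n-1 shares are random bytes from the OS CSPRNG
    and the last is data XOR all of them, so any n-1 shares are pure noise and
    all n are required to recover data (an n-of-n scheme, not a threshold scheme)."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(data)) for _ in range(n - 1)]
    last = data
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def reassemble(shares: List[bytes]) -> bytes:
    """XOR every share together; with all shares present this is the original data."""
    if not shares:
        raise ValueError("no shares given")
    out = shares[0]
    for share in shares[1:]:
        out = xor_bytes(out, share)
    return out


def write_shares(data: bytes, n: int, prefix: str) -> List[str]:
    """PAD-like file interface: write <prefix>.0 ... <prefix>.<n-1> and return the paths."""
    paths = []
    for i, share in enumerate(split_into_shares(data, n)):
        path = f"{prefix}.{i}"
        with open(path, "wb") as fh:
            fh.write(share)
        paths.append(path)
    return paths


def read_shares(paths: List[str]) -> bytes:
    """Read share files written by write_shares and reassemble the original."""
    shares = []
    for path in paths:
        with open(path, "rb") as fh:
            shares.append(fh.read())
    return reassemble(shares)


if __name__ == "__main__":
    secret = b"constructed sample data for the splitting example"
    parts = split_into_shares(secret, 3)
    assert reassemble(parts) == secret
    # a missing share leaves only noise: XOR of the other two is itself random
    assert reassemble(parts[:2]) != secret
    print("split into", len(parts), "shares of", len(parts[0]), "bytes each")
```

Two things a practitioner should note before relying on this: every share has the length of the original, so the length of the data is not hidden, and because it is n-of-n rather than a threshold scheme, losing any one share destroys the data as surely as losing the key to a cipher. The secrecy rests entirely on the randomness source (os.urandom here) and on the shares being stored apart from each other.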
Note: tools announced on SecurityFocus are not necessarily updates or new or free, it's just that someone posted an announcement. We try our best to only notify you of new or updated, free, tools.
Multiscan 0.6
Karl Söderström, http://sourceforge.net/projects/multiscan
Multiscan is a simple portscanner coded in C and running under Linux, which allows you to scan a range of IP addresses.
SILC (Secure Internet Live Conferencing) 20001009
Pekka Riikonen, http://silc.pspt.fi
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. Strong cryptographic methods are used to secure all traffic. SILC has been coded and tested under Linux platforms but has not been tested on other Unix platforms.
Changes: Some errors have been fixed in the protocol specification drafts. In the application itself: the notify client operation has been changed to fit better with the messages sent by the server, and the public keys have been changed to comply with the protocol specification (old public keys are not supported anymore and are not compatible). This new version is not compatible with older versions.
IDSA 0.75
Marc, http://jade.cs.uct.ac.za/idsa
IDSA is an Intrusion Detection System running on Linux platforms that tries to integrate a host-based intrusion detection system into the host/operating system infrastructure.
The system is currently incomplete (some features have not been implemented). It can be used as a system logger and tcpd (tcp wrapper) replacement.
Fireparse 1.9
Aaron D. Marasco, http://aaron.marasco.com/linux.html
fireparse is a Perl script that emails a report of all packets that have been logged by the kernel's ipchains packet filtering subsystem. The report includes source and destination ports, direction, packet count, ipchains rule, and fully resolved host name (if available) and can be formatted as plain text or as a colored HTML table.
SDSC/GT Secure FTP
Gary Cohen and Brian Knight, http://www.glub.com/products/secureftp
Secure FTP is a Java client package that allows for a secure connection to be made to an FTP daemon via SSL.
PIKT - Problem Informant/Killer Tool 1.12.0pre3
Robert Osterlund, http://pikt.uchicago.edu/pikt
PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
Knetfilter 1.2.1
Luigi Genoni, http://expansa.sns.it/knetfilter
Knetfilter is a KDE 1.X frontend to iptables, used with Linux kernels 2.4.0 and up to manage the netfilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 13 October, 2000