Weekly Security Tools Digest
2000/10/28 to 2000/11/03

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.
Firewall tools are put in a separate section starting this week.


The Rundown

Updates to favourite free tools this week include: Snort tools, Nessus, PGP tools, Tripwire, SAINT, Ethereal, Security-Script and AMaViS.

Tools for Windows include E4M, IISUni.pl and AccountPolicy

Firewalls for UNIX/Linux/BSD & Cross-platform: IPfilter and some log analysis tools.

Tools for Linux/Unix/Cross Platform: 28 updates this week.


Favourite Tools

Snort
http://www.snort.org

Ruleset-retrieve is a new program that retrieves the latest rules from snort.org or WhiteHats and restarts Snort. Note that a tool which fetches rules from a remote site and reloads the sensor unattended trusts whatever that site serves, so check what it pulled before relying on it.

5n0r7 is a Snort alert-file parser. It reads an alert file, sorts the alerts by source IP, destination IP and frequency, and writes the summary to stdout, which makes portscans, probes and whatever else Snort logs easy to pick out.

SnortSnarf is a Perl program that takes files of alerts from the free Snort intrusion detection system and produces HTML output intended for diagnostic inspection and tracking down problems. The intended use is a cron job that produces a daily/hourly/whatever file of Snort alerts; the script is run on each such file to produce a convenient HTML breakout of all the alerts.
• Changes: modified alert parsing to accept the latest version of the full alert format as well as the old version; added a check that snortsnarf.pl is using the correct version of snort_alert_parse.pl; cleaned up page headers and footers for improved readability, with the Silicon Defense logo now present in the header (GIF file auto-generated); eliminated the need to specially name alert files in different formats, since the alert format is now automatically inferred (finally!); generated pages are now split across multiple directories to reduce the load on any one directory [suggestion by Chris Green and Dread Pirate Roberts]; added the -refresh=X option, which adds HTML that causes generated pages to reload in your browser every X seconds; ./include is now searched by snortsnarf.pl (but not by any CGIs) for its includes; added TRIUMF as a DNS lookup option; fixed a bug where certain pages were referenced as .html even if $html was set to 'htm'; new default input file for Windows; changes in SISR to better permit labelled set and incident files to be rolled over; SISR's automatic IP and network annotations upon labelled set creation now include a link to view the labelled set; SISR: fixed a bug in earliest_latest_times.pl in finding the latest time.
• More information from http://www.silicondefense.com/snortsnarf/Changes
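What 5n0r7 and SnortSnarf do at their core is parse the alert file and count. The following is an added example in that spirit, not code from either project: it accepts both the one-line "fast" alert style and the multi-line "full" style, summarises by source, destination and signature, and adds a crude portscan indicator (one source touching several destination ports). The sample alerts are constructed here; the rule names and [gen:sid:rev] numbers in them are placeholders, not real Snort signatures.

```python
import re
from collections import Counter, defaultdict

# Signature line: "[**] [gen:sid:rev] message [**]" (the [gen:sid:rev] part is optional).
SIG_RE = re.compile(r'\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(?P<msg>.*?)\s*\[\*\*\]')
# Address line: timestamp, optionally the signature and {PROTO} (fast format), then src -> dst.
ADDR_RE = re.compile(
    r'(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+'
    r'(?:\[\*\*\].*?\[\*\*\]\s*(?:\{(?P<proto>\w+)\}\s*)?)?'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s*->\s*'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?')
PROTO_LINE_RE = re.compile(r'^(TCP|UDP|ICMP)\b')

# Constructed sample: four fast-format alerts followed by two full-format alerts.
SAMPLE_ALERTS = """\
10/28-12:34:56.789012  [**] [1:100:1] EXAMPLE ICMP probe [**] {ICMP} 192.0.2.10 -> 198.51.100.5
10/28-12:34:57.100000  [**] [1:101:1] EXAMPLE SYN to port 21 [**] {TCP} 192.0.2.10:40001 -> 198.51.100.5:21
10/28-12:34:57.200000  [**] [1:102:1] EXAMPLE SYN to port 23 [**] {TCP} 192.0.2.10:40002 -> 198.51.100.5:23
10/28-12:34:57.300000  [**] [1:103:1] EXAMPLE SYN to port 80 [**] {TCP} 192.0.2.10:40003 -> 198.51.100.5:80
[**] [1:104:1] EXAMPLE WEB traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
10/28-12:40:00.000000 203.0.113.7:2222 -> 198.51.100.5:80
TCP TTL:51 TOS:0x0 ID:4711 IpLen:20 DgmLen:60

[**] [1:104:1] EXAMPLE WEB traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
10/28-12:40:01.000000 203.0.113.7:2223 -> 198.51.100.9:80
TCP TTL:51 TOS:0x0 ID:4712 IpLen:20 DgmLen:60
"""


def parse_alerts(text):
    """Return one dict per alert from fast-format or full-format Snort alert text."""
    alerts, pending_msg = [], None
    for line in text.splitlines():
        sig = SIG_RE.search(line)
        if sig:
            pending_msg = sig.group('msg')        # full format: the message precedes the address line
        m = ADDR_RE.search(line)
        if m:
            alerts.append({
                'ts': m.group('ts'), 'msg': pending_msg, 'proto': m.group('proto'),
                'src': m.group('src'), 'sport': m.group('sport'),
                'dst': m.group('dst'), 'dport': m.group('dport'),
            })
            pending_msg = None
            continue
        p = PROTO_LINE_RE.match(line)
        if p and alerts and alerts[-1]['proto'] is None:
            alerts[-1]['proto'] = p.group(1)     # full format: the protocol is on the following line
    return alerts


def summarize(alerts):
    """Counts by source, by destination and by signature (Counter.most_common gives frequency order)."""
    by_src = Counter(a['src'] for a in alerts)
    by_dst = Counter(a['dst'] for a in alerts)
    by_sig = Counter(a['msg'] or '(no signature)' for a in alerts)
    return by_src, by_dst, by_sig


def scanners(alerts, min_ports=3):
    """Sources that touched at least min_ports distinct destination ports: a crude portscan indicator."""
    ports = defaultdict(set)
    for a in alerts:
        if a['dport'] is not None:
            ports[a['src']].add(a['dport'])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def report(text):
    alerts = parse_alerts(text)
    by_src, by_dst, by_sig = summarize(alerts)
    lines = ['%d alerts' % len(alerts), 'top sources:']
    lines += ['  %-16s %d' % (ip, n) for ip, n in by_src.most_common(5)]
    lines += ['top destinations:'] + ['  %-16s %d' % (ip, n) for ip, n in by_dst.most_common(5)]
    lines += ['top signatures:'] + ['  %-40s %d' % (s, n) for s, n in by_sig.most_common(5)]
    lines += ['possible scanners: ' + (', '.join(scanners(alerts)) or 'none')]
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_ALERTS))
```

Run it against a real alert file by reading the file into `report()`; the format detection is per line, so a file that mixes both styles (as SnortSnarf now tolerates) is handled without being told which it is.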

 

Nessus
http://www.nessus.org
http://www.nessus.org/doc/detached_scan.html

The CVS version of Nessus now implements diff scans (reporting only what changed since the previous scan of the same target) as well as constant background scans with email notification. Nessus also permits a detached scan, that is, a scan that runs in the background on the server, disconnected from the client, so the client need not stay connected for the duration.
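The value of a diff scan is that a stable finding does not page you every night; only the delta does. The following added example (not Nessus code) shows the comparison and the notification step. It assumes a simplified pipe-delimited report format, one finding per line, which is a stand-in and not Nessus's own report format; the plugin identifiers in the sample are placeholders.

```python
from email.message import EmailMessage

# Constructed report format, one finding per line: host|port|plugin|severity|summary.
# This is NOT Nessus's own report format; it stands in for whatever the scanner emits.
OLD_SCAN = """\
198.51.100.5|22/tcp|EXAMPLE-1|INFO|SSH service detected
198.51.100.5|80/tcp|EXAMPLE-2|HOLE|Example web server hole
198.51.100.6|25/tcp|EXAMPLE-4|WARNING|Example mail relay warning
"""
NEW_SCAN = """\
198.51.100.5|22/tcp|EXAMPLE-1|INFO|SSH service detected
198.51.100.5|443/tcp|EXAMPLE-3|WARNING|Example TLS configuration warning
198.51.100.6|25/tcp|EXAMPLE-4|WARNING|Example mail relay warning
"""


def parse_findings(report_text):
    """Map (host, port, plugin) -> (severity, summary); the key is what makes a finding 'the same' across runs."""
    findings = {}
    for line in report_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        host, port, plugin, severity, summary = line.split('|', 4)
        findings[(host, port, plugin)] = (severity, summary)
    return findings


def diff_scans(old_text, new_text):
    old, new = parse_findings(old_text), parse_findings(new_text)
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    unchanged = sorted(old.keys() & new.keys())
    return added, removed, unchanged


def build_notification(added, removed, sender, recipient):
    """Return an EmailMessage describing the delta, or None when nothing changed."""
    if not added and not removed:
        return None
    msg = EmailMessage()
    msg['From'], msg['To'] = sender, recipient
    msg['Subject'] = 'Scan diff: %d new, %d gone' % (len(added), len(removed))
    body = []
    for title, bucket in (('NEW findings', added), ('Findings no longer present', removed)):
        if bucket:
            body.append(title + ':')
            for (host, port, plugin), (sev, summary) in sorted(bucket.items()):
                body.append('  %s %s %s [%s] %s' % (host, port, plugin, sev, summary))
    msg.set_content('\n'.join(body) + '\n')
    return msg


if __name__ == '__main__':
    a, r, u = diff_scans(OLD_SCAN, NEW_SCAN)
    note = build_notification(a, r, 'nessus@example.com', 'secops@example.com')
    print(note if note else 'no change')
```

One caveat when acting on the "gone" list: a finding that disappears may have been fixed, or the host may simply have been down or firewalled when the background scan ran, so treat a vanished HOLE as something to confirm rather than as closed.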

 

PGP

PGPacket analyzes and displays the contents of a PGP-encrypted file (or anything that follows the OpenPGP spec), showing the nature and contents of each packet (of course, the contents of many packets may be encrypted, and PGPacket does not decrypt).
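What a tool like PGPacket has to do first is walk the packet headers defined in the OpenPGP spec (RFC 2440): a tag octet, then an old-format or new-format length, then the body. The following is an added example, not PGPacket's code, that does that walk for a binary (already de-armored) stream, handles the new-format partial-body lengths, and decodes the one packet type whose body is plain, Literal Data; bodies of other packets are left opaque, as they are usually encrypted. The sample stream is hand-built here, not produced by PGP or GnuPG.

```python
TAG_NAMES = {
    1: 'Public-Key Encrypted Session Key', 2: 'Signature',
    3: 'Symmetric-Key Encrypted Session Key', 4: 'One-Pass Signature',
    5: 'Secret Key', 6: 'Public Key', 7: 'Secret Subkey', 8: 'Compressed Data',
    9: 'Symmetrically Encrypted Data', 10: 'Marker', 11: 'Literal Data',
    12: 'Trust', 13: 'User ID', 14: 'Public Subkey', 17: 'User Attribute',
    18: 'Sym. Encrypted Integrity Protected Data', 19: 'Modification Detection Code',
}


def _new_length(data, pos):
    """New-format length field at data[pos] -> (length, octets used, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], 'big'), 5, False
    return 1 << (first & 0x1F), 1, True          # 224..254: partial body length, more chunks follow


def parse_literal(body):
    """Literal Data body: format octet, filename length, filename, 4-octet date, then the data."""
    nlen = body[1]
    return {
        'format': chr(body[0]),
        'filename': body[2:2 + nlen].decode('utf-8', 'replace'),
        'date': int.from_bytes(body[2 + nlen:6 + nlen], 'big'),
        'data': body[6 + nlen:],
    }


def list_packets(data):
    """Walk a binary (not ASCII-armored) OpenPGP stream and describe each packet."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError('offset %d: bit 7 of the packet tag octet must be set' % pos)
        pos += 1
        new_format, partial = bool(ctb & 0x40), False
        if new_format:
            tag, body = ctb & 0x3F, b''
            while True:                          # partial bodies: chunk, chunk, ..., final chunk
                length, used, more = _new_length(data, pos)
                pos += used
                body += data[pos:pos + length]
                pos += length
                partial = partial or more
                if not more:
                    break
        else:
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                       # indeterminate length: body runs to end of input
                body, pos = data[pos:], len(data)
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + width], 'big')
                pos += width
                body = data[pos:pos + length]
                pos += length
        pkt = {'tag': tag, 'name': TAG_NAMES.get(tag, 'Unknown/Private'),
               'new_format': new_format, 'partial': partial, 'length': len(body), 'body': body}
        if tag == 11:
            pkt['literal'] = parse_literal(body)
        packets.append(pkt)
    return packets


# Constructed sample stream: a new-format Literal Data packet, an old-format Marker packet,
# and a new-format tag-9 packet using partial lengths (the spec requires larger first chunks;
# the decoder does not enforce that).
_LITERAL_BODY = b'b' + bytes([5]) + b'hello' + (0).to_bytes(4, 'big') + b'Hi there\n'
SAMPLE_STREAM = (
    bytes([0xC0 | 11, len(_LITERAL_BODY)]) + _LITERAL_BODY
    + bytes([0x80 | (10 << 2) | 0, 3]) + b'PGP'
    + bytes([0xC0 | 9, 224, 0xAA, 2, 0xBB, 0xCC])
)

if __name__ == '__main__':
    for p in list_packets(SAMPLE_STREAM):
        print('tag %2d %-40s %s-format %4d bytes%s' % (
            p['tag'], p['name'], 'new' if p['new_format'] else 'old',
            p['length'], ' (partial)' if p['partial'] else ''))
```

To run it on a real file, strip the ASCII armor first (the base64 between the BEGIN/END lines) or feed it a binary `.gpg`/`.pgp` file; the first thing a malformed or truncated input produces is the ValueError from the tag check, which is itself useful when triaging odd attachments.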

GnuPG.pm is a Perl interface to the GNU Privacy Guard. To communicate with gpg, this module takes advantage of the shared-memory coprocess interface offered by GnuPG. The Perl API can be used to encrypt, decrypt, sign and verify messages. It also offers basic key management.

PGPenvelope is an interface between Pine and GnuPG, the GNU Privacy Guard. It allows signing/encrypting/decrypting/verifying mail messages using GnuPG from within Pine. In addition to being a Pine filter, PGPenvelope tries to make the most of procmail so that signed messages need to be verified only once.

GPG4pine is a script that automatically encrypts/decrypts mail under Pine using PGP. It is compatible with PGP versions 2.6.3, 5.0 and 6.5.1 and with GnuPG 1.0, and has support for an aliases file and signature-rotating programs. It can also remember the passphrase for the duration of a session if needed.

PGPforwarder is a Perl server that accepts plain-text mail for users and sends it out encrypted. It allows a non-PGP-enabled person (e.g. a boss) to communicate with a PGP-enabled person (e.g. the IT development department). Note that the mail reaches the forwarder in clear text, so it protects only the leg from the forwarder onward; the forwarder itself has to sit on a trusted host and path.

PGP4pine is an interactive program for using encryption within the Pine email client. It is compatible with PGP 2/5/6 and GnuPG 1.0.

PinePGP provides PGP and GnuPG filters for pine. PGP versions 2.6.x, 5.x, and 6.5.x are supported.

BkGnuPG is an email plugin for the email software Becky! 2 beta.
• Changes: this version includes a manual in English and some tips.

 

Tripwire 2.3-47
Tripwire, Inc.
http://www.tripwire.org

Tripwire is a system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted, with optional email reporting. Additionally, support files (databases, reports, etc.) are cryptographically signed.
• News: Tripwire Open Source, Linux edition is now available. Tripwire, Inc. announces the availability of its Open Source product for the Linux operating system. The Linux Edition is hosted on VA Linux Systems' SourceForge. The open source code is functionally equivalent to Tripwire 2.2.1 for the Linux platform.
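The mechanism Tripwire implements is simple to state: record the properties of the files you care about, seal the record so it cannot be silently edited, and later compare. The following added example (not Tripwire code) does exactly that with a SHA-256 per file and an HMAC over the database; it assumes a scratch directory it creates itself and an inline example key. It reports added, removed and changed files and shows the seal rejecting a tampered database.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Example key only; a real deployment keeps the signing key (and ideally a copy of the
# baseline) off the monitored host, since a root-level intruder can read anything on it.
EXAMPLE_KEY = b'example-key-not-for-production'


def file_record(path):
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None                               # symlinks, devices etc. are out of scope here
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return {'size': st.st_size, 'mode': stat.S_IMODE(st.st_mode), 'uid': st.st_uid,
            'gid': st.st_gid, 'mtime': int(st.st_mtime), 'sha256': h.hexdigest()}


def snapshot(root):
    """Map relative path -> properties for every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rec = file_record(path)
            if rec:
                db[os.path.relpath(path, root)] = rec
    return db


def seal(db, key):
    """Serialise the database and append an HMAC, so tampering with the baseline itself is detected."""
    body = json.dumps(db, sort_keys=True).encode()
    return body + b'\n' + hmac.new(key, body, 'sha256').hexdigest().encode()


def unseal(blob, key):
    body, _, tag = blob.rpartition(b'\n')
    expected = hmac.new(key, body, 'sha256').hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError('baseline database failed integrity check')
    return json.loads(body)


def compare(baseline, current):
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    changed = {}
    for p in baseline.keys() & current.keys():
        diff = sorted(k for k in baseline[p] if baseline[p][k] != current[p][k])
        if diff:
            changed[p] = diff
    return {'added': added, 'removed': removed, 'changed': changed}


def demo():
    """Build a baseline in a scratch directory, tamper, and report. Returns (report, mac_detected)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w') as f:
                f.write(text)
        write('passwd', 'root:x:0:0:root:/root:/bin/sh\n')
        write('sshd_config', 'PermitRootLogin no\n')
        write('etc/hosts', '127.0.0.1 localhost\n')
        blob = seal(snapshot(root), EXAMPLE_KEY)
        # An intruder edits one file, deletes another and drops a new one.
        write('passwd', 'root:x:0:0:root:/root:/bin/sh\nhelpdesk:x:0:0::/:/bin/sh\n')
        os.remove(os.path.join(root, 'sshd_config'))
        write('newbinary', 'not really a binary\n')
        report = compare(unseal(blob, EXAMPLE_KEY), snapshot(root))
        # Flip one character of the sealed baseline: the MAC check must reject it.
        tampered = blob[:-1] + (b'0' if blob[-1:] != b'0' else b'1')
        try:
            unseal(tampered, EXAMPLE_KEY)
            mac_detected = False
        except ValueError:
            mac_detected = True
    return report, mac_detected


if __name__ == '__main__':
    print(demo())
```

The design point is the seal: without it an intruder who replaces a binary can also re-run the snapshot and overwrite the baseline, and the next check is silent. With the key held elsewhere (Tripwire uses passphrase-protected signing keys for the same reason) that edit is caught, which is why the database and its key should not live unprotected on the host they describe.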

 

SAINT v. 3.1
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN.
• New: the version 3.1 has been released.
• Changes: This version features a new custom scan level, giving you complete control over which probes SAINT will run, all from the graphical user interface. This version checks for the folder traversal vulnerability in IIS 4.0 and 5.0, JRun server vulnerabilities, iPlanet Directory Server and Certificate Management System, hex-encoded dot-dot-slash vulnerabilities in web servers, the dot-dot-slash vulnerability in Web+, and HTTP PUT vulnerabilities. The FAQ and documentation have been improved, including instructions on using rules/drop to ignore false alarms. The compilation problem on BSDI has been fixed.

 

Ethereal 0.8.13
Gerald Combs
http://ethereal.zing.org

Ethereal is a network protocol analyzer, or "sniffer", that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality packet analyzer for Unix, and the most useful packet analyzer on any platform.
• Changes: New dissectors include H.261, TPKT, and IGRP. RTP and RTCP were re-written. Many other dissectors were updated and improved. The wiretap library enables Ethereal to read Nokia-firewall tcpdump files, Shomiti Surveyor 3.x files, pppd log files (pppdump format), and NetXRay ATM files.

 

Security-script v0.1.1
Peter Halliday
http://halliday.wl.vg/scripts

Security-script is a port of FreeBSD's /etc/security script. It checks many aspects of your system's security and then emails you the results. Checks include finding setuid files and directories, accounts with uid 0, the count of firewall rules set up to deny or reject, failed logins, and rejected connections.
• Changes: this version checks for interfaces in promiscuous mode and for files with incorrect permissions. The umask is corrected to a more secure value, and many other checks were added. There are also other minor bug fixes and some changes to the howto.
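Two of the checks above (extra uid-0 accounts and setuid files) are worth seeing in code because they are the ones most often faked out by a sloppy grep. The following is an added example, not Security-script or FreeBSD's /etc/security: it parses a constructed /etc/passwd for uid-0 accounts other than root, empty password fields and duplicate uids, and walks a scratch directory it creates itself for set-id files. The promiscuous-interface check needs live interface state and is not shown.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd contents; the second uid-0 entry and the empty password field
# are the kind of thing a nightly check should flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
helpdesk:x:0:0:temporary:/:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/sh
"""


def check_passwd(passwd_text):
    """Flag uid-0 accounts other than root, empty password fields and duplicate uids."""
    findings, seen = [], {}
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append('line %d: malformed entry' % lineno)
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == '0' and user != 'root':
            findings.append('%s: uid 0 but not root' % user)
        if pw == '':
            findings.append('%s: empty password field' % user)
        if uid in seen:
            findings.append('%s: duplicate uid %s (also %s)' % (user, uid, seen[uid]))
        seen.setdefault(uid, user)
    return findings


def find_setid(root):
    """Regular files under root with the setuid or setgid bit, as (relative path, mode)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def demo_setid():
    """Create a scratch tree with one setuid and one ordinary file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (('su', 0o4755), ('ls', 0o755)):
            path = os.path.join(root, name)
            with open(path, 'w') as f:
                f.write('#!/bin/sh\n')
            os.chmod(path, mode)
        return find_setid(root)


if __name__ == '__main__':
    for finding in check_passwd(SAMPLE_PASSWD):
        print('passwd:', finding)
    for path, mode in demo_setid():
        print('setid:', path, mode)
```

For a real run, feed `check_passwd` the contents of /etc/passwd and point `find_setid` at `/`; the useful output is not the list itself but its diff against yesterday's, which is what the emailed nightly report is for.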

 

AMaViS - A Mail Virus Scanner  0.2.1
Christian Bricart
http://www.amavis.org

AMaViS is a mail virus scanner tool.
• Changes: version 0.2.1 has been released. Hints for sendmail M4 configuration have been added to the documentation. The TNEF detection and handling has been fixed (this obsoletes the recent patch). This version also includes general documentation updates.


Tools for Windows

E4M 2.02
Paul Le Roux
http://www.e4m.net

E4M is a program for Windows that encrypts the hard disk.
• Changes: version 2.02 for Windows has been released.
• News: an alpha version for Linux is in development.

 

IISUni.pl
Forix Business Solutions
http://www.forixnt.com/tools.html

This Perl code checks for IIS web servers, and then checks for susceptibility to the IIS Unicode Vulnerability that has recently been sweeping the security forums. This script is specific to English language servers.
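Both the SAINT checks above (hex-encoded dot-dot-slash) and IISUni.pl turn on the same point: a server that decodes the path after checking it for "..". The following added example (not IISUni.pl or SAINT code) is the defensive side of that: it canonicalises a request path the way a lenient server would, percent-decoding once and then decoding UTF-8 while accepting overlong sequences, and reports whether the result climbs above the document root. The request paths in it are constructed; it does not send anything.

```python
import re

_PCT = re.compile(rb'%([0-9A-Fa-f]{2})')


def percent_decode(path):
    """One pass of %XX decoding; the result is raw bytes because it may not be valid UTF-8."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path.encode('latin-1'))


def lenient_utf8(raw):
    """Decode UTF-8 the way a lenient server might: overlong sequences are accepted and reported."""
    out, i, overlong = [], 0, False
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b < 0xE0:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            need, cp = 3, b & 0x07
        else:
            out.append('\ufffd')
            i += 1
            continue
        cont = raw[i + 1:i + 1 + need]
        if len(cont) < need or any(c & 0xC0 != 0x80 for c in cont):
            out.append('\ufffd')
            i += 1
            continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        if cp < (0x80, 0x800, 0x10000)[need - 1]:
            overlong = True                      # e.g. C0 AF is an overlong '/', never legal UTF-8
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += 1 + need
    return ''.join(out), overlong


def analyze_path(request_path):
    """Canonicalise a request path and say whether it climbs above the document root."""
    text, overlong = lenient_utf8(percent_decode(request_path))
    text = text.replace('\\', '/')               # treat backslash as a separator, as IIS does
    depth, escapes = 0, False
    for seg in text.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                escapes = True
        else:
            depth += 1
    return {'decoded': text, 'overlong_utf8': overlong, 'escapes_root': escapes}


def suspicious(request_path):
    r = analyze_path(request_path)
    return r['escapes_root'] or r['overlong_utf8']


if __name__ == '__main__':
    # Constructed request paths in the shapes the scanners above look for.
    for p in ('/images/logo.gif', '/docs/../index.html',
              '/docs/%2e%2e%2f%2e%2e%2fetc/passwd',
              '/scripts/..%c0%af..%c0%afwinnt/win.ini',
              '/docs/..%5c..%5cboot.ini'):
        print('%-45s %s' % (p, analyze_path(p)))
```

The reason SAINT checks the hex-encoded and the Unicode forms as separate probes is visible here: a filter that looks for the literal string "../" sees neither `%2e%2e%2f` nor `..%c0%af`, so the check has to run on the canonical form, and an overlong sequence is worth flagging on its own even when the path stays inside the root.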

Packetstorm

devicelock
http://ntutility.com/dlme

Devicelock gives network administrators control over which users can access which removable devices (floppies, magneto-optical disks, CD-ROMs, ZIPs, etc.) on a local computer. It can protect networked and local computers against viruses, trojans and other malicious programs that are often introduced from removable disks. This version is for Windows 2000/NT; a Windows ME version is also available.

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

AccountPolicy 0.2
Darren Tucker
http://www.zipworld.com.au/~dtucker/accountpolicy.html

AccountPolicy allows setting of NT's User Account Policy of the local machine from the command line. It is almost functionally equivalent to the "Policy->Account" Menu in the User Manager tool, but is operated from the command line. It can set maximum and minimum password age, minimum password length, password history size, number of login attempts and time between them allowed before lockout, and the length that accounts are locked out. It can be used by domain logon scripts, at jobs, lockdown scripts and the like.


Firewalls for UNIX/Linux/BSD & Cross-platform

IP Filter 3.4.14
Darren Reed
http://coombs.anu.edu.au/~avalon

IP Filter is a TCP/IP packet filter suitable for use in a firewall environment. It can be used either as a loadable kernel module or compiled into a UNIX kernel; use as a loadable kernel module is highly recommended where possible. Scripts are provided to install and patch system files as required.
• Changes: this version includes round-robin redirection to spread traffic load over multiple IP addresses, load-splitting for redirection (splits IP traffic between two alternate destinations), Solaris 8 support, IPv6 support (ipf -6/ipfstat -6), save/restore of state and NAT information (ipfs), a "top"-style output option for ipfstat (ipfstat -t), destination and source address matching for map/rdr rules, and l4check (a program to monitor redirection destinations, for layer 4 load balancing).

 

FreshMeat

MonMotha's IPtables Masquerading Firewall 2.1.12 (devel)
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall/index.php

MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time the IP address changes, making it perfect for users with dialup connections. Many features, such as a built-in list of the root DNS servers (for people who run their own DNS servers), are available.
• Changes: The status reporting in SSH has been fixed as well as a parameter error in SSH. An option for hostbased AUTH support and an option to explicitly deny certain hosts have been added.

 

Pixlog 1.0
Matt Post
http://cs.calvin.edu/~mpost89/pixlog

Pixlog is a utility for logging INFO level log traffic from a Cisco PIX firewall. As tens of megabytes of data can be generated by a PIX firewall per minute, Pixlog cooperates with syslogd to parse the data as it comes in, saving the system from the huge log files that would otherwise make it impossible to view logging messages at the INFO level.

 

Fwlogsum 0.2
Rui Bernardino and Paul J. Ewing Jr.
http://fwlogsum.sourceforge.net

Fwlogsum is a generic, all purpose, flexible summarizer for Checkpoint's Firewall-1 logs. It has been implemented using standard Perl 5. The generated output is HTML including most of the graphics.

 

Fwlogstat 1.0
Rajeev Kumar
http://www.geocities.com/SiliconValley/Bit/9363

Fwlogstat helps system administrators to analyze Checkpoint FW-1 (4.0) Account Logs. The program can run from the command line (to process the raw ASCII account log) and after that a Web interface presents a nice report, based on various selection criteria.

 

SecuriTeam

Fwlogwatch-0.0.24
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Fwlogwatch analyzes the IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator.
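The log tools above all start from the same two steps: parse the filter's log lines, then either summarise them (Pixlog, Fwlogsum, Fwlogstat) or watch them in real time and react (Fwlogwatch's anomaly response). The following added example, which is not code from any of those projects, does both for lines in the ipchains "Packet log:" style: a per-source/per-port summary, and a sliding-window rule that emits one response record when a source is denied more than a threshold of times within a window. The log lines are constructed; timestamps are reduced to seconds within the day, so midnight rollover is not handled.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed syslog lines in the ipchains "Packet log:" style (kernel 2.2).
SAMPLE_LOG = """\
Oct 28 12:34:50 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4001 198.51.100.5:21 L=60 S=0x00 I=101 F=0x4000 T=51 SYN (#7)
Oct 28 12:34:51 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4002 198.51.100.5:22 L=60 S=0x00 I=102 F=0x4000 T=51 SYN (#7)
Oct 28 12:34:52 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4003 198.51.100.5:23 L=60 S=0x00 I=103 F=0x4000 T=51 SYN (#7)
Oct 28 12:34:53 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4004 198.51.100.5:25 L=60 S=0x00 I=104 F=0x4000 T=51 SYN (#7)
Oct 28 12:34:54 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4005 198.51.100.5:80 L=60 S=0x00 I=105 F=0x4000 T=51 SYN (#7)
Oct 28 12:34:55 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4006 198.51.100.5:110 L=60 S=0x00 I=106 F=0x4000 T=51 SYN (#7)
Oct 28 12:35:10 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:53 198.51.100.5:53 L=78 S=0x00 I=200 F=0x0000 T=64 (#9)
Oct 28 12:40:00 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:5000 198.51.100.5:23 L=60 S=0x00 I=201 F=0x4000 T=64 SYN (#7)
Oct 28 12:40:01 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.44:1234 198.51.100.5:80 L=60 S=0x00 I=300 F=0x4000 T=64 SYN (#2)
"""

LINE_RE = re.compile(
    r'^\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+kernel:\s+Packet log:\s+'
    r'(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)')


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # seconds into the day; good enough for a window, but a day boundary would need the date too
    d['t'] = int(d.pop('h')) * 3600 + int(d.pop('m')) * 60 + int(d.pop('s'))
    return d


def summarize(lines):
    """Denied packets per source and per destination port (most_common() gives frequency order)."""
    by_src, by_port = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec['action'] == 'DENY':
            by_src[rec['src']] += 1
            by_port[rec['dport']] += 1
    return by_src, by_port


def detect_floods(lines, threshold=5, window=60):
    """Sliding-window rule: a source denied `threshold` times within `window` seconds gets one response record."""
    recent, ports, alerted, responses = defaultdict(deque), defaultdict(set), set(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec['action'] != 'DENY' or rec['src'] in alerted:
            continue
        q = recent[rec['src']]
        q.append(rec['t'])
        ports[rec['src']].add(int(rec['dport']))
        while q and q[0] < rec['t'] - window:
            q.popleft()
        if len(q) >= threshold:
            alerted.add(rec['src'])              # respond once per source, not once per packet
            responses.append({'src': rec['src'], 'count': len(q), 'at': rec['t'],
                              'ports': sorted(ports[rec['src']]), 'action': 'propose-block'})
    return responses


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    by_src, by_port = summarize(lines)
    print('denied by source:', by_src.most_common())
    print('denied by port:', by_port.most_common())
    for r in detect_floods(lines):
        print('response:', r)
```

The response is deliberately a proposal rather than an executed rule: a filter that blocks whatever source address exceeds a threshold can be turned against you by spoofed packets, so anything automatic should at least honour a never-block list and a short expiry.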


Tools for UNIX/Linux/BSD & Cross-platform

FreshMeat

Calamaris 2.40
Cord Beermann
http://calamaris.cord.de/Welcome.html.en

Calamaris parses Squid and NetCache native logfiles and generates reports about peak usage, request methods, the status of incoming and outgoing requests, second- and top-level destinations, content types and performance.
• Changes: in this version 'nse' (Netscape Extended Logfile-Format) has been added to the manpage, a workaround-hint for reusing cache-files has been added. The manpage now describes v2.40 and later of Calamaris. The Netscape Extended-1/2 Logfile Format support has been improved and a seldom occurring problem with some perl-versions has been fixed.

 

BlindCrypt 0.3 (devel)
Hellraiser
http://www.ezkracho.com.ar

BLiND is a new encryption algorithm.

 

OpenCA PKCS#7 Tool 0.2.0
Massimiliano Pala
http://www.openca.org

The OpenCA PKCS#7 Tool (also known as SV or Sign & Verify) allows signature verification, chain certification, signature generation (either detached or non-detached), and signature modification from the detached form to the non-detached one.

 

Sol-Crypt 1.2
The 11th Angel
http://home.cyberarmy.com/angel11/download

Sol-crypt is a variation of the Solitaire encryption scheme (Bruce Schneier's playing-card cipher, published as an appendix to Neal Stephenson's Cryptonomicon). It can encrypt any file using a user-specified key.

 

PyCA 0.6.5
Michael Ströder
http://www.pyca.de

PyCA is a collection of scripts and CGI-BIN programs written in Python for setting up and maintaining a certification authority.

 

OpenCA 0.2.0-patch4 (devel)
Massimiliano Pala of OpenCA Developers Team
http://www.openca.org

The OpenCA Project is a collaborative effort to develop a robust, full-featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. OpenCA is based on many Open-Source Projects. Among the supported software is OpenLDAP, OpenSSL, Apache Project, Apache mod_ssl.

 

PPDD 1.2
Allan Latham
http://linux01.gwdg.de/~alatham/ppdd.html

PPDD is a Linux kernel driver that provides an encrypted filesystem. It is known to work with the 2.2.12-2.2.15 kernels.

 

Shsecret 20000619
David A. Madore
http://www.eleves.ens.fr:8080/home/madore/programs/#misc

Shsecret is an implementation of the "secret sharing" algorithm. This program will let you take a (secret) file and split it into N pieces such that any M of them can be used to reconstruct the secret, but less than M will give absolutely no information on the secret.

 

Blowfish
David A. Madore
http://www.eleves.ens.fr:8080/home/madore/programs/#misc

This is an implementation of the blowfish cipher that is supposed to be completely standard C and work on all architectures.

 

Encrypt 0.8
Suso Banderas
http://suso.suso.org/programs/encrypt

Encrypt is a program for turning plaintext words or strings into their encrypted forms in a variety of ways.

 

Sharesecret 0.2.0 (devel)
Stefan Karrmann
http://www.mathematik.uni-ulm.de/m5/sk/sharesecret.html

Sharesecret splits a secret into parts given a threshold t, such that at least t parts are needed to reconstruct the secret. If you have fewer parts you know only the length of the secret.
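Shsecret and Sharesecret both implement threshold secret sharing, and the property both describe (fewer than the threshold gives no information) is easier to believe once it is seen. The following added example, which is not code from either project, is Shamir's scheme over a prime field: the secret is the constant term of a random polynomial, each share is a point on it, and any t points recover the constant term by Lagrange interpolation. The last function shows why t-1 shares are worthless: for any guessed secret there is a share that makes the guess "correct". The secret and guess are constructed; the field prime and the use of integers rather than files are assumptions of this example.

```python
import secrets

PRIME = 2**521 - 1     # a Mersenne prime; secrets must be smaller, i.e. at most 64 bytes as an integer


def split_secret(secret, n, t):
    """Split integer `secret` into n shares of which any t reconstruct it."""
    if not 1 <= t <= n:
        raise ValueError('need 1 <= t <= n')
    if not 0 <= secret < PRIME:
        raise ValueError('secret out of range for the field')
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]   # f(0) = secret
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):               # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def _interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through `points`, mod PRIME."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares):
    """f(0) from any t shares. With fewer than t shares this still returns a value, just not the secret."""
    return _interpolate(shares, 0)


def share_consistent_with(partial_shares, guessed_secret, x):
    """Given t-1 shares and ANY guess for the secret, produce a t-th share that makes the guess correct.
    That such a share always exists is exactly why t-1 shares carry no information about the secret."""
    return x, _interpolate([(0, guessed_secret)] + list(partial_shares), x)


def demo():
    secret = int.from_bytes(b'attack at dawn', 'big')
    shares = split_secret(secret, n=5, t=3)
    ok = recover_secret([shares[0], shares[2], shares[4]]) == secret
    guess = int.from_bytes(b'defend at dusk', 'big')
    forged = share_consistent_with(shares[:2], guess, 3)
    fooled = recover_secret(shares[:2] + [forged]) == guess
    return ok, fooled


if __name__ == '__main__':
    print(demo())
```

Two practical notes: the shares must be generated with a cryptographic random source (hence `secrets`, not `random`), and the scheme on its own does not authenticate shares, so a corrupted or malicious share yields a wrong secret without any error; file-based tools pad and chunk the input, which is where Sharesecret's "you learn only the length" comes from.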

 

Chameleon file encryption 0.1
Ulli Meybohm
http://www.meybohm.de/os/chameleon.html

Chameleon is an experimental file encryption tool that uses a password-generated 2048-bit key with plaintext feedback, XOR chains with feedback, and a dummy-header system. It is designed to give encrypted files better resistance to brute-force and known-plaintext attacks.

 

SCAIN 2.0a1 (devel)
Patrizio Bruno and Daniele Ricci
http://scain.firenze.net

SCAIN (Simple Crypto Algorithm Ideated by a Novice) is a simple cryptographic algorithm that generates different output with the same input and the same password. It uses pass phrases and keys of 128, 256, 512, 1024, 2048 bits; the idea is to hide the key in the cipher based on the password.

 

Mcrypt 2.2.5
Nikos Mavroyanopoulos
http://hq.hellug.gr/~mcrypt

Mcrypt is a program for encrypting files or streams. It is intended to be a replacement for the old UNIX crypt. It uses well-known and well-tested algorithms like DES, BLOWFISH, TWOFISH, ARCFOUR, CAST-128, and more in several modes (CBC, CFB, etc.). It also has a compatibility mode with the old UNIX crypt and Solaris DES.

 

Libmcrypt 2.4.6
Nikos Mavroyanopoulos
http://hq.hellug.gr/~mcrypt

Libmcrypt is the library which implements all the algorithms and modes found in mcrypt. Unlike most encryption libraries, Libmcrypt does not try to have everything (random number generators, hashes, HMAC implementations, key exchange, public key encryption, etc.); it only implements an interface to block and stream encryption algorithms. Libmcrypt supports the algorithms Blowfish, Twofish, DES, TripleDES, 3-WAY, Safer-sk64, Safer-sk128, Safer+, Loki97, GOST, RC2, RC6, Mars, IDEA, Rijndael-128 (AES), Rijndael-192, Rijndael-256, Serpent, Cast-128 (known as Cast5), Cast-256, Arcfour and Wake. Block algorithms can be used in CBC, ECB, CFB and OFB modes (8-bit and n-bit, where n is the size of the algorithm's block length).

 

Samhain 0.9.5 - devel: 1.1.2
Rainer Wichmann
http://la-samhna.de/samhain

Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts.
• Changes: new development version.

 

Openwall Linux kernel patch 2.2.17-ow1
Solar Designer
http://www.openwall.com/linux

The Openwall Linux kernel patch is a collection of security "hardening" features for the Linux kernel. In addition to the new features, some versions of the patch contain various security fixes. The "hardening" features of the patch, while not a complete method of protection, provide an extra layer of security against the easier ways to exploit certain classes of vulnerabilities and/or reduce the impact of those vulnerabilities. The patch can also add a little more privacy to the system by restricting access to parts of /proc so that users cannot see what others are doing.

 

Packet Storm

Mimedefang 0.5
David F. Skoll
http://www.roaringpenguin.com/mimedefang

MIME Defanger is a flexible MIME e-mail scanner designed to protect Windows clients from viruses and other harmful executables. It works with Sendmail 8.10 / 8.11 and will alter or delete various parts of a MIME message according to a flexible configuration file.
• Changes: Bug fixes and a new "notify_sender" feature which notifies sender that e-mail has been modified.

 

Sscan 2k-pre6
Eth0
http://www.hwa-security.net

Sscan2k is a remote auditing tool which scans for more than 200 known, remotely detectable vulnerabilities. It features remote OS detection to avoid unnecessary bandwidth usage, a scripting language, modules, improved multiple-host scanning, and easy configuration.
• Changes: Bug fixes, enhancements, and more vulnerabilities checked for.

 

Pakemon 0.3.0b3
Keiji
http://www.sfc.keio.ac.jp/~keiji/ids/pakemon

Pakemon has been developed to share IDS components based on the open source model. The current version of Pakemon monitors all traffic on a network, searches for given data patterns in the traffic, and outputs session logs and summary logs of matched traffic. This is still a preliminary implementation, so there are many things to improve. Pakemon has been tested on RedHat Linux 6.2j, OpenBSD 2.7, FreeBSD 3.3 and NetBSD 1.4.

 

StJude_LKM-0.04
Tim Lawless
http://www.sourceforge.net/projects/stjude

Saint Jude LKM is a Linux Kernel Module for 2.2.11 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.
• Changes: fixed bugs, added a Makefile, hid the old execve better, added a homepage.
• Document: StJudeModel.pdf describes how the StJude kernel module stops local and remote exploits from being successful.

 

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

DBIx::Password 1.5
Brian Aker
http://tangent.org/DBIx-Password

DBIx::Password provides an abstraction layer for password maintenance. It is database independent and only overrides the connect method (so it basically behaves as DBI normally does). You provide a single virtual user name in the connect method and the module determines which database/which user/which password to provide.

 

User MONitor Daemon 0.3.5
Tomaj Vadasz
http://128.238.220.41/umond

Umond (User MONitor Daemon) is a simple interval-based monitoring program that checks UTMP records for new logins. It outputs new logins & logouts to the command prompt with several options. It runs on Linux, Solaris and UNIX platforms.

 

Malice 5.3.1
Natas
http://rsh.defacements.com

Malice is an anti-IDS CGI scanner and webserver information-gathering tool written in Perl. It scans for more than 230 vulnerabilities and directories, grabs the webserver banner, and more.

 

AssItch 2.6
Thomas Biege
http://www.suse.de/~thomas/tools

Assitch is a remote packet filter analyzer that detects IN and OUT rules by doing ACK scanning. (It is useless against stateful filters, which drop an ACK that belongs to no known connection.) Assitch is nearly 3 years old but still useful for debugging filter rules. It runs on Linux platforms.

 

EmailScan 0.12
Mat
http://emailscan.sourceforge.net

EmailScan is an e-mail scanner for Linux, Solaris and SunOS platforms. It monitors incoming multipart mail messages, checks file types and file names, and runs a virus scan. It works both with procmail for local delivery and can be invoked when mail is relayed.
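AMaViS, MIMEDefang and EmailScan all sit in the mail path and decide, per MIME part, whether an attachment may pass. The following added example (not code from any of those three) shows the two checks that matter most and how they differ: the file name's extension, which is cheap and which users defeat by renaming, and the payload's magic bytes, which catch the renamed executable. Flagged parts are replaced with a text notice in place, as MIMEDefang does, and a notice to the sender is built along the lines of its new "notify_sender" feature. The message and the "executable" bytes in it are constructed; the virus-scanner call that a real filter would add after these checks is not shown.

```python
import base64
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions a Windows client of the period would execute on a double-click; extend to taste.
DANGEROUS_EXT = {'.exe', '.com', '.bat', '.cmd', '.pif', '.scr', '.vbs', '.js', '.lnk', '.dll', '.hta'}

E_BYTES = b'MZ\x90\x00' + b'\x00' * 12          # constructed: the start of a DOS/PE header, nothing more
SAMPLE_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

see attached
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

%s
--BOUNDARY
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

%s
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just notes
--BOUNDARY--
""" % (base64.b64encode(E_BYTES).decode(), base64.b64encode(E_BYTES).decode())


def classify_part(part):
    """Reasons to distrust a leaf part: dangerous extension and/or executable magic bytes."""
    reasons = []
    name = part.get_filename() or ''
    ext = os.path.splitext(name)[1].lower()
    if ext in DANGEROUS_EXT:
        reasons.append('extension ' + ext)
    payload = part.get_payload(decode=True) or b''
    if payload[:2] == b'MZ':
        reasons.append('MZ executable header')       # catches invoice.exe renamed to photo.jpg
    return reasons


def defang(raw_message):
    """Replace every suspicious attachment with a text notice; return (message, report)."""
    msg = message_from_string(raw_message, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = classify_part(part)
        if reasons:
            name = part.get_filename() or '(unnamed)'
            report.append((name, reasons))
            part.clear_content()                   # drops the payload and all Content-* headers
            part.set_content('[attachment %s removed: %s]\n' % (name, ', '.join(reasons)))
    return msg, report


def sender_notice(msg, report):
    """The 'notify_sender' idea: tell the originator what was stripped (None if nothing was)."""
    if not report:
        return None
    notice = EmailMessage()
    notice['To'] = str(msg['From'])
    notice['Subject'] = 'Re: %s (attachments removed)' % msg['Subject']
    notice.set_content('\n'.join('%s: %s' % (n, ', '.join(r)) for n, r in report) + '\n')
    return notice


if __name__ == '__main__':
    cleaned, found = defang(SAMPLE_MAIL)
    print(found)
    print(cleaned.as_string())
```

Sender notification deserves a second thought before it is switched on: the From: address of a mail carrying a worm is frequently forged, so the notice goes to an innocent third party and, at volume, becomes a nuisance of its own.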

 

FK 0.3
Matthew Kirkwood
http://ferret.lmh.ox.ac.uk/~weejock/fk

FK is an application proxy suite designed for building IP gateways on Linux platforms. Ultimately, the intent is to provide a free software replacement for the TIS firewall toolkit.

 

SILC (Secure Internet Live Conferencing) 20001101
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. Strong cryptographic methods are used to secure all traffic. SILC has been coded and tested under Linux platforms but has not been tested on other Unix platforms.
• Changes: this new version contains a lot of changes and includes new features. More information: http://silc.pspt.fi/changes.txt


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 02 November, 2000