Weekly Security Tools Digest
2000/12/02 to 2000/12/08

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include: Mindterm, GnuPG, SSHD for NT, BIND9.

Auditing and Intrusion Monitoring tools include Snort and 7 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include IPchains and 6 other tools.

Tools for Linux/Unix/Cross Platform: 9 tools this week.

Tools for Windows include the Random Number Generator Pro.


General Tools

SSH

Mindterm is a complete SSH client in pure Java. It can be used either as a standalone Java application or as a Java applet. Three packages of importance are provided (terminal, SSH, and security). The terminal package is a rather complete VT102/xterm terminal, and the SSH package contains the SSH protocol and also "drop-in" socket replacements to use SSH tunnels transparently from a Java application/applet. It also contains functionality to realize an SSH server. Finally, the security package contains RSA, DES, 3DES, Blowfish, IDEA, and RC4 ciphers.

• Changes: Fixed bug in HTTP proxy code (a "sloppy" response header was parsed incorrectly). Fixed bug in terminal "select all" after a backwards drag-select (selection wasn't cleared when deselected). Fixed X11 channels in ssh2 code. Fixed bug in ssh2 kex method diffie-hellman-group-exchange-sha1, which didn't request the correct group order (thanks to Niels Provos for pointing this out). Fixed code in ssh1 that triggered an odd bug in MS's JVM jview (causing ArrayIndexOutOfBoundsException in the Blowfish and 3DES ciphers). Fixed bug when connecting through the "Settings Dialog", where settings couldn't be saved (thanks to Jade Cravy for pointing this out). Fixed bug where the correct CHANNEL_OPEN_FAILURE was not sent to draft-incompatible servers.
• Note: the available versions are currently only demos. Sources and old code will be available soon, as the web pages are being restructured. The license for the ssh2 package has not yet been decided but will be before the end of this year.

 

PGP

• Changes: GnuPG security patch released for GnuPG 1.0.4. This patch fixes a serious bug which could lead to false positives when checking detached signatures.

 

BIND 9.1.0b1
Internet Software Consortium
http://www.isc.org/products/BIND/bind9-beta.html

Comment: Although the famous DNS server is not a security tool, we will inform you of updates as it is a critical element of TCP/IP networks and several security extensions are included in the new BIND9.

BIND 9.1.0b1 is the first beta release of BIND 9.1.0. It includes a number of new features:

There are a few known bugs:


Auditing and Intrusion Monitoring Tools

Snort
http://ww.snort.org

Windows version of the lightweight network intrusion detection system.
• Changes: new beta release: snort-1.6.3-patch2-win32, including the following enhancements: updated the WIN32 port to the new 1.6.3 code base. Added the -s bug handling patch into rules.c. Snort now actually starts Winsock, because it does a getprotobynumber() lookup, which needs Winsock to be started; only Winsock 1.1 is started, which should satisfy the masses. Decided to add service code for the -D option in the next version. Possibly fixed the problem reported on Windows Advanced Server in which it was not possible to specify the adapter to bind to; further tests are necessary.

 

FreshMeat

X-SARte 1.0
Ralf Wiegand and Todd Fraser
http://www.x-sarte.com

X-SARte, or Systems Activity Reporter and Traffic Examiner gathers system statistics and displays them on easy-to-read graphs. By using X-SARte's easy-to-use Web front end, these graphs can be quickly accessed with any Web browser that supports PNG images. Possible uses for X-SARte include diagnosing system performance issues, keeping track of system and network load, detecting possible cracking attempts, performance tuning of your systems, finding rogue programs, finding peak and low points of system usage, finding possible problems with network configuration or hardware, and checking to see when upgrades are needed.
• Remark: version 1.0 is free and is a modified version of the Open Source utility SARGE by Ed Finch. Version 2.0 costs $29.95 but can be tested for a 60-day trial period.

 

Uptime Client 4.14 - Devel: 4.16
Alex de Haas
http://uptimes.atomicvoid.net

Uptime Client is a little program that keeps track of your uptime and sends it to a server where you can compare it to many other hosts and browse through various statistical information.

 

PACT 0.9c
Garry Glendown
http://pact.insider.org

PACT is a software package to do complete port accounting for SNMP-manageable devices like routers, hubs, and switches. Administration is done using an HTML interface with dynamic data fed through PHP and MySQL database backend.

 

PacketStorm

Adwids 0.8b2
Defense Worx
http://www.defenseworx.com

The Defense Worx Network Intrusion Detection System is a Linux based IDS which performs TCP/IP traffic analysis to detect unauthorized traffic in near real-time. It includes a Java-based console to display alerts remotely and several open-source attack signatures.
• Changes: the version 0.8b2 includes bug fixes in the sensor and speed improvements. The Java GUI has been changed.

 

Netwatch 0.9h
Gordon MacKay
http://www.slctech.org/~mackay/netwatch.html

Netwatch allows monitoring of an Ethernet segment or PPP line and examining activity on the network, highlighting hostnames in colors to indicate activity on the bus network based on time. The monitor includes packet statistics and a TOP mode which gives a sorted list of hosts based on IP usage. All info is updated on a per-second basis.
• Changes: New features include configuration files for logging and colors, a passive mode for logging, a Netbus and Back Orifice packet watch, Mac-Ethernet Address watch, HTTP and FTP server types.

 

Spoofaudit 0.1.3
Ghede
http://spoofaudit.op.nu

SpoofAudit is a Perl tool which helps you determine what basic spoofing filters are present between two test points on two networks, and what anti-spoofing filters are missing. It is designed to work between endpoints that would not normally have any filtering between them except for anti-spoofing filters. Spoofaudit requires the Net-RawIP Perl module.

 

Qaudit.pl
Vade79
http://www.fakehalo.org

Qaudit.pl is a script for quickly auditing .c and .cc source files for stack and heap overflows, format bugs, exec calls, environment variables, and misc functions which often have security issues.


Firewalls for UNIX/Linux/BSD & Cross-platform

Knetfilter 2.0.1
Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the netfilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.
• Changes: new version 2.0.1 released, a stable version for KDE2. Knetfilter 1.2.X for KDE1 will still be maintained, but only for bug fixes; no more features will be added to the 1.2.X versions. The latest stable version for KDE1 is 1.2.3.

 

Smoothwall 0.9.6
http://sourceforge.net/projects/smoothwall

SmoothWall is a popular Linux Distro cut down to a complete minimal automated installation providing out of the box security & functionality as a router & firewall managed by platform independent web browsers. No prior Linux experience required.
• Changes: Included for the first time in a SmoothWall release are the following: 1) SSH for remote access managed by the SmoothWeb interface; 2) increased management logging of all processes and services; 3) support for up to 5 ISP dial-in accounts (as requested by many); 4) new-look front end with new color scheme; 5) menu bar for ease of navigation; 6) DHCP modifications; 7) inclusion of Rawrite and RawWrite for Win for those unable to use dd; 8) modifications and bug fixes in the calendar engine.

 

FreshMeat

EasyChains 0.9.3 Release 2 (devel)
Dejavo
http://dejavo.homepage.com/djvlinux.html

EasyChains is a very easy-to-use GUI for the console firewall script. It makes it easy to make a custom firewall using the script generator or you can add custom rules and remove rules from a numbered list.
• Some features: EasyChains lets you easily add and remove rules. It can generate rules by asking simple questions during the process about the ports, whom to open them for, etc. It includes a console monitoring script that logs all connections (IP, time, port and status) to a logged port.

 

IPchains-firewall 1.7.3
Ian Hall-Beyer
http://firewall.langistix.com

IPchains-firewall is an easily-configurable shell script to establish masquerading and firewalling rules using IPchains. The script self-configures out of the box for IP addresses, netmasks, and interfaces. All that is needed is a command line specification of external and internal interface names. It automatically determines type of firewall to set up (standalone, routing, or masquerading) based on interface IP addresses. The distribution also includes a copy of midentd, to enable identd over the masqueraded network.
• Changes: added blocks for LDAP, Kerberos and CIFS

 

Seattle Firewall 3.2.4
Tom Eastep
http://seawall.sourceforge.net

The Seattle Firewall is an IPchains firewall that supports IP masquerading and can be used on a standalone system, on a dedicated firewall system, or on a multi-use gateway/server. It supports VPN via IP tunnels, IPSec, and PPTP. It is easily configurable by editing configuration files, and can be extended without modifying the base product. It also includes real-time monitoring with an audible alarm that sounds when suspect packets are detected.
• Changes: version 3.2.4 is a bug-fix release of Seattle Firewall and corrects the following known problems in version 3.2.2: version 3.2.2 (and LRP version 3.2.3) failed to start on systems that have a DMZ configured and that have IP installed. The installation of Coyote LRP failed. Seattle Firewall failed to start on systems with pptpserver set. Seattle Firewall was incompatible with the version of "grep" released with Coyote (Seattle Firewall assumes that grep searches for regular expressions while Coyote grep only searches for strings). It broke dial-up. Restarting the firewall when masquerading an IPSec tunnel results in the message: IOCADDRT: File exists. A "seawall stop" command will cause subsequent attempts to obtain an IP address via DHCP to fail. More information about these bug fixes is at http://seawall.sourceforge.net/errata.html.

 

SecurityFocus

IPchains Firewalling Module for Webmin 0.83.1
Tim Niemueller
http://www.niemueller.de/webmin/modules/ipchains

The IPchains Firewalling Module, part of the RockSolid Linux Distribution, allows you to easily maintain a firewall based on IPchains with the Webmin look and feel. It has three modes: Newbie (select one of five security levels), Template (define from a table with protocols and directions what should be allowed to pass your firewall), and Expert (have the real IPchains experience by having every parameter under control by editing a script file which has all IPchains rules). Nearly all of the IPchains options are supported.

 

Gibraltar Firewall 0.91a
Rene Mayrhofer
http://www.gibraltar.at

Gibraltar is a Debian-based router/firewall distribution, fully workable from a bootable, live CD-ROM. Log files can be stored on a hard-disk, and configuration data is stored on a floppy disk and kept on a RAM disk during run-time. It runs directly from the CD-ROM. The official ISO images of Gibraltar can be used freely but commercial distribution is restricted.

 

Firewall Log Daemon 1.1
Ian Jones
http://www.speakeasy.org/~roux/dmn

Firewall Log Daemon provides two programs, chaindaemon and tabledaemon, that you can choose between, depending on your firewall type (IPchains or IPtables-netfilter). The program will start a small daemon process that parses and resolves firewall logs in real-time by reading a FIFO that syslog writes to. It will queue a batch of alerts and mail them to you. It features hostname, port, protocol, and ICMP type/code lookup, with formatted output for easy reading.
• Changes: bug fixes and code cleanup.


Tools for UNIX/Linux/BSD & Cross-platform

TrustedBSD
http://www.trustedbsd.org

Version 0.5 of the ACL patches improves on the 0.4 release, including better handling of directories and fixes for chmod() interaction bugs involving the updated -CURRENT VADMIN changes. Further work is still required on the POSIX.2c utility set; this revision requires a FreeBSD 5.0-CURRENT source tree from 12/1/2000.

 

Exiscan v0.9
Tom Kistner
http://duncanthrax.net/exiscan

Exiscan is an email virus scanner which works together with the Exim MTA (http://www.exim.org). It is written in Perl and designed to be as unobtrusive and lightweight as possible. Exiscan relies on McAfee's uvscan or Trend Micro's vscan to do the actual scanning work.
• Changes: AVP Scanner support (thanks to Marcus Klein) and Sophos Sweep support (thanks to Chris Beauchamp).

 

OpenCA
Massimiliano Pala
http://www.openca.org

The OpenCA project is a collaborative effort to develop a full-featured interface layer on top of the currently available security-related and administrative toolkits, for the common operations of managing X.509 digital certificates (i.e. admission, verification, revocation, suspension, etc.). The project will therefore cover various aspects of administrative solutions for managing digital certificates and will use many different pieces of software available today in the Open Source community.
• Changes: a new series of updated OpenCA Perl modules is available for download. Don't update to the new versions unless you are a very skilled developer (especially for the DB module), as they are meant for the upcoming release and should be used only for testing; they are not fully compatible with current releases or SNAPs. The new modules can be downloaded at http://www.openca.org/docs/download.shtml

 

FreshMeat

Trustix Secure Linux 1.2
The Trustix Team
http://www.trustix.net

Trustix Secure Linux is a project to make a hardened Linux distribution for servers. It features FreeS/WAN, OpenSSL, OpenSSH, Apache w/SSL & PHP, Postfix, POP3 and IMAP with SSL support, ProFTP, ftpd-BSD, and PostgreSQL.

 

Antiroute 1.0
Neven Lovric
http://www.lovric.net/software/antiroute

Antiroute prevents and logs UDP-based route tracking. Programs like traceroute utilize the IP protocol `Time to live' field to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a host, or an ICMP PORT_UNREACH from the host itself. This is impossible if the target ports are open. Antiroute listens on ports used in UDP-based route tracking and determines the IP address, source port, and distance (in hops) of the host from which the trace is being performed.

 

PacketStorm

Freeswan 1.8
Linux FreeS/WAN Team
http://www.freeswan.org

Linux FreeS/WAN provides IPSec (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange) keying and encrypted routing daemon, allowing you to build secure tunnels through untrusted networks. It is compatible with other IPSec and IKE systems already deployed by other vendors, such as OpenBSD.
• Changes: this release features mostly stabilization changes due to the large amount of new code since the 1.5 release.

 

LibMix 120
Mixter
http://mixter.void.ru

LibMix is a library that provides an API for various useful functions, including an AES encryption interface, various network front-ends and low level datagram functions, as well as functions for string manipulations and other miscellaneous utility functions. It also includes functions to transmit encrypted data via stateless spoofed datagrams (tfntransmit/tfnread).
• Changes: added exclude database function, to add and match classless ranges of IP addresses (for network scanners, access control, etc.), added new packet headers, updated man pages.

 

Fpf
Fusys and Cyrax
http://www.pkcrew.org

FPF is an LKM for Linux which changes the TCP/IP stack in order to emulate other OSes' TCP fingerprints. The package contains the LKM and a parser for the Nmap fingerprint file that lets you choose directly the OS you want to emulate.

 

HttpTunnel 3.0.5
Lars Brinkhoff
http://www.nocrew.org/software/httptunnel.html

HttpTunnel creates a bi-directional data channel through an HTTP proxy, from your isolated computer behind a restrictive firewall, to a system on the Internet you have access to.
• Changes: bug fixes.

 

SecurityFocus

FormatGuard 1.0
Immunix
http://www.immunix.org/download2.html

FormatGuard is designed to provide a rapid, general solution to the large number of unknown format bugs expected to emerge in the next year. FormatGuard works by employing CPP's ability to distinguish macros with identical names but a different number of arguments.
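As an added illustration of the macro-overloading idea described above (this is example code, not FormatGuard's own implementation), the C snippet below counts the arguments handed to printf() with a variadic macro and refuses any format string that would consume more arguments than were supplied; the fg_ names and the nine-argument limit are assumptions of the example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>

/* Count how many arguments a format string will consume. "%%" is a literal
   percent sign, and a '*' in the width or precision consumes an extra argument. */
static int fg_count_directives(const char *fmt) {
    int n = 0;
    while (*fmt) {
        if (*fmt++ != '%') continue;
        if (*fmt == '%') { fmt++; continue; }
        n++;                                   /* the conversion itself */
        while (*fmt && !isalpha((unsigned char)*fmt)) {
            if (*fmt == '*') n++;              /* "%*d": width taken from an argument */
            fmt++;
        }
        if (*fmt) fmt++;                       /* skip the conversion (or length) letter */
    }
    return n;
}

/* The guard: a format wanting more arguments than the caller supplied is the
   hallmark of a format-string bug (directives smuggled in through user input). */
static int fg_check(const char *fmt, int nargs) {
    return fg_count_directives(fmt) <= nargs;
}

/* Checked replacement for printf(): nargs is the number of arguments after fmt. */
static int fg_printf(int nargs, const char *fmt, ...) {
    va_list ap;
    int written;
    if (!fg_check(fmt, nargs)) {
        fprintf(stderr, "format \"%s\" wants %d argument(s) but %d supplied; refused\n",
                fmt, fg_count_directives(fmt), nargs);
        return -1;
    }
    va_start(ap, fmt);
    written = vprintf(fmt, ap);
    va_end(ap);
    return written;
}

/* Argument counting in the preprocessor: the trailing numbers shift right by
   one per argument, so N lands on the count (limit of 9 is this example's choice). */
#define FG_NARGS_(_1, _2, _3, _4, _5, _6, _7, _8, _9, N, ...) N
#define FG_NARGS(...) FG_NARGS_(__VA_ARGS__, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)

/* From here on every printf() call in this file is rewritten into a checked one. */
#undef printf
#define printf(...) fg_printf(FG_NARGS(__VA_ARGS__) - 1, __VA_ARGS__)

/* The classic mistake: untrusted text used directly as the format string. With
   the macro in place this becomes fg_printf(0, untrusted), so any directive in
   the text is refused. Returns printf's result, or -1 when refused. */
static int fg_demo(const char *untrusted) {
    return printf(untrusted);
}
```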


Tools for Windows

SecurityFocus

Random Number Generator Pro 1.23
Segobit Software
http://www.segobit.com/rng.zip

Random Number Generator is a Windows-based application designed to generate random numbers. The program allows users to choose lower and upper limits and increments of the numbers. Limits can be positive or negative values. Users can exclude digits from generated random numbers. Random numbers can be edited and copied to the clipboard for pasting into other applications. Random Number Generator can print all random numbers or save them to a file. Random Number Generator will generate up to 9999 numbers at a time. It runs under Windows 2000, Windows 95/98 and Windows NT.


Note: tools announced on forums like SecurityFocus are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 07 December, 2000