Weekly Security Tools Digest
2001/01/12 to 2001/01/18

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include PinePGP, BIND and TrustedBSD.

Auditing and Intrusion Monitoring tools include SnortSnarf, SAINT, Syslog-ng, LIDS and 4 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include IP-Filter, LogWatch, GShield, FloppyFw and 4 other tools.

Tools for Linux/Unix/Cross Platform include Ethereal, Crypto++, APG and 7 other tools.

Tools for Windows includes SecureStack and XploiterStat Pro.


General Tools

PinePGP

PinePGP provides PGP and GnuPG filters for pine. PGP versions 2.6.x, 5.x, and 6.5.x are supported.
• Changes: added support for encrypting to multiple recipients, and encrypting to yourself in addition to the previous behaviour. In file inegpgp.in, fixed the "recode" sed command - it was dropping "r"s from decrypted and/or checked messages when using GnuPG support. In file pinegpg, use 'sed' instead of 'awk'. The filter configuration in .pinerc has been changed (so users who are upgrading have to run a particular install script again). The temp directory has been changed to ~/.pinepgp; it is created by the install scripts if it does not exist. The documentation has been updated.

 

BIND 9.1.0
Internet Software Consortium
http://www.isc.org/products/BIND

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly re-distributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.
• Changes: BIND 9.1.0 is the first release of BIND 9.1. Compared to BIND 9.0, BIND 9.1 has a number of new features as well as numerous bug fixes and cleanups. BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND architecture. Features added since 9.0.x include: many BIND 8 features previously unimplemented in BIND 9, including domain-specific forwarding, the $GENERATE master file directive, and the "blackhole", "dialup", and "sortlist" options; forwarding of dynamic update requests, enabled by the "allow-update-forwarding" option; a new, simplified database interface and a number of sample drivers based on it (see doc/misc/sdb for details); support for building single-threaded servers for environments that do not supply POSIX threads; new configuration options "min-refresh-time", "max-refresh-time", "min-retry-time", "max-retry-time", "additional-from-auth", "additional-from-cache" and "notify explicit"; and faster lookups, particularly in large zones. BIND 9.1.0 also includes experimental implementations of a number of DNS protocol extensions still under development in the IETF. These include transparent processing of unknown RR types and use of the EDNS "DNSSEC OK" bit to explicitly enable DNSSEC processing in responses.

 

TrustedBSD Project
Robert Watson & Ilmar S. Habibulin
http://www.trustedbsd.org/downloads

TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). The targeted features include: an extensible and audited authorization framework for integrating third-party authorization modules, including general-purpose subject and object labeling and centralized policy management. Fine-grained capabilities for system functions so as to implement least privilege and reduce the risks of compromise. Mandatory access control for privacy and integrity, allowing FreeBSD to be used in environments hosting mutually suspicious parties and multi-level security models. Access control lists for the file system and other kernel resources, allowing fine-grained and manageable discretionary access control. Event auditing support, and a single-host modular IDS system to monitor security events and notify administrators in the event of irregularities.
• Changes: version 0.5.1 of the ACL patches has been released. This new version provides minor improvements over 0.5, but mainly serves to fix compiles on recent -CURRENT trees (which improve the stability of the extended attribute implementation), to add the setfacl implementation and to fix bugs in the acl_from_text() implementation. This patch requires a FreeBSD 5.0-CURRENT checkout from January 11, 2001.

 


Auditing and Intrusion Monitoring Tools

SnortSnarf
http://www.snort.org

SnortSnarf is a Perl program that takes files of alerts from the free Snort Intrusion Detection System and produces HTML output intended for diagnostic inspection and tracking down problems. Typically a cron job produces a daily/hourly/whatever file of Snort alerts; this script can be run on each such file to produce a convenient HTML breakout of all the alerts.
• Changes: SnortSnarf v011601.1 is a minor update to Silicon Defense's popular Snort alert browsing tool. These are the changes from the previous version: fixed the ordering of port numbers in links to log file names, which should always be correct now; adjusted parsing of Snort ICMP alerts to support the Snort 1.7 alert format, which eliminates the warning messages.

 

SAINT 3.1.3
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN.
• Changes: new vulnerability checks in this version: writable FTP /pub directory and /.nsf vulnerability in Lotus Notes HTTP server.

 

BigBrother 1.6d UNIX, 1.07c NT
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting these results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space, and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.
• Changes: minor changes since version 1.6c: in file www/help/bb-rep.html: the end period is now 31-12-2001 by default. In file src/bbd.c: fixed missing recovery message for certain OSs and in file src/bbpage.c: cleared up a debug message.

 

Syslog-ng 1.4.10 - devel: 1.5.2
Balazs Scheidler
http://www.balabit.hu/products/syslog-ng

Syslog-ng is a syslogd replacement, but with new functionality for the new generation. The original syslogd allows messages to be sorted only on the priority/facility pair; Syslog-ng adds the possibility to filter based on message contents using regular expressions. The new configuration scheme is intuitive and powerful. Syslog-ng includes filtering using regular expressions, log forwarding and hash-protected logging (planned in version 1.5). It is multi-platform and requires libol-0.2.17.
• Changes: in file configure.in: bumped the version number to 1.5.2. The integrated service name has been patched (by Matthew Crosby), and in Makefile.am the files strptime.c and strptime.h have been added to the distribution.

FreshMeat

LIDS 0.9.1 - Devel: 0.9.12 for 2.2.18
Xie Hua Gang and Biondi Philippe
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.
• Changes: new development version 0.9.12 of LIDS for kernel 2.2.18. Several bugs in the file ACL inheritance code have been fixed. Multiplatform support has been added to the Makefile. The initial LIDS FAQ documentation by Steve Bremer has been released.

 

Log2mail 0.91
Michael Krax
http://innominate.org/~krax

Log2mail sends an email to a specified address if a pattern in a logfile is matched. It runs as a daemon and is very configurable.

 

SpaceWatcher 1.5
Wayne Pascoe
http://www.penguinpowered.org.uk/scripts

SpaceWatcher is meant to be run from cron to keep an eye on your disk partitions and warn you by e-mail/sms if the amount of free space falls below a threshold that you set.

 

SecuriTeam

IFStatus 1.3
Rob Thomas
http://www.enteract.com/~robt/Tools

IFStatus is a promiscuous mode detector for Solaris. IFStatus was designed to detect Solaris 8 HME (Fast Ethernet) and QFE (Quad Fast Ethernet) interfaces that have been placed in promiscuous mode. IFStatus can be run from cron to keep a close watch on the attached interfaces. This version also detects sniffers attached to unplumb'd interfaces.
• Remark: first time in the Tools Digest.

 

PacketStorm

antiroute 1.1
http://www.lovric.net/software/antiroute

Antiroute prevents and logs UDP-based route tracking. Programs like traceroute use the IP `time to live' field to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a host, or an ICMP PORT_UNREACH from the host itself. The latter is of course impossible if the target ports are open. Antiroute listens on the ports used in UDP-based route tracking and determines the IP address, source port and distance (in hops) of the host from which the trace is being performed. Tested on Linux 2.2.13, SunOS 5.6, Digital UNIX 4.0, and FreeBSD 4.1.1-STABLE.
• Changes: syslog support has been added.


Firewalls for UNIX/Linux/BSD & Cross-platform

IP Filter 3.4.16
Darren Reed
http://coombs.anu.edu.au/~avalon

IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. It can be used either as a loadable kernel module or incorporated into a UNIX kernel; use as a loadable kernel module is highly recommended where possible. Scripts are provided to install and patch system files, as required.
• Changes: this version fixes a race condition in the flushing of state entries that are timing out, adds TCP ECN patches and logs all NAT entries created, not just those created via rules.

 

FwLogWatch-0.1.2
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

FwLogWatch analyzes IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator. FwLogWatch has the following modes: log summary mode, interactive report mode and real-time response mode.
• Changes: this new version includes various small fixes and some remaining problems in real-time response mode were fixed.

 

Ferm 0.0.13
Auke Kok
http://www.geo.vu.nl/~koka/ferm

Ferm compiles ready-to-go firewall rules from a structured rule setup. These rules are executed by the preferred kernel interface, such as IPchains or IPtables. Ferm also aids in modularizing firewalls, because it makes it possible to split the firewall into several different files which can be loaded at will, so you can dynamically adjust your rules.
• Changes: improved IPtables support with the following parameters: table, out-interface, tcp-option, mac-source, limit, limit-burst, all owner parameters, state, logging options, reject-with. Changed 'tos' into 'settos' to allow 'tos' matching in IPtables, and implemented the "!" operator.

 

Fw-alert
Rob Thomas
http://www.enteract.com/~robt/Tools

Fw-alert is a collection of two Perl scripts. These scripts, when combined with the FW-1 UserDefined alert option, provide syslog aware real-time alerts. When generating types and forms of alerts, the scripts are only as limited as syslogd.
• Remark: first time in the Tools Digest.

 

FreshMeat

GShield 2.0.1
R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.
• Changes: this new version includes: added a DNS chain to ease readability, moved the DMZ rule entrance lower in filtering, cleaned up logging output (SMB broadcasts are no longer logged) and added conf/open_ports for user-defined open ports.

 

FloppyFw stable: 1.0.9 - devel: 1.9.2
Thomas Lundquist
http://www.zelow.no/floppyfw

A Linux firewall on a single floppy.
• Changes: several changes from version 1.0.7: the initrd.gz filesystem is now made with (a lot) more inodes, which makes the PPPoE packages work. Added another example in the syslog.cfg file. The floppy file system now mounts with VFAT. The kernel is now compressed with UPX (http://upx.tsx.org). Moved libraries around a bit to save more space (from initrd to add.bz2). Changed syslog.cfg (added *.* entries for simplicity). Removed /dev/hd* and /dev/sd*; use mknod if you need the entries.

 

MmTcpFwd 0.5
Matthew Mondor
http://mmondor.rubiks.net

MmTcpFwd is a port forwarder daemon for Linux firewalls, a server which starts a standalone, non-root daemon per service. It can limit the number of connecting IPs and the number of connections per IP, automatically DENY IPs that exceed a connection threshold, or fake services a la portsentry. It uses a single configuration file.
• Changes: this new version includes several bugfixes and two security enhancements: proper error checking has been added around the functions that drop root privileges, so that the error is properly logged. The connection limit sanity checking code was rewritten around a better design. There is not only a list per port forwarder with one node entry per IP, but also a list of connected clients for every IP node, which permits more control and thus better security. This way the whole multithreading architecture can be controlled. When an IP address is to be denied, the children forwarding its connections exit properly, the connections are closed and the IP node entry is freed before the DENY command is applied. This ensures a much cleaner system despite many attacks; it now resists tcpflood.c much better. This new version also includes new features: the command used to DENY an IP address is now provided in the configuration file. This permits much better portability between 2.2 and 2.4 systems and more flexibility for the user. The message line sent to the client before DENYing an IP that connects to a fake service is now in the configuration file as well. Kernel transparent proxying is now properly supported without running as root. If set to resolve the hostnames of connecting IPs, it does so only once per active IP node, so if there are 10 connections from the same IP at the same time the hostname is resolved only once, which speeds things up.

 

rChains 200101171610
Curt Rebelein, Junior
ftp://ftp.rebby.com/pub/Linux/software/scripts/firewall

rChains is a highly detailed firewall script which implements many features including per host bandwidth monitoring w/ MRTG.

 


Tools for UNIX/Linux/BSD & Cross-platform

Ethereal 0.8.15
Gerald Combs and a lot of contributors
http://www.ethereal.com

Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers.
• Changes: Ethereal 0.8.15 has one of the biggest GUI changes in recent history; display filters can now be constructed via an easy-to-use point-and-click interface. Protocol dissectors now exist for: NFSv4, Mobile IPv6, X.25 over TCP, LAPBETHER, DEC LANBridge Spanning Tree Protocol, X.25 over LLC, Frame Relay, MTP3 User Adaptation Layer, and ISDN Q.921 User Adaptation Layer. Many other dissectors and core features were improved, and bugs were squashed. The wiretap library can now read Sniffer Frame Relay files. It is now possible to browse the anonymous CVS repository.

 

Pwchk 1.0
Rob Thomas
http://www.enteract.com/~robt/Tools

Pwchk is a tool that verifies and validates login accounts, including both local and NIS/NIS+ accounts. This is a nice "double check" to ensure that a created account is actually visible on a given host.
• Remark: first time in the Tools Digest.

 

Crypto++ 4.1
Wei Dai
http://www.eskimo.com/~weidai/cryptlib.html

Crypto++ is a free C++ class library of cryptographic schemes. Parts of the library are other people's code, repackaged into classes. It works on Linux, Solaris and UNIX.
• Changes: the new version 4.1 includes more support for the recommended elliptic curve parameters in SEC 2. Panama MAC and MARC have been added. Added IV stealing feature to CTS mode. Added support for PKCS #8 private key format for RSA, DSA, and elliptic curve schemes. Changed Deflate, MD5, Rijndael, and Twofish to use public domain code. Fixed a bug with flushing compressed streams. Fixed a bug with decompressing stored blocks. Fixed a bug with EC point decompression using non-trinomial basis. Fixed a bug in NetworkSource::GeneralPump(). Fixed performance issue with EC over GF(p) decryption. Fixed syntax to allow GCC to compile without -fpermissive. Relaxed some restrictions in the license.

 

APG - Automated Password Generator 1.1.6b
Adel I. Mirzazhanov
http://www.adel.nursat.kz/apg

APG is a tool set for random password generation. There is a standalone version that generates some random words of the required type and prints them to standard output, and there is a network version that consists of an APG server and an APG client. When a client's request arrives, the server generates some random words of a predefined type and sends them to the client over the network (according to RFC0972). APG uses two password generation algorithms: the Pronounceable Password Generation Algorithm (according to NIST FIPS 181) and the Random Character Password Generation Algorithm with 19 configurable modes of operation. The password length parameters are configurable, as is the number of generated passwords. It supports /dev/random. It makes the password generation service usable from any type of box (Mac, WinXX, etc.) that is connected to the network, and it can force remote users to use only allowed types of password generation.
• Changes: version 1.1.6b fixes the directory permissions, fixes the random segfault when run with the -s argument and fixes the random number generation error. The RNG now uses the local time with microsecond precision as its initial seed. An error that caused random APG crashes has been fixed. Support for /dev/random for seed generation has been added in this version.

 

FreshMeat

Cryptpw 0.4
Andreas Heil
ftp://ftp.linux-hq.de/pub/console/cryptpw

Cryptpw generates one-way-encrypted passwords with crypt. It's used for the CRYPT-PW in RIPE's database.
• Remark: first time in the Tools Digest.

 

PacketStorm

Ctk-dns-chroot 0.2
Cyril Bouthors
http://sourceforge.net/projects/ctk-dns-chroot

Ctk-dns-chroot is a small tool that helps set up BIND chrooted and running as an unprivileged user.

 

SecurityFocus

IDSA 0.90.3
Marc Welz
http://jade.cs.uct.ac.za/idsa

IDS/A is an experimental interface between applications and a daemon which functions as system logger, reference monitor, and soon intrusion detection system. IDS/A is not yet complete, but can already be used as a system log replacement with extra neat features such as automatic log rotation. It also ships with two example applications which demonstrate how the system can be used to block basic banner-grabbing port scanners or CGI scanners. It runs under Linux platforms.

 

Sun Enterprise Network Security Service (SENSS)
Bruce Development Team (Sun)
http://www.sun.com/software/communitysource/senss

SENSS "Bruce" is a flexible, Java-based infrastructure that permits centralized security management of small, medium and large-sized intranets. The Bruce software provides you with a network service daemon that should be installed on each host in your network; these daemons are linked together in a hierarchy of trust.  This hierarchy may be used for the distribution and execution of digitally-signed packages containing (java, binary, or script) code that may be used to check and fix host security issues in a bulk, batch-oriented manner. Execution requests are likewise digitally signed, replay attacks are prevented, and network communications are secured by access-control lists and pluggable authentication and secrecy modules.

Comment: This is not completely free...

 

GTunnel 1.0
George Turner
http://www.securityfocus.com/tools/1908

GTunnel is a utility that uses ssh and ppp to create secure tunnels. Features include built-in routing and optional public/private key configuration. Written in Perl.


Tools for Windows

SecurityFocus

XploiterStat Pro 2.7.1.27
Simon Steed
http://www.xploiter.com/xploiterstat

XploiterStat Pro is a shareware network management tool in a similar vein to the DOS program 'Netstat.exe', i.e. it shows all the connections to your machine, listening ports (identifying trojans) etc., allowing you to see which TCP/UDP and ICMP connections are present on your machine. This is the latest release of the program formerly known as Totostat Enhanced. It can be used by networking professionals to determine what connections are on the machine at any time, along with all the ports that may be listening (i.e. services, trojan horses etc.). It runs under Windows 2000, Windows 95/98 and Windows NT.

 

SecureStack 1.0
SecureWave
http://www.securewave.com/html/secure_stack.html

SecureStack 1.0 is capable of protecting Windows NT/2000 systems from buffer overflow attacks. Buffer overflow attacks are one of the biggest security threats on the Internet today. A recent survey published in Information Security magazine found that 24% of all US companies suffered a "buffer overflow" attack in the year 2000. Buffer overflow exploits provide ideal conditions for attackers to take control of your corporate network. SecureStack exists in two versions: the Free version, which only detects buffer overflows, and the Pro version, which detects buffer overflows and protects the system.

 

WinScan
Patrick Parson
http://members.nbci.com/pparson58/Winscan.html

WinScan is a security tool for Windows. It is a port scanner that aspires to evolve into a multipurpose security tool. Currently WinScan is available in three versions. The Freeware version provides good general purpose scanning.


Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 18 January, 2001