Weekly Security Tools Digest
2001/03/02 to 2001/03/08

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include mod_ssl and Tripwire.

Auditing and Intrusion Monitoring tools include Snort and 2 Snort tools, PIKT, BigBrother, MergeLog, ScanSSH and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include FloppyFw, IPtables Linux Firewall, Iridium, Knetfilter and Firestorm Firewall Monitor.

Tools for Linux/Unix/Cross Platform include Mozilla NSS, Ethereal, Sectar, OpenCL and 5 other tools.

Tools for Windows include Tiny Personal Firewall, ACL tools and VCatch.


General Tools

mod_ssl 2.8.1

mod_ssl provides strong SSL/TLS cryptography for Apache.

Changes: version 2.8.1 for Apache 1.3.19. Conditionally adjusted the source so that it also builds quietly under the latest OpenSSL 0.9.7-dev versions. Added a batch of (untested!) adjustments and fixes for the Win32 platform, as posted to modssl-users some time ago by various people. Fixed the SSLCipherSuite example in httpd.conf-dist: the cipher-string alias is EXPORT56, not EXP56, even though OpenSSL internally names the variable SSL_TXT_EXP56. Extended the FAQ entry on MSIE problems. Added a FAQ entry for the question "Why do I get lots of random SSL errors under heavy load?".

 

Tripwire 2.3.1-2
Tripwire, Inc.
http://sourceforge.net/projects/tripwire

Tripwire is a system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any change to these files, including files that were added or deleted, is flagged and logged, with optional email reporting. Additionally, the support files (databases, reports, etc.) are cryptographically signed.

Changes: support for FreeBSD 4.2 and bug fixes. Fixed a long-standing bug with recurse=3. If TEMPDIRECTORY was missing its trailing /, bad things could happen; Tripwire now appends a / if one isn't present. Fixed a GLOBALEMAIL bug where no global emails were sent unless there was an emailto attribute somewhere in the policy file; in addition, reports sent to global recipients were being sliced, although global recipients should get the full report. Fixed a possible security problem in the handling of temp files. Added the configuration file variable TEMPDIRECTORY, which can be set to the full path where Tripwire should write its temporary files. Added the configuration file variable GLOBALEMAIL, which can be set to a semicolon- or comma-separated list of email addresses; whenever a report is about to be emailed to addresses reaped from the policy file, it is also emailed to the addresses in the GLOBALEMAIL list, so one or more people can be designated to always receive reports. Began a convention of providing a "Solution:" line with every error (exception) emitted by Tripwire.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch & many others
http://www.snort.org

Changes: the new ruleset has been released by Jim Forster. Many rules have been removed from this set (mostly false positives or poorly written rules), and new rules and refinements to the remaining ones have been added. The new snort.conf released with this set uses modular rule selection to speed up changes and updates. The local.rules file is for any rules written in-house, or any refinements you have made to monitor your own network. It is shipped with this release only and will not be included in any later sets, so ruleset updates do not replace it.

Release note/disclaimer: SnortSnarf HTML output is broken with this ruleset because the msg output now references rule IDs. This ruleset will ONLY work with Snort 1.7 or later; earlier releases will fail.

RazorBack is a log analysis program that interfaces with the SNORT open source Intrusion Detection System to provide real time visual notification when an intrusion signature has been detected on the network. RazorBack is designed to work within the GNOME framework on Unix platforms.

Changes: preference bug fixed.

Incident.pl is a small script that, when given logs generated by snort, can generate an incident report for every event that appears to be an attempted security attack, and report the attack to the appropriate administrators.

Note: first time in the Tools Digest.

 

PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre4
Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

Changes: fourth pre-release (beta) of the 1.13.0 series: made changes permitting the use of piktc when updating #include|#verbatim files (as in: #verbatim <systems/nfsserver_systems.cfg> [piktc -xI ...]). Fixed a bug where non-existent #include files referenced by a #include|#verbatim <file> [<proc>] directive might zero out subsequent existing #include files. Fixed other minor bugs.

 

BigBrother 1.6e1 for UNIX, 1.07d for NT WS, 2.2a for NT SRV
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor with web-based monitoring, notification and reporting. It uses a client-server architecture combined with methods that both push and pull data. Network testing is done by polling all monitored services from a single machine and reporting the results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which periodically sends CPU, process, disk space and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.

Changes: new version 2.2a for NT server.

 

MergeLog 4.3
Bertrand Demiddelaer
http://download.sourceforge.net/mergelog

MergeLog is a small and fast C program which merges and sorts HTTP log files in Common Log Format from web servers behind round-robin DNS. It has been designed to easily manage huge log files from highly loaded servers. MergeLog is distributed with ZMergeLog, which supports gzipped log files.

Changes: corrections to the manpages, a fix in configure.in to abort if zlib is not present, and a fix for a potential segmentation fault on malformed log lines.
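What MergeLog does, and why the malformed-line fix matters, is easy to see in a few lines: each server's access log is already in its own chronological order, so the merge is a k-way merge keyed on the parsed CLF timestamp (timezone included, because two servers may log in different offsets), and a line that does not parse must be counted and skipped rather than allowed to crash the run. The Python below is an added illustration written for this digest, not MergeLog's own code; the two sample logs are constructed, and the gzip helper assumes a ".gz" suffix marks a compressed file.

```python
import gzip
import heapq
import re
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(line):
    """Return (timestamp, line) for a well-formed CLF line, or None if it is malformed."""
    m = CLF.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(4), DATE_FMT)
    except ValueError:          # bracketed text that is not a CLF date
        return None
    return ts, line


def open_log(path):
    """Plain or gzipped log file (assumed: '.gz' suffix means gzip), like ZMergeLog."""
    return gzip.open(path, "rt") if path.endswith(".gz") else open(path, "r")


def timestamped(lines, server_index, dropped):
    """Yield sortable (timestamp, server, sequence, line) tuples; bad lines go to 'dropped'."""
    for seq, line in enumerate(lines):
        parsed = parse_clf(line)
        if parsed is None:
            dropped.append(line)            # count and skip instead of crashing
            continue
        yield parsed[0], server_index, seq, parsed[1]


def merge_logs(server_logs):
    """k-way merge of per-server logs. Assumes each server's own log is chronological;
    heapq.merge is linear in the total size, which is the point for huge logs."""
    dropped = []
    streams = [timestamped(lines, i, dropped) for i, lines in enumerate(server_logs)]
    merged = [entry[-1] for entry in heapq.merge(*streams)]
    return merged, dropped


# Constructed sample logs, one per server behind the round-robin name.
# www1 logs in UTC and www2 in +0100: sorting the raw text would misorder them.
WWW1 = [
    '10.0.0.1 - - [02/Mar/2001:10:00:01 +0000] "GET / HTTP/1.0" 200 1043',
    '10.0.0.3 - - [02/Mar/2001:10:00:07 +0000] "GET /index.html HTTP/1.0" 200 2326',
]
WWW2 = [
    '10.0.0.2 - - [02/Mar/2001:11:00:03 +0100] "GET /cgi-bin/search HTTP/1.0" 404 214',
    'Mar  2 11:00:05 www2 httpd: this line is not in Common Log Format',
    '10.0.0.2 - frank [02/Mar/2001:11:00:09 +0100] "POST /login HTTP/1.0" 302 -',
]

if __name__ == "__main__":
    merged, dropped = merge_logs([WWW1, WWW2])
    print("\n".join(merged))
    print(f"# dropped {len(dropped)} malformed line(s)")
```

The merged output interleaves the two servers by real time (the +0100 entries land between the UTC ones), and the syslog-style line is reported as dropped instead of being sorted somewhere arbitrary. If a server's own log can run backwards (clock stepped, rotated files concatenated out of order), sort that stream first; heapq.merge only guarantees order when each input is already ordered.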

 

FreshMeat

ScanSSH 1.5
Niels Provos
http://www.monkey.org/~provos/scanssh

ScanSSH scans a list of addresses and networks for running SSH servers and their version numbers. It supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or on the Internet as a whole.

Changes: no information regarding the changes.

 

PacketStorm

Samhain 0.9.12 - Devel: 1.1.7
Rainer Wichmann
http://la-samhna.de/samhain

Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.

Changes: new development version 1.1.7. This release includes support for specifying files as shell-style wildcard patterns, fixes for some compilation problems on FreeBSD and Alpha/Linux, and a couple of fixes for other bugs.

 

Viperdb 0.9.6
Peter Surda
http://panorama.sth.ac.at/viperdb

Viperdb is a file integrity checker. It is meant to be run from cron on a regular basis in order to detect suspicious activity on a system. It supports checking of size, mtime, permissions, UID/GID, added/deleted files, and MD5 checksums. Data isn't stored in a single archive as in Tripwire, but is split among the monitored directories. This Viperdb is in fact a fork of the original, as the original authors seem unreachable.

Changes: fixes for bugs introduced by the 0.9.5 rewrite, new/strengthened internal security checks, and minor updates.
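Tripwire (above, under General Tools), Samhain and Viperdb share one core job: record the attributes of every monitored file, protect that record so it cannot be quietly edited, and later report what was added, deleted or changed and which attribute changed. The Python below is an added illustration written for this digest, not code from any of those projects. It assumes SHA-256 for the content hash (Viperdb uses MD5), an HMAC over the serialized database as the stand-in for Tripwire's signed support files, and a fixed example key; the small file tree it builds is constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed example key. Keep a real key off the monitored host (or enter it at
# check time): whoever can edit the database and holds the key can re-sign it.
SIGNING_KEY = b"example-key-not-for-real-use"
TRACKED = ("size", "mode", "uid", "gid", "mtime", "sha256")


def file_record(path):
    """Attributes compared for one entry; content hash only for regular files."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "mtime": int(st.st_mtime), "sha256": None}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()   # mtime can be reset with utime(); the hash cannot
    return rec


def snapshot(root):
    """Record every entry under root, keyed by path relative to root."""
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[str(p.relative_to(root))] = file_record(p)
    return db


def serialize_signed(db, key=SIGNING_KEY):
    """Canonical JSON followed by an HMAC-SHA256 tag over it."""
    body = json.dumps(db, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_signed(blob, key=SIGNING_KEY):
    """Refuse a database whose tag does not verify instead of trusting it."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity database signature mismatch")
    return json.loads(body)


def compare(old, new):
    """Added and deleted paths, plus changed paths with the attributes that differ."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = [a for a in TRACKED if old[path][a] != new[path][a]]
        if diffs:
            changed[path] = diffs
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, then change, add and delete entries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        os.chmod(root / "etc" / "passwd", 0o644)
        signed = serialize_signed(snapshot(root))

        # Changes a later check should report:
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned build")      # content replaced
        os.chmod(root / "etc" / "passwd", 0o600)                          # mode only
        (root / "etc" / "shadow").write_text("root:*:0:0:99999:7:::\n")    # added
        (root / "etc" / "hosts").unlink()                                 # deleted
        report = compare(load_signed(signed), snapshot(root))

        # A database edited without the key must be rejected, not silently used.
        tampered = bytes([signed[0] ^ 1]) + signed[1:]
        try:
            load_signed(tampered)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names the attribute that moved, which is what an analyst needs: a mode-only change on etc/passwd reads differently from a content change on bin/ls. Directories show up too (their mtime moves when entries are added or removed), which is the usual reason integrity policies tune which attributes to watch per path.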

 

SecurityFocus

pH 0.1
Anil Somayaji
http://www.cs.unm.edu/~soma/pH

pH performs two important functions: it monitors individual processes at the system-call level, and it automatically responds to anomalous behavior by either slowing down or aborting system calls. Normal behavior is determined by the currently running binary program; response, however, is determined on a per-process basis.

Note: first time in the Tools Digest.
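The split the pH description draws, normal behaviour per binary but response per process, is the part worth seeing in code. The Python below is an added illustration written for this digest, not pH's code: it builds the per-program normal database as the set of fixed-length syscall windows seen in training, then keeps a per-process anomaly count that drives an escalating delay and finally an abort. The window size, the abort threshold, the exponential delay policy and the daemon traces are all assumptions made for the example; pH's actual parameters and algorithm are not stated on this page.

```python
from collections import deque

WINDOW = 5          # syscalls per window (assumed for the example)
ABORT_AT = 5        # recent anomalous windows that trigger an abort (assumed policy)
RECENT = 8          # how many recent windows count toward a process's anomaly count
BASE_DELAY_MS = 1


class ProgramProfile:
    """Normal behaviour belongs to the binary: the set of syscall windows seen in training."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.normal = set()

    def train(self, trace):
        for i in range(len(trace) - self.window + 1):
            self.normal.add(tuple(trace[i:i + self.window]))

    def is_anomalous(self, window):
        return tuple(window) not in self.normal


class ProcessMonitor:
    """Response belongs to the process: it escalates with that process's own recent anomalies."""

    def __init__(self, profile):
        self.profile = profile
        self.history = deque(maxlen=profile.window)
        self.recent = deque(maxlen=RECENT)      # 1 per recent anomalous window
        self.aborted = False

    def syscall(self, name):
        """Decide for one call: ('allow', 0), ('delay', ms) or ('abort', count)."""
        if self.aborted:
            return ("abort", sum(self.recent))
        self.history.append(name)
        if len(self.history) < self.profile.window:
            return ("allow", 0)                  # not enough context yet
        anomalous = self.profile.is_anomalous(self.history)
        self.recent.append(1 if anomalous else 0)
        count = sum(self.recent)
        if count >= ABORT_AT:
            self.aborted = True
            return ("abort", count)
        if anomalous:
            return ("delay", BASE_DELAY_MS * 2 ** count)   # slow down, exponentially
        return ("allow", 0)


def simulate(profile, trace):
    """Run one process's trace through a monitor; stop at the first abort."""
    mon = ProcessMonitor(profile)
    decisions = []
    for call in trace:
        d = mon.syscall(call)
        decisions.append(d)
        if d[0] == "abort":
            break
    return decisions


# Constructed traces for a hypothetical network daemon (not real pH data).
SETUP = ["socket", "bind", "listen"]
SERVE_FILE = ["accept", "read", "open", "read", "write", "close", "close"]
SERVE_CACHED = ["accept", "read", "write", "close"]
TRAINING = [SETUP + SERVE_FILE * 3, SETUP + SERVE_CACHED * 3]

# The same binary after an exploit spawns a shell: fork/execve never appeared in training.
ATTACK = SETUP + ["accept", "read", "fork", "execve", "dup2", "dup2", "execve", "read", "write"]


def build_profile():
    profile = ProgramProfile()
    for trace in TRAINING:
        profile.train(trace)
    return profile


if __name__ == "__main__":
    p = build_profile()
    print("normal run:", simulate(p, TRAINING[1]))
    print("attack run:", simulate(p, ATTACK))
```

On the attack trace the first window still matches training, then each later window is unseen, the delay doubles per anomaly (2, 4, 8, 16 ms) and the fifth anomaly aborts the process. The same mechanism also flags a legitimate path the training never covered (for instance a cached response followed by a file response), which is the classic false-positive cost of sequence profiling and the reason training must cover the program's real workload.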


Firewalls for UNIX/Linux/BSD & Cross-platform

FloppyFw stable: 1.0.9 - Devel: 1.9.3 (kernel 2.4) - 1.1.3 (kernel 2.2)
Thomas Lundquist
http://www.zelow.no/floppyfw

A Linux firewall on a single floppy.

Changes: new development version: kernel 2.4.0, IPtables 1.2, busybox 0.49pre, new glibc-2.1.3 from Debian and a lot of small fixes.

 

FreshMeat

IPtables Linux Firewall  4.3f - Devel: 4.4c
Patrik Hildingsson
http://www.kurd.nu

IPtables Linux Firewall is a firewall that uses NetFilter in Linux 2.4. It features easy configuration and a DMZ option, logs portscans (limited so they won't flood the logfile), and has stateful inspection, masquerading, and general NAT support.

Changes: new development version 4.4c: hosts that are to be masqueraded/SNATed/redirected are now specified in /etc/firewall/host1+. At the moment you have to specify both the MAC address and the source IP; this will be changed so that it depends on CHECK_MAC in the configuration file.

 

Iridium Firewall 1.49a - Devel: 1.5k
Ryan Edwards
http://www.karynova.com/iridium

Iridium Firewall is a script which uses the IPchains facility in Linux 2.2 to perform network packet filtering in an attempt to protect against network-based computer attacks. It's written so that users who know what they are doing can easily configure the script themselves, but it also offers beginners many convenience flags to turn common features on and off. Iridium Firewall is packed with features, and it is heavily commented with instructions and explanations in an easy-to-read format.

Changes: no information about the changes.

 

Knetfilter 2.1.0
Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the NetFilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.

Changes: added packet state checks for regular chains, updated the save script, some spec file cleanups.

 

SecurityFocus

Firestorm Firewall Monitor 1.0.3
Scaramanga
http://firestorm.geek-ware.co.uk

Firestorm Firewall Monitor is a sister project of the Firestorm NIDS. It allows you to monitor your Linux IPchains firewall in real time. It uses the Linux kernel firewall netlink device, so be aware that this must be compiled into your kernel for it to work. Most recent Linux distros have it by default.

Note: first time in the Tools Digest.


Tools for UNIX/Linux/BSD & Cross-platform

Mozilla NSS 3.2
The Mozilla Organization
http://www.mozilla.org/projects/security/pki/nss

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. For detailed information on standards supported, see Overview of NSS.

Changes: NSS 3.2 supports shared libraries for the first time. NSS 3.2 introduces the mandatory use of the official NSS initialization functions. New NSS functions for runtime checking of DSO version compatibility: with NSS packaged in DSOs (or DLLs) instead of being statically linked into the applications, it is now possible for an application to be installed with an incompatible version of the NSS DSOs; NSS 3.2 provides a new function, NSS_VersionCheck, that lets the application tell the DSO which version of NSS it was built against and receive a reply indicating whether the DSO is compatible with that version. Additional SSL/TLS cipher suite supported: SSL_RSA_WITH_RC4_128_SHA (TLS_RSA_WITH_RC4_128_SHA) is now supported. To maximize compatibility with older programs, and unlike all the TLS and SSL3 cipher suites implemented in earlier versions of NSS, this new cipher suite is NOT enabled by default. NSS 3.2 provides new macros (#defines) for accessing SEC_ASN1 templates that live inside a DLL/DSO from outside that DSO/DLL; code that uses these macros works on both NT and UNIX. Five old SSL functions are deprecated and no longer available in NSS 3.2. Finally, for applications on Solaris and HP-UX that use each platform's 32-bit ABI, NSS 3.2 now dynamically loads one or more DLLs at run time.

 

Ethereal 0.8.16
Gerald Combs
http://www.ethereal.com

Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers.

Changes: new dissectors include SUA Light, HCLNFSD, Rquota. Many other dissectors were updated and bug-fixed. The wiretap library can now read Etherpeek files, and write NetMon 2.x files. Capture filters and display filters are kept in separate dialogues/files to help minimize confusion. A new "Decode As" feature allows some run-time configuration of which dissectors are called for a particular packet. You can now click on a byte in the hex dump and the appropriate field in the protocol tree will be selected. The display filter code was re-written, and some syntax changed (esp. for boolean variables).

 

FreshMeat

Sectar 1.02
Brian Wagener
http://sourceforge.net/projects/star

Secure Tar (Sectar) doesn't create encrypted tape archives (tar files) yet, but it can encrypt and decrypt individual files with the AES algorithm, Rijndael, using a choice of block sizes and key sizes. Once the standalone application is stable, I will incorporate it into tar. The encryption is exported under exemption TSU 740.13.

Changes: added a small patch.

 

Passwdd 0.11pl1
Alexander Feldman
http://sourceforge.net/projects/passwdd

Passwdd is a client/server package which allows basic synchronization of password files among different machines. There are Linux/Solaris servers and console clients. With Visual C/C++, you can compile the Windows version of the clients. Perl CGIs are included as well.

Changes: no information about the changes.

 

Crypt::Rijndael 0.1
Rafael R. Sevilla
ftp://ftp.cpan.org/pub/CPAN/modules/by-authors/id/D/DI/DIDO

Crypt::Rijndael is an implementation of the algorithm for the Advanced Encryption Standard, Rijndael, as a Perl module that interfaces to C code. It implements ECB and CBC encryption modes.

Changes: no information about the changes.

 

Averist 1.2.0.0 - Devel: 1.3.1.1
Henrik Edlund
http://www.edlund.org/hacks/averist

Averist is a module that adds an authentication layer to any CGI application written in Perl. It supports initial authentication through CGI (form), and it can use CGI (hidden form fields) or cookies for re-authentication after a configurable timeout. It can also use an SQL database or DBM file for storing session tickets for increased security. The username and password check at the initial authentication can be done via a DBM file, an LDAP directory, NIS, an SQL database, or a passwd-style file. Averist is written in Perl for easy customization and expansion.

Changes: fixed a bug in the SQL query in the vacuum function. Fixed the vacuum function so that it doesn't complain when the local re-authentication method is set to none. Added NIS support for local authentication. Switched from the author's own SQL abstraction modules to DBI, the database-independent interface for Perl, so Averist now works with any SQL database that has a DBI driver available. This also means that you need the DBI and DBD modules installed if you are going to use an SQL database with Averist. Cosmetic changes to code and comments.
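The design the Averist description sketches, an initial password check followed by a signed session ticket that is re-checked against a server-side store until a timeout, and a vacuum pass that purges expired tickets, is shown below in Python as an added illustration written for this digest, not Averist's own (Perl) code. The password hashing (PBKDF2, instead of the crypt() hashes a real passwd-style file carries), the ticket layout, the signing key, the idle-timeout semantics and the example user are all assumptions made for the example; the page does not say whether Averist's timeout is idle or absolute.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed secrets; a real deployment loads these from protected configuration.
TICKET_KEY = b"example-ticket-signing-key"
PBKDF2_ROUNDS = 100_000
TAG_LEN = 32   # HMAC-SHA256 output


def hash_password(password, salt=None):
    """passwd-style entry 'salt$hash' (assumed format for this example)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS)
    return f"{salt}${digest.hex()}"


def check_password(passwd_db, user, password):
    """Initial (form) authentication against a mapping user -> hashed entry."""
    entry = passwd_db.get(user)
    if entry is None:
        return False
    salt, _ = entry.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), entry)


class SessionStore:
    """Server-side ticket store (a dict here; Averist uses a DBM file or an SQL table)."""

    def __init__(self, timeout=900):
        self.timeout = timeout
        self.tickets = {}    # ticket id -> (user, last seen)

    def issue(self, user, now):
        """Ticket carried in a hidden field or cookie: id:user plus an HMAC tag."""
        ticket_id = secrets.token_urlsafe(16)           # no ':' in urlsafe alphabet
        self.tickets[ticket_id] = (user, now)
        payload = f"{ticket_id}:{user}".encode()
        tag = hmac.new(TICKET_KEY, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def reauthenticate(self, ticket, now):
        """Verify the tag, look the ticket up, enforce the timeout; returns user or None."""
        try:
            raw = base64.urlsafe_b64decode(ticket.encode())
        except ValueError:
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(TICKET_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                                  # forged or edited by the client
        ticket_id, _, user = payload.decode().partition(":")
        stored = self.tickets.get(ticket_id)
        if stored is None or stored[0] != user:
            return None                                  # unknown, vacuumed or mismatched
        if now - stored[1] > self.timeout:
            del self.tickets[ticket_id]                  # expired: force a fresh login
            return None
        self.tickets[ticket_id] = (user, now)            # idle timeout, refreshed on use
        return user

    def vacuum(self, now):
        """Purge expired tickets from the store; returns how many were removed."""
        expired = [t for t, (_, seen) in self.tickets.items() if now - seen > self.timeout]
        for t in expired:
            del self.tickets[t]
        return len(expired)


def demo():
    """Constructed walk-through with a fake clock (seconds) instead of time.time()."""
    passwd_db = {"alice": hash_password("correct horse")}
    store = SessionStore(timeout=900)
    results = {
        "wrong_password": check_password(passwd_db, "alice", "wrong"),
        "unknown_user": check_password(passwd_db, "bob", "x"),
        "login": check_password(passwd_db, "alice", "correct horse"),
    }
    ticket = store.issue("alice", now=1000)
    results["fresh"] = store.reauthenticate(ticket, now=1500)
    # Client edits the hidden field to claim another user: the tag no longer verifies.
    raw = base64.urlsafe_b64decode(ticket.encode()).replace(b":alice", b":root")
    results["forged_user"] = store.reauthenticate(base64.urlsafe_b64encode(raw).decode(), now=1500)
    results["expired"] = store.reauthenticate(ticket, now=2401)   # 901 s idle > 900 s
    store.issue("alice", now=3000)
    results["vacuumed"] = store.vacuum(now=4000)
    results["remaining"] = len(store.tickets)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the server-side store is what lets a logout or a vacuum revoke a ticket whose signature is still valid, and the HMAC is what stops a client from rewriting the user name inside a hidden form field. Tickets sent in hidden fields or cookies over plain HTTP can still be replayed by anyone who can sniff them, which is why the page's mod_ssl entry belongs next to this one.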

 

OpenCL 0.7.0
Jack Lloyd
http://opencl.sourceforge.net

OpenCL is a C++ cryptographic class library which aims for high portability and ease of use. It currently includes a wide selection of block and stream ciphers, hash functions, MACs, various utility functions and classes, and a high level filter interface.

Note: first time in the Tools Digest.

 

TkAPG 0.0.2a
Adel I. Mirzazhanov
http://www.adel.nursat.kz/tkapg

TkAPG is a GUI front-end to the Automated Password Generator (APG).

Note: first time in the Tools Digest.

 

PacketStorm

Freevsd 1.4.6
Idaya Ltd.
http://www.freevsd.org

Freevsd facilitates true Linux Virtual Servers within a 'chroot' environment, allowing Web servers and other applications to be deployed and administered discretely, without compromise to security. Each Virtual Server has its own IP address(es), Apache webserver, and view of the process table. Freevsd expands the Linux system by creating a pseudo-'super user' (admin) for each Virtual Server. The admin user has the ability to create extra POP3/FTP and Telnet users and also administrate vital services such as the webserver.

Note: first time in the Tools Digest.


Tools for Windows

Tiny Personal Firewall build 11
Tiny Software, Inc.
http://www.tinysoftware.com/pwall_news.php

Tiny Personal Firewall represents smart, easy-to-use personal security technology that fully protects personal computers against hackers. Built on ICSA-certified security technology, it is also an integral part of The Tiny Software Centrally Managed Desktop Security (CMDS) system selected by the US Air Force for its approximately 500,000 desktop computers. Note: Tiny Personal Firewall is intended for users that are NOT running either WinRoute Pro or WinRoute Lite.

Changes: minor fixes. Application checksums were separated from the filter rules.

 

ACL tools v1.0
Todd Sabin
http://razor.bindview.com/tools/desc/acltools1.0-readme.html

ACL tools contains two tools: lsaacl and samacl. They are ACL editors for the LSA and SAM objects. Just like files, registry keys, and most every other object in NT, LSA and SAM objects have security descriptors. Normally, these are invisible, as the standard tools for managing the SAM and LSA don't display them. However, they are there, and lsaacl and samacl let you display and edit them.

Note: first time in the Tools Digest.

 

SecurityFocus

VCatch 3.5
CommonSearch
http://www.vcatch.com/home.html

VCatch is virus protection software. When VCatch is active it checks all files sent to or downloaded onto your computer via email and web applications. If VCatch detects that a file is suspected to be a virus, the software automatically deletes the file and notifies you. VCatch runs under Windows 2000, Windows 95/98 and Windows NT.

Note: first time in the Tools Digest.


Note: tools announced on forums are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 8 March 2001