Weekly Security Tools Digest
2001/03/30 to 2001/04/05

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include OpenSSL, Mod_ssl, OpenSSH, TCTUTILs, Autopsy Forensic Browser, BIND, Apache.

Auditing and Intrusion Monitoring tools include Snort, Rnmap, NEAT, NSClient, Syslog-ng, LIDS, BigBrother and Riley.

Firewalls for UNIX/Linux/BSD & Cross-platform include Smoothwall, Fireparse, GShield, Iridium Firewall.

Tools for Linux/Unix/Cross Platform include Linux International Kernel Patch, Secure FTP, SILC and 2 other tools.

Tools for Windows include Tiny Personal Firewall and SSHD for WinNT.


General Tools

SSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.

Changes: no information about the changes in this new version.

Mod_ssl provides strong SSL/TLS cryptography for Apache.

Changes: version 2.8.2 for Apache 1.3.19. This version includes bug fixes and cleanups.

 

SSH

This is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.

Changes: this version reduces the amount of information a passive attacker can deduce from observing an encrypted session. Also includes lots of fixes from the CVS branch, including scp and ssh issues, portability issues, PAM issues, and miscellaneous bugs.

 

TCTUTILs 1.0
Brian Carrier
http://www.cerias.purdue.edu/homes/carrier/forensics

TCTUTILs is a collection of utilities that adds functionality to The Coroner's Toolkit (TCT). Features: list directory inode contents to view file, device, and directory names; this also allows deleted file names to be viewed, and on some platforms an entire recently deleted file can be easily recovered. Get Modified, Accessed, and Created time data on deleted files (not possible on all systems) and merge the data into the mactimes output from TCT. Find the names of files and directories that are using a given inode; on some systems, deleted file names will also be given. Find the inode that is using a given block; on some systems, the inode may not even be allocated. Display the contents of a given block in several formats. Display the details of an inode (including all block numbers). TCTUTILs requires TCT 1.06 (or greater) and runs under OpenBSD (tested on 2.8), Linux (tested on Debian 2.2) and Solaris (tested on 2.7).

Note: first time in the Tools Digest.

 

Autopsy Forensic Browser 1.0
Brian Carrier
http://www.cerias.purdue.edu/homes/carrier/forensics

The Autopsy Forensic Browser is an HTML-based front-end interface to TCT and TCTUTILs. It allows an investigator to browse forensic images (an image generated using dd(1)) at the file, inode, or block level of abstraction. It also provides a convenient interface for searching for keywords in an image. Features: browse a forensic image at the file/directory level using a "File Manager" style interface; by utilizing the functions from TCTUTILs, recently deleted file names are displayed. View file contents raw, as ASCII, or by running them through strings(1). Browse a forensic image at the inode level. Browse a forensic image at the block level. View block contents raw, as ASCII, or as a hexdump. Search a forensic image at the block level for specified strings. Generate "autopsy reports" on files, blocks, or inodes that also include MD5 hash values. The Autopsy Forensic Browser requires TCT 1.06 (or greater) and TCTUTILs 1.00.

Note: first time in the Tools Digest.

 

BIND 9.1.1
Internet Software Consortium
http://www.isc.org/products/BIND

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly re-distributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.

Changes: the latest version of BIND 8 is still 8.2.3. New version 9.1.1 has been released. BIND 9.1.1 is a maintenance release, containing fixes for a number of bugs in BIND 9.1.0 but no new features.

 

Apache 1.3.19 - Apache 2.0.15 Alpha
Apache Software Foundation and The Apache Server Project
http://www.apache.org/dist

Changes: the fifteenth alpha release of Apache 2.0. Apache 2.0 offers numerous enhancements, improvements and performance boosts over the 1.3 code base. The most visible and noteworthy addition is the ability to run Apache in a hybrid thread/process mode on any platform that supports both threads and processes. For more information about the changes in this new version, please consult http://www.apache.org/dist/httpd/CHANGES_2.0a.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch
http://www.snort.org

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Changes: rule updates. Jim Forster decided to keep the database around and he will be updating the current download sets from the database from now on. The download file is now standardized at http://www.snort.org/files/snortrules.tar.gz. Individual .rule files will also be in this directory from now on.

 

Nmap 2.53 - Devel: 2.54 beta 22
Fyodor
http://www.insecure.org/nmap

Remote Nmap (Rnmap) is a pair of client and server programs which allow various authorized clients to run their port scans from a centralized server. Clients should run on any platform supported by Python. For the server, Python and the Nmap port scanner are required. For the client, only Python needs to be installed.

Changes: some optimizations/improvements, changes and bugfixes. The GUI client now uses threads.

 

NetSaint Network Monitor 0.0.7 beta3
Ethan Galstad
http://www.netsaint.org

NetSaint is a program that will monitor hosts and services on your network. It has the ability to email or page you when a problem arises and when it gets resolved. NetSaint is written in C and is designed to run under Linux, although it should work under most other Unix variants. It can run either as a normal process or as a daemon, intermittently running checks on various services that you specify. The actual service checks are performed by external "plugins" which return service information to NetSaint. Several CGI programs are included with NetSaint in order to allow you to view the current service status, history, etc. via a web browser.

NEAT is a web administration interface for NetSaint written in Perl. Version 2.5 works with both the 0.0.4 and 0.0.5 releases of NetSaint, while version 4.5 works with NetSaint versions 0.0.6 and 0.0.7. It allows you to add/edit/delete definitions in your host configuration file and restart NetSaint upon completion of the configuration changes. It does not require a database to store configuration data.

Note: first time in the Tools Digest.

NSClient is an add-on developed to get vital information from Windows NT servers (CPU load, memory usage, disk usage, service states, processes, and performance data). It includes a service which runs on the NT server and a plugin which is called from the monitoring box.

Note: first time in the Tools Digest.

 

Syslog-ng 1.4.11 - Devel: 1.5.5a
Balazs Scheidler
http://www.balabit.hu/en/products/syslog-ng

Syslog-ng is a syslogd replacement, but with new functionality for the new generation. The original syslogd allows messages to be sorted only on the priority/facility pair; Syslog-ng adds the possibility to filter based on message contents using regular expressions. The new configuration scheme is intuitive and powerful. Syslog-ng includes filtering using regular expressions, log forwarding and hash-protected logging (planned for version 1.5). It is multi-platform and requires libol-0.2.17.

Changes: development version 1.5.5a. Fixed a bug in SIGHUP handling (implemented a cleaner solution, though less tested than the one in 1.4.11). Added a DNS cache. Added the klogctl program to control the kernel logging level on Linux (to make it easier to set up completely klogd-less logging). Template support for output files. Fixed a dist problem (missing nscache.h) in 1.5.5.

 

LIDS 0.9.1 - Devel: 0.9.15 (2.2.19 kernel) / 1.0.7 (2.4.3 kernel)
Xie Hua Gang
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: new development version 1.0.7 for 2.4.3. Upgrade to 2.4.3. Update lids.h, lidsext.h from Dieter Stolte. A lot of code cleanup for lidsadm from Dieter Stolte. lidsadm manpage updated.

 

BigBrother 1.7a for UNIX, 1.07f for NT WS, 2.2d for NT SRV
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine and reporting the results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space, and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.

Changes: new version 1.07f for NT workstation and new version 2.2d for NT server. No information about the changes.

 

PacketStorm

Riley 0.2
Reid Fleming
http://www.bigredrockeater.com/goodies/riley/riley.html

Riley is a file integrity checker written in Perl. It checks to see that specified files/directories have not been tampered with. It's been tested only under Redhat Linux 6.2 so far. It requires Perl and the MD5 Perl package. Riley is free code and it comes with no guarantee.

Note: first time in the Tools Digest.


Firewalls for UNIX/Linux/BSD & Cross-platform

Smoothwall 0.9.8
Richard Morrell and Lawrence Manning
http://sourceforge.net/projects/smoothwall

Smoothwall is a popular Linux distro cut down to a complete, minimal, automated installation providing out-of-the-box security and functionality as a router and firewall, managed from platform-independent web browsers. No prior Linux experience is required.

Changes: setup program: possibility to reconfigure hostname, ISDN and network configuration at will. ISDN probing and support: automatically sets up most ISDN cards. MultiNIC: finally Smoothwall supports ADSL, cable modems, etc. Portforwarding: setup from the web page. Java based SSH client: log in from a Java applet on the Smoothwall webpage.

 

Fireparse 2.2
Aaron D. Marasco
http://aaron.marasco.com/linux.html

Fireparse is a Perl script that emails a report of all packets that have been logged by the kernel's IPtables packet filtering subsystem. The report includes source and destination ports, direction, logged packet count, IPtables rules, and fully resolved host names (if available). The report can be formatted as plain text or as a colored HTML table. Fireparse also moves all IPtables entries from your syslog file into a second message file so that other syslog entries are more easily noticed and filtered. HTML output can also be sent to a dated file.

Changes: added customizable "subject" tags and re-merged IPchains and IPtables branches.

 

FreshMeat

GShield 2.1
R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.

Changes: cleaned up reserved_address (was causing some issues). Added auto-configuration logic for DNS servers. Added option to log INVALID state drops. Added framework for outgoing filters. Added blocked_outgoing to enable outgoing filtering. Added no_log option for specific ports.

 

Iridium Firewall 1.49a - Devel: 1.5pre12-test1
Ryan Edwards
http://www.karynova.com/iridium

Iridium Firewall is a script which uses the IPchains facility in Linux 2.2 to perform network packet filtering in an attempt to protect against network-based computer attacks. It's written so that users that know what they are doing can easily configure the script themselves, but it also offers a beginner many convenience flags to turn common features on and off. Iridium Firewall is packed with features, and it is heavily commented with instructions and explanations in an easy-to-read format.

Changes: new development version 1.5pre12-test1. The old "leaky" port variables have been replaced by a far superior system using an external file called 'deny' by default. The "sanity checking" at startup has been much improved. Various minor changes and interface improvements. The script has been "functioned" even further: some of the larger and more convoluted functions have been moved to a new "functions" directory where each exists as an individual file. Restructured the way the firewall files are laid out: all firewall-related files are now located in /etc/firewall/; the actual firewall code has been moved into a new file called iridium (previously called firewall); the Red Hat/Debian style rc.d script is now in the file firewall; the individual "function" files are located by default in /etc/firewall/functions/; the firewall configuration has been moved from /etc/iridium.conf to /etc/firewall/firewall.conf; the new files for specifying which ports and IPs to block are also in the new directory. Added a new installer script. The configuration file is now generated automatically when the script is first run. Support for dynamic external IPs from a DHCP or PPP server. Bug fix: the rule to block loose multicast traffic when multicast was disabled was being erased immediately after its creation. Removed some outdated, ambiguous files from the tarball (post and fwctl) that should not have been there to begin with. Added updated copies of this changelog and the LICENSE agreement.


Tools for UNIX/Linux/BSD & Cross-platform

Linux International Kernel Patch 2.4.3.1
Alexander Kjeldaas
http://www.kerneli.org

Due to previous regulations on export and use of crypto, especially in the US, the Linux source distribution has not contained crypto up to this point. The International Kernel Patch has tried to remedy this situation by providing the missing functionality in the form of a unified patch to the Linux kernel source. Lately, some US export restrictions have been lifted, and it is therefore possible that crypto will be part of the Linux kernel source code in the future. However, until that happens, this is where you can get crypto support in your Linux kernel.

Changes: added keylength checks in blowfish_set_key.

 

Secure FTP 1.1
Gary Cohen and Brian Knight
http://www.glub.com/products/secureftp

Secure FTP is a client package that allows a secure connection to be made to an FTP daemon. In this release, we support connecting via the Secure Sockets Layer, or SSL. Future releases may support other authentication mechanisms (e.g. Kerberos, OPIE). This client is supported on Windows and any Unix platform where a Java 2 (or Swing) runtime environment is present. It was written in 100% Pure Java and can act as either an application or an applet. The applet version will only run under Windows at this time, but we are looking into other solutions. Since crypto is present in this product, US export restrictions are in effect. If you reside in an embargoed country you will not be allowed to use this product. Secure FTP is a joint production with the San Diego Supercomputer Center.

Changes: there is now a German and a French version of Secure FTP. Upgraded to JSSE 1.0.2 which allows for 128-bit encryption to be exported. Added "Yes to All" and "Cancel" buttons to the file overwrite dialog. Fixed handling of local directory listing on slow drive (e.g. network drive). Allow for a default directory to be set for local and remote windows via bookmarks; this is an unsupported feature. Better handling of server commands. Better handling of a dropped connection. Smarter update of local and remote windows after each transfer.

 

SILC 20010402 (Devel)
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.

Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.

 

FreshMeat

Tsocks 1.6 - Devel: 1.7 Beta 3
Shaun Clowes
http://tsocks.sourceforge.net

Tsocks provides transparent network access through a SOCKS version 4 or 5 proxy (usually on a firewall). Tsocks intercepts the calls applications make to create TCP connections and determines whether the destination can be reached directly or needs the SOCKS server. If the SOCKS server is needed, the connection is negotiated with the server transparently to the application. This allows existing applications to use SOCKS without recompilation or modification. Tsocks is a wrapper library for the libc connect() call.

Note: first time in the Tools Digest.

 

SecurityFocus

RSBAC (Rule Set Based Access Control) 1.1
Amon Ott
http://www.rsbac.org

Rule Set Based Access Control (RSBAC) is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) by Abrams and LaPadula and provides a flexible system of access control based on several modules. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.

Note: first time in the Tools Digest.


Tools for Windows

Tiny Personal Firewall build 12
Tiny Software, Inc.
http://www.tinysoftware.com/pwall_news.php

Tiny Personal Firewall represents smart, easy-to-use personal security technology that fully protects personal computers against hackers. Built on ICSA-certified security technology, it is also an integral part of The Tiny Software Centrally Managed Desktop Security (CMDS) system selected by the US Air Force for its approximately 500,000 desktop computers. Note: Tiny Personal Firewall is intended for users that are NOT running either WinRoute Pro or WinRoute Lite.

Changes: Tiny Personal Firewall is now compatible with Microsoft Internet Connection Sharing. Resolved delay for NT domain logon. Resolved issues of deadlocking for logon into Windows 9x machines. The error message "too many associated endpoints" has been properly addressed. Status window now offers the option to display the application's full directory path. Memory management has been improved. Complications with particular anti-virus software such as NAV and NIS have been potentially fixed but not fully tested.

 

SSHD for WinNT 1.0.2
Brandon Zehm
http://marvin.criadvantage.com/caspian/Software/SSHD-NT/default.php

SSHD is an SSH server for Windows NT. The installation is very simple: just extract the contents of the .zip file to a temp folder and run 'setup.bat'. An option pack including a collection of Linux utilities for DOS from the cygnus-gun32 tools package is also available. It includes all sorts of tools such as grep, ps, kill, bash, ls, cat, etc. In addition, when you install the option pack after the SSHD package, it changes the default shell to BASH instead of the default cmd.exe.

Note: first time in the Tools Digest.


Note: tools announced on forums are not necessarily updated, new or free; it is just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 04 April, 2001