Weekly Security Tools Digest
2001/04/06 to 2001/04/12

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include OpenSSL, KSEC, KSTAT, Apache and Linux Kernel.

Auditing and Intrusion Monitoring tools include SCRAM, Snorticus, SnortRules, Nessus, Remote Nmap, SAINT, NEAT, NetSaint_statd, Saintmap, Chkrootkit, PIKT, BigBrother, MergeLog, Samhain and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IP Filter, FwLogWatch, FloppyFw, Knetfilter, GShield, Astaro Security Linux and 2 other tools.

Tools for Linux/Unix/Cross Platform include Bastille Linux, Amavis, FreeS/WAN, SILC, Linux VPN, Lomac, Saint Jude LKM and 3 other tools.

Tools for Windows: no tools this week.


General Tools

SSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.

Changes: version 0.9.6a has been released. This is a major release. It contains security fixes that prevent the RSA-CRT attack and Bleichenbacher's RSA attack, and the library now ignores environment variables when run setuid. There are also 50+ bugfixes, better big number tests, and more documentation.

 

Digital Forensic Utilities

KSEC helps you find an attacker on your system by directly analysing the kernel through /dev/kmem, bypassing the intruder's hiding techniques (static kernel recompilation or use of LKMs). KSEC can find modified syscalls from userspace, detect interfaces in promiscuous mode, find modifications applied to a protocol, and much more!

Note: first time in the Tools Digest.

KSTAT can find the syscalls which were modified by an LKM, list the loaded LKMs, query one or all of the system's network interfaces, list all processes, and much more!

Note: first time in the Tools Digest.

 

Apache 1.3.19 - Apache 2.0.16 Beta
Apache Software Foundation and The Apache Server Project
http://www.apache.org/dist

Changes: this is the sixteenth release of Apache 2.0. Apache 2.0 offers numerous enhancements, improvements and performance boosts over the 1.3 code base. The most visible and noteworthy addition is the ability to run Apache in a hybrid thread/process mode on any platform that supports both threads and processes. The default installation directory has been changed to /usr/local/apache2. OS/2: added support for building loadable modules as OS/2 DLLs. Made generic hooks work, with the experimental mod_generic_hook_import/export modules. Fixed segfaults for configuration file syntax errors such as "" followed by "" followed by "". Changes to 'ab': fixed integer overruns, added statistics, output in csv/gnuplot format, rudimentary SSL support and various other tweaks to make results truer to what is measured. Cleaned up mod_cgid's temporary request pool. Performance: added the quick_handler hook. mod_status is now enabled by default. For more information about the changes in this new version, please consult http://www.apache.org/dist/httpd/CHANGES_2.0a.

 

Linux 2.4.3 and Linux 2.2.19
http://www.kernel.org

Changes: new version 2.4.3 of the Linux kernel. This new version fixes Makefile dependencies, updates the ISDN code, adds another reiserfs tail-writing fix, unifies pte/pmd allocation, and undoes some VIA PCI fix-ups which caused conflicting behaviour.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch
http://www.snort.org

Snorticus is a collection of shell scripts designed to allow easy management of Snort sensors. It allows you to routinely collect Snort sensor data, analyze the data via SnortSnarf, and easily maintain rule files.

Changes: no information about the changes.

SnortRules is a VB program to merge old and new rule files. It re-comments those rules in the new rule files downloaded from snort.org.

Note: first time in the Tools Digest.

 

Nessus 1.0.7a - Devel: 1.2
Renaud Deraison
http://www.nessus.org

The "Nessus" Project aims to provide the Internet community with a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software that remotely audits a given network and determines whether bad guys (AKA 'crackers') could break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not assume that a given service is running on a fixed port: if you run your web server on port 1234, Nessus will detect it and test its security. It does not base its security tests on the version numbers of the remote services, but really attempts to exploit the vulnerability. Nessus is very fast and reliable, and has a modular architecture that allows you to fit it to your needs.

Changes: development of Nessus 1.2 is going well, and the development version can be tested. For more information about how to retrieve the current version of Nessus, refer to this document: http://www.nessus.org/cvs_manual.html#CURRENT. A quick installer script for Nessus is available by typing lynx -source http://install.nessus.org | sh.

 

Nmap 2.53 - Devel: 2.54 beta 22
Fyodor
http://www.insecure.org/nmap

Remote Nmap (Rnmap) is a pair of client and server programs which allow various authorized clients to run their port scans from a centralized server. The client should run on any platform supported by Python. The server requires Python and the Nmap port scanner; the client only requires Python.

Changes: this is a bugfix release. Added more error checking.

 

SAINT 3.2
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

Saint is a security scanning tool based on Satan.

Changes: new versions of SAINT are no longer freely distributed and are available only by purchasing SAINTwriter or SAINTexpress.

 

NetSaint Network Monitor 0.0.7 beta3
Ethan Galstad
http://www.netsaint.org

NEAT is a web administration interface for NetSaint written in Perl. Version 2.5 works with both the 0.0.4 and 0.0.5 releases of NetSaint, while version 4.5 works with NetSaint versions 0.0.6 and 0.0.7. It allows you to add/edit/delete definitions in your host configuration file and restart NetSaint once the configuration changes are complete. It does not require a database to store configuration data.

Changes: the documentation has been updated and a feature to verify the VERIFY_COMMAND option has been added.

NetSaint_statd is a daemon which allows a NetSaint host to get information such as process count, users, disk usage, and load using the corresponding plugin scripts. The daemon does not process the system information in any way; it merely collects the information and hands it back to the calling script to do with as it pleases. The daemon script is designed to allow easy porting to other OSs by changing the which_os subroutine. Adding other checks should also be easy: add the appropriate subroutine and change CASE2 to look for the wanted command. Host restrictions are currently based on a file in the $safedir directory, /var/netsaint_statd by default. If the file does not exist, the daemon talks to everyone. If it exists and is empty, the daemon talks to no one. The file contains one IP address per line.

Note: first time in the Tools Digest.

Saintmap is a Perl/Tcl application designed to work with NetSaint 0.0.7 that allows you to graphically create 2-D coordinates for the statusmap CGI by dragging hosts around. NetSaint 0.0.7 now requires you to specify coordinates for the statusmap and statuswrl CGIs. The hosts (and links between the hosts) that can be used in the map are pulled from the config files when the application starts.

Note: first time in the Tools Digest.

 

Chkrootkit 0.31
Nelson Murilo
http://www.chkrootkit.org

Chkrootkit locally checks for signs of a rootkit. It includes detection of LKM rootkits, ifpromisc.c to check whether an interface is in promiscuous mode, chklastlog.c to check lastlog for deletions, and chkwtmp.c to check wtmp for deletions. Tested on Linux, FreeBSD, Solaris, and OpenBSD. The following commands are examined: basename, biff, chfn, chsh, cron, date, dirname, du, echo, env, find, fingerd, gpm, grep, identd, ifconfig, inetd, killall, login, ls, mail, mingetty, netstat, passwd, pidof, pop2, pop3, ps, pstree, rlogin, rpcinfo, rshd, sendmail, sshd, su, syslogd, tar, tcpd, telnetd, timed, top, traceroute and write.

Changes: this version includes new tests: gpm, mingetty, rlogind, Adore Worm detection and some bug fixes.

 

PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre7
Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

Changes: seventh pre-release of the 1.13.0 series: PIKT scripts may now be stand-alone (exist outside of .alt files) and directly executable (much like scripts in other languages). Client-side PIKT scripts may now contain #-style comments. Fixed several minor bugs.

 

BigBrother 1.7b4 for UNIX, 1.07f for NT and Win2k WS, 2.2d for NT and Win2k SRV
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting the results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space, and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.

Changes: new version 1.07b4 for Unix and Linux. No information about the changes.

 

MergeLog 4.5
Bertrand Demiddelaer
http://download.sourceforge.net/mergelog

MergeLog is a small and fast C program which merges and sorts http log files in 'Common Log Format' from web servers behind round-robin DNS. It has been designed to easily manage huge log files from highly stressed servers. MergeLog is distributed with ZMergeLog which supports gzipped log files.

Changes: MergeLog no longer aborts on corrupted log lines. The BUFFER_SIZE value has been set to 32 KB.

 

FreshMeat

ScanSSH 1.55
Niels Provos
http://www.monkey.org/~provos/scanssh

ScanSSH scans a list of addresses and networks for running SSH servers and their version numbers. ScanSSH supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or on the Internet as a whole.

Changes: no information regarding the changes.

 

PacketStorm

Samhain 0.9.15 - Devel: 1.1.10
Rainer Wichmann
http://la-samhna.de/samhain

Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.

Changes: new stable version including a lot of small bugfixes. New development version as well.

 

SecurityFocus

Pakemon 0.3.1
Keiji Takeda
http://www.sfc.keio.ac.jp/~keiji/ids/pakemon

Pakemon has been developed to share IDS components based on the open source model. The current version of Pakemon monitors all traffic on a network, searches the traffic for given data patterns, and outputs session logs and summary logs of the matched traffic. It has been tested on Red Hat Linux 6.2j, OpenBSD 2.7, FreeBSD 3.3 and NetBSD 1.4.

Changes: a minor version bump. Added util.h and util.c for malloc_check and free_check. Added a BPF filtering option.

 

File System Saint 0.1
Haver & Sah
http://www.insecure.dk

FSS is a Tripwire-like utility, with a primary focus on speed, minimal complexity and simple usage. FSS runs under FreeBSD, Linux and OpenBSD, and on any other system supporting Perl.

Note: first time in the Tools Digest.


Firewalls for UNIX/Linux/BSD & Cross-platform

Zorp 0.8.2
Balazs Scheidler
http://www.balabit.hu/products/zorp

Zorp is a new-generation modular proxy firewall suite that lets you fine-tune proxy decisions with its built-in script language, fully analyse complex protocols (like SSH with several forwarded TCP connections), and use out-of-band authentication techniques (unlike common practice, where proxy authentication had to be hacked into the protocol).

Changes: this is another bugfix release for the 0.8 series. PSSL: backported EOF handling from 0.9, so stacking HTTP into PSSL works better. Some minor, cosmetic updates to the core (pulled in by the PSSL update).

 

IP Filter 3.4.17
Darren Reed
http://coombs.anu.edu.au/~avalon

IPfilter is a TCP/IP packet filter suitable for use in a firewall environment. It can be run either as a loadable kernel module (recommended) or incorporated into your kernel. Scripts are provided to install and patch system files as required. IP Filter also supports transparent proxying via packet forwarding, including round-robin forwarding to achieve load-balanced proxying.

Changes: no information about the changes in this new release.

 

FwLogWatch 0.3
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

FwLogWatch analyzes IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator. FwLogWatch has the following modes: log summary mode, interactive report mode and real-time response mode.

Changes: rewrote real-time response mode to use external scripts for notifications and responses. Added a first version of Cisco PIX parser. Added 'last message repeated' handling code. Unrecognized text is now only displayed in verbose mode.

 

FloppyFw 1.0.9 (kernel 2.2.18), 1.1.3 (kernel 2.2.17), 1.9.3 (kernel 2.4.0)
Thomas Lundquist
http://www.zelow.no/floppyfw

FloppyFw is a static router using the firewall capabilities in Linux. Although it is called a firewall, it does not have all the functionality we expect from a firewall today. It is basically a screening router or packet-filtering firewall.

Changes: new version 1.0.10 pre5 of kernel 2.2.18 branch. This new version is in the download directory at http://www.zelow.no/floppyfw/download.

 

Knetfilter 2.1.1
Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the NetFilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.

Changes: the destination IP address and netmask, if unspecified, will be 0/0. Checking for malformed packets can be enabled inside regular chain rules. Configure script updates. If present, Knetfilter uses the native IPtables save binaries; otherwise it uses its own save function. Users are warned to upgrade to a new IPtables in order to use the native save function.

 

FreshMeat

GShield 2.2
R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.

Changes: behavior when dropping packets now configurable, support for forwarding imap-ssl, toned down startup verbosity.

 

Astaro Security Linux 1.803
Astaro AG
http://www.astaro.com/products/index.html

Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a specially hardened Linux 2.4 distribution where most daemons run in chroots and are protected by kernel capabilities. See also the discussion board at http://www.astaro.org.

Changes: new virus pattern files.

 

Reptor 0.99
Alex Howansky
http://www.wankwood.com/reptor

Reptor is a utility designed to aid the analysis of Axent/Raptor firewall logfiles. It generates HTML reports which can include traffic summaries and alert messages that are based on highly customizable conditions. Reptor is intended to be run on a daily basis in order to provide details of the previous day's activity. Its built-in support for secure remote logfile retrieval, FTP, and SMTP allow it to be easily automated.

Note: first time in the Tools Digest.

 

Fwanalog 0.1
Balázs Bárány
http://tud.at/programm/fwanalog

Fwanalog is a shell script to parse and summarize firewall logfiles. It understands logs from BSD ipf and Linux 2.4 IPtables. It uses the excellent log analysis program Analog (also free software) to create its reports. It does so by converting the firewall log into a fake web server log and calling Analog with a modified configuration.

Note: first time in the Tools Digest.


Tools for UNIX/Linux/BSD & Cross-platform

Bastille Linux v1.1.1 - Devel: 1.2.0.rc2
Jay Beale
http://www.bastille-linux.org

The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.

Changes: two Bastille Linux 1.2.0 release candidates have been released this week. Versions 1.2.0.rc1 and rc2 work on Mandrake systems, but fail on Red Hat while the development team works out the RPM issues. If this release shows total stability, it will be re-released as 1.2.0. This new version includes Paul Allen's X-based interface and a number of patches. The instructions for version 1.2.0.rc2 need to be read very carefully!

 

Amavis 0.2.1 - Amavis-perl 11 - Amavisd-snapshot 20010407
Christian Bricart
http://www.amavis.org

AMaViS is a mail virus scanner tool.

Changes: this is the first snapshot release of amavisd, the daemonised version of amavis-perl. Amavis-perl now consists of three components: amavisd (daemon), the amavis client (or amavis-milter for sendmail milter support) and amavis.conf (config file). This version includes support for the sendmail milter, unified logging/debugging, support for Command AntiVirus (CSAV) for Linux, notification messages listing the virus(es) found, and many small bugfixes. Many configure options have been removed: edit the config file instead.

 

FreeS/Wan 1.9
Linux FreeS/WAN Team
http://www.freeswan.org

Linux FreeS/WAN provides IPsec (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange) keying and encrypted routing daemon, allowing you to build secure tunnels through untrusted networks. It is compatible with other IPsec and IKE systems already deployed by other vendors such as OpenBSD.

Changes: the big change is that FreeS/WAN works with the 2.4.x kernels (specifically, 2.4.2 at the moment). KLIPS Makefiles have been converted to the new 2.4.x style, with backwards compatibility for use under 2.2.x and 2.0.x. Various small KLIPS fixes have been done for 2.4.x kernels. Routing failure in _updown is now diagnosed in more detail, since mysterious difficulties there are a frequent user problem. Pluto (and rsasigkey) have been fixed to do the "lcm" optimization for RSA private keys, which means that Pluto should no longer reject most keys generated by modern versions of PGP. There is a new --noopt option for rsasigkey, which suppresses the optimization, to generate private keys compatible with the old Pluto. showhostkey now has options to produce ipsec.conf (left/right) rsasigkey lines; it retains information on when and how the key was generated, as comments. The default hostname, for DNS format, now comes from the hostname supplied by rsasigkey (NOTE INCOMPATIBLE CHANGE) rather than from "hostname --fqdn". An obscure bug that caused Pluto to die midway through negotiating a connection has been fixed. Pluto now notices whether the kernel supports compression, and will refuse to negotiate it if there is no kernel support. The ipsec command now has a --directory option, reporting where the IPsec commands are kept, and a report of this is included in barf output. As usual, there are assorted small bug fixes and improvements to docs and messages.

 

SILC 20010410 (Devel)
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.

Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.

 

FreshMeat

Linux VPN 1.3
Alex Fiori
http://anti.someone.net

Linux VPN is an easy way to set up a VPN using pppd over encrypted ssh tunnels with Linux.

Changes: the whole vpn-server has been changed. The log system format has changed. Added a new documentation file UPGRADE, new documentation in the INSTALL file, and a config file and log system for vpn-wrapper.

 

Lomac 1.0.5
Network Associates, Inc.
http://the.wiretapped.net/security/host-security/lomac

Lomac (Low Water-Mark Integrity Protection for Linux) is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. Lomac is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.

Changes: LOMAC now allows remote level-2 root logins via ssh. Fixed mediation logging to accurately report which operation (open, unlink, etc.) was denied. Took Red Hat-specific code out of the initialization scripts to allow installation on other distributions. Updated the manual to include specific installation instructions for Red Hat and Debian distributions, as well as some new text on using lup and ssh. Tweaked the lup program to retain the names of upgraded files.

 

Saint Jude LKM 0.12
Tim Lawless
http://freshmeat.net/projects/stjude

Saint Jude LKM is a Linux kernel module that implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: updated checks and verified compatibility with 2.4.3. Identified and solved a potential endless recursion that could occur under crafted conditions. Identified and resolved a bug where a failed execution by a privileged process was not detected, causing the process's set of allowed programs to shrink. Because privileges only flow downward, there was no risk of gaining privilege, but intended execution paths could be cut off as a result of a failed execve.

 

Viralator Proxy Virus Scanner 0.8
Viralator
http://viralator.loddington.com

Viralator interfaces your network's squid proxy server with a virus scanner. Before a user can download a file, the proxy passes the file to the Viralator script which, in turn, uses a virus scanner (Inoculate for the first release) to scan, disinfect, or delete the download. This is especially good for stopping virus infected files from free email sites like hotmail, etc. Future enhancements will include other types of antivirus scanners, speed improvements, and limiting downloads to approved users. Support has now been added for AntiVir, AVP, RAV, and Sophos antivirus scanners, password protected sites, and filenames with spaces and special characters.

Note: first time in the Tools Digest.

 

PacketStorm

Linux 2.2.19 stealth1
Sean T.
http://www.innu.org/~sean

The Stealth Kernel Patch for Linux v2.2.19 makes the Linux kernel discard the packets that many OS detection tools use to query the TCP/IP stack. Includes logging of the dropped query packets and packets with bogus flags. Does a very good job of confusing Nmap and queso.

Note: first time in the Tools Digest.

 

FreeVSD 1.4.7
Nick Burrett
http://www.freevsd.org

FreeVSD facilitates true Linux Virtual Servers within a 'chroot' environment, allowing web servers and other applications to be deployed and administered discretely, without compromising security. Each Virtual Server has its own IP address(es), Apache web server, and view of the process table. FreeVSD extends the Linux system by creating a pseudo-'super user' (admin) for each Virtual Server. The admin user has the ability to create extra POP3/FTP and Telnet users and also to administer vital services such as the web server.

Note: first time in the Tools Digest.


Tools for Windows

No Windows tools this week!


Note: tools announced on forums are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 11 April 2001