By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to General free tools this week include PGPenvelope.
Auditing and Intrusion Monitoring tools include SnortSnarf, Smack, PIKT, AIDE, SAStk, Port Scan Attack Detector, Lsof and Carbonite.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, Iridium Firewall, GShield, Astaro Security Linux and Ferm.
Tools for Linux/Unix/Cross Platform include BFBTester, Jail, Ethereal, Crypto++, SILC, Srm and 3 other tools.
Tools for Windows include Advanced Password Generator.
PGP
- PGPenvelope 2.10.0
Frank Tobin
http://pgpenvelope.sourceforge.net
PGPenvelope is an interface that helps meld Pine with GnuPG. It also includes procmail filtering mechanisms.
Changes: subkey selection is available when encrypting messages. Temporary files are no longer used for outgoing messages. SourceForge-listed Bug #116774 is fixed; this bug caused the processing of large outgoing messages to fail. SourceForge-listed Bug #115734 is fixed; this bug caused the processing of large outgoing messages to fail. PGPenvelope now tries to detect 'forged' PGPenvelope borders in incoming messages and highlights them appropriately. New default processed-block borders are used, to help working with String::Approx, the module used to detect 'forged' borders. String::Approx is required for the detection of 'forged' borders and is bundled with PGPenvelope.
- Snort 1.7
Martin Roesch
http://www.snort.org
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Changes: the ruleset has been updated and is now available at http://www.snort.org/files/snortrules.tar.gz.
- SnortSnarf 041501.1
Silicon Defense
http://www.silicondefense.com/snortsnarf
SnortSnarf is a Perl program that takes files of alerts from the free Snort Intrusion Detection System and produces HTML output intended for diagnostic inspection and tracking down problems. A cron job produces a daily/hourly/whatever file of Snort alerts; this script can be run on each such file to produce a convenient HTML breakout of all the alerts.
Changes: eliminated warnings when running snortsnarf.pl without -rulesfile. Improved treatment of alerts without a (parsed) signature, source IP, and/or destination IP. Added compatibility with the Solaris 8 syslog format, and now skips over interfaces printed in syslog format under -I. Added the -rulesscanonce option to scan the rules files only once, decreasing CPU use at the cost of increased memory usage. Improved sanity checking of some command line arguments. Removed a debugging statement from MemStorage. Clarified documentation about needing to install the Time modules.
- Smack 1.31
Iain Lea
ftp://ftp.bricbrac.de/pub/security/smack
Smack is a perl5 script that watches the output of the Snort IDS (Intrusion Detection System), the iplog port logging package, and IPchains logging info, looking for matches. If certain patterns are met, it issues an IPchains input DENY rule. It supports the concept of an ignore list of IPs and IP networks in CIDR notation (e.g. 1.2.3.0/24, with the help of the included prips support program) so that you do not end up getting locked out of your own system. This is based on code and ideas from the excellent guardian.pl script.
Note: first time in the Tools Digest.
- PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre8
Robert Osterlund
http://pikt.uchicago.edu/pikt
PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
Changes: eighth pre-release of the 1.13.0 series: introduced a new alerts.cfg keyword, execcmd, for registering crontab-like, one-liner command entries in piktd.conf. Modified how #-style comments are parsed in *.pkt PIKT scripts (and removed support for #-style comments in *.alt alarm scripts). Fixed several small bugs. Made other code improvements.
- AIDE 0.7
Rami Lehti and Pablo Virolainen
http://www.cs.tut.fi/~rammer/aide.html
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. There are other free replacements available, so why build a new one? All the other replacements do not achieve the level of Tripwire. And I wanted a program that would exceed the limitations of Tripwire. AIDE creates a database from the regular expression rules that it finds in the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. Basically AIDE runs on any modern Unix: Solaris 2.5.1, 2.6, 7; Linux 2.2.x, 2.0.x; FreeBSD 2.2.8, 3.4; UnixWare 7.0.1; BSDI 4.1; OpenBSD 2.6; AIX 4.2; TRU64 4.0x.
Note: first time in the Tools Digest.
- Slackware Administrators Security Toolkit 0.1.2.1
John Jenkins
http://sourceforge.net/projects/sastk
SAStk (Slackware Administrators Security tool kit) aims to provide a set of tools and utilities to install and maintain a reasonable level of security for the Slackware GNU/Linux distribution. At the same time, it should ease administration with a new centralized initialization setup and background information on what the daemons do.
Changes: the permissions of /root are changed from 0755 to 0700. This is mainly a bugfix and documentation update release.
- Port Scan Attack Detector 0.8.6
Michael Rash
http://www.cipherdyne.com/psad
Port Scan Attack Detector (psad) is a program written in Perl that is designed to work with Linux firewalling code (IPtables in the 2.4.x kernels, and IPchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding Nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of IPchains/IPtables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via Nmap.
Note: first time in the Tools Digest.
- Lsof 4.55
Vic Abell
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
Lsof is an extremely powerful Unix diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. It easily pinpoints which process is using each network connection / open port.
Changes: added support for deleted files in /proc/PID/maps, added support for command name selection by regular expression, restored UnixWare support, and changed PGRP output title to PGID.
- Carbonite 1.0
Foundstone, Inc.
http://www.foundstone.com/rdlabs/proddesc/carbonite.html
Carbonite v1.0 is an LKM designed to investigate and detect rootkits, even LKM rootkits which patch calls to /proc. It works like lsof and ps at the kernel level, querying every process in Linux's task_struct, the kernel structure that maintains information on every running process in Linux. It gives administrators a more reliable method to identify all running processes on the system.
Note: first time in the Tools Digest.
- Zorp 0.8.3
Balazs Scheidler
http://www.balabit.hu/products/zorp
Zorp is a new-generation modular proxy firewall suite that fine-tunes proxy decisions with its built-in script language, fully analyzes complex protocols (like SSH with several forwarded TCP connections), and utilizes out-of-band authentication techniques (unlike common practice, where proxy authentication had to be hacked into the protocol).
Changes: FTP: fixed a problem which caused a SIGSEGV after a large number of file transfers. Core: read umbrella zone support; zorpctl now takes care of stale pidfiles; experimental support for Linux 2.4 NetFilter.
- Iridium Firewall 1.49a - Devel: 1.5pre12-test2
Ryan Edwards
http://www.karynova.com/iridium
Iridium Firewall is a script which uses the IPchains facility in Linux 2.2 to perform network packet filtering in an attempt to protect against network-based computer attacks. It's written so that users who know what they are doing can easily configure the script themselves, but it also offers a beginner many convenience flags to turn common features on and off. Iridium Firewall is packed with features, and it is heavily commented with instructions and explanations in an easy-to-read format.
Changes: new development version 1.5pre12-test2. Fixed a nasty bug where FTP connections were not being accepted when the FTP_SERVER flag was set and were falling through to the default DENY rule; this caused massive filling of the logs. Finally added a check to see if the 3rd-party ICQ module is actually installed before loading it when the appropriate flag is set.
- GShield 2.3
R. Gregory
http://muse.linuxmafia.org/gshield.html
GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.
Changes: ifconfig is now defined as a variable. The blacklist/NAT chain ordering has been reordered. Folded in multi-homed logic based on diff by Duebbert. Fixed outgoing typos. Fixed protocol typo for HTTPS. Miscellaneous comment fixes. GShield.conf has been updated.
- Astaro Security Linux 1.806
Astaro AG
http://www.astaro.com/products/index.html
Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons run in chroot environments and are protected by kernel capabilities. See also the discussion board at http://www.astaro.org.
Changes: new virus pattern files. Bugfix: fixed problem with daemon-watcher memory management.
- Ferm 0.0.18 (Devel)
Auke Kok
http://www.geo.vu.nl/~koka/ferm
Ferm compiles ready-to-go firewall rules from a structured rule setup. These rules are executed by the preferred kernel interface, such as IPchains or IPtables. Ferm also helps modularize firewalls, because it makes it possible to split the firewall into several different files, which can be loaded at will, so you can dynamically adjust your rules.
Changes: fixed two minor bugs.
- BFBTester 2.0.1 - Devel 3.0 Beta
Mike Heffner
http://sourceforge.net/projects/bfbtester
BFBTester (Brute Force Binary Tester) is great for doing quick, proactive security checks of binary programs. BFBTester will perform checks for single and multiple argument command line overflows and environment variable overflows. Versions 2.0-BETA and higher can also watch for temp file creation activity to alert the user of any programs using unsafe temp file names.
Changes: new stable version 2.0.1. Just a small change in the makefile/configure scripts. No functional changes, so you don't have to update if you already have 2.0 installed.
- Jail 1.2
Juan M. Casillas
http://www.gsyc.inf.uc3m.es/~assman/jail
Jail is a chrooted environment using bash. Its main use is as the shell for any user you want to be chrooted. Its primary goals are to be simple, clean, and highly portable.
Changes: this release adds path splitting, so you can have multiple users in a single chrooted environment (useful for isolating groups of users). It adds changelog, TODO, and INSTALL files, renames the mkenv.sh for each platform, and adds a Mkenv for Redhat 6.2.
- Ethereal 0.8.17
Gerald Combs
http://www.ethereal.com
Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers.
Changes: Ethereal 0.8.17 has been released; the new files are tagged 0.8.17-a because of an error during the initial release. New dissectors include the CUPS browsing protocol, Cisco HDLC, DCE RPC support, LMI for frame relay, Wellfleet compression, BACNET, and RWALL. Many other dissectors were updated and bug-fixed. New 3D logo. The Windows version can now dynamically load wpcap.dll at run-time. A Windows installer has been added. The flag -D is now available to show a list of all network. This version includes support for packet data decompression and decoding.
- Crypto++ 4.1
Wei Dai
http://www.eskimo.com/~weidai/cryptlib.html
Crypto++ is a free C++ class library of cryptographic schemes. Currently the library consists of the following, some of which is other people's code, repackaged into classes. It works on Linux, Solaris and UNIX.
Changes: there is no new version of Crypto++ but a project file is now available for Code Warrior Pro 6.1. This file contains the changes to apply in order to compile Crypto++ on MacOS and Win32 with Code Warrior Pro 6.1.
- SILC 20010413 (Devel)
Pekka Riikonen
http://silc.pspt.fi
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.
Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.
- Srm 1.2.3
Matthew Gauthier
http://srm.sourceforge.net
Secure rm (Srm) is a command-line compatible rm(1) which completely destroys file contents before unlinking. The goal is to provide drop-in security for users who wish to prevent command line recovery of deleted information, even if the machine is compromised.
Changes: no functional changes; however, a file descriptor leak is plugged.
- Fwipe 0.35
Len Budney
http://www.pobox.com/~lbudney/linux/software/fwipe.html
Fwipe overwrites your file a specified number of times (default: 5) and then deletes it. It is extremely secure; it will not be confused by filenames containing special characters, and is suitable for use in cleanup scripts by system administrators.
Changes: no information about the changes.
- Crank 0.1.1
Matthew Russell
http://crank.sourceforge.net
Crank is a project to provide a GUI toolkit to facilitate (and where possible, automate) the breaking of classical (pen-and-paper) cryptosystems. Initial focus is on the cryptanalysis of mono-alphabetic substitution ciphers.
Changes: this release moves to a plug-in architecture for the various tools, which now include automatic and manual monoalphabetic crackers, an n-gram statistics display, a set of simple text filters, and a notepad.
- Libmix 122
Mixter
http://mixter.void.ru
Libmix is a library that provides an API for various useful functions, including an AES encryption interface, various network front-ends and low-level datagram functions, as well as functions for string manipulation and other miscellaneous utility functions. It also includes functions to transmit encrypted data via stateless spoofed datagrams (tfntransmit/tfnread).
Note: first time in the Tools Digest.
- Advanced Password Generator 2.75
Segobit Software
http://www.securityfocus.com/tools/1907
Advanced Password Generator is an application designed to generate passwords of any length and character content. It allows users to choose among the random number generators built into the application. This feature is used to generate an extremely random seed value. The random number generators are written in a low-level language, and some of the random number generators built into this application are impossible to write in a high-level language (Basic, Pascal, C++ and others). After registration, users can obtain the application with their own additional random number generator. Advanced Password Generator will create alphabetic, numeric, alphanumeric or all-keyboard-character passwords of user-defined lengths. Passwords can be generated in lowercase or mixed case. All passwords can be printed. It runs under Windows 2000, Windows 95/98 and Windows NT.
Changes: no information about the changes.
Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.
© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 18 April 2001