By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to General free tools this week include GnuPG::Interface, PGPenvelope, OpenLDAP and BIND.
Auditing and Intrusion Monitoring tools include ACID, SnortSnarf, SAINT, SARA, PIKT, BigBrother and John the Ripper.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, IPtables Linux Firewall, Zorp, Securepoint Firewall Server SB, Dante, Astaro Security Linux and 3 other tools.
Tools for Linux/Unix/Cross Platform include Jail, OpenCL, SILC, Lomac and 4 other tools.
Tools for Windows include Wininterrogate and CryptoSoft Enigma.
PGP
- GnuPG::Interface 0.31
Frank J. Tobin
http://GnuPG-Interface.sourceforge.net
GnuPG::Interface is a Perl module for interacting with GnuPG. It implements a rich set of file-handle communication with GnuPG and includes a key object organization structure built from information gathered with GnuPG's --with-colons option.
Changes: fixed stalling test cases. Added deprecation support for fields of GnuPG::Interface::wrap_call.
- PGPenvelope 2.10.2
Frank J. Tobin
http://pgpenvelope.sourceforge.net
PGPenvelope is an interface that helps integrate Pine with GnuPG. It also includes procmail filtering mechanisms.
Changes: now requires and bundles GnuPG::Interface 0.30 or later, as previous versions cause a fatal error.
OpenLDAP 2.0.8
The OpenLDAP Foundation
http://www.openldap.org
The OpenLDAP Project is a collaborative effort to develop a robust, commercial-grade, fully featured, open source LDAP suite of applications and development tools.
Changes: many changes since the release of version 2.0.7 (11.Nov.00). Please refer to the change log for details: http://www.openldap.org/software/release/changes.html.
BIND 9.1.2
Internet Software Consortium
http://www.isc.org/products/BIND
BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the DNS, including a DNS server (named), a DNS resolver library and tools for verifying the proper operation of the DNS server.
Changes: the latest version of BIND 8 is still 8.2.3. New version 9.1.2 released. BIND 9.1.2 is a maintenance release containing fixes for a number of bugs in BIND 9.1.0, but no new features.
Snort 1.7
Martin Roesch
http://www.snort.org
- ACID 0.9.5 - Devel. 0.9.6b9
Roman Danyliw
http://acidlab.sourceforge.net
ACID stands for Analysis Console for Intrusion Databases and is a PHP-based analysis engine to search and process a database of security incidents generated by the NIDS Snort. Current features include: a search interface for finding alerts matching practically any criteria, including arrival time, signature time, source/destination address/port, flags, payload, etc.; these queries can be made arbitrarily complex to satisfy almost any parameters. Alert Groups allow a logical grouping of alerts on which analysis can be done; this is a quick way to combine multiple searches or to associate a comment with an alert or group of alerts. Alert purging removes false positives. Statistics: snapshot statistics to assess the current network state, aggregate statistics on a per-sensor, per-IP or per-alert basis, and graphing of alert arrival over time. All analysis is done in real time.
Changes: bug fixes, security hardening.
- SnortSnarf 051601.1
Silicon Defense
http://www.silicondefense.com/snortsnarf
SnortSnarf is a Perl program that takes files of alerts from the free Snort Intrusion Detection System and produces HTML output intended for diagnostic inspection and tracking down problems. A cron job is used to produce a daily/hourly/whatever file of Snort alerts; this script can be run on each such file to produce a convenient HTML breakout of all the alerts.
Changes: fixed the full qualification of input files under Windows. Fixed a bug when using -rulesdir and -rulesfile with a path under Windows. Fixed a couple of warning messages often encountered when using -homenet. Restored port lookup links (they were not being generated due to a bug). Optimized additional accesses to HTMLMemStorage (should speed up run time, especially for large inputs). Xref lines in full alerts are now scanned for links to include on signature pages. Classification/priority lines in full alerts are now disregarded in parsing. Added support for another variation of the syslog format. Fixed generation of the Silicon Defense logo on Windows. Now ensures all chosen signature page names are unique. Added a note in the README about installing the time modules under Windows.
SAINT 3.1.6
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint
SAINT is a security scanning tool based on SATAN. The latest versions of SAINT are released first to SAINTwriter and SAINTexpress customers; the latest SAINT version is 3.2.4 (16/May/01). Some versions of SAINT are still released to all users.
Changes: version 3.1.6 has been released to all users (16/May/01). New vulnerability checks in this version: IMAP lsub vulnerability, Lotus Domino malformed HTML attachment vulnerability, latest vulnerability in ProFTP, multiple vulnerabilities in Zope, PHP Nuke (opendir.php), VShell, Hex-encoded space (%20) source code exposure vulnerability in Netscape and Website Pro web servers, Cold Fusion startstop denial of service, SCO OpenServer calserver, web servers allowing read access by escaped dot-dot-slash (\../) and man-cgi.
SARA 3.4.3
Advanced Research Corporation
http://www-arc.com/sara
Security Auditor's Research Assistant (SARA) is a security analysis tool based on SATAN. It checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.
Changes: developed a test for the latest IIS directory traversal. Developed a test for the IIS password backdoor. Developed a reliable test for a buffer overflow (IIS/Win 2K). Upgraded the CIM test for the latest exploits. Tweaked tcp_scan for better performance. Added a test for Bugzilla vulnerabilities. Fixed a bug in rlogin.sara. Updated the Web tutorials. Clarified reporting for "directory traversal (command execution)". Improved the test for the IIS 5.0/Windows 2000 vulnerability. Tightened up the NAI FTP vulnerability test. Fixed a JavaScript error. Fixed a printing error. Added a generic test for the NAI-identified vulnerable FTP services. Fixed a false positive on http showcode. Improved detection of command execution via directory traversal. Downgraded many REDs to YELLOWs to minimize false alarms in the current environment. Fixed a problem with detection of duplicate ssh daemons. Upgraded fping to handle 'number of bytes sent' for worms.sara. Combined worms.sara and ddosscan.sara into backdoor.sara.
PIKT - Problem Informant/Killer Tool 1.13.0
Robert Osterlund
http://pikt.uchicago.edu/pikt
PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
Changes: version 1.13.0 of PIKT has been released. Highlights of this release: introduced the #include|#verbatim <file> [<proc>] variants, for including process output (not just file content) in config files. Added the '-I' piktc option, which, together with #include|#verbatim <file> [<proc>], can auto-update your configuration files. PIKT scripts may now be stand-alone (exist outside of .alt files) and directly executable, much like scripts in other languages. Client-side PIKT scripts may now contain #-style comments. Introduced a new, "official" PIKT utility, piktx, which does remote command execution with PIKT-style macros and command-line (+H and -H) host lists; moreover, piktx allows concurrent operation from any PIKT host, not just the piktmaster. Introduced a new alerts.cfg keyword, execcmd, for registering crontab-like one-liner command entries in piktd.conf. Introduced several new piktc options, including -M (expand macro(s)), +M (macro(s)) and -V (show version info). Added the #setdef and '!' variant define preprocessor directives. Added #verbatim support within systems.cfg (correcting an oversight). A parse error during the preprocessor syntax check no longer aborts the entire piktc process, as it used to. Resolved most AIX problems (especially relating to master operations) and fixed lots of bugs.
BigBrother 1.7b4 for UNIX, 1.07f for NT and Win2k WS, 2.2f for NT and Win2k SRV
Sean McGuire
http://bb4.com/index.html
Big Brother is a system and network monitor with web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods that both push and pull data. Network testing is done by polling all monitored services from a single machine and reporting the results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.
Changes: new version 2.2f for Windows NT Server and Windows 2000 Server. No information about the changes.
John the Ripper 1.6 - Devel: 1.6.26
Openwall Project
http://www.openwall.com/john
John the Ripper is a password cracker, currently available for UNIX, DOS and Win32. Its primary purpose is to detect weak UNIX passwords.
Changes: no information about the changes.
GShield 2.6.4
R. Gregory
http://muse.linuxmafia.org/gshield.html
GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.
Changes: bugfix for hosts.deny logic. BLACKLIST defaults to normal. Toggle for locking down possible NetBIOS leaks. Removal of a few bashisms. Toggle for ICMP logging. Error checking for UNCLEAN match. SYSLOG option defaults to false. Bugfix for loopback interface and miscellaneous documentation updates.
IPtables Linux Firewall 4.4d - Devel: 4.4d-1
Patrik Hildingsson
http://my.netfilter.se
IPtables Linux Firewall is a firewall that uses NetFilter in Linux 2.4. It features easy configuration and a DMZ option, logs portscans (rate-limited so they won't flood the logfile), and has stateful inspection, masquerading, and general NAT support.
Changes: new development version 4.4d-1: fixed an IP address check bug, fixed a FORWARD chain bug (traffic from LAN to DMZ was dropped), and the script now utilizes the pkttype match.
Zorp 0.9.1
Balazs Scheidler
http://www.balabit.hu/products/zorp
Zorp is a new-generation modular proxy firewall suite. It fine-tunes proxy decisions with its built-in script language, fully analyzes complex protocols (like SSH with several forwarded TCP connections), and utilizes out-of-band authentication techniques (unlike common practice, where proxy authentication had to be hacked into the protocol).
Changes: the first release in the 0.9.x branch, containing three months' worth of work. The most notable changes are: connection tracking for UDP-based protocols (an example can be found in Plug, which is now able to proxy UDP packet streams in both directions); an authentication framework, with in-band authentication support in HTTP authenticating against a TIS fwtk-compatible authserv; general cleanup, fixes and small additions to the proxies.
Securepoint Firewall Server SB 1.166
Lutz Hausmann
http://www.securepoint.cc
The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system with its own operating system, based on a secured Linux. It runs on a standard PC with two or three network cards and is easy to install and administer.
Changes: the Securepoint Firewall Client is now updated to version 1.166. The most significant change is the complete rework of the firewall server administration GUI, which is now much faster. The update to the professional version is now possible without problems: you only have to install the professional client, and all firewall configurations are automatically available.
Dante Socks 1.1.10 pre1
Inferno Nettverk A/S
http://www.inet.no/dante/index.html
Dante is a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server Dante runs on to have external network connectivity.
Changes: support for PAM has been added, but it has mainly been tested on Linux; feedback from users on other platforms would be appreciated. The 'configure' script contains a new test for detecting systems which use ELF. Client-rules now have their own global method line, "clientmethod", with the default value "none"; the global "method" is now only used for socks-rules. Compatibility notes for users upgrading from the previous version of Dante: server part: configurations that use methods in client-rules should verify their configuration with regard to the newly introduced "clientmethod" variable. Client part: none known.
rTables Linux Firewall 1.05.16.0 (Devel)
Rebby
http://rtables.rebby.com
rTables is a detailed, custom IPtables firewall for Linux 2.4.x, easily implemented on boxes with one to three network interfaces. It is currently set up to handle a single external LAN, a single internal LAN, and a single internal DMZ, with support for multiple LANs/DMZs to follow.
Changes: no information about the changes.
GuardDog 1.0.0 - Devel: 1.9.1
Simon Edwards
http://www.simonzone.com/software/guarddog
GuardDog is a user-friendly firewall generation/management utility for KDE on Linux. It allows you to simply specify which protocols should be allowed and requires no knowledge of port numbers. It is intended for client machines and currently does not support router/gateway configurations. It generates scripts for IPchains. Version 1.0.0 brought sane defaults for new firewalls, RPM packages for Red Hat and Mandrake, and display glitch fixes.
Changes: development version 1.9.1 is now in the download section. The ability to mark a protocol to be rejected by the firewall was added (rejecting a protocol is like blocking it as normal, but it also informs the source that the packet was blocked). You can now specify "User Defined Protocols", which then show up on the protocol page. This makes it possible to open up specific ports and generally drill holes through your firewall when you need to.
FK 0.6.3
Matthew Kirkwood
http://ferret.lmh.ox.ac.uk/~weejock/fk
FK is an application proxy suite designed for building IP gateways. Ultimately, the intent is to provide a free software replacement for the TIS firewall toolkit.
Note: first time in the Tools Digest.
Astaro Security Linux 1.811
Astaro AG
http://www.astaro.com/products/index.html
Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a specially hardened Linux 2.4 distribution where most daemons run in chroots and are protected by kernel capabilities.
Changes: no information about the changes.
Jail 1.3
Juan M. Casillas
http://www.gsyc.inf.uc3m.es/~assman/jail
Jail is a chrooted environment using bash. Its main use is as the shell for any user you want to be chrooted. Its primary goals are to be simple, clean, and highly portable.
Changes: removed path splitting, since it is not necessary. The user's directory and shell are now taken from the data stored in the /etc/passwd inside the chrooted environment. The "no such file or directory" bug has been removed (the home directories in the two passwd files now have existing paths).
mkenv.sh has been fully rewritten and now supports the different platforms internally. mkenv.sh can guess the right libraries for the files, so you don't need to know which libraries have to be copied into the chrooted environment. Also, mkenv.sh protects you from overwriting the customized files (/etc/passwd, /etc/group and /etc/shadow), so you can have multiple users in a single chrooted environment.
OpenCL 0.7.1
Jack Lloyd
http://opencl.sourceforge.net
OpenCL is a C++ cryptographic class library which aims for high portability and ease of use. It currently includes a wide selection of block and stream ciphers, hash functions, MACs, various utility functions and classes, and a high-level filter interface.
Changes: rewrote the configure script to be more consistent and complete. Made it easier to find out parameters of types at run time (in opencl.h). New functions for finding the version being used (in version.h). New SymmetricKey interface for Filters (in symkey.h). InvalidKeyLength now records what the invalid key length was. Optimized DES, CS-Cipher, MISTY1, Skipjack and XTEA. Changed GOST to use the correct S-box ordering (incompatible change). The benchmark code was almost totally rewritten. Many more entries in the test vector file. Fixed a minor and idiotic bug in check.cpp.
SILC 0.2.4
Pekka Riikonen
http://silc.pspt.fi
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although the two are very different internally. The purpose of SILC is to provide secure conferencing services; strong cryptographic methods are used to secure all traffic.
Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.
OtpCalc 0.94
Anthonyu
http://original.killa.net/infosec/otpCalc
OtpCalc generates one-time passwords for responding to S/Key (RFC 1760) and OTP (RFC 2289) challenges. It supports MD4, MD5, and SHA1 message digests.
Changes: no information about the changes.
Passwords On Card 1.2
Henning Koester
http://poc.crackinghacking.de
With Passwords On Card you can manage passwords on smartcards. The passwords are stored encrypted on the card.
Changes: configure.in: stop configure if ctapi.h or the library can't be found. cipher.c: moved the wipeout functions to the module files of each cipher (blowfish.c, rijndael.c). password.c: added wipe_out_data() macros to wipe sensitive data on program exit. Better error handling. Moved function prototypes from poc.h to <module>.h. poc_macros.h: contains new macros. cipher.c: new encrypt_data() function, which makes it easier to add new algorithms to the program and also reduces code size. password.c: fixed a bug in the remove function.
Crypt++.el 2.89
Christoph
ftp://ftp.cs.umb.edu/pub/misc/crypt++.el
Crypt++.el is a package of Lisp functions that automatically recognize encrypted and encoded (i.e., compressed) files when they are first visited or written. The buffer corresponding to the file is decoded and/or decrypted before it is presented to the user; the file itself is unchanged on disk. When the buffer is subsequently saved to disk, a hook function re-encodes the buffer before the actual disk write takes place.
Note: first time in the Tools Digest.
Keep in touch 0.1.1
Henrik Abelsson
http://abelsson.com/kit
Keep in Touch aims to be a secure IM system for multiple platforms. It supports its own XML-based protocol as well as ICQ and AIM (TOC). It provides encrypted connections between the server and client as well as encrypted chat on all supported networks. The client can store contacts on the server, allowing users to keep their contact lists between different locations.
Note: first time in the Tools Digest.
Lomac 1.1.0
Network Associates, Inc.
http://the.wiretapped.net/security/host-security/lomac
Lomac (Low Water-Mark Integrity Protection for Linux) is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. Lomac is implemented as a loadable kernel module; no kernel recompilation or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies and is stable enough for everyday use.
Changes: the 1.1.0 release improves Lomac's protective functionality and makes Lomac easier to use. It restructures system call argument handling to address the time-of-check/time-of-use problems present in the 1.0 release, adds mediation on directory modification operations (the addition and removal of directory entries), and changes all -EPERM ("operation not permitted") return values to the proper value, -EACCES ("permission denied"). With the 1.1.0 release, Lomac's default configuration allows the mounting of remote NFS filesystems and the use of SSH for remote administration.
Wininterrogate 0.1.2
Kirby Kuehl
http://winfingerprint.sourceforge.net
Wininterrogate recurses a directory structure, obtaining the following information according to a file mask: file name, complete path, directory, file size, creation time, last access time, last write time, and MD5 checksum. Extra information gathered on *.DLL, *.VBX, *.DRV, *.EXE, *.OCX, *.BIN and *.SCR files (if the developer added it) includes CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, OriginalFilename, ProductName, ProductVersion, Comments, LegalTrademarks, PrivateBuild, and SpecialBuild.
Note: first time in the Tools Digest.
CryptoSoft Enigma 1.4 (32 bits version)
CryptoSoft GmbH
http://www.cryptosoft.com/html/cse.htm
CryptoSoft Enigma enables you to encrypt, decrypt, and wipe files and folders of any type. It supports various encryption engines such as 3DES, Blowfish, CAST-128 and some of the AES finalists, including the new AES Rijndael, along with zip compression. It also lets you easily create self-extracting encrypted zip files. This powerful program can combine several files in a single encrypted package and optionally wipe the original files. CS Enigma runs under Windows 2000, Windows 95/98 and Windows NT.
Note: first time in the Tools Digest.
Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.
© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved. Last Update: 17 May 2001