Weekly Security Tools Digest
2001/05/18 to 2001/05/24

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include Mod_ssl, OpenLDAP and Apache.

Auditing and Intrusion Monitoring tools include SnortSnarf, LIDS, BigBrother and John the Ripper.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, FloppyFw, Knetfilter and rTables Linux Firewall.

Tools for Linux/Unix/Cross Platform include AES Encryption for Shell Scripts, Ethereal, SILC, Samhain, FreeVSD and 3 other tools.

Tools for Windows include RATS.


General Tools

SSL

Mod_ssl provides strong SSL/TLS cryptography for Apache.

Changes: version 2.8.4 for Apache 1.3.20. Removed the old db1/ndbm.h kludge from mod_ssl.h, because it should not be needed at all: mod_ssl downgrades to SDBM anyway on all Linux platforms. Additionally made the Linux check more accurate by using src/Configure's $PLAT variable instead of $OS. Upgraded to Apache 1.3.20.


OpenLDAP 2.0.10
The OpenLDAP Foundation
http://www.openldap.org

The OpenLDAP Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools.

Changes: fixed TLS-less build (ITS#1156). From the OpenLDAP 2.0.9 release: added slapd obsolete schema check and slapd collective schema check; fixed slapd printableString syntax bug and ldbm bdb3 set_cachesize bug; added nisMailAlias (ITS#876); fixed inet_ntop configure test (ITS#1146) and thr_nt.c syntax bug.


Apache 1.3.20 - Apache 2.0.16 Beta
Apache Software Foundation and The Apache Server Project
http://www.apache.org/dist

Changes: release of Apache 1.3.20. This version of Apache is principally a security fix release which closes a problem under the Windows and OS/2 ports that would segfault the server in response to a carefully constructed URL. It also fixes some potential configuration quirks present in the 1.3.19 release. The main new features include: enhanced rotatelogs to allow a UTC offset to be specified, and to format logfile names with human-readable date/time stamps. Added the NOESCAPE (NS) flag to RewriteRule, to disable *all* normal URI escaping. Note that incautious use can give unexpected results or introduce security risks. Added the '\' character to RewriteRule to allow escaping of special characters. Added the -V flag to suexec, to display the compile-time settings with which it was built. Introduced EBCDIC conversion configuration options, controlling the conversion based on MIME type or file suffix. Support for the Cygwin 1.x platform. Support for building modules with apxs under Win32. Cygwin builders must use a Cygwin build of Perl to avoid MSVC handling. For more information about the bugfixes, refer directly to the announcement or to the changelog file.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch
http://www.snort.org

SnortSnarf is a Perl program that takes files of alerts from the free Snort Intrusion Detection System and produces HTML output intended for diagnostic inspection and tracking down problems. A cron job produces a daily/hourly/whatever file of Snort alerts, and this script can be run on each such file to produce a convenient HTML breakout of all the alerts.

Changes: fixed 'unmatched [] in regexp' problem under Windows. Included support for the variation on syslog formatting that was announced last time but not included in the released package. Classification/priority lines in fast alerts now disregarded in parsing. Restored correct parsing of portscan logs; was broken in the last release due to generalizing the syslog formats accepted. Restored space accidentally removed before the '->' in alerts shown in the HTML. Removed some warning messages that were not too helpful.


LIDS 0.9.1 - Devel: 0.9.15 (2.2.19 kernel) / 1.0.8 (2.4.4 kernel)
Xie Hua Gang
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: this version upgrades to kernel 2.4.4 and changes most of the "-EROFS" returns to "-EPERM". Thus a violation is now reported as "Permission denied" rather than "Read-only file system". This version also merges patches to Configure.help and lidsadm.c.


BigBrother 1.8a for UNIX/Linux, 1.07f for NT and Win2k WS, 2.2f for NT and Win2k SRV
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting these results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space, and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.

Changes: new version 1.8a for Unix and Linux platforms. No information about the changes.


John the Ripper 1.6 - Devel: 1.6.27
Openwall Project
http://www.openwall.com/john

John the Ripper is a password cracker, currently available for UNIX, DOS and Win32. Its primary purpose is to detect weak UNIX passwords.

Changes: no information about the changes.


Firewalls for UNIX/Linux/BSD & Cross-platform

GShield 2.6.5
R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.

Changes: gforward.pl now included (for setting up generic portforwards). Added QoS marking for typical game ports, IRC. gShield.conf reorganized. Added "error" documentation for common errors and miscellaneous cleanups (added restart runtime).


FloppyFw 1.0.11 (kernel 2.2.18), 1.1.3 (kernel 2.2.17), 1.9.3 (kernel 2.4.0)
Thomas Lundquist
http://www.zelow.no/floppyfw

FloppyFw is a static router with the firewall capabilities of Linux. Although it is called a firewall, it does not have all the functionality we expect from a firewall of today. It is basically a screening router or packet-filtering firewall.

Changes: new version 1.0.11 for kernel 2.2.18. This new version is in the download directory at http://www.zelow.no/floppyfw/download. This new release includes better support for PPPoE, VPN patches and NICs based on the RealTek rt8139.


Knetfilter 2.1.2
Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the NetFilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.

Changes: packet tracking is now also enabled for mark-based rules.


FreshMeat

rTables Linux Firewall 1.05.22.0 (Devel)
Rebby
http://rtables.rebby.com

rTables is a detailed, custom, IPtables firewall for Linux 2.4.x, easily implemented on boxes with one to three network interfaces. It is currently set up to handle a single external LAN, single internal LAN, and a single internal DMZ with support for multiple LANs/DMZs to follow.

Changes: added several email services. Optimized the code and added a few features.


Tools for UNIX/Linux/BSD & Cross-platform

AES Encryption for Shell Scripts 0.7 (devel.)
Eric Lee Green and Randy Kaelber
http://aescrypt.sourceforge.net

AES Encryption for Shell Scripts provides strong encryption/decryption using the Advanced Encryption Standard algorithm "Rijndael" to do 128-bit encryption. This program was deliberately kept extremely simple. It is not intended to be a full encryption solution, it is intended to be used within scripts as part of a complete solution. Key chain management, public key signatures, etc. are all expected to be done external to this program.

Changes: added support for 192 bit and 256 bit keys. Cleaned up some messages a bit. Stripped some version control stuff for a CVS archive that probably will cease to exist. Arguments are also now parsed using getopt().


Ethereal 0.8.18
Gerald Combs
http://www.ethereal.com

Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers.

Changes: Ethereal 0.8.18 has been released. New dissectors include YPPASSWD, KLM, SPRAY, rquota, RANAP, and Modbus/TCP support. Many other dissectors were updated and bug-fixed. The release adds IP fragment reassembly, plugin support on HPUX machines, and a command line option to set 'automatic scrolling' during captures.


FreshMeat

SILC 0.2.6
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.

Changes: a lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.


Samhain 0.9.16 - Devel: 1.1.12
Rainer Wichmann
http://la-samhna.de/samhain

Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.

Changes: new development version 1.1.12: now detects Linux LKM rootkits. Problems with repetitive reports by the daemon have been fixed, the installation has been streamlined, init scripts for Linux (SuSE, Redhat, and Debian) have been added, and the docs have been revised.


PacketStorm

FreeVSD 1.4.8
Nick Burrett
http://www.freevsd.org

FreeVSD facilitates true Linux Virtual Servers within a 'chroot' environment, allowing Web servers and other applications to be deployed and administered discretely, without compromise to security. Each Virtual Server has its own IP address(es), Apache webserver, and view of the process table. FreeVSD expands the Linux system by creating a pseudo-'super user' (admin) for each Virtual Server. The admin user has the ability to create extra POP3/FTP and Telnet users and also to administer vital services such as the webserver.

Changes: improved OpenSSL support, improved certificate handling, PAM-based privileges, upgraded 'addon' packages, and added multiple skel support.


SecurityFocus

Flawfinder 0.12
David Wheeler
http://www.dwheeler.com/flawfinder

Flawfinder can scan source code and identify potential security flaws, ranking them by likely severity. Flawfinder works on Unix-like systems (tested on GNU/Linux), and it should be easy to port to Windows systems. It requires Python to run.

Note: first time in the Tools Digest.


SideKick
Sun Microsystems, Inc.
http://www.sun.com/blueprints/tools/fingerprint_license.html

SideKick is a Solaris tool developed to automate the collection of MD5 file signatures. SideKick can be used to collect signatures for files known to be replaced by "rootkits" and for files with Set-UID or Set-GID permissions, in addition to several other collection methods. SideKick can optionally be used with sfpC to automate the collection and processing of MD5 file signatures. SideKick can also be used in a standalone capacity for distributed signature collection.

Note: first time in the Tools Digest.


Solaris Fingerprint Database Companion (sfpC) 1.2
Sun Microsystems, Inc.
http://www.sun.com/blueprints/tools/fingerprint_license.html

The Solaris Fingerprint Database Companion (sfpC) is a tool designed to automate the process of querying the Solaris Fingerprint Database (sfpDB). sfpC is used to process MD5 file signatures and present the collected database output information in human-readable form. The tool eliminates the manual task of cutting and pasting MD5 output into an HTML form. In addition, the tool performs the necessary checks to enable files of arbitrary size to be processed using multiple queries if necessary.

Note: first time in the Tools Digest.


Tools for Windows

SecurityFocus

RATS 0.9
Secure Software Solutions
http://www.securesw.com/projects.html

RATS, the Rough Auditing Tool for Security, is a security auditing utility for C and C++ code. RATS scans source code, finding potentially dangerous function calls. The goal of this project is not to definitively find bugs (yet). The current goal is to provide a reasonable starting point for performing manual security audits. RATS runs under Windows 2000, Windows 95/98 and Windows NT.

Note: first time in the Tools Digest.


Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 24 May 2001