Weekly Security Tools Digest
2001/05/25 to 2001/05/31

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include MindTerm SSH, OpenSSH SRP, GnuPG, OpenLDAP and Linux Kernel.

Auditing and Intrusion Monitoring tools include IDScenter, Guardian, AutoInstall, Nessus, LIDS and FireStorm NIDS.

Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, Securepoint Firewall Server SB, FwLogWatch, Dante and rTables Linux Firewall.

Tools for Linux/Unix/Cross Platform include Crypto++, Tinc, Kernel Insider and 3 other tools.

Tools for Windows include AntiVir Personal Edition, InoculateIT Personal Edition and Advanced Directory Printer.


General Tools

SSH

MindTerm is a complete ssh client written in pure Java. It can be used either as a standalone Java application or as a Java applet. Three packages of importance are provided (terminal, ssh, and security). The terminal package is a fairly complete vt102/xterm terminal, and the ssh package contains the ssh protocol and also "drop-in" socket replacements so that ssh tunnels can be used transparently from a Java application or applet. It also contains the functionality needed to implement an ssh server. Finally, the security package contains the RSA, DES, 3DES, Blowfish, IDEA, and RC4 ciphers. MindTerm is free for personal use and for use in noncommercial settings.

Changes: this is the first release candidate of MindTerm v2.0. This release candidate is available only in binary form; the final release will include full source.

This patch adds Secure Remote Password (SRP) support to OpenSSH. The Stanford SRP distribution is not required, although this is compatible with that (it will use your existing SRP configuration files, if they exist).

Note: first time in the Tools Digest.

 

PGP

GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is an RFC 2440 (OpenPGP) compliant application.

Changes: this is an important bug fix release and should be installed as soon as possible. This version fixes a format string bug which is exploitable if --batch is not used, checks all translations for format string bugs, removes the Russian translation due to too many bugs, and fixes keyserver access and expiry time calculation.

 

OpenLDAP 2.0.11
The OpenLDAP Foundation
http://www.openldap.org

The OpenLDAP Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools.

Changes: the attribute parse bug (ITS#1159) has been fixed.

 

Linux 2.4.5 and Linux 2.2.19
Linux Kernel Archives
http://www.kernel.org

Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance. It has all the features you would expect in a modern fully-fledged Unix, including true multitasking, virtual memory, shared libraries, demand loading, shared copy-on-write executables, proper memory management, and TCP/IP networking.

Changes: new version 2.4.5 of Linux Kernel. Refer to http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.5 for more information about the changes.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch
http://www.snort.org

IDScenter is a tool for setting up Snort for Win32. It is a tool for managing, controlling, and monitoring the Snort IDS. IDScenter supports alarm sound functions and has error checking procedures. If Snort is killed, IDScenter restarts Snort immediately. It runs under Windows 2000, Windows 95/98 and Windows NT. Its features are: all features of snort.panel are implemented; IP/interface detection is possible; it includes an integrated alert viewer, and an external viewer can be set; an alarm sound (WAV/beep) can be played if an alert occurs; an EXE file can be started in case of an alert (this can also be set in RULES); autostart via the Registry RUN key can be set in IDScenter; forms are non-visible, with only an icon showing alert/stop/start status visible in the taskbar.

Changes: version 1.08c includes Snort 1.7 and Snort 1.6 support, integration in taskbar (tray-icon), immediate autorestart of Snort if it was killed (TaskManager, Ctrl-Break or unusual exits), IP/Interface detection, audio alert (WAV) / beep alerts, execution of other programs on alerts (e.g. net send, etc.), integrated log viewer, "Test configuration" button, e-mail alert, download link for new rulesets, support for external viewers/editors (alertlog and ruleset file) and process priority option.

Guardian is a standalone Perl script that works in conjunction with Snort. Guardian watches the Snort alert log file for alerts and blocks the offending host by defining an IPchains rule to deny it, remembering which hosts it has put on this list. Hosts remain blocked for a configurable period of time, after which they are removed from the deny list. This should keep the deny list manageable and small on busy hosts.

Note: first time in the Tools Digest.

This is a batch file which performs the following operations: download all necessary files if they do not already exist, extract all downloads into a temporary installation directory, install the WinPcap driver, install Snort for Windows with MySQL support, set up the Vision rules and create a default configuration file, install ActiveState Perl, install SnortSnarf, install the MySQL database running as a service, create the snort database, tables and user in MySQL, and install and configure ACID, including php405 and adodb.

Note: first time in the Tools Digest.

 

Nessus 1.0.8 - Devel: 1.1.2
Renaud Deraison
http://www.nessus.org

The "Nessus" Project aims to provide the Internet community with a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software which remotely audits a given network and determines whether bad guys (AKA 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not assume that a given service is running on a fixed port: if you run your web server on port 1234, Nessus will detect it and test its security. It does not base its security tests on the version number of the remote services, but actually attempts to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Changes: the version 1.0.8 of Nessus has been released and includes various minor bugfixes and over 650 security checks.

 

LIDS 0.9.1 - Devel: 0.10.0 (2.2.19 kernel) / 1.0.8 (2.4.4 kernel)
Xie Hua Gang
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: new version 0.10.0 for 2.2.19 kernels. After a long period of development, a stable version is out! This version merges the bug-fixed mail alert (now compatible with qmail) and many code clean-ups and typo fixes. This version also fixes a compilation bug in do_execve(). An updated LIDS FAQ is also included in this release.

 

PacketStorm

Firestorm NIDS 0.1.2
Scaramanga
http://www.scaramanga.co.uk/firestorm

Firestorm will be a fully featured network intrusion detection system. It aims to support lots of open standards. At the moment it is just a sensor, but plans are to support central correlation databases and an analyst console. Firestorm should compile on any POSIX-like OS. So far only Linux is tested. Current features are: fully pluggable, capture from libpcap files, Snort rule support, almost as many matchers as Snort, support for IP, Ethernet and other common protocols, string match, TTL, and IP ID matchers.

Note: first time in the Tools Digest.


Firewalls for UNIX/Linux/BSD & Cross-platform

Zorp 0.8.4 - Devel: 0.9.1
Balazs Scheidler
http://www.balabit.hu/en/products/Zorp

Zorp is a new-generation modular proxy firewall suite that fine-tunes proxy decisions with its built-in scripting language, fully analyzes complex protocols (like SSH with several forwarded TCP connections), and uses out-of-band authentication techniques (unlike common practice, where proxy authentication had to be hacked into the protocol).

Changes: new version 0.8.4. This release includes the following changes: zorpctl: fixed a problem in "restart" without instance name, core: added --idle-threads parameter, http: added request_timeout processing, changed default I/O timeout value to 5 minutes and POP3: a multi-line response related problem was fixed, which sometimes caused misbehavior.

 

Securepoint Firewall Server SB 1.166
Lutz Hausmann
http://www.securepoint.cc

The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system including its own operating system, based on a secured Linux. The firewall can be used on a standard PC with two or three network cards, and is easy to install and administer.

Changes: patch 1.1 has been updated following the release of 09 May 2001. The change is a correction of a small bug in routing from internal to external networks. The patch is available now for all servers with version 1.1 and clients with version 1.1, 1.15X or 1.16X. If the older patch 1.1 is already installed, the newer patch 1.1 can be installed over it without problems.

 

FwLogWatch 0.31
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

FwLogWatch analyzes IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator. FwLogWatch has the following modes: log summary mode, interactive report mode and real-time response mode.

Changes: rewrote NetFilter prefix parsing code, made long list/chain/branch/interface names the default, fixed a sorting stability problem, OpenBSD portability changes and various small fixes.

 

Dante Socks 1.1.10
Inferno Nettverk A/S
http://www.inet.no/dante/index.html

Dante is a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server Dante runs on to have external network connectivity.

Changes: compared to the previous release, this version brings, among other changes, the following: a new authentication method, "pam", has been added; client rules now have their own global method line, "clientmethod", with the default value set to "none"; the global "method" is now used only for socks rules. For more information about the changes, refer to the "news" file included in the archive.

 

FreshMeat

rTables Linux Firewall 1.05.25.1 (Devel)
Rebby
http://rtables.rebby.com

rTables is a detailed, custom, IPtables firewall for Linux 2.4.x, easily implemented on boxes with one to three network interfaces. It is currently set up to handle a single external LAN, single internal LAN, and a single internal DMZ with support for multiple LANs/DMZs to follow.

Changes: added support for "trusted" hosts. Fixed problems with the DMZ/INT tables introduced in 1.05.24.0. Altered the install.sh script to work better on non-Debian systems.


Tools for UNIX/Linux/BSD & Cross-platform

Crypto++ 4.1
Wei Dai
http://www.eskimo.com/~weidai/cryptlib.html

Crypto++ is a free C++ class library of cryptographic schemes. Currently the library consists of the following, some of which is other people's code, repackaged into classes. It works for Linux, Solaris and UNIX.

Changes: there is no new version of Crypto++ but a patch is available in order to compile Crypto++ on Win32 systems with Borland C++Builder 5.

 

FreshMeat

Tinc 1.0pre4
Ivo Timmermans
http://tinc.nl.linux.org

Tinc is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between multiple hosts on the Internet. This tunneling allows VPN sites to share information with each other over the Internet without exposing any information.

Changes: new authentication protocol (better security, and faster too). TCPonly and IndirectData are back (but not fully tested). Documentation revised, it's really up to date with the released package now. tincd -K now stores public/private keys in PEM format, but keys of 1.0pre3 can still be used. Faster and more secure encryption of tunneled packets. Stress tested to see if it handles large VPNs with more than 100 sites (it does!).

 

Kernel Insider 1.6
Rodrigo A. Diaz Leven
http://securityportal.com.ar/insider.php

Kernel Insider is a Linux kernel modification that allows you to decide which UID, PID, or file can open a TCP socket in the listening state. When a program tries to open a port, the kernel first computes an MD5 checksum of the executable file and compares it with the configured list, then compares the user ID, and finally the PID. If there is no match, the call is denied. The policy is to deny everything that is not on the allowed list.

Note: first time in the Tools Digest.

 

SecurityFocus

VirusNotification 1.9
Heavyk
http://heavyk.org/virusNotification

VirusNotification is a simple Perl script that can be run (either manually, or automatically through cron) to detect, download, and send a notification by email when new DATs are present for the McAfee antivirus software. The email notification contains the location where the DAT file can be retrieved (both locally and remotely), as well as a list of the changes from the previous to the newest DAT. If any viruses on the Top Threats list or the Virus Alerts pages have been addressed by the new DAT, this information will also be noted in the email.

Note: first time in the Tools Digest.

 

DansGuardian 0.9.1
Daniel Barron
http://dansguardian.org

DansGuardian is a filtering proxy that uses Squid to do all the fetching. It filters using four methods: First, it checks the actual content of the pages against a configurable denied phrase list. This list contains profanities and phrases often associated with pornography and other undesirable content. Second, it implements PICS filtering. Third, it checks the MIME type of the requested file and checks this against a configurable denied MIME type list. Fourth, it checks the file extension of the requested file against a configurable denied file extension list. The filtering has a configurable URL exception list. It does not implement a URL check against a list of sites like squidGuard; it checks the actual content of the pages.

Note: first time in the Tools Digest.

 

rc.firewall 5.2
Jean-Sebastien Morisset
http://www.jsmoriss.dyndns.org/linux/firewall.html

rc.firewall is an IPchains-based firewall script with extensive support for network services (including NFS, IPsec VPNs, Proxies, etc.), masquerading, port forwarding (including definitions for games), and IP accounting. Protections include spoofing, stuffed routing/masquerading, DoS, Smurf attacks, outgoing port scans, and much more. Multiple private and public interfaces are also supported.

Note: first time in the Tools Digest.


Tools for Windows

AntiVir® Personal Edition 6.07.00.51
H+BEDV Datentechnik GmbH
http://www.free-av.com

AntiVir Personal Edition is an anti-virus software that is completely free of charge for private and individual use. AntiVir Personal Edition is available in German and English and runs under Windows 9x/Me and NT/2000.

Note: first time in the Tools Digest.

 

InoculateIT Personal Edition 5.2
Computer Associates International, Inc.
http://antivirus.cai.com

InoculateIT Personal Edition is a promotional program providing antivirus software for personal and home use only. It runs under Windows 95/98/ME, Windows NT Workstation and Windows 2000 Professional.

Note: first time in the Tools Digest.

 

SecurityFocus

Advanced Directory Printer 1.02
Segobit Software
http://www.segobit.com/adp.zip

Advanced Directory Printer is a Windows based application designed to print or export a list of directories, subdirectories and files. Information fields include file name, type, extension, size, creation time/date, last access date, last write time/date and file attributes, and you can choose which fields to print or export. Advanced Directory Printer allows you to sort the list of directories, subdirectories and files by any information field. File and folder listings can be saved as a text file or as a file ready for import into common spreadsheet or database programs. Advanced Directory Printer runs under Windows 2000, Windows 95/98 and Windows NT.

Note: first time in the Tools Digest.


Note: tools announced on forums are not necessarily updated, new or free; it is just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 30 May 2001