Weekly Security Tools Digest
2001/06/15 to 2001/06/21

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include OpenSSH.

Auditing and Intrusion Monitoring tools include Snort, ACID, SAINT, SARA, FireStorm NIDS and John the Ripper.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, Securepoint Firewall Server SB, GuardDog, Knetfilter, PCX Firewall and 3 other tools.

Tools for Linux/Unix/Cross Platform include Secure FTP, Kaladix Linux, SILC, NSA Security-enhanced Linux and Hypersec Linux Kernel Patch.

Tools for Windows include Tiny Personal Firewall and Pulse.


General Tools

SSH

OpenSSH 2.9p2 - Damien Miller
http://www.openssh.com/portable.html

This is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.

Changes: Many changes since the last official release, 2.9p1 (2001/05/03). For details, consult the ChangeLog included in the TAR file.


Auditing and Intrusion Monitoring Tools

Snort 1.7 - Martin Roesch
http://www.snort.org

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Changes: Rule update. Jim Forster has released two new Snort rules to detect the IIS ISAPI buffer overflow which was announced yesterday.

 

ACID 0.9.5 - Devel. 0.9.6b10 - Roman Danyliw
http://acidlab.sourceforge.net

ACID stands for Analysis Console for Intrusion Databases and is a PHP-based analysis engine to search and process a database of security incidents generated by the NIDS Snort. The features currently include: a search interface for finding alerts matching practically any criteria, including arrival time, signature time, source/destination address/port, flags, payload, etc.; these queries can be made arbitrarily complex to satisfy almost any parameters. Alert Groups allow for a logical grouping of alerts on which analysis can be done; they are a quick way to combine multiple searches or to associate a comment with an alert or group of alerts. Alert purging removes false positives. Statistics: snapshot statistics to assess the current network state, aggregate statistics on a per-sensor, IP, or alert basis, and graphing of alert arrival over time. All analysis is done in real time.

Changes: Full internal support for manipulating IP addresses as 32-bit integers (requires the bcmath library, --enable-bcmath). Fixed links from the event listing on the single IP statistics page; fixed a bug with browsing between alerts on the alert display when the only criterion is the layer-4 protocol. Re-organized related code out of acid_common.php into separate *.inc files. Fixed a bug with email export when old-style inline references are used in the signature name. DNS hostname caching. Fixed a bug in the SQL generated for "Last x Unique Alerts". Increased debugging information and an explicit test for a correct version of PHP. Hyperlinked IP addresses in portscan messages. Native whois queries with caching (requires --enable-sockets). Configuration parameter (max_script_runtime) to set the max_execution_time PHP variable for time-consuming operations. Fixed a bug with shared state incorrectly being carried over from acid_stat_ipaddr links back to query results. Previous timestamp of a unique alert; link to the actual first/previous/last alert added on the unique alert page. Complete re-write of alert actions; new alert action API. Archive alert action and several updates to alert data graphing: chart period and begin/end time.

 

SAINT 3.2 - World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN. The latest versions of SAINT are now released only to SAINTwriter™ and SAINTexpress customers. The latest SAINT version is 3.3.2 (18/June/01). Some versions of SAINT are still released to all users.

Changes: Version 3.2 has been released to all users (18/June/01). This version features exclusions, which allow you to easily show, hide, and manage false alarms, all from the graphical user interface. This new version has the capability to save scan data after merging. The -k option stops the server in remote mode (see the man page). This version includes a new configuration option for setting the TCP ports to scan to determine whether a target is alive when ping is disabled. New vulnerability checks in this version: check for the Lion worm, check for Solaris snmpXdmid, updated checks for MDaemon and Icecast, and check for the ILMI community string (found in Crosscomm/Olicom and some Cisco routers).

 

SARA 3.4.5a - Advanced Research Corporation
http://www-arc.com/sara

Security Auditor's Research Assistant (SARA) is a security analysis tool based on SATAN. It checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.

Changes: Added an authoritative test for the IIS Index Services exploit. Upgraded to CVE version 20010507. Fixed a problem with RED/YELLOW repeats for Vulnerable Web Server. Downgraded the cim.sara color to yellow due to the difficulty of assessing all components. Added tests for: the iPlanet 4.1 buffer overflow vulnerability, the Oracle Application Server buffer overflow, PDG_Cart exploits, remote root backdoors, the Cheese backdoor, and rpc.yppasswdd backdoors and vulnerability. Upgraded the POP3 test for additional vulnerable QPOP servers. Added tests for FTP anonymous directory traversal and for the Mailman Web exploit.

 

Firestorm NIDS 0.1.5 - Scaramanga
http://www.scaramanga.co.uk/firestorm

Firestorm will be a fully featured network intrusion detection system. It aims to support many open standards. At the moment it is just a sensor, but plans are to support central correlation databases and an analyst console. Firestorm should compile on any POSIX-like OS; so far only Linux is tested. Current features are: fully pluggable architecture, capture from libpcap files, Snort rule support, almost as many matchers as Snort, support for IP, Ethernet and other common protocols, and string match, TTL, and IP ID matchers.

Changes: String match and TCP bugfixes. Keeps better track of internal resources. VIM syntax file for config files included. Targets get access to the rule. Matchers need not have match functions (i.e. they can be pure metadata). Added some better cleanup templates. Aggregated TCP/IP headers to improve cross-platform support. Added TCP flags display to the alert target; fixed chroot/drop-privileges to warn if not running as superuser; added an IP TOS matcher (like Snort's, not very user friendly) and a fragbits IP matcher.

 

John the Ripper 1.6 - Devel: 1.6.28 - Openwall Project
http://www.openwall.com/john

John the Ripper is a password cracker, currently available for UNIX, DOS, Win32. Its primary purpose is to detect weak UNIX passwords.

Changes: No information about the changes.


Firewalls for UNIX/Linux/BSD & Cross-platform

GShield 2.6.7 - R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.

Changes: Added a sanity loop for several kernel options, a bugfix for TCP/sshd in routables.rules, added blocked_addresses to conf/, added GRE-specific logging, added NNTP/sshd TOS/QoS suggestions, and updated gforward.pl with an option to use an external file.

 

Securepoint Firewall Server SB 1.166 - Lutz Hausmann
http://www.securepoint.cc

The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system including its own operating system, based on a hardened Linux. You can use the firewall on a standard PC with two or three network cards, and it is easy to install and administer.

Changes: This update includes a new version of the client set-up program. In some cases the client could time out if changes were made in the set-up program. This is corrected in the new release.

 

GuardDog 1.0.0 - Devel: 1.9.2 - Simon Edwards
http://www.simonzone.com/software/guarddog

GuardDog is a user-friendly firewall generation/management utility for KDE on Linux. It allows you to simply specify which protocols should be allowed and requires no knowledge of port numbers. It is intended for client machines and currently does not support router/gateway configurations. It generates scripts for IPchains, and provides sane defaults for new firewalls, RPM packages for Redhat and Mandrake, and display glitch fixes.

Changes: There is no new version of GuardDog. However, the previous Mandrake RPM had a problem concerning dependencies on libGLcore.so.1. A new Mandrake RPM is now available in the download section. It should install fine without demanding any libGLcore.so dependency.

 

Knetfilter 2.1.3 - Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the NetFilter functions. It is possible to perform all standard and most "exceptional" system management tasks of a complex firewall from within the program.

Changes: Added support for clamping the TCP MSS to the MTU.

 

FreshMeat

PCX Firewall 2.3 - James A. Pattie
http://pcxfirewall.sourceforge.net

PCX Firewall is an IPtables firewalling solution that uses Perl to generate static shell scripts based upon the user's configuration settings. This allows the firewall to start up quickly, as it does not have to parse config files every time it starts.

Changes: Rate limiting of normal rules and log rules now uses different parameters, so you can limit the log, limit the rule, or limit both at different rates. The new parameters are log-limit, log-limit-rate and log-limit-burst. Locations under which interfaces are grouped are now customizable. You can now specify an interface on which to enable/disable the following protections (logMartians, icmpRedirects, antiSpoofing and sourceRouting); if you want to cover all interfaces, either omit the int parameter or use int => "all".

 

rTables Linux Firewall 1.06.14.0 (Devel) - Rebby
http://rtables.rebby.com

rTables is a detailed, custom, IPtables firewall for Linux 2.4.x, easily implemented on boxes with one to three network interfaces. It is currently set up to handle a single external LAN, single internal LAN, and a single internal DMZ with support for multiple LANs/DMZs to follow.

Changes: DMZ network is now "trusted". Optimized install script.

 

EasyChains 0.9.4-4 - Dejavo
http://dejavo.virtualave.net/linux.html

EasyChains is a very easy-to-use console GUI for building a firewall script. It makes it easy to create a custom firewall using the firewall generator, or you can add and remove custom rules from a numbered list. You can generate a monitor for the console and for X.

Changes: Added a REDIRECT option for the INPUT chain for redirecting ports. Fixed the Monitor and XMonitor to be able to read the REDIRECT log line (because that log line has a slightly different format). Fixed a bug in the Add Rule option: if all ports (*) were specified in a rule, a backspace character was written into the output lines, and IPchains could not recognize the character and failed to add the rule. Removed some unneeded text in the main script.

 

SecurityFocus

Reptor 0.99 - Alex Howansky
http://www.wankwood.com/reptor

Reptor is a Perl utility designed to aid the analysis of Axent/Raptor firewall logfiles. It generates HTML reports which can include traffic summaries and alert messages based on highly customizable conditions. Reptor is intended to be run on a daily basis in order to provide details of the previous day's activity. Its built-in support for secure remote logfile retrieval, FTP, and SMTP allows it to be easily automated. Reptor has been tested with logfiles generated by Raptor Firewall versions 4, 5, 6, and 6.5.

Note: First time in the Tools Digest.


Tools for UNIX/Linux/BSD & Cross-platform

Secure FTP 1.5 - Glub Tech, Inc.
http://www.glub.com/products/secureftp

Secure FTP is a client package that allows a secure connection to be made to an FTP daemon. In this release, connecting via the Secure Sockets Layer (SSL) is supported. Future releases may support other authentication mechanisms (e.g. Kerberos, one-time passwords). This client is supported on Windows, MacOS X, and any Unix platform where a Java 2 (or Swing) runtime environment is present. It was written in 100% Pure Java and can act as either an application or an applet. The applet version will only run under Windows at this time, but other solutions are being investigated. Secure FTP is available in English, Japanese, Italian, French, and German.

Changes: Introduction of drag and drop. Minor UI bug fixes.

 

Kaladix Linux pre 0.3 - Kaladis
http://www.maganation.com/~kaladix

Kaladix Linux is designed to be a hyper-secure Linux distribution. It comes shipped with Mandatory Access Control and Access Control Lists (RSBAC), extensive logging facilities (Syslog-NG), protection against format string vulnerabilities, buffer overflows, and /tmp race condition vulnerabilities (Openwall, Formatguard, Libsafe 2). Nearly all daemons are chrooted by default, cryptography support is integrated, encryption of partitions is supported, strong firewall and intrusion detection systems are included, both the stack and the heap are non-executable, and very tight permissions are set by default.

Changes: The new pre-release version 0.3 is now available. No information about the changes.

 

FreshMeat

SILC 0.3.1 (Client and Toolkit) - 0.3.3 (Server) - Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although the two are very different internally. The purpose of SILC is to provide secure conferencing services; strong cryptographic methods are used to secure all traffic.

Changes: New version 0.3.1 of the SILC client and SILC toolkit. New version 0.3.3 of the SILC server. Many changes since the previous version; please refer to http://silc.pspt.fi/changes.txt for details.

 

NSA Security-enhanced Linux 200103151617 (Devel) - NSA
http://www.nsa.gov/selinux

NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control architecture into the major subsystems of the kernel. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.

Changes: Kernel patches are now provided for 2.4.3 and 2.2.19. Small updates were made to the example policy configuration.

 

Hypersec Linux Kernel Patch 2.2 series - Kaladis
http://www.maganation.com/~kaladix/hypersec.html

Hypersec Linux is a compilation of security-related patches for the Linux kernel. It provides extreme security at the kernel level. It integrates cryptography, support for encrypting loopback devices (partitions), random PIDs and random TCP sequence numbers to prevent TCP/IP session hijacking, Mandatory Access Control with Access Control Lists, non-executable heap and stack areas to prevent overflow techniques, restricted access to /proc and /tmp, protection against OS fingerprinting, other network protections, and several other security-related enhancements.

Note: First time in the Tools Digest.


Tools for Windows

Tiny Personal Firewall build 14 - Tiny Software, Inc.
http://www.tinysoftware.com/pwall_news.php

Tiny Personal Firewall represents smart, easy-to-use personal security technology that protects personal computers against hackers. Built on ICSA-certified security technology, it is also an integral part of the Tiny Software Centrally Managed Desktop Security (CMDS) system selected by the US Air Force for its approximately 500,000 desktop computers. Note: Tiny Personal Firewall is intended for users who are NOT running either WinRoute Pro or WinRoute Lite.

Changes: Added support for ICMP types 9 and 10. Now compatible with Windows XP. This version also includes minor cosmetic enhancements.

 

SecurityFocus

Pulse beta1 - Security Storm
http://www.securitystorm.net/software/pulse/index.htm

Pulse is a network stress tool that allows system administrators to test their network security. Pulse is designed to test a network firewall's ability to stop common denial-of-service attacks (Echo spoofing, SYN scan and UDP flooding). It runs under Windows 2000.

Note: First time in the Tools Digest.


Note: tools announced on forums are not necessarily updated, new or free; it is just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved. Last Update: 20 June 2001