By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to General free tools this week include Tripwire and BIND.
Auditing and Intrusion Monitoring tools include Snort, IDScenter, SARA, PIKT, FireStorm NIDS, StMichael LKM and Samhain.
Firewalls for UNIX/Linux/BSD & Cross-platform include GshieldConf and Astaro Security Linux.
Tools for Linux/Unix/Cross Platform include Ngrep, FreeS/Wan, FreeS/Wan Config, APG, SILC, Zebedee, BorZoi and Solaris Security Toolkit.
Tools for Windows include AntiVir Personal Edition and LibnetNT.
Tripwire 2.3.1-47 - Tripwire, Inc.
http://www.tripwire.orgTripwire is a system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted, with optional email reporting. Additionally, support files (databases, reports, etc.) are cryptographically signed.
Changes: The latest version is still 2.3.1, two RPMs are available for Red Hat Linux: Tripwire Open Source RPM 3.0 and RPM 4.0 .
BIND 9.1.2 - Internet Software Consortium
http://www.isc.org/products/BINDBIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly re-distributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.
Changes: Version 9.1.2 is still the latest current release but BIND 9.1.3rc2 has been released as a candidate for BIND 9.1.3 and contains fixes for a number of bugs in 9.1.3rc1 but no new features. BIND 9.2.0a2 has been released as the second alpha release of BIND 9.2.0, it includes a number of new features over 9.1. BIND version 8 is still in wide usage: the version 8.2.5 has been released and is a maintenance release of BIND 8.2, containing minimal changes from 8.2.4. BIND 8.3.0 is the first release of 8.3, and contains new features not found in 8.2.5.
Snort 1.7 - Martin Roesch
http://www.snort.orgSnort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Changes: New signatures: Erik Fichtner sent MS01-035 Signatures. Please check your snort.conf file and verify you have $EXTERNAL_NET and $HTTP_SERVERS defined, if you do not these rules will cause errors on startup. (ERROR: = Port value missing in rule!).
IDScenter 1.08d - Ueli Kistler
http://www.eclipse.fr.fmIDScenter is a tool for setting up Snort for Win32. It is a tool for managing, controlling, and monitoring the Snort IDS. IDScenter support alarm sound functions and has error checking procedures. If Snort is killed, IDScenter restarts Snort immediately. It runs under Windows 2000, Windows 95/98 and Windows NT. Its features are: all features of snort.panel are implemented. The IP / Interface detection is possible. It includes an integrated Alertviewer and an external viewer can be set. An alarm sound can be started if an alert occurs (WAV/Beep). An EXE-File can be started (this is also possible to set in RULES) in case of alert. The autostart in Registry\RUN can be set in IDScenter. Non-visible FORMS, only an icon with alert/stop/start-Status is visible in the taskbar.
Changes: New Features: start minimized Snort console, internal log viewer: search function, arachNIDS lookup, IP WHOIS lookup (ARIN) and cursor position at list line (latest alert information). External viewer (default browser) support for WinSnort2HTML, SnortSnarf and ACID generated sites. Better error information. Dialogs opens in already selected folder. Changed layout. Corrected bugs: email function: log file bug corrected and Snort starts now in its own directory ("Test configuration" too).
SARA 3.4.6 - Advanced Research Corporation
http://www-arc.com/saraSecurity Auditor's Research Assistant (SARA) is a security analysis tool based on Satan. Checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.
Changes: Added authoritative test for IIS Index services exploit and authoritative test for IIS FrontPage-RAD exploit (extreme only). Corrected minor bugs in http.sara and in configuration management. Improved hosttype-ing of Windows 2000.
PIKT - Problem Informant/Killer Tool 1.13.1 - Devel: 1.14.0pre5 - Robert Osterlund
http://pikt.uchicago.edu/piktPIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
Changes: During the last week, release of the fourth and fifth pre-release (beta) of the 1.14.0 series: ported to SCO OpenServer and Digital UNIX. Added the directives #ifsys and #endifsys. Permitted the use of #ifdef, #setdef, #define, etc. within the defines.cfg file. Improved the formatting of installed alarm scripts. Fixed several parser bugs.
Firestorm NIDS 0.1.6 - Scaramanga
http://www.scaramanga.co.uk/firestormFirestorm will be a fully featured network intrusion detection system. It aims to support lots of open standards. At the moment it is just a sensor, but plans are to support central correlation databases and an analyst console. Firestorm should compile on any POSIX-like OS. So far only Linux is tested. Current features are: fully pluggable, capture from libpcap files, Snort rule support, almost as many matchers as Snort, support for IP, Ethernet and other common protocols, string match, TTL, and IP ID matchers.
Changes: Libpcap_file understands Redhat "Extended" capfiles. Linux firewall netlink capture. Optional internal leak checker. Fixed a memory leak in IP matcher. Some better macros for plugin hackers. Uncommented locking code in print functions. Changed lots of print_out()s to print_raw()s (more efficient). Removed fsync() in print_xxx, less syscalls, more efficient. Tidied up code by wrapping it all before 80 chars. Installer and RPM spec file are included. Alert target yet more verbose, prints time, etc.
StMichael_LKM 0.04 - Tim Lawless
http://www.sourceforge.net/projects/stjudeStMichael is a Linux kernel module (LKM) that attempts to detect and divert attempts to install a kernel-module backdoor into a running Linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.
Changes: Added the SHA1 checksum to complement the md5 checksumming. Added timers: periodically revalidate the kernel, this is done via a timer and by wrapping the exit call to call the integrity checking. Added configuration script. Code cleanup to accommodate future inclusion in the StJude_LKM. Inclusion of demo modules that will trigger the StMichael LKM.
Samhain 1.2.2 - Samhain Labs
http://la-samhna.de/samhainSamhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.
Changes: Make tmp file directory a compile time option. Fixed several minor bugs. Obsolete testpipe script has been removed. Removed a debug fprintf(). Removed the pre 1.1.9 code bloat. This version includes a module to check the file system for SUID/SGID files. Optional database reload on SIGHUP. Redirect stderr to /dev/null for c_random. Check whether /dev/random is a character device in c_random.sh. Make the bitmask for tests configurable, make the bitmask for tests a static variable and make (database/logfile/lockfile) path configurable. SysV message queue as compile option. Config file option to set console device. Don't print the LOGKEY to the console.
GshieldConf 0.35 - Vince Hodges
http://members.home.com/vhodges/gshieldconf.htmlGshieldConf is a simple tool to edit GShield configuration files. It can be extended when changes are made to the configuration file format and preserves settings which it does not know about.
Changes: Fixed a bug in the parser. Applied patch for GShield 2.5.0 from Max Heijndijk. Ported to libxml2 and tested against libxml2.3.2 (This is what configure is checking for). RPM of the development version is also maintained and is available at http://go.to/conmen.
Astaro Security Linux 1.820 - Devel: 2.0 - Astaro AG
http://www.astaro.com/products/index.htmlAstaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons are running in change-roots and are protected by kernel capabilities.
Changes: Bugfix: slow Up2Date connection timeout. Updated the virus pattern files.
Ngrep 1.40 - Jordan Ritter
http://ngrep.sourceforge.netNgrep strives to provide most of GNU grep's common features, applying them to the network layer. Ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as Tcpdump and snoop.
Changes: License change, amends the BSD advertising clause. Fixed bug from not considering caplen in payload length calculations. Added -s (set bpf caplen). Fixed header include for Linux glibc 2.2 (time.h was not being included).
FreeS/Wan 1.91 - Linux FreeS/WAN Team
http://www.freeswan.orgLinux FreeS/WAN provides IPsec (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange, keying and encrypted routing daemon) allowing you to build secure tunnels through untrusted networks. Compatible with with other IPsec and IKE systems already deployed by other vendors such as OpenBSD.
Changes: There are lots of improvements in operations, better security when networking fails and most bugs were fixed (See the changelog file for more information). The big news for the 1.91 release is that you can now begin to use Opportunistic Encryption, i.e. you don't have to setup by hand each secure link with someone else, it just happens if both of ends set up their reverse DNS correctly. It's not fully done, but you can (and should!) start playing with it!
FreeS/WAN Config Webmin Module 0.83.1 (Devel) - Tim Niemueller
http://www.niemueller.de/webmin/modules/freeswanThis Webmin module allows one to configure nearly every detail of the FreeS/WAN IPsec implementation. This module is currently in a development state, and considered to be beta. Key management and connection status are missing at the moment, but will be available soon.
Note: First time in the Tools Digest.
APG - Automated Password Generator 2.0.0a2 - Adel I. Mirzazhanov
http://www.adel.nursat.kz/apgAPG is the tool set for random password generation. There is a Standalone version that generates some random words of required type and prints them to standard output and there is a network version that consist of an APG server and of an APG client. When client's request is arrived, the server generates some random words of predefined type and send them to client over the network (according to RFC0972). APG uses two Password Generation. Algorithms: the Pronounceable Password Generation Algorithm (according to NIST FIPS 181) and the Random Character Password Generation Algorithm with 19 configurable modes of operation. The password length parameters are configurable as well as the amount of generated passwords. It supports /dev/random. It has the ability to use password generation service from any type of box (Mac, WinXX, etc.) that connected to network and has the ability to enforce remote users to use only allowed type of password generation.
Changes: Finally fixed some warnings during compilation process. Added support for OpenBSD. Hash function used in apgbfm changed to SHA1. Added support for SHA1 algorithm used for random numbers and hash generation. Added info to APG_TIPS file.
SILC 0.3.1 (Toolkit) - 0.3.2 (Client) - 0.3.4 (Server) - Pekka Riikonen
http://silc.pspt.fiSILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.
Changes: New version 0.3.2 of SILC client. New version of SILC server 0.3.4. A lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.
Zebedee 2.2.2 - Neil Winton
http://www.winton.org.uk/zebedeeZebedee is a simple program to establish an encrypted, compressed tunnel for TCP/IP or UDP data transfer between two systems. This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.
Changes: Include missing Japanese documentation. Handle files without a terminating newline. On FreeBSD, only create a parent process if the program is going to detach. This means there is not an idle parent process if the program is not run in detached mode. Fix "PUT" handling in ftpgw.tcl. Added RPM spec file to the distribution.
BorZoi 0.8.3 (Devel) - Anthony Mulcahy
http://www1.kcn.ne.jp/~anthony/softwareBorZoi is an elliptic curve cryptography library for developers who want a simple means of adding privacy protection to their applications. Ease of use and a minimum risk of security problems due to incorrect use are its strong points.
Note: First time in the Tools Digest.
Solaris Security Toolkit 0.3 - Sun Microsystems, Inc.
http://www.sun.com/blueprints/tools/license.htmlThe Solaris Security Toolkit is a tool designed to assist in creation and deployment of secured Solaris Operating Environment systems. The Toolkit is comprised of a set of scripts and directories implementing the recommendations made in the Sun BluePrints OnLine program http://www.sun.com/blueprints.
Note: First time in the Tools Digest.
AntiVir Personal Edition 6.08.00.51 - H+BEDV Datentechnik GmbH
http://www.free-av.comAntiVir Personal Edition is an anti-virus software that is completely free of charge for private and individual use. AntiVir Personal Edition is available in German and English and runs under Windows 9x/ME/NT and 2000.
Changes: New version 6.08.00.51 of the software and new VDF file version 6.08.00.55. No information about the changes.
LibnetNT - Eeye Digital Security
http://www.eeye.com/html/Research/Tools/libnetnt.htmlLibnet for Unix is used in many of today's popular security programs because of how easy it is to implement low level packet functionality into a program. Well now that same ease of use development API is available for Windows NT platforms. LibnetNT has the exact same functionality and abilities as Libnet except LibnetNT can be used to develop low level packet injection programs on Windows NT4.0 and Windows NT5.0. LibnetNT has been encapsulated in a DLL file so you can call the Libnet functions from almost any Windows NT programming language. This is the first beta of LibnetNT so there is probably a few bugs still to be worked out.
Note: First time in the Tools Digest.
Note: tools announced on forums are not necessarily updates or new or free, it's just that someone posted an announcement. We try out best to only notify you only of new or updated free tools.
© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 27 juin, 2001 |