Weekly Security Tools Digest
2001/07/06 to 2001/07/12

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include OpenSSL and PinePGP.

Auditing and Intrusion Monitoring tools include Snort, Nmap, ACID, RazorBack, Snort2IPtables, PIKT, LIDS, Syslog-ng and SecureIT.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, GuardDog, Astaro Security Linux and Fwanalog.

Tools for Linux/Unix/Cross Platform include Secure FTP, Jail, APG, SILC, Grsecurity, Hogwash and Tsocks.

Tools for Windows include Stealth HTTP Security Scanner and Logs2Intrusions.


General Tools

SSL

OpenSSL 0.9.6b - The OpenSSL Project
http://www.openssl.org

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.

Changes: Version 0.9.6b has been released. ssleay_rand_bytes has been changed to avoid an SSLeay/OpenSSL PRNG weakness: PRNG state recovery was possible. When only the key is given to "enc", the IV is undefined; an error message is now printed in this case. The special case where X509_NAME is empty in the X509 printing routines is now handled. In dsa_do_verify, this release now verifies that "r" and "s" are positive and less than "q". Incoming data is verified to obey the block size in ssl3_enc and tls1_enc. The countermeasure against Bleichenbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in OpenSSL 0.9.5 and is now included again. Fixed various bugs related to DSA S/MIME verification. This new version also includes several other bug fixes.

 

PGP

PinePGP 0.16.0-1 - Peter Hanecak
http://www.megaloman.com/~hany/software/pinepgp

PinePGP provides PGP and GnuPG filters for pine. PGP versions 2.6.x, 5.x, and 6.5.x are supported.

Changes: New stable release: added info about my public key, added section "Other Resources", added TODO items for next development version, minor fixes and updates.


Auditing and Intrusion Monitoring Tools

Snort 1.8 - Martin Roesch
http://www.snort.org

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Changes: Snort 1.8 has been released! Version 1.8 incorporates a number of changes and new features: stateful inspection and TCP stream reassembly module, high performance IP defragmenter module, high performance unified binary output module, tagging allows hosts that trip events to be tracked/logged, unique rule IDs for every Snort rule and new printout code make machine processing of Snort output much easier, enhanced cross-reference data with alerts, classifications and priorities added to rules language, ARP spoofing detection, "IP" is now a supported protocol type in the Snort rules language, Back Orifice detection plugin, Telnet normalization plugin defeats Telnet and FTP evasion techniques, RPC normalization plugin defeats RPC fragmentation evasion techniques, CSV format output plugin, "uricontent" keyword allows HTTP traffic to be searched for data in the URI field only, 802.1Q decoder support, linux_sll decoder support, TCP window detection plugin and same IP detection plugin. New command line options are: "-T" to test Snort config before running, "-y" to add year to timestamps, "-I" to print interface name in Snort alerts, "-G" for backward compatibility with old cross-reference lookup progs, "-L" for naming the "-b" binary output file, "-k" to tune checksum verification routines and "-z" to run the rules engine in stateful mode (with stream4). This new version also includes a lot of fixes and development in the rest of the code. The spo_xml and spo_database routines have matured over the past 6 months as well. Additionally, a new SSH rule that will detect SSH traffic on ports other than the standard (port 22) is available. A PDF file covering Snort and Windows 2000 is now available at http://www.snort.org/Files/snort-w2k.pdf.

ACID 0.9.5 - Devel. 0.9.6b12 - Roman Danyliw
http://acidlab.sourceforge.net

ACID stands for Analysis Console for Intrusion Databases and is a PHP-based analysis engine to search and process a database of security incidents generated by the NIDS Snort. The features currently include: a search interface for finding alerts matching practically any criteria, including arrival time, signature time, source/dest address/port, flags, payload, etc.; these queries can be made arbitrarily complex to satisfy almost any parameters. Alert Groups allow for a logical grouping of alerts on which analysis can be done; they are a quick way to combine multiple searches or to associate a comment with an alert or group of alerts. Alert purging to remove false positives. Statistics: snapshot statistics to assess current network state, aggregate statistics on a per sensor, IP, or alert basis, and graphing of alert arrival over time. All analysis is done in real-time.

Changes: New development version 0.9.6b12: removed Bcmath dependency and bug fixes.

 

RazorBack 1.0.2 - InterSect Alliance
http://www.intersectalliance.com/projects

RazorBack is a log analysis program that interfaces with the Snort open source Intrusion Detection System to provide real-time visual notification when an intrusion signature has been detected on the network. Snort should be configured to send data to syslog for RazorBack to display the data. RazorBack is designed to work within the GNOME framework on Unix platforms.

Changes: Updated code base so that it parses Snort 1.8 log files, slightly modified output format, and removed a few small memory leaks that were present in the old version. Hostname lookup reimplemented.

 

Snort2IPTables 0.1 - Alexander Newald
http://dsli.hannover-internet.de

Snort2IPTables is a Perl script that watches a Snort log file and adds dynamic rules to an IPtables ruleset. The program can be configured by a single config file and uses forks to be fast enough to handle high amounts of new logfile entries.

Note: First time in the Tools Digest.

 

Nmap 2.53 - Devel: 2.54beta26 - Fyodor
http://www.insecure.org/nmap

Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, and detection of down hosts via parallel pings.

Changes: New development version 2.54beta26. Added Idlescan (IPID blind scan). Fixed a bunch of fingerprints that were corrupt due to violations of the fingerprint syntax/grammar. Fixed a command-line option parsing bug. Fixed an OS fingerprinting bug that caused many extra packets to be sent if you request a lot of decoys. Added some debug code to help diagnose the "Unknown datalink type" error; if Nmap gives you this error, please send the following information to fyodor@insecure.org: the full output from Nmap (including the command arguments), which OS and OS version you are using, and what type of adapter you are using (modem, Ethernet, FDDI, etc.). Added a bunch of IDS sensor/console/agent port numbers.

 

PIKT - Problem Informant/Killer Tool 1.14.0 - Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

Changes: Release of PIKT 1.14.0! Significant changes since 1.13.0 are: ported to SCO OpenServer and Digital UNIX, improved the coding of piktx, added the 'pikt +C <cmd>' option, added the #exec and #piktexec (also #pexec) preprocessor directives, reworked parts of the script and config file lexers, fixed several minor lexer and parser bugs, improved the formatting of installed alarm scripts, permitted the use of #ifdef, #setdef, #define, ... within defines.cfg, fixed it so that doing a '#include "/dev/null" [<proc>]' won't clobber /dev/null, and fixed some security flaws in master-slave network communications. For a more detailed listing of 1.14.0 additions, changes and bug fixes, see the "PIKT Changes" section on the web site or the distribution changelog.

 

LIDS 0.9.1 - Devel: 0.10.0 (2.2.19 kernel) / 1.0.11 (2.4.6 kernel) - Huagang Xie
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection "on" or "off" on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: The new development version LIDS 1.0.11 for 2.4.6 is out. This version moves to kernel 2.4.6, fixes the symbol export error, updates the default lids.conf to fix the install error, and adds a new feature: CAP_NET_BIND_SERVICE restricted to specific ports. With this feature, you can specify that a given program may only bind to a specific port.

 

Syslog-ng 1.4.12 - Devel: 1.5.8 - Balazs Scheidler
http://www.balabit.hu/en/products/syslog-ng

Syslog-ng is a syslogd replacement, but with new functionality for the new generation. The original syslogd allows messages to be sorted only on the priority/facility pair; Syslog-ng adds the possibility to filter based on message contents using regular expressions. The new configuration scheme is intuitive and powerful. Syslog-ng includes filtering using regular expressions, log forwarding and hash protected logging (planned in version 1.5). It is multi-platform and requires libol-0.2.17.

Changes: New stable version 1.4.12. New development version 1.5.8: updated user contributions in /contrib, added syslog-ng.conf syntax highlighting for vim and a README file containing a short description for each file. More log processing options: the catchall flag specifies that a given log statement catches all messages regardless of which sources it refers to; final specifies that processing this statement ends message distribution; fallback specifies that if a given message doesn't match anything, it is delivered to that statement. New destination remctrl, which can reopen files based on their name.

 

SecureIT 0.1.5 - Brendon M. Maragia
http://www.commaflex.com/projects.html

SecureIT uses MD5 to generate fingerprints of some commonly-manipulated system files and alerts the system administrator via email if they have been altered. It lets you specify the most commonly-trojaned system files for fingerprinting and filing.

Changes: No information about the changes.


Firewalls for UNIX/Linux/BSD & Cross-platform

GShield 2.7 - R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.

Changes: Miscellaneous routable fixes. Update of gforward.pl. Internal forwarding mechanism and portscan detection options added.

 

GuardDog 1.0.0 - Devel: 1.9.3 - Simon Edwards
http://www.simonzone.com/software/guarddog

GuardDog is a user friendly firewall generation/management utility for KDE on Linux. It allows you to simply specify which protocols should be allowed and requires no knowledge of port numbers. It is intended for client machines and currently does not support router/gateway configurations. It generates scripts for IPchains. Sane defaults for new firewalls, RPM packages for Redhat and Mandrake, and display glitch fixes.

Changes: New development version 1.9.3. This version is not compatible with the last development version. This development version features a much needed clean up of the GUI. The screenshots have been updated, so go have a look. Also some bugs have been fixed and it is now possible to specify which zones are connected to each other. The download section now has Redhat 7.0 RPMs for 1.9.3.

 

FreshMeat

Astaro Security Linux 1.821 - Devel: 1.920 - Astaro AG
http://www.astaro.com/products/index.html

Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons are running in chroot environments and are protected by kernel capabilities.

Changes: New version 1.821 including update of the virus pattern files and of the anti banner ads database.

 

Fwanalog 0.2.2 - Balázs Bárány
http://tud.at/programm/fwanalog

Fwanalog is a shell script that parses and summarizes firewall logfiles. It understands logs from BSD ipf, Linux 2.2 IPchains and 2.4 IPtables. It uses the excellent log analysis program Analog (also free software) to create its reports. It does so by converting the firewall log into a fake web server log and calling Analog with a modified configuration.

Changes: Added FreeBSD support and new configuration file for FreeBSD. Changes for Analog 5.0 compatibility. Added support for Linux 2.2 IPchains logs (tested with 17 MB of logs). New configuration file for Linux 2.2 IPchains. The documentation has been updated.


Tools for UNIX/Linux/BSD & Cross-platform

Secure FTP 1.5.1 - Glub Tech, Inc.
http://www.glub.com/products/secureftp

Secure FTP is a client package that allows for a secure connection to be made to an FTP daemon. In this release, we support connecting via the Secure Sockets Layer, or SSL. Future releases may support other authentication mechanisms (e.g. Kerberos, one-time-passwords). This client is supported on Windows, MacOS X, and any Unix platform where a Java 2 (or Swing) runtime environment is present. It was written in 100% Pure Java and can act as either an application or an applet. The applet version will only run under Windows at this time, but we are looking into other solutions. Secure FTP is available in English, Japanese, Italian, French, and German.

Changes: Better handling of certificate verification.

 

Jail 1.5 - Juan M. Casillas
http://www.gsyc.inf.uc3m.es/~assman/jail

Jail is a chrooted environment using bash. Its main use is as the login shell for any user you want to be chrooted. Its primary goals are to be simple, clean, and highly portable.

Changes: Versions 1.4 and 1.5 were released during the week: removed a bug in jail.c that generated a segmentation fault when jail was launched from the shell. Split mkenv.sh into two programs; mkenv.sh now only builds the chrooted environment, and addjailuser.sh installs new users into the chrooted environment. To install a new user under the chrooted environment, this user must already exist in the system. Fixed a 'neither group nor shadow entry' bug in addjailuser.sh (a minor bug; the shadow and group entries for the user are now inserted directly into the chrooted environment).

 

APG - Automated Password Generator 2.0.0a3 - Adel I. Mirzazhanov
http://www.adel.nursat.kz/apg

APG is a tool set for random password generation. There is a standalone version that generates random words of the required type and prints them to standard output, and there is a network version that consists of an APG server and an APG client. When a client's request arrives, the server generates random words of the predefined type and sends them to the client over the network (according to RFC 972). APG uses two password generation algorithms: the Pronounceable Password Generation Algorithm (according to NIST FIPS 181) and the Random Character Password Generation Algorithm with 19 configurable modes of operation. The password length parameters are configurable, as is the number of generated passwords. It supports /dev/random. It makes the password generation service usable from any type of box (Mac, WinXX, etc.) that is connected to the network, and it can force remote users to use only the allowed type of password generation.

Changes: Better error handling in apgbfm. Added -q option for apgbfm and apg (quiet mode). Added PHP front-end for APG.

 

FreshMeat

SILC 0.4 (Toolkit) - 0.3.2 (Client) - 0.4 (Server) - Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.

Changes: New version 0.4 of SILC toolkit and SILC server. A lot of changes since the previous version. Please refer to http://silc.pspt.fi/changes.txt for more details.

 

Grsecurity 1.5 - Spender
http://freshmeat.net/projects/grsecurity

Grsecurity is a set of security patches for Linux 2.4 that contains all the features of Openwall and HAP-Linux, along with many other patches for 2.2 and other OSes. It features the Openwall non-executable stack, PaX, /proc restrictions, chroot restrictions, linking and FIFO restrictions, exec and set*id logging, secure file descriptors, trusted path execution, randomized IP IDs, randomized PIDs, randomized TCP source ports, altered ping ids, randomized TTL, better IP stack randomness, exec protection, setuid/gid restrictions, socket restrictions, secure keymap loading, stealth networking enhancements, signal logging, failed fork logging, time change logging, and others.

Changes: No information about the changes.

 

SecurityFocus

Hogwash 0.1 beta - SourceForge
http://www.securityfocus.com/tools/2107

Hogwash is designed to take out 95% of the stock attacks all the kiddies throw at your network. Hogwash lives inline like a firewall, but it works differently. Instead of closing ports like a traditional firewall, it drops or modifies specific packets based on a signature match. Hogwash lives directly on top of the network driver, so it doesn't require an IP stack to work. It stops attacks that can't be blocked by a traditional firewall and can be used to protect systems that are unpatchable for one reason or another. The signature matching engine is based on Snort. Hogwash runs under UNIX.

Note: First time in the Tools Digest.

 

Tsocks 1.7 - Shaun Clowes
http://www.progsoc.uts.edu.au/~delius

SOCKS servers are a form of proxy that are commonly used in firewalled LAN environments to allow access between networks, and often to the Internet. The problem is that most applications don't know how to gain access through SOCKS servers. This means that network based applications that don't understand SOCKS are very limited in the networks they can reach. An example of this is simple Telnet. If you're on a network firewalled from the Internet with a SOCKS server for outside access, Telnet can't use this server and thus can't Telnet out to the Internet. Tsocks' role is to allow these non SOCKS aware applications (e.g. Telnet, SSH, FTP, etc.) to use SOCKS without any modification. It does this by intercepting the calls that applications make to establish network connections and negotiating them through a SOCKS server as necessary.

Note: First time in the Tools Digest.


Tools for Windows

SecurityFocus

Stealth HTTP Security Scanner 1.0 build 29 - Felipe Moniz
http://www.hideaway.net/stealth

Stealth 1.0 scans for 2883 HTTP vulnerabilities. This tool is designed especially for system administrators, security consultants and IT professionals to check for possible security holes and to confirm any present security vulnerabilities that attackers could exploit. Totally free for commercial and non-commercial use. Stealth HTTP Security Scanner runs under Windows 2000, Windows 95/98 and Windows NT.

Note: First time in the Tools Digest.

 

Logs2Intrusions v1.0 - Ekrem ORAL
http://www.trsecurity.net/logs2intrusions

This program parses IIS or Apache web server logfiles and then creates a report of possible intrusions. Logs2Intrusions runs under Windows 2000, Windows 95/98 and Windows NT.

Note: First time in the Tools Digest.


Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 11 July 2001