By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to general free tools this week include SSH Secure Shell and Stunnel.
Auditing and Intrusion Monitoring tools include Snort, SARA, NetSaint, Vlad, DEMARC, PortSentry and Log_analysis.
Firewalls for UNIX/Linux/BSD & Cross-platform include GuardDog, PCX Firewall and Astaro Security Linux.
Tools for Linux/Unix/Cross Platform include Ethereal, Hogwash, Stephanie, Lomac, OpenCL, MaraDNS, nPULSE and Inflex.
Tools for Windows include AntiVir Personal Edition and Mailscanner for Postfix.
SSH
SSH Secure Shell 3.0 - SSH Communications Security
http://www.ssh.com/products/ssh
SSH Secure Shell is the de facto standard for remote logins. Typical applications include "lite VPN" applications, remote system administration, automated file transfers, and access to corporate resources over the Internet. Secure Shell for Workstations contains precompiled clients for Windows and for several Unix platforms: Solaris 2.6, 7 and 8, HP-UX 10.20 and 11.x, AIX 4.3.x and Linux 2.2.x. Secure Shell for Servers contains precompiled server binaries for Solaris 2.6, 7 and 8, HP-UX 10.20 and 11.x, AIX 4.3.x and Linux 2.2.x. Source code is also available for Solaris 2.6, 7 and 8, HP-UX 10.20 and 11.x, AIX 4.3.x, Compaq OSF/1 4.0 and Tru64 UNIX, Linux 2.2.x (SuSE and Red Hat), FreeBSD, NetBSD, BSDI and OpenBSD.
Changes: Version 3.0 adds PKI support, smart card support (PKCS #11, PC/SC), PKCS #12, CMPv2, CRLs, LDAP, X.509v3 certificates, the Rijndael (proposed AES) cipher, ASCII/binary file transfer modes, remote file editing, NIS support, password aging (an expired password can be changed at login on Solaris, HP-UX, Linux and AIX), faster file transfer, and PAM (Pluggable Authentication Module) support in the Windows client.
SSL
Stunnel 3.15 - Michal Trojnara
http://www.stunnel.org
The Stunnel program is designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons such as POP2, POP3 and IMAP servers without any changes to the programs' code. It negotiates the SSL connection using the OpenSSL or SSLeay libraries; because it calls the underlying crypto library, Stunnel supports whatever cryptographic algorithms were compiled into that library. Runs on Windows and UNIX.
Changes: Stunnel 3.15 has been released with new features and a fix for the random transfer bug. Warning: 3.15 does not correctly include TCP wrapper support due to a bug, so do not install it without also applying the patch just released to the mailing list. This release also folds in patches previously circulated for earlier versions: Stunnel can now read from stdin and write to stdout, and gains the '-n pop' and '-n nntp' protocol negotiation options.
Snort 1.8p1 - Martin Roesch
http://www.snort.org
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Changes: Snort 1.8p1 has been released and it is recommended that you update any Snort 1.8 installation to this revision. Snort RPMs for Red Hat are available; on a standard system they autoconfigure HOME_NET and DNS_SERVERS and leave the rest of the config file unchanged. A ruleset update is available to detect the ISAPI overflow worm: add these two rules to your ruleset:
alert tcp $EXTERNAL any -> $INTERNAL 80 (content: ".ida?"; dsize: >239; msg: "ida ISAPI Overflow"; flags: A+; nocase;)
alert tcp $EXTERNAL any -> $INTERNAL 80 (content: ".idq?"; dsize: >239; msg: "idq ISAPI Overflow"; flags: A+; nocase;)
A further ruleset update is available to detect the "CodeRed" overflow itself; test it against your own traffic before relying on it:
alert tcp any any -> any 80 (msg: "CodeRed Worm Defacement Sent"; flags: PA+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:16;)
alert tcp any any -> any 80 (msg: "CodeRed Worm Overflow Sent"; dsize: 1000; flags: PA+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:16;)
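As an added check (written for this digest, not code from the Snort project), the following Python matcher implements just the rule options used above so you can see what each rule will and will not match before deploying it. The sample payloads are constructed, not captured worm traffic. It follows the documented meaning of the options: a bare dsize number means exactly that payload size, nocase makes the preceding content case-insensitive, and depth limits the search to the first N bytes of the payload, so a 16-byte pattern with depth:16 can only match at offset 0, which is one reason the CodeRed rules deserve testing on your own traffic.

```python
import re

# Added example for this digest (not Snort code): a matcher for the rule
# options used above.  Only payload options are evaluated; the header
# (protocol, addresses, ports) and flags are parsed and kept, not checked.

HEX_RUN = re.compile(r"\|([0-9A-Fa-f \t]+)\|")


def decode_content(raw):
    """Snort content string -> bytes: |..| runs are hex, the rest literal."""
    out, pos = bytearray(), 0
    for m in HEX_RUN.finditer(raw):
        out += raw[pos:m.start()].encode("latin-1")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += raw[pos:].encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Split one rule into header and options.  nocase/depth modify the most
    recent content, as in Snort, even with other options in between.
    (Content strings containing ';' are not handled by this splitter.)"""
    header, _, body = rule.strip().partition("(")
    opts = {"header": header.strip(), "contents": [], "dsize": None, "msg": None}
    for opt in body.rstrip(") ").split(";"):
        name, _, val = opt.strip().partition(":")
        name, val = name.strip(), val.strip()
        if not name:
            continue
        if name == "content":
            opts["contents"].append({"bytes": decode_content(val.strip('"')),
                                     "nocase": False, "depth": None})
        elif name == "nocase":
            opts["contents"][-1]["nocase"] = True
        elif name == "depth":
            opts["contents"][-1]["depth"] = int(val)
        elif name == "dsize":
            opts["dsize"] = val
        elif name == "msg":
            opts["msg"] = val.strip('"')
        else:
            opts[name] = val            # flags etc.: recorded, not evaluated
    return opts


def dsize_matches(spec, size):
    """dsize: ">239", "<240" or "1000" (a bare number means exactly that size)."""
    if spec is None:
        return True
    if spec[0] == ">":
        return size > int(spec[1:])
    if spec[0] == "<":
        return size < int(spec[1:])
    return size == int(spec)


def content_matches(payload, c):
    # depth:N restricts the search to the first N payload bytes, so the whole
    # pattern has to lie inside that window.
    window = payload if c["depth"] is None else payload[:c["depth"]]
    if c["nocase"]:
        return c["bytes"].lower() in window.lower()
    return c["bytes"] in window


def rule_matches(rule, payload):
    """Return the rule's msg if the payload satisfies every option, else None."""
    opts = parse_rule(rule)
    if not dsize_matches(opts["dsize"], len(payload)):
        return None
    return opts["msg"] if all(content_matches(payload, c) for c in opts["contents"]) else None


IDA_RULE = ('alert tcp $EXTERNAL any -> $INTERNAL 80 (content: ".ida?"; dsize: >239; '
            'msg: "ida ISAPI Overflow"; flags: A+; nocase;)')
CODERED_OVERFLOW_RULE = ('alert tcp any any -> any 80 (msg: "CodeRed Worm Overflow Sent"; '
                         'dsize: 1000; flags: PA+; '
                         'content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:16;)')

# Constructed sample payloads (not captured traffic).
LONG_IDA = b"GET /default.IDA?" + b"N" * 300 + b" HTTP/1.0\r\n\r\n"   # long, upper case
SHORT_IDA = b"GET /x.ida?a=1 HTTP/1.0\r\n\r\n"                        # too short for dsize
BENIGN = b"GET /index.html HTTP/1.0\r\nX-Pad: " + b"a" * 300 + b"\r\n\r\n"
AT_OFFSET_0 = b"/default.ida?NNN" + b"N" * 984                        # exactly 1000 bytes
AFTER_GET = b"GET /default.ida?NNN" + b"N" * 980                      # exactly 1000 bytes


def demo():
    return {
        "long_ida": rule_matches(IDA_RULE, LONG_IDA),                       # "ida ISAPI Overflow"
        "short_ida": rule_matches(IDA_RULE, SHORT_IDA),                     # None
        "benign": rule_matches(IDA_RULE, BENIGN),                           # None
        "at_offset_0": rule_matches(CODERED_OVERFLOW_RULE, AT_OFFSET_0),    # "CodeRed Worm Overflow Sent"
        "after_get": rule_matches(CODERED_OVERFLOW_RULE, AFTER_GET),        # None: pattern ends past byte 16
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:12s} {hit}")
```

The ida/idq rules are robust to case and to where the string sits in the request; the overflow rule's combination of an exact dsize and depth:16 is what makes it sensitive to how the request is framed and segmented, hence the advice to test it.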
SARA 3.4.7 - Advanced Research Corporation
http://www-arc.com/sara
Security Auditor's Research Assistant (SARA) is a security analysis tool based on SATAN. It checks for common old holes, backdoors, trust relationships, default CGI scripts, common logins, open shares, and much more.
Changes: Added definitive test for IRIX-telnet vulnerability (extreme only), added time-of-day timer in rules/timing, fixed several bugs in the CSV generation programs and fixed a major bug in ftp.sara.
NetSaint Network Monitor 0.0.7 beta6 - Ethan Galstad
http://www.netsaint.org
NetSaint is a program that monitors hosts and services on your network. It can email or page you when a problem arises and again when it is resolved. NetSaint is written in C and is designed to run under Linux, although it should work under most other Unix variants. It can run either as a normal process or as a daemon, intermittently running checks on the services you specify. The actual service checks are performed by external "plugins" which return service information to NetSaint. Several CGI programs are included so that you can view the current service status, history, etc. via a web browser.
Changes: This version fixes a bug in the creation of the lock file, corrects a memory leak in the PostgreSQL backend and fixes statistics in the availability CGI. A double dollar sign ($$) can now be used to escape a single $ in commands.
Vlad 0.9.1 - Razor Security
http://razor.bindview.com/tools/vlad/index.shtml
VLAD the Scanner is an open-source security scanner that checks for the SANS Top Ten security vulnerabilities commonly found to be the source of a system compromise. It has been tested on Linux, OpenBSD, and FreeBSD. It requires several Perl modules to run (see the README for more details).
Changes: VLAD has been updated and will check for the latest IIS Unicode bug recently reported in MS00-078.
DEMARC 1.04-1 - DEMARC Organization
http://demarc.org
DEMARC is an all-inclusive network monitoring program that allows you to monitor an entire network of servers from one web interface. Instead of running separate programs for file integrity checking, network monitoring and intrusion detection, DEMARC combines all three in one client/server program. It centralizes reporting and analysis for the entire network and makes it easier to separate important data from superfluous background noise, so you can target your efforts where they belong. DEMARC requires a Unix operating system (so far tested on FreeBSD, Linux, OpenBSD, and NetBSD), Snort version 1.8, a MySQL database server and Perl with the following modules: CGI, DBI, DBD::mysql, and Digest::MD5.
Note: First time in the Tools Digest. DEMARC has been released for public consumption for the first time and looks very interesting.
PortSentry 1.1 - Psionic Software, Inc.
http://www.psionic.com/abacus/portsentry
PortSentry is a program designed to detect and respond to port scans against a target host in real time. It listens on TCP and UDP sockets and works on most UNIX systems. Advanced stealth detection modes are available under Linux only and detect SYN, FIN, NULL, XMAS, and oddball packet scans. All modes support real-time blocking and reporting of violations.
Note: First time in the Tools Digest. This tool looks interesting.
Log_analysis 0.38 - Mordechai T. Abzug
http://linux.umbc.edu/~mabzug1/log_analysis.html
Log_analysis is a log file analyzer that extracts the relevant data from each recognized log message and produces a summary that is much easier to read; it can easily be configured to recognize entirely new log types. Log_analysis natively understands about 100 different kinds of syslog messages, as well as sulog and wtmp messages for Linux, Solaris, and OpenBSD.
Note: First time in the Tools Digest.
GuardDog 1.0.0 - Devel: 1.9.3 - Simon Edwards
http://www.simonzone.com/software/guarddog
GuardDog is a user-friendly firewall generation/management utility for KDE on Linux. It lets you simply specify which protocols should be allowed and requires no knowledge of port numbers. It is intended for client machines and currently does not support router/gateway configurations. It generates scripts for ipchains. Recent releases added sane defaults for new firewalls, RPM packages for Red Hat and Mandrake, and display glitch fixes.
Changes: No new version but a manual for GuardDog has been released. A first draft is available on the site.
PCX Firewall 2.5 - James A. Pattie
http://pcxfirewall.sourceforge.net
PCX Firewall is an iptables firewalling solution that uses Perl to generate static shell scripts from the user's configuration settings. This lets the firewall start quickly, since it does not have to parse config files every time it starts.
Changes: Versions 2.4 and 2.5 were released during the week. When files are generated they are now put in their own directory named after the rules file used (output for Rules.pm). This is to make supporting multiple machines much easier. The install script has been updated accordingly to support pulling from the different directories. Removed protocol check in reject method so that it is now valid to reject on any protocol.
Astaro Security Linux 1.822 - Devel: 1.920 - Astaro AG
http://www.astaro.com/products/index.html
Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is fairly easy to manage. It is based on a specially hardened Linux 2.4 distribution in which most daemons run in chroot jails and are restricted by kernel capabilities.
Changes: New version 1.822. This version updates the virus patterns and fixes a bug in the self-monitoring notifications.
Ethereal 0.8.19 - Gerald Combs
http://www.ethereal.com
Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers. Features: data can be captured "off the wire" from a live network connection or read from a capture file, and various capture file formats are supported. Live data can be read from Ethernet, FDDI, PPP, token-ring, X.25 or Classical IP over ATM interfaces. Captured network data can be browsed via the GUI or via the TTY-mode "tethereal" program. Capture files can be programmatically edited or converted via command-line switches to the "editcap" program. Output can be saved or printed as plain text or PostScript. Data display can be refined using a display filter; display filters can also be used to selectively highlight and color packet summary information. All or part of each captured network packet can be saved to disk.
Changes: Ethereal 0.8.19 has been released. New dissectors include AppleTalk Data Stream Interface, AUTH_DES, DVMRP, GIOP, Gnutella, iSCSI, ISUP, M2PA, MP-BGP message, MSDP, MTP3, PAP, PIMv1, RFC 2250 MPEG1, QuakeWorld and Quake II. Many other dissectors were updated and bug-fixed. The release adds a utility to convert text hexdumps into pcap files (text2pcap) and a utility to merge multiple captures into one file (mergecap). A powerful addition is the idl2eth tool, which can generate a dissector from an IDL file.
Hogwash 0.1c - Jason Larsen
http://hogwash.sourceforge.net
Hogwash is designed to take out 95% of the stock attacks all the kiddies throw at your network. Hogwash lives inline like a firewall, but it works differently. Instead of closing ports like a traditional firewall, it drops or modifies specific packets based on a signature match. Hogwash lives directly on top of the network driver, so it doesn't require an IP stack to work. It stops attacks that can't be blocked by a traditional firewall and can be used to protect systems that are unpatchable for one reason or another. The signature matching engine is based on Snort. Hogwash runs under UNIX.
Changes: No information about the changes.
Stephanie 0.1 - Mike Schiffman
http://www.packetfactory.net/Projects/stephanie
Stephanie is a hardening package for OpenBSD. It includes a modified version of the series of patches for OpenBSD 2.4 for Trusted Path Execution (TPE) published in Phrack 54.
Note: First time in the Tools Digest.
Lomac 1.1.1 - Network Associates, Inc.
http://opensource.nailabs.com/lomac
Lomac (Low Water-Mark Integrity Protection for Linux) is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. Lomac is implemented as a loadable kernel module; no kernel recompilation or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script kiddies, and is stable enough for everyday use.
Changes: Changed the LKM's license from GPL to a 3-clause BSD-style license in order to support the upcoming FreeBSD port. Changed the notion of "subject" to a process instead of a process group, so Lomac now demotes individual processes within a process group independently. Although this change has little effect on Lomac's protection, it should be more efficient and cause fewer compatibility problems due to process demotions during boot and initialization. Reorganized the source tree to support builds with different kernel interfaces: the Linux 2.2 interface is still the only one supported by this distribution, but ports for Linux 2.4, Linux/RSBAC, Linux/LSM, and FreeBSD are all underway. Added controls on the LKM loading and unloading system calls to prevent remote agents from using them to install LKM-based rootkits. Added a rule to PLM to put /var/lib/pcmcia in the high-level part of the system, to keep PCMCIA card management programs happy.
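To make the low water-mark rule concrete, here is an added simulation written for this digest; it is not LOMAC's kernel module. The two-level scheme (a high level for the system, a low level for data arriving from the network) follows the design described above; process IDs, object names and the scenario are constructed. The subject_is_group switch contrasts the old process-group demotion with the per-process demotion introduced in 1.1.1.

```python
# Added illustration of the low water-mark integrity model behind LOMAC.
# Stand-alone simulation for this digest, not LOMAC's kernel code.

HIGH, LOW = 2, 1   # two integrity levels; a larger number is more trusted


class Obj:
    """A passive object (file, socket, pipe) with a fixed integrity level."""
    def __init__(self, name, level):
        self.name, self.level = name, level


class Proc:
    """A subject.  Its current level starts at the level it was started with."""
    def __init__(self, pid, pgid, level=HIGH):
        self.pid, self.pgid, self.level = pid, pgid, level


class LowWaterMark:
    """Low water-mark rule: reading lower-level data pulls the subject down to
    that level; writing is allowed only to objects at or below the subject's
    current level.  Reads are never refused, so ordinary programs keep
    working; what changes is what they may write afterwards.

    subject_is_group=True models the older LOMAC behaviour (the whole process
    group is demoted); False models 1.1.1 (only the reading process).
    """

    def __init__(self, processes, subject_is_group=False):
        self.procs = {p.pid: p for p in processes}
        self.subject_is_group = subject_is_group
        self.log = []

    def read(self, pid, obj):
        reader = self.procs[pid]
        if obj.level < reader.level:
            if self.subject_is_group:
                victims = [p for p in self.procs.values() if p.pgid == reader.pgid]
            else:
                victims = [reader]
            for p in victims:
                p.level = obj.level
                self.log.append(f"pid {p.pid} demoted to {p.level} after pid {pid} read {obj.name}")
        return True

    def write(self, pid, obj):
        p = self.procs[pid]
        allowed = p.level >= obj.level
        self.log.append(f"pid {pid} (level {p.level}) write {obj.name} (level {obj.level}): "
                        + ("allowed" if allowed else "denied"))
        return allowed


def scenario(subject_is_group=False):
    """A root daemon reads from the network, then tries to modify a system
    file.  Returns the access decisions; pids, pgids and names are made up."""
    daemon = Proc(pid=100, pgid=100)    # e.g. a network service started at boot
    sibling = Proc(pid=101, pgid=100)   # same process group, never reads the network
    policy = LowWaterMark([daemon, sibling], subject_is_group)
    remote_data = Obj("socket from remote client", LOW)
    passwd = Obj("/etc/passwd", HIGH)
    scratch = Obj("/tmp/upload", LOW)

    decisions = {}
    decisions["daemon_writes_passwd_before"] = policy.write(100, passwd)   # True
    policy.read(100, remote_data)                                          # demotion happens here
    decisions["daemon_writes_passwd_after"] = policy.write(100, passwd)    # False, even as root
    decisions["daemon_writes_scratch_after"] = policy.write(100, scratch)  # True
    decisions["sibling_writes_passwd"] = policy.write(101, passwd)         # True per-process, False per-group
    return decisions, policy.log


if __name__ == "__main__":
    for mode in (False, True):
        decisions, log = scenario(subject_is_group=mode)
        print("per-process-group:" if mode else "per-process:", decisions)
        for line in log:
            print("  ", line)
```

The per-group run shows why the old behaviour caused trouble during boot: one process in an init-time process group touching low-level data dragged down every sibling, whether or not it had read anything untrusted.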
OpenCL 0.7.4 - Jack Lloyd
http://opencl.sourceforge.net
OpenCL is a C++ cryptographic class library which aims for high portability and ease of use. It currently includes a wide selection of block and stream ciphers, hash functions, MACs, various utility functions and classes, and a high-level filter interface.
Changes: New modules: Zlib, gettimeofday and x86 RTC timers, Unix I/O for Pipe. Fixed a vast number of errors in the config script/makefile/specfile. Pipe now has a stdio(3) interface as well as C++ iostreams. ARC4 supports skipping the first N bytes of the cipher stream (à la MARK4). Bzip2 supports decompressing multiple concatenated streams, and flushing. Added a simple 'overall average' score to the benchmarks. Fixed a small bug in the POSIX timer module. Removed a very-unlikely-to-occur bug in most of the hash functions. filtbase.h now includes <iosfwd>, not <iostream>. Minor documentation updates.
MaraDNS 0.8.05 - Sam Trenholme
http://www.maradns.org
MaraDNS is a DNS server that strives to be secure and fully open-sourced. It was developed using security-aware programming rules: the code uses a special string library that is resistant to buffer overflows, and if started as root it mandates running as an unprivileged user in a chroot() jail. It is also open source and simple, with the minimum number of features needed to act correctly as an authoritative and/or recursive name server for a domain.
Changes: Too many changes since the last version published in the Tools Digest (3/May/2001). Refer directly to the changelog for more information: http://www.maradns.org/changelog.html.
nPULSE 0.54 - Horsburgh.com
http://www.horsburgh.com/h_npulse.html
nPULSE is a web-based network monitoring package for Unix-like operating systems. It can quickly monitor tens, hundreds, even thousands of sites/devices at a time on multiple ports. nPULSE is entirely written in Perl and comes with its own (SSL-optional) web server for extra security; it is currently running on networks with over 1,500 devices. It requires Perl 5.005 (or later) and Nmap 2.51 (or later); optional software is OpenSSL 0.9.6 (or later) and Net::SSLeay 1.04 (or later). The current nPULSE version is a "standard" release. nPULSE Pro is not yet ready for public release (and will not be released as freeware).
Note: First time in the Tools Digest and looks interesting.
Inflex 1.0.8 - Paul L Daniels
http://www.inflex.co.za
Inflex is a Linux email scanner which scans both incoming and outgoing email without altering your /etc/sendmail.cf file. It can scan for email viruses, unwanted file types (e.g., EXE, COM, BMP, MPEG) and file names (e.g., stages.exe). It can also be used to scan for text snippets within emails and supports Exim for delivery. Inflex can do this because it unpacks all email sent through it in such a way that normal Unix tools can be run over the contents to determine the nature of the email.
Note: First time in the Tools Digest.
AntiVir Personal Edition 6.08.00.51 - H+BEDV Datentechnik GmbH
http://www.free-av.com
AntiVir Personal Edition is anti-virus software that is completely free of charge for private and individual use. It is available in German and English and runs under Windows 9x/ME/NT and 2000.
Changes: New program version 6.08.01.53 and new VDF (virus definition file) version 6.08.00.62. No information about the changes.
Mailscanner for Postfix 0.0.6 - Peter Turczak
http://www.securityfocus.com/tools/2069
This program is invoked from a user's .forward file and scans incoming mail for .vbs, .exe, .com, .bat and similar attachments. If a message is clean it is inserted into the user's qmail-style Maildir; otherwise it is bounced. The listing gives the platform as Windows 95/98 and Windows NT; note, however, that .forward invocation and Maildir delivery are Unix mail-system mechanisms, so verify the platform before relying on that.
Changes: Added mbox-only support. This version includes exit codes and basic support for external scanners.
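Both Inflex and Mailscanner for Postfix make the same basic decision: look at the attachments a message carries and deliver or bounce it. The following Python example, written for this digest with the standard library rather than taken from either project, shows that name-based check, including the cases that trip up naive filters: upper-case and double extensions, and an executable declared under an innocent Content-Type. The banned extensions are the four the Mailscanner description names and the banned file name is the one Inflex's description gives; the sample messages are constructed here.

```python
# Added example for this digest (not Inflex or Mailscanner code): a name-based
# attachment filter of the kind both tools perform, using only the standard library.
import email
from email import policy
from email.message import EmailMessage

BANNED_EXTENSIONS = (".vbs", ".exe", ".com", ".bat")   # from the Mailscanner description
BANNED_NAMES = {"stages.exe"}                           # from the Inflex description


def attachment_names(msg):
    """Yield (file name, declared content type) for every leaf part that carries a name."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name, part.get_content_type()


def offending_attachments(msg):
    """Return the attachment names the policy refuses.

    The decision is made on the file name, not on the declared Content-Type:
    the sender controls both, and the recipient's client acts on the name.
    Matching is case-insensitive on the final extension, so 'Invoice.TXT.VBS'
    is caught just like 'invoice.vbs'.
    """
    bad = []
    for name, _ctype in attachment_names(msg):
        lowered = name.strip().lower()
        if lowered in BANNED_NAMES or lowered.endswith(BANNED_EXTENSIONS):
            bad.append(name)
    return bad


def disposition(raw_message):
    """What a .forward-invoked scanner does with one message:
    ('deliver', []) to drop it into the Maildir, or ('bounce', [names])."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    bad = offending_attachments(msg)
    return ("bounce", bad) if bad else ("deliver", [])


def build_message(filename, subtype="octet-stream"):
    """Construct a sample two-part message with one attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "see attached"
    msg.set_content("File attached.")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = (("stages.exe", "octet-stream"),      # banned by name and by extension
               ("Invoice.TXT.VBS", "octet-stream"), # upper case, double extension
               ("report.txt", "octet-stream"),      # clean
               ("readme.exe", "pdf"))               # executable hiding behind application/pdf
    for name, sub in samples:
        print(f"{name:16s} -> {disposition(build_message(name, sub))}")
```

Bouncing, as Mailscanner does, returns the attachment name to whoever forged the sender address, so on a busy host you may prefer to quarantine instead; the decision function is the same either way.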
Note: tools announced on forums are not necessarily updated, new or free; it may simply be that someone posted an announcement. We try our best to notify you only of new or updated free tools.
© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved. Last Update: 18 July 2001