HALO Network Security - Utah's Managed Security Provider



Security Tools and Information


Information Resources

SANS (System Administration, Networking and Security)
http://www.sans.org

Incidents.org/Dshield (a child of SANS)
http://www.incidents.org

CERT Coordination Center
A federally funded research and development center operated by Carnegie Mellon University.
http://www.cert.org

SecurityFocus Online
A security administrator's morning newspaper. Also home of the BugTraq mailing list.
http://securityfocus.com/online

Regular Expressions (used with Procmail, grep, ngrep)
Here is a great tutorial on using regular expressions.
http://www.oreilly.com/catalog/regex/chapter/ch04.html

SANS Security Policy Project
A collection of security policy templates covering various aspects of computer and network security.
http://www.sans.org/newlook/resources/policies/policies.htm


Firewalls

Netfilter (IPTables)
Netfilter and IPTables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling. It is the re-designed and heavily improved successor of the previous 2.2.x ipchains and 2.0.x ipfwadm systems. Also allows stateful packet filtering.
http://netfilter.samba.org


Log Tools

fwlogwatch
A packet filter and firewall log analyzer. It works with Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, Cisco IOS, Cisco PIX and Windows XP firewall.
http://cert.uni-stuttgart.de/projects/fwlogwatch/

SnortSnarf
SnortSnarf is a Perl program that takes files of alerts from the free Snort Intrusion Detection System and produces HTML output intended for diagnostic inspection and tracking down problems. The model is that one is using a cron job or similar to produce a daily, hourly, or other periodic file of Snort alerts. This script can be run on each such file to produce a convenient HTML breakout of all the alerts.
http://www.silicondefense.com/software/snortsnarf/

Psionic LogSentry
LogSentry helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail. This program is free to use at any site.
http://www.psionic.com/products/logsentry.html

Swatch
Swatch is designed to monitor system activity and log files. It uses a configuration file which contains patterns to look for and actions to take when those patterns are found, including email alerts.
http://www.oit.ucsb.edu/~eta/swatch


Security Tools

Snort
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection system. Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the "foreign" host.
http://www.snort.org

Tripwire
Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. The hard part is doing it the right way, balancing security, maintenance, and functionality. It is frequently used as a host-based intrusion detection system.
http://www.tripwire.org

Nessus
The "Nessus" Project aims to provide the internet community with a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software which will remotely audit a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not assume that a given service is running on a fixed port: if you run your web server on port 1234, Nessus will detect it and test its security. It does not base its security tests on the version number of the remote services, but will actually attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.
http://www.nessus.org

Nmap
Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.
http://www.insecure.org/nmap/

Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
http://www.ethereal.com/

GnuPG
GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI Inc.
http://www.gnupg.org/
MIT's Public Key Server is here

Wiretapped.net
Wiretapped.net is an archive of open source software, informational textfiles and radio/conference broadcasts covering the areas of network and information security, network operations, host integrity, cryptography and privacy, among others.
http://www.wiretapped.net/

WinPcap
WinPcap is an architecture for packet capture and network analysis for the Win32 platform. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.5).
http://netgroup-serv.polito.it/winpcap/

Trinux
Trinux is a ramdisk-based Linux distribution that boots from a single floppy or CD-ROM, loads its packages from an HTTP/FTP server, a FAT/NTFS/ISO filesystem, or additional floppies. Trinux contains the latest versions of popular Open Source network security tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, packet construction, active/passive OS fingerprinting, network monitoring, session-hijacking, backup/recovery, computer forensics, intrusion detection, and more. Trinux also provides support for Perl, PHP, and Python scripting languages. Trinux gives you the power of Linux security tools without requiring a full-blown Linux install or the need to download, compile, install, and update a complete suite of security tools that are typically not found in mainstream distributions.
http://trinux.sourceforge.net

ACID
The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools. It is especially useful with Snort.
http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html


Email/Antivirus

Sophos Anti-Virus
http://www.sophos.com

MailScanner
MailScanner is an Email virus scanner and spam tagger. It supports sendmail and Exim MTAs, and the Sophos, McAfee, F-Prot, F-Secure, CommandAV, InoculateIT and Kaspersky anti-virus scanners. It supports SpamAssassin for highly successful spam identification. It is specifically designed to handle Denial Of Service attacks. It is very easy to install, and requires no changes at all to your sendmail.cf file. It is designed to be lightweight, and so won't grind your mail system to a halt with its load.
http://www.sng.ecs.soton.ac.uk/mailscanner/

Procmail
Procmail can be used to create mail servers and mailing lists, sort your incoming mail into separate folders/files (very convenient when subscribing to one or more mailing lists or for prioritising your mail), preprocess your mail, start any programs upon mail arrival (e.g. to generate different chimes on your workstation for different types of mail), or selectively forward certain incoming mail automatically to someone. It is used extensively as an email filter for spam and objectionable content.
http://www.procmail.org/

© 2002 HALO Network Security, Inc.