Missing Open Source Security Tools?

Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security constantly changing, this begs the question, what open source security tools are missing? What commercial security tools have no viable open source alternatives? When securing/testing/exploring networks (home or enterprise), what security tools/applications/functionality are lacking (or non-existent) in the open source world?"

Your favorite tools

[TLouden]

Also important, if you don't think anything is missing, or even if you do, what software do you use for security purposes? Anything obscure but useful or unusual uses of common software?

SIMS

[WwWonka]

...what security tools/applications/functionality are lacking (or non-existent) in the open source world?

How about an open source Security Information Management System (SIMS) Description, Article .

Something that lets us intergrate, collect, and correlate what the other great tools (Nessus, Snort, Nmap) find.

Re:SIMS

[gfunicus]

Have a look here... http://www.ossim.net/

An enterprise security console

[drinkypoo]

Companies like CA and IBM are working to develop (or struggling to implement) single interfaces that will let you control and/or monitor the security of hundreds of systems at once, and monitor aggregates of the data so you can get both an overview and a detail view of the security status of your organization.

These tools could "leverage" existing security tools which exist in the open source world (stuff like tripwire for example) to get cross-platform support.

You don't have to just look at security, either; A multiplatform enterprise management suite with plug-in modules for filesystem, printing, security, scheduling, and good old monitoring would be a great thing to do for free. Software that does all that costs millions of dollars, single installs for sufficiently large sites can run upwards of US$10M.

Re:An enterprise security console

[mo]

While I haven't had the pleasure of working with any of these $10M install of a network management suite, I've been able to accomplish much of what you talk about using an assortment of the following open source tools:

OpenNMS
cfengine
nagios

Granted, none of these have real slick guis, and there is a bit of a learning curve to get over before you master them. However, for somebody who knows how to use the above tools, it's amazing the number of machines can be administered by one person.

Open source virus scanners

[IamTheRealMike]

I'm talking about an open source equivalent to things like Norton AntiVirus - at some point, at some time desktop Linux will be hit by viruses/spyware/other undesireables. Current security technologies are purely focussed upon preventation and none upon cure.

Yes I know there are no viruses today. That's what wargaming is for. Be prepared. It's the only way.

Network Forensics

[mplex]

This probably is a very good project for the opensource community, but it sure would be cool. I want to see an opensource version of the old SilentRunner product, now carried by Computer Associates.

eTrustTM Network Forensics captures raw network data and uses advanced forensics analysis to identify how business assets are affected by network exploits, internal data theft, and security or HR policy violations. Its patented technology allows IT and security staff to visualize network activity, uncover anomalous traffic and investigate breaches with a single, convenient solution.

http://www3.ca.com/Solutions/Product.asp?ID=4856

Re:Network Forensics

[El+Volio]

There are actually a lot of good starts on that. tcpdump and tcpreplay, combined with etherape, are a good start to the old SilentRunner Collector. The Analyzer could be replicated with something based on graphviz. Some work has been done in this area. Granted, more is left (SilentRunner had an infrastructure to move packet data around from collectors to analyzers and such), and n-gram analysis would be useful (I just found a project, Text::Ngrams, that does it in Perl), but we're not actually that far away. SilentRunner might have been uber-cool before, but now it's actually well within the reach of the free software community. I've been thinking about this a lot for almost a year; if anyone's interested in working on this, let me know (my email address is on my website), this would be a great project (so would several of these listed, actually).

user

[scrotch]

Here's one I just thought of. Maybe it's been made, and maybe 16,000 people will point out why it isn't necessary or that it's built into find or emacs or something. Here goes anyway:

Write an app that takes a username as input and shows me all the files/directories that user can read or edit or execute. If I run it as root, it shows me All files. If run as me under my account, all of my files that that user could play with. For example:
shell% sudo fileSecurityCheck -www /
will show me all files that are deleted when my webserver gets hacked.

Knopix STD all the security all the time

[phreak03]

Get Knopix STD (always a copy in my backpack) A live linux distro aimed at security with up to date packages for the following areas (From the Knopix STD site) http://www.knoppix-std.org/ * authentication * encryption * forensics * firewall * honeypot * ids * network utilities * password tools * servers * packet sniffers * tcp tools * tunnels * vulnerability assessment * wireless tools Turn it into a firewall, a web server, an IDS box, a honeypot. Use it to do data recovery on an dead or locked computer, perform a vulnerability assessment, a penetration test, perform an autopsy on a compromised machine, test your incident response team. Listen to your MP3 collection and play gnugo while waiting for that nessus scan to complete.

Encryption "Umbrella"

[macemoneta]

A tool for managing the various aspects of encryption on a system would be useful:

1- Setup and administration of VPNs (PPTP, IPSEC)
2- Administration of secure remote access (SSH)
3- Partition encryption
4- File encryption
5- Email encryption

YES there are bits and pieces, some distributions have more than others, but no control point for system-wide administration and enforcement that can be implemented across distributions.

A needed tool

[brennz]

I haven't heard of an open source tool with the same functionality as the former Raytheon SilentRunner, now CA eTrust Network Forensics
or the similar tool Niksun

An open source tool with similar capabilities would be an excellent project

monolithic network management tool

[bhsx]

Something that can premiscuously detail a LAN. It should use netcat, nmap, ethereal and the other standards to map, in real time, you LAN traffic. It should also have the ability to intercept and decode any stream on your network.
So, let's say Billy is reading Slashdot when he's supposed to be doing data entry. You see a red (for example) line leading from Billy's box to the firewall with the line labelled "slashdot.org" and the IP address. Click on Billy's box and "zoom" to focus the GUI to Billy and right click menu to "intercept and decode" to pop-up a konqueror window that follows Billy's URL jumps and shows you what he's reading. The same would be true of mpegs he's watching or mp3s he's downloading.

Other functions would be to show all nodes in the LAN as well as OS versions, all traffic in and out of each node, and any services running per node. Servers running things like ntlogon, apache or SMB would be marked as such. A "bookmarking" type feature could also be implemented as well as a sticky-note feature for notation and easy navigation.
You could call it knetsec, but I actually like a bastardization of that... Knutsac.

ZoneAlarm features

[mebon]

I would like to see a firewall with features like ZoneAlarm that has the ability to notifiy you when programs try to access the network and allows you to stop them.

Being notified that a program is trying to connect to the network can clue you in that you have been infected by a worm, virus, trojan, or spyware. Sure, Linux has relatively few malicious programs now but in the future it may become a bigger target.

Mebon

Re:tcpdump is great

[UnderLoK]

There are 3 things that piss me off to no end when using Ethereal.

1) I can't sort logs by date (this drives me insane)
2) I can't open more than one trace per session.
3) It doesn't put the trace into memory. Every time you apply a new filter it re-reads the damn file! :(

I've been using SnifferPro for about 4 years now and while it has its drawbacks I would say the inclusion of the above 3 options has more than paid for itself ;)

The one thing all sniffers lack that is needed is a quick and easy method to take notes. I'm constantly jotting down reminders, line #s, and ips on sticky notes. GIVE ME COPY & PASTE!

note: It's been called SnifferPro since I started using it.

Re:Self Defending Networks?

[Master+of+Transhuman]

You think this is funny. Let me tell you a little story.

I just took this past spring a course in "Network Security". The teacher got hold of a DARPA video on computer security and played it for us at one class session.

You wouldn't believe this crap. The scenario was a country suspiciously similar to Iraq who set up a computer center with a bunch of Arab terrorist hackers and tried to drop America's infrastructure.

So, of course, the brilliant and utterly boring (all these people looked like crew-cutted Republicans, it was unbelievable) used all sort of "cutting-edge technology" (that doesn't exist and won't for another two or three decades) to defeat the evil Arabs. It ended with them tracking the evil Arabs to their lair and a bunch of Special Forces guys busting in and shooting up the place (DIE, EVIL HACKERS! DIE!).

The tech they showed involved a lot of voice-command and voice-response computer systems, all sorts of fancy graphics stuff, and of course something very much like Total Information Awareness that allowed them to know who everybody was no matter who the hell they were. They also had the ability to search out the source of any virus or hacker penetration in minutes and then commandeer the entire US infrastructure to repel the attack.

Utter bullshit - and I told the teacher so at the end of the video.

This was a DARPA "wish-list" video with absolutely no relevance to current computer security technology.

At the end of the semester, I demo'd the Knoppix STD (Security Tools Distribution) to the class. One student asked if this stuff was "all command line". I said, well, it's all servers, and the servers all run UNIX, and servers usually are administered from the command line, so, yes, most of the tools (except for stuff like Ethereal and Nessus) was command line.

It's a long way from there to DARPA's fantasy land.

Re:tcpdump is great

[Guy+Harris]

I can't sort logs by date (this drives me insane)

"Sort logs by date" in what sense? Presumably something other than sorting by clicking on the title of the "Time" column if it's configured to display absolute time or absolute date and time.

I can't open more than one trace per session.

Non-trivial to implement - doable, but we'd need to make a lot of state information per-trace (i.e., attach it to a capture file structure) rather than global.

It doesn't put the trace into memory. Every time you apply a new filter it re-reads the damn file!

Every time you apply a new filter it:

1. generates a complete protocol tree so that it can run the filter;
2. generates the column data so that it can add a row to the display;

and, as I remember from the last profiling runs done when running filters, that takes more time than does re-reading the raw packet data. A version of the Wiretap code to memory-map the capture file being read (with a mapping window so that files bigger than the amount of address space available for mapping can be read) might be interesting, although it wouldn't necessarily improve things much, as indicated. It'd also have to deal with gzipped capature files.

The one thing all sniffers lack that is needed is a quick and easy method to take notes. I'm constantly jotting down reminders, line #s, and ips on sticky notes. GIVE ME COPY & PASTE!

That's not "copy and paste"; "copy and paste" would be the ability to copy stuff from the capture dissection (some analyzers do that; Ethereal currently doesn't). That might let you copy line (packet?) numbers and IP addresses from captures into a text file, but not arbitrary notes.

What you're asking for sounds more like the ability to insert notes into the capture file itself. Some capture file formats support that, as do the analyzers using that format (I think Microsoft Network Monitor might). Ethereal's native format (libpcap) doesn't; the next generation of libpcap is intended to be extensible, and one extension would be comment records with arbitrary text in them.

Ask not whether it's there yet...

[prandal]

.. ask if its virus patterns are.

A few friday nights back, our ClamAV started catching a little worm called W32/Zafi.b.

McAfee's DAT files to catch this one came out 2 1/2 days later, on the Monday morning (UK time).

Apart from the Nimda outbreak of 2001, this year is the only time I've seen viruses arrive at our email gateway (thanks ClamAV) before our official antivirus software updates catch them. Netsky, Bagle, and Zafi.b were all caught by ClamAV before McAfee had released DAT files for them.

I'd recommend defense in depth, using multiple virus scanners. We scan all incoming (and outgoing) emails with ClamAV, Bitdefender (free for Linux boxes), and McAfee's uvscan.

It's way too easy to fall into the mindset which says "we have antivirus software everywhere so we're safe". There will ALWAYS be a window of vulnerability between the release of a new virus and the availability of detection patterns. And don't forget that a lot of Windows viruses/worms disable any antivirus software they find running.

Phil

Re:Self Defending Networks?

[stoborrobots]

One argument FOR the command line as a newbie interface is here on OSNews.

It just goes to show, it's not just us old hackers who prefer the CLI...