Slashdot Mirror


Missing Open Source Security Tools?

Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security constantly changing, this begs the question, what open source security tools are missing? What commercial security tools have no viable open source alternatives? When securing/testing/exploring networks (home or enterprise), what security tools/applications/functionality are lacking (or non-existent) in the open source world?"

268 of 362 comments

  1. Oh great by Anonymous Coward · · Score: 3, Funny

    Here comes the "THAT'S NOT THE PROPER USE OF BEGS THE QUESTION" people. Get over it. English changes.

    1. Re:Oh great by Anonymous Coward · · Score: 2, Insightful

      Ya, but when I actually use beg the question properly people won't know wtf I'm talking about and think I'm an idiot when in fact they are the idiots!

      But I let it go cause I hate those stupid losers still whining about how hacker used to mean a guy who played with model trains at MIT or something...

    2. Re:Oh great by computational+super · · Score: 3, Funny

      Which begs the question as to its proper usage...

      --
      Proud neuron in the Slashdot hivemind since 2002.
    3. Re:Oh great by Anonymous Coward · · Score: 4, Insightful

      I bet a lot of people would have enjoyed using that excuse in English class. Can you imagine an editor at the NY Times letting this slip by? In a comment by somebody who doesn't know better, sure, let it go.

      Languages evolve, but that fact is too often used as a cop-out for being too lazy to learn correct use of a language. As it is now, "begs the question" is used incorrectly on the front page of Slashdot, a large news site. The editors should know better and hopefully after being scolded, they learn. Unlike people who scoff at corrections because "English changes."

    4. Re:Oh great by Anonymous Coward · · Score: 1, Funny

      95% of the population doesn't know how to speak properly? whoa... you must live in America.

    5. Re:Oh great by Minwee · · Score: 2, Funny

      I think that is a perfectly cromulent use of that phrase and it embiggens us all.

      Now go marklar, marklar marklar.

    6. Re:Oh great by Kope · · Score: 1

      I wonder how many of these people who complain about people correcting fairly major improper use of natural languages get a bit pissy when someone makes improper technical statements?

      It is, after all, an exactly equivalent gaffe.

      We bitch and moan when editors at the NY Times don't understand the relatively technical difference between free and open source software licenses, yet we aren't entitled to bitch and moan when the editors of slashdot don't understand the proper use of common phrases?

    7. Re:Oh great by TheLink · · Score: 1

      Yah I think it's gay.

      --
    8. Re:Oh great by happyfrogcow · · Score: 1

      Hey, an AC bashing America... you must be American.

  2. Security by Anonymous Coward · · Score: 5, Funny

    Open source security tools are missing.. security holes?

    1. Re:Security by bgeer · · Score: 4, Informative

      Um no. Ethereal was running about 1 remote-shell vuln a week for a long time. Snort has had a couple too. I guess you could argue that they're all fixed now, but you certainly can't be sure of that.

    2. Re:Security by daeley · · Score: 5, Funny

      Bob: Looks like you've been missing a lot of security holes lately.

      Peter: Well, I wouldn't exactly say I've been *missing* them, Bob.

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    3. Re:Security by ron_ivi · · Score: 3, Insightful
      Sure...

      facial-recognition & biometric stuff to identify suspects in your building

      background-check software for individuals.

      burglar alarm systems, for homes and businesses (requires some hardware)

      timed-safe software (requires some hardware)

      xray & metal-detectors & chemical-sniffers for airports (requires lotsa hardware)

      Oh, you mean computer stuff. C'mon guys, just quit using outlook to browse prOn from computers inside your firewall; and close off ports you don't need.

    4. Re:Security by zonix · · Score: 3, Funny

      Bob: Looks like you've been missing a lot of security holes lately.

      For a second there, that looked like a Clippy joke.

      z
      --
      What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
    5. Re:Security by arivanov · · Score: 1
      burglar alarm systems, for homes and businesses (requires some hardware)

      Not really, most sensors are trivial to interface. Same for card readers, etc.

      Been there done that.

      Still, you are right on target - there is nothing to interface them to in terms of software. There are no libraries, no frameworks, nothing. Same for CCTV and surveillance systems (I ended up writing my own for some of the stuff I had to do last year).

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    6. Re:Security by geordie_loz · · Score: 2, Insightful
      there are no libraries, no frameworks, nothing...... I ended up writing my own...
      Maybe if you release your stuff under the GPL then there would be.
    7. Re:Security by NateTech · · Score: 1

      Don't forget robotic automated anal probes.

      --
      +++OK ATH
    8. Re:Security by nick125 · · Score: 1

      Or at least the holes are buried very deep. At least the holes are fixed. Look at Microsoft and the vulnerabilities from 4 years ago coming to bite them, at the cost of the consumer who has to deal with security patches that just disable the problem instead of fixing it. And they call that fixing the problem. Heh.

  3. Self Defending Networks? by Neil+Blender · · Score: 5, Funny

    Oh, wait, you probably mean stuff that actually works.

    1. Re:Self Defending Networks? by Master+of+Transhuman · · Score: 5, Interesting

      You think this is funny. Let me tell you a little story.

      I just took this past spring a course in "Network Security". The teacher got hold of a DARPA video on computer security and played it for us at one class session.

      You wouldn't believe this crap. The scenario was a country suspiciously similar to Iraq who set up a computer center with a bunch of Arab terrorist hackers and tried to drop America's infrastructure.

      So, of course, the brilliant and utterly boring (all these people looked like crew-cutted Republicans, it was unbelievable) used all sort of "cutting-edge technology" (that doesn't exist and won't for another two or three decades) to defeat the evil Arabs. It ended with them tracking the evil Arabs to their lair and a bunch of Special Forces guys busting in and shooting up the place (DIE, EVIL HACKERS! DIE!).

      The tech they showed involved a lot of voice-command and voice-response computer systems, all sorts of fancy graphics stuff, and of course something very much like Total Information Awareness that allowed them to know who everybody was no matter who the hell they were. They also had the ability to search out the source of any virus or hacker penetration in minutes and then commandeer the entire US infrastructure to repel the attack.

      Utter bullshit - and I told the teacher so at the end of the video.

      This was a DARPA "wish-list" video with absolutely no relevance to current computer security technology.

      At the end of the semester, I demo'd the Knoppix STD (Security Tools Distribution) to the class. One student asked if this stuff was "all command line". I said, well, it's all servers, and the servers all run UNIX, and servers usually are administered from the command line, so, yes, most of the tools (except for stuff like Ethereal and Nessus) were command line.

      It's a long way from there to DARPA's fantasy land.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    2. Re:Self Defending Networks? by 110010001000 · · Score: 2, Insightful

      Well DARPA is Defense ADVANCED RESEARCH Projects Agency, which means that they work on advanced research (or fantasy land as you call it). I'm not sure you know what DARPA has cooking in their labs, but it is light years beyond a simple Knoppix CD.

    3. Re:Self Defending Networks? by Jorgensen · · Score: 2, Informative

      I don't know what I should find most worrying:
      - the darpa fantasy land
      - or using (what appears like) racism to argue for it?

    4. Re:Self Defending Networks? by justinmc · · Score: 1

      That is one of the best posts that I have seen in years! I know it was DARPA, so it might have been a wish-list, but hell, they may as well have gone to Blockbusters for a video! Also I agree on the command line stuff. The amount of people who are stunned by the command line or, even worse, think it is 'old' surprises me! Jay

    5. Re:Self Defending Networks? by stoborrobots · · Score: 4, Interesting

      One argument FOR the command line as a newbie interface is here on OSNews.

      It just goes to show, it's not just us old hackers who prefer the CLI...

    6. Re:Self Defending Networks? by ScarKnee · · Score: 1

      I wouldn't call it racism. I would call it a mostly-correct depiction of our real enemy. You don't see/hear about Catholics in the Vatican or Buddhists in Japan plotting the demise of the USA or anything remotely western simply based upon our religion, manner of government, use of their oil (the money made from that can be used to better their circumstances), etc.

      Should they have depicted the terrorists as little old white ladies or even children? No, they should depict them as who they are most likely to be. I would like to see the statistics on plane hijackings, night club bombings, and car bombings worldwide... see who did it. Were they Muslim Extremists? I can think of 1 incident in the U.S.A. that wasn't a Muslim Extremist (Oklahoma City). I believe the vast majority would involve Muslim Extremists.

      I could be wrong, though.

    7. Re:Self Defending Networks? by Master+of+Transhuman · · Score: 1

      Yeah, you could be wrong.

      That would be bad, since it adds to stupidity as well.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    8. Re:Self Defending Networks? by ManxStef · · Score: 1

      ...And for those that are interested and would like to learn more, but are finding it hard to get started, check out these excellent CLI for Noobies articles by Joe Barr. (Scroll to the bottom, start at "CLI for noobies: alias cat and pipe meet grep " and work your way up.)

  4. Just so no one else has to say it... by Atario · · Score: 1, Troll

    That's not how you use "begging the question"!

    Thank you.

    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    1. Re:Just so no one else has to say it... by Atario · · Score: 1

      Oh, and here's the obligatory link.

      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    2. Re:Just so no one else has to say it... by Atario · · Score: 1, Informative

      Just in case you're not trolling (which I give about a 5% chance): you might try following the explanatory link.

      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    3. Re:Just so no one else has to say it... by Anonymous Coward · · Score: 1, Insightful

      I guess you don't know the proper use of begs the question either, nor do the mods.

      The question it begs is are open source security tools really great?

  5. So.... by Dasein · · Score: 2, Insightful

    Are we searching around for a project to start? The best stuff comes when you're scratching your own itch.

    --
    You are not a beautiful or unique snowflake -- but you could be if you got off your ass.
    1. Re:So.... by RealAlaskan · · Score: 5, Funny
      The best stuff comes when you're scratching your own itch.

      If you're a programmer with an itch, may I recommend a bath? Follow that up with a visit to a dermatologist, if necessary.

      And for goodness sake, don't scratch other folk's itches! You'll spread all kinds of nasty stuff that way.

    2. Re:So.... by b00m3rang · · Score: 3, Funny
      And for goodness sake, don't scratch other folk's itches! You'll spread all kinds of nasty stuff that way.
      Yeah, like Linux!
    3. Re:So.... by robertjw · · Score: 1

      The best stuff comes when you're scratching your own itch.

      No, the best stuff comes when someone else scratches my itch...

  6. Your favorite tools by TLouden · · Score: 5, Interesting

    Also important, if you don't think anything is missing, or even if you do, what software do you use for security purposes? Anything obscure but useful or unusual uses of common software?

    --
    -Tim Louden
    1. Re:Your favorite tools by Anonymous Coward · · Score: 5, Funny

      I wrote this little app in C++ (so it's very efficient) that pops up a box every 5 minutes saying "all is well", regardless of the relationship of that message to reality. Makes me feel very secure.

    2. Re:Your favorite tools by Lancer · · Score: 5, Informative
      My favorite tool?

      knoppix-std

      Most every security tool a network admin (or script kiddie) could want in a convenient iso package.

      --
      Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
    3. Re:Your favorite tools by tanguyr · · Score: 1

      I wrote this little app in C++ (so it's very efficient) that pops up a box every 5 minutes saying "all is well", regardless of the relationship of that message to reality. Makes me feel very secure.

      Reeeeeeeeeeally? What license is it under?

      --
      #!/usr/bin/english
    4. Re:Your favorite tools by graveyhead · · Score: 2, Interesting
      Interesting... Just sent this mail to the author of jailkit. Enjoy.
      Thought I would share the fascinating setup I have managed to create using Jailkit.

      As I mentioned before, I am creating a public development environment, and want my users to be highly isolated from each other. Each user gets their own whole jail, complete with Java, Apache Tomcat, and Postgresql.

      Outside the jail, Apache 2 and mod_jk2 forward requests to the Apache Tomcat container instance running inside the jail on a unique port. Web applications running under Tomcat connect to the user's unique database port. This means that each user can stop and restart Tomcat, or destroy their Postgres database without affecting any other user.

      I've even given each jail its own mini-init system, which executes start/stop/restart commands in an /etc/init.d directory.

      This would not have been possible without Jailkit. Or, if it were, maintaining file permissions alone in such a system would have been a nightmare. Jailkit provides a partition that makes permissions management simple.

      Cheers,

      graveyhead
      --
      std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;
    5. Re:Your favorite tools by Pharmboy · · Score: 4, Funny

      I wrote this little app in C++ (so it's very efficient) that pops up a box every 5 minutes saying "all is well", regardless of the relationship of that message to reality. Makes me feel very secure.

      Now THAT sounds like something you should port over to Windows. Then again if you sold it, MS would just include it free in their next version...

      --
      Tequila: It's not just for breakfast anymore!
    6. Re:Your favorite tools by einhverfr · · Score: 1

      Lets see:

      Network Authentication and Secure Access
      1) MIT Kerberos
      2) OpenSSH
      3) IPTables

      Analysis:
      1) Netfilter
      2) FWReport
      3) TCPDump
      4) Unix command line text processing tools such as grep, wc, etc.

      IDS's I recommend:
      1) LaBrea
      2) Snort

      --

      LedgerSMB: Open source Accounting/ERP
    7. Re:Your favorite tools by earthianonice · · Score: 1

      Python + Scapy + Pcapy and Impacket have helped me in network security research ...

    8. Re:Your favorite tools by alecthomas · · Score: 5, Informative

      A more appropriate tool might be linux-vserver, which lets you assign each virtual server its own disk quota, process space and IP addresses.

    9. Re:Your favorite tools by bdgregg · · Score: 1

      Chaosreader is open source!

      It automates capturing application data, e.g. HTTP or FTP, and can replay data, e.g. telnet, X11 or VNC, plus lots more.
      It's useful to highlight the need for encryption, or as a general networking tool.

      Chaosreader is still beta (0.94); by the time it's more robust and optimised it will be released as 1.00.
      http://chaosreader.sourceforge.net

    10. Re:Your favorite tools by Yer+Mom · · Score: 1

      Does it occasionally go "TURN TAPE OVER" when you're least expecting it?

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
    11. Re:Your favorite tools by BlackHawk-666 · · Score: 1

      Careful, they probably already have submarine patents on this very app. I'd disappear if I were you, make a run for Mexico, it's cheaper than being sued by a company with $40billion in the bank.

      --
      All those moments will be lost in time, like tears in rain.
    12. Re:Your favorite tools by _pi-away · · Score: 1

      "This is my everything's OK alarm! This will sound every 4 seconds, as long as everything is OK!

      It can't be turned off, but it does . . . uh, break easily."

      --

      "The crows seemed to be calling his name, thought Caw."
    13. Re:Your favorite tools by ACPosterChild · · Score: 1

      Don't forget User Mode Linux:
      http://www.usermodelinux.org/

      UML lets you run a whole virtual Linux machine as a process. It's typical to have 10 or more virtual machines running on one computer. After looking at Linux VServer, I'm not sure how the two are different.

  7. SIMS by WwWonka · · Score: 5, Interesting

    ...what security tools/applications/functionality are lacking (or non-existent) in the open source world?

    How about an open source Security Information Management System (SIMS)? (Description, Article)

    Something that lets us integrate, collect, and correlate what the other great tools (Nessus, Snort, Nmap) find.

    1. Re:SIMS by gfunicus · · Score: 5, Interesting

      Have a look here... http://www.ossim.net/

      --
      It's better to regret something you have done that to regret something you haven't done.
    2. Re:SIMS by kfg · · Score: 2, Insightful

      Something that lets us integrate, collect, and correlate what the other great tools . . . find.

      Pipes and regular expressions?

      KFG

    3. Re:SIMS by WwWonka · · Score: 1

      >> Something that lets us integrate, collect, and correlate what the other great tools . . . find.

      Pipes and regular expression.

      Sure, that's like saying a magnifying glass can be used to find your lost class ring in the playground. Sure it will work, but extreme under-kill and a waste of time.

      Obviously you don't do security for a large network.

    4. Re:SIMS by localareasecurity · · Score: 2, Informative

      Ahhhh well, there is a little thing called Prelude HyIDS. It has been around since 1998 and has been mentioned on here: http://developers.slashdot.org/article.pl?sid=04/04/26/2133207&mode=thread&tid=126&tid=172&tid=185
      Might be what you are looking for. . .

    5. Re:SIMS by Anonymous Coward · · Score: 1, Funny

      You know.. this is the main problem with open source.. just when you think you've got a new project to start on, someone comes up with a link showing it is already available.. So depressing! ;)

    6. Re:SIMS by kfg · · Score: 5, Insightful

      Obviously you don't do security for a large network.

      No, no. That's not how it goes. If you take that approach people are likely to take it as a personal attack rather than a reasoned argument. To avoid such confusion it's best to proceed like this:

      I ask, "Pipes and regular expressions?" (you dropped my question mark and replaced it with a period)

      Then you say, "No, that won't do it, because. . . (and then you insert your argument here)

      Otherwise people might think you're just being a jerk.

      Now, I don't necessarily mind if people here and there think I'm being an intellectual jerk, or even an ignorant jerk (because, Lord knows, now and again I am an ignorant jerk), but I might feel bad if someone considered me just a jerk. So I can empathize with you being in a position where someone might think that of you.

      Sure, that's like saying a magnifying glass can be used to find your lost class ring in the playground. Sure it will work, but extreme under-kill and a waste of time.

      Wouldn't it be great if you could use pipes and regular expressions to find lost things? That would be sooooooooooo sweet, because (this is where I insert my argument) they're like a perfect multi-lens device of infinitely variable focal length and aperture, hooked up to a spectrograph, a mass spectrograph, a lathe, a mill, a tap and die set, a forge, a. . .

      So there you are, in a playground in Central Park, NYC, and you suddenly realize your class ring is missing. You aren't sure where you lost it either. Let's say you know it had to be someplace on Manhattan. You zoom the lens out to encompass Manhattan, set the aperture appropriately, and turn on the spectrograph.

      Then ask it to show you all the rings. And it does!

      "Oh, shit," you say to yourself. "Look, only show me the rings with a garnet in them."

      No, that didn't do it, there's still a pile of them too big to go through. Ok, how about all the gold rings with a garnet? Gold rings with a Garnet from the High School of the Performing Arts? Damn, that many? Ok, how about one of those ,but with that little scratch on the side with '58 Porsche grease in it?

      Bingo! There it is in a cab up in East Harlem.

      See? Not like a magnifying glass at all, but an entire suite of logical tools and set theory manipulators that can be combined in any way that suits your fancy to return any logical result you want.

      I was once having dinner with some friends and one of them, who happens to be a network tech, asked one who happens to be a professor of Chemistry, "Why has Organic Chemistry effectively become a required course for a medical degree? Does a doctor really need to know Organic Chemistry? What would they possibly actually use it for?"

      The Chemistry professor responded, "Well, a biochemist would obviously need and use Organic Chemistry, but if you just mean a practicing medical doctor, no, they don't need it and will never use it."

      "Well," asked the net tech, " why do you make them learn it then?"

      "We don't make them learn it to learn Organic Chem." replied the professor. " We make them learn it to learn deductive reasoning in a domain of applied set theory. It's to teach them diagnosis."

      And network security is a diagnostic field requiring deductive reasoning in a domain of applied set theory.

      Maybe we should make CS majors take Organic Chemistry.

      Or maybe we should just make them take math with a certain focus on logic and set theory and apply same against the computer (a mathematical logic machine) network. Then maybe they could use general purpose logical tools to construct their own specific case tools, instead of being restricted to the domain of premade tools that often don't even fit their network situation (since every large network is unique in its structure and logic, and thus no outsider can know the sets, or the possible set of logical propositions).

      KFG

    7. Re:SIMS by stridebird · · Score: 1

      That's one superb riposte of a post, oh yes. A sweet reply, my hat goes off in your general direction. Please write more, you improve this place.

    8. Re:SIMS by kfg · · Score: 1

      Of course, large networks have large flows of data, and when dealing with security you often don't know what you're looking for until you see it. It may take deductive reasoning to track down a problem, but it often takes a fair dollop of inductive reasoning to determine you have one in the first place from some pattern or anomaly, such as the minor billing anomaly that sent Cliff Stoll on his epic chase.

      To, if I may coin a term, "coagulate" the large quantity of data from your security tools a wee bit of Perl might well be in order to make life easier.

      If Mr. Wonka had said this, or some other equally valid point, I would have been left to reply:

      "Well. . . yeah."

      KFG
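
A concrete version of the pipes-and-regular-expressions approach from the two kfg posts above, added here as an example and not part of the original thread: it joins an Nmap grepable (-oG) scan against Snort "fast" alert lines, so only alerts aimed at ports the scan actually found open survive, with a hit count and the most severe Snort priority per port. The scan output, the alert lines and the local-range rule SIDs are constructed for this example; the field layouts follow the two tools' formats, and the whole thing needs nothing beyond POSIX sh, sed, awk and sort.

```shell
#!/bin/sh
# Added example: correlate Nmap -oG output with Snort fast alerts using only
# sed, awk and sort. All sample data below is constructed for this example.

# Constructed Nmap grepable output (three hosts, one with a filtered port only).
NMAP_GREPABLE='# Nmap 3.50 scan initiated (constructed sample)
Host: 192.168.1.10 (www.example.test) Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https/// Ignored State: closed (997)
Host: 192.168.1.20 () Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.1.30 () Ports: 22/filtered/tcp//ssh///
# Nmap run completed (constructed sample)'

# Constructed Snort "fast" alert lines; SIDs sit in the 1000000+ local-rule
# range so they do not collide with any real rule set.
SNORT_FAST='04/26-21:33:07.123456  [**] [1:1000001:1] LOCAL web cmd probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4321 -> 192.168.1.10:80
04/26-21:33:09.001122  [**] [1:1000002:1] LOCAL web path traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4322 -> 192.168.1.10:80
04/26-21:34:15.555555  [**] [1:1000003:1] LOCAL ssh version probe [**] [Classification: Detection of a Network Scan] [Priority: 2] {TCP} 10.0.0.6:33000 -> 192.168.1.10:22
04/26-21:35:01.000000  [**] [1:1000004:1] LOCAL dcerpc bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:1044 -> 192.168.1.30:135
04/26-21:36:40.000000  [**] [1:1000005:1] LOCAL smb-ds exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:1045 -> 192.168.1.20:445'

# stdin: Nmap -oG lines; stdout: "<ip> <port>" for every port in state "open".
# Trailing fields such as "Ignored State: ..." never carry "open" in the second
# slash-separated slot, so they fall out without special handling.
nmap_open_ports() {
  sed -n 's/^Host: \([0-9.]*\) .*Ports: \(.*\)$/\1 \2/p' |
  awk '{
    ip = $1
    for (i = 2; i <= NF; i++) {
      sub(/,$/, "", $i)          # "22/open/tcp//ssh///," -> "22/open/tcp//ssh///"
      split($i, f, "/")          # f[1] = port, f[2] = state, f[3] = protocol
      if (f[2] == "open") print ip, f[1]
    }
  }'
}

# stdin: Snort fast-alert lines; stdout: "<dst ip> <dst port> <priority>".
snort_alert_targets() {
  sed -n 's/.*\[Priority: \([0-9]*\)\].*-> \([0-9.]*\):\([0-9]*\).*/\2 \3 \1/p'
}

# $1: file of "<ip> <port>" open ports; $2: file of "<ip> <port> <priority>"
# alerts. Prints "<ip> <port> <alert count> <best priority>" (Snort priority 1
# is the most severe) for ports that are both open and alerted on. Alerts
# against closed or filtered ports, like the 135/tcp one above, are dropped.
correlate() {
  awk '
    FILENAME == ARGV[1] { open[$1 " " $2] = 1; next }
    (($1 " " $2) in open) {
      k = $1 " " $2
      n[k]++
      if (!(k in best) || $3 < best[k]) best[k] = $3
    }
    END { for (k in n) print k, n[k], best[k] }
  ' "$1" "$2" | LC_ALL=C sort
}

WORK=$(mktemp -d)
printf '%s\n' "$NMAP_GREPABLE" | nmap_open_ports     > "$WORK/open.txt"
printf '%s\n' "$SNORT_FAST"    | snort_alert_targets > "$WORK/alerts.txt"
correlate "$WORK/open.txt" "$WORK/alerts.txt"
# 192.168.1.10 22 1 2
# 192.168.1.10 80 2 1
# 192.168.1.20 445 1 1
```

On a real network the two inputs come from `nmap -oG - ...` and Snort's alert file; the join key (ip, port) is the same, and adding a third source such as Nessus output is one more sed stanza feeding the same awk join.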

  8. Sniffer Pro by Nonesuch · · Score: 5, Informative
    Sniffer Pro has features which neither "ntop" nor "ethereal" come anywhere near, both in the realtime monitoring of traffic and also in some of the "expert" functionality.

    I've yet to find an open source tool that can show a "matrix" graph of source and destination talkers by MAC/IP/IPX name in realtime as found in Sniffer. Other tools show some of this information, but do not render the same graphical display (chords of a circle) as Sniffer.

    With ethereal there's a way to do this with snapshots using graphviz, but not realtime...
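
The graphviz snapshot route mentioned above, as an added example that is not part of the original post: an sed/awk pipeline that turns `tcpdump -n -e` output into a per-pair talker matrix (by MAC or by IP) and emits Graphviz source that `circo` lays out as chords of a circle, edge thickness scaled by bytes. The capture lines are constructed to the shape of tcpdump's -e output and the MAC and IP addresses are made up.

```shell
#!/bin/sh
# Added example: build a source/destination talker matrix from tcpdump -n -e
# output and render it as a Graphviz graph. Capture lines are constructed.

# Constructed lines in the shape of `tcpdump -n -e` output (made-up addresses).
TCPDUMP_E='21:33:07.100000 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 74: 192.168.1.10.45000 > 192.168.1.20.80: S 1:1(0) win 5840
21:33:07.100500 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.168.1.20.80 > 192.168.1.10.45000: S 2:2(0) ack 2 win 5792
21:33:07.101000 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 66: 192.168.1.10.45000 > 192.168.1.20.80: . ack 1 win 5840
21:33:07.200000 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 1514: 192.168.1.10.45000 > 192.168.1.20.80: P 1:1449(1448) ack 1 win 5840
21:33:08.000000 00:0c:29:aa:bb:03 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 60: 192.168.1.30.1234 > 192.168.1.20.445: S 9:9(0) win 64240
21:33:08.500000 00:0c:29:aa:bb:03 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 60: 192.168.1.30.1235 > 192.168.1.10.22: S 10:10(0) win 64240'

# stdin: tcpdump -n -e lines
# stdout: "<src mac> <dst mac> <src ip> <dst ip> <frame bytes>" per packet.
tcpdump_flows() {
  sed -n 's/^[^ ]* \([0-9a-f:]*\) > \([0-9a-f:]*\), .*length \([0-9]*\): \([0-9.]*\)\.[0-9]* > \([0-9.]*\)\.[0-9]*:.*/\1 \2 \4 \5 \3/p'
}

# $1 = mac | ip. stdin: tcpdump_flows output.
# stdout: "<src> <dst> <packets> <bytes>", one line per directional pair.
talker_matrix() {
  awk -v mode="$1" '{
      k = (mode == "mac") ? $1 " " $2 : $3 " " $4
      pkts[k]++; bytes[k] += $5
    }
    END { for (k in pkts) print k, pkts[k], bytes[k] }' | LC_ALL=C sort
}

# stdin: talker_matrix output. stdout: Graphviz source; `circo` places the
# talkers on a circle and draws one chord per pair, thickness scaled by volume.
matrix_to_dot() {
  awk '
    BEGIN { print "digraph talkers {"; print "  layout=circo;"; print "  node [shape=box];" }
    {
      w = 1 + int(log($4) / log(10))   # 60 B -> 2, 1654 B -> 4
      printf "  \"%s\" -> \"%s\" [label=\"%d pkts, %d B\", penwidth=%d];\n", $1, $2, $3, $4, w
    }
    END { print "}" }'
}

printf '%s\n' "$TCPDUMP_E" | tcpdump_flows | talker_matrix ip
printf '%s\n' "$TCPDUMP_E" | tcpdump_flows | talker_matrix mac
printf '%s\n' "$TCPDUMP_E" | tcpdump_flows | talker_matrix ip | matrix_to_dot
```

For a snapshot, pipe the last line into `circo -Tpng -o talkers.png`; running it from cron over a rotating capture (`tcpdump -n -e -r last.pcap`) gives the periodic picture, which is as close to the Sniffer display as a batch tool gets.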

    1. Re:Sniffer Pro by np_bernstein · · Score: 1

      I'm not sure if you can do it with MAC addresses, but acid, on top of snort, will show to/from. Also, it would be pretty easy to pull that data from the db and graph it. Sure, it takes a little glueware, but it shouldn't be too hard.

      --
      RandomAndInteresting.com - defending the world from stupidity since 1979
    2. Re:Sniffer Pro by pkey · · Score: 5, Informative

      If I'm understanding what you're looking for (I've never seen Sniffer Pro in action), I think EtherApe might do it. It hasn't been updated since January of 2003, but the current version works fine for me.

    3. Re:Sniffer Pro by X.25 · · Score: 3, Insightful

      I've yet to find an open source tool that can show a "matrix" graph of source and destination talkers by MAC/IP/IPX name in realtime as found in Sniffer.

      Do you want a network monitoring system, or a sniffer?

      Even if I needed such a feature, I'd never expect it to be in Ethereal (and I use tcpdump/Ethereal daily, but not for graphs).

      If I needed (offline) graphs, I'd use netflow probes and collector. If I needed realtime stats, I'd use iptraf (well, I do use both of those anyway).

      However, I never needed to have a realtime graph within a sniffer, and even if I were an Ethereal developer, I'd tell you something nasty if you requested such a feature, considering how many more things come before 'graph' in a sniffer.

      Missing opensource security stuff - realtime graphs?

      Sad...

    4. Re:Sniffer Pro by ralphus · · Score: 2, Interesting

      I find that sniffer pro's expert is no replacement for a real expert. On the numerous occasions I've used sniffer pro I've found that the experts are just annoying and I wrote them off as an attempt to just "wizardize" protocol analysis. It seems useful for someone who is a beginner at protocol analysis, but I've been doing it for years and haven't come across a better tool for me than Ethereal. Ethereal gives me a woody. I do agree that sniffer pro has more realtime monitoring capabilities than ethereal however. Also, etherape will show a matrix graph.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    5. Re:Sniffer Pro by Lancer · · Score: 3, Funny
      Ethereal gives me a woody.

      No, no, no, you must have that backwards... woody gives you Ethereal. I'm sure that's what you meant to type.

      Right? Please?

      --
      Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
    6. Re:Sniffer Pro by ralphus · · Score: 3, Funny

      That's a good one, but I did actually mean that I have a strange fetish for protocol analysis. My court appointed therapist says it's abnormal, but I don't believe him.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    7. Re:Sniffer Pro by Grail · · Score: 1

      Is there anything like Ether Ape that's text based? I'm going to have to install 40MB worth of gnome libraries and sound card drivers on my router in order to run Ether Ape - the sound stuff is useless since my workstation isn't within hearing distance of my desk...

    8. Re:Sniffer Pro by TBone · · Score: 1

      I'm going to guess no, there's no console version of an application which graphically represents the state of your network traffic. Hence the reason you need to install 40MB of GNOME libraries :)

      --

      This space for rent. Call 1-800-STEAK4U

    9. Re:Sniffer Pro by utdpenguin · · Score: 1

      1. Ask people what tools are missing.
      2. When they answer, tell them they are stupid.
      3. ??????
      4. Profit!!

      Sorry, but I couldn't resist and I do have the karma to burn

      --
      In Soviet Russia you don't have to put up with these crappy jokes
    10. Re:Sniffer Pro by macdaddy · · Score: 2, Interesting

      If you want a text only version of what's up on your interface then go with IPTraf. It's ncurses-based. I think that'll do what you want. I used to leave it up on my Linux firewall/router so I could see what I was pulling down at any given moment.

    11. Re:Sniffer Pro by it0 · · Score: 1

      As said before, etherape has the functionality the poster requested. Sniffer pro is the mandatory tool we have to use here and I'm very impressed with its ease of use and feature richness. The graph which he is talking about is an indispensable tool to filter out large amounts of uninteresting traffic. When you are sniffing you don't always know where to look and this tool can be very helpful in this area.

    12. Re:Sniffer Pro by jacobb · · Score: 1
      but acid, on top of snort will show to from...

      Hell, a little acid and a snort or two of the finest white powders, and you don't even need a computer. The wires will speak to you.
    13. Re:Sniffer Pro by joshmccormack · · Score: 1

      Just logging in a packet sniffer can slow things down. I can only imagine what real time graphical analysis of that traffic would do. Maybe you'd see, graphically, your network traffic nose dive.

  9. We're missing a great test bed by burgburgburg · · Score: 4, Funny
    I've been working with a spectacular closed source test bed for viruses, trojans, worms and the like called "Windows". I'm able to explore and examine so much more of this malicious code as it really functions than I ever have with my OSS tools. It's like they were written for it.

    When we can create a truly fertile environment for elements like this in OSS, then we'll have arrived.

    1. Re:We're missing a great test bed by Anonymous Coward · · Score: 2, Funny

      I've found this 'Windows' you talk of and it is as good as you say: I had barely finished installing it and I had contracted a worm. Excellent work indeed.

      Unfortunately you fail to mention the license: it's awful. It appears to be a weird GPL variant that forbids access to the source, the making of derivatives and redistribution. I must have misread it I think.

    2. Re:We're missing a great test bed by jon787 · · Score: 1
      When we can create a truly fertile environment for elements like this in OSS, then we'll have arrived.

      You mean like this?
      --
      X(7): A program for managing terminal windows. See also screen(1).
  10. An enterprise security console by drinkypoo · · Score: 4, Interesting
    Companies like CA and IBM are working to develop (or struggling to implement) single interfaces that will let you control and/or monitor the security of hundreds of systems at once, and monitor aggregates of the data so you can get both an overview and a detail view of the security status of your organization.

    These tools could "leverage" existing security tools which exist in the open source world (stuff like tripwire for example) to get cross-platform support.

    You don't have to just look at security, either: a multiplatform enterprise management suite with plug-in modules for filesystem, printing, security, scheduling, and good old monitoring would be a great thing to do for free. Software that does all that costs millions of dollars; single installs for sufficiently large sites can run upwards of US$10M.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:An enterprise security console by ivanmarsh · · Score: 1

      Isn't that what Unicenter TNG is supposed to do?

    2. Re:An enterprise security console by fahrvergnugen · · Score: 1

      >Companies like CA and IBM are working to develop (or struggling to implement) single interfaces that will let you control and/or monitor the security of hundreds of systems at once, and monitor aggregates of the data so you can get both an overview and a detail view of the security status of your organization.

      Badass, do they each come with their own clone of Penn Jillette to run them for me?

      --
      Even Jesus hates listening to Creed.
    3. Re:An enterprise security console by mo · · Score: 4, Interesting

      While I haven't had the pleasure of working with any of these $10M installs of a network management suite, I've been able to accomplish much of what you talk about using an assortment of the following open source tools:

      OpenNMS
      cfengine
      nagios

      Granted, none of these have real slick GUIs, and there is a bit of a learning curve to get over before you master them. However, for somebody who knows how to use the above tools, it's amazing the number of machines that can be administered by one person.

    4. Re:An enterprise security console by jschrod · · Score: 1
      What these tools don't do is event correlation. Data warehouses and BI report tools are nice for this. And that's where the money comes in, such tools come bundled with Tivoli, Unicenter, and BMC Patrol.

      In addition, they're much more scalable. We do Nagios deployments for a living; but we will not propose to use it for a network of 50,000 devices. For that, other tools are needed. These other tools are expensive to buy, and even more expensive to deploy. But with them and good people, you have a chance to succeed.

      Of course, if one doesn't use the correlation and reporting facilities; and if one has only a few hundred or a few thousand systems to manage - then Open Source solutions are a real boost. But these are small- to mid-size installations, not big ones.

      The sign of a good craftsman is that he knows when to select the right tools.

      --

      Joachim

      People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

    5. Re:An enterprise security console by drinkypoo · · Score: 1
      Unicenter TNG is supposed to be a complete enterprise management system. Not sure if they're calling it a framework these days, which is what Tivoli used to call TME10. (Now I believe it's called something slightly different, since there's more emphasis on IBM in the Tivoli brand.) I don't know much about TNG because I worked for Tivoli and CA is "the enemy". It does seem to be kind of Windows-centric...

      Anyway, CA has a security/IDS management package that "Works with" TNG, I don't know if it requires TNG or not. I believe it has a separate console, though, and its own agent.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. Re:offtopic but... by BinaryJono · · Score: 1

    webspy is what you're looking for. urlsnarf can also be used to grab requested URLs but doesn't provide the fun "surfing-along" feature.

  12. There are open security methodologies and tools! by bandrzej · · Score: 5, Informative
    Sheez, post something of importance, and get a bunch of smart-ass flak.

    If you are looking for a proven open standard methodology for performing security tests, then Open Source Security Testing Methodology Manual (OSSTMM) is the way to go.

    In addition, there is the Linux distro Trinux, which includes most of the common Linux open source security auditing tools.

    --

    LainTheWired = isgod( int Lain, int denial, float truth)

  13. Application Level Proxies by eckes · · Score: 2, Interesting

    Ever since the FWTK offered a semi-free toolset, the community has failed to develop real free, simple, stable and secure application level proxies.

    There are some more now, but most have discovered bugs due to missing defensive programming.

    That was one of the reasons I started freefire.org, even when the mailing list currently is not used.

    --
    www.eckes.org

  14. Let's discuss job security instead. by Scoria · · Score: 4, Funny

    I propose a fork of Apache that contains a complete implementation of all IIS functionality (circa 2001), preferably enabled by default. The application must operate as 'root'. This will ensure that certain IT positions will remain abundant for many decades.

    --
    Do you like German cars?
  15. Open source virus scanners by IamTheRealMike · · Score: 4, Interesting
    I'm talking about an open source equivalent to things like Norton AntiVirus - at some point, at some time desktop Linux will be hit by viruses/spyware/other undesirables. Current security technologies are purely focussed upon prevention and none upon cure.

    Yes I know there are no viruses today. That's what wargaming is for. Be prepared. It's the only way.

    1. Re:Open source virus scanners by Mc+Fly · · Score: 5, Informative

      Duh.
      Dude, you should see clamav, a full open-source antivirus for Linux, FreeBSD and even Windows, which integrates nicely with virtually every mailer out there.

      --
      He is the Path, the Truth and the Life
    2. Re:Open source virus scanners by Albanach · · Score: 1
      The problem here is open source is usually written by volunteers (a few notable exceptions of course). People tend to devote their time to solving problems that affect them. As they're not bothered by viruses there's little inclination to write anti-virus software.

      That's why there's been so little progress with open anti-virus, but you can bet your life that if/when viruses do start to strike, people will be willing to dedicate their time and a FOSS anti-virus solution will be available.

    3. Re:Open source virus scanners by gmuslera · · Score: 5, Informative
      What about ClamAV or OpenAntivirus or a lot in the same league?

      There are also a lot of integrity checking tools which, while they don't count as "antivirus", at least report changes that could mean something nasty is running, and let's not forget things like chkrootkit.

    4. Re:Open source virus scanners by Scoria · · Score: 1

      I'm talking about an open source equivalent to things like Norton AntiVirus - at some point, at some time desktop Linux will be hit by viruses/spyware/other undesirables. Current security technologies are purely focussed upon prevention and none upon cure.

      I believe that Lindows (Linspire) is especially susceptible to this. After all, the user operates as 'root' by default, thus compromising many of the local security principles inherent to the Linux/Unix philosophy. Lindows and the other "easy-to-use" implementations of Linux haven't yet become ubiquitous enough to warrant the development of distribution-specific malware, but give it time. After all, we're already beginning to observe one-click malware intended for the Mozilla community in the wild.

      --
      Do you like German cars?
    5. Re:Open source virus scanners by ajs · · Score: 5, Insightful

      Virus scanners are for people who want to leave security holes open and then get information about the damage.

      No, they're for the people who don't trust that every security hole is known of first by the white-hats.

      Is your system secure? Are you sure? What about 5 minutes before you applied that last ssh update? Wouldn't a virus / trojan / root kit scanner give you one more level of assurance?

    6. Re:Open source virus scanners by Cyno · · Score: 1

      ...at some point, at some time desktop Linux will be hit by viruses/spyware/other undesireables.

      What makes you think it's impossible to design a secure system? What if the goal of the people designing the system is to design a secure and stable system instead of making a profitable business out of selling software and competing for market dominance? Sure, everything can be insecure, but what matters is what you do after you discover that it was implemented improperly, no? Do you scrap the old code and redesign it to protect against those new vulnerabilities or pretend they're not a threat to your business?

    7. Re:Open source virus scanners by IamTheRealMike · · Score: 2

      Actually, running as non-root provides almost no protection against viruses as most things they want to do can be done as user (send email, modify webpages using CSS/XBL, hijack programs etc). Root is a good security system on a server, but the security challenges facing the desktop are entirely different.

    8. Re:Open source virus scanners by ajs · · Score: 1

      Yes, absolutely. I've written these before, but they're of limited usefulness unless you can keep up with them, and I had too much work to do. We still use one of my old ones here at work, though as a "something is better than nothing" approach.

      You need a many-pronged approach, and ways to deal with the fact that a compromised UNIX or UNIX-like system is one of the most fearsome anti-security tools there are. You need to be able to establish the state of system security WITHOUT knowing that it was secure when you started running.

      Tripwire or the like will tell you if anything changes, but what you really want to know is "what state is this box in now, BEFORE I install any security software?"

      One such tool was chkrootkit. It was ok for a pile of shell scripts (and a few small C programs), but really needed to be cleaned up and turned into something that could be configured remotely by config updates and find some way to ensure that the system wasn't lying to it.

    9. Re:Open source virus scanners by StraightTalkExpress · · Score: 1

      The main challenge of writing good anti-virus software isn't coding - it's knowledge-gathering and timely releases. The open-source development model does not therefore buy you a lot of utility, and probably loses you some.

    10. Re:Open source virus scanners by Scoria · · Score: 2

      You're right.

      However, they also offer many daemons as "one-click downloads," and those were the subject of my response. They (did?) operate as root by default, too. Once they have been allowed to age sufficiently, these vulnerable daemons will become an excellent vector by which to propagate "auto-installing" malware.

      --
      Do you like German cars?
    11. Re:Open source virus scanners by Theatetus · · Score: 2, Insightful

      As much as I admire the clam folks, it's just not there yet.

      AV is something that could really benefit from an open, distributed development model if we could find the right precautions to take. If users could report and characterise malicious attacks as they happen, I think we could start to offer an alternative to the big AV companies' virus dictionaries (sort of like wikipedia compared to britannica).

      Obviously this would not be an easy thing to set up well (consider the. We would need some sort of "karma" like system that would reward reporting users for correctly identifying malicious software and punish them for incorrectly identifying it.

      The other thing it would require is a client that could profile and find signatures for the malicious processes/files, and some trust mechanism for these signatures to be put into a central database. Again, this would lead to some interesting security dilemmas but I don't think it's anything insurmountable.

      --
      All's true that is mistrusted
    12. Re:Open source virus scanners by deque_alpha · · Score: 1

      Here's a question for you then, in the context of a desktop system, how do you define "secure" and "security"? A big chunk of the problems that affect Windows users (the viruses/spyware/other undesirables mentioned above) do so because of their own ignorance, not because of some "security flaw". They are caused by programs that the users _choose to run_. How does the OS know that the user doesn't want their actions tracked by third parties? How does it know that the user doesn't want to be sending out tons of malformed emails to random email addresses? Simple, it doesn't, and nothing in what you seem to think of as a "secure system" will address those issues. You could make it so that only Mail Application X can send/receive mail traffic, and only Web Browser Y can send/receive web traffic. How would we do that? Well, we'd have to have somebody cryptographically sign the executables, and then build a chip into the system that checks those and then either allows or denies them based on whether or not they are approved... hmmm... this sounds a lot like Palladium, doesn't it? And I'm pretty sure that we all agree that is a Bad Idea.

      As the parent said, at some point, Linux will be targeted by these undesirables. There are only two ways to combat them: specific countermeasures (live AV software), and user education. Hopefully when Linux starts getting hit, the average users will be more clueful and it will be less of a problem, but I'm not holding my breath. Unless you want to totally hamstring the user and prevent them from being able to do anything, the kind of perfectly secure system you are talking about is impossible to create, and the sooner you accept that, the better off everyone will be.

    13. Re:Open source virus scanners by Pharmboy · · Score: 1

      As much as I admire the clam folks, it's just not there yet.

      I would agree. I use it on the mail server (Fedora/MailScanner/Spamassassin/Squirrelmail box) and it lets a couple through a week. It's a great program, granted, and it's about 95% effective, but not quite up to speed. Part of the problem with any free "as in beer" program will always be keeping up, since you can't just sell a few more copies and hire someone else, and AV is one of those tasks that require a lot of keeping up.

      I certainly don't bitch because it's a great piece of software, but I realize its limitations. Even with the limitations, it still lets me sleep a little better at night. Now if I can get the damn users to understand to NOT open attachments that "sound cool", even tho they have been warned and punished many times over.

      --
      Tequila: It's not just for breakfast anymore!
    14. Re:Open source virus scanners by anttix · · Score: 2, Informative

      Isn't that exactly what the SELinux folks are trying to do? If they finish their policy based X server I think we might see a significant leap in desktop security. The basic idea is very simple: applications should have access only to the data that belongs to them and only some "special" apps have access to other data.
      FC2 with selinux on was a disaster for desktop mode though, but as a server it's a really good idea. It's like chrooting all of your services ;)

    15. Re:Open source virus scanners by juhaz · · Score: 1

      What makes you think its impossible to design a secure system?

      Well, that's quite simple. You can't make a perfect system. Even if your goal is security and you "scrap the old code and redesign" after you find a bug, there's always the time between finding the improper implementation and the fix, and the update.

      Linux can be vastly better than Windows in security, but it, or anything else, can NOT be PERFECT in that, or any other sense. Thinking otherwise is just being self-delusional.

      That, and then there's the more important part: people will be using that system. People are stupid.

      You can't idiot proof something because nature will ALWAYS invent a better idiot.

    16. Re:Open source virus scanners by Kernel+Kurtz · · Score: 2, Informative

      F-prot has a free version for Linux, BSD, and Solaris single-user workstations, which works very well and can be easily regularly updated via cron. You can find it here:

      http://www.f-prot.com/download/home_user/

    17. Re:Open source virus scanners by ghakko · · Score: 1
      Linux does not have the uniform, backward-compatible, robust binary compatibility that Windows has. This tends to complicate things both for virus/worm writers and ISVs trying to release binary builds of their software.

      The target program may have been compiled with different gcc optimizations, or with -fomit-frame-pointer, which often rearranges things enough to foul up a stack-smashing exploit. They may be using a different compiler, or a different version of gcc. That's enough to break library linkage on many programs.

      They may be linking against different libraries, or the people building those libraries may have opted to have different code compiled in. The libraries probably aren't going to be laid out in the same places in memory at runtime. The kernel ABI may be different (the module loading mechanism, for example, has changed on the 2.6.x kernels). They may be on a different architecture.

      They may or may not be running the target program as root. They may be running it in a chroot. Or perhaps a helper program the virus depends on may not be installed.

      Individually, none of these are particularly difficult to get around. In fact, it likely won't stop a determined cracker from breaking into one particular system similar enough to one he can test his custom-crafted exploit against.

      But collectively, they fragment Linux systems and their vulnerabilities into so many little special cases that the virus/worm writer may not find the platform as a whole to be a worthwhile target.

    18. Re:Open source virus scanners by macdaddy · · Score: 1

      The Clam is a great tool. Ignore the folks that are whining about it. I use it on multiple production mail servers and haven't seen a single virus get through since I installed it. Granted it's always a good idea to have more than one AV tool check your mail and you should have an end-to-end solution on all boxes. Still Clam is a damn fine tool.

    19. Re:Open source virus scanners by Grax · · Score: 1

      Running as non-root has serious advantages though. A virus (as long as it doesn't become root due to a local exploit) can't take over the entire machine. If the virus can't replace system commands it can't hide itself. If it can't hide itself then you can just kill it by using the kill command.

    20. Re:Open source virus scanners by Mnemia · · Score: 1

      I understand what you are saying and I mostly agree. However, do you think that the near-universal availability of gcc and other compilation/linking tools on Linux poses any sort of a threat? Couldn't viruses (or more likely, trojans) just set up a routine to compile themselves and thus skirt a lot of the binary compatibility issues? After all, you could argue that the availability of source code and compilers is what makes the lack of binary compatibility not too bad of a problem for Linux distributions. I know that a lot of people remove gcc from their "secure" production machines such as servers and routers in the belief that this increases security.

      Maybe Linux viruses of the future will be able to run themselves using some sort of statically linked binary known to run on a wide variety of Linux installations, and then assess their environment and recompile themselves so that they are binary compatible with a set of target programs. They might even be able to probe such programs to try to determine the more obvious optimization settings (like -fomit-frame-pointer). Usage of configure seems to be pretty widespread for Linux source packages; why would viruses/malware be any different?

    21. Re:Open source virus scanners by IamTheRealMike · · Score: 1
      Yep, exactly. More importantly SELinux lets you set programs as suid root and then sandbox them down to less than root, so we can start doing away with the stupid root password prompts that pop up all the time (in a typical home user scenario). SELinux will also improve security on servers.

      Don't be fooled though - SELinux is great but it's purely damage control. It's only useful once your system has already been compromised.

    22. Re:Open source virus scanners by IamTheRealMike · · Score: 1

      Sure it can hide itself, just ptrace an already running program and inject some code into a well known process that way.

    23. Re:Open source virus scanners by schon · · Score: 1

      No, they're for the people who don't trust that every security hole is known of first by the white-hats.

      Your logic is backwards.

      By definition, a virus scanner can't know about a virus until a white hat does.

    24. Re:Open source virus scanners by ajs · · Score: 1

      You're thinking in terms of Windows.

      Under Unix and Unix-like systems, the vector of attack and what you do with it are usually two different things (though, in reality, modern Windows attacks are starting to look more like this, as attackers are starting to get a bit more methodical).

      Intrusion detection "scanners" under Unix have taken two forms: the signature scanner and the proactive snapshot.

      The former is what I'm referring to (and chkrootkit was a good, if primitive example). The latter would include tools like tripwire.

      So, while I might not trust that we know all of the holes in, say, my Web server, I do have a pretty good idea of the sorts of tools that an attacker would use once they got in, and I can look for those.

      Perfect? No, nothing in the security business is. It's still good to look for what you know.

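    The "proactive snapshot" approach ajs describes above (and in his earlier comment about wanting to know the state of a box before any security software is installed) is easy to see in miniature. The following is an added example, not code from the thread or from Tripwire or chkrootkit: it takes a SHA-256 baseline of every regular file under a directory, later re-snapshots, and reports what was added, removed or modified. The directory tree and the "tampering" in `demo()` are constructed for the example; in real use the baseline must be stored off the box (or taken from a trusted package manifest), otherwise a compromised system can simply feed the checker a matching baseline.

    ```python
    import hashlib
    import os
    import stat
    import tempfile


    def snapshot(root):
        """Record (sha256, permission bits, size) for every regular file under root,
        keyed by the path relative to root (always '/'-separated)."""
        baseline = {}
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic walk order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                st = os.lstat(full)  # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
        return baseline


    def compare(baseline, current):
        """Diff two snapshots; any change to content, mode or size counts as modified."""
        added = sorted(set(current) - set(baseline))
        removed = sorted(set(baseline) - set(current))
        modified = sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p])
        return {"added": added, "removed": removed, "modified": modified}


    def demo():
        """Self-contained run on a constructed temp tree: baseline, tamper, compare."""
        with tempfile.TemporaryDirectory() as root:
            os.makedirs(os.path.join(root, "bin"))
            with open(os.path.join(root, "bin", "ls"), "wb") as f:
                f.write(b"original ls binary\n")
            with open(os.path.join(root, "bin", "ps"), "wb") as f:
                f.write(b"original ps binary\n")
            base = snapshot(root)

            # Simulated tampering (constructed): ps replaced, ls deleted, new file dropped.
            with open(os.path.join(root, "bin", "ps"), "wb") as f:
                f.write(b"replaced ps binary\n")
            os.remove(os.path.join(root, "bin", "ls"))
            with open(os.path.join(root, "bin", "extra"), "wb") as f:
                f.write(b"new file\n")

            return compare(base, snapshot(root))


    if __name__ == "__main__":
        print(demo())
    ```

    The check is only as trustworthy as the kernel and tools it runs on, which is ajs's point: a snapshot compares two states, it cannot tell you the first one was clean. Running the same logic from boot media against a mounted disk, with a baseline kept elsewhere, removes the dependency on the possibly compromised host.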
  16. Security by Obscurity by descil · · Score: 3, Funny

    It seems to me that people who make security tools don't open source them on the normal channels because they don't want 5cr1p7 k1dd135 stealing them. For instance, I'm currently working on an SNMP scanner to analyze a fibre channel network - no way am I open sourcing it; it shows entirely too many holes. *shrugs*

    *black hat on*
    Besides, if the holes you find become fixed due to public notice, how are you going to exploit them in the future?
    *black hat off*

    1. Re:Security by Obscurity by Anonymous Coward · · Score: 1, Interesting

      http://www.wou.edu/~spowell/pictures/jedit.png

      BTW, those sprintfs may be full of buffer overflows...

    2. Re:Security by Obscurity by descil · · Score: 1

      LMAO good call ;) Fortunately for me, 'argument' is secured from the input end to a maximum length of MIL, and is also limited to pure ASCII. MSL is about 4*MIL. And the commands you see are trusted high-level operator commands anyway. The content itself could screw the code up with a lot less effort than a buffer overflow would take.

      Did you really go looking through all my pictures for that? *LMAO*

      BTW those are Max String Length and Max Input Length.

    3. Re:Security by Obscurity by descil · · Score: 1

      For you, the problem is clear. However, since you want more detail:

      argument = one_argument(argument, username);

      This function takes 'argument' and cuts one word off - a bunch of letters followed by a space. Or nothing, if there's no word waiting. Then it returns the remainder - still using the original string space, not copying or anything.

      Now, assuming 'argument' is 300 characters. The first word is say 6 characters. After one_argument, 'username' is six characters long, and 'argument' is 293. (The missing character is the space between the words.)

      So now 'password' can only be a maximum of 293 letters. Let's say it is. 'argument' is now the string "". When you cat these values back together, you still end up with 300 letters. Unfortunately there's a superfluous 8 letter character sitting in there too. So there's technically a hole here, if the user knew about the code, knew what MIL was (you could test, of course, and... already... had... full access to this program. However, nobody has that access except me and two other people, and they all already have shell access.

    4. Re:Security by Obscurity by descil · · Score: 1

      It is slop. It's old slop. *L* I guess you can't see the timestamp, but that code is probably four years old. It's not even part of the program anymore. Anyway, sloppy code may have made this program appear "alive" to the players, who're swearing it has a soul. Course, they -are- a little crazy.

      Are you done being anonymous yet?

    5. Re:Security by Obscurity by descil · · Score: 1

      C indentation colors? It's keyword highlighting. My tastes have since changed away from the garish. Definitely makes the code stand out tho P:

    6. Re:Security by Obscurity by descil · · Score: 1

      It's old hat. My { are different now - I finally buckled.

      while( descil.age < 20 ) {
          descil.correct++;
          world.astonished++;
      }
      while( descil.age >= 20 ) {
          descil.stubborn--;
          world.amused++;
      }

      mm. Indeed.

    7. Re:Security by Obscurity by macdaddy · · Score: 1

      You think security through obscurity is bad? I used to work with some folks that thought security through obsolescence was the key. In a way I can see their point. After all, their DB software was older than most of the script kiddies attacking it. LOL

  17. Re:Sigh by Anonymous Coward · · Score: 2, Funny

    don't suggested


    If you're going to be a grammar nazi, try to avoid stupid typos you dumb fuck.

  18. tcpdump is great by SquadBoy · · Score: 2, Interesting

    I use it every day all day long and could not do my job without it. But I would really love a GUI better than ethereal for it. Something that implements the more advanced features of Sniffer Pro or whatever they are calling it this week. Better searches, better ability to highlight and get data. Also the enhancement I would really like to see in tcpdump (and thus all the frontends for it) would be the ability to filter on x.x.x.x x.x.x.x, in other words to be able to see traffic from or to a specific IP and another IP. This comes up in testing for me all the time. For example I want to see if a given packet is making it from my PC to a device somewhere. If that device happens to be chatty it would be nice to be able to filter it down to between it and my PC. Since I'm normally admining at least one of the devices between me and it from the same PC all the workarounds feel clunky. So not so much a new app but ways in which a good app can be improved. For example when they put the -packet_trace function in nmap it became much more useful for me than it had been and it was already da bomb.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    1. Re:tcpdump is great by SquadBoy · · Score: 1

      /. took my arrow out it was supposed to be x.x.x.x -> x.x.x.x

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    2. Re:tcpdump is great by OverlordQ · · Score: 1

      like:

      tcpdump (options) | grep | grep

      It's a horrible kludge but it'd work.

      --
      Your hair look like poop, Bob! - Wanker.
    3. Re:tcpdump is great by Anonymous Coward · · Score: 1, Informative
      you mean something like . . .
      tcpdump (src host a.b.c.d or src host 1.2.3.4) and (dst host a.b.c.d or dst host 1.2.3.4)
      tpcdump has very powerful filtering - you just have to learn to use it.
    4. Re:tcpdump is great by Nothinman · · Score: 3, Informative
      You could also look at ngrep, but learning tcpdump's filter syntax should probably be your first priority since you use it every day and it's available on just about every system.

      Description: grep for network traffic ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

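    The capture filter given a couple of comments up answers the original request exactly: keep a packet only when both its source and its destination are one of the two hosts. As an added example, not code from the thread, tcpdump or ngrep, the Python below builds a small pcap file from constructed IPv4 frames (made-up addresses 10.0.0.5 for "my PC", 10.0.0.9 for the chatty device, 10.0.0.7 for a third host), parses the classic pcap format back, and applies the same "between two hosts" predicate offline; `bpf_between()` just emits the expression string from the comment for the two addresses.

    ```python
    import socket
    import struct

    # Dummy MAC addresses for the constructed frames (values are arbitrary).
    ETH_DST = bytes.fromhex("001122334455")
    ETH_SRC = bytes.fromhex("66778899aabb")


    def ipv4_frame(src, dst, proto=6, payload=b""):
        """Build a minimal Ethernet/IPv4 frame (header checksum left as 0)."""
        ip_hdr = struct.pack("!BBHHHBBH4s4s",
                             0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                             socket.inet_aton(src), socket.inet_aton(dst))
        return ETH_DST + ETH_SRC + b"\x08\x00" + ip_hdr + payload


    def build_pcap(frames, linktype=1):
        """Wrap frames in a little-endian classic pcap file (magic 0xa1b2c3d4, DLT_EN10MB)."""
        out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, frame in enumerate(frames):
            # per-record header: ts_sec, ts_usec, captured length, original length
            out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame))
            out += frame
        return bytes(out)


    # Constructed sample capture: two packets between PC and device, one to a third host.
    SAMPLE_PCAP = build_pcap([
        ipv4_frame("10.0.0.5", "10.0.0.9", proto=6),    # PC -> device (TCP)
        ipv4_frame("10.0.0.9", "10.0.0.5", proto=17),   # device -> PC (UDP)
        ipv4_frame("10.0.0.9", "10.0.0.7", proto=6),    # device chatting elsewhere
    ])


    def iter_ipv4(pcap):
        """Yield (src, dst, proto) for every IPv4-over-Ethernet record in a pcap byte string."""
        magic = struct.unpack_from("<I", pcap, 0)[0]
        if magic == 0xA1B2C3D4:
            end = "<"
        elif magic == 0xD4C3B2A1:
            end = ">"
        else:
            raise ValueError("not a classic pcap file")
        linktype = struct.unpack_from(end + "IHHiIII", pcap, 0)[6]
        if linktype != 1:
            raise ValueError("only Ethernet (DLT_EN10MB) is handled here")
        off = 24  # global header size
        while off + 16 <= len(pcap):
            _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
            off += 16
            frame = pcap[off:off + incl_len]
            off += incl_len
            if len(frame) < 34 or frame[12:14] != b"\x08\x00":
                continue  # truncated record or not IPv4
            ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
            if ver_ihl >> 4 != 4:
                continue
            yield socket.inet_ntoa(src), socket.inet_ntoa(dst), proto


    def bpf_between(a, b):
        """The capture-filter expression quoted in the thread, for hosts a and b."""
        return (f"(src host {a} or src host {b}) and "
                f"(dst host {a} or dst host {b})")


    def between(pcap, a, b):
        """Same predicate applied offline: both endpoints must be a or b."""
        pair = {a, b}
        return [(s, d, p) for s, d, p in iter_ipv4(pcap) if s in pair and d in pair]


    if __name__ == "__main__":
        print(bpf_between("10.0.0.5", "10.0.0.9"))
        for rec in between(SAMPLE_PCAP, "10.0.0.5", "10.0.0.9"):
            print(rec)
    ```

    Note that both the quoted expression and `between()` also accept a packet a host sends to itself; `host A and host B` is the shorter pcap-filter form when that case does not matter. The parser deliberately skips records shorter than an Ethernet plus IPv4 header instead of raising, since a real capture with a small snaplen will contain them.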
    5. Re:tcpdump is great by SquadBoy · · Score: 1

      It would seem that I have a lot to learn. Thanks for the tips. :)

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    6. Re:tcpdump is great by UnderLoK · · Score: 4, Interesting

      There are 3 things that piss me off to no end when using Ethereal.

      1) I can't sort logs by date (this drives me insane)
      2) I can't open more than one trace per session.
      3) It doesn't put the trace into memory. Every time you apply a new filter it re-reads the damn file! :(

      I've been using SnifferPro for about 4 years now and while it has its drawbacks I would say the inclusion of the above 3 options has more than paid for itself ;)

      The one thing all sniffers lack that is needed is a quick and easy method to take notes. I'm constantly jotting down reminders, line #s, and ips on sticky notes. GIVE ME COPY & PASTE!

      note: It's been called SnifferPro since I started using it.

    7. Re:tcpdump is great by Guy+Harris · · Score: 3, Interesting
      I can't sort logs by date (this drives me insane)

      "Sort logs by date" in what sense? Presumably something other than sorting by clicking on the title of the "Time" column if it's configured to display absolute time or absolute date and time.

      I can't open more than one trace per session.

      Non-trivial to implement - doable, but we'd need to make a lot of state information per-trace (i.e., attach it to a capture file structure) rather than global.

      It doesn't put the trace into memory. Every time you apply a new filter it re-reads the damn file!

      Every time you apply a new filter it:

      1. generates a complete protocol tree so that it can run the filter;
      2. generates the column data so that it can add a row to the display;

      and, as I remember from the last profiling runs done when running filters, that takes more time than does re-reading the raw packet data. A version of the Wiretap code to memory-map the capture file being read (with a mapping window so that files bigger than the amount of address space available for mapping can be read) might be interesting, although it wouldn't necessarily improve things much, as indicated. It'd also have to deal with gzipped capture files.

      The one thing all sniffers lack that is needed is a quick and easy method to take notes. I'm constantly jotting down reminders, line #s, and ips on sticky notes. GIVE ME COPY & PASTE!

      That's not "copy and paste"; "copy and paste" would be the ability to copy stuff from the capture dissection (some analyzers do that; Ethereal currently doesn't). That might let you copy line (packet?) numbers and IP addresses from captures into a text file, but not arbitrary notes.

      What you're asking for sounds more like the ability to insert notes into the capture file itself. Some capture file formats support that, as do the analyzers using that format (I think Microsoft Network Monitor might). Ethereal's native format (libpcap) doesn't; the next generation of libpcap is intended to be extensible, and one extension would be comment records with arbitrary text in them.

    8. Re:tcpdump is great by Guy+Harris · · Score: 1
      tpcdump[sic] has very powerful filtering - you just have to learn to use it.

      And Ethereal has, of course, the exact same filtering for captures (because they both use libpcap for capturing and filtering of captures). Ethereal's display filtering can do the same sort of things, albeit with different syntax (tcpdump's syntax doesn't fit the "filter on arbitrary field" model Ethereal has; it might be nice to have Ethereal translate a smaller display-filter-like language into capture filters - the full display filter syntax isn't implementable with BPF-style capture filters - and that might happen at some point).

    9. Re:tcpdump is great by UnderLoK · · Score: 1

      "Sort logs by date" in what sense? Presumably something other than sorting by clicking on the title of the "Time" column if it's configured to display absolute time or absolute date and time

      I was reffering to the actual OPEN process. ;)

    10. Re:tcpdump is great by Guy+Harris · · Score: 1
      I was reffering[sic] to the actual OPEN process.

      There's no sorting done when the file is opened; do you mean that if the packets are out of order by time stamp in the capture file (which would be the result of a bug in the underlying capture mechanism - it should be delivering packets in time-stamp order; when do you see out-of-order packets?), Ethereal should re-order them?

      If Ethereal were to do that, note that Tethereal wouldn't be able to reorder them, as it is, by design and intent, a one-pass program.

  19. Network mapping ! by dago · · Score: 1

    See Lumeta and sourcefire products.

    Bonus if it can be passive and list OS, services, ...

    --
    #include "coucou.h"
  20. Re:offtopic but... by mukund · · Score: 2, Interesting

    Does thee get tempted with EtherPEG or Driftnet?

    --
    Banu
  21. Give me reporting tools! by Bubblehead · · Score: 5, Insightful

    I am constantly trying to improve the security of my home network, and the available tools are pretty powerful. My biggest problem has been to find powerful reporting tools. I use iptables as a firewall, tripwire for intrusion detection, etc. But it's not always easy to see what's going on in the system. Tripwire produces decent reports; but there is no easy way (afaik) to get a list of intrusion attempts, network traffic, port scans, etc. Sure, the information is in the logs - but the log information is hard to parse and often not as complete as it should be.

    --
    Under capitalism man exploits man. Under communism it's the other way around.
    1. Re:Give me reporting tools! by proj_2501 · · Score: 2, Informative

      have you tried portsentry?

    2. Re:Give me reporting tools! by Anonymous Coward · · Score: 1, Informative

      Try installing snort and use ACID with it.

      I have found this shows the information that you are looking for.

    3. Re:Give me reporting tools! by CyberVenom · · Score: 1

      You also have to watch out for the weirdos who actually manage to get root on your box and then take it upon themselves to edit your logs. :-p It might be a good idea to report alerts to an external machine so that the record itself can't be compromised.

      Suggestions:

      syslog to remote logserver that has no open ports except syslog.

      tail -f your logfile to a line printer with plenty of bannerfold paper. Let's see a hacker try to erase that log! (just make sure you don't leave the carriage on the same line as the entry about my intrusion or I may just run several hundred "X"s over the top of it before issuing an LF)

      send email to an external email account when an incident is detected.

      (I have phun with my friends' machines in the name of security. Can you tell?)

    4. Re:Give me reporting tools! by reallocate · · Score: 1

      Line Printer? Now, that's a useful suggestion for a home network. Who needs a vacation this year? I'll buy a line printer! Everyone will understand.

      --
      -- Slashdot: When Public Access TV Says "No"
    5. Re:Give me reporting tools! by CyberVenom · · Score: 1

      lol.
      You can get an old Panasonic or Epson dot-matrix for fairly cheap. (might even be able to find an IBM!) It's the ribbons and paper that will kill your budget. (although not as much as laser toner, drums, and quartz lamps.)

    6. Re:Give me reporting tools! by macdaddy · · Score: 1

      Since it's really hard to find now that Cisco bought Abacus I thought I should provide a link. I'm glad Craig put up the sentry family of tools again. I loved portsentry. I do wish it had a few more features. Perhaps I'll add them myself someday.

    7. Re:Give me reporting tools! by macdaddy · · Score: 1

      Err, I said Abacus. I meant Psionic. My bad.

    8. Re:Give me reporting tools! by fredy · · Score: 1

      logcheck, when tuned to match your system, does a nice job of reporting unusual log entries amidst all the normal cruft.

    9. Re:Give me reporting tools! by #undefined · · Score: 1

      for viewing stats gleaned from your iptables entries in the syslog: fwanalog

      fwanalog essentially rewrites your iptable syslog entries into a format similar to apache log files (can't remember the format name: common log?), and then calls analog to summarize the log (using tables, charts, graphs).
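An added example, not fwanalog's or analog's own code, of the kind of report the post describes: it reads iptables LOG lines as syslog records them and prints hits per source address, destination port and protocol, plus any source that touches many distinct ports (the port-scan summary the parent post asks for). It assumes the kernel's key=value log layout with a "kernel:" syslog tag and awk(1); the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not fwanalog's code): summarise iptables LOG lines from
# syslog. Assumes the kernel's "SRC=... DST=... PROTO=... DPT=..." layout.

# Constructed sample syslog lines (RFC 5737 addresses) with an iptables
# --log-prefix of "IPT-DROP:", as a typical ruleset would add.
SAMPLE_LOG='Jun 30 21:10:01 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jun 30 21:10:03 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Jun 30 21:10:05 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Jun 30 21:10:09 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=7 PROTO=UDP SPT=40004 DPT=53 LEN=40
Jun 30 21:11:00 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=21 SYN URGP=0
Jun 30 21:11:00 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Jun 30 21:11:01 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=51002 DPT=80 SYN URGP=0
Jun 30 21:11:01 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=51003 DPT=443 SYN URGP=0
Jun 30 21:12:30 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.5 LEN=84 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# summarize_iptables < log
# Prints "count src dport proto", most frequent first. Lines without a
# DPT (ICMP, for example) report "-" for the port.
summarize_iptables() {
    awk '
        /kernel:.*PROTO=/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # tokens like "DF" or "SYN"
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") hits[src " " dpt " " proto]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# portscan_sources MIN < log
# Prints "src distinct_ports" for every source that hit at least MIN
# distinct destination ports: a crude port-scan indicator.
portscan_sources() {
    awk -v min="${1:-3}" '
        /kernel:.*PROTO=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dpt != "") seen[src, dpt] = 1
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
            for (s in ports) if (ports[s] >= min) print s, ports[s]
        }
    ' | sort
}

# report FILE: both summaries over a real log, e.g. /var/log/messages.
report() {
    echo "== hits by source / port / protocol =="
    summarize_iptables < "$1"
    echo "== sources hitting 3 or more distinct ports =="
    portscan_sources 3 < "$1"
}

if [ "$#" -ge 1 ]; then
    report "$1"
fi
```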

  22. This Question should be reversed. by Pros_n_Cons · · Score: 3, Insightful

    A ton of tools are available for nix boxes, take a look at the live cd security distros. Tons of perl scripts or .c files. infosec geeks don't need fancy GUIs we need little scripts that can be piped or molded for different needs. look at all the tools that have been ported to win32 from linux/bsd like hping, nmap, nessus, ethereal, netcat, nemesis, datapipe, fport, lcrzoex, snort, etc. It's the closed source guys who need to get cracking. Look at Foundstone all they do is port stuff cause the win32 crap sucks. OSS tools are the ones leading the pack on this front. That being said perhaps Snort could be a bit easier/less prone to false positives, I couldn't grasp it completely until getting a book on it.

    --

    -- "of course thats just my opinion, I could be wrong." --Dennis Miller
    1. Re:This Question should be reversed. by CerebusUS · · Score: 1

      I'm in agreement here. We've got a bunch of people running around trying to buy network security stuff and typically every time they come up with something, it merely does what some other freely ported piece of software does.

      And the Snort guys are working on your request, at least according to an older slashdot article.

  23. tcpdump has src and dest filters by rdunnell · · Score: 3, Informative

    You can do stuff like tcpdump -i xl0 src 10.0.0.1 and dst 10.0.0.2 and stuff like that.

    1. Re:tcpdump has src and dest filters by caluml · · Score: 1

      I was surprised when I told a guy that I thought was knowledgeable about nix that -X -s 65535 showed the contents of the packets too. He thought tcpdump was just for looking at the types of packets.

  24. Network Forensics by mplex · · Score: 5, Interesting
    This probably is a very good project for the opensource community, but it sure would be cool. I want to see an opensource version of the old SilentRunner product, now carried by Computer Associates.

    eTrust™ Network Forensics captures raw network data and uses advanced forensics analysis to identify how business assets are affected by network exploits, internal data theft, and security or HR policy violations. Its patented technology allows IT and security staff to visualize network activity, uncover anomalous traffic and investigate breaches with a single, convenient solution.

    http://www3.ca.com/Solutions/Product.asp?ID=4856
    1. Re:Network Forensics by El+Volio · · Score: 3, Interesting

      There are actually a lot of good starts on that. tcpdump and tcpreplay, combined with etherape, are a good start to the old SilentRunner Collector. The Analyzer could be replicated with something based on graphviz. Some work has been done in this area. Granted, more is left (SilentRunner had an infrastructure to move packet data around from collectors to analyzers and such), and n-gram analysis would be useful (I just found a project, Text::Ngrams, that does it in Perl), but we're not actually that far away. SilentRunner might have been uber-cool before, but now it's actually well within the reach of the free software community. I've been thinking about this a lot for almost a year; if anyone's interested in working on this, let me know (my email address is on my website), this would be a great project (so would several of these listed, actually).

      --

      "You can never have too many elephants on your team."

  25. Etherape by Effugas · · Score: 2, Informative

    Does what you're describing.

  26. WPA support by FU_Fish · · Score: 3, Insightful

    To my knowledge there is no, or perhaps very limited, support for the WPA standard. Granted, this isn't a tool, but it's security related.

    1. Re:WPA support by bersl2 · · Score: 1

      The WPA branch of the MADWIFI drivers for Atheros chipset-based 802.11[abg] cards supports WPA-PSK and mostly WPA client-side. AP support is forthcoming.

    2. Re:WPA support by imroy · · Score: 1

      Open1x
      Haven't used it myself but I have looked at it. It uses FreeRADIUS, which authenticates against LDAP or various SQL databases.

    3. Re:WPA support by Aneurysm9 · · Score: 1

      I'm using the WPA supplicant and authenticator from hostap with FreeRADIUS and it's working beautifully. The setup is a little opaque, but once it's working it's very easy to maintain.

      --
      There was Cowboy Neal at the wheel of a bus to never-ever land.
  27. user by scrotch · · Score: 5, Interesting

    Here's one I just thought of. Maybe it's been made, and maybe 16,000 people will point out why it isn't necessary or that it's built into find or emacs or something. Here goes anyway:

    Write an app that takes a username as input and shows me all the files/directories that user can read or edit or execute. If I run it as root, it shows me All files. If run as me under my account, all of my files that that user could play with. For example:
    shell% sudo fileSecurityCheck -www /
    will show me all files that are deleted when my webserver gets hacked.

    1. Re:user by norkakn · · Score: 1

      I remember having to change all files that I could write to when I was setting up my OSX box to access an AFS space, so I think the functionality is built in. If I get time tonight I'll see if I can find that script and I'll pass it on to you.

      (So, I think it is possible, and this post is a reminder to me)

    2. Re:user by JAD+lifter · · Score: 1

      Although not exactly what you are looking for, I often use AccessEnum by Sysinternals when I want to see who has access to a specific file.

    3. Re:user by DaveAtFraud · · Score: 4, Informative

      find already does most of what you're looking for:

      find . -perm u=xrw,g=xrw,o=xrw -print

      finds all mode 777 files under the current directory (the initial ".", substitute a path like /var/www if that's where you want to look). If you run it as root (probably required for what you want to do), you can use -user or -uid to find all of the files owned by a particular user name or UID.

      Play with the -perm or +perm flags if need be to refine the result.

      --
      They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
      Ben
    4. Re:user by bofkentucky · · Score: 1

      man find
      especially the -user, -group, and -perm flags
      Writing the shell script around find that asks for the username, checks the users group memberships, and prints the matching lines is an exercise left to the reader.

      --
      09f911029d74e35bd84156c5635688c0
    5. Re:user by Anonymous Coward · · Score: 1, Insightful

      It's a little more complicated than that - keep in mind that you can unlink() files you don't own, so long as they're immediately inside of a directory you have write access to.

    6. Re:user by DaveAtFraud · · Score: 1

      Yeah, but I figure if I get him into using find, he can figure out the details like that for himself. It may take a couple of passes (e.g., something like my initial post but with "-type d" to just check permissions on directories) with different passes applying different rules to determine which file or directory don't have the permissions he wants. I'd bet on three passes: regular files, directories, and executables will each have different "rules".

      I like to give people enough information to get them started and let them figure out the details on their own. If you spoon feed too much, you end up with a script kiddie who doesn't know why what he's doing gives the right answer and then can't apply it anywhere else.

      --
      They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
      Ben
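The shell script around find that replies 3 and 4 leave to the reader, including the unlink() point raised in replies 5 and 6; this is an added example, not code from any poster. The name fileSecurityCheck is borrowed from the original post; the script assumes POSIX sh with find(1) and id(1), and it does not model ACLs, root's override of the permission bits, or the search bits on intermediate directories.

```shell
#!/bin/sh
# Added example (not from any poster): list what a given user may read,
# write or execute, built on find(1) as the replies above suggest.
# Assumes POSIX sh, find(1) and id(1). Run as root to cover files you
# cannot read yourself. Not modelled: root's permission override, POSIX
# ACLs, and search (x) permission on the directories leading to a file.

# accessible_by USER MODE ROOT [extra find tests...]
# MODE is r, w or x. Prints every entry under ROOT that USER may access
# in that mode via the owner bits, any of the user's groups, or "other".
accessible_by() {
    user=$1 mode=$2 root=$3
    shift 3
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    case $mode in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) echo "mode must be r, w or x" >&2; return 2 ;;
    esac
    groups=$(id -Gn "$user")
    # Assemble the find argument list in the positional parameters: no
    # eval and no word-splitting of a hand-built string. Extra tests go
    # before the permission expression so that they AND with it.
    set -- "$root" "$@" "(" "(" -user "$user" -perm "-${bit}00" ")"
    for g in $groups; do
        set -- "$@" -o "(" -group "$g" -perm "-0${bit}0" ")"
    done
    set -- "$@" -o -perm "-00${bit}" ")" -print
    find "$@"
}

# deletable_by USER ROOT
# unlink() needs write permission on the containing directory, not on
# the file, so a read-only file inside a directory USER can write is
# still deletable. Sticky directories (/tmp style) limit deletion to the
# entry's owner, so they are skipped here.
deletable_by() {
    accessible_by "$1" w "$2" -type d ! -perm -1000 |
    while IFS= read -r dir; do
        find "$dir" -mindepth 1 -maxdepth 1 -print
    done
}

# Usage: sudo ./fileSecurityCheck USER [ROOT]
if [ "$#" -ge 1 ]; then
    echo "== writable by $1 =="
    accessible_by "$1" w "${2:-/}" -type f
    echo "== deletable by $1 =="
    deletable_by "$1" "${2:-/}"
fi
```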
  28. Gentoo Hardened -- need I say more? by Hackeron · · Score: 2, Insightful

    http://www.gentoo.org/proj/en/hardened/

  29. Re:Oh shut up by Anonymous Coward · · Score: 2, Insightful

    Who cares if it's common? Common people are stupid, cow-like beasts who couldn't entertain an original thought if their lives depended on it.

    Enforcing proper usage keeps the language from degrading to a form where it can no longer express complex ideas, as common people are incapable of formulating such ideas.

  30. Dude by Anonymous Coward · · Score: 1, Funny
    Please capitalize the name properly. It's EtherApe.

    Etherape looks rather nasty. Either that or it's just my filthy mind. (BTW who's Ethe?)

  31. Knopix STD all the security all the time by phreak03 · · Score: 5, Interesting

    Get Knopix STD (always a copy in my backpack). A live linux distro aimed at security with up to date packages for the following areas (From the Knopix STD site) http://www.knoppix-std.org/
    * authentication
    * encryption
    * forensics
    * firewall
    * honeypot
    * ids
    * network utilities
    * password tools
    * servers
    * packet sniffers
    * tcp tools
    * tunnels
    * vulnerability assessment
    * wireless tools
    Turn it into a firewall, a web server, an IDS box, a honeypot. Use it to do data recovery on a dead or locked computer, perform a vulnerability assessment, a penetration test, perform an autopsy on a compromised machine, test your incident response team. Listen to your MP3 collection and play gnugo while waiting for that nessus scan to complete.

    --
    come comment on the madness at http://slashdot.org/~phreak03/journal/
    1. Re:Knopix STD all the security all the time by cant_get_a_good_nick · · Score: 1

      There's something about seeing STD in a forum about viruses that doesn't quite look right...

  32. sentinix is the siznit by Anonymous Coward · · Score: 2, Informative

    and don't forget sentinix
    http://sentinix.org

    defiance

  33. Re:Sigh by Tarantolato · · Score: 1, Redundant

    "Begging the question" used to describe this alleged fallacy of reasoning is bad (modern) English. As a translation of "petitio principii" it probably made sense to 17th century British schoolboys, but "appeal to principle" is much better modern English.

    A good reason to avoid the construction altogether is to avoid looking like one of the asshats who cites nizkor.org as an authority - or worse, drawing them out of their pedantic cubbyholes.

  34. Well, duh by jb.hl.com · · Score: 1

    Ad-Aware and Spybot of course!

    --
    By summer it was all gone...now shesmovedon. --
  35. Encryption "Umbrella" by macemoneta · · Score: 4, Interesting

    A tool for managing the various aspects of encryption on a system would be useful:

    1- Setup and administration of VPNs (PPTP, IPSEC)
    2- Administration of secure remote access (SSH)
    3- Partition encryption
    4- File encryption
    5- Email encryption

    YES there are bits and pieces, some distributions have more than others, but no control point for system-wide administration and enforcement that can be implemented across distributions.

    --

    Can You Say Linux? I Knew That You Could.

    1. Re:Encryption "Umbrella" by Etyenne · · Score: 1

      Ok, could you explain what email encryption, ssh and VPN have in common (besides encryption)? Why should they be administered within a single tool instead of many specialized (and probably better suited) tools?

      Personally, I hate monolithic tools. You are stuck using sub-par components of the suite instead of picking best-of-breed specialized tools.

      --
      :wq
  36. The user-friendly/visually appealing interface by DeepDarkSky · · Score: 4, Insightful

    Most open source projects focus on utility, not on appearance. The most powerful tools are often the simplest ones (in appearance). However, the ability to visualize and/or put a user-friendly interface is usually a good next step. Some may call this approach the "Microsoft dumbing down" approach, since it is Microsoft who usually puts a deceptively simple user interface in front of a much more complex and powerful tool.

    However, that doesn't mean these tools couldn't benefit from good visual front ends (and I'm sure people will point out there are plenty). Humans' ability to make sense of well designed visual information (a la Edward Tufte) cannot be understated.

    I also seem to recall reading a slashdot story a long while back about Infineon (I think) that had a hardware sniffer that is able to reconstruct TCP/IP traffic/session/connections that are captured, and it recognized hundreds of protocols/applications.

    Bring all of that together: open source software being able to visually display security information in a meaningful way, using some kind of open standard like, say, OpenGL. Adding more to the existing foundation tools that we already have, that's where some contribution can be useful.

    But that's just what I think, by no means do I think it's the best answer.

    1. Re:The user-friendly/visually appealing interface by cbreaker · · Score: 3, Insightful

      I think the "GUI is for dummies" mentality is slowly fading away. Anyone with half a brain can see the power in being able to visualize complex systems. At-a-glance monitoring is a wonderful thing.

      The thing I like about Unix stuff is that when there is a good GUI interface for something, that usually doesn't mean you're locked out of the nitty gritty back-end as with some.. other GUI systems. I think a good GUI can complement a system quite well and I enjoy using them when they are well constructed.

      --
      - It's not the Macs I hate. It's Digg users. -
    2. Re:The user-friendly/visually appealing interface by Mad_Rain · · Score: 1

      However, the ability to visualize and/or put a user-friendly interface is usually a good next step.

      I'm glad you said that, 'cause I agree with you entirely. As a person who learned on Windows (and still has to use it at work), moved to Linux, and is gradually learning more and more text and CLI interfaces, I really appreciate having the GUI interfaces because they help reduce the learning curve. For example, I think nmap has got it right - the GUI interface shows you the command line version of what it's doing, and then displays the same information. So in addition to the GUI being able to present you with a large amount of information in a meaningful way, it can be an intermediary step into learning to interpret the raw data as it comes down the line.

      --
      "What do you think?" "I think 'What, do you think?!'"
  37. A short list by Theatetus · · Score: 2, Insightful
    1. Antivirus software (openav is getting there, but isn't there yet)
    2. Antimalware software
    3. Antivirus software
    4. Activity auditing software for multiple LDAP/auth schemes
    5. A firewall for windows
    6. Antivirus software

    #5 is a Windows-only deficiency, but the rest aren't. I mentioned Antivirus software 3 times because I think it's at least 3 times as important as the others. As more and more (read: dumber and dumber) people migrate to non-Windows platforms, viruses and malware are going to start to be more of a problem for those of us on Better Platforms.

    --
    All's true that is mistrusted
    1. Re:A short list by zoloto · · Score: 1

      This is true. If there was an anti-virus software built on a linux live iso for scanning Windows operating systems I would certainly love to pick that up b/c how can you really trust a service once your system gets infected?

      That's what I thought. An antivirus scanner on a live iso kicks butt.

    2. Re:A short list by Sven+Tuerpe · · Score: 1
      I mentioned Antivirus software 3 times because I think it's at least 3 times as important as the others.

      It is also 3 times as unlikely to be available as high quality OSS as the others. Antivirus software is not so much about software, it's about services. The software is almost trivial; what matters is the patterns it is scanning for, the virus signatures. For antivirus software to be of any use, someone has to analyze worms and viruses and update signatures to look for. I don't see how those could be produced by the OSS community, for two reasons:

      • No fun. Why should an OSS developer want to analyze worms and viruses? I guess it would be more rewarding to write something new, or do some debugging.
      • There is no point:
        • For Windows viruses, why the fsck should OSS people try to solve someone else's problem?
        • For OSS viruses, why produce a fscking workaround if one could fix the problem right away with half the effort?

      I don't think we are going to see much OSS antivirus software.

      --
      http://erichsieht.wordpress.com/category/english/
  38. Password auditing by siliconjunkie · · Score: 4, Informative

    I am unaware of open source software that meets the functionality of PWSEX or LC5.

    1. Re:Password auditing by pegr · · Score: 2, Informative

      I am unaware of open source software that meets the functionality of PWSEX or LC5.

      Then you're gonna love this. Why brute LM hashes when you can precompute password/hash pairs then look them up from a database? Initial db generation takes a while, but you can customize the keyspace to whatever you want. When you're done, query a hash, get a password. This stuff works extremely well...

    2. Re:Password auditing by Clover_Kicker · · Score: 1

      Nifty.

      How big do the hashes get? Could I comfortably fit rainbowcrack+database on a bootable CDROM?

    3. Re:Password auditing by pegr · · Score: 1

      Nifty.

      How big do the hashes get? Could I comfortably fit rainbowcrack+database on a bootable CDROM?

      Well, likely not, but you can generate a db for all hashes for passwords using any alpha or numeric character and fit the works on a DVD. The entire keyspace (i.e. alphas, numerics, and symbols) takes 180gb, as well as 200 days to generate. Will crack any LM password, though. And unlike LC5 or any other brute forcer, it's instant (almost).

    4. Re:Password auditing by Clover_Kicker · · Score: 1

      I took a closer look at the examples on the website. The database for [A-Z] is 610MB, which would leave lots of room for boot sector + freebie NTFSDOS.

      A boot CD checking only alpha characters would still catch a surprising # of accounts, I bet.

    5. Re:Password auditing by siliconjunkie · · Score: 1

      Very interesting! Thanks for the link, checking out the software now.

    6. Re:Password auditing by pegr · · Score: 1

      I took a closer look at the examples on the website. The database for [A-Z] is 610MB, which would leave lots of room for boot sector + freebie NTFSDOS.

      Source compiles under Linux just fine. NTFS read support is built in.

      If you crack passwords from read-only media, where do you put the results?

    7. Re:Password auditing by Clover_Kicker · · Score: 1
      Source compiles under Linux just fine. NTFS read support is built in.
      Good point, thx.
      If you crack passwords from read-only media, where do you put the results?
      /dev/tty

      Or you could optionally output to a floppy.

      The USB keychain drives are getting amazingly cheap. In a year, a 1GB keychain will probably be <$50. In 3 years, maybe I'll be able to keep the whole 180GB keyspace in my pocket :)

    8. Re:Password auditing by pegr · · Score: 1

      LC5 uses precomputed dictionaries just like RainbowCrack.

      Dictionaries are not hash tables. LC5 dictionaries are not precomputed. Rainbow Crack does not use dictionaries. Strike three, you're out.

    9. Re:Password auditing by pegr · · Score: 1

      Damn, LC5 (some editions) uses precomputed dictionaries. Looks like I'm the goat. Sorry about that.

    10. Re:Password auditing by pegr · · Score: 1

      I took a closer look at the examples on the website. The database for [A-Z] is 610MB, which would leave lots of room for boot sector + freebie NTFSDOS.

      Look again... You need multiple files. They are just split that way to facilitate CD burning. You will not have enough data space on a single CD for effective pw cracking.

    11. Re:Password auditing by Clover_Kicker · · Score: 1
      Over the 2 days we've been having this discussion, I generated the A-Z keyspace.

      F:\bin\rainbowcrack-1.2-win>dir *.rt
      Volume in drive F has no label.
      Volume Serial Number is 2D6A-1AF0

      Directory of F:\bin\rainbowcrack\rainbowcrack-1.2-win

      06/30/2004  08:58p     128,000,000 lm_alpha#1-7_0_2100x8000000_all.rt
      06/30/2004  09:10p     128,000,000 lm_alpha#1-7_1_2100x8000000_all.rt
      06/30/2004  09:11p     128,000,000 lm_alpha#1-7_2_2100x8000000_all.rt
      06/30/2004  09:12p     128,000,000 lm_alpha#1-7_3_2100x8000000_all.rt
      06/30/2004  09:12p     128,000,000 lm_alpha#1-7_4_2100x8000000_all.rt
      5 File(s) 640,000,000 bytes
      0 Dir(s) 645,947,392 bytes free
      They're split into multiple files, but the A-Z keyspace will actually fit on 1 CD.

      I just did a run off the CD, here's some of the output:

      plaintext found: 4 of 5 (80.00%)
      total disk access time: 144.03 s
      total cryptanalysis time: 81.53 s
      total chain walk step: 31417316
      total false alarm: 30646
      total chain walk step due to false alarm: 22102890
      The 52x CDROM is ~2 minutes slower than running from my HD, or about ~700% slower.

      You could certainly argue that [A-Z] is not an effective crack, but it's so fast that I'm gonna keep that CD around :)

    12. Re:Password auditing by pegr · · Score: 1

      Well, if you're successful with just a CD's worth, I may have to eat my own words! (Wouldn't be the first time, I'm afraid...) If you are interested in collaborating on generating larger keyspaces, I would be happy to have someone else to work with. I have the complete alpha-numeric space already generated. I am working on the complete keyspace. If we could muster 20 or so like-minded individuals to help generate the needed files, we could all benefit from the exercise fairly quickly.

      I sent an email to your listed address. If you wish to participate, send a reply with your thoughts, etc. and we'll work something out. (I don't have gmail yet, so pitching large files around will require a solution.) If I get really motivated, I may write up a journal entry to solicit more participants.

  39. What tools are missing? by Anonymous Coward · · Score: 1, Insightful

    We need security/monitoring tools which our Moms can operate and understand.

    1. Re:What tools are missing? by NuclearDog · · Score: 1

      What, so she can figure out which porn sites I'm on?

      I don't think so...

      --
      This statement is forty-five characters long.
    2. Re:What tools are missing? by lachlan76 · · Score: 1

      Zonealarm comes close, with the what does this mean button.

      The only problem is that even after 10 alerts come up within a few seconds on port 445, it still said that turning down the firewall settings was an option to stop this from happening.

  40. A needed tool by brennz · · Score: 3, Interesting

    I haven't heard of an open source tool with the same functionality as the former Raytheon SilentRunner, now CA eTrust Network Forensics
    or the similar tool Niksun

    An open source tool with similar capabilities would be an excellent project

    1. Re:A needed tool by keefus_a · · Score: 3, Insightful

      I second that motion.

      Granted Niksun's NetVCR is basically a glorified tcpdump with a pretty interface, but it's also a functional interface. Sure you can preach "use the command line" all you want but you'd be underestimating the value of being able to present simplified data to the rest of the IT department that usually rings your phone, or visits your cubicle, or sends you an email every time some site can't do their work because their circuit is too slow.

      Sure, give me an open source tool that I can put on an OC3, with a simple interface, that offers easy-to-interpret data for the non-network crew, but also has the ability to dump all the traffic for {some IP} at midnight a week ago....and I'll be a happy man!

  41. monolithic network management tool by bhsx · · Score: 4, Interesting

    Something that can promiscuously detail a LAN. It should use netcat, nmap, ethereal and the other standards to map, in real time, your LAN traffic. It should also have the ability to intercept and decode any stream on your network.
    So, let's say Billy is reading Slashdot when he's supposed to be doing data entry. You see a red (for example) line leading from Billy's box to the firewall with the line labelled "slashdot.org" and the IP address. Click on Billy's box and "zoom" to focus the GUI to Billy and right click menu to "intercept and decode" to pop-up a konqueror window that follows Billy's URL jumps and shows you what he's reading. The same would be true of mpegs he's watching or mp3s he's downloading.

    Other functions would be to show all nodes in the LAN as well as OS versions, all traffic in and out of each node, and any services running per node. Servers running things like ntlogon, apache or SMB would be marked as such. A "bookmarking" type feature could also be implemented as well as a sticky-note feature for notation and easy navigation.
    You could call it knetsec, but I actually like a bastardization of that... Knutsac.

    --
    put the what in the where?
    1. Re:monolithic network management tool by NuclearDog · · Score: 1

      "It should also have the ability to intercept and decode any stream on your network."

      One thing I have always wondered, but have never taken the time to figure out, is why can you not retrieve plain text data from an SSH session? You have all the information (keys, etc) travelling between the two hosts from the sniffing, can you not then use that to decode the data?

      If this is possible, a feature to do this would be nice. If not, oh well.

      ND

      --
      This statement is forty-five characters long.
    2. Re:monolithic network management tool by automatix · · Score: 2, Informative

      SSH uses an algorithm called RSA to protect the keys used for encrypting data. Each party has a private key and a public key (a key pair). Anyone can get the public keys.

      If data is encrypted with a private key, it can only be decrypted using the public key from the same key pair. Likewise if it is encrypted with the public key, it can only be decrypted with the matching private key.

      if A wants to send data to B, it first is encrypted with B's public key, then with A's private key.

      B uses A's public key to decrypt it (guaranteeing it is from A) and then uses its own private key to decrypt it back to the original message.

      Because it's a slow and complex process, RSA is usually only used to exchange and agree on keys for a normal symmetric encryption method (eg 3DES).

      Read more here

      Rob :)

    3. Re:monolithic network management tool by NuclearDog · · Score: 1

      Mmm, forgot about that one small detail :) (public/private key encryption)

      Anyways, thank you.

      ND

      --
      This statement is forty-five characters long.
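The exchange NuclearDog asked about, as an added example that is not part of the thread: in SSH-2 the symmetric session key comes out of a Diffie-Hellman exchange (the RSA/DSA host key only signs it), and the only things that cross the wire are the public values. The private exponents never leave their hosts, so a sniffer holding the whole transcript still has to solve a discrete logarithm. The group parameters, the SHA-256 key derivation and the brute-force "sniffer" are toy stand-ins chosen for readability, not what OpenSSH does; a real server negotiates a standardized 2048-bit or larger group or an elliptic-curve exchange.

```python
"""Why a passive sniffer cannot decrypt an SSH session (added example)."""
import hashlib
import secrets

# Assumption: toy group. 2**127-1 is a known prime, but this size offers no
# real security; it keeps the numbers short enough to read.
TOY_P = 2**127 - 1
TOY_G = 3


def keypair(p, g):
    """Pick a random private exponent x; return (x, g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def shared_key(peer_public, my_private, p):
    """Derive a session key from the DH shared secret (SHA-256 stands in for SSH's KDF)."""
    secret = pow(peer_public, my_private, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def dh_exchange(p=TOY_P, g=TOY_G):
    """Run one exchange. Returns (client_key, server_key, transcript).

    The transcript dict is everything a sniffer on the wire gets to see."""
    a, A = keypair(p, g)        # client keeps a, sends A
    b, B = keypair(p, g)        # server keeps b, sends B
    transcript = {"p": p, "g": g, "A": A, "B": B}
    return shared_key(B, a, p), shared_key(A, b, p), transcript


def sniffer_recover_key(transcript, max_steps):
    """What the sniffer would have to do: recover a from A = g^a mod p.

    Brute force over the exponent, to make the cost visible. Feasible for a
    16-bit toy group, hopeless for a real one. Returns the key or None."""
    p, g, A, B = (transcript[k] for k in ("p", "g", "A", "B"))
    cur = 1                     # g^0
    for a in range(max_steps):
        if cur == A:
            return shared_key(B, a, p)
        cur = (cur * g) % p
    return None


if __name__ == "__main__":
    ck, sk, t = dh_exchange()
    print("both sides agree on the key:", ck == sk)
    print("sniffer sees only:", sorted(t))
    print("10k-step brute force on the 127-bit group:", sniffer_recover_key(t, 10_000))
    ck2, _, t2 = dh_exchange(65537, 3)   # 16-bit group: here the sniffer wins
    print("brute force on 16-bit group recovers the key:",
          sniffer_recover_key(t2, 65537) == ck2)
```

Run it and the last line prints True for the 16-bit group and None for the 127-bit one; the only difference is the size of the exponent space, which is the entire point of picking a large group.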
  42. Host-based tools ... sudo is my favorite by xmas2003 · · Score: 1

    Don't forget host-based tools - one of my favorite that will help keep you OUT of trouble is sudo which is a way of controlling and logging root access. Been around forever - tastes great AND less filling! ;-)

    --
    Hulk SMASH Celiac Disease
    1. Re:Host-based tools ... sudo is my favorite by Anonymous Coward · · Score: 1, Informative

      sudo is probably the weakest link in all your setuid binaries. It has the newest code and he adds silly things to it.

      Did sudo really need a customizable password prompt that led to a heap overflow?

      ah, now some programmers, they get it.

  43. Is this sarcasm? by Anonymous Coward · · Score: 1, Informative
    Statement: "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few."

    The above statement begs the question: "...what open source security tools are missing?"

    No, it doesn't.

    The truth of that statement does not depend on the fact that some open source tools are missing. Therefore it is not an example of "question begging" (taking for granted exactly what you are trying to prove) at all.

  44. Two good things about being a programmer by Anonymous Coward · · Score: 1, Funny

    It couldn't be jock itch.

    It couldn't be an std.

  45. Number One Missing Security Tool by craXORjack · · Score: 2, Funny
    However, with the world of security constantly changing, this begs the question, what open source security tools are missing?

    It would solve 99.9% of security problems: The MS-Windows-to-Linux-Upgrade-Wizard

    --
    Liberals call everyone Nazis yet they are the closest thing to it.
    1. Re:Number One Missing Security Tool by craXORjack · · Score: 1
      So anyway, i think that the number one *NEW* missing tool for windows users has got to be the WU website (Microsoft Windows Update.) Now stick with me for a moment.

      If you can't run IE cause activeX exploits, how can you get to the WU website (Microsoft Windows Update) when it *REQUIRES* IE?

      Time to go back to ftp. or something. Cause that crap is Fsckd

      True enough. But ftp could get hosed too. A few viruses do infect the winsock library directly. What about a CD that boots to MS Windows and then lets you detect and disinfect and patch whatever is on your hard disk?

      --
      Liberals call everyone Nazis yet they are the closest thing to it.
    2. Re:Number One Missing Security Tool by man_ls · · Score: 1

      BartPE.

      'nuff said.

  46. Anti-virus and Good Disassembly (anti-DRM) by mark99 · · Score: 1

    For MS software for example. A good anti-virus with an up-to-date library. This might actually be too much work for unpaid volunteers.

    And a good disassembly program. Like IDA Pro. This is what the pros use to analyze viruses and the like.

    Something like a kick-ass OSS IDA Pro will be needed in the upcoming OSS-DRM wars.

    Pardon the spelling. It was never my strong suit:)

  47. ZoneAlarm features by mebon · · Score: 3, Interesting
    I would like to see a firewall with features like ZoneAlarm that has the ability to notify you when programs try to access the network and allows you to stop them.

    Being notified that a program is trying to connect to the network can clue you in that you have been infected by a worm, virus, trojan, or spyware. Sure, Linux has relatively few malicious programs now but in the future it may become a bigger target.

    Mebon

  48. Not hard - use find by ReKleSS · · Score: 1

    I've thought about this, and figured it was easy enough to do with the find utility. Man page is here. It's not difficult to do, I'll leave it up to you to figure out the specifics.
    -ReK

    --
    md5sum -c reality.md5
    reality: FAILED
    md5sum: WARNING: 1 of 1 computed checksum did NOT match
  49. Penetration testing... by alexandre · · Score: 1

    We need more of metasploit like project...
    We need a core impact clone!

  50. EtherPEG for Windows by rman666 · · Score: 1

    How about EtherPEG for Windows so I can see what kinda smut people are viewing? AFAIK there is no open source version available.

  51. hardware, meatware by tverbeek · · Score: 1
    What commercial security tools have no viable open source alternatives?

    The United States military.

    --
    http://alternatives.rzero.com/
  52. EnCase and Eyelook by Anonymous Coward · · Score: 1, Insightful

    Forensics is still shrouded in mysticism and secret handshakes in both the open and closed source worlds. EnCase is fantastic, but the cost is prohibitive; the other commercial products cater to law enforcement, effectively killing the divorce investigator and legal business use. The ones who will sell to anyone are not worth their exorbitant prices.

    Autopsy/Penguin Sleuth Kit is great, but it has a long way to go to match the ease of use and reporting capabilities of EnCase.

    The OS Forensic packages are labors of love to fix shortcomings or customize the tools for specific tasks. We need an OS Forensics Army Knife.

    I want to be able to know what the recently fired employee was doing so I can make a case to the Legal Dept. There are many reasons to terminate an employee that do not "rise to the level" of prosecution, but certainly can result in Civil proceedings. I don't want to have to have a Windows box laying around for the eventuality of digging into ex-employee misdeeds.

    I can also think of instances when "trusted" people jump ship unexpectedly, like when a senior developer resigns to take a position at a competitor. Wouldn't you like to be able to dig deep into the unallocated clusters of his HD?

    1. Re:EnCase and Eyelook by GuyFawkes · · Score: 1


      dunno about eyelook but encase is a steaming pile of shite....

      --
      http://slashdot.org/~GuyFawkes/journal
  53. [OT] Looking for the image sniffing screensaver by Alan · · Score: 1

    Not exactly a security tool per se, but some friends mentioned a screensaver that ran on linux and used ethereal or something similar to look for image files flowing by on the network, capture them and display them as a screensaver. A nice tool for a sysadmin to see what their users are looking at.

    Anyone know the name/URL of such a beast?

    Thanks!

    1. Re:[OT] Looking for the image sniffing screensaver by stevey · · Score: 2, Informative

      That would be driftnet - it displays images in a window, and the site mentions that there is a screensaver derived from it.

      I run it every now and again when I'm bored on the proxy server I maintain. Fun to see random images mixed together..

    2. Re:[OT] Looking for the image sniffing screensaver by Alan · · Score: 1

      Awesome, many thanks!
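Both the forensics wish in comment 52 (digging pictures out of unallocated clusters) and the driftnet thread above come down to the same operation: scanning raw bytes for file signatures. The following is an added example, not code from EnCase, Sleuth Kit or driftnet; it carves JPEG and PNG files out of a byte buffer, which can be a dd image of an ex-employee's drive or the reassembled payload of a captured HTTP stream. The "unallocated space" it scans is constructed in code, the JPEG is a signature-only stand-in, and the PNG is built as a real, valid file so the carved result can be opened.

```python
"""Carve image files out of raw bytes by magic-number signatures (added example)."""
import struct
import zlib

# (header magic, trailer magic). Assumption: the file is stored contiguously and
# the trailer is the first occurrence after the header. That holds for plain
# JPEG/PNG files; fragmented files and JPEGs with embedded thumbnails need more.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(blob, max_len=10 * 1024 * 1024):
    """Return [(kind, offset, data)] for every signature-delimited file in blob."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = blob.find(head, pos)
            if start < 0:
                break
            end = blob.find(tail, start + len(head), start + max_len)
            if end < 0:                 # header with no trailer in range: skip it
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def make_png_1x1(rgb=(255, 0, 0)):
    """Build a real 1x1 PNG (correct chunk CRCs) so the carved output is openable."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    raw = b"\x00" + bytes(rgb)                            # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def make_sample_disk():
    """Constructed 'unallocated space': filler around a JPEG-like blob and a PNG."""
    filler = bytes(range(256)) * 2                        # 512 bytes, contains no magic
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01\x02\x03" * 20 + b"\xff\xd9"
    return filler + fake_jpeg + filler[:100] + make_png_1x1() + filler


if __name__ == "__main__":
    for kind, off, data in carve(make_sample_disk()):
        print(f"{kind:5s} at offset {off:6d}, {len(data)} bytes")
```

For a real drive, read the image in overlapping chunks instead of one `bytes` object, and treat the JPEG trailer with suspicion: EXIF thumbnails contain their own FF D9, so a carved JPEG may stop early.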

  54. Vulnerability/Asset Management tools by harikiri · · Score: 1

    Something I've started to see appearing are vulnerability management tools which combine asset/vulnerability management with workflow systems.

    What does this mean in english?

    Today, you scan your various class A/B/C's (with Nessus) within your company, and discover 300 vulnerable systems. You can generate a nice report, but not do much else without a lot of manual calling up of people and forwarding the report.

    Instead, there are commercial tools available now that do a few things:
    1) Classify IT assets and assign them to different groups (desktop team, unix team, database team) and how critical they are (carrying customer traffic, development servers, etc).
    2) Individuals within each group can run ad-hoc scans of their team's systems, or alternatively await reports generated from scheduled scans.
    3) Once vulnerabilities are discovered on each team's systems, they are notified and provided with a web-based system to update and close off vulnerabilities when patched. It is then possible to see from a high level, which teams have the most vulnerable systems, and how effective they are in managing security on their part of the network.

    Those are the kind of products that the company I work for are now investigating, as for once, they provide solid metrics to demonstrate to management that we're doing our job.

    --
    Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
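The three-step workflow harikiri describes, as an added example in Python (not code from any commercial product): classify assets by owning team and criticality, turn raw scanner findings into per-team tickets ranked by risk, and reconcile a later re-scan so the management view shows which teams actually close their findings. The inventory and the scanner rows are constructed sample data, and the field names and the risk formula (severity score times asset criticality) are assumptions.

```python
"""Vulnerability/asset management workflow in miniature (added example)."""
from collections import defaultdict

# 1) Asset classification: host -> (owning team, criticality 1..3, 3 = customer-facing)
INVENTORY = {
    "10.1.0.5":  ("unix", 3), "10.1.0.6":  ("unix", 1),
    "10.2.0.10": ("database", 3), "10.3.0.20": ("desktop", 1),
}
# Constructed scanner output: (host, plugin name, severity)
SCAN_1 = [
    ("10.1.0.5",  "OpenSSH < 3.9 Multiple Vulnerabilities", "High"),
    ("10.1.0.5",  "SSL Weak Cipher Suites Supported",        "Medium"),
    ("10.2.0.10", "MySQL Unpassworded Root Account",         "Critical"),
    ("10.3.0.20", "SMB Signing Disabled",                    "Medium"),
    ("10.9.9.9",  "Telnet Service Detected",                 "Medium"),   # not in inventory
]
SEVERITY_SCORE = {"Critical": 10, "High": 7, "Medium": 4, "Low": 1}


def open_tickets(findings, inventory):
    """Steps 2/3: one ticket per (host, plugin), routed to the owning team.

    Risk = severity x criticality, so a Medium on a customer-facing box outranks
    a Medium on a dev desktop. Hosts missing from the inventory go to 'unowned'
    so the inventory gap is itself visible on the scorecard."""
    tickets = {}
    for host, plugin, sev in findings:
        team, crit = inventory.get(host, ("unowned", 1))
        tickets[(host, plugin)] = {
            "team": team, "host": host, "plugin": plugin, "severity": sev,
            "risk": SEVERITY_SCORE[sev] * crit, "status": "open",
        }
    return tickets


def reconcile(tickets, rescan_findings, inventory):
    """Close tickets whose finding vanished in the re-scan; open tickets for new ones."""
    still_present = {(h, p) for h, p, _ in rescan_findings}
    for key, t in tickets.items():
        if key not in still_present and t["status"] == "open":
            t["status"] = "closed"
    for h, p, sev in rescan_findings:
        if (h, p) not in tickets:
            tickets.update(open_tickets([(h, p, sev)], inventory))
    return tickets


def scorecard(tickets):
    """The management view: per team, open/closed counts and total open risk."""
    card = defaultdict(lambda: {"open": 0, "closed": 0, "open_risk": 0})
    for t in tickets.values():
        card[t["team"]][t["status"]] += 1
        if t["status"] == "open":
            card[t["team"]]["open_risk"] += t["risk"]
    return dict(card)


if __name__ == "__main__":
    tickets = open_tickets(SCAN_1, INVENTORY)
    # Re-scan: unix patched OpenSSH, database did nothing, a new SMB issue appeared
    scan_2 = [f for f in SCAN_1 if "OpenSSH" not in f[1]]
    scan_2.append(("10.1.0.6", "SMB Signing Disabled", "Medium"))
    reconcile(tickets, scan_2, INVENTORY)
    for team, row in sorted(scorecard(tickets).items(), key=lambda kv: -kv[1]["open_risk"]):
        print(f"{team:9s} open={row['open']} closed={row['closed']} open_risk={row['open_risk']}")
```

The ticket dict keyed on (host, plugin) is what makes the metrics honest: a finding that goes away because the host was decommissioned and one that goes away because it was patched both close, so in practice you also want to diff the inventory between scans.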
  55. Re:That's not begging the question... by tomblackwell · · Score: 1

    You aren't a pedant. There are just lots of people who like making themselves look stupid while trying to look smart.

  56. Event correlation tools by MeAtHereDotCom · · Score: 1

    A tool that takes virtually any input (Windows Event Viewer thingies, Unix Syslogs, Router Syslogs, Squid logs), and can correlate all of the events.

    I know there's a Cisco-ish product that can do this, and it monitors for certain 'bad' things happening on your network, and can send emails to a certain person or whatever.

    Although, given the state of things, the ability to look back and see the state of the network at a given point to track down a user would be mighty handy as well. (When a user logged on, which URLs they accessed, when, what else they did, and so on)
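The correlation MeAtHereDotCom is after, as an added example (not a reimplementation of any vendor's product): each source gets a small parser that emits one common record shape, and "what did this user do after logging on" becomes a query over the merged timeline. The log lines are constructed samples in the formats of sshd syslog messages, a flattened Windows logon event (ID 528) and Squid's native access.log; the year for syslog lines and the assumption that all clocks are in UTC are stated in the code.

```python
"""Normalize three log sources into one timeline and correlate by user/IP (added example)."""
import re
from datetime import datetime, timedelta, timezone

YEAR = 2004   # assumption: syslog lines carry no year; all sources assumed to log in UTC

PATTERNS = {
    "sshd": re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"),
    "winevt": re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=(?P<id>\d+) "
                         r"User=(?P<user>\S+) Workstation=(?P<ip>\S+)"),
    "squid": re.compile(r"^(?P<ts>\d+\.\d+) +\d+ (?P<ip>\S+) \S+ \d+ \w+ (?P<url>\S+)"),
}
WIN_LOGON_EVENTS = {"528", "540"}   # successful interactive / network logon on NT-family Windows


def parse_line(line):
    """Return {time, source, user, ip, action} for a known line, else None."""
    for source, rx in PATTERNS.items():
        m = rx.match(line)
        if not m:
            continue
        d = m.groupdict()
        if source == "sshd":
            ts = datetime.strptime(f"{YEAR} {d['ts']}", "%Y %b %d %H:%M:%S")
            return {"time": ts, "source": source, "user": d["user"], "ip": d["ip"], "action": "login"}
        if source == "winevt":
            ts = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            action = "login" if d["id"] in WIN_LOGON_EVENTS else f"event {d['id']}"
            return {"time": ts, "source": source, "user": d["user"], "ip": d["ip"], "action": action}
        ts = datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc).replace(tzinfo=None)
        return {"time": ts, "source": source, "user": None, "ip": d["ip"], "action": f"GET {d['url']}"}
    return None


def correlate(events, user, window=timedelta(minutes=30)):
    """Timeline for one user: their logins plus everything from the same IP within
    `window` after each login. Proxy hits carry no user, so they get attributed."""
    events = sorted(events, key=lambda e: e["time"])
    logins = [e for e in events if e["user"] == user and e["action"] == "login"]
    seen, out = set(), []
    for login in logins:
        for e in events:
            key = (e["time"], e["source"], e["action"])
            if key in seen or e["ip"] != login["ip"]:
                continue
            if not (login["time"] <= e["time"] <= login["time"] + window):
                continue
            if e["user"] not in (None, user):
                continue
            seen.add(key)
            out.append(dict(e, user=user))
    return sorted(out, key=lambda e: e["time"])


# Constructed sample lines (epoch 1087203901 = 2004-06-14 09:05:01 UTC)
SAMPLE_LOGS = [
    "Jun 14 09:02:11 gw sshd[4321]: Accepted password for billy from 10.3.0.20 port 51022 ssh2",
    "2004-06-14 09:00:40 EventID=528 User=billy Workstation=10.3.0.20 Logon Type=2",
    "1087203901.412    120 10.3.0.20 TCP_MISS/200 5432 GET http://slashdot.org/ - DIRECT/66.35.250.150 text/html",
    "1087203955.001     80 10.3.0.20 TCP_HIT/200 1920 GET http://slashdot.org/article.pl?sid=04/06/14 - NONE/- text/html",
    "1087204100.500     90 10.1.0.5 TCP_MISS/200 300 GET http://debian.org/ - DIRECT/1.2.3.4 text/html",
    "Jun 14 09:30:00 gw sshd[4400]: Accepted publickey for alice from 10.1.0.5 port 40000 ssh2",
    "Jun 14 09:31:00 gw sshd[4401]: Failed password for root from 10.9.9.9 port 2222 ssh2",
]

if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LOGS) if e]
    for e in correlate(events, "billy"):
        print(e["time"], e["source"], e["ip"], e["action"])
```

The weak point of IP-based attribution is DHCP and NAT: tie the window to the lease or the logon session rather than a fixed 30 minutes once you have that data, otherwise the next user of the address inherits Billy's browsing.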

  57. Java Application Security Tool by dilettante · · Score: 1
    Though it's more mundane than all of these protocol sniffers and vulnerability assessment tools, what i could use is a free/cheap tool that combines identity management and policy management in Java/J2EE environments.

    Certain of the app server vendors provide functionality through their console products, but it would be nice to have a vendor neutral product that would let me browse/edit identity data regardless of the source (LDAP, the OS, whatever), let me map application roles to the environment, and let me examine and interchange various policy files, maybe using XACML as the lingua franca. Maybe also something that would keep track of JAAS login modules and JAAS config files.

    Like I said, a bit boring, but it'd make it easier to assemble and deploy applications, and to move applications between app servers.

  58. Re:That's not begging the question... by greenhide · · Score: 1

    Yeah, hi.

    The use of "begs the question" that is correct sounds stupid.

    The incorrect use of "begs the question" sounds good.

    And, as a poster above pointed out, language changes.

    Until someone gives me a good example of the phrase "begging the question" that doesn't sound totally idiotic, then I'm not going to respect you people.

    It's like the people who insist that everyone is using the word "Hopefully" incorrectly, as it is an adverb. Steven Pinker gives this example of its "correct" usage as an adverb:

    Hopefully, Jim reached his arm over Sarah's shoulder.

    (Okay, that's not the exact sentence, just a paraphrase).

    "Nice" used to mean exact. It doesn't mean that anymore, and no amount of trying to "share knowledge" with others about its "correct" meaning is going to make you any less of a pedant.

    Also, just out of curiosity cuz I don't get it, in the phrase "begging the question", who/what is doing the begging, and what exactly is the question?

    --
    Karma: Chevy Kavalierma.
  59. Fluke Network Analysis by Linegod · · Score: 2, Insightful

    I was blown away by the Fluke Network Analysis Tools.
    Given enough time, everything could be replicated with FLOSS, but nobody has. Somebody should....

    --
    -- I care not for your foolish signatures.
  60. Re:That's not begging the question... by meowsqueak · · Score: 1

    > There are just lots of people who like making
    > themselves look stupid while trying to look smart.

    Are you referring to me or people who use the phrase incorrectly? (Sorry - hard to tell on /. between insults and observations sometimes)

  61. OS-independent thumb-drive encryption by CurbyKirby · · Score: 2, Interesting

    NOT PGP/GPG!
    NOT PGP/GPG!
    NOT PGP/GPG!

    I am looking for a tool that supports both Windows 2000/XP and Mac OS X that does on the fly encryption for removable USB memory sticks.

    I know of platform-independent tools like PGP, but after decrypting, unencrypted data would sit on the thumb drive. If I was interrupted after decrypting or (more likely) forgot to encrypt the file again, unencrypted data would sit on the drive.

    I know of Mac OS X's encrypted dmg files, but Windows has no way of accessing them. I would use one of the countless number of Windows-, Mac-, or Linux-proprietary third party "put your passwords here" tools for doing encrypted files, but all that I know of are platform-specific.

    So what am I looking for? Something that has Windows and OS X clients that I could put on the thumb drive, along with a file of arbitrary size containing the encrypted data. After authenticating with the software, one of the following would happen:

    (1) either the software mounts the encrypted file as a disk drive just like daemon-tools mounts a CD image in Windows, or OS X mounts a dmg file
    (2) or the software includes a 'secure' text editor that can edit the encrypted file.

    Either way, the software (1) sits on the thumb drive and (2) provides on-the-fly encryption so the data on the thumb drive is never unencrypted.

    I'm willing for this to be horrifically slow as I would be storing mostly text on such a system, but supporting at least recent Windows and Mac OS X is important to me. I run Linux on servers/gateways but prefer Windows or OS X for my primary desktop/laptop machines.

    I would be willing to pay for such a product, but I don't trust closed-source encryption products. Please let me know if you have heard of such a product!

    Incidentally, PQI makes very very small thumb drives. Froogle for 'PQI intelligent stick.' Their USB1 model has a write-protect switch, but their USB2 model does not. (I am not affiliated but have bought, used, and liked their product.)

    --
    "Extra Anus Kills Four-Legged Chick" -- Headline
    1. Re:OS-independent thumb-drive encryption by HateCrime · · Score: 1

      Well, there is bestcrypt which will do that for Windows and Linux. Source available for Linux but not free. http://www.jetico.com/download.htm

  62. You'll Get My ATTENTION ... by not_hylas(+) · · Score: 1

    ... when you write an OpenSource application such as this:

    http://www.forescout.com/activescout.html

    Until then.

    --
    ~hylas
  63. Re:That's not begging the question... by meowsqueak · · Score: 1

    Well, I wasn't completely correct either it seems, according to these. It's all about assuming something is true without validating it:

    http://www.wsu.edu:8080/~brians/errors/begs.html
    http://skepdic.com/begging.html
    http://alt-usage-english.org/excerpts/fxbegthe.html

    Google.com has lots more.

    Oh, and just because lots of people do something doesn't make it right. Although I'm constantly surprised how many people subscribe to this world view.

  64. I'd like an understandable firewall interface. by MickLinux · · Score: 1

    When I was setting up my Debian box, before, I was offered the option of a firewall based upon a text interface.

    In the end, I couldn't understand it well enough to activate it. What I'd really like, then, is a nice interface similar to Zone Alarm, but with lots of documentation (help files) written, as well.

    That way, I can get the firewall up and running with a minimum of experience, and then can tweak it to my hearts content.

    Bonus brownie points, if the documentation leads me into being able to understand the command-line text program's interface, as well, or [better yet] help me be able to read the logs and the /etc files directly.

    Sorry about this -- I hope I don't sound too stupid to use Linux (I'm not: I've set up everything from an appletalk server to a recording and mixing setup, and even programmed a little) -- but this was just too hard for me to use correctly, and be sure I was using it correctly.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    1. Re:I'd like an understandable firewall interface. by Cinquero · · Score: 1

      I agree. We should also have a configuration abstraction layer standard for configuring system services and firewalls. Software updates should be possible without reconfiguration.

    2. Re:I'd like an understandable firewall interface. by Anonymous Coward · · Score: 1, Informative

      Not completely what you're asking for, but you might take a look at fwbuilder ( www.fwbuilder.org ). Not exactly plug and play, but at least it's drag and drop...

    3. Re:I'd like an understandable firewall interface. by TiggsPanther · · Score: 1

      I definitely agree. The firewalling commands are too complicated for me to figure out on my own. Especially seeing that a decent firewall with all the required options tends to be rather long. Trying to write your first ruleset without leaving your box wide open to attack is just too hard.
      Heck, the reason my Linux box (sits between Windows and the 'Net) is only running a 2.2-kernel Mandrake distro is 'cos I've not (yet) found anything that suits me better than PMFirewall - and that still hadn't been updated to iptables last I checked. (Though I am considering giving FreeBSD a try at some point. I've been told its firewalling is configured at install-time and is good)

      What I'd like in a firewalling interface is something somewhat akin to Samba's Swat tool. A tool that would provide all of the most common basic options, and advanced options. Creating a clearly structured standard file would be useful - as those of us who are still lacking in the firewalling skills can then go through and see exactly what's doing what. Dropping in comments would be nice, too, at the least adding in the section notes from the interface. (i.e. "Ports blocked by default" or "Protocols allowed by default")

      One feature that just occurred to me (no idea if it'd be trivial or impossible to implement though) would be to take in a pre-existing ruleset, list what is allowed and disallowed, and also scan for screw-ups.
      The ability to edit generated rulesets, or create my own from scratch, and then run it through to see what I got right/wrong would be so useful. I like having the choice to set it up myself, but lack the confidence to give it a try. I'd hate to get my box rooted due to a trivial mistake.

      Tiggs
      --
      Tiggs
      "120 chars should be enough for everyone..."
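The checker TiggsPanther asks for, as an added example that is not fwbuilder or PMFirewall code: it reads the text `iptables-save` prints, summarizes what the INPUT chain accepts and drops, and flags the mistakes a first ruleset usually has: an ACCEPT default policy with no final DROP, an unconditional ACCEPT (everything after it is unreachable), no rule for the return traffic of established connections, and loopback not allowed. The two rulesets are constructed samples; the list of checks is this example's own, not a standard.

```python
"""Audit an iptables-save ruleset for common mistakes (added example)."""

SLOPPY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
"""

SANE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
"""

TERMINAL = ("ACCEPT", "DROP", "REJECT")   # LOG and RETURN-style targets fall through


def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save output (filter table)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            parts = line.split()
            j = parts.index("-j") if "-j" in parts else len(parts)
            target = parts[j + 1] if j + 1 < len(parts) else None
            rules.append({"chain": parts[1], "match": " ".join(parts[2:j]),
                          "target": target, "raw": line})
    return policies, rules


def audit(text):
    """Return (summary, findings): what INPUT does, and the screw-ups to fix."""
    policies, rules = parse_ruleset(text)
    inp = [r for r in rules if r["chain"] == "INPUT"]
    summary = [f"INPUT {str(r['target'] or '-'):7s} {r['match'] or '<any packet>'}" for r in inp]
    findings = []
    default_drop = policies.get("INPUT") == "DROP" or any(
        r["match"] == "" and r["target"] in ("DROP", "REJECT") for r in inp)
    if not default_drop:
        findings.append("INPUT policy is ACCEPT with no final DROP: anything not listed gets in")
    for i, r in enumerate(inp):
        if r["match"] == "" and r["target"] in TERMINAL:
            if r["target"] == "ACCEPT":
                findings.append(f"unconditional ACCEPT at INPUT rule {i + 1}: the firewall is effectively open")
            if inp[i + 1:]:
                findings.append(f"INPUT rule {i + 1} ({r['target']} everything) shadows "
                                f"{len(inp) - i - 1} later rule(s)")
            break
    if default_drop and not any("ESTABLISHED" in r["match"] for r in inp):
        findings.append("no ESTABLISHED,RELATED rule: replies to your own outbound connections are dropped")
    if default_drop and not any("-i lo" in r["match"] for r in inp):
        findings.append("loopback (-i lo) not accepted: local services talking to 127.0.0.1 break")
    return summary, findings


if __name__ == "__main__":
    for name, text in (("sloppy", SLOPPY), ("sane", SANE)):
        summary, findings = audit(text)
        print(f"== {name} ==")
        print("\n".join(summary))
        print("\n".join(f"!! {f}" for f in findings) or "no findings")
```

Feed it real output with `iptables-save | python3 audit.py` after swapping the constants for `sys.stdin.read()`. The shadowing check is the one worth keeping even once you know iptables well: rules are evaluated top to bottom and the first terminal match wins, so a broad rule above a narrow one silently disables the narrow one.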
  65. Re:That's not begging the question... by greenhide · · Score: 1

    Oh, and just because lots of people do something doesn't make it right. Although I'm constantly surprised how many people subscribe to this world view.

    Yes, it does, when it's language. With a lot of behaviors, it's what the minority does that's exemplary. In language, what the majority does defines the language, for better or worse.

    --
    Karma: Chevy Kavalierma.
  66. User-configurable... by Cinquero · · Score: 1

    ... application policies. Example: set a maximum security policy for each app and, if the app tries to break it, let the user decide what to do. Example: web browser. Tries to connect to the web: user selects to always allow that or to enter more specific rules. Tries to read from disk other files than those which are its own: user selects what to do. You could restrict browser access to a download directory. No viruses may get in and no browser bug may generate a security hole.

    A bit like Symantec's firewall (as far as I can remember, but not limited to network access).

    I should also be able to set up a special security directory where I store secret information. Any app accessing files in that directory will, during its session, not be allowed to write any data or access the network or other data ports.

    Just let each app run under its own policy. That would make Linux even more insensitive in regard to viruses and other malicious things like backdoors.

    As far as I know SELinux is some sort of that. But as far as I know there are nice user interfaces missing that allow to interactively (and on demand) change the policies.

  67. NFR - Network Flight Recorder by wiggling · · Score: 1

    I played with an old-old-old demo version of NFR years ago and wanted a similar after-the-fact investigative tool, so I wrote my own. I record data about every single packet going to or from the Internet and feed it into a MySQL database. A web front-end supports queries against the DB, I can do more complex ad hoc queries from the MySQL prompt, and I have oodles of perl scripts that run analyses against the flat log files it generates. I've thought about asking my employer, on whose time I more-or-less developed it, about making it Open Source, but haven't had the impetus to actually do it. It's a great tool, and I'd be interested if there's something similar that's farther along.

  68. A great open source database scanner... by bingbong · · Score: 1

    www.metacoretex.com has easily the best database scanner out there. (no offense mr Klaus). It's fully modular and written in java - so you can run it anywhere.

    to the best of my knowledge, it is the only db scanner tool out there.

    (and yes it's a bit of a plug cause i know the guy who wrote it - but it still smokes...

    --
    "Omnis tuus capsa sunt inesse nos"
  69. An easy-to-configure SSL VPN application by rjbrown99 · · Score: 1

    All of the tools to build an open-source SSL VPN exist, but nobody has put them together.

    Apache
    Apache_SSL/Mod_SSL
    Apache proxy module
    mod_security
    LDAP (for tie-in with active directory)
    Java-based SSH and telnet clients

    Write a PHP based access control and management interface for the thing and voila! you have a hot new open source project.

    If a few people had the time, they could give Juniper/Nokia/etc a run for their money.

  70. Another thing we need is good metrics by bingbong · · Score: 1

    a good metrics tool that can show the PHBs in semi-real time the security posture of their enterprise would be a good thing. it would also help identify weak areas, good areas, and actually quantify the money spent in IT security.

    dr martin carmichael's doctoral thesis proposed a method to do this, but alas i cannot find a link.

    --
    "Omnis tuus capsa sunt inesse nos"
  71. Re:That's not begging the question... by Grail · · Score: 1

    The phrase "which begs the question" has always - in my Australian vocabulary - meant, "makes obvious and unsupported assumptions," or "leaves obvious questions to be asked."

    For example, if someone is demonstrating a new space-alien repellant, the demonstration itself would beg the question, "which space aliens?"

    Or someone proclaiming that a particular person is an "unlawful combatant" begs the question of what exactly defines a "lawful combatant"?

    Ultimately, to "beg the question" means that you leave obvious questions unanswered. Sometimes this is the aim - make people ask a question that your political opponents don't want asked.

  72. This will be my favourite quote for a while... by greppling · · Score: 1
    You might consider me as a pedant - but you would be wrong (look up pedant). I would argue I am not being pedantic.

    What a pedant I am that I do consider you a pedant without even looking up "pedant" in a dictionary...

  73. ISS Internet Scanner (better than Nessus?) by microTodd · · Score: 1

    Its probably too late for this post to get modded up enough for anyone to see it, but I've been at home sick so I didn't check Slashdot every 20 minutes like I usually do.

    Based upon marketing hype, my management chain insists on using ISS's Internet Scanner (www.iss.net) to perform site-wide security scans and do vulnerability assessments. Nessus just simply isn't as feature rich as Internet Scanner. IS searches for thousands of vulnerabilities, and they are constantly adding new checks that can be dynamically loaded into the scan tool. The scans are highly customizable. The only problems are the tool can only run on a Windows server (i.e it can scan any network device including unix, printers, and Cisco), its a huge resource hog, and GUI only.

    I'd love a nice, easy command-line based unix based system that has all the functionality of ISS, including the nice HTML output. The problem is, of course, that ISS has a huge head start.

    --
    "You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
  74. Re:That's not begging the question... by meowsqueak · · Score: 1

    yes, I agree completely. I revised my opinion in a later post after doing some more digging. Thanks for clarifying.

  75. Metasploit by Anonymous Coward · · Score: 1, Interesting

    Metasploit (http://www.metasploit.com) has a real neat project going. I know I use it.

  76. Operator-Facing Front-Ends by rtp · · Score: 1, Interesting

    We need more open source tools that act as front-ends to monitoring and operations applications, glue to sit between the 24x7 security/network operations staff and highly advanced applications and devices which are designed for engineers and architects to manage.

    Your typical 24x7 staff aren't experts - so we need expert systems to make them more effective.

    An example is IP Blocker where you get a system set of Perl scripts that front-end changing the border router access control list.

    Many of the procedures and functions we perform to ensure security across our networks can be automated, and it is these areas that need the most work today. Another example would be a script that checks an IP address on your network against your inventory records, vulnerability databases, and other criteria to display an exhaustive history for the device as known by your organization. How many times have you got a Snort or other alert for an IP on your network which you have no idea who owns or what it does?

  77. Slightly OT: RECOVERY by fractaltiger · · Score: 1

    I have seen plenty of security tools.

    However, I have failed to find data recovery tools. Does anyone out there know of Open Source Floppy recovery?

    Seeing how so many pay-for products like Norton Utilities and other near-nameless closed source internet-based companies sell you this stuff, I'd like to see a free implementation I can use at my IT job

    --
    "Wireless : LAN :: Laptop : Desktop"
  78. a good network discovery application by detritus. · · Score: 1

    One thing I see missing is a good network / host discovery tool with a rich feature set. Like being able to automagically map out a TCP/IP network via SNMP querying "seed" routers, and/or by passively observing network traffic, then being able to collect further information on each host through port scanning or SNMP walking. The biggest problem I see is there's a lot of great tools out there, just none of them that does everything without having to jump between multiple programs. And of course, it would be with a curses based gui :)

    Solarwinds has a tool called Sonar which does the "seed" router snmp-based discovery. They have some other nice tools too, but it still takes a lot of tedious switching between applications to get all the information I'm looking for.

    1. Re:a good network discovery application by lhand · · Score: 1

      How about Cheops-ng? Or even the original Cheops?

  79. It would be a Tech Itch, obviously by b00m3rang · · Score: 1

    clue:(Tech Itch is the name of a drum n bass producer)

  80. Easy with debian... by csirac · · Score: 1
    Easy with Debian... check out http://www.debian.org/security/

    Add the line
    deb http://security.debian.org/ stable/updates main contrib non-free
    ... to your /etc/apt/sources.list file.

    Put:
    apt-get update && apt-get -y -d -f dselect-upgrade
    in a script for a cron job run every week or whenever. Or do it manually. Or craft your own script that doesn't actually perform the upgrade but emails you when something can be updated. The output of a cron job gets mailed to the user's account (in this case root).
  81. Re:That's not begging the question... by tomblackwell · · Score: 1

    That would be the people who use the phrase incorrectly.

  82. Bath party in Iraq by RedLaggedTeut · · Score: 1
    If you're a programmer with an itch, may I recommend a bath?

    We had a bath party in Iraq, but the bush made us end it, so now we side with the programmers who scratch their itches.

    --
    I'm still trying to figure out what people mean by 'social skills' here.
    1. Re:Bath party in Iraq by drik00 · · Score: 1

      ...yeah, but if you ain't Muslim, you ain't Shiite.

      --J

      --
      Beer, now there's a temporary solution -- Homer Jay S.
  83. Ask not whether it's there yet... by prandal · · Score: 4, Interesting

    .. ask if its virus patterns are.

    A few friday nights back, our ClamAV started catching a little worm called W32/Zafi.b.

    McAfee's DAT files to catch this one came out 2 1/2 days later, on the Monday morning (UK time).

    Apart from the Nimda outbreak of 2001, this year is the only time I've seen viruses arrive at our email gateway (thanks ClamAV) before our official antivirus software updates catch them. Netsky, Bagle, and Zafi.b were all caught by ClamAV before McAfee had released DAT files for them.

    I'd recommend defense in depth, using multiple virus scanners. We scan all incoming (and outgoing) emails with ClamAV, Bitdefender (free for Linux boxes), and McAfee's uvscan.

    It's way too easy to fall into the mindset which says "we have antivirus software everywhere so we're safe". There will ALWAYS be a window of vulnerability between the release of a new virus and the availability of detection patterns. And don't forget that a lot of Windows viruses/worms disable any antivirus software they find running.

    Phil

  84. You're focusing too much on security holes by Theatetus · · Score: 1

    If all viruses were based on security holes in software, you would have a point. But they aren't.

    Many (most?) malicious programs do not exploit any software security holes; they just rely on stupid or careless users. The point of something like Norton Antivirus is not to make up for security holes in Windows/Office/whatever, it's mostly to mitigate users' carelessness or naivete.

    And against known attacks? That's what yum and apt are for. If a virus is unable to affect your computer, then what is anti-virus good for?

    Can your user account on your computer send mail? Connect to an arbitrary Internet host? Hell, spawn a process? If so, congratulations! you have just become a potential target of malicious software. Proprietary AV software doesn't particularly look for holes in OS's and applications, it looks at files and running processes for A) known signatures and B) known malicious behavior. I think an open source AV solution could potentially do that better.

    --
    All's true that is mistrusted
  85. Apriori-based protocol detectors by Dark+Coder · · Score: 1

    I know Ethereal has a leg up on a priori-based protocol detectors, but I'd sure like to see that extended to other forms of Layer 2 (other than Ethernet DIX version 2).

  86. Re:Application Level Proxies by NicolaiBSD · · Score: 1
    Yes! We have some arcane ATM switches that cannot comply with our access policies (use tacacs, radius or ldap). They need static user accounts.

    I've been trying to find an authenticating/logging telnet proxy to work around this, but it's impossible to find, so I'm facing writing one myself.

  87. Re:vbs by NaDrew · · Score: 1
    Hmm... wscript.exe seems to be consuming 99% of my CPU usage... perhaps something more along the lines of:

        While 1
            MsgBox "All Is Well!",,"Hi"
            WScript.Sleep(300000) ' five minutes
        Wend

    Note that you'll still have to "End Task" wscript.exe to kill it, but at least it goes to sleep and doesn't use any CPU in between times.
    --
    Vista:XPSP2::ME:98SE
  88. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  89. Re:vbs by stoborrobots · · Score: 1

    That's two people so far who seem to have *.vbs associated with wscript.exe ... Slashdotters, no less...

    Here, see, I have a lovely picture for you...

  90. firewall log interface by jschrod · · Score: 1
    I'm missing a good firewall log interface, both to create logs and to view them. I want to be able to
    1. configure what fields are logged,
    2. configure what fields are shown to me,
    3. configure what records are shown to me,
    4. configure whether conversion from raw to symbolic values happens or not (e.g., hostname lookup, services lookup, etc.),
    5. save those view configurations and be able to reuse them later,
    6. auto-update with new log entries (like less -F, but with the above features).
    Check Point's FW-1/VPN-1 is a dubious product in terms of security and licensing woes, but SmartTracker is an interesting log viewer.

    Anybody got similar functionality for iptables? I've looked around, but found nothing. I'm even now hacking a new ulogd plugin to give me at least feature (1).

    --

    Joachim

    People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]
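A small viewer of the kind asked for above, covering features (2) to (5) on netfilter LOG target output, added here as an example that is not part of the thread (it is not ulogd or ulog-php code); the log lines and the "DROP"/"ACCEPT" prefixes are constructed sample data, and the `services(port, proto)` callable stands in for the symbolic lookup, defaulting to the system services table:

```python
import json
import socket
from dataclasses import dataclass, field, asdict

SAMPLE_LOG = [  # constructed syslog lines from the netfilter LOG target, not from the page
    "Jun 12 10:15:01 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=54321 DPT=22 SYN",
    "Jun 12 10:15:02 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=44 TTL=118 PROTO=UDP SPT=40000 DPT=53",
    "Jun 12 10:15:03 gw kernel: ACCEPT: IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=443 DPT=51000 ACK",
]

def parse_line(line):
    """One LOG line -> dict of KEY=value fields; bare tokens (SYN, ACK, DF) are joined into FLAGS."""
    ts, _, rest = line.partition(" kernel: ")
    prefix, _, body = rest.partition("IN=")  # whatever precedes IN= is the --log-prefix
    rec = {"TIME": ts[:15], "PREFIX": prefix.strip(" :"), "FLAGS": ""}
    for tok in ("IN=" + body).split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val
        else:
            rec["FLAGS"] = (rec["FLAGS"] + "," + key).strip(",")
    return rec

@dataclass
class View:
    columns: list                              # (2) which fields are shown
    where: dict = field(default_factory=dict)  # (3) which records: field -> required value
    symbolic: bool = False                     # (4) convert port numbers to service names
    def to_json(self):                         # (5) save a view to reuse it later
        return json.dumps(asdict(self))
    @classmethod
    def from_json(cls, text):
        return cls(**json.loads(text))

def render(lines, view, services=socket.getservbyport):
    """Apply a View to raw log lines; `services(port, proto)` returns a name or raises."""
    rows = []
    for line in lines:
        rec = parse_line(line)
        if any(rec.get(k) != v for k, v in view.where.items()):
            continue
        if view.symbolic:
            proto = rec.get("PROTO", "").lower()
            for k in ("SPT", "DPT"):
                try:
                    rec[k] = services(int(rec[k]), proto)
                except (KeyError, OSError):  # no such field, or port not in /etc/services
                    pass
        rows.append([rec.get(c, "-") for c in view.columns])
    return rows
```

Feature (1) stays on the iptables side (the LOG target's own options decide what is written), and feature (6) is a matter of feeding newly appended lines into `render` the way `tail -f` would.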

    1. Re:firewall log interface by t1101 · · Score: 1

      I'm using ulog for this very thing; it's pretty neat. It logs the packets into a MySQL (or PostgreSQL) database and then uses a PHP interface to display the info in a very friendly way. The problem, of course, is that if you are not already running a MySQL server and an Apache server, you have to start them up. Running these two servers just for this program does seem a little silly. Still, I've been really happy with the ease with which I can view my logs. Beats the heck outa looking through the text log!
      Here are some links to check out:
      ulog-php
      ulogd

    2. Re:firewall log interface by jschrod · · Score: 1

      As I wrote, I know ulogd and hack on it myself. ulog-php is not able to create views on the logs, and is not configurable. That's the real advantage of SmartTracker.

      --

      Joachim

      People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

  91. Rubbish. by brunes69 · · Score: 1, Offtopic

    Real students of linguistics and languages do not take issue with things like this; only elitists and grammar Nazis do.

    The statement "Languages evolve, but that fact is too often used as a cop-out for being too lazy to learn correct use of a language." is utterly nonsensical, because there *is* no correct use of a language. A language is a construct to serve the people, and as people change, so must the language. Languages evolve over time, and should be treated more like a living organism than a rulebook. The only "correct use of a language", by definition, is the way the majority of the populace is using it. In this case, the majority of the populace uses "begs the question" in this sense, so it is perfectly valid, and is not any less so than any other commonly used phrase.

    1. Re:Rubbish. by _pi-away · · Score: 1

      The only "correct use of a language", by definition, is the way the majority of the populace is using it.

      Umm, no, that's simply not true. The majority of the populace mix up ensure, assure, and insure. That doesn't make them interchangeable.

      There is correct use of language, and there is incorrect; popular misunderstanding doesn't make it right.

      --

      "The crows seemed to be calling his name, thought Caw."
  92. On Ethereal by ripcrd · · Score: 1

    Oddly enough I know the guy that wrote Ethereal, even though I don't use the program. He's in my Linux User Group. Great guy, he has helped me w/ numerous problems as I switch to Debian.

    Anyway, have you asked for these features? Ethereal is under constant development. I think that as long as the new features don't slow the program down and they add necessary functions, they might get added.

    --
    --Somewhere there is a village missing an idiot.
  93. Re:Sigh by StrongAxe · · Score: 1

    If you're going to be a grammar nazi, try to avoid stupid typos you dumb fuck.

    If you're going to flame somebody else for posting a grammar flame with incorrect grammar, please make sure your own grammar is correct. In particular, 'nazi' should be capitalized, and there should be a comma after 'typos'.

  94. save a few dozen steps by Clover_Kicker · · Score: 1

    Just write your virus in Perl - portability problems greatly reduced.

  95. Re:vbs by NaDrew · · Score: 1
    That's two people so far who seem to have *.vbs associated with wscript.exe
    You have a better way to run WSH scripts? Personally I have "Edit" as the default action for *.vbs, but with a decent AV product installed (one that does heuristic scanning and monitors executing scripts) you shouldn't have anything to worry about with the default association.
    Windows Installer (MSI) packages use WSH scripts extensively. Disabling them completely will remove some fairly well-needed functionality from the OS.
    --
    Vista:XPSP2::ME:98SE
  96. Re:vbs by stoborrobots · · Score: 1

    I don't know... I have WSH disabled here...

    Actually I don't know whether my XP install has it on, since I don't use it on the network (1% XP, 99% Linux, last XP boot back in April...) and while I vaguely remember turning WSH off via some checkbox some time back, I don't remember if it was this laptop, or my 98 box under the desk... So I don't know if disabling WSH cripples MSI... But I thought that I had, and without issues...

    Doesn't MSI parse the scripts directly? I'm sure I installed Office on a machine with Scripting Host disabled once... I must double-check this sometime...

    Oh well, you learn something new every day...