Slashdot Mirror
Missing Open Source Security Tools?
Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security constantly changing, this begs the question, what open source security tools are missing? What commercial security tools have no viable open source alternatives? When securing/testing/exploring networks (home or enterprise), what security tools/applications/functionality are lacking (or non-existent) in the open source world?"
Here comes the "THAT'S NOT THE PROPER USE OF BEGS THE QUESTION" people. Get over it. English changes.
Open source security tools are missing.. security holes?
Oh, wait, you probably mean stuff that actually works.
Also important, if you don't think anything is missing, or even if you do, what software do you use for security purposes? Anything obscure but useful or unusual uses of common software?
-Tim Louden
...what security tools/applications/functionality are lacking (or non-existent) in the open source world?
How about an open source Security Information Management System (SIMS) Description, Article .
Something that lets us intergrate, collect, and correlate what the other great tools (Nessus, Snort, Nmap) find.
I've yet to find an open source tool that can show a "matrix" graph of source and destination talkers by MAC/IP/IPX name in realtime as found in Sniffer. Other tools show some of this information, but do not render the same graphical display (chords of a circle) as Sniffer.
With ethereal there's to do this with snapshots using graphviz, but not realtime...
I do not deploy Linux. Ever.
When we can create a truly fertile environment for elements like this in OSS, then we'll have arrived.
These tools could "leverage" existing security tools which exist in the open source world (stuff like tripwire for example) to get cross-platform support.
You don't have to just look at security, either; A multiplatform enterprise management suite with plug-in modules for filesystem, printing, security, scheduling, and good old monitoring would be a great thing to do for free. Software that does all that costs millions of dollars, single installs for sufficiently large sites can run upwards of US$10M.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you're a programmer with an itch, may I recommend a bath? Follow that up with a visit to a dermatologist, if necessary.
And for goodness sake, don't scratch other folk's itches! You'll spread all kinds of nasty stuff that way.
See what I've been reading.
If you are looking for a proven open standard methodology for performing security tests, then Open Source Security Testing Methodology Manual (OSSTMM) is the way to go.
In addition, there is the linux distro of Trinux, which includes most of the common linux open source security auditing tools.
LainTheWired = isgod( int Lain, int denial, float truth)
I propose a fork of Apache that contains a complete implementation of all IIS functionality (circa 2001), preferably enabled by default. The application must operate as 'root'. This will ensure that certain IT positions will remain abundant for many decades.
Do you like German cars?
Yes I know there are no viruses today. That's what wargaming is for. Be prepared. It's the only way.
It seems to be that people who make security tools don't open source them on the normal channels because they don't want 5cr1p7 k1dd135 stealing them. For instance, I'm currently working on an SNMP scanner to analyze a fibre channel network - no way am I open sourcing it; it shows entirely too many holes. *shrugs*
*black hat on*
Besides, if the holes you find become fixed due to public notice, how are you going to exploit them in the future?
*black hat off*
I am constantly trying to improve the security of my home network, and the available tools are pretty powerful. My biggest problem has been to find powerful reporting tools. I use iptables as a firewall, tripwire for intrusion detection, etc. But it's not always easy to see what's going on in the system. Tripwire produces decent reports; but there is no easy way (afaik) to get a list of intrusion attempts, network traffic, port scans, etc. Sure, the information is in the logs - but the log information is hard to parse and often not as complete as it should be.
Under capitalism man exploits man. Under communism it's the other way around.
A ton of tools are available for nix boxes, take a look at the live cd security distros. Tons of perl scripts or .c files. infosec geeks don't need fancy GUI's we need little scripts that can be piped or molded for different needs. look at all the tools that have been ported to win32 from linux/bsd like hping, nmap, nessus, ethereal, netcat, nemesis, datapipe, fport, lcrzoex, snort, etc. It's the closed source guys who need to get cracking. Look at Foundstone all they do is port stuff cause the win32 crap sucks. OSS tools are the ones leading the pack on this front. That being said perhaps Snort could be a bit easier/less prone to false positives, I couldn't grasp it completly until getting a book on it.
-- "of course thats just my opinion, I could be wrong." --Dennis Miller
You can do stuff like tcpdump -i xl0 src 10.0.0.1 and dst 10.0.0.2 and stuff like that.
http://www3.ca.com/Solutions/Product.asp?ID=4856
To my knowledge there is no, or perhaps very limited, support for the WPA standard. Granted, this isn't a tool, but it's security related.
Here's one I just thought of. Maybe it's been made, and maybe 16,000 people will point out why it isn't necessary or that it's built into find or emacs or something. Here goes anyway:
/
Write an app that takes a username as input and shows me all the files/directories that user can read or edit or execute. If I run it as root, it shows me All files. If run as me under my account, all of my files that that user could play with. For example:
shell% sudo fileSecurityCheck -www
will show me all files that are deleted when my webserver gets hacked.
Get Knopix STD (always a copy in my backpack) A live linux distro aimed at security with up to date packages for the following areas (From the Knopix STD site) http://www.knoppix-std.org/ * authentication * encryption * forensics * firewall * honeypot * ids * network utilities * password tools * servers * packet sniffers * tcp tools * tunnels * vulnerability assessment * wireless tools Turn it into a firewall, a web server, an IDS box, a honeypot. Use it to do data recovery on an dead or locked computer, perform a vulnerability assessment, a penetration test, perform an autopsy on a compromised machine, test your incident response team. Listen to your MP3 collection and play gnugo while waiting for that nessus scan to complete.
come comment on the madness at http://slashdot.org/~phreak03/journal/
A tool for managing the various aspects of encryption on a system would be useful:
1- Setup and administration of VPNs (PPTP, IPSEC)
2- Administration of secure remote access (SSH)
3- Partition encryption
4- File encryption
5- Email encryption
YES there are bits and pieces, some distributions have more than others, but no control point for system-wide administration and enforcement that can be implemented across distributions.
Can You Say Linux? I Knew That You Could.
Description: grep for network traffic ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
Most open source project focus on utility, not on appearance. The most powerful tools are often the simplest ones (in appearance). However, the ability to visualize and/or put a user-friendly interface is usually a good next step. Some may call this approach the "Microsoft dumbing down" approach, since it is Microsoft who usually put deceptively simple user-interface in front of a much more complex and powerful tool.
However, that doesn't mean these tools couldn't benefit from good visual front ends (and I'm sure people will point out there are plenty). Human's ability to make sense of well designed visual information (a la Edward Tufte) cannot be understated.
I also seem to recall reading a slashdot story a long while back about Infineon (I think) that had a hardware sniffer that is able to reconstruct TCP/IP traffic/session/connections that are captured, and it recognized hundreds of protocols/applications.
Bring all of that together: open source software being able to visually display security information in a meaningful way, using some kind of open standard like, say, OpenGL. Adding more to the existing foundation tools that we already have, that's where some contribution can be useful.
But that's just what I think, by no means do I think it's the best answer.
I am unaware of open source software that meets the functionality of PWSEX or LC5.
I haven't heard of an open source tool with the same functionality as the former Raytheon SilentRunner, now CA eTrust Network Forensics
or the similar tool Niksun
An open source tool with similar capabilities would be an excellent project
Something that can premiscuously detail a LAN. It should use netcat, nmap, ethereal and the other standards to map, in real time, you LAN traffic. It should also have the ability to intercept and decode any stream on your network.
So, let's say Billy is reading Slashdot when he's supposed to be doing data entry. You see a red (for example) line leading from Billy's box to the firewall with the line labelled "slashdot.org" and the IP address. Click on Billy's box and "zoom" to focus the GUI to Billy and right click menu to "intercept and decode" to pop-up a konqueror window that follows Billy's URL jumps and shows you what he's reading. The same would be true of mpegs he's watching or mp3s he's downloading.
Other functions would be to show all nodes in the LAN as well as OS versions, all traffic in and out of each node, and any services running per node. Servers running things like ntlogon, apache or SMB would be marked as such. A "bookmarking" type feature could also be implemented as well as a sticky-note feature for notation and easy navigation.
You could call it knetsec, but I actually like a bastardization of that... Knutsac.
put the what in the where?
Being notified that a program is trying to connect to the network can clue you in that you have been infected by a worm, virus, trojan, or spyware. Sure, Linux has relatively few malicious programs now but in the future it may become a bigger target.
Mebon
There are 3 things that piss me off to no end when using Ethereal.
:(
;)
1) I can't sort logs by date (this drives me insane)
2) I can't open more than one trace per session.
3) It doesn't put the trace into memory. Every time you apply a new filter it re-reads the damn file!
I've been using SnifferPro for about 4 years now and while it has its drawbacks I would say the inclusion of the above 3 options has more than paid for itself
The one thing all sniffers lack that is needed is a quick and easy method to take notes. I'm constantly jotting down reminders, line #s, and ips on sticky notes. GIVE ME COPY & PASTE!
note: It's been called SnifferPro since I started using it.
"Sort logs by date" in what sense? Presumably something other than sorting by clicking on the title of the "Time" column if it's configured to display absolute time or absolute date and time.
Non-trivial to implement - doable, but we'd need to make a lot of state information per-trace (i.e., attach it to a capture file structure) rather than global.
Every time you apply a new filter it:
and, as I remember from the last profiling runs done when running filters, that takes more time than does re-reading the raw packet data. A version of the Wiretap code to memory-map the capture file being read (with a mapping window so that files bigger than the amount of address space available for mapping can be read) might be interesting, although it wouldn't necessarily improve things much, as indicated. It'd also have to deal with gzipped capature files.
That's not "copy and paste"; "copy and paste" would be the ability to copy stuff from the capture dissection (some analyzers do that; Ethereal currently doesn't). That might let you copy line (packet?) numbers and IP addresses from captures into a text file, but not arbitrary notes.
What you're asking for sounds more like the ability to insert notes into the capture file itself. Some capture file formats support that, as do the analyzers using that format (I think Microsoft Network Monitor might). Ethereal's native format (libpcap) doesn't; the next generation of libpcap is intended to be extensible, and one extension would be comment records with arbitrary text in them.
.. ask if its virus patterns are.
A few friday nights back, our ClamAV started catching a little worm called W32/Zafi.b.
McAfee's DAT files to catch this one came out 2 1/2 days later, on the Monday morning (UK time).
Apart from the Nimda outbreak of 2001, this year is the only time I've seen viruses arrive at our email gateway (thanks ClamAV) before our official antivirus software updates catch them. Netsky, Bagle, and Zafi.b were all caught by ClamAV before McAfee had released DAT files for them.
I'd recommend defense in depth, using multiple virus scanners. We scan all incoming (and outgoing) emails with ClamAV, Bitdefender (free for Linux boxes), and McAfee's uvscan.
It's way too easy to fall into the mindset which says "we have antivirus software everywhere so we're safe". There will ALWAYS be a window of vulnerability between the release of a new virus and the availability of detection patterns. And don't forget that a lot of Windows viruses/worms disable any antivirus software they find running.
Phil