Missing Open Source Security Tools?

Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security constantly changing, this begs the question, what open source security tools are missing? What commercial security tools have no viable open source alternatives? When securing/testing/exploring networks (home or enterprise), what security tools/applications/functionality are lacking (or non-existent) in the open source world?"

Security

Open source security tools are missing.. security holes?

Re:Security

[bgeer]

Um no. Ethereal was running about 1 remote-shell vuln a week for a long time. Snort has had a couple too. I guess you could argue that they're all fixed now, but you certainly can't be sure of that.

Re:Security

[daeley]

Bob: Looks like you've been missing a lot of security holes lately.

Peter: Well, I wouldn't exactly say I've been *missing* them, Bob.

Self Defending Networks?

[Neil+Blender]

Oh, wait, you probably mean stuff that actually works.

Re:Self Defending Networks?

[Master+of+Transhuman]

You think this is funny. Let me tell you a little story.

I just took this past spring a course in "Network Security". The teacher got hold of a DARPA video on computer security and played it for us at one class session.

You wouldn't believe this crap. The scenario was a country suspiciously similar to Iraq who set up a computer center with a bunch of Arab terrorist hackers and tried to drop America's infrastructure.

So, of course, the brilliant and utterly boring (all these people looked like crew-cutted Republicans, it was unbelievable) used all sort of "cutting-edge technology" (that doesn't exist and won't for another two or three decades) to defeat the evil Arabs. It ended with them tracking the evil Arabs to their lair and a bunch of Special Forces guys busting in and shooting up the place (DIE, EVIL HACKERS! DIE!).

The tech they showed involved a lot of voice-command and voice-response computer systems, all sorts of fancy graphics stuff, and of course something very much like Total Information Awareness that allowed them to know who everybody was no matter who the hell they were. They also had the ability to search out the source of any virus or hacker penetration in minutes and then commandeer the entire US infrastructure to repel the attack.

Utter bullshit - and I told the teacher so at the end of the video.

This was a DARPA "wish-list" video with absolutely no relevance to current computer security technology.

At the end of the semester, I demo'd the Knoppix STD (Security Tools Distribution) to the class. One student asked if this stuff was "all command line". I said, well, it's all servers, and the servers all run UNIX, and servers usually are administered from the command line, so, yes, most of the tools (except for stuff like Ethereal and Nessus) was command line.

It's a long way from there to DARPA's fantasy land.

Re:Self Defending Networks?

[stoborrobots]

One argument FOR the command line as a newbie interface is here on OSNews.

It just goes to show, it's not just us old hackers who prefer the CLI...

Your favorite tools

[TLouden]

Also important, if you don't think anything is missing, or even if you do, what software do you use for security purposes? Anything obscure but useful or unusual uses of common software?

Re:Your favorite tools

I wrote this little app in C++ (so it's very efficient) that pops up a box every 5 minutes saying "all is well", regardless of what the relationship of that message to reality. Makes me feel very secure.

Re:Your favorite tools

[Lancer]

My favorite tool?

knoppix-std

Most every security tool a network admin (or script kiddie) could want in a convenient iso package.

Re:Your favorite tools

[Pharmboy]

I wrote this little app in C++ (so it's very efficient) that pops up a box every 5 minutes saying "all is well", regardless of what the relationship of that message to reality. Makes me feel very secure.

Now THAT sounds like something you should port over to Windows. Then again if you sold it, MS would just include it free in their next version...

Re:Your favorite tools

[alecthomas]

A more appropriate tool might be linux-vserver, which lets you assign each virtual server its own disk quota, process space and IP addresses.

SIMS

[WwWonka]

...what security tools/applications/functionality are lacking (or non-existent) in the open source world?

How about an open source Security Information Management System (SIMS) Description, Article .

Something that lets us intergrate, collect, and correlate what the other great tools (Nessus, Snort, Nmap) find.

Re:SIMS

[gfunicus]

Have a look here... http://www.ossim.net/

Re:SIMS

[kfg]

Obviously you don't do security for a large network.

No, no. That's not how it goes. If you take that approach people are likely to take it as a personal attack rather than a reasoned argument. To avoid such confusion it's best to proceed like this:

I ask, "Pipes and regular expressions?" (you dropped my question mark and replaced it with a period)

Then you say, "No, that won't do it, because. . . (and then you insert your argument here)

Otherwise people might think you're just being a jerk.

Now, I don't necessarily mind if people here and there think I'm being an intellectual jerk, or even an ignorant jerk (because, Lord knows, now and again I am an ignorant jerk), but I might feel bad if someone considered me just a jerk. So I can empathize with you being in a position where someone might think that of you.

Sure, that's like saying a magnifying glass can be used to find your lost class ring in the playground. Sure it will work, but extreme under-kill and a waste of time.

Wouldn't it be great if you could use pipes and regular expressions to find lost things? That would be sooooooooooo sweet, because (this is where I insert my argument) they're like a perfect multi-lens device of infinately variable focal length and aperature, hooked up to a spectrograph , a mass spectrograph, a lath, a mill, a tap and die set, a forge, a. . .

So there you are, in a playground in Central Park, NYC, and you suddenly realize your class ring is missing. You aren't sure where you lost it either. Let's say you know it had to be someplace on Manhatten. You zoom the lens out to encompass Manhatten, set the aperature appropriately, and turn on the spectrograph.

Then ask it to show you all the rings. And it does!

"Oh, shit," you say to yourself. "Look, only show me the rings with a garnet in them."

No, that didn't do it, there's still a pile of them too big to go through. Ok, how about all the gold rings with a garnet? Gold rings with a Garnet from the High School of the Performing Arts? Damn, that many? Ok, how about one of those ,but with that little scratch on the side with '58 Porsche grease in it?

Bingo! There it is in a cab up in East Harlem.

See? Not like a magnifying glass at all, but an entire suite of logical tools and set theory manipulators that can be combined in any way that suits your fancy to return any logical result you want.

I was once having dinner with some friends and one of them, who happens to be a network tech, asked one who happens to be a professor of Chemistry, "Why has Organic Chemistry effectively become a required course for a medical degree? Does a doctor really need to know Organic Chemistry? What would they possible actually use it for?"

The Chemistry professor responded, "Well, a biochemist would obviously need and use Organic Chemistry, but if you just mean a practicing medical doctor, no, they don't need it and will never use it."

"Well," asked the net tech, " why do you make them learn it then?"

"We don't make them learn it to learn Organic Chem." replied the professor. " We make them learn it to learn deductive reasoning in a domain of applied set theory. It's to teach them diagnosis."

And network security is a diagnostic field requiring deductive reasoning in a domain of applied set theory.

Maybe we should make CS majors take Organic Chemistry.

Or maybe we should just make them take math with a certain focus on logic and set theory and apply same against the computer (a mathmatical logic machine) network. Then maybe they could use general purpose logical tools to construct their own specific case tools, instead of being restricted to the domain of premade tools that often don't even fit their network situation (since every large network is unique in its structure and logic, and thus no outsider can know the sets, or the possible set of logical prepositions).

KFG

Sniffer Pro

[Nonesuch]

Sniffer Pro has features which neither "ntop" nor "ethereal" come anywhere near, both in the realtime monitoring of traffic and also in some of the "expert" functionality.

I've yet to find an open source tool that can show a "matrix" graph of source and destination talkers by MAC/IP/IPX name in realtime as found in Sniffer. Other tools show some of this information, but do not render the same graphical display (chords of a circle) as Sniffer.

With ethereal there's to do this with snapshots using graphviz, but not realtime...

Re:Sniffer Pro

[pkey]

If I'm understanding what you're looking for (I've never seen Sniffer Pro in action), I think EtherApe might do it. It hasn't been updated since January of 2003, but the current version works fine for me.

We're missing a great test bed

[burgburgburg]

I've been working with a spectacular closed source test bed for viruses, trojans, worms and the like called "Windows". I'm able to explore and examine so much more of this malicious code as it really functions then I ever have with my OSS tools. It's like they were written for it.

When we can create a truly fertile environment for elements like this in OSS, then we'll have arrived.

An enterprise security console

[drinkypoo]

Companies like CA and IBM are working to develop (or struggling to implement) single interfaces that will let you control and/or monitor the security of hundreds of systems at once, and monitor aggregates of the data so you can get both an overview and a detail view of the security status of your organization.

These tools could "leverage" existing security tools which exist in the open source world (stuff like tripwire for example) to get cross-platform support.

You don't have to just look at security, either; A multiplatform enterprise management suite with plug-in modules for filesystem, printing, security, scheduling, and good old monitoring would be a great thing to do for free. Software that does all that costs millions of dollars, single installs for sufficiently large sites can run upwards of US$10M.

Re:An enterprise security console

[mo]

While I haven't had the pleasure of working with any of these $10M install of a network management suite, I've been able to accomplish much of what you talk about using an assortment of the following open source tools:

OpenNMS
cfengine
nagios

Granted, none of these have real slick guis, and there is a bit of a learning curve to get over before you master them. However, for somebody who knows how to use the above tools, it's amazing the number of machines can be administered by one person.

Re:So....

[RealAlaskan]

The best stuff comes when you're scratching your own itch.

If you're a programmer with an itch, may I recommend a bath? Follow that up with a visit to a dermatologist, if necessary.

And for goodness sake, don't scratch other folk's itches! You'll spread all kinds of nasty stuff that way.

There are open security methodologies and tools!

[bandrzej]

Sheez, post something of importance, and get a bunch of smart ass flack.

If you are looking for a proven open standard methodology for performing security tests, then Open Source Security Testing Methodology Manual (OSSTMM) is the way to go.

In addition, there is the linux distro of Trinux, which includes most of the common linux open source security auditing tools.

Let's discuss job security instead.

[Scoria]

I propose a fork of Apache that contains a complete implementation of all IIS functionality (circa 2001), preferably enabled by default. The application must operate as 'root'. This will ensure that certain IT positions will remain abundant for many decades.

Open source virus scanners

[IamTheRealMike]

I'm talking about an open source equivalent to things like Norton AntiVirus - at some point, at some time desktop Linux will be hit by viruses/spyware/other undesireables. Current security technologies are purely focussed upon preventation and none upon cure.

Yes I know there are no viruses today. That's what wargaming is for. Be prepared. It's the only way.

Re:Open source virus scanners

[Mc+Fly]

Duh.
Dude, you should see clamav, a full opensource antivirus for Linux, FreeBSD and even Windows, which integrates nicely with virtually every mailer out there.

Re:Open source virus scanners

[gmuslera]

What about ClamAV or OpenAntivirus or a lot in the same league?

There are also a lot of integrity checkings tools, that if well don't count as "antivirus", at least they report changes that could mean something nasty running, and not to forget things like chkrootkit.

Re:Open source virus scanners

[ajs]

Virus scanners are for people who want to leave security holes open and then get information about the damage.

No, they're for the people who don't trust that every security hole is known of first by the white-hats.

Is your system secure? Are you sure? What abotu 5 minutes before you applied that last ssh update? Wouldn't a virus / trojan / root kit scanner give you one more level of assurance?

Give me reporting tools!

[Bubblehead]

I am constantly trying to improve the security of my home network, and the available tools are pretty powerful. My biggest problem has been to find powerful reporting tools. I use iptables as a firewall, tripwire for intrusion detection, etc. But it's not always easy to see what's going on in the system. Tripwire produces decent reports; but there is no easy way (afaik) to get a list of intrusion attempts, network traffic, port scans, etc. Sure, the information is in the logs - but the log information is hard to parse and often not as complete as it should be.

Network Forensics

[mplex]

This probably is a very good project for the opensource community, but it sure would be cool. I want to see an opensource version of the old SilentRunner product, now carried by Computer Associates.

eTrustTM Network Forensics captures raw network data and uses advanced forensics analysis to identify how business assets are affected by network exploits, internal data theft, and security or HR policy violations. Its patented technology allows IT and security staff to visualize network activity, uncover anomalous traffic and investigate breaches with a single, convenient solution.

http://www3.ca.com/Solutions/Product.asp?ID=4856

user

[scrotch]

Here's one I just thought of. Maybe it's been made, and maybe 16,000 people will point out why it isn't necessary or that it's built into find or emacs or something. Here goes anyway:

Write an app that takes a username as input and shows me all the files/directories that user can read or edit or execute. If I run it as root, it shows me All files. If run as me under my account, all of my files that that user could play with. For example:
shell% sudo fileSecurityCheck -www /
will show me all files that are deleted when my webserver gets hacked.

Re:user

[DaveAtFraud]

find already does most of what you're looking for:

find . -perm u=xrw,g=xrw,o=xrw -print

finds all mode 777 files under the current directory (the initial ".", substitute a path like /var/www if that's where you want to look). If you run it as root (probably required for what you want to do), you can use -user or -uid to find all of the files owned by a particular user name or UID.

Play with the -perm or +perm flags if need be to refine the result.

Knopix STD all the security all the time

[phreak03]

Get Knopix STD (always a copy in my backpack) A live linux distro aimed at security with up to date packages for the following areas (From the Knopix STD site) http://www.knoppix-std.org/ * authentication * encryption * forensics * firewall * honeypot * ids * network utilities * password tools * servers * packet sniffers * tcp tools * tunnels * vulnerability assessment * wireless tools Turn it into a firewall, a web server, an IDS box, a honeypot. Use it to do data recovery on an dead or locked computer, perform a vulnerability assessment, a penetration test, perform an autopsy on a compromised machine, test your incident response team. Listen to your MP3 collection and play gnugo while waiting for that nessus scan to complete.

Encryption "Umbrella"

[macemoneta]

A tool for managing the various aspects of encryption on a system would be useful:

1- Setup and administration of VPNs (PPTP, IPSEC)
2- Administration of secure remote access (SSH)
3- Partition encryption
4- File encryption
5- Email encryption

YES there are bits and pieces, some distributions have more than others, but no control point for system-wide administration and enforcement that can be implemented across distributions.

The user-friendly/visually appealing interface

[DeepDarkSky]

Most open source project focus on utility, not on appearance. The most powerful tools are often the simplest ones (in appearance). However, the ability to visualize and/or put a user-friendly interface is usually a good next step. Some may call this approach the "Microsoft dumbing down" approach, since it is Microsoft who usually put deceptively simple user-interface in front of a much more complex and powerful tool.

However, that doesn't mean these tools couldn't benefit from good visual front ends (and I'm sure people will point out there are plenty). Human's ability to make sense of well designed visual information (a la Edward Tufte) cannot be understated.

I also seem to recall reading a slashdot story a long while back about Infineon (I think) that had a hardware sniffer that is able to reconstruct TCP/IP traffic/session/connections that are captured, and it recognized hundreds of protocols/applications.

Bring all of that together: open source software being able to visually display security information in a meaningful way, using some kind of open standard like, say, OpenGL. Adding more to the existing foundation tools that we already have, that's where some contribution can be useful.

But that's just what I think, by no means do I think it's the best answer.

Password auditing

[siliconjunkie]

I am unaware of open source software that meets the functionality of PWSEX or LC5.

monolithic network management tool

[bhsx]

Something that can premiscuously detail a LAN. It should use netcat, nmap, ethereal and the other standards to map, in real time, you LAN traffic. It should also have the ability to intercept and decode any stream on your network.
So, let's say Billy is reading Slashdot when he's supposed to be doing data entry. You see a red (for example) line leading from Billy's box to the firewall with the line labelled "slashdot.org" and the IP address. Click on Billy's box and "zoom" to focus the GUI to Billy and right click menu to "intercept and decode" to pop-up a konqueror window that follows Billy's URL jumps and shows you what he's reading. The same would be true of mpegs he's watching or mp3s he's downloading.

Other functions would be to show all nodes in the LAN as well as OS versions, all traffic in and out of each node, and any services running per node. Servers running things like ntlogon, apache or SMB would be marked as such. A "bookmarking" type feature could also be implemented as well as a sticky-note feature for notation and easy navigation.
You could call it knetsec, but I actually like a bastardization of that... Knutsac.

Re:Oh great

I bet a lot of people would have enjoyed using that excuse in English class. Can you imagine an editor at the NY Times letting this slip by? In a comment by somebody who doesn't know better, sure, let it go.

Languages evolve, but that fact is too often used as a cop-out for being too lazy to learn correct use of a language. As it is now, "begs the question" is used incorrectly on the front page of Slashdot, a large news site. The editors should know better and hopefully after being scolded, they learn. Unlike people who scoff at corrections because "English changes."

Re:tcpdump is great

[UnderLoK]

There are 3 things that piss me off to no end when using Ethereal.

1) I can't sort logs by date (this drives me insane)
2) I can't open more than one trace per session.
3) It doesn't put the trace into memory. Every time you apply a new filter it re-reads the damn file! :(

I've been using SnifferPro for about 4 years now and while it has its drawbacks I would say the inclusion of the above 3 options has more than paid for itself ;)

The one thing all sniffers lack that is needed is a quick and easy method to take notes. I'm constantly jotting down reminders, line #s, and ips on sticky notes. GIVE ME COPY & PASTE!

note: It's been called SnifferPro since I started using it.

Ask not whether it's there yet...

[prandal]

.. ask if its virus patterns are.

A few friday nights back, our ClamAV started catching a little worm called W32/Zafi.b.

McAfee's DAT files to catch this one came out 2 1/2 days later, on the Monday morning (UK time).

Apart from the Nimda outbreak of 2001, this year is the only time I've seen viruses arrive at our email gateway (thanks ClamAV) before our official antivirus software updates catch them. Netsky, Bagle, and Zafi.b were all caught by ClamAV before McAfee had released DAT files for them.

I'd recommend defense in depth, using multiple virus scanners. We scan all incoming (and outgoing) emails with ClamAV, Bitdefender (free for Linux boxes), and McAfee's uvscan.

It's way too easy to fall into the mindset which says "we have antivirus software everywhere so we're safe". There will ALWAYS be a window of vulnerability between the release of a new virus and the availability of detection patterns. And don't forget that a lot of Windows viruses/worms disable any antivirus software they find running.

Phil