Missing Open Source Security Tools? 362
Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security constantly changing, this begs the question, what open source security tools are missing? What commercial security tools have no viable open source alternatives? When securing/testing/exploring networks (home or enterprise), what security tools/applications/functionality are lacking (or non-existent) in the open source world?"
Oh great (Score:3, Funny)
Re:Oh great (Score:2, Insightful)
But I let it go cause I hate those stupid losers still whining about how hacker used to mean a guy who played with model trains at MIT or something...
Re:Oh great (Score:3, Funny)
Which begs the question as to its proper usage...
Re:Oh great (Score:4, Insightful)
Languages evolve, but that fact is too often used as a cop-out for being too lazy to learn correct use of a language. As it is now, "begs the question" is used incorrectly on the front page of Slashdot, a large news site. The editors should know better and hopefully after being scolded, they learn. Unlike people who scoff at corrections because "English changes."
Security (Score:5, Funny)
Re:Security (Score:5, Informative)
Re:Security (Score:5, Funny)
Peter: Well, I wouldn't exactly say I've been *missing* them, Bob.
Re:Security (Score:4, Funny)
Bob: Looks like you've been missing a lot of security holes lately.
For a second there, that looked like a Clippy joke.
Re:Security (Score:4, Insightful)
facial-recognition & biometric stuff to identify suspects in your building
background-check software for individuals.
burglar alarm systems, for homes and businesses (requires some hardware)
timed-safe software (requires some hardware)
xray & metal-detectors & chemical-sniffers for airports (requires lotsa hardware)
Oh, you mean computer stuff. C'mon guys, just quit using outlook to browse prOn from computers inside your firewall; and close off ports you don't need.
Self Defending Networks? (Score:5, Funny)
Re:Self Defending Networks? (Score:5, Interesting)
I just took this past spring a course in "Network Security". The teacher got hold of a DARPA video on computer security and played it for us at one class session.
You wouldn't believe this crap. The scenario was a country suspiciously similar to Iraq who set up a computer center with a bunch of Arab terrorist hackers and tried to drop America's infrastructure.
So, of course, the brilliant and utterly boring (all these people looked like crew-cutted Republicans, it was unbelievable) used all sort of "cutting-edge technology" (that doesn't exist and won't for another two or three decades) to defeat the evil Arabs. It ended with them tracking the evil Arabs to their lair and a bunch of Special Forces guys busting in and shooting up the place (DIE, EVIL HACKERS! DIE!).
The tech they showed involved a lot of voice-command and voice-response computer systems, all sorts of fancy graphics stuff, and of course something very much like Total Information Awareness that allowed them to know who everybody was no matter who the hell they were. They also had the ability to search out the source of any virus or hacker penetration in minutes and then commandeer the entire US infrastructure to repel the attack.
Utter bullshit - and I told the teacher so at the end of the video.
This was a DARPA "wish-list" video with absolutely no relevance to current computer security technology.
At the end of the semester, I demo'd the Knoppix STD (Security Tools Distribution) to the class. One student asked if this stuff was "all command line". I said, well, it's all servers, and the servers all run UNIX, and servers usually are administered from the command line, so, yes, most of the tools (except for stuff like Ethereal and Nessus) were command line.
It's a long way from there to DARPA's fantasy land.
Re:Self Defending Networks? (Score:5, Interesting)
It just goes to show, it's not just us old hackers who prefer the CLI...
So.... (Score:3, Insightful)
Re:So.... (Score:5, Funny)
If you're a programmer with an itch, may I recommend a bath? Follow that up with a visit to a dermatologist, if necessary.
And for goodness sake, don't scratch other folk's itches! You'll spread all kinds of nasty stuff that way.
Re:So.... (Score:4, Funny)
Your favorite tools (Score:5, Interesting)
Re:Your favorite tools (Score:5, Funny)
Re:Your favorite tools (Score:2)
Reeeeeeeeeeally? What license is it under?
Re:Your favorite tools (Score:5, Funny)
Now THAT sounds like something you should port over to Windows. Then again if you sold it, MS would just include it free in their next version...
Re:Your favorite tools (Score:5, Informative)
knoppix-std [knoppix-std.org]
Most every security tool a network admin (or script kiddie) could want in a convenient iso package.
Re:Your favorite tools (Score:3, Interesting)
Re:Your favorite tools (Score:5, Informative)
SIMS (Score:5, Interesting)
How about an open source Security Information Management System (SIMS) Description, Article [securitypipeline.com].
Something that lets us integrate, collect, and correlate what the other great tools (Nessus, Snort, Nmap) find.
Re:SIMS (Score:5, Interesting)
sentinix is the siznit (Score:2, Informative)
http://sentinix.org
defiance
Re:SIMS (Score:2, Insightful)
Pipes and regular expressions?
KFG
Re:SIMS (Score:5, Insightful)
No, no. That's not how it goes. If you take that approach people are likely to take it as a personal attack rather than a reasoned argument. To avoid such confusion it's best to proceed like this:
I ask, "Pipes and regular expressions?" (you dropped my question mark and replaced it with a period)
Then you say, "No, that won't do it, because. . . (and then you insert your argument here)
Otherwise people might think you're just being a jerk.
Now, I don't necessarily mind if people here and there think I'm being an intellectual jerk, or even an ignorant jerk (because, Lord knows, now and again I am an ignorant jerk), but I might feel bad if someone considered me just a jerk. So I can empathize with you being in a position where someone might think that of you.
Sure, that's like saying a magnifying glass can be used to find your lost class ring in the playground. Sure it will work, but extreme under-kill and a waste of time.
Wouldn't it be great if you could use pipes and regular expressions to find lost things? That would be sooooooooooo sweet, because (this is where I insert my argument) they're like a perfect multi-lens device of infinitely variable focal length and aperture, hooked up to a spectrograph, a mass spectrograph, a lathe, a mill, a tap and die set, a forge, a. . .
So there you are, in a playground in Central Park, NYC, and you suddenly realize your class ring is missing. You aren't sure where you lost it either. Let's say you know it had to be someplace on Manhattan. You zoom the lens out to encompass Manhattan, set the aperture appropriately, and turn on the spectrograph.
Then ask it to show you all the rings. And it does!
"Oh, shit," you say to yourself. "Look, only show me the rings with a garnet in them."
No, that didn't do it, there's still a pile of them too big to go through. Ok, how about all the gold rings with a garnet? Gold rings with a Garnet from the High School of the Performing Arts? Damn, that many? Ok, how about one of those
Bingo! There it is in a cab up in East Harlem.
See? Not like a magnifying glass at all, but an entire suite of logical tools and set theory manipulators that can be combined in any way that suits your fancy to return any logical result you want.
I was once having dinner with some friends and one of them, who happens to be a network tech, asked one who happens to be a professor of Chemistry, "Why has Organic Chemistry effectively become a required course for a medical degree? Does a doctor really need to know Organic Chemistry? What would they possibly actually use it for?"
The Chemistry professor responded, "Well, a biochemist would obviously need and use Organic Chemistry, but if you just mean a practicing medical doctor, no, they don't need it and will never use it."
"Well," asked the net tech, " why do you make them learn it then?"
"We don't make them learn it to learn Organic Chem," replied the professor. "We make them learn it to learn deductive reasoning in a domain of applied set theory. It's to teach them diagnosis."
And network security is a diagnostic field requiring deductive reasoning in a domain of applied set theory.
Maybe we should make CS majors take Organic Chemistry.
Or maybe we should just make them take math with a certain focus on logic and set theory and apply same against the computer (a mathematical logic machine) network. Then maybe they could use general purpose logical tools to construct their own specific case tools, instead of being restricted to the domain of premade tools that often don't even fit their network situation (since every large network is unique in its structure and logic, and thus no outsider can know the sets, or the possible set of logical propositions).
KFG
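A minimal version of the correlation the SIMS request above asks for, done in the spirit of the "pipes and regular expressions" reply: this is an added example and not code from the original thread or from any of the projects named in it. It parses constructed lines written in the style of Nmap grepable output and Snort fast-alert output (the sample hosts, SIDs and messages are made up for the example) and then tags each alert as confirmed, meaning the scan saw the targeted port open on that host, or unconfirmed, meaning the alert hit a port or host the scan never found. Confirmed alerts are the ones worth a phone call; the rest are usually blind scans.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Nmap grepable (-oG) output.
NMAP_GREPABLE = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///
"""

# Constructed sample in the style of Snort's fast alert format.
SNORT_FAST = """\
08/14-22:15:01.123456  [**] [1:1000001:1] WEB attack attempt [**] [Priority: 2] {TCP} 203.0.113.9:4455 -> 10.0.0.5:80
08/14-22:15:07.654321  [**] [1:1000002:1] SSH brute force [**] [Priority: 2] {TCP} 203.0.113.9:4460 -> 10.0.0.5:22
08/14-22:16:30.000001  [**] [1:1000003:1] SMB probe [**] [Priority: 3] {TCP} 198.51.100.4:5123 -> 10.0.0.9:445
"""

HOST_RE = re.compile(r"Host: (\S+) .*?Ports: (.*)")
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")
ALERT_RE = re.compile(
    r"\[\*\*\] \[([\d:]+)\] (.*?) \[\*\*\].*?\{(\w+)\} "
    r"(\S+):(\d+) -> (\S+):(\d+)")


def parse_nmap(text):
    """Map (host, proto, port) -> service name for every open port in the scan."""
    services = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for num, proto, name in PORT_RE.findall(ports):
            services[(host, proto, int(num))] = name
    return services


def parse_snort(text):
    """Pull SID, message, protocol and the src/dst endpoints out of each alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        sid, msg, proto, src, sport, dst, dport = m.groups()
        alerts.append({"sid": sid, "msg": msg, "proto": proto.lower(),
                       "src": src, "dst": dst, "dport": int(dport)})
    return alerts


def correlate(services, alerts):
    """Group alerts by target host; 'confirmed' means the scan saw that port open."""
    result = defaultdict(lambda: {"confirmed": [], "unconfirmed": []})
    for a in alerts:
        key = (a["dst"], a["proto"], a["dport"])
        bucket = "confirmed" if key in services else "unconfirmed"
        result[a["dst"]][bucket].append(a)
    return dict(result)


def report(result):
    """Plain-text summary, one host per line, confirmed alerts listed underneath."""
    lines = []
    for host in sorted(result):
        c, u = result[host]["confirmed"], result[host]["unconfirmed"]
        lines.append(f"{host}: {len(c)} alert(s) against open ports, "
                     f"{len(u)} against closed/unknown ports")
        for a in c:
            lines.append(f"  !! {a['msg']} from {a['src']} -> {a['proto']}/{a['dport']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(correlate(parse_nmap(NMAP_GREPABLE), parse_snort(SNORT_FAST))))
```

The join key is (host, protocol, port), so a Snort rule that fires on a port the scanner never saw open lands in the unconfirmed bucket; in a real deployment the scan data would be refreshed on a schedule, since a service that appeared after the last scan looks exactly like noise here.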
Sniffer Pro (Score:5, Informative)
I've yet to find an open source tool that can show a "matrix" graph of source and destination talkers by MAC/IP/IPX name in realtime as found in Sniffer. Other tools show some of this information, but do not render the same graphical display (chords of a circle) as Sniffer.
With Ethereal [ethereal.com] there is a way to do this with snapshots using graphviz [att.com], but not in realtime...
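The snapshot approach mentioned above, as an added example that is not code from the original thread or from Ethereal or Sniffer: it reads constructed packet lines written in the style of tcpdump's `-n` output (the addresses and byte counts are made up for the example), folds them into a who-talks-to-whom matrix, and emits a Graphviz DOT graph with a circular layout, which gives the chord-style picture the post describes once piped through `dot`. Anything that is not a packet line is ignored.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n` text output.
TCPDUMP_LINES = """\
22:15:01.000001 IP 10.0.0.5.51234 > 203.0.113.9.80: Flags [P.], seq 1:101, ack 1, win 512, length 100
22:15:01.000402 IP 203.0.113.9.80 > 10.0.0.5.51234: Flags [P.], seq 1:1401, ack 101, win 512, length 1400
22:15:01.000900 IP 10.0.0.5.51234 > 203.0.113.9.80: Flags [.], ack 1401, win 512, length 0
22:15:02.000001 IP 10.0.0.7.40000 > 10.0.0.5.22: Flags [S], seq 0, win 65535, length 0
22:15:02.000301 IP 10.0.0.5.22 > 10.0.0.7.40000: Flags [S.], seq 0, ack 1, win 65535, length 0
this line is not a packet and is skipped
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): .*length (?P<len>\d+)$")


def parse_lines(text):
    """Return (src, dst, payload_bytes) for every line that looks like a packet."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["len"])))
    return flows


def talker_matrix(flows):
    """Undirected matrix: each host pair is one key regardless of who sent."""
    packets, payload = Counter(), Counter()
    for src, dst, n in flows:
        pair = tuple(sorted((src, dst)))
        packets[pair] += 1
        payload[pair] += n
    return packets, payload


def to_dot(packets, payload):
    """Graphviz source; `layout=circo` draws hosts on a circle with chords between talkers."""
    lines = ["graph talkers {", "  layout=circo;", "  node [shape=box];"]
    hosts = sorted({h for pair in packets for h in pair})
    for h in hosts:
        lines.append(f'  "{h}";')
    for pair in sorted(packets):
        a, b = pair
        lines.append(f'  "{a}" -- "{b}" [label="{packets[pair]} pkts / {payload[pair]} B"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    pk, by = talker_matrix(parse_lines(TCPDUMP_LINES))
    print(to_dot(pk, by))
```

Feeding the output to `dot -Tpng` gives one static picture per capture window; looping it over a rolling capture is the cheap way to approximate the realtime view without writing a sniffer of your own.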
Etherape (Score:3, Informative)
Re:Sniffer Pro (Score:5, Informative)
Re:Sniffer Pro (Score:3, Interesting)
Re:Sniffer Pro (Score:3, Insightful)
Do you want a network monitoring system, or a sniffer?
Even if I needed such a feature, I'd never expect it to be in Ethereal (and I use tcpdump/Ethereal daily, but not for graphs).
If I needed (offline) graphs, I'd use netflow probes and collector. If I needed realtime stats, I'd use iptraf (well, I do use both of those anyway).
However, I never needed t
Re:Sniffer Pro (Score:3, Interesting)
Re:Sniffer Pro (Score:4, Funny)
No, no, no, you must have that backwards... woody [debian.org] gives you Ethereal [backports.org]. I'm sure that's what you meant to type.
Right? Please?
Re:Sniffer Pro (Score:4, Funny)
We're missing a great test bed (Score:5, Funny)
When we can create a truly fertile environment for elements like this in OSS, then we'll have arrived.
Re:We're missing a great test bed (Score:2, Funny)
Unfortunately you fail to mention the license: it's awful. It appears to be a weird GPL variant that forbids access to the source, the making of derivatives and redistribution. I must have misread it I think.
Re:We're missing a great test bed (Score:2)
You mean like this? [winehq.com]
An enterprise security console (Score:5, Interesting)
These tools could "leverage" existing security tools which exist in the open source world (stuff like tripwire for example) to get cross-platform support.
You don't have to just look at security, either; A multiplatform enterprise management suite with plug-in modules for filesystem, printing, security, scheduling, and good old monitoring would be a great thing to do for free. Software that does all that costs millions of dollars, single installs for sufficiently large sites can run upwards of US$10M.
Re:An enterprise security console (Score:2)
Re:An enterprise security console (Score:2)
Badass, do they each come with their own clone of Penn Gillette to run them for me?
Re:An enterprise security console (Score:5, Interesting)
OpenNMS [opennms.org]
cfengine [cfengine.org]
nagios [nagios.org]
Granted, none of these have real slick GUIs, and there is a bit of a learning curve to get over before you master them. However, for somebody who knows how to use the above tools, it's amazing the number of machines that can be administered by one person.
There are open security methodologies and tools! (Score:5, Informative)
If you are looking for a proven open standard methodology for performing security tests, then Open Source Security Testing Methodology Manual (OSSTMM) [isecom.org] is the way to go.
In addition, there is the linux distro of Trinux [sourceforge.net], which includes most of the common linux open source security auditing tools.
Application Level Proxies (Score:2, Interesting)
There are some more now, but most have discovered bugs due to missing defensive programming.
That was one of the reasons I started freefire.org, even when the mailing list currently is not used.
--
www.eckes.org
Let's discuss job security instead. (Score:5, Funny)
Open source virus scanners (Score:5, Interesting)
Yes I know there are no viruses today. That's what wargaming is for. Be prepared. It's the only way.
Re:Open source virus scanners (Score:5, Informative)
Dude, you should see clamav [clamav.net], a full opensource antivirus for Linux, FreeBSD and even Windows, which integrates nicely with virtually every mailer out there.
Re:Open source virus scanners (Score:3, Insightful)
As much as I admire the clam folks, it's just not there yet.
AV is something that could really benefit from an open, distributed development model if we could find the right precautions to take. If users could report and characterise malicious attacks as they happen, I think we could start to offer an alternative to the big AV company's virus dictionaries (sort of like wikipedia compared to britannica).
Obviously this would not be an easy thing to set up well (consider the. We would need some sort of "karma
Re:Open source virus scanners (Score:2)
I would agree. I use it on the mail server (Fedora/MailScanner/Spamassassin/Squirrelmail box) and it lets a couple through a week. It's a great program, granted, and it's about 95% effective, but not quite up to speed. Part of the problem with any free "as in beer" program will always be keeping up since you can't just sell a few more copies and hire someone else, and AV is one of those tasks that require a lot of keeping up.
I certainly don't
Ask not whether it's there yet... (Score:5, Interesting)
A few friday nights back, our ClamAV started catching a little worm called W32/Zafi.b.
McAfee's DAT files to catch this one came out 2 1/2 days later, on the Monday morning (UK time).
Apart from the Nimda outbreak of 2001, this year is the only time I've seen viruses arrive at our email gateway (thanks ClamAV) before our official antivirus software updates catch them. Netsky, Bagle, and Zafi.b were all caught by ClamAV before McAfee had released DAT files for them.
I'd recommend defense in depth, using multiple virus scanners. We scan all incoming (and outgoing) emails with ClamAV, Bitdefender (free for Linux boxes), and McAfee's uvscan.
It's way too easy to fall into the mindset which says "we have antivirus software everywhere so we're safe". There will ALWAYS be a window of vulnerability between the release of a new virus and the availability of detection patterns. And don't forget that a lot of Windows viruses/worms disable any antivirus software they find running.
Phil
Re:Open source virus scanners (Score:2)
That's why there's been so little progress with Open anti virus [openantivirus.org] but you can bet your life that if/when viruses do start to strike, people will be willing to dedicate their time and a FOSS anti virus solution will be available.
Re:Open source virus scanners (Score:5, Informative)
There are also a lot of integrity checking tools that, while they don't count as "antivirus", at least report changes that could mean something nasty is running, and don't forget things like chkrootkit.
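The kind of integrity check the post above refers to, as an added example that is not code from the thread or from tripwire or chkrootkit: it builds a manifest of every regular file under a directory (SHA-256, permission bits, size), stores it as JSON, and diffs a later manifest against it. Besides added, removed and modified files it calls out any file that newly gained a setuid or setgid bit, which is the change a rootkit install tends to leave behind. The `demo()` function builds a throwaway tree under a temp directory and stages a constructed "trojaned binary" scenario so the block runs offline; the file names in it are made up.

```python
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record hash, permission bits and size of every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            rel = os.path.relpath(full, root)
            manifest[rel] = {"sha256": sha256_file(full),
                             "mode": stat.S_IMODE(st.st_mode),
                             "size": st.st_size}
    return manifest


def save_manifest(manifest, path):
    """The baseline belongs on read-only media; a writable baseline is just another target."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two manifests; files that newly gained setuid/setgid get their own list."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": [], "setuid_new": []}
    suid = stat.S_ISUID | stat.S_ISGID
    for rel in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rel), current.get(rel)
        if b is None:
            report["added"].append(rel)
            if c["mode"] & suid:
                report["setuid_new"].append(rel)
        elif c is None:
            report["removed"].append(rel)
        else:
            if b["sha256"] != c["sha256"] or b["size"] != c["size"]:
                report["modified"].append(rel)
            if b["mode"] != c["mode"]:
                report["mode_changed"].append(rel)
                if (c["mode"] & suid) and not (b["mode"] & suid):
                    report["setuid_new"].append(rel)
    return report


def demo():
    """Constructed scenario: take a baseline, then tamper with the tree and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original binary")
    with open(os.path.join(root, "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")
    baseline = build_manifest(root)
    save_manifest(baseline, os.path.join(root, "baseline.json"))
    # simulated tampering: replace a binary, make it setuid, add a dotfile, delete a file
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned binary")
    os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
    with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
        f.write(b"x")
    os.remove(os.path.join(root, "passwd"))
    current = build_manifest(root)
    del current["baseline.json"]  # the manifest file itself is not part of the tree
    return compare(load_manifest(os.path.join(root, "baseline.json")), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The obvious caveat from the rest of this thread still applies: a host that is already rooted can lie to `os.walk` and `open`, so a check like this is trustworthy only when run from clean media against the suspect disk, or when the baseline is taken before the host is exposed.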
Re:Open source virus scanners (Score:2)
I believe that Lindows (Linspire) is especially susceptible to this. After all, the user operates as 'root' by default, thus compromising many of the local security principles inherent to the Linux/Unix philosophy. Lindows and the other "easy-to-use"
Re:Open source virus scanners (Score:3)
Re:Open source virus scanners (Score:3)
However, they also offer many daemons as "one-click downloads," and those were the subject of my response. They (did?) operate as root by default, too. Once they have been allowed to age sufficiently, these vulnerable daemons will become an excellent vector by which to propagate "auto-installing" malware.
Re:Open source virus scanners (Score:2)
What makes you think its impossible to design a secure system? What if the goal of the people designing the system is to design a secure and stable system instead of making a profitable business out of selling software and competing for market dominance? Sure, everything can be insecure, but what matters is what you do after you discover that it was implemented improperly, no? Do you scrap the old code and r
Re:Open source virus scanners (Score:2)
Re:Open source virus scanners (Score:2)
You need a many-pronged approach, and ways to deal with the fact that a compromised UNIX or UNIX-like system is one of the most fearsome anti-security tools there are. You need to be able to establish the state of system security WITHOUT knowing that it was secure w
Re:Open source virus scanners (Score:5, Insightful)
No, they're for the people who don't trust that every security hole is known of first by the white-hats.
Is your system secure? Are you sure? What about 5 minutes before you applied that last ssh update? Wouldn't a virus / trojan / root kit scanner give you one more level of assurance?
Security by Obscurity (Score:4, Funny)
*black hat on*
Besides, if the holes you find become fixed due to public notice, how are you going to exploit them in the future?
*black hat off*
tcpdump is great (Score:2, Interesting)
Re:tcpdump is great (Score:2)
tcpdump (options) | grep | grep
It's a horrible kludge but it'd work.
tcpdump has src and dest filters (Score:3, Informative)
Re:tcpdump is great (Score:4, Informative)
Description: grep for network traffic ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
Re:tcpdump is great (Score:4, Interesting)
1) I can't sort logs by date (this drives me insane)
2) I can't open more than one trace per session.
3) It doesn't put the trace into memory. Every time you apply a new filter it re-reads the damn file!
I've been using SnifferPro for about 4 years now and while it has its drawbacks I would say the inclusion of the above 3 options has more than paid for itself.
The one thing all sniffers lack that is needed is a quick and easy method to take notes. I'm constantly jotting down reminders, line #s, and ips on sticky notes. GIVE ME COPY & PASTE!
note: It's been called SnifferPro since I started using it.
Re:tcpdump is great (Score:4, Interesting)
"Sort logs by date" in what sense? Presumably something other than sorting by clicking on the title of the "Time" column if it's configured to display absolute time or absolute date and time.
Non-trivial to implement - doable, but we'd need to make a lot of state information per-trace (i.e., attach it to a capture file structure) rather than global.
Every time you apply a new filter it:
and, as I remember from the last profiling runs done when running filters, that takes more time than does re-reading the raw packet data. A version of the Wiretap code to memory-map the capture file being read (with a mapping window so that files bigger than the amount of address space available for mapping can be read) might be interesting, although it wouldn't necessarily improve things much, as indicated. It'd also have to deal with gzipped capture files.
That's not "copy and paste"; "copy and paste" would be the ability to copy stuff from the capture dissection (some analyzers do that; Ethereal currently doesn't). That might let you copy line (packet?) numbers and IP addresses from captures into a text file, but not arbitrary notes.
What you're asking for sounds more like the ability to insert notes into the capture file itself. Some capture file formats support that, as do the analyzers using that format (I think Microsoft Network Monitor might). Ethereal's native format (libpcap) doesn't; the next generation of libpcap is intended to be extensible, and one extension would be comment records with arbitrary text in them.
Network mapping ! (Score:2)
Bonus if it can be passive and list OS, services,
Give me reporting tools! (Score:5, Insightful)
Re:Give me reporting tools! (Score:3, Informative)
This Question should be reversed. (Score:4, Insightful)
Network Forensics (Score:5, Interesting)
http://www3.ca.com/Solutions/Product.asp?ID=4856 [ca.com]
Re:Network Forensics (Score:4, Interesting)
WPA support (Score:3, Insightful)
Re:WPA support (Score:2)
Re:WPA support (Score:2)
Haven't used it myself but I have looked at it. It uses FreeRADIUS [freeradius.org], which authenticates against LDAP or various SQL databases.
user (Score:5, Interesting)
Write an app that takes a username as input and shows me all the files/directories that user can read or edit or execute. If I run it as root, it shows me All files. If run as me under my account, all of my files that that user could play with. For example:
shell% sudo fileSecurityCheck -www
will show me all files that are deleted when my webserver gets hacked.
Re:user (Score:5, Informative)
find . -perm u=xrw,g=xrw,o=xrw -print
finds all mode 777 files under the current directory (the initial ".", substitute a path like
Play with the -perm or +perm flags if need be to refine the result.
Re:user (Score:2)
especially the -user, -group, and -perm flags
Writing the shell script around find that asks for the username, checks the users group memberships, and prints the matching lines is an exercise left to the reader.
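The "exercise left to the reader" from the replies above, written out as an added example that is not code from the thread: instead of wrapping `find`, it applies the same owner/group/other rule `find -perm` relies on directly from Python, resolving the user's primary and supplementary groups with the `pwd` and `grp` modules. The `permits` function holds the permission logic on its own so it can be checked with synthetic values; `files_for_user` walks a tree and returns every file or directory the named user could read, write or execute. A root user is treated as the kernel treats it (anything readable and writable, executable if any x bit is set). Usernames and paths in the `__main__` demo are whatever the machine it runs on has.

```python
import grp
import os
import pwd
import stat

BIT = {"r": 4, "w": 2, "x": 1}


def user_identity(username):
    """uid plus every gid the user belongs to (primary group and supplementary groups)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def permits(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix check: the first matching class (owner, group, other) decides.

    mode is the permission bits (stat.S_IMODE); want is one of 'r', 'w', 'x'.
    """
    if uid == 0:
        # root reads and writes anything; execute needs at least one x bit set
        return want != "x" or bool(mode & 0o111)
    if file_uid == uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & BIT[want])


def files_for_user(root, username, want="w"):
    """Every file or directory under root that `username` can access in the `want` sense."""
    uid, gids = user_identity(username)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the link target on its own when the walk reaches it
            if permits(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids, want):
                hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # usage: script.py USERNAME [ROOT] [r|w|x]; defaults to the current user, cwd, write
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    root = sys.argv[2] if len(sys.argv) > 2 else "."
    want = sys.argv[3] if len(sys.argv) > 3 else "w"
    for path in files_for_user(root, user, want):
        print(path)
```

Run with the account your web server uses and `w`, and the output is the list of files that a compromise of that account could alter, which is the question the original post was asking. This is the bare mode-bit model only: POSIX ACLs, capabilities and mandatory access control frameworks can grant or deny beyond what the bits say, so on a host that uses them the answer here is a lower bound on what is reachable.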
Gentoo Hardened -- need I say more? (Score:2, Insightful)
Knopix STD all the security all the time (Score:5, Interesting)
Well, duh (Score:2)
Encryption "Umbrella" (Score:5, Interesting)
1- Setup and administration of VPNs (PPTP, IPSEC)
2- Administration of secure remote access (SSH)
3- Partition encryption
4- File encryption
5- Email encryption
YES there are bits and pieces, some distributions have more than others, but no control point for system-wide administration and enforcement that can be implemented across distributions.
The user-friendly/visually appealing interface (Score:5, Insightful)
However, that doesn't mean these tools couldn't benefit from good visual front ends (and I'm sure people will point out there are plenty). Humans' ability to make sense of well designed visual information (a la Edward Tufte) cannot be understated.
I also seem to recall reading a slashdot story a long while back about Infineon (I think) that had a hardware sniffer that is able to reconstruct TCP/IP traffic/session/connections that are captured, and it recognized hundreds of protocols/applications.
Bring all of that together: open source software being able to visually display security information in a meaningful way, using some kind of open standard like, say, OpenGL. Adding more to the existing foundation tools that we already have, that's where some contribution can be useful.
But that's just what I think, by no means do I think it's the best answer.
Re:The user-friendly/visually appealing interface (Score:4, Insightful)
The thing I like about Unix stuff is that when there is a good GUI interface for something, that usually doesn't mean you're locked out of the nitty gritty back-end as with some.. other GUI systems. I think a good GUI can complement a system quite well and I enjoy using them when they are well constructed.
A short list (Score:3, Insightful)
#5 is a Windows-only deficiency, but the rest aren't. I mentioned Antivirus software 3 times because I think it's at least 3 times as important as the others. As more and more (read: dumber and dumber) people migrate to non-Windows platforms, viruses and malware are going to start to be more of a problem for those of us on Better Platforms.
Password auditing (Score:4, Informative)
Re:Password auditing (Score:3, Informative)
Then you're gonna love this [antsight.com]. Why brute LM hashes when you can precompute password/hash pairs then look them up from a database? Initial db generation takes a while, but you can customize the keyspace to whatever you want. When you're done, query a hash, get a password. This stuff works extremely well...
A needed tool (Score:3, Interesting)
or the similar tool Niksun [niksun.com]
An open source tool with similar capabilities would be an excellent project
Re:A needed tool (Score:3, Insightful)
Granted Niksun's NetVCR is basically a glorified tcpdump with a pretty interface, but it's also a functional interface. Sure you can preach "use the command line" all you want but you'd be underestimating the value of being able to present simplified data to the rest of the IT department that usually rings your phone, or visits your cubicle, or sends you an email every time some site can't do their work because their circuit is too slow.
Sure, give me an open source tool that I can p
monolithic network management tool (Score:5, Interesting)
So, let's say Billy is reading Slashdot when he's supposed to be doing data entry. You see a red (for example) line leading from Billy's box to the firewall with the line labelled "slashdot.org" and the IP address. Click on Billy's box and "zoom" to focus the GUI to Billy and right click menu to "intercept and decode" to pop-up a konqueror window that follows Billy's URL jumps and shows you what he's reading. The same would be true of mpegs he's watching or mp3s he's downloading.
Other functions would be to show all nodes in the LAN as well as OS versions, all traffic in and out of each node, and any services running per node. Servers running things like ntlogon, apache or SMB would be marked as such. A "bookmarking" type feature could also be implemented as well as a sticky-note feature for notation and easy navigation.
You could call it knetsec, but I actually like a bastardization of that... Knutsac.
Host-based tools ... sudo is my favorite (Score:2)
Number One Missing Security Tool (Score:3, Funny)
It would solve 99.9% of security problems: The MS-Windows-to-Linux-Upgrade-Wizard
ZoneAlarm features (Score:3, Interesting)
Being notified that a program is trying to connect to the network can clue you in that you have been infected by a worm, virus, trojan, or spyware. Sure, Linux has relatively few malicious programs now but in the future it may become a bigger target.
Mebon
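The outbound-connection alerting the post above wants from a ZoneAlarm-style tool, reduced to its decision logic as an added example (not code from the thread or from ZoneAlarm): it takes a snapshot of established connections in a constructed `pid,program,remote_ip,remote_port` format (the real source would be whatever connection table the OS exposes; the format and the programs here are made up), ignores destinations on internal ranges, and raises one alert per distinct (program, destination) that is either from a program not in the policy or to a port that program is not expected to use. The policy table is hypothetical.

```python
import ipaddress

# Ranges treated as internal and not alerted on: RFC 1918, loopback, link-local.
# These are spelled out rather than using ipaddress.is_private, which would also
# classify the documentation ranges used in the sample below as non-global.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical policy: program name -> remote ports it is expected to talk to.
ALLOW = {"firefox": {80, 443}, "ssh": {22}}

# Constructed snapshot of established outbound connections: pid,program,remote_ip,remote_port
SNAPSHOT = """\
1201,firefox,203.0.113.10,443
1201,firefox,203.0.113.10,80
2230,ssh,203.0.113.7,22
4071,updater,10.0.0.9,8080
5519,notepad,198.51.100.23,6667
5519,notepad,198.51.100.23,6667
1201,firefox,203.0.113.50,4444
"""


def parse_snapshot(text):
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, comm, ip, port = line.split(",")
        conns.append((int(pid), comm, ip, int(port)))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def review(conns, allow=ALLOW):
    """One alert per distinct (program, ip, port) that falls outside the policy."""
    alerts, seen = [], set()
    for pid, comm, ip, port in conns:
        if is_internal(ip):
            continue
        key = (comm, ip, port)
        if key in seen:
            continue  # same connection reported twice (e.g. two sockets); alert once
        seen.add(key)
        if comm not in allow:
            reason = "unknown program"
        elif port not in allow[comm]:
            reason = "unexpected port"
        else:
            continue
        alerts.append({"pid": pid, "program": comm, "dst": f"{ip}:{port}", "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in review(parse_snapshot(SNAPSHOT)):
        print(f"ALERT pid={a['pid']} {a['program']} -> {a['dst']} ({a['reason']})")
```

The check is deliberately about the program name rather than the user, because the worm-or-spyware case the post describes runs as the legitimate user; the weak spot of any such scheme is that a program name is trivially spoofable, which is why the host-level versions of this idea key on the executable's path or hash instead.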
Fluke Network Analysis (Score:3, Insightful)
Given enough time, everything could be replicated with FLOSS, but nobody has. Somebody should....
Re:Just so no one else has to say it... (Score:2)
Re:Oh shut up (Score:2, Insightful)
Enforcing proper usage keeps the language from degrading to a form where it can no longer express complex ideas, as common people are incapable of formulating such ideas.
Re:Just so no one else has to say it... (Score:2, Informative)
Re:Sigh (Score:2, Funny)
don't suggested
If you're going to be a grammar nazi, try to avoid stupid typos you dumb fuck.
Re:Sigh (Score:2, Redundant)
A good reason to avoid the construction altogether is to avoid looking like one of the asshats who cites nizkor.org as an authority - or worse, drawing them out of their pedantic cubbyholes.
Re:offtopic but... (Score:3, Interesting)