Section: .. / linux / security /
| /// File Name: |
psad-0.9.2.tar.gz |
Description:
|
Port Scan Attack Detector (psad) is a perl program that is designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap.
| | Homepage: | http://www.cipherdyne.com/psad | | Changes: | Filesystem Hierarchy Standard (FHS) support, Red Hat 7.0/7.1 support, a process management system which is used by the psad init script, and support for ipchains firewalls on the 2.4.x kernels. | | File Size: | 75038 | | Last Modified: | Oct 5 01:49:52 2001 |
| MD5 Checksum: | 7d85d3437d9bcb04bd793b553a65c43f |
|
| /// File Name: |
vma_rw_chk-1.0.tar.gz |
Description:
|
Vma_rw_chk is a small security module for Linux-2.2.19 which prevents most exploits from working by wrapping execve() and checking to see that the caller does not call from a writable memory segment. Since most local (and many remote) exploits call execve() or similar from the stack (and environment, which is also placed on the stack), which is writable, it prevents most standard exploits from working.
| | Author: | Proton | | Homepage: | http://www.energymech.net/users/proton | | File Size: | 2509 | | Last Modified: | Oct 4 02:31:32 2001 |
| MD5 Checksum: | a667768b03f30fbc2d1d31bd97eaecf0 |
|
| /// File Name: |
medusa-0.8.2.tar.gz |
Description:
|
Medusa DS9 is used to increase Linux's security. It consists of two major parts, Linux kernel changes and the user-space daemon. Kernel changes do the monitoring of syscalls, filesystem actions, and processes, and they implement the communication protocol. The security daemon communicates with the kernel using the character device to send and receive packets.
| | Author: | Marek Zelem and Martin Ockajak | | Homepage: | http://medusa.fornax.sk | | Changes: | Fixed a hard link bug in kernel v2.4. | | File Size: | 119805 | | Last Modified: | Sep 18 22:36:32 2001 |
| MD5 Checksum: | dd0ee6c3c66cd860779bbe488b8b9a63 |
|
| /// File Name: |
syscalltrack-0.60.tar.gz |
Description:
|
Syscall Tracker is a powerful tool for Linux 2.2 and 2.4 which allows you to write rules to track system calls. Currently only logging the invocation is supported, but in the future, you will be able to fail the system call (i.e. force it to return some error code), or suspend the process executing it. Allows you find out info that is hard to find, for instance to determine which process touched a certain file.
| | Homepage: | http://syscalltrack.sourceforge.net | | File Size: | 97246 | | Last Modified: | Sep 18 22:33:47 2001 |
| MD5 Checksum: | 8b677826ff04e2ccaf306387f3bcee6c |
|
| /// File Name: |
psad-0.9.1.tar.gz |
Description:
|
Port Scan Attack Detector (psad) is a perl program that is designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap.
| | Homepage: | http://www.cipherdyne.com/psad | | Changes: | A security bugfix was made in config file processing. Deep scans are now detected properly. A man page and a set of benchmarks was added. | | File Size: | 64551 | | Last Modified: | Sep 5 02:12:59 2001 |
| MD5 Checksum: | 3608f0e66ea8244b793d8bbd367087a7 |
|
| /// File Name: |
medusa-0.8.1.tar.gz |
Description:
|
Medusa DS9 is used to increase Linux's security. It consists of two major parts, Linux kernel changes and the user-space daemon. Kernel changes do the monitoring of syscalls, filesystem actions, and processes, and they implement the communication protocol. The security daemon communicates with the kernel using the character device to send and receive packets.
| | Author: | Marek Zelem and Martin Ockajak | | Homepage: | http://medusa.fornax.sk | | Changes: | This version contains Constable and the VS monitor (kernel patch) for Linux 2.2.19 and 2.4.7, along with several bugs found in the alpha which were fixed. | | File Size: | 119746 | | Last Modified: | Aug 10 16:38:08 2001 |
| MD5 Checksum: | 110d536f9f29999d0427ec9637b62270 |
|
| /// File Name: |
psad-0.9.0.tar.gz |
Description:
|
Port Scan Attack Detector (psad) is a perl program that is designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap.
| | Homepage: | http://www.cipherdyne.com/psad | | Changes: | Support has been added for UDP scan detection along with a few UDP scan signatures, a new verbose mode is included in install.pl, improved check_flags() for better TCP flag recognition (nmap NULL scans are supported), and a fix for psadwatchd not parsing ps output correctly. | | File Size: | 57114 | | Last Modified: | Aug 4 08:24:31 2001 |
| MD5 Checksum: | 9ac41fc3e1b1a038c9b5d5a5e351687c |
|
| /// File Name: |
medusa-0.8.1-alpha.tar.gz |
Description:
|
Medusa DS9 is used to increase Linux's security. It consists of two major parts, Linux kernel changes and the user-space daemon. Kernel changes do the monitoring of syscalls, filesystem actions, and processes, and they implement the communication protocol. The security daemon communicates with the kernel using the character device to send and receive packets.
| | Author: | Marek Zelem and Martin Ockajak | | Homepage: | http://medusa.fornax.sk | | Changes: | Improved code that handles privilege elevation during execve(), added several missing permission checks to System V IPC code, fixed some missing dputs() in VFS code, and included alpha support for 2.4.x kernels. | | File Size: | 125604 | | Last Modified: | Aug 4 07:28:11 2001 |
| MD5 Checksum: | cfbcaca932c36688c54ab63434c57ef2 |
|
| /// File Name: |
ippersonality-20010724-2.4.7.tar.gz |
Description:
|
The IP Personality project is a patch to Linux 2.4 kernels that adds netfilter features: it enables the emulation of other OSes at network level, thus fooling remote OS detection tools such as nmap that rely on network fingerprinting. The characteristics that can be changed are TCP Initial Sequence Number (ISN), TCP initial window size, TCP options (their types, values and order in the packet), IP ID numbers, answers to some pathological TCP packets, and answers to some UDP packets.
| | Author: | Gael Roualland and Jean-Marc Saffroy | | Homepage: | http://ippersonality.sourceforge.net | | Changes: | This release adds new manglings to fool latest versions of nmap (2.54BETA), and has lots of code improvement. Ported to kernel v2.4.7. | | File Size: | 150069 | | Last Modified: | Jul 29 05:22:40 2001 |
| MD5 Checksum: | 47004368805cffd9ff53ac4079961c9b |
|
| /// File Name: |
psad-0.8.9.tar.gz |
Description:
|
Port Scan Attack Detector (psad) is a perl program that is designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap.
| | Homepage: | http://www.cipherdyne.com/psad | | Changes: | A seperate monitoring daemon, psadwatchd has been added which watches both psad and kmsgsd, support for multiple email address reporting, and a debugging mode for psad have all been added. Some bugs have been fixed. | | File Size: | 53255 | | Last Modified: | Jul 23 19:43:36 2001 |
| MD5 Checksum: | 8e3f0ec1dd35f1bf3386b8c268eed5f9 |
|
| /// File Name: |
arpwrap.linux.180701.tgz |
Description:
|
Arpwarp is a tool which attempts to detect ARP spoofing attacks before executing a unix command (such as SSH or Telnet). This is the linux version - The solaris version is available here.
| | Author: | Nicolas Monier | | File Size: | 11577 | | Last Modified: | Jul 19 20:00:26 2001 |
| MD5 Checksum: | 3561bd69e316cea6392f2ee4250bf40e |
|
| /// File Name: |
lomac-v1.1.1.tar.gz |
Description:
|
LOMAC is a dynamically-loadable security module for Free UNIX kernels that uses Low Water-Mark Mandatory Access Control (MAC) to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised network server daemons. The LOMAC loadable kernel module can be used to harden Linux systems without any changes to existing kernels, applications, or configuration files. Due to its simplicity, LOMAC itself requires no configuration, regardless of the users and applications present on the system. Whitepapers available here and here.. Manual available here.
| | Homepage: | http://www.pgp.com/research/nailabs/secure-execution/lomac.asp | | Changes: | Capability and protection improvements. Changelog available | | File Size: | 156911 | | Last Modified: | Jul 17 18:05:34 2001 |
| MD5 Checksum: | 803f7faeb797ea4816478c29a335107d |
|
| /// File Name: |
StMichael_LKM-0.05.tar.gz |
Description:
|
StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.
| | Author: | Tim Lawless | | Homepage: | http://www.sourceforge.net/projects/stjude | | Changes: | Added Checks to Detect modules hiding their presence, Added Read-Only /dev/kmem, and Added VFS checking. | | File Size: | 23606 | | Last Modified: | Jul 12 04:16:03 2001 |
| MD5 Checksum: | fda543690273352eaa367dd9d0fbdb92 |
|
| /// File Name: |
StMichael_LKM-0.04.tar.gz |
Description:
|
StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.
| | Author: | Tim Lawless | | Homepage: | http://www.sourceforge.net/projects/stjude | | Changes: | Added the SHA1 checksum to complement the md5's, added timers to periodically revalidate the kernel, added a configuration script, and added some demos which will trigger StMichael. | | File Size: | 18715 | | Last Modified: | Jul 11 05:01:54 2001 |
| MD5 Checksum: | 617e56ab882299f50e8b27bf0fd267f4 |
|
| /// File Name: |
rsx.tar.gz |
Description:
|
RSX is a Linux LKM which stops most buffer overflow attacks. It is a Runtime addressSpace eXtender providing on the fly code remapping of existing Linux binaries in order to implement non-executable stack as well as non-exec short/long heap areas. RSX targets common buffer-overflow problems preventing code execution in mapped data-only areas. Currently a 2.4.x version of the kernel module is available.
| | Author: | Paul Starzetz | | Homepage: | http://www.ihaquer.com/software/rsx | | File Size: | 25284 | | Last Modified: | Jun 6 18:58:13 2001 |
| MD5 Checksum: | ca73f0cf8a75d55e1c127d88b96e0f8c |
|
| /// File Name: |
StMichael_LKM-0.03.tar.gz |
Description:
|
StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.
| | Author: | Tim Lawless | | Homepage: | http://www.sourceforge.net/projects/stjude | | Changes: | Added md5 checksums to the contents of system calls, added cloaking to hide the presence of StMichael, and its symbols. Since StMichael cause the rootkits to not work as expected, we do not want to give away any useful debugging information. | | File Size: | 9494 | | Last Modified: | Jun 5 18:53:13 2001 |
| MD5 Checksum: | 5b4c791c22c5fa58c904835a96f0389e |
|
| /// File Name: |
tcpspy-1.7.tar.gz |
Description:
|
tcpspy is a linux administrator's tool that logs information about incoming and outgoing TCP/IP connections: local address, remote address and, probably the most useful feature, the user name. The current version allows you to include and exclude certain users from logging - this may be useful if you suspect one of the users on your system is up to no good but do not want to violate the privacy of the other users.
| | Author: | Tim J Robbins | | Homepage: | http://box3n.gumbynet.org/~fyre/software | | Changes: | The syslog facility is no longer hardcoded, warnings are issued when running slowly, documentation updates, and a few minor bugfixes. | | File Size: | 14813 | | Last Modified: | Jun 1 19:55:18 2001 |
| MD5 Checksum: | 8bd8f850057990aacf105ae3b5b20127 |
|
| /// File Name: |
lomac-v1.1.0.tar.gz |
Description:
|
LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use. Whitepaper available here. Manual available here.
| | Homepage: | http://www.pgp.com/research/nailabs/secure-execution/lomac.asp | | Changes: | Added mediation of directory modification operations, improving protection. | | File Size: | 114458 | | Last Modified: | May 11 20:00:13 2001 |
| MD5 Checksum: | 84d56b8af44184a4e7a5616c42c4b842 |
|
| /// File Name: |
StMichael_LKM-0.02.tar.gz |
Description:
|
StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.
| | Author: | Tim Lawless | | Homepage: | http://www.sourceforge.net/projects/stjude | | Changes: | Fixed an inverted match which could cause kernel to hang on attempt to unload StMichael. | | File Size: | 3769 | | Last Modified: | May 9 20:35:42 2001 |
| MD5 Checksum: | 531d16989e7b893bef78cffdbf033f81 |
|
| /// File Name: |
psad-0.8.8.tar.gz |
Description:
|
Port Scan Attack Detector (psad) is a perl program that is designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap.
| | Homepage: | http://www.cipherdyne.com/psad | | Changes: | Whois lookups against scanning IPs were added. An uninstall option was added to install.pl. A bug in the 'stop' routine in psad-init was fixed. A bug in the syslog restart system call in install.pl was fixed. | | File Size: | 51593 | | Last Modified: | May 8 20:06:01 2001 |
| MD5 Checksum: | 280a7905ddcba14ed03ae517eb8be7a3 |
|
| /// File Name: |
StMichael_LKM-0.01.tar.gz |
Description:
|
StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.
| | Author: | Tim Lawless | | Homepage: | http://www.sourceforge.net/projects/stjude | | File Size: | 3656 | | Last Modified: | May 8 18:47:08 2001 |
| MD5 Checksum: | caa99d3b4772a1cc15352b72f6680686 |
|
| /// File Name: |
iptrap-0.3.tar.gz |
Description:
|
IPtrap listens to several TCP ports to simulate fake services (X11, Netbios, DNS, etc) . When a remote client connects to one of these ports, his IP address gets immediately firewalled and an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported.
| | Homepage: | http://www.jedi.claranet.fr | | Changes: | Logging the scanned port, and no more iptables/ipchains zombies. | | File Size: | 86155 | | Last Modified: | May 3 17:38:22 2001 |
| MD5 Checksum: | 5581b89f08d851939c9cbdd38f3358eb |
|
| /// File Name: |
psad-0.8.7.tar.gz |
Description:
|
Port Scan Attack Detector (psad) is a perl program that is designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap.
| | Homepage: | http://www.cipherdyne.com/psad | | Changes: | New automatic danger level assigned for known trouble IPs, signature checking and updating done on the fly, and improvements to the install.pl script to parse ipchains rulesets better. | | File Size: | 24631 | | Last Modified: | May 2 23:10:37 2001 |
| MD5 Checksum: | 0c8959af19da07c0bd496241ac1f4e92 |
|
| /// File Name: |
lsm.tar.gz |
Description:
|
LSM (Loadable Security Module) is a simple but effective intrusion prevention loadable kernel module. Currently it protects extended file attributes on ext2 from being modified by the super user and the module from being removed and other modules from being loaded. This basic protection also prevents access to raw devices, so debugfs can not be used on a disk partition nor can a change to the boot process occur. Loading this module prevents lilo configuration.
| | Author: | Paul | | File Size: | 6526 | | Last Modified: | May 2 22:56:38 2001 |
| MD5 Checksum: | 9e72f64953cdc92114114db0cd1b0607 |
|
| /// File Name: |
iptrap-0.2.tar.gz |
Description:
|
IPtrap listens to several TCP ports to simulate fake services (X11, Netbios, DNS, etc) . When a remote client connects to one of these ports, his IP address gets immediately firewalled and an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported.
| | Homepage: | http://www.jedi.claranet.fr | | File Size: | 85904 | | Last Modified: | May 2 22:30:16 2001 |
| MD5 Checksum: | c22367c11e2ee3494b468bb59acd0b0d |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
