Section: .. / UNIX / IDS /
| /// File Name: |
hostsentry-0.02.tar.gz |
Description:
|
HostSentry v0.02 is a host based intrusion detection tool that performs Login Anomaly Detection (LAD), and is the most recent edition to the Abacus Project suite of security tools. This tool allows administrators to spot strange login behavior and quickly respond to compromised accounts and unusual behavior. HostSentry incorporates a dynamic database and actually "learns" the user login behavior. This behavior is then utilized by modular signatures to detect unusual events. Specifically, HostSentry monitors system login accounting records in real-time (wtmp/utmp). These records are used to build a dynamic database of active users and run a series of signature modules during the login and logout phases. The signature modules are pluggable and easily activated or deactivated by the admin. An example wrapper is included to allow administrators to add new signatures. The current list of signatures includes: moduleLoginLogout - Generic audit trail of all user login and logouts. moduleFirstLogin - Alerts administrators if this user is logging in for the first time. moduleForeignDomain - A login was detected from a domain not listed in the allowed domains file. moduleRhostCheck - A user's .rhosts file contains a wildcard or other dangerous modification. moduleHistoryTruncated - A user's .history file is missing, truncated to zero bytes, or symlinked (i.e. /dev/null). moduleOddDirnames - A user's directory contains suspicious directory names on logout (" ..", "...", etc.). moduleMultipleLogins - A single username has multiple concurrent logins from different domains. moduleOddLoginTime - A user is logging in at an odd hour for their usage pattern (not implemented yet). moduleInvalidUtmp - A corresponding utmp/wtmp entry for this login cannot be found (entry possibly removed) (not implemented yet). moduleHistorySuspicious - The user's history file contains suspicious commands (not implemented yet). moduleNetworkDaemon - The user logged out but left a listening network socket operating (private web server, IRC bot, etc.) (not implemented yet). moduleFileExists - A file was found in the user's directory that is listed in the banned/monitored list of the site (not implemented yet). First release.
| | Author: | Craig H. Rowland | | File Size: | 33983 | | Last Modified: | Aug 16 20:02:40 1999 |
| MD5 Checksum: | 3de0bbb7d456bb53683de56dfdf98362 |
|
| /// File Name: |
logwatch-1.6.1.tar.gz |
Description:
|
logwatch v1.6.1 - Analysis of and report on system logs - LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems. Now analyzes samba logs!
| | Author: | Kirk Bauer | | File Size: | 33968 | | Last Modified: | Aug 16 20:02:37 1999 |
| MD5 Checksum: | 6b08bbbe752310b702d3cd8e97ed8800 |
|
| /// File Name: |
logwatch-1.5.1.tar.gz |
Description:
|
LogWatch is a customizable, pluggable log-monitoring system. Easy to use and highly configurable. Now analyzes samba logs!
| | File Size: | 33556 | | Last Modified: | Aug 16 20:02:18 1999 |
| MD5 Checksum: | 04b491c5f2beb7fd1154eb347df1c972 |
|
| /// File Name: |
logwatch-1.5.0.tar.gz |
Description:
|
LogWatch is a customizable, pluggable log-monitoring system. Easy to use and highly configurable. Now analyzes samba logs!
| | File Size: | 33543 | | Last Modified: | Aug 16 20:02:17 1999 |
| MD5 Checksum: | 22ab55f71b4a44448d28a8868467b310 |
|
| /// File Name: |
FCheck_2.07.54.tar.gz |
Description:
|
FCheck is a very stable perl script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be done very frequently if a system's drive space is small enough, making it more difficult to circumvent. This is a freely-available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use.
| | Author: | Michael A. Gumienny | | Homepage: | http://sites.netscape.net/fcheck/fcheck.html | | Changes: | The output was streamlined to display only details of what has changed. Individual file checking was added, along with checking of UID, GID, and major/minor numbers of special files. The database is now maintained in one file, allowing easier support of distributed systems. | | File Size: | 32492 | | Last Modified: | Nov 15 00:32:29 2000 |
| MD5 Checksum: | bdbe23a165ef4d8b99689d01a264bb2e |
|
| /// File Name: |
monitord-3.5beta.tar.gz |
Description:
|
The Network Security Monitor Daemon is a lightweight network security monitor for TCP/IP LANs which will capture certain network events and record them in a relational database. The recorded data is then made available for analysis via a CGI-based interface.
| | Homepage: | http://sourceforge.net/projects/monitord | | File Size: | 32437 | | Last Modified: | Feb 8 18:26:38 2001 |
| MD5 Checksum: | 20a7943b800f42d9b43dc7611a2d243d |
|
| /// File Name: |
FCheck_2.7.55.tar.gz |
Description:
|
FCheck is a very stable perl script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be done very frequently if a system's drive space is small enough, making it more difficult to circumvent. This is a freely-available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use.
| | Author: | Michael A. Gumienny | | Homepage: | http://sites.netscape.net/fcheck/fcheck.html | | Changes: | Fixed bugs in the "Exclude" routine. | | File Size: | 32398 | | Last Modified: | Dec 11 22:01:49 2000 |
| MD5 Checksum: | 9920799b580d5d729c561a7d69abdcc8 |
|
| /// File Name: |
mod_id_1.0.tar.gz |
Description:
|
Mod_Id is an interesting Apache Module which is an IDS system watching for suspicious URL's.
| | Author: | Burak | | Homepage: | http://www.hacettepe.edu.tr/~burak | | File Size: | 31774 | | Last Modified: | Feb 27 02:19:40 2001 |
| MD5 Checksum: | 695e16ef65ffaf086eaca589a1f92212 |
|
| /// File Name: |
gogmagog-4.tar.gz |
Description:
|
gogmagog 4 - GogMagog is a multiplatform sysadmin tool for monitoring the integrity of networkwide systems. Communication between the Magog server (ideally a PC running Linux) and the Gog hosts relies on FTP only, so it is relatively network architecture independent. Sysadmins monitor their machines at a glance, through a very simple WWW graphical interface (named GogView) on the server. GogMagog works on Linux, AIX, HP-UX and Solaris.
| | Author: | C. Parisel | | Changes: | encrypted profiles, security improvements. | | File Size: | 31625 | | Last Modified: | Aug 16 20:02:47 1999 |
| MD5 Checksum: | 973b264138f4cc0f732242cd96f7d54c |
|
| /// File Name: |
ears-0.7.tar.gz |
Description:
|
EARS (Emergency Audit Response System) v0.7 - EARS is a console tool designed to detect, monitor and respond to annomalies (such as intrusions) in real time. It offers complete control of the process table, filesystem(s) and network interface(s) maintained by the operating system. Autonomous functionality is optional as a separate module.
| | Author: | Tishina Syndicate | | File Size: | 31272 | | Last Modified: | Aug 16 20:02:36 1999 |
| MD5 Checksum: | b930fa48b3ad122aeb0b95a61563e2a7 |
|
| /// File Name: |
spar-1.2.tar.gz |
Description:
|
'spar' is used to select records from a UNIX process accounting file. It is usually faster than most 'lastcomm's and significantly more flexible and powerful.
| | Homepage: | ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/ | | File Size: | 30489 | | Last Modified: | Jan 10 03:00:00 1994 |
| MD5 Checksum: | cb7c0b827c5642c3086d25e14fb5e1f6 |
|
| /// File Name: |
trojan.pl |
Description:
|
Perl script that searches for trojan horses installed on system.
| | File Size: | 30278 | | Last Modified: | Aug 16 20:02:16 1999 |
| MD5 Checksum: | 339cac93ec494932fb1440e199eaec77 |
|
| /// File Name: |
logcheck-1.1.1.tar.gz |
Description:
|
Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail.
| | Author: | Craig Rowland | | Homepage: | http://www.psionic.com/ | | File Size: | 30267 | | Last Modified: | Dec 2 15:22:37 1999 |
| MD5 Checksum: | e97c2f096e219e20310c1b80e9e1bc29 |
|
| /// File Name: |
ctm-1.2.tar.gz |
Description:
|
ctm 1.2 - CTM is an SNMP interface statistics gatherer which works as a daemon and polls SNMP capable routers in regular intervals and puts the gathered information into a database. Information gathered includes operational status of the interface, octets and packets sent and received, line errors, and queue discards, but CTM can easily be changed to log any interface specific SNMP variable. CTM comes with an example report script which gives traffic and line error summaries for certain periods of time.
| | Author: | Lars Fenneberg | | Changes: | Version 1.2 corrects delta counters accordingly when the router is rebooted. | | File Size: | 29374 | | Last Modified: | Aug 16 20:02:47 1999 |
| MD5 Checksum: | 31d9138ff9dc261b78c50092649863e1 |
|
| /// File Name: |
ctm-1.1.tar.gz |
Description:
|
CTM 1.1 is your basic SNMP Traffic Monitor.
| | Author: | CTM web site | | File Size: | 29164 | | Last Modified: | Aug 16 20:02:46 1999 |
| MD5 Checksum: | 8904a579f247d4ee16a172c387e7d2c6 |
|
| /// File Name: |
ctm-1.0.tar.gz |
Description:
|
CTM 1.0 is your basic SNMP Traffic Monitor.
| | Author: | CTM web site | | File Size: | 28903 | | Last Modified: | Aug 16 20:02:46 1999 |
| MD5 Checksum: | 1ca5b5279411facaddef1fd5d002fdfe |
|
| /// File Name: |
mod_protection-0.0.1.tar.gz |
Description:
|
Mod_Protection is an apache module that integrate basic function of an IDS (intrusion detection system) and of a firewall (not yet). Your apache administrator have only to install mod_protection and define rules. When a malicious client sends a request that matches on your rules the administrator will be warned and the client gets a user defined page or a error or something that notifies that now he will be persecuted or ... The warning system just write on a socket, so you can put on the other side of the socket an application that send you a mail, an SMS, a message in your favorite IM or a notify in your IRC client.
| | Author: | Yaroze | | Homepage: | http://www.twlc.net | | File Size: | 26222 | | Last Modified: | Mar 6 12:33:27 2002 |
| MD5 Checksum: | 6fb1604b85b63660b43d0806103a3d84 |
|
| /// File Name: |
FCheck_2.07.51.tar.gz |
Description:
|
FCHECK is a very stable PERL script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be done in as little as one minute intervals if a system's drive space is small enough, making it very difficult to circumvent. This is a freely-available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use.
| | Author: | Mike Gumienny | | Homepage: | http://sites.netscape.net/fcheck/fcheck.html | | Changes: | Fixes for the configuration files trailing space bug (fixed security hole), major bug fixes. | | File Size: | 25612 | | Last Modified: | Apr 11 18:13:21 2000 |
| MD5 Checksum: | 5e475dbaa313aa77d94bc4756ace47c5 |
|
| /// File Name: |
covert-tcp-channels.zip |
Description:
|
Unavailable.
| | File Size: | 25179 | | Last Modified: | Aug 16 20:02:15 1999 |
| MD5 Checksum: | a3af54ba614e8cb5743f3850ef482124 |
|
| /// File Name: |
autostatus-1.1.tar.gz |
Description:
|
autostatus is yet another network monitoring program. Easy to use and configure, fast and efficient. It exploits maximum parallelism during its checking to speed up monitoring.
| | Author: | Dave Andersen | | File Size: | 24943 | | Last Modified: | Aug 16 20:02:32 1999 |
| MD5 Checksum: | 134f76a43a3f0397f856250dd9e8e900 |
|
| /// File Name: |
logcheck-1.1.tar.gz |
Description:
|
Logcheck will automatically monitor your system logs and mail security violations to you on a periodic basis. Freeware clone of the logcheck program shipped with the TIS Gauntlet Firewall system
| | File Size: | 24367 | | Last Modified: | Aug 16 20:02:15 1999 |
| MD5 Checksum: | c53a0753db4763b533511150c9584fa9 |
|
| /// File Name: |
swatch-3.0.2.tar.gz |
Description:
|
Swatch, the Simple Watch Daemon is a program for UNIX system logging, originally written to actively monitor messages as they are written to a log file via the UNIX syslog utility. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur.
| | Author: | Todd Atkins | | Homepage: | http://oit.ucsb.edu/~eta/swatch | | Changes: | Defaults to /var/adm/messages now. Lots of bugs were fixed. | | File Size: | 24250 | | Last Modified: | Sep 6 01:46:02 2001 |
| MD5 Checksum: | 609a50a2c089417f76a6d13635407463 |
|
| /// File Name: |
swatch-3.0.4.tar.gz |
Description:
|
Swatch, the Simple Watch Daemon is a program for UNIX system logging, originally written to actively monitor messages as they are written to a log file via the UNIX syslog utility. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur.
| | Author: | Todd Atkins | | Homepage: | http://www.stanford.edu/~atkins/swatch/ | | Changes: | Fixed a big bug involving key value assignment when throttling. | | File Size: | 24157 | | Last Modified: | Nov 14 03:00:20 2001 |
| MD5 Checksum: | ce290dd2cae6ce834f59e24d97a30d3b |
|
| /// File Name: |
FCheck_2.07.45.tar.gz |
Description:
|
FCHECK is a very stable PERL script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be done in as little as one minute intervals if a system's drive space is small enough, making it very difficult to circumvent. This is a freely-available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use.
| | Author: | Mike Gumienny | | Homepage: | http://sites.netscape.net/fcheck/fcheck.html | | File Size: | 23899 | | Last Modified: | Oct 20 14:50:02 1999 |
| MD5 Checksum: | 88d587fa9a0254f370db3c4d569dc4bb |
|
| /// File Name: |
LaBrea.tgz |
Description:
|
LaBrea v2.0 is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time.
| | Author: | Tom Liston | | Homepage: | http://www.hackbusters.net/LaBrea | | Changes: | New command line option -p to keep tcp connections in the "persist" state, which can hold on to threads for a long time. | | File Size: | 23860 | | Last Modified: | Sep 18 23:23:53 2001 |
| MD5 Checksum: | 7365fb2beff6fa486908a1419e0de0ae |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
