Seclog (security logger) is a log auditing tool written in Perl. It will watch /var/log/messages for suspicious information, and notify you via email.
6ff068dc2ca20eeab510ba95aa37deebc0a7a6e10fec81337af9483f9213d07esamhain is a distributed host integrity monitoring system. It consists of monitoring agents running on individual hosts, and a central log server collecting reports from these agents via authenticated TCP/IP connections. On single hosts, it is possible to run a standalone monitoring agent. Currently, agents may monitor the integrity of files and directories, and watch for login/logout events. In addition to forwarding reports to the log server, other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, Unixware 7.1.0, and Solaris 2.6.
c4bec6eae7b835c7924032b004d61e27b74c80010826672f9a8458c4206485d7StJude is an attempt to monitor the flow of privilege in my Solaris boxes. It tries to detect privilege violations or improper transitions (ie stack smashing, or other local root exploits) by watching audit trails.
dc6a5beb02c0c8dca44693e6f1c02adb9803e196194e4af0c5cf6345de7cddaeslipwire.pl is a filesystem integrity checker. It compares the SHA-1 hashes of files to an initial state and alerts the user of any changes. slipwire also records extensive file information such as inode number, last-modified date, filesize, uid, gid, etc, and can also report changes in any of these.
f5f0f6425b0170f2559bfbf787e7c68ef407709a2317154c9d078f67b06f59e6Whowatch is an interactive utility that displays information about the users currently on the machine in real time. Besides standard information (login name, tty, host, user's process) you can see the connection type (ie. telnet or ssh). You can also watch the process tree, navigate it, and send INT and KILL signals. Ncurses ascii graphics.
5250b61c95f715683cfa8b22cf987f0542a924c43c7c721bcc9186a9dd1a294fslipwire.pl is a filesystem integrity checker. It compares the SHA-1 hashes of files to an initial state and alerts the user of any changes. slipwire also records extensive file information such as inode number, last-modified date, filesize, uid, gid, etc, and can also report changes in any of these.
ec9858bdaf36e5e60ef17b7ed94935257559bad4767aa8e9115fdc554b149fceGrazer1's Bait System opens a specific port and logs connections to it. Simple and ghetto way to log Netbus requests.
4d1c34d8c7e1d3019ddb12e8da599860277edd1654a3828364909bb64b8eec09ViperDB was created as a smaller and faster option to Tripwire. ViperDB does not use a fancy all-in-one database to keep records. Instead it uses a plaintext db which is stored in each "watched" directory. By using this there is no real one attack point for an attacker to focus his attention on. This coupled with the running of ViperDB every 5 minutes (via cron root job) decreases that likelihood that an attacker will be able to modify your "watched" filesystem while ViperDB is monitoring your system.
488a3842de04fb92480a0e20d15a8bdd4795feaa15e66dc9d2a2d1c80a92712bslipwire.pl v1.1 is the first iteration of a filesystem integrity checker. It compares the MD5 hashes of files to an initial state and alerts the user of any changes.
dc845bdc2c286c64e4e25ef76ed2d31d286b284b13dafc146ad73c3ba66ee6e6slipwire.pl is a simple filesystem integrity checker. It compares the SHA-1 hashes of files to an initial state and alerts the user of any changes.
daaae031940c7c22dd5e6516ffd418ec4e9210a88aa495f534346ff76d915c43If you have an md5 checksumming utility on your system, you can use these scripts for a "poor man's tripwire". These do several quick checks for archiving and security purposes.
5105f0110153435688b633709392243a2b67d2f33b49e68780fa2df4ee6e043eLsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. It is the single most powerful utility for inspecting running processes and determining which process is listening to which ports.
d60225fa124cdd5e89f69db74cb7a17ebebd9b8d0ebcca6988944be43f78512cRkdet is a small daemon intended to catch someone installing a rootkit or running a packet sniffer.
e8008ba28d4ac255b65b7ab99b581481df201d52e1578be0620312907e2fe7a3Watchfile will display a list of specified files on the screen, and continually update their stats. The stats displayed (i.e. file size, modified time, owner, etc.) can be configured on the command-line along with the update frequency.
a8ea9b641881807d8cdb00fbf65fb3f4b9658dd6106ec58aab8f0feea7de233cAIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on server. It uses regular expressions for determening which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.
77e4b8084e2fccdce1f43a5b385cf99c249900d85677dc057eadaca54b1d0cafsherpa is a tool for configuring and then checking system security via the console. Written in perl, it allows an admin to maintain a custom database of file and directory permissions and ownership attributes as local needs dictate. Any changes from the prescribed layout will be detected each time sherpa is run. Also, sherpa does some basic system checks (world-writable files, .rhosts and hosts.equiv files, etc.) that help the busy admin keep on top of a system.
e515798bcd47e9b8b914d18cfb02dc464c8dcb97b3c6caff53e10bd472187c68Libnids is a library that provides a functionality of one of NIDS (Network Intrusion Detection System) components, namely E-component. It means that libnids code watches all local network traffic, cooks received datagrams a bit (quite a bit ;)), and provides convinient information on them to analyzing modules of NIDS. So, if you intend to develop a custom NIDS, you don't have to build low-level network code. If you decide to use libnids, you have got E-component ready - you can focus on implementing other parts of NIDS.
40a23d3e2bde94319ee12c160a56e1a67b8e69592cc10b92a4660d697a9a0749Swatch ("Simple WATCHdog") is a program for UNIX system logging, originally written to actively monitor messages as they are written to a log file via the UNIX syslog utility. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur.
c4ff2006f2a9142b2de844df66a0a81cd02b462916db92ee088ec284570352c9Tripwall is a Tripwire clone developed for use with the Linux Router Project.
8374e6dcde17b2a0fbbfb92e565552fe840c028047f48853f965ccf757f89d4eSentinel is a fast file/drive scanning utility similar to the Tripwire and Viper.pl utilities available. It uses a database similar to Tripwire, but uses a RIPEMD-160bit MAC checksumming algorithm (no patents) which is more secure than the patented MD5 128 bit checksum. It should run on most unixes (tested on redhat linux v6.0 & v5.2, slackware linux v3.x & 4.xb and IRIX (v5.2 and v6.x). Several other utilities which are used for Sentinel development are also posted here. Most utilities are included with the sentinel tarball. gSentinel is a graphical front-end to sentinel. Newbies should download gSentinel as it comes with a very simple rpm based installation and offers a friendly interface. Beware that gSentinel is currently under development and may be fairly crude compared to most GUI packages.
9f6315a4b007336f2bc225ce16208ad6f75590dbbc6f0a043a40652e4ee1b013Triplight 0.01 - Triplight is an intrusion detection, and integrity monitor system. It is a simpler version of tripwire, developed in perl. This release is rather unpolished (you need to hack up a crontab file, and to set a file path in the perl source), but fully functional. To accomplish it's design goals, it reads in a list of files stored in flat ASCII, and uses md5sum to check their integrity against that recorded earlier in a database. If the database is placed on a read-only medium such as a write-protected floppy, then it should provide an infallible record against remotely installed trojan horses. Thus by monitoring the integrity of the system, triplight will serve as an aid in intrusion detection.
baa51be89fc7c72738e393cfffa962c00a3b094149ca05f7e7fc58cf820b6ea7Watchfile will display a list of specified files on the screen, and continually update their stats. The stats displayed (i.e. file size, modified time, owner, etc.) can be configured on the command-line along with the update frequency.
ba0fd45f64df9c7832434769f98fae5f6cc552866915de5efc17504ab8d8b22cChecksums takes a file of predetermined MD5 checksums and compares with the current sum. It can be installed as a command line tool, or as a CGI which will allow you to upload the sums file remotely. In either case it is a useful tool to detect changes in your system files, such as a trojan.
96a42c4516d93a85f9e64561995083aa0404bd3dd489339bcc99aca203398fbeFileTraq is a shell script designed to be run periodically from the root crontab. Each time, it compares a list of system files with the copies that it keeps. Any changes are reported in diff or patchfile style, and dated backup copies are kept. It lets you keep an eye on intruders who might change system files, or other sysadmins who don't tell you about changes. It even helps you keep track of your own changes, along with dated backups.
f2a386b43c40c22d8549ec75a5d54013afc7341827cc5f1f0b0db2eb6989ed99AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on server. It uses regular expressions for determening which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.
af2ff14b1282eb4eec684527efc80a5eed6d6aa593bc1deaf750c53c7e858ecf
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed