Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system.
78fa7d515c0fec04c226609c590bba0b6806da8612b1609d77d70ddb0db9adf3
Samhain is a tool for monitoring the integrity of files on a single machine as well as on a network. It is easy to configure and maintains a single database (per host) for storing the signatures of files. Samhain is designed to be run as a background process, checking files periodically against the database. Reports can be written to a signed, tamper-resistant log file, and/or sent offsite by e-mail. To monitor several machines and collect their data on a central log server, samhain may be used as a client/server application. For the paranoid, a 'stealth' option is available.
7e6a44873d79298b027d90259ecc248e8b444f798ef7d93fc219650ce7306cc7
logsurfer is a log checking/auditing tool similar to swatch and logcheck but with the capability of handling multi-line messages and dynamically adapting the ruleset. It is written in portable C, well documented, fast, and flexible. It works on any text file or stdin, can be run at intervals or continuously, and has timeouts and resource limits.
21fea4e03efe6f7b0246e5cbaf9b643e3c5d2c9a8e3c0eab39498b35004142a8
TTYSnoop allows you to snoop on login ttys through another tty device or pseudo-tty. The snoop tty becomes a 'clone' of the original tty, with both input and output redirected from/to it.
645f9c174f2d1785a2f333a585175212ba3e8911c69e62d555fc2ab92dd815d8
Network Promiscuous Ethernet Detector, rewritten with Libnet/libpcap so it works on FreeBSD, OpenBSD, and Linux, possibly more. neped scans your subnet and detects promiscuous boxes that might be running sniffers or similar applications, using crafted non-broadcast ARP packets that only interfaces in promiscuous mode will pick up.
13ae8d3a11fae60402ab6957375f70e36f63594d0a78cf2adabdb15ea22ae9fb
Analyze your syslogs for security or system problems by creating a list of normal behaviour to ignore; everything else is something you should be aware of. Requires Perl 5.
a4626676b5ffe216cedb28247dbad441c03e97009db3d8215c2b82542511f0da
toscin is a basic IDS that uses packet filtering to warn of possible attacks against specified services. It watches the local network for SYN connections to certain services and sends a notification. Runs on Solaris 2.x, possibly others.
06069c45e5ec8ef33117592147cdfc24c37a3cc99b890a120d02decafdc6d6fc
This Linux tool is more an early warning system than an IDS. It scans system logs for signs of intrusion in real time, produces colored output on the tty, and sends alerts and regular reports. An excellent database of suspicious logfile strings is included.
991fee1240493841d942a05ffab5ef5d95051155144bbcb9dbabe4e3ff1352a8
Whowatch is an ncurses who-like utility that displays information about the users currently logged on to the machine, in real time. Besides the standard information (login name, tty, host, user's process), the type of connection (i.e. telnet or ssh) is shown. You can toggle the display between users' commands and idle time. You can also view the process tree and send INT and KILL signals.
c0305ae9774f9652325025084821d5835882589cf2b3ebf3c0143089435bfc71
Kernel module which logs specific system calls to a logfile. Tracks mkdir, rmdir, link, and open.
739466ea19f402e721ecc39d1bd57cc11892e68417801d26674508300c43c177
Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail.
dfe4cb29305c619dc0a0aca5b11b2bd397baccf3076b48f03457f66f299ab42e
logsurfer is a log checking/auditing tool similar to swatch and logcheck but with the capability of handling multi-line messages and dynamically adapting the ruleset. It is written in portable C, well documented, fast, and flexible. It works on any text file or stdin, can be run at intervals or continuously, and has timeouts and resource limits.
544d9a0a79ddca06aa9c17d04f98e8f51ea727e3420c9328c79cdd428d89689e
PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. It runs on TCP and UDP sockets and works on most UNIX systems. Advanced stealth detection modes are available under Linux only and detect SYN, FIN, NULL, XMAS, and Oddball packet scans. All modes support real-time blocking and reporting of violations.
dcd261b2ed7cb1fc2b602b0b94fa7d47cfbbfaf03a0fb3d92ce243e2f647588d
IDS Alert Script (ver 1.3) for Checkpoint Firewall-1 (Unix only). Build intrusion detection into your firewall. Features include: automated alerting, logging, and archiving; automated blocking of the attacking source; automated identification of and e-mail to the remote site; and an installation and test script. Ver 1.3 is optimized for performance, with over a 50% speed increase. Documentation here.
10f4b8a670367efd29cc6f1e2b1080b57abab5342acc80ce9ffe06156a3179e0
Samhain is a tool for verifying the integrity of files. It uses the TIGER message digest algorithm to generate a database for files and directories listed in the configuration file. After initializing the database, samhain can run as a background process, performing checks at user-defined intervals. Results can be written to a log file and/or forwarded to another host by e-mail. Log file entries are signed to prevent tampering. The current version is tested on Linux only.
1505f8f9c2445ed1a8767f0ce6bdd68622d0740af23fed22db953ce348336066
Eyes on Exec 2.32 is a set of tools which you can use to build your own host-based IDS. It watches for programs getting exec'd and logs information about them to a file. Combined with Perl this can be extremely powerful. Requires Linux kernel 2.2.
721aa1dc02e15a1fb8384fa30f37cc22af65e7cc1755e2bc04a94eaffd14de73
Logwatch provides a client/server architecture for viewing logfiles on multiple machines on a network. With a single daemon process running on each participating computer, logfiles can be tailed from any authorized machine. Multiple logfiles on multiple machines can be followed with a single client process by specifying the machines and files to follow.
39583b7bcfa05e6bac8964d2e2ed38b98707b722312bb43babd2ca27f6bad959
firesoft is a collection of Perl scripts for viewing snort-generated logs and ipchains logs. The package includes a tool that builds bar charts from ipchains logs, so you can quickly see who has been scanning you the most.
4fb6ac3726d2ee46e1eed632e9031387e99c60694386b203fba668c5142b6c47
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall).
f48d24516c0e62148cbb782e1cb62c1b16b0c0a4f5d49100f27fe7568d015b5a
suidshow.c is a Linux LKM that will log any non-root user doing a setuid(0) or a setreuid(0,0) system call. CyberPsychotic
5089cc902d75283bd99aa843ad384439e5b1b862509c70dfa40b9ccae967e300
Logcolorise is a Perl script to make your syslog-generated log files much more legible by colourising them (context highlighting based on keywords).
c63321d7d299bfb4acc2b06a4c5e8179a58c46288c934847e20ecb25751c7ee1
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall).
0011bf9bb3235b1f12a7a203cf243e8db9ffb91b311a8147d9873a667d78fb33
Libnids is a library that implements one of the components of a NIDS (Network Intrusion Detection System), namely the E-component. That means the libnids code watches all local network traffic, preprocesses the received datagrams a bit (quite a bit ;)), and provides convenient information about them to the analyzing modules of the NIDS. So, if you intend to develop a custom NIDS, you don't have to build the low-level network code. If you decide to use libnids, you have the E-component ready, and you can focus on implementing the other parts of the NIDS.
37aab0e12817880ae502de7bec0810e0df2e1c6ee7cd328e933f0bca7751c656
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall).
44c568b15d10d6153f5b49137e01ff1d3ba63549b16e672d0a3990bf420a5186
Rpc_Gotcha is a network-based intrusion detection tool for detecting RPC-based scans and attacks (buffer overflows). The program sits passively on the network perimeter and processes packets, analyzing the RPC message data payload for signs of a possible attack. Rpc_Gotcha will log all RPC calls made to the network and display the payload data of possible attacks. Changes: this version has some major bug fixes, including memory leaks and signature issues. It will also read tcpdump capture files in batch mode.
47e916295ba31b13f5d2c3e1ee1298ccbaa67084f08de4d1c4ed07f5a57002d2