Honeypots mailing list archives

Re: Windows Open source/Freeware security tools


From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Wed, 23 Jul 2003 13:56:32 -0400

At 11:03 PM 21/07/2003, Will Schmied wrote:

All,

Trying to collect some ideas here...

What do you all consider to be the best open source/freeware tools for
Windows in the following areas?

Well, my opinion of the following software as being "the best" is somewhat biased, since I wrote them, and they are not as well known as nmap or snort since they haven't been around for so long, but here is my shot. Please bear in mind that these are the current versions, but I am actually redesigning the internal architecture of how they work together, which will improve the model. They are available both in Open Source and commercial versions at my website http://securit.iquebec.com.

Now, that being said...

Honeypots
Not a honeypot per se, but more of a honeypot tool, ComLog is a command prompt logger which (at last) enables you to keep track of commands issued to cmd.exe, either directly or by abusing a vulnerable service or through a netcat or cryptcat session.

Log collection/archiving
My first security program, LogAgent, now in version 4.0, is a logfile monitoring and centralising software that works for just about any ASCII log file (except for IIS logs) and the events from the Event Viewer (which in turn get converted to ASCII). The registered version (very affordable) lets you run LogAgent as a service. The next version will include the ability to analyze these logs before taking action.

File monitoring (like tripwire)
I recently released two tools in this regard (more to come soon) that can fit in this category: AdsScan (not to be confused with ScanAds from Tiago Halm), which scans for Alternate Data Streams, and the combo Hashgen/Integcheck (they will be combined into a single file in the next release), which is an MD5-SHA1 file system integrity checker (i.e. like Tripwire).

IDS
Finally, I released a couple of months ago LogIDS 1.0, which is an intrusion detection console based on real-time analysis of log files gathered from various applications from across the network. You can see it as the "top layer" for all the other tools, but also for any other kind of security tool whose logs can be fed to LogIDS. What comes to mind, but not limited to: antivirus software, personal firewalls, NIDS (i.e. Snort), main firewall logs (in this regard, Torsten Fellhauer recently released a Windows binary of FW1-Loggrabber 1.8, which lets you fetch your CheckPoint FW-1 logs), etc...

During version 4.0, LogAgent Pro also included some intrusion detection features that combined pretty well with LogIDS 1.0, but as I mentioned, the internal architecture is a bit clumsy. I am in the process of rewriting these tools (and adding a couple more), which will improve both the model of log-analysis IDS and the performance of the console. First of all, LogAgent will recover its initial mission of log monitoring/centralising, but with analysis capabilities built in. The intrusion detection modules have been taken out as individual modules, which can then be launched using the LogAgent service stub. Also, these modules will be built in order to send less unnecessary data to the console, which will help improve the performance (some of the analysis that was performed by LogIDS will be done by the modules themselves). Still, despite these small shortcomings, you could be interested in looking at these tools right now, while waiting for the next releases that will come out sometime this fall, since they are quite unique in what they do, and they try to solve some particularly difficult problems of the security game.

I hope you will find these tools worthy of making your list.

Adam Richard, aka Floydman
SecurIT Informatique Inc.
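The post mentions Hashgen/Integcheck as an MD5-SHA1 file system integrity checker in the Tripwire mould. The following is an added illustration of the baseline-then-verify model such tools implement; it is not the Hashgen/Integcheck code, and every function name, the JSON baseline format and the sample file tree in demo() are this example's own assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical illustration of a Tripwire-style integrity check. Not the
# Hashgen/Integcheck code from the post; names and formats are assumptions.


def hash_file(path, chunk_size=65536):
    """Return (md5, sha1) hex digests of one file, computed in a single read pass."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def build_baseline(root):
    """Walk root and record both digests and size for every regular file.

    Keys are POSIX-style paths relative to root so the baseline is portable;
    symlinks are skipped so a link cannot later be re-pointed at a benign file.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            md5, sha1 = hash_file(p)
            baseline[p.relative_to(root).as_posix()] = {
                "md5": md5, "sha1": sha1, "size": p.stat().st_size,
            }
    return baseline


def save_baseline(baseline, out_path):
    """Persist the baseline as JSON; keep that copy where the monitored host cannot rewrite it."""
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_integrity(root, baseline):
    """Compare the live tree with a baseline; report modified, added and removed paths.

    A file is flagged if either digest differs, so a change would have to
    collide under both MD5 and SHA-1 at once to go unnoticed.
    """
    current = build_baseline(root)
    modified = sorted(
        rel for rel in baseline
        if rel in current
        and (current[rel]["md5"] != baseline[rel]["md5"]
             or current[rel]["sha1"] != baseline[rel]["sha1"])
    )
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a throwaway tree, alter it, return the report."""
    root = Path(tempfile.mkdtemp(prefix="integ-demo-"))
    fd, baseline_file = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"original binary contents")
        (root / "config.ini").write_text("debug=0\n")
        (root / "readme.txt").write_text("unchanged\n")
        save_baseline(build_baseline(root), baseline_file)

        # Constructed changes made after the baseline was taken.
        (root / "bin" / "service.exe").write_bytes(b"replaced binary contents")
        (root / "config.ini").unlink()
        (root / "unexpected.dll").write_bytes(b"\x00" * 16)

        return check_integrity(root, load_baseline(baseline_file))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        os.unlink(baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints a report listing bin/service.exe as modified, config.ini as removed and unexpected.dll as added. Both digests are computed in one pass over each file so the check costs a single read per file, and the baseline is deliberately written to a separate path: an integrity checker is only as trustworthy as the copy of the baseline it compares against.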
