Security Tools

Autobuse
A Perl daemon which identifies probes and the likes in the log files and automatically reports them via email.

Download:
http://www.picante.com/~gtaylor/autobuse/

Clog
Another network monitor.

Download:
ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/clog

Courtney versions 1.2 and 1.3
Courtney is a program that monitors the network and identifies the source machines of SATAN probes/attacks. Courtney requires that Perl v.5, libpcap, and tcpdump be installed.

Download:
ftp://ciac.llnl.gov/pub/ciac/sectools/unix/courtney

fakebo.tgz
FakeBO 0.3.3 fakes trojan server responses (BO, Netbus, etc) and logs every attempt to a log file or stdout. It is able to send fake pings and replies back to the client trying to access your system.

Download:
http://yi.com/home/KosturjakVlatko/fakebo.htm

Gabriel
Gabriel gives the system administrator an early warning of possible network intrusions by detecting and identifying network probing.

Download:
ftp://www.lat.com

IP Filter version 3.2.10
IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. It operates as a module within the UNIX kernel.

Download:
ftp://coombs.anu.edu.au/pub/net/ip-filter

Logcheck
Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP wrapper and Log Daemon packages, and the Firewall Toolkit� by Trusted Information Systems Inc.(TIS) Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail

Download:
http://www.psionic.com/abacus/abacus_logcheck.html

logdaemon versions 5.0, 5.1, 5.2, 5.3, 5.5 and 5.6
This archive contains; Rlogin and rsh daemons that log the remote user name as well as the remote host name, with tcp_wrapper access control Login replacement supporting S/Key one-time passwords, SecureNet keycard one-time passwords, per-user/host/terminal access control, and with fascist login failure logging, Ftp daemon that supports S/Key one-time passwords, SecureNet keycard one-time passwords, fascist login failure logging, and logging of anonymous FTP xfers Rexec daemon that supports S/Key one-time passwords, fascist login failure logging, and that blocks access to the root account.

Download:
ftp://ftp.porcupine.org/pub/security/ as logdaemon_*.tar.gz

Loginlog
A small program that watches the wtmp file and reports all logins to the syslogd.

Download:
ftp://ftp.win.tue.nl/pub/security/

logsurfer version 1.41
The logsurfer program is a tool to monitor arbitrary logfiles (for example syslog-messages), automatically anaylse them and invoke actions.

Download:
ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer

NfsWatch
NFSWatch lets you monitor NFS requests to any given machine, or the entire local network. It mostly monitors NFS client (NFS requests); it also monitors the NFS reply traffic from a server in order to measure the response time for each RPC.

Download:
ftp://coast.cs.purdue.edu/pub/tools/unix/nfswatch

Network Intrusion Detector version 2.0.3
Network Intrusion Detector (NID) is a suite of software tools that helpsi detect, analyze, and gather evidence of intrusive behavior occurring on an Ethernet or Fiber Distributed Data Interface (FDDI) network using the Internet Protocol (IP). NID operates passively on a stand-alone host (rather than residing on the hosts it is monitoring), and is responsible for collecting data and/or statistics about network traffic.

Download:
ftp://ciac.llnl.gov/pub/nid

NOCOL version 4.01
NOCOL/NetConsole (Network Operation Center On-Line) is a network monitoring package that runs on Unix platforms and capable of monitoring network and system variables such as ICMP or RPC reachability, RMON variables, nameservers, ethernet load, port reachability, host performance, SNMP traps, modem line usage, appletalk & novell routes/services, BGP peers, etc. The software is extensible and new monitors can be added easily.

Download:
ftp://ftp.navya.com/pub/vikas/

NoShell
This program is designed to provide the system administrator with additional information about who is logging into disabled accounts. Traditionally, accounts have been disabled by changing the shell field of the password entry to "/bin/sync" or some other benign program. Noshell provides an informative alternative to this method by specifying the noshell program as the login shell in the password entry for any account which has been disabled.

Download:
ftp://coast.cs.purdue.edu/pub/tools/unix/noshell

ntlast15.exe
A Win32 command line security audit tool.

Download:
http://www.ntobjectives.com/

SABERNET NTsyslog
This program runs as a service under Windows NT 4.0. It formats all System, Security, and Application events into a single line and sends them to a syslog(3) host (centralised logs).

Download:
http://www.sabernet.net/software/ntsyslog.html

Psionic PortSentry
PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. Most known port-scan methods are detected, including SYN/half-open, DIN, NULL, X-MAS, and oddball packet scans.

Download:
http://www.psionic.com/abacus/portsentry/

scan-detector
Scan-detector is a simple detector for automated scans of TCP/UDP ports on a host (written in Perl v5).

Download:
http://www.ja.net/CERT/Software/scan-detector/

scanlogd-v1.3.c.gz
A very effective port scan detector.

Download:
ftp://ftp.false.com/security/scanlogd/

Sentry version 0.61
Sentry will detect any connection made to a TCP or UDP port on your host that you tell it to listen to. A configuration file can be made to have it listen to dozens of ports at once to detect anything from a full-fledged sequential port sweep to a random port probing. Because it covers the UDP spectrum as well it will alert you to people probing for RPC services surreptitiously as well as TFTP, SNMP, etc.

Download:
http://www.psionic.com/abacus/abacus_sentry.html

SWATCH version 2.2
SWATCH (The Simple WATCHer and filter) monitors log files such as syslog which allows an administrator to take specific actions, such as sending an email warning, in response to logged events.

Download:
http://www.ja.net/CERT/Software/SWATCH/

TCP wrapper latest version 7.6
TCP Wrapper provides monitoring of incoming connections to various network services (started by the inetd program or similar). It also provides access control to limit the address of machines that can connect to the system, remote username lookup (using RFC 931 protocol), and protection against machines that pretend to have someone else's host name.

Download:
ftp://ftp.porcupine.org/pub/security/ as tcp_wrappers_*.tar.gz

TIS Firewall Toolkit version 1.3
The TIS Firewall Toolkit, a software kit for building and maintaining internetwork Firewalls. It is distributed in source code form, with all modules written in the C programming language and runs on many BSD UNIX derived platforms.

Download:
ftp://ftp.tis.com/pub/firewalls/toolkit

ttywatcher
TTY-Watcher is a utility to monitor and control users on a single system. It is based on our IP-Watcher utility, which can be used to monitor and control users on an entire network (For more information about this utility, see http://nad.infostructure.com/watcher.html). TTY-Watcher is similar to advise or tap, but with many more advanced features and a user friendly (either X-Windows or text) interface.

Download:
http://nad.infostructure.com/watcher.html

WDEvt201.zip
WDumpEvt is an administration tool that makes it easy to manage all the information from Windows NT logs.

Download:
http://www.wdumpevt.com/

Disclaimers and copyright information
Last Update March 11, 2001