[rescue] Rescue list: Security software

rescue at sunhelp.org rescue at sunhelp.org
Fri Aug 8 13:34:39 CDT 2003

On Fri, Aug 08, 2003 at 12:27:58PM -0400, Michael A. Turner wrote:
> 	What I am trying to remember now is the other programs people have 
> mentioned for doing security auditing. The subject has come up at work 
> again and they are looking to hire a company monthly to do the 
> auditing. I want to be able to cut them off at the pass by either A. 
> Doing the job better than them saving us money, or B. Debunking them 
> by calling shenanigans by recognizing the software that they are 
> running. So can anyone throw out any good software packages in this 
> area? Also some good intrusion detection software wouldn't hurt also.


I'm a security person by trade, here's (some of) what I use:

Vulnerability scanners:

Nessus - the best free scanner, and my default scanner by choice. Large
plug-in library, quick updates, client/server architecture, and reasonably
easy to use. We have a custom web front end to a Linux cluster to handle
large scale scans and scheduling, etc. Commercial versions of this sort of
system are also starting to appear. http://www.nessus.org/

LANguard - Excellent, cheap (30 day demoware version available) Windows
centric scanner. For quick snap scans and secondary analysis, I like to have
it in my toolkit. It's also usable for patch management and some other
functions for Windows systems. It does a decent job with Unix/Linux systems,
but isn't as full featured as other tools. http://www.gfi.com/languard/

ISS - expensive, but probably the best commercial scanner. Probably the
de-facto standard in the corporate world if they haven't gone OSS and
Nessus. http://www.iss.net/

The rule with vulnerability scanners is to take their results with a very
large grain of salt. It's a rare scan that doesn't turn up at least one
false positive on any reasonably sized network.

Other useful free tools:

Nmap - port scanner, integrated into Nessus. *very* good
Amap - lets you probe IP ports for protocols, ignoring the port number.
Useful for finding services on non-standard ports. (hacked FTP and IRC bots
for example)
Netcat - quite useful for general network information
TCPDump - sniffer, Windows equivalent is Windump
Ethereal - sniffer, graphical vs. TCPDump's text output. Needs some
horsepower on a larger network.
Fport - used to identify open ports on a system and what opened it - *very*
useful on compromised systems.


Snort with Acid for analysis is our preferred tool. We run it on Linux and
OpenBSD systems for the most part, including a custom OpenBSD firewall/IDS
appliance setup made to run on standard x86 hardware. 

Check out Fyodor's listing of tools from insecure.org:
Fyodor is the author of Nmap, and the tool list is a somewhat regular
compendium of preferred tools from all over. 

I've completely skipped tools like Tripwire and a number of useful MD5 sum
comparison programs, as well as databases of known good files. They exist,
there's a number of them, and it'd take a much longer email to add those and
forensics tools in. :)

Now, to be completely forthright, I've been a security consultant in the
past, and I think I offered good value for the money. However, that means
more than running ISS or Nessus past your systems - a proper risk and
vulnerability assessment goes a lot deeper, means on-site time, and a lot of
work with people, networks, processes, and systems.

Feel free to contact me off list if you have other questions.

David Seidl
dseidl at purdue.edu
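
Added example (not part of the original message, and not Amap's code or signature database): the idea behind Amap noted above, identifying a service from what it says rather than from its port number, applied to response bytes already collected from your own hosts. The signatures, the conventional-port table, and the sample observations are all constructed for illustration.

```python
import re

# Constructed signatures, matched against the first bytes a service returned.
# Order matters: SMTP and FTP both greet with "220", so SMTP is tested first.
SIGNATURES = [
    ("ssh",  re.compile(rb"SSH-\d\.\d+-")),
    ("smtp", re.compile(rb"220[ -].*e?smtp", re.I)),
    ("ftp",  re.compile(rb"220[ -].*ftp", re.I)),
    ("irc",  re.compile(rb"(:\S+ )?(NOTICE|PING|ERROR) ")),
    ("http", re.compile(rb"HTTP/\d\.\d \d{3}")),
]

# Assumed conventional ports per protocol; adjust to your site's policy.
USUAL_PORTS = {"ssh": {22}, "smtp": {25, 587}, "ftp": {21},
               "irc": {6667}, "http": {80, 8080}}

def identify(banner: bytes) -> str:
    """Name the protocol from response bytes alone, ignoring the port."""
    for name, pattern in SIGNATURES:
        if pattern.match(banner):
            return name
    return "unknown"

def review(observations):
    """Return (host, port, protocol) for identified services on unusual ports."""
    findings = []
    for host, port, banner in observations:
        proto = identify(banner)
        if proto != "unknown" and port not in USUAL_PORTS[proto]:
            findings.append((host, port, proto))
    return findings

# Constructed sample data (documentation address range, invented banners).
SAMPLE = [
    ("192.0.2.10", 22, b"SSH-2.0-OpenSSH_3.6.1p2\r\n"),
    ("192.0.2.10", 25, b"220 mail.example.org ESMTP Sendmail\r\n"),
    ("192.0.2.23", 21, b"220 ProFTPD Server ready.\r\n"),
    ("192.0.2.23", 31337, b"220 Serv-U FTP Server ready...\r\n"),
    ("192.0.2.40", 8000, b":irc.example.net NOTICE AUTH :*** Looking up your hostname\r\n"),
    ("192.0.2.40", 80, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for host, port, proto in review(SAMPLE):
        print(f"{host}:{port} speaks {proto} on a non-standard port")
```

A greeting that matches no signature comes back as "unknown" and is not flagged, so this only catches protocols you have written a pattern for.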
