[rescue] Rescue list: Security software
rescue at sunhelp.org
Fri Aug 8 13:34:39 CDT 2003
On Fri, Aug 08, 2003 at 12:27:58PM -0400, Michael A. Turner wrote:
> What I am trying to remember now is the other programs people have
> mentioned for doing security auditing. The subject has come up at work
> again and they are looking to hire a company monthly to do the
> auditing. I want to be able to cut them off at the pass by either A.
> Doing the job better than them saving us money, or B. Debunking them
> by calling shenanigans by recognizing the software that they are
> running. So can anyone throw out any good software packages in this
> area? Also some good intrusion detection software wouldn't hurt also.
I'm a security person by trade, here's (some of) what I use:

Nessus - the best free scanner, and my default scanner by choice. Large
plug-in library, quick updates, client/server architecture, and reasonably
easy to use. We have a custom web front end to a Linux cluster to handle
large scale scans and scheduling, etc. Commercial versions of this sort of
system are also starting to appear. http://www.nessus.org/

LANguard - Excellent, cheap (30 day demoware version available) Windows
centric scanner. For quick snap scans and secondary analysis, I like to have
it in my toolkit. It's also usable for patch management and some other
functions for Windows systems. It does a decent job with Unix/Linux systems,
but isn't as full featured as other tools. http://www.gfi.com/languard/

ISS - expensive, but probably the best commercial scanner. Probably the
de-facto standard in the corporate world if they haven't gone OSS and

The rule with vulnerability scanners is to take their results with a very
large grain of salt. It's a rare scan that doesn't turn up at least one
false positive on any reasonably sized network.

Other useful free tools:

Nmap - port scanner, integrated into Nessus. *very* good

Amap - lets you probe IP ports for protocols, ignoring the port number.
Useful for finding services on non-standard ports. (hacked FTP and IRC bots

Netcat - quite useful for general network information

TCPDump - sniffer, Windows equivalent is Windump

Ethereal - sniffer, graphical vs. TCPDump's text output. Needs some
horsepower on a larger network.

Fport - used to identify open ports on a system and what opened it - *very*
useful on compromised systems.

Snort with Acid for analysis is our preferred tool. We run it on Linux and
OpenBSD systems for the most part, including a custom OpenBSD firewall/IDS
appliance setup made to run on standard x86 hardware.

Check out Fyodor's listing of tools from insecure.org:

Fyodor is the author of Nmap, and the tool list is a somewhat regular
compendium of preferred tools from all over.

I've completely skipped tools like Tripwire and a number of useful MD5 sum
comparison programs, as well as databases of known good files. They exist,
there's a number of them, and it'd take a much longer email to add those and
forensics tools in. :)

Now, to be completely forthright, I've been a security consultant in the
past, and I think I offered good value for the money. However, that means
more than running ISS or Nessus past your systems - a proper risk and
vulnerability assessment goes a lot deeper, means on-site time, and a lot of
work with people, networks, processes, and systems.

Feel free to contact me off list if you have other questions.

dseidl at purdue.edu