Three new tools related to IDS, forensics, honeypots
From: SecurIT Informatique Inc. <securit(at)iquebec.com>
Date: Mon May 26 2003 - 16:47:48 EDT
Hello lists. I'd like to announce the release of my latest tools in the security game, and I think that the community will find them very interesting indeed. For article length considerations, here is a short résumé of these tools. The binaries and full documentation can be downloaded at http://securit.iquebec.com. All these tools are available in Open Source and Pro versions. Check the website for pricing.

ComLog 1.05 : This tool is a command prompt (cmd.exe) logger, useful for generating intrusion evidence that was previously unavailable. With this tool, you can log command prompt sessions, be it from the console, a compromised IIS system or through a netcat tunnel. This works a bit like a wrapper, ComLog taking the place of cmd.exe and passing the commands to be executed to the real cmd.exe, which is renamed cm_.exe. Version 1.05 changes include an MS-DOS icon added to the executable, and better camouflage to avoid detection by the monitoree. The Pro version allows you to choose the filename for cm_.exe to be anything you like, to make it even harder to detect. It also allows you to specify pattern strings that you want obfuscated from the monitoree's output.

LogAgent 4.0 : This tool is a log file monitoring and centralisation tool. You can use it to monitor the Event Viewer logs, and ASCII log files from just about any application, including, but not limited to, antivirus, personal firewalls, ComLog, Snort, etc. LogAgent 4.0 also comes with 2 companion tools, ADSScan and the combo HashGen and IntegCheck. ADSScan is an alternate data streams scanner, and HashGen/IntegCheck is an MD5-SHA1 file system integrity checker, also known as a host-based intrusion detection system. The Pro version lets you run LogAgent as a service (registered only), and will automatically start ADSScan and IntegCheck for you each time it starts.

LogAgent 4.0 Pro also generates data of its own, related to the Running Services, the Open Shares, and the StartUp configuration, which can later be used as forensic evidence of intrusions. LogAgent 4.0 Pro ships with a 5-machine evaluation license, no time limit.
LogIDS 1.0 : I think this tool will change the way people look at intrusion
detection. LogIDS 1.0 is a real-time, log-analysis based intrusion
detection system. As this description indicates, LogIDS 1.0 is able to
analyze log files from various sources, and can be used with LogAgent 4.0
to supply these log files. The strength of LogIDS comes from the fact that
it is very flexible and it gains from the capabilities of the various tools
you use with it. You have the ability to tell LogIDS the format of each log
file you supply it with, which then enables you to define rules for each of
these log files, giving you one single interface to analyze and display all
this data gathered from varied sources (Event Viewer, ComLog, antivirus
logs, personal firewall logs, Snort logs, LogAgent 4.0 Pro logs, ADSScan,
IntegCheck, just to name a few examples). The interface is also pretty
innovative: the GUI is a logical representation of your network
architecture, where each node (machine or subnet) possesses its own window
where logs belonging to it are displayed. The GUI also sports several icons
that can be used with the ruleset to graphically describe the actions
reported in the logs. Sounds can also be emitted for alerts and warnings.
LogIDS 1.0 Pro contains built-in analysis for Snort, Event Viewer, and the
data generated by LogAgent 4.0 Pro and its companion tools. The Pro version
ships with a 5-machine evaluation license, no time limit. LogIDS 1.0 Pro
licenses include a LogAgent 4.0 Pro license to allow it to run as a
service. Screen captures available at

I hope these tools will help improve the security of networks out there in the wild. Thank you for your time.
Adam Richard, aka Floydman
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:47 EDT