Open Source Security tools

Security monitoring, intrusion detection/prevention

  • Suricata – intrusion detection system
  • Snort – intrusion detection system
  • Zeek – network security monitoring
  • OSSEC – host-based intrusion detection system
  • Wazuh – a more active fork of OSSEC
  • Velociraptor – endpoint visibility and response
  • OSSIM – open source SIEM, at the core of AlienVault
  • SecurityOnion – security monitoring and log management
  • Elastic SIEM – SIEM functionality by Elasticsearch
  • MozDef – SIEM-like layer on top of Elasticsearch
  • Sagan – log analytics and correlation
  • Apache Metron – (retired) network security monitoring, evolved from Cisco OpenSOC
  • Arkime – packet capture and search tool (formerly Moloch)
  • PRADS – passive real-time asset detection
  • BloodHound – Active Directory relationship mapping

Threat intelligence

  • MISP – threat intelligence platform
  • SpiderFoot – threat intelligence aggregation
  • OpenCTI – threat intelligence platform
  • OpenDXL – open source tools for security intelligence sharing
  • Sigma – Generic Signature Format for SIEM Systems

Incident response

Vulnerability assessment

  • OpenVAS – very popular vulnerability assessment
  • ZAProxy – web vulnerability scanner by OWASP
  • WebScarab – (obsolete) web vulnerability scanner by OWASP
  • w3af – web vulnerability scanner
  • Loki – IoC scanner
  • CVE Search – set of tools for search in CVE data

Firewall

Antivirus / endpoint protection

  • ClamAV – open source antivirus engine
  • Armadito AV – open source AV (retired)
  • YARA – the pattern-matching Swiss Army knife for malware researchers

Email security

PowerShell for penetration testers – Introduction

Small compilation of interesting sites related to IT security

I am not checking them at regular intervals, but I hope they still work and are relevant.

Please give me some feedback if for some reason they are no longer relevant or working.

CVE-2019-0232

A new vulnerability that requires attention from users running Apache Tomcat on Windows machines.

source:

http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E

“When running on Windows with enableCmdLineArguments enabled, the CGI
Servlet is vulnerable to Remote Code Execution due to a bug in the way
the JRE passes command line arguments to Windows. The CGI Servlet is
disabled by default. The CGI option enableCmdLineArguments is disabled
by default in Tomcat 9.0.x (and will be disabled by default in all
versions in response to this vulnerability)”

Configure Static IP Address on Linux

There are several ways to configure a Linux network interface.

This is the one that is probably simplest for beginners.

sudo ifconfig eth0 192.168.1.10 netmask 255.255.255.0;
sudo route add default gw 192.168.1.1 eth0;

ifconfig is the utility used to configure a network interface.

In the example above, sudo runs the command with the elevated privileges needed to change the interface configuration.

eth0 is the interface being configured; the available interfaces can be listed by running ifconfig -a.

192.168.1.10 is an example IP address; use whichever address your network requires.

netmask identifies the subnet mask of the network you are configuring. If you are not sure what it should be, check the configuration settings of your router.

The second line configures the default gateway. The computer needs this information to send traffic out of the local network.

The gateway is the exit point from the local network to other networks. route add is the command used to add the route.

default marks this as the default route: when no more specific route in the routing table matches a destination, the computer uses this one to reach the remaining networks.

The address 192.168.1.1 is the IP address of the gateway, normally the router on a local network.

eth0 is the local interface that will be used to reach the gateway.

Note that settings applied this way are not persistent: they are lost at reboot unless also written to the distribution's network configuration files. On current distributions ifconfig and route (from net-tools) are often not installed, and the ip command from iproute2 is used instead.
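As an added example (not from the original post), a small POSIX shell helper that checks the three values belong together before the two commands above are run: the gateway must lie inside the subnet given by the address and netmask, otherwise the route add line fails. The function names ip4_to_int, same_subnet and static_ip_plan are this example's own.

```shell
# Added example, not part of the original post: check that address, netmask
# and gateway fit together before they are handed to ifconfig/route.
# A default gateway outside the configured subnet is a common mistake and
# makes "route add default gw" fail. Function names are this example's own.

# Convert a dotted-quad IPv4 address to a 32-bit integer on stdout.
# Runs in a subshell so the IFS change stays local. Exit 1 on malformed input.
ip4_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    n=0
    for octet in "$@"; do
        # reject empty, non-numeric and leading-zero octets (08 would be read as octal)
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
        n=$(( (n << 8) | octet ))
    done
    echo "$n"
)

# Exit 0 only if address ($1) and gateway ($3) share the network under netmask ($2).
same_subnet() {
    a=$(ip4_to_int "$1") || return 1
    m=$(ip4_to_int "$2") || return 1
    g=$(ip4_to_int "$3") || return 1
    [ $(( a & m )) -eq $(( g & m )) ]
}

# Print the two commands from the post for interface $1, address $2,
# netmask $3 and gateway $4, but only after the subnet check passes.
static_ip_plan() {
    same_subnet "$2" "$3" "$4" || {
        echo "error: gateway $4 is not in the subnet of $2 netmask $3" >&2
        return 1
    }
    echo "sudo ifconfig $1 $2 netmask $3"
    echo "sudo route add default gw $4 $1"
}

# Usage: static_ip_plan eth0 192.168.1.10 255.255.255.0 192.168.1.1
```

The printed commands can be reviewed and then run; a gateway on the wrong subnet is reported on stderr and nothing is printed.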

How to Find Files With setuid Permissions

find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
  • find directory -> Searches the whole tree below the specified directory (crossing mount points), which can be root (/), sys, bin, or mail.
  • -user root -> Matches only files owned by root.
  • -perm -4000 -> Matches only files with the setuid bit (4000) set; the leading minus means "at least these bits", so a file with mode 4755 also matches.
  • -exec ls -ldb -> Displays each match in ls -ldb format.
  • >/tmp/filename -> Writes the results to this file.
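As an added example, not part of the original post: the find command above turned into a shell helper plus a baseline comparison, so that a setuid file that appears after a baseline was recorded can be spotted. The function names setuid_list and setuid_new are this example's own.

```shell
# Added example, not part of the original post: list setuid files below a
# directory and compare the list with a baseline taken earlier, so that a
# setuid binary that appeared since the baseline stands out. Function names
# (setuid_list, setuid_new) are this example's own.

# Print the setuid regular files below directory $1, sorted, one per line.
# An optional owner in $2 (e.g. root) restricts the result as the post's
# "-user root" does; without $2 every owner is reported. Permission errors
# from unreadable directories are silenced.
setuid_list() {
    if [ -n "$2" ]; then
        find "$1" -type f -user "$2" -perm -4000 2>/dev/null
    else
        find "$1" -type f -perm -4000 2>/dev/null
    fi | sort
}

# Print the paths in the current list file $2 that are absent from the
# baseline file $1 (both as produced by setuid_list). comm needs sorted input.
setuid_new() {
    comm -13 "$1" "$2"
}

# Usage: setuid_list / root > /var/tmp/setuid.today
#        setuid_new /var/tmp/setuid.baseline /var/tmp/setuid.today
```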

Difference Between Filtered and Closed Ports

During nmap scans we have several times seen results that report ports as closed or filtered.

Example:

PORT      STATE    SERVICE
22/tcp    open     ssh
443/tcp   open     https
1024/tcp  filtered kdm
1084/tcp  filtered ansoft-lm-2
1863/tcp  filtered msnp
3128/tcp  open     squid-http
3333/tcp  filtered dec-notes
4900/tcp  filtered hfcs
9943/tcp  filtered unknown
30000/tcp open     unknown
38292/tcp filtered landesk-cba
40911/tcp filtered unknown
52673/tcp filtered unknown

A port reported as closed means the scanner received a TCP RST packet in reply to its probe: the host is reachable, but nothing is listening on that port.

A port reported as filtered means no reply came back at all (or an ICMP unreachable error was returned), typically because a firewall dropped the probe. This also lengthens the scan, because the scanner has to retransmit probes to make sure that no service is reachable on that port.

The simplest way to remove this information from your scan results is to use the --open option of nmap; with it, only open ports are reported.