Three new tools related to IDS, forensics, honeypots

From: SecurIT Informatique Inc. (securit_at_iquebec.com)
Date: 05/26/03

    Date: Mon, 26 May 2003 16:47:55 -0400
    To: focus-ids@securityfocus.com

    To moderators : I hope I have it right this time. Sorry for the flood...

    Hello lists. I'd like to announce the release of my latest tools in the
    security game, and I think that the community will find them very
    interesting indeed. For article length considerations, here is a short
    resume of these tools. The binaries and full documentation can be
    downloaded at http://securit.iquebec.com. All these tools are available in
    Open Source and Pro versions. Check the website for pricing.

    ComLog 1.05 : This tool is a command prompt (cmd.exe) logger, useful for
    generating intrusion evidence that was previously unavailable. With this
    tool, you can log command prompt sessions, be it from the console, a
    compromised IIS system or through a netcat tunnel. This works a bit like a
    wrapper: ComLog takes the place of cmd.exe and passes the commands to be
    executed to the real cmd.exe, which is renamed cm_.exe. Version 1.05 changes
    include an MS-DOS icon added to the executable, and better camouflage to avoid
    detection by the monitoree. The Pro version allows you to choose the filename
    for cm_.exe to be anything you like, to make it even harder to detect. It also
    allows you to specify pattern strings that you want obfuscated from the
    monitoree's output.

    LogAgent 4.0 : This tool is a log file monitoring and centralisation tool.
    You can use it to monitor the Event Viewer logs, and ASCII log files from
    just about any application, including, but not limited to, antivirus, personal
    firewalls, ComLog, Snort, etc. LogAgent 4.0 also comes with 2 companion
    tools: ADSScan and the combo HashGen and IntegCheck. ADSScan is an
    alternate data streams scanner, and HashGen/IntegCheck is an MD5-SHA1 file
    system integrity checker, also known as a host-based intrusion detection
    system. The Pro version lets you run LogAgent as a service (registered
    only), and will automatically start ADSScan and IntegCheck for you each
    time it starts. LogAgent 4.0 Pro also generates data of its own, which is
    related to the Running Services, the Open Shares, and the StartUp
    configuration, which can later be used as forensics evidence of intrusions.
    LogAgent 4.0 Pro ships with a 5-machine evaluation license, no time limit.

    LogIDS 1.0 : I think this tool will change the way people look at intrusion
    detection. LogIDS 1.0 is a real-time, log-analysis based intrusion
    detection system. As this description indicates, LogIDS 1.0 is able to
    analyze log files from various sources, and can be used with LogAgent 4.0
    to supply these log files. The strength of LogIDS comes from the fact that
    it is very flexible and it gains from the capabilities of the various tools
    you use with it. You have the ability to tell LogIDS the format of each log
    file you supply it with, which then enables you to define rules for each of
    these log files, giving you one single interface to analyze and display all
    this data gathered from varied sources (Event Viewer, ComLog, antivirus
    logs, personal firewall logs, Snort logs, LogAgent 4.0 Pro logs, ADSScan,
    IntegCheck, just to name a few examples). The interface is also pretty
    innovative: the GUI is a logical representation of your network
    architecture, where each node (machine or subnet) possesses its own window
    where logs belonging to it are displayed. The GUI also sports several icons
    that can be used with the ruleset to graphically describe the actions
    reported in the logs. Sounds can also be emitted for alerts and warnings.
    LogIDS 1.0 Pro contains built-in analysis for Snort, Event Viewer, and the
    data generated by LogAgent 4.0 Pro and its companion tools. The Pro version
    ships with a 5-machine evaluation license, no time limit. LogIDS 1.0 Pro
    licenses include a LogAgent 4.0 Pro license to allow it to run as a
    service. Screen captures are available at
    http://iquebec.ifrance.com/securit/image/figure1.gif and
    http://iquebec.ifrance.com/securit/image/figure10.gif.

    I hope these tools will help improve the security of networks out there in
    the wild.

    Thank you for your time

    Adam Richard, aka Floydman
    SécurIT Informatique Inc.
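The post describes HashGen/IntegCheck as an MD5-SHA1 file system integrity checker used as host-based intrusion detection. The following is an added illustration of that baseline-and-verify idea, written here for the archive; it is not code from SecurIT's tools, and its file names and contents are a constructed scenario using only the Python standard library.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024  # stream files so large binaries do not have to fit in memory


def hash_file(path: Path) -> tuple:
    """Return (md5, sha1) hex digests of one file; both are kept, as the post describes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def build_baseline(root) -> dict:
    """The HashGen step: record both digests for every regular file under root, by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root, baseline: dict) -> dict:
    """The IntegCheck step: rescan and report files added, removed or modified since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical tree in a temp dir): baseline, change the tree, then check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "cmd.exe").write_bytes(b"original cmd.exe")
        (root / "notes.txt").write_text("keep me\n")
        baseline = build_baseline(root)  # snapshot taken while the host is still trusted
        (root / "system32" / "cmd.exe").write_bytes(b"replaced cmd.exe")  # content changed
        (root / "notes.txt").unlink()                                      # file removed
        (root / "system32" / "extra.exe").write_bytes(b"new file")         # file added
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to removable or read-only storage between runs, since an attacker who can alter the files can usually alter a baseline stored beside them.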
