LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  10-04-2012, 08:09 AM  OlRoy (Member; registered Dec 2002; 304 posts)
Useful open source incident related projects


Here are some useful open source projects for detecting and investigating incidents. A couple of them I just found out about today.

1) A while ago Mandiant released a free tool called IOC-Editor to create Indicator Of Compromise (IOC) signatures. So if you investigate an attack you can create IOCs from your analysis, which can be used to check other computers on your network for specific criteria such as a file name, MD5 hash, process, open port, registry key, etc., that indicate other computers have been compromised as well.

Now there is a new Python project called PyIOC that allows you to push out a client program to computers on your network, which will run and download .ioc files from a server and check to see if any other computers are showing signs they have been compromised. It apparently has both a Windows and Linux client.

List of current checks it's capable of:

Quote:
ProcessItem/PortList/PortItem/localPort
ProcessItem/PortList/PortItem/remoteIP
ProcessItem/PortList/PortItem/remotePort
ProcessItem/Username
ProcessItem/name
ProcessItem/pid

FileItem/FileName
FileItem/FullPath
FileItem/Md5sum

RegistryItem/path
RegistryItem/value
RegistryItem/valuename

PortItem/localport
PortItem/remoteport
PortItem/remoteip

2) Security Onion makes Network Security Monitoring way easier than it is now. It includes everything you need to investigate IDS alerts. With a couple of clicks you can drill down from a Snort alert and get easy access to full content PCAPs, HTTP logs, session logs, syslogs, OSSEC logs, run a database query, etc.

The latest version that's going to be released shortly includes an easy installer where you can install a sensor in around 10 minutes.

Presentation video: Security Onion Network Security Monitoring in minutes

3) Volatility 2.2 is written in Python and can analyze memory images and has been beyond awesome on Windows. How analysts have gone so long without memory analysis like this is amazing. It now officially supports both 32 and 64 bit versions of Linux. You can see in the above link there are all kinds of plugins, and people are continually coming up with new ones. I just saw a plugin yesterday that can even get a screenshot of the Windows desktop from a memory image, and I'm sure equally cool Linux plugins will follow.

The really cool thing is that just like malware has problems hiding on a dead hard drive, it also has problems hiding from a memory image loaded in Volatility.

4) I just discovered Enterprise Log Search and Archive (ELSA), which is basically an open source alternative to Splunk. It acts as a kind of Google for your logs by normalizing various logs and allowing you to easily run fairly complex queries: Example. It's also going to be included in the 12.04 release of Security Onion, which is currently in Beta, but due for official release soon.

5) Analysts used to create timelines solely based on the MAC times of files. Now they're creating "supertimelines" that incorporate not just MAC times from files, but logs, browser history, and all kinds of other sources of evidence that have a timestamp associated with them using Log2Timeline. Being able to see a timeline that contains evidence other than just MAC times allows analysts to have more context, and a better understanding of what happened.

6) There is BackTrack for pentesting, there is Security Onion for NSM, and there is SANS Investigate Forensic Toolkit (SIFT) Workstation for digital forensics. It contains Log2Timeline, Volatility, The Sleuth Kit, and a heck of a lot more tools to perform digital forensics, and is updated with the latest tools fairly often.

7) Google Rapid Response (GRR) is a Python framework for live remote forensics. You can connect to remote computers and run Volatility plugins, The Sleuth Kit, create timelines, get running processes, network connections, retrieve files, run commands, browse the file system, etc. Unfortunately, it's currently in Alpha stage, and has been for a while, but does seem to be updated every so often. User Manual and Demo, but it's not a complete demo... Search for computer "domU".

We have all kinds of useful (and free) tools for detecting and investigating attacks right now. I'm sure there are more new projects coming up, so if you know of any, let me know.
 
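Added example (editor's note; this is not code from the post, from PyIOC or from Mandiant's IOC-Editor): a small evaluator that applies an OpenIOC-style .ioc file to a host snapshot, using the same search terms PyIOC lists above (FileItem/Md5sum, FileItem/FullPath, ProcessItem/name, PortItem/localport). The .ioc document, the hash, the file and process names and the port are all constructed for illustration and describe no real malware; the snapshot is a hand-built dict standing in for what a client would collect from the live system.

```python
import xml.etree.ElementTree as ET

# Constructed .ioc in the OpenIOC 1.0 layout (Indicator / IndicatorItem / Context / Content).
# Hash, names and port are made up for this example.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">sshd</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/localport" type="mir"/>
          <Content type="int">4444</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
        <Content type="string">/tmp/.x/</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshot keyed by OpenIOC document type. A real client would
# build this from the live system (hashing files, reading /proc, listing sockets).
SAMPLE_HOST = {
    "FileItem": [{"FileName": "bash", "FullPath": "/bin/bash", "Md5sum": "ff" * 16},
                 {"FileName": "kthread", "FullPath": "/tmp/.x/kthread",
                  "Md5sum": "0123456789ABCDEF0123456789abcdef"}],
    "ProcessItem": [{"name": "sshd", "pid": 812, "Username": "root"},
                    {"name": "kthread", "pid": 4711, "Username": "root"}],
    "PortItem": [{"localport": 22, "remoteport": 0, "remoteip": "0.0.0.0"},
                 {"localport": 4444, "remoteport": 0, "remoteip": "0.0.0.0"}],
}


def _local(tag):
    """Strip the XML namespace so the code works with or without the OpenIOC xmlns."""
    return tag.rsplit("}", 1)[-1]


def _item_hits(item, snapshot):
    """(search, value) pairs for every snapshot entry that satisfies one IndicatorItem."""
    context = next(c for c in item if _local(c.tag) == "Context")
    content = next(c for c in item if _local(c.tag) == "Content")
    search = context.get("search")            # e.g. "FileItem/Md5sum"
    doc, _, field = search.partition("/")
    condition = item.get("condition", "is")
    wanted = (content.text or "").strip().lower()
    hits = []
    for entry in snapshot.get(doc, []):
        actual = str(entry.get(field, ""))
        if condition == "is":                 # case-insensitive: hashes get mixed case
            ok = actual.lower() == wanted
        elif condition == "contains":
            ok = wanted in actual.lower()
        else:
            raise ValueError(f"unsupported condition {condition!r}")
        if ok:
            hits.append((search, actual))
    return hits


def evaluate(node, snapshot):
    """Recursively evaluate Indicator/IndicatorItem; returns (matched, hits).
    Simplification: AND is host-wide, so each child may be satisfied by a
    different entry rather than the same process or file."""
    if _local(node.tag) == "IndicatorItem":
        hits = _item_hits(node, snapshot)
        return bool(hits), hits
    op = node.get("operator", "OR").upper()
    results = [evaluate(c, snapshot) for c in node
               if _local(c.tag) in ("Indicator", "IndicatorItem")]
    if not results:
        return False, []
    hits = [h for ok, hs in results if ok for h in hs]
    if op == "AND":
        return all(ok for ok, _ in results), hits
    if op == "OR":
        return any(ok for ok, _ in results), hits
    raise ValueError(f"unsupported operator {op!r}")


def check_host(ioc_xml, snapshot):
    """Evaluate every top-level Indicator in the .ioc against one host snapshot."""
    root = ET.fromstring(ioc_xml)
    definition = next(el for el in root.iter() if _local(el.tag) == "definition")
    matched, hits = False, []
    for indicator in definition:
        if _local(indicator.tag) == "Indicator":
            ok, found = evaluate(indicator, snapshot)
            if ok:
                matched, hits = True, hits + found
    return matched, hits
```

`check_host(SAMPLE_IOC, SAMPLE_HOST)` returns `(True, [...])` with the md5, the sshd/4444 pair and the `/tmp/.x/` path as hits; strip the second file, process and port from the snapshot and it returns `(False, [])`. The caveat a practitioner should keep in mind: a check like this runs on the possibly compromised host, so a rootkit that hides processes, ports or files from the collector also hides them from the IOC sweep, which is one reason memory analysis with Volatility (item 3) is worth pairing with it.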
#2  10-06-2012, 07:21 PM  OlRoy (Original Poster)
Some more projects I forgot, and a couple new ones that just came out...

8) There is a new Virtual Machine called TAPEWORM which is used to automate some open source forensics software. From the site:

Quote:
TAPEWORM (TASC Pre-processing Exploitation & Workflow Management system) is a 64 bit Xubuntu based Virtual Machine designed to automate a number of open source tools. TAPEWORM uses a custom GUI as well as underlying python scripts to automate the following open source tools:

log2timeline
bulk_extractor
regripper
exiftool
volatility
Anti-Virus Scanning
Find Files of Interest
9) Remnux is another Linux OS like BackTrack, Security Onion, etc., that is loaded with tools, but is specifically for reverse engineering malware. It contains software you can use to analyze malicious executables, documents, JavaScript, web sites, etc. The list of specific software included is in the link.

10) OSSEC is a host-based IDS, which has IPS capabilities. It's been around a long time and monitors logs, file integrity, and checks for rootkits. Like Snort, you can create your own rules with various priorities. It doesn't necessarily need to be installed on the host (can be agentless), and is able to log in to network devices, such as from Cisco, and alert to changes in their configs. Another nice thing is you can simply install it on a syslog server and it will automatically monitor the logs. You can also receive OSSEC alerts in Sguil using Security Onion.

11) Digital Forensics Framework (DFF) is a cross-platform Python framework that's scriptable so you can add new features or automate specific tasks. It has a GUI and CLI, and seems to be pretty well supported.

12) The Sleuth Kit was just updated to version 4.0 on Oct 2, 2012. TSK has been the open source software of choice when it comes to analyzing storage devices for a long time now. TSK 4.0 has a number of improvements such as the plug-in framework so people can create modules to automate tasks. Unfortunately, this feature, and Autopsy 3.0, aren't yet supported on Linux, but can at least be used on Windows to analyze Linux images if needed.

13) Computer Aided INvestigative Environment (CAINE) is an Ubuntu 12.04 Live CD which appears to be an open source alternative to Helix, which went commercial a while ago. You can put the CAINE CD in your computer and reboot. It won't automatically mount any drives, and provides you with open source forensics software to investigate a storage device. Like Helix, it apparently allows you to run Windows tools for live response during Windows incidents.

Last edited by OlRoy; 10-06-2012 at 10:04 PM.
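Added example (editor's note; not code from either post, from log2timeline or from TAPEWORM): the "supertimeline" idea from item 5 in the first post and item 8 above, shown as a merge of four timestamp sources into one ordered list. The evidence is constructed (a file walker's MAC times, two syslog lines, one Firefox visit, one Chrome visit), and the timestamp encodings used for the browser entries are stated in the comments; the year and timezone for the syslog lines are assumptions the analyst must supply, since syslog records neither.

```python
import re
from datetime import datetime, timedelta, timezone

# --- constructed evidence, not real data --------------------------------------
# File MAC times as a walker reports them: (path, atime, mtime, ctime) in Unix seconds.
FS_MAC = [
    ("/tmp/.x/kthread", 1349377862, 1349377795, 1349377795),
    ("/etc/cron.d/update", 1349377820, 1349377820, 1349377820),
]
# syslog carries no year and no zone; both are supplied by the caller below.
SYSLOG = [
    "Oct  4 19:09:30 web01 sshd[812]: Accepted password for root from 203.0.113.7 port 51022 ssh2",
    "Oct  4 19:11:02 web01 CRON[4710]: (root) CMD (/tmp/.x/kthread)",
]
# Firefox places.sqlite: last_visit_date is microseconds since the Unix epoch.
FIREFOX_VISITS = [("http://203.0.113.7/x.tgz", 1349377690123456)]
# Chrome History: visit_time is microseconds since 1601-01-01 (WebKit epoch).
CHROME_VISITS = [("http://203.0.113.7/readme.txt", 12993851320000000)]

WEBKIT_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 to 1970-01-01
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


def _utc(seconds, micros=0):
    """Integer-only conversion so microsecond timestamps are not rounded through a float."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=micros)


def events_from_mac(entries):
    """One event per MAC timestamp; a later atime than mtime on a binary often means execution."""
    for path, atime, mtime, ctime in entries:
        yield (_utc(mtime), "FILE", "mtime", path)
        yield (_utc(atime), "FILE", "atime", path)
        yield (_utc(ctime), "FILE", "ctime", path)


def events_from_syslog(lines, year, tz=timezone.utc):
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a real tool should report unparsed lines instead of dropping them
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Oct  4"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        yield (ts.astimezone(timezone.utc), "LOG", "syslog", f"{m['host']} {m['msg']}")


def events_from_firefox(visits):
    for url, visit_us in visits:
        yield (_utc(visit_us // 1_000_000, visit_us % 1_000_000), "WEBHIST", "firefox", url)


def events_from_chrome(visits):
    for url, visit_us in visits:
        secs = visit_us // 1_000_000 - WEBKIT_EPOCH_OFFSET
        yield (_utc(secs, visit_us % 1_000_000), "WEBHIST", "chrome", url)


def build_supertimeline(fs_mac, syslog, syslog_year, firefox, chrome, syslog_tz=timezone.utc):
    """Merge all sources into one list of (utc_time, source, kind, description), oldest first."""
    events = list(events_from_mac(fs_mac))
    events += events_from_syslog(syslog, syslog_year, syslog_tz)
    events += events_from_firefox(firefox)
    events += events_from_chrome(chrome)
    events.sort(key=lambda e: e[0])  # stable sort: equal timestamps keep source order
    return events


def render(events):
    """Pipe-delimited lines for grep or a spreadsheet, one event per line."""
    return [f"{ts.isoformat()}|{src}|{kind}|{desc}" for ts, src, kind, desc in events]
```

With `build_supertimeline(FS_MAC, SYSLOG, 2012, FIREFOX_VISITS, CHROME_VISITS)` the merged view reads: two visits to 203.0.113.7, an SSH password login as root, a file written under /tmp/.x/, a new cron entry, and the cron execution of that file with the matching atime update. None of the individual sources tells that story on its own, which is the point of the first post's item 5. The two things that most often break a real merge are exactly what the helpers make explicit: each source has its own epoch and unit, and local-time sources such as syslog have to be converted to UTC before sorting, or events end up hours apart from the browser and filesystem evidence.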
Tags
forensics, incident, open source
All times are GMT -5.