Security and auditing related packages available in Fedora 12

While there are application groups for just about every category of software from graphics, software development, office productivity, multimedia, and others, there’s no specific group for security or auditing related packages. Here’s a list of the security and auditing related packages that are now available in the standard Fedora 12 repositories. From intrusion detection to data recovery, Fedora has come a long way in the last couple of years.

chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit.
It contains:
* chkrootkit: shell script that checks system binaries for rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.

dsniff

A collection of tools for network auditing and penetration testing.
Dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy allow
passive monitoring of a network for interesting data (passwords,
e-mail, files). Arpspoof, dnsspoof and macof facilitate the
interception of network traffic normally unavailable to an attacker
(e.g., due to layer-2 switching). Sshmitm and webmitm implement
active monkey-in-the-middle attacks against redirected SSH and
HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

etherape

EtherApe is a graphical network monitor modeled after etherman.

etherbat

Etherbat performs Ethernet topology discovery between 3 hosts: the
machine running Etherbat and two other devices.

ethtool

This utility allows querying and changing settings such as speed,
port, autonegotiation, PCI locations and checksum offload on many
network devices, especially Ethernet devices.

foremost

Foremost recovers files based on their headers, footers, and
internal data structures. This process is commonly referred to as
data carving. Foremost can work on a raw disk drive or image file
generated by dd. The headers and footers can be specified by a
configuration file or you can use command line switches to specify
built-in file types. These built-in types look at the data
structures of a given file format allowing for a more reliable and
faster recovery.

ncrack

Ncrack is a high-speed network authentication cracking tool. It was
built to help companies secure their networks by proactively
testing all their hosts and networking devices for poor passwords.
Security professionals also rely on Ncrack when auditing their
clients. Ncrack was designed using a modular approach, a
command-line syntax similar to Nmap and a dynamic engine that can
adapt its behaviour based on network feedback. It allows for rapid,
yet reliable large-scale auditing of multiple hosts.

nebula

Nebula is an intrusion signature generator. It can help secure a
network by automatically calculating filter rules from attack
traces. In a common setup nebula runs as a daemon and receives
attacks from honeypots.

nessus

Nessus is the world’s most popular vulnerability scanner used in
over 75,000 organizations world-wide. Many of the world’s largest
organizations are realizing significant cost savings by using
Nessus to audit business-critical enterprise devices and
applications.

nikto

Nikto is a web server scanner which performs comprehensive tests
against web servers for multiple items, including over 3300
potentially dangerous files/CGIs, versions on over 625 servers, and
version specific problems on over 230 servers. Scan items and
plugins are frequently updated and can be automatically updated (if
desired).

nmap

Nmap is a utility for network exploration or security auditing. It
supports ping scanning (determine which hosts are up), many port
scanning techniques (determine what services the hosts are
offering), and TCP/IP fingerprinting (remote host operating system
identification). Nmap also offers flexible target and port
specification, decoy scanning, determination of TCP sequence
predictability characteristics, reverse-identd scanning, and more.

pads

PADS is a libpcap-based detection engine used to passively
detect network assets. It is designed to complement IDS
technology by providing context to IDS alerts. When new assets
are found, it can send IDMEF alerts via prelude.

prelude-lml

Prelude-LML is a log analyser that allows Prelude to collect and
analyze information from all kinds of applications emitting logs or
syslog messages in order to detect suspicious activities and
transform them into Prelude-IDMEF alerts.

prewikka

Prewikka is the graphical front-end analysis console for the
Prelude Universal SIM. Providing numerous features, Prewikka
facilitates the work of users and analysts. It provides alert
aggregation and sensor and heartbeat views, and has user management
and configurable filters. Prewikka also provides access to external
tools such as whois and traceroute.

psad

Port Scan Attack Detector (psad) is a collection of three
lightweight system daemons written in Perl and in C that are
designed to work with Linux iptables firewalling code to detect
port scans and other suspect traffic. It features a set of highly
configurable danger thresholds (with sensible defaults provided),
verbose alert messages that include the source, destination,
scanned port range, begin and end times, tcp flags and
corresponding nmap options, reverse DNS info, email and syslog
alerting, automatic blocking of offending IP addresses via dynamic
configuration of iptables rulesets, and passive operating system
fingerprinting. In addition, psad incorporates many of the tcp,
udp, and icmp signatures included in the snort intrusion detection
system.

rats

RATS scans through code, finding potentially dangerous function
calls. The goal of this tool is not to definitively find bugs
(yet). The current goal is to provide a reasonable starting point
for performing manual security audits.

rear

Relax and Recover (abbreviated rear) is a highly modular disaster
recovery framework for GNU/Linux based systems, but can be easily
extended to other UNIX-like systems. The disaster recovery
information (and maybe the backups) can be stored via the network,
locally on hard disks or USB devices, DVD/CD-R, tape, etc. The result
is also a bootable image that is capable of booting via PXE, DVD/CD
and USB media.

rkhunter

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.

sagator

Email antivirus/antispam gateway. It is an
interface to the postfix, sendmail, or any other smtpd, which runs
antivirus and/or spamchecker. Its modular architecture can use any
combination of antivirus/spamchecker according to configuration.

scanssh

ScanSSH supports scanning a list of addresses and networks for open
proxies, SSH protocol servers, Web and SMTP servers. Where possible,
ScanSSH displays the version number of the running services.
The ScanSSH protocol scanner supports random selection of IP addresses
from large network ranges and is useful for gathering statistics on
the deployment of SSH protocol servers in a company or the Internet
as a whole.

scapy

Scapy is a powerful interactive packet manipulation program built
on top of the Python interpreter. It can be used to forge or decode
packets of a wide number of protocols, send them over the wire,
capture them, match requests and replies, and much more.

scrub

Scrub writes patterns on files or disk devices to make
retrieving the data more difficult. It operates in one of three
modes: 1) the special file corresponding to an entire disk is
scrubbed and all data on it is destroyed; 2) a regular file is
scrubbed and only the data in the file (and optionally its name in
the directory entry) is destroyed; or 3) a regular file is created,
expanded until the file system is full, then scrubbed.

shorewall

Shorewall is an iptables-based firewall that can be used on a dedicated
firewall system, a multi-function gateway/ router/server or on a
standalone GNU/Linux system.

sleuthkit

The Sleuth Kit (TSK) is a collection of UNIX-based command line
tools that allow you to investigate a computer. The current focus
of the tools is the file and volume systems and TSK supports FAT,
Ext2/3, NTFS, UFS, and ISO 9660 file systems.

snort

Snort is a libpcap-based packet sniffer/logger which
can be used as a lightweight network intrusion detection system.
It features rules-based logging and can perform protocol analysis,
content searching/matching and can be used to detect a variety of
attacks and probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate “alert” file, or as a WinPopup message via
Samba’s smbclient.

swatch

The Simple WATCHer is an automated monitoring tool that is capable
of alerting system administrators of anything that matches the
patterns described in the configuration file, whilst constantly
searching logfiles using Perl.

Posted by admica   @   9 December 2009
