UNIX Intrusion Detection Tools Section.  
L6
Directory: L6 is a file data integrity checker using both the MD5 and SHA-1 hash algorithms. It detects file tampering using hashes generated by both algorithms together with other inode information, and provides a useful, lightweight and flexible interface (written in Perl) for verifying file data integrity; its output and functionality resemble those of L5. By Programmaton, Gestion et Consultation, Informatique, Inc.
cpm
Directory: Tool for checking network interfaces in promiscuous mode.
nidsbench
Directory: nidsbench is a network intrusion detection system test suite. nidsbench is being published in the hopes that a more precise testing methodology might be applied to network intrusion detection, which is still a black art at best. This release of nidsbench includes: fragrouter: Implements all IP fragmentation attacks outlined in T. Ptacek and T. Newsham's "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January, 1998. tcpreplay: Replays saved tcpdump(8) dumpfiles at arbitrary speeds. nidsbench is published under a BSD-style license, and has been tested on the following platforms: OpenBSD 2.x, FreeBSD 3.x, BSD/OS 2.x, Linux (2.x kernels), Solaris 2.x (tcpreplay only). By Anzen Computing.
sentinel
Directory: The Sentinel project is designed to be a portable, accurate implementation of all publicly known promiscuous detection techniques.
FCheck_2.07.45.tar.g..>
FCHECK is a very stable PERL script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be done in as little as one minute intervals if a system's drive space is small enough, making it very difficult to circumvent. This is a freely-available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use. Homepage here. By Mike Gumienny.
FCheck_2.07.51.tar.g..>
FCHECK is a very stable PERL script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be done in as little as one minute intervals if a system's drive space is small enough, making it very difficult to circumvent. This is a freely-available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use. Changes: Fixes for the configuration files trailing space bug (fixed security hole), major bug fixes. Homepage here. By Mike Gumienny.
Gbs.c
Grazer1's Bait System opens a specific port and logs connections to it. Simple and ghetto way to log Netbus requests. By W. ter Maat
Monitor-1.0.0.tar.gz
The Monitor is a small file monitoring program. Can handle an unlimited number of files, and can be configured to timestamp each line displayed. It also supports basic parsing of syslogs (compressing the output).
NTOP.pdf.gz
Draft paper concerning the ntop network usage tool. By Luca Deri and Stefano Suin.
SHADOW.tar.gz
Traffic analysis and Intrusion Detection System developed by The SANS Institute, The Naval Surface Warfare Center, the Lawrence Berkeley Research Center, and the US Dept of Energy. This package includes tcpdump, tcpslice, libpcap, and the SHADOW code. Check out the Instruction file before you download it. Requires SSH and Apache web server.
SnmpMonitorEx-1.0.1...>
Safely monitor SNMP variables on the net. If there are changes, you can get a message on your cellular, by mail or on screen. Requires Scotty and Tcl/Tk.
Snmpd-1.0.1.tar.gz
SNMP based network management program to alleviate certain problems of heterogeneous systems. Requires Scotty and Tcl/Tk.
Snmpd-1.0.2.tar.gz
See above.
ViperDB-0.7.tar.gz
ViperDB 0.7 - ViperDB was created as a smaller and faster option to Tripwire. ViperDB does not use a fancy all-in-one database to keep records. Instead it uses a plaintext db which is stored in each "watched" directory, so there is no single attack point for an attacker to focus his attention on. This, coupled with running ViperDB every 5 minutes (via a root cron job), decreases the likelihood that an attacker will be able to modify your "watched" filesystem while ViperDB is monitoring your system. Changes: Now logs to a standard logging facility instead of an individual file. Added '-checkstrict' functionality which changes permissions/owner/group back to what they were before the change was made to the file. Added exception(s) to '-checkstrict' which remove all permissions from the changed file if the file originally was SUID/SGID. Changed the way filesystem changes are shown to the admin; a change now sends an alert to the logs once instead of repeatedly. By J-Dog.
XTcpdump-1.0.2.tar.g..>
Xwindows front end to tcpdump. Requires Tcl/Tk.
aafid2-0.10.tar.gz
AAFID is a distributed monitoring and intrusion detection system that employs small stand-alone programs/Agents to perform monitoring functions in the hosts of a network. AAFID uses a hierarchical structure to collect the information produced by each agent, by each host, and by each set of hosts, to be able to detect suspicious activity. This release is a prototype and does not implement full functionality. All modules of the system are written in Perl, and thus it is extremely portable. Although some of the Agents included with AAFID2 perform NIDS functionality, the system as a whole is a host-based intrusion detection system. Homepage here.
abacus-sentry.lsm
Detailed descriptions of the PortSentry, HostSentry, and LogCheck tools included in the Abacus Project suite of Intrusion Detection tools. Abacus Project web site
aide-0.4.tar.gz
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with. By Rami Lehti
aide-0.5.tar.gz
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with. Changes: MD5 sums are now correct. Users must update their databases; they have false sums. With hash library support, you can have many more hash algorithms, and many bugfixes have been made. Note that the author's PGP keys have changed. Homepage here. By Rami Lehti
aide-0.6.tar.gz
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with. Changes: A lot of bug fixes. MD-sums were again broken; please update. Homepage here. By Rami Lehti
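The baseline-and-compare approach shared by L6, FCheck, ViperDB and AIDE above, as an added example in Python (not code from any of those projects). Like L6 it records MD5 and SHA-1 plus inode fields, and like AIDE it selects files by regular expression. The include/exclude patterns and the db file layout are this example's own choices. Two practical points are built in: mtime is recorded but cannot be trusted alone, since an intruder resets it with touch, so ctime (which no userland call sets directly) is recorded as well; and the baseline must be written to media the running system cannot alter, because anyone who is root can simply rerun the init step.

```python
import hashlib
import json
import os
import re
import stat
import sys

HASHES = ("md5", "sha1")   # the pair L6 uses; sha256 would be the choice today


def file_record(path):
    """Digests plus the inode fields an integrity checker compares."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid, "inode": st.st_ino,
           "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}
    if stat.S_ISREG(st.st_mode):
        digests = {h: hashlib.new(h) for h in HASHES}
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                for d in digests.values():
                    d.update(chunk)
        rec.update({h: d.hexdigest() for h, d in digests.items()})
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)   # a swapped symlink target is a change too
    return rec


def build_baseline(root, include=r".*", exclude=r"^$"):
    """Walk root; a path relative to root is recorded when it matches include
    and does not match exclude (AIDE-style regex selection)."""
    inc, exc = re.compile(include), re.compile(exclude)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if inc.search(rel) and not exc.search(rel):
                db[rel] = file_record(full)
    return db


def compare(baseline, current):
    """Added, removed and changed entries; for changed ones, which fields differ."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in set(baseline) & set(current):
        old, new = baseline[rel], current[rel]
        diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if diff:
            report["changed"][rel] = diff
    return report


if __name__ == "__main__":
    # usage: integrity.py init|check ROOT DBFILE   (DBFILE should live on read-only media)
    mode, root, dbfile = sys.argv[1:4]
    selection = dict(include=r"^(bin|sbin|etc|lib)(/|$)", exclude=r"/(mtab|ld\.so\.cache)$")
    if mode == "init":
        with open(dbfile, "w") as f:
            json.dump(build_baseline(root, **selection), f)
    else:
        with open(dbfile) as f:
            print(json.dumps(compare(json.load(f), build_baseline(root, **selection)), indent=1))
```

A changed file whose mtime has been restored still shows up with its digests and ctime_ns listed as differing; a file replaced by a fresh copy also changes its inode number.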
alert_1.3.tar
IDS Alert Script (ver 1.3) for Checkpoint Firewall-1 (Unix only). Build Intrusion Detection into your firewall. Features include: Automated alerting, logging, and archiving, Automated blocking of attacking source, Automated identification and email remote site, and Installation and test script. Ver 1.3 Optimized for performance, over 50% speed increase. Documentation here. Homepage here. By Lance Spitzner
angel-0.7.tar.gz
Angel is a simple yet useful tool to monitor the services on your network. Perl.
argus-1.5-linux.tar...>
See below.
argus-1.5.patch
See below.
argus-1.5.tar.Z
See below.
argus-1.5.tar.gz
See below.
argus-1.7.beta.1b.ta..>
IP network transaction auditing tool. Reads network datagrams promiscuously, and generates network traffic status records.
autobuse-snap9156396..>
Autobuse is Perl daemon which identifies probes and the like in logfiles and automatically reports them via email. Supports monitoring of Linux 2.0 ipfw and Apache logfiles. By Grant Taylor.
autobuse-snap9179803..>
Autobuse is a log-monitoring program which automatically reports script-kiddie probes to whomever you like. By Grant Taylor.
autobuse-snap9184160..>
Autobuse - snapshot918416038 - Autobuse is a log-monitoring program which automatically reports script-kiddie probes to whomever you like. By Grant Taylor.
autobuse.lsm
More detailed description of Autobuse.
autostatus-1.1.tar.g..>
autostatus is yet another network monitoring program. Easy to use and configure, fast and efficient. It exploits maximum parallelism during its checking to speed up monitoring. By Dave Andersen.
bb-1.07b.tar.gz
Big Brother System and Network Monitor.
bb-1.08.tar.gz
Big Brother System and Network Monitor.
bb-1.08a.tar.gz
Big Brother Systems and Network Monitor. By The MacLawran Group Inc.
bb-1.08b.tar.gz
Big Brother v.1.08b (source code for UNIX) - Big Brother is a combination of monitoring methods. Unlike SNMP where information is just collected and devices polled, Big Brother is designed in such a way that each local system broadcasts its own information to a central location. Simultaneously, Big Brother also polls all networked systems from a central location. This creates a highly efficient and redundant method for proactive network monitoring. Features: Web-based status display, Configurable warning and panic levels, Notification via Pager or email, Support for grouping of machines, Support for modem monitoring, Selectable paging delays, Heterogeneous Network Support. Monitors: dns nntp ftp smtp and pop3 testing, connectivity via ping, http servers up and running, disk space usage, uptime and cpu usage, essential processes are still running, messages and warnings. By The MacLawran Group Inc.
bb-1.09.tar.gz
Big Brother v.1.09 (source code for UNIX) - Big Brother is a combination of monitoring methods. Unlike SNMP where information is just collected and devices polled, Big Brother is designed in such a way that each local system broadcasts its own information to a central location. Simultaneously, Big Brother also polls all networked systems from a central location. This creates a highly efficient and redundant method for proactive network monitoring. Features: Web-based status display, Configurable warning and panic levels, Notification via Pager or email, Support for grouping of machines, Support for modem monitoring, Selectable paging delays, Heterogeneous Network Support. Monitors: dns nntp ftp smtp and pop3 testing, connectivity via ping, http servers up and running, disk space usage, uptime and cpu usage, essential processes are still running, messages and warnings. New with this release: notification acknowledgements, HTMLized status logs, configurable notification options, support for more OSes, better installation procedures, support for specific disk partition monitoring, support for compressed grouping output, full df and HTTP output, all internet services are paged now, noping option allows the ping test to be disabled, Y2K compliant, touchtime completely replaces the Unix touch command, support for dns server checking using the dns keyword, support for Display grouping of machines, ability to test web pages via proxy servers, improved security, much more. By The MacLawran Group Inc.
bb-1.09a.tar.gz
See description above.
bb-1.09b.tar.gz
See description above.
bb-1.09c.tar.gz
Big Brother v1.09c for UNIX is a combination of monitoring methods. Unlike SNMP where information is just collected and devices polled, Big Brother is designed in such a way that each local system broadcasts its own information to a central location. Simultaneously, Big Brother also polls all networked systems from a central location. This creates a highly efficient and redundant method for proactive network monitoring. Features: Web-based status display, Configurable warning and panic levels, Notification via Pager or email, Support for grouping of machines, Support for modem monitoring, Selectable paging delays, Heterogeneous Network Support. Monitors: dns nntp ftp smtp and pop3 testing, connectivity via ping, http servers up and running, disk space usage, uptime and cpu usage, essential processes are still running, messages and warnings. New with this release: history graphs, HTMLized history logs, history files now kept, cleaner HTML code generated, notification acknowledgements, HTMLized status logs, configurable notification options, support for more OSes, better installation procedures, support for specific disk partition monitoring, support for compressed grouping output, full df and HTTP output, all internet services are paged now, noping option allows the ping test to be disabled, Y2K compliant, touchtime completely replaces the Unix touch command, support for dns server checking using the dns keyword, support for Display grouping of machines, ability to test web pages via proxy servers, improved security, bbnet may send arbitrary arguments to remote servers, much more. By The MacLawran Group Inc.
bb-1.09d.tar.gz
Big Brother v1.09d for UNIX is a combination of monitoring methods. Unlike SNMP where information is just collected and devices polled, Big Brother is designed in such a way that each local system broadcasts its own information to a central location. Simultaneously, Big Brother also polls all networked systems from a central location. This creates a highly efficient and redundant method for proactive network monitoring. Features: Web-based status display, Configurable warning and panic levels, Notification via Pager or email, Support for grouping of machines, Support for modem monitoring, Selectable paging delays, Heterogeneous Network Support. Monitors: dns nntp ftp smtp and pop3 testing, connectivity via ping, http servers up and running, disk space usage, uptime and cpu usage, essential processes are still running, messages and warnings. Changes: Fixed security problem with bb-hist.sh. By The MacLawran Group Inc.
bb-1.2.tar.gz
Big Brother 1.2 - Big Brother is a combination of monitoring methods. Unlike SNMP where information is just collected and devices polled, Big Brother is designed in such a way that each local system broadcasts its own information to a central location. Simultaneously, Big Brother also polls all networked systems from a central location. This creates a highly efficient and redundant method for proactive network monitoring. It also has blinking lights that make it look really cool. Features: Web-based status display, Configurable warning and panic levels, Notification via Pager or email, Support for grouping of machines, Support for modem monitoring, Selectable paging delays, Heterogeneous Network Support. Monitors: dns nntp ftp smtp and pop3 testing, connectivity via ping, http servers up and running, disk space usage, uptime and cpu usage, essential processes are still running, messages and warnings. ChangeLog. By Sean MacGuire.
bb-1.2a.tar.gz
See description above. Minor bugfix release.
bb-1.3.tar.gz
Big Brother is a combination of monitoring methods. Unlike SNMP where information is just collected and devices polled, Big Brother is designed in such a way that each local system broadcasts its own information to a central location. Simultaneously, Big Brother also polls all networked systems from a central location. This creates a highly efficient and redundant method for proactive network monitoring. Changes: Whole new look, very different config file formats in some cases. By Sean MacGuire.
bgcheck-0.4.tar.gz
bgcheck 0.4 - bgcheck is a process monitor for Linux written in perl that can be used by administrators to limit the number of background processes that each user can run. Changes: Fixed major problems handling ftp processes and added exception list for programs. By blue.
bgcheck-0.5.tar.gz
bgcheck 0.5 - bgcheck is a process monitor for Linux written in perl that can be used by administrators to limit the number of background processes that each user can run. Changes: added support for long usernames, fixed ftpd spawn detection to work with proftpd, possibly others. By blue.
bogon.c
Remote promiscuous ethernet detector. By Richard W.M. Jones.
bsb-monitor-1.0.tar...>
BSB-Monitor is a very simple network monitor. It scans the network periodically and offers the result as an HTML page and an easily parseable status file. By Darko Krizic.
check-ps-1.2alpha4.t..>
Newest release of check-ps, a security alarm that scans for rogue PIDs and can kill them, and that can run disguised as an httpd with a fake argument list so that it works as a tripwire.
check-ps-1.2alpha5.t..>
check-ps is a program that runs in the background, periodically executing the 'ps' program and checking its contents against the list of processes in a SysV-style /proc file system. Any processes that appear in /proc and do not appear in the information returned by 'ps' are logged and can even be killed. Any processes that appear in the output of 'ps' and not /proc are also reported (this might be done to give you the impression that syslogd is running when it is not, for example). Restriction: non-extant processes with non-fixed pids reported are not detected but easy for humans to detect. By Duncan Simpson
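The /proc-versus-ps comparison check-ps describes, as an added example in Python (this is not check-ps's own code). It adds two things a practitioner wants: /proc is sampled twice and only PIDs present in both samples are compared, which removes the exec/exit race the entry mentions as a restriction; and a kill(pid, 0) sweep over the whole PID range finds processes hidden from /proc's directory listing but still present (thread IDs, which also answer kill() but are legitimately absent from the listing, are filtered via the Tgid line of /proc/PID/status). The function names and the report layout are this example's own. A kernel-level rootkit that lies to every interface will still defeat it; the check only catches a userland ps or a readdir-only hide.

```python
import os
import subprocess


def parse_ps_pids(text):
    """PIDs from `ps -e -o pid=` output (one PID per line; a stray header is skipped)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def read_ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def read_proc_pids():
    """PIDs as the /proc directory listing reports them."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def is_thread(pid):
    """True when /proc/PID/status says the ID belongs to a thread, not a process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False        # unreadable or hidden: treat as a process so it gets reported
    return False


def probe_pids(pid_max=None):
    """PIDs that answer kill(pid, 0), found without trusting the /proc listing.
    PermissionError means the process exists but belongs to another user.
    Sweeping the default pid_max (4194304 on 64-bit Linux) takes a few seconds."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not is_thread(pid):
            alive.add(pid)
    return alive


def hidden_processes(proc_first, proc_second, ps_pids, probed=None):
    """Compare the views. A PID must be in both /proc samples to count as
    stable, which drops processes that started or exited between samples."""
    stable = proc_first & proc_second
    seen = proc_first | proc_second
    report = {
        "in_proc_not_ps": stable - ps_pids,   # hidden from ps: trojaned ps, LD_PRELOAD hook, ...
        "in_ps_not_proc": ps_pids - seen,     # ps shows a process that does not exist (fake syslogd)
    }
    if probed is not None:
        report["alive_not_in_proc"] = probed - seen   # hidden from readdir but still signalable
    return report


if __name__ == "__main__":
    first = read_proc_pids()
    ps = read_ps_pids()
    second = read_proc_pids()
    for kind, pids in hidden_processes(first, second, ps, probe_pids()).items():
        print(kind, sorted(pids))
```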
check-ps.txt
Sorry, a description is unavailable.
checksums-1.0.tar.gz
Checksums takes a file of predetermined MD5 checksums and compares with the current sum. It can be installed as a command line tool, or as a CGI which will allow you to upload the sums file remotely. In either case it is a useful tool to detect changes in your system files, such as a trojan. By Mike
checksyslog12.tar.gz
Analyze your syslogs for security or system problems by creating a list of normal behaviour to ignore; everything else is something you should be aware of. Requires perl 5. Homepage here.
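The "describe normal, alert on everything else" model used by checksyslog (and, with a fixed string database, by guard and autobuse below) as an added example in Python; it is not code from any of those tools. The sample log lines are constructed for the example, and the ignore and attack patterns are illustrative. Two design points worth copying: ignore patterns are anchored at the end of the message so that a broad "normal" rule cannot swallow an attacker's line that merely shares a prefix, and a line that fails to parse as syslog is never dropped silently, because a deliberately malformed line is itself worth seeing. Repeats of one event (differing only by PID) are collapsed to one report line with a count.

```python
import re

# Constructed sample of syslog lines; not captured from a real host.
SAMPLE_LOG = """\
Mar  3 04:02:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 04:02:17 host sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 04:03:40 host sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 04:03:41 host sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 04:05:00 host kernel: device eth0 entered promiscuous mode
Mar  3 04:06:12 host su[2300]: pam_unix(su:session): session opened for user root by alice(uid=1000)
"""

# "Normal behaviour" rules: specific, and anchored with $ so they match whole messages.
IGNORE = [
    r"^CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.\w+\)$",
    r"^sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ port \d+ ssh2$",
]

# Known-bad strings reported even if an ignore rule would otherwise cover the line.
ATTACK = [
    r"Failed password for invalid user",
    r"entered promiscuous mode",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def normalize(msg):
    """Drop PIDs so repeats of one event collapse into a single report line."""
    return re.sub(r"\[\d+\]", "[]", msg)


def triage(text, ignore=IGNORE, attack=ATTACK):
    """Return {'attack': {message: count}, 'unknown': {message: count}}."""
    ign = [re.compile(p) for p in ignore]
    atk = [re.compile(p) for p in attack]
    report = {"attack": {}, "unknown": {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        msg = m.group("msg") if m else line     # unparseable lines are reported, not dropped
        if any(r.search(msg) for r in atk):
            bucket = "attack"
        elif any(r.search(msg) for r in ign):
            continue                            # matches a normal-behaviour rule
        else:
            bucket = "unknown"
        key = normalize(msg)
        report[bucket][key] = report[bucket].get(key, 0) + 1
    return report


if __name__ == "__main__":
    for bucket, events in triage(SAMPLE_LOG).items():
        for msg, n in events.items():
            print(f"{bucket:7} x{n:<3} {msg}")
```

The ignore list grows by inspection: every line left in "unknown" is either a new rule to add or something to investigate, and nothing reaches the ignore list without a human deciding it is normal.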
clobberd-4.3-1.tar.b..>
User/Resource Monitor. Used to keep tabs on users. By Jason Nunn.
covert-tcp-channels...>
Sorry, a description is unavailable.
ctm-1.0.tar.gz
CTM 1.0 is your basic SNMP Traffic Monitor. By CTM web site.
ctm-1.1.tar.gz
CTM 1.1 is your basic SNMP Traffic Monitor. By CTM web site.
ctm-1.2.tar.gz
ctm 1.2 - CTM is an SNMP interface statistics gatherer which works as a daemon and polls SNMP capable routers in regular intervals and puts the gathered information into a database. Information gathered includes operational status of the interface, octets and packets sent and received, line errors, and queue discards, but CTM can easily be changed to log any interface specific SNMP variable. CTM comes with an example report script which gives traffic and line error summaries for certain periods of time. Changes: Version 1.2 corrects delta counters accordingly when the router is rebooted. By Lars Fenneberg.
decfingerd-0.6.tar.g..>
decfingerd v0.6 takes the place of your original finger service, providing totally false information to clients. This can be useful to catch people trying to crack your server, or to just really confuse them. You can define output for individual users, empty requests, and forward requests to another system. By Jon Beaton.
decfingerd-0.7.tar.g..>
decfingerd 0.7: The Deception Finger Daemon. This program will take place of the original finger service, providing totally false information to clients. This can be useful to catch people trying to crack your server, or to just really confuse them. You can define output for individual users, empty requests, and forward requests to another system. Tested on: Linux 2.2.7 -- GCC 2.7.2.3, Solaris 2.7 -- EGCS 1.1.1, OpenBSD 2.5 -- GCC 2.8.1. By Jon Beaton.
detect-satan.pl
Sorry, a description is unavailable.
detect-satan.tar
Sorry, a description is unavailable.
detect-scans-060.tar..>
This logs and notifies you of portscans run against your host. Some kinds of D.o.S attacks might also get logged.
dirwatch101.c
dirwatch101 monitors a directory and all the files in it for changes; when new data is appended to a file, that data is logged to a file. By ajax.
drawbridge-2.0.1.tar..>
Packet filter that allows you to control IP packets going to and from your LAN and the Internet.
dtk-0.6.tar
Deception Toolkit v0.6 - Tools and tactics based on deception to counter hacking/cracking attacks. DTK Version 0.6 adds the 'slowly' pragma to 'orders'. V0.6 also adds logging of accesses by IP address and retrieval of roll-up information from these log files via the deception port in a manner similar to that of InfoCon information. V0.6 also adds time-based passwords (also can be used in a use-based mode if desired) and the utility program tbp.pl. TBP allows remote systems to authenticate themselves automatically over time without reuse of the same old passwords. Too many more features to list in this major release. 400k. By Fred Cohen & Associates.
dtk-0.7.tar
Deception Toolkit v0.7 - Tools and tactics based on deception to counter hacking/cracking attacks. Excellent collection of security-related perl scripts; if you're going to lose sleep worrying about the hackers and crackers, then at least have some fun with them too. DTK Version 0.7 adds improved deceptions for http attacks (port 80) including a nicer .phf form. UDP deception states added to all scripts also. By Fred Cohen & Associates.
dtk-0.8.tar
Deception Toolkit v0.8 - Too many new improvments and code optimizations in this release to list. Just get it.
dtk-0.9.tar
The Deception ToolKit (DTK) is a toolkit designed to give defenders a couple of orders of magnitude advantage over attackers. We use deception to counter attacks. In the case of DTK, the deception is intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities. DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attackers method. V0.9 introduces the fake operating system name to the configure file and appropriate changes to deceptions to include this deception throughout the distribution. It also does automatic configuration of the secure Web server (thttpd) and generic.c and support for SCO Unix. 1.1MB. By Fred Cohen & Associates.
dtk-1999-01-07.tar
Deception Toolkit v1999-01-07 - DTK simply listens for inputs and provides responses that seem normal (i.e., full of bugs). In the process, it logs what is being done, provides sensible (if not quite perfect) answers, and lulls the attacker into a false sense of (your) insecurity. Has too many great features to list here, so check out The Deception Toolkit Home Page. DTK v1999-01-07 makes several minor improvements and contains some minor bugfixes. By Fred Cohen & Associates.
ears-0.7.tar.gz
EARS (Emergency Audit Response System) v0.7 - EARS is a console tool designed to detect, monitor and respond to anomalies (such as intrusions) in real time. It offers complete control of the process table, filesystem(s) and network interface(s) maintained by the operating system. Autonomous functionality is optional as a separate module. By Tishina Syndicate.
emonitor-v-0.6.tar.g..>
emonitor 0.6 is a notification, action-based system for network, system and application monitoring. emonitor includes the following tools: emsrvmsg (Event Monitor Server Message), emsrvcmd (Event Monitor Server Command), emtlog (Event Monitor Transaction Logger), emconsole (Event Monitor Console), emputcmd (Event Monitor Put Command), emputmsg (Event Monitor Put message). The Event Monitor Project.
emonitor.lsm
emonitor description.
eoe232.tar.gz
Eyes on Exec 2.32 is a set of tools which you can use to build your own host based IDS. It watches for programs getting exec'd and logs information about it to a file. Combined with perl this can be extremely powerful. Requires linux kernel 2.2. By S. Krahmer
filetraq-0.1.tgz
FileTraq is a shell script designed to be run periodically from the root crontab. Each time, it compares a list of system files with the copies that it keeps. Any changes are reported in diff or patchfile style, and dated backup copies are kept. It lets you keep an eye on intruders who might change system files, or other sysadmins who don't tell you about changes. It even helps you keep track of your own changes, along with dated backups. Homepage here. By Jeremy Weatherford
filetraq-0.2.tgz
FileTraq is a shell script designed to be run periodically from the root crontab. Each time, it compares a list of system files with the copies that it keeps. Any changes are reported in diff or patchfile style, and dated backup copies are kept. It lets you keep an eye on intruders who might change system files, or other sysadmins who don't tell you about changes. It even helps you keep track of your own changes, along with dated backups. Changes: Comment lines are now permitted in the config file, wildcard matches are now possible, and entire directories can be checked. Homepage here. By Jeremy Weatherford
firesoft.tar.gz
firesoft is a collection of Perl scripts for viewing snort-generated logs and ipchains logs. The package includes a bar chart creator from ipchains logs, to quickly view who has been scanning you the most. By Angelos Karageorgiou
fragrouter-1.6.tar.g..>
Fragrouter v1.6 - Fragrouter is aimed at testing the correctness of a NIDS, according to the specific TCP/IP attacks listed in the Secure Networks NIDS evasion paper. Other NIDS evasion toolkits which implement these attacks are in circulation among hackers or publically available, and it is assumed that they are currently being used to bypass NIDSs.
gabriel-1.0.tar.Z
SATAN detector.
getstatd-1.1.981014...>
Allows users to watch their accounting statistics and admins to watch general users statistics, terminal lines and other system wide statistics for any period of time. By Maxim Chirkov.
gnetsentry-0.0.0.tgz
Network sentry.
gogmagog-1.readme.tx..>
Sorry, a description is unavailable.
gogmagog-1.tar.gz
UNIX systems integrity monitor - highly configurable Bourne shell scripts that collect and analyze systems information, scanning for ANY irregularities or discrepancies. Designed with all major flavors of UNIX in mind. gogmagog-1.readme.txt. By cparisel@hotmail.com.
gogmagog-2.1.README
Sorry, a description is unavailable.
gogmagog-2.1.tar.gz
Sorry, a description is unavailable.
gogmagog-2.README
Sorry, a description is unavailable.
gogmagog-2.tar.gz
gog&magog v2.0 - Unix systems integrity monitor used to ensure core resources are left unaltered on a given host. gog&magog is composed of highly configurable Bourne shell scripts that collect and analyze systems information, scanning for ANY irregularities or discrepancies. Designed with all major flavors of UNIX in mind. This version has a GogView GUI that makes it much easier to monitor multiple hosts. gogmagog-2.README. By C. Parisel.
gogmagog-3.NOTES
Sorry, a description is unavailable.
gogmagog-3.README
Sorry, a description is unavailable.
gogmagog-3.tar.gz
Gog&Magog is a multiplatform sysadmin tool for monitoring the integrity of network-wide systems. Communication between the Magog server (ideally a PC running Linux) and the Gog hosts relies on FTP only, so it is pretty network architecture independent. Sysadmins monitor their machines at a glance, through a very simple WWW graphical interface on the server. By C.Parisel.
gogmagog-4.tar.gz
gogmagog 4 - Gog&Magog is a multiplatform sysadmin tool for monitoring the integrity of networkwide systems. Communication between the Magog server (ideally a PC running Linux) and the Gog hosts relies on FTP only, so it is relatively network architecture independent. Sysadmins monitor their machines at a glance, through a very simple WWW graphical interface (named GogView) on the server. Gog&Magog works on Linux, AIX, HP-UX and Solaris. Changes: encrypted profiles, security improvements. By C. Parisel.
grundschober_1998.le..>
Sniffer Detector Report, Diploma Thesis, June 1998. By Stephane Grundschober.
guard26.tar.gz
This Linux tool is more an early warning system than an IDS. It scans system logs for signs of intrusion in real time, produces colored output on the tty, and sends alerts and regular reports. An excellent database of suspicious logfile strings is included. Homepage here.
hostsentry-0.02.tar...>
HostSentry v0.02 is a host based intrusion detection tool that performs Login Anomaly Detection (LAD), and is the most recent addition to the Abacus Project suite of security tools. This tool allows administrators to spot strange login behavior and quickly respond to compromised accounts and unusual behavior. HostSentry incorporates a dynamic database and actually "learns" the user login behavior. This behavior is then utilized by modular signatures to detect unusual events. Specifically, HostSentry monitors system login accounting records in real-time (wtmp/utmp). These records are used to build a dynamic database of active users and run a series of signature modules during the login and logout phases. The signature modules are pluggable and easily activated or deactivated by the admin. An example wrapper is included to allow administrators to add new signatures. The current list of signatures includes:
moduleLoginLogout - Generic audit trail of all user logins and logouts.
moduleFirstLogin - Alerts administrators if this user is logging in for the first time.
moduleForeignDomain - A login was detected from a domain not listed in the allowed domains file.
moduleRhostCheck - A user's .rhosts file contains a wildcard or other dangerous modification.
moduleHistoryTruncated - A user's .history file is missing, truncated to zero bytes, or symlinked (i.e. /dev/null).
moduleOddDirnames - A user's directory contains suspicious directory names on logout (" ..", "...", etc.).
moduleMultipleLogins - A single username has multiple concurrent logins from different domains.
moduleOddLoginTime - A user is logging in at an odd hour for their usage pattern (not implemented yet).
moduleInvalidUtmp - A corresponding utmp/wtmp entry for this login cannot be found (entry possibly removed) (not implemented yet).
moduleHistorySuspicious - The user's history file contains suspicious commands (not implemented yet).
moduleNetworkDaemon - The user logged out but left a listening network socket operating (private web server, IRC bot, etc.) (not implemented yet).
moduleFileExists - A file was found in the user's directory that is listed in the banned/monitored list of the site (not implemented yet).
First release. By Craig H. Rowland.
hum-A-0.2.1.tar.gz
HummingBird is a distributed component for any Intrusion Detection System. Features: Share security information with any Internet host, Powerful search-able database of security relevant data, Easy to use data visualization, Detects light but network wide attacks, Keeps historical data of system status, Hosts can be organized in a hierarchy for better management and information flow, Java interface for alert messages. By HummingBird Project.
hum-A-101898.tar.gz
See above.
hum-A-summer98.tar.g..>
See above.
hummer-A-062799.tar...>
See above.
icmp-0.9.tar.gz
IMON v0.9b is a powerful tool to monitor/analyze ICMP traffic on your LAN (includes LOKI backdoor detection). By Stealth.
icmp.tar.gz
IMON is a powerful tool to monitor/analyze ICMP traffic on your LAN. With IMON you are able to analyze ICMP messages going through your network interface. By Stealth of KALUG.
icmpinfo-1.11.tar.gz
Tracks ICMP packets, allowing you to proactively watch for suspicious behaviour, mainly ICMP unreachables.
icmpmon.c
icmpmon will show you all ICMP packets reaching your box, which could be useful in detecting attacks/portscans sometimes. By CyberPsychotic.
ifstatus2.2.tar.gz
Ifstatus checks all network interfaces on the system, and reports any that are in debug or promiscuous mode, which may be a sign of unauthorized access to the system. By David A. Curry.
instmon-1.2.tar.gz
instmon is a shell script that monitors installations and detects the files that were added or modified. It can be very helpful for packages that only come in source form. It can be used by system administrators and simple users alike. instmon home page.
instmon-1.3.tar.gz
instmon v1.3 - instmon is a shell script that monitors installations and detects the files that were added or modified. By Vasilis Vasaitis.
instmon-1.4.tar.gz
instmon v1.4 - instmon is a shell script that monitors installations and detects the files that were added or modified. By Vasilis Vasaitis.
instmon-1.5.tar.gz
instmon is a shell script that monitors installations and detects the files that were added or modified. Changes: Slightly changed the default search list (added /var/lib) and the default exclude list (added /root); instmon now uses $TMPDIR when set; Comparisons between version numbers are now done in a different way, which is more correct for the UN*X world; Fixed to work with RPM >= 2.5.0; Empty directories are now removed even more aggressively; Things are becoming complicated, so the awk command is now required, and instmon has to store some helper scripts (currently one) in /usr/local/lib/instmon. By Vasilis Vasaitis.
ipacl.tar.gz
SYSV.4 module that implements packet filtering within the kernel.
iplimit-0.9.tar.gz
IPLimit is a security tool to prevent some denial of service attacks on common internet daemons. It will dynamically reject connections from hosts that have already connected too many times to the same service or the same server. Only these strobe makers will be rejected, not trusted people. IPLimit is fully configurable: you can, for instance, allow 40 connections per second for SMTP, and only 1 per minute for Telnet. It needs the TCPREMOTEIP and TCPLOCALPORT environment variables, so IPLimit has to be used with a super-server like G2S or TCPServer. You can also use any other inetd variant if you have the tcp-env program (from Qmail). IPLimit was tested on Linux but should work on any other Unix implementation with or without minor changes.
iptraf-1.2.0.tar.gz
IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others.
iptraf-1.3.0.tar.gz
IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others.
iptraf-1.4.0.tar.gz
IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. 217k. By Gerard Paul Java.
iptraf-1.4.1.tar.gz
IPTraf v1.4.1 - IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. By Gerard Paul Java.
iptraf-1.4.2.tar.gz
Fixed SEGV condition in this release. See above for program description.
iptraf-1.4.3.tar.gz
IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. By Gerard Paul Java.
iptraf-2.0.0.alpha-1..>
IPTraf 2.0.0.alpha-1 is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. Changes: This is a new version designed for Linux 2.2. It corrects a few bugs in the previously released alpha version, and puts in a few improvements. Tests are requested. By Gerard Paul Java.
iptraf-2.0.0.beta-1...>
IPTraf 2.0.0.beta-1 is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. Changes: This is a new version designed for Linux 2.2. It corrects a few bugs in the previously released alpha version, and puts in a few improvements. Tests are requested. By Gerard Paul Java.
iptraf-2.0.README
Sorry, a description is unavailable.
iptraf-2.1.1.tar.gz
IPTraf 2.1.1 is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. Changes: This is a maintenance release fixing a small bug in the packet size breakdown facility resulting in inaccurate counts, and some typographical cleanup. By Gerard Paul Java.
killerd-0_2.tar.gz
A daemon which kills shells with idle time above a certain limit. By Martin Mares.
ktcpd-strobemasker-1..>
Linux 2.0.x kernel patch that protects you from strobes. Detects all strobes, logs all strobe attempts, refuses connections after a strobe begins, logs ALL packets (tcp, icmp, udp). Basically, makes your Linux box appear to be a Macintosh.
l0pht-nfr.tar.gz
"The L0pht NFR Intrusion Detection System modules have been updated to cover some of the latest popular network attacks. Featured prominently in the update is a Back Orifice detection module which, we believe, is better than anything else on the market. Better than ISS's RealSecure BO detection as well as that of stand alone BO detectors that cost upwards of $5000. Do your network a favor and download our IDS modules (which are FREE) and NFR which is free for internal, non-commercial use." By L0pht Heavy Industries.
libnids-1.12.tar.gz
Libnids is a library that provides the functionality of one NIDS (Network Intrusion Detection System) component, namely the E-component. This means that libnids code watches all local network traffic, cooks received datagrams a bit (quite a bit ;)), and provides convenient information on them to the analyzing modules of the NIDS. So, if you intend to develop a custom NIDS, you don't have to build low-level network code. If you decide to use libnids, you have the E-component ready and can focus on implementing the other parts of the NIDS. Homepage here. By Nergal.
libnids-1.13.tar.gz
Libnids is a library that provides the functionality of one NIDS (Network Intrusion Detection System) component, namely the E-component. This means that libnids code watches all local network traffic, cooks received datagrams a bit (quite a bit ;)), and provides convenient information on them to the analyzing modules of the NIDS. So, if you intend to develop a custom NIDS, you don't have to build low-level network code. If you decide to use libnids, you have the E-component ready and can focus on implementing the other parts of the NIDS. Changes: GNU autoconf support, code cleanup and new libnids(3) manpage, pcap_filter field in nids_params, bugfix in ip_check_ext(), Solaris support. Homepage here. By Nergal.
logcalls.c
Kernel module which logs specific system calls to a logfile. Tracks mkdir, rmdir, link, and open. Homepage here. By Pheisar.
logcheck-1.1.1.tar.g..>
Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail. Homepage here. By Craig Rowland.
logcheck-1.1.tar.gz
Logcheck will automatically monitor your system logs and mail security violations to you on a periodic basis. Freeware clone of the logcheck program shipped with the TIS Gauntlet Firewall system.
logcolorise-1.0.7.ta..>
Logcolorise is a PERL script to make your syslog generated log files much more legible by colourising them (context highlighting based on keywords). By Mike Babcock.
loginlog.c.gz
Tails the wtmp file and reports all logins to syslog.
logscanner-0.9b.tar...>
The purpose behind the log scanner is to enable a system administrator to set up a log parser that will contact them (or others) when predefined anomalies are discovered in a log file. web site.
logscanner-1.0.tar.g..>
Log Scanner is an email sending, pager beeping (eventually), module using, log parsing, perl script. Log Scanner web site.
logsurfer-1.41.tar.g..>
logsurfer is a log checking/auditing tool similar to swatch and logcheck but with the capability of handling multi-line messages and dynamically adapting the ruleset. It is written in portable C, well documented, fast, and flexible. It works on any textfile or stdin, can be run at intervals or continuously, and has timeouts and resource limits. Homepage here. By Wolfgang Ley.
logsurfer-1.5.tar.gz
logsurfer is a log checking/auditing tool similar to swatch and logcheck but with the capability of handling multi-line messages and dynamically adapting the ruleset. It is written in portable C, well documented, fast, and flexible. It works on any textfile or stdin, can be run at intervals or continuously, and has timeouts and resource limits. Homepage here.
logwatch-0.1.tgz
Logwatch provides a client/server architecture for viewing logfiles on multiple machines on a network. With a single daemon process running on each participating computer, logfiles can be tailed from any authorized machine. Multiple logfiles on multiple machines can be followed with a single client process by specifying the machines and files to follow. By Jeremy Weatherford.
logwatch-1.5.0.tar.g..>
LogWatch is a customizable, pluggable log-monitoring system. Easy to use and highly configurable. Now analyzes samba logs!
logwatch-1.5.1.tar.g..>
LogWatch is a customizable, pluggable log-monitoring system. Easy to use and highly configurable. Now analyzes samba logs!
logwatch-1.6.1.tar.g..>
logwatch v1.6.1 - Analysis of and report on system logs - LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems. Now analyzes samba logs! By Kirk Bauer.
logwatch-1.6.3.tar.g..>
See description above.
logwatch-1.6.4.tar.g..>
See description above.
logwatch-1.6.6.tar.g..>
LogWatch 1.6.6 is a customizable, pluggable log-monitoring system that analyzes and reports on system logs. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems. Now analyzes samba logs. Changes: fewer unmatched entries in 'secure' service, ftp-messages module prettier, name-lookups now optional for named module, added and improved ProFTPd module, much more. By Kirk Bauer.
lslk_1.25_W.tar.gz
Sorry, a description is unavailable.
lsof_4.37_W.tar.gz
Lsof is a Unix-specific diagnostic tool. It lists information about any files that are open by processes currently running on the system.
lsof_4.40_W.tar.gz
Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. Changes: Corrected problems with large device number handling for 64 bit Solaris 7, added more /dev/kmem-based Linux glibc evasions and some bugs have been fixed. By Vic Abell.
lsof_4.42_W.tar.gz
lsof 4.42 - Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. Changes: Patched an x86 stack overflow exploit found in 4.40, updated VM support in FreeBSD 4.0-CURRENT and added support for NetBSD's UVM, as well as additional patches for HP-UX, Solaris 2.6, DU 4.0, and support for Digital Unix 5.0 and OpenBSD 2.5. By Vic Abell.
lsof_4.43D_W.tar.gz
lsof 4.43 - Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. Changes: Corrects a typo in the gcc commentary of 00FAQ, corrects TCP address reporting for Solaris 2.5[.1], enhances Tru64 UNIX IPv6 support, corrects an HP-UX 11 q4 usage error message, fixes a GlibC 2.1 conflict in /proc-based Linux lsof, adds f_flag[s] as optional file structure output, improves the HP-UX 11 ipc_s patch test, fixes a real vnode to real inode bug in PTX and adds link count to the output as a filtered option. By Vic Abell.
lsof_4.43_W.tar.gz
lsof 4.43 - Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. Changes: Too many changes and bugfixes to mention here - read the 00DIST file for details. By Vic Abell.
lsof_4.45_W.tar.gz
lsof 4.45 - Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. Changes: Too many changes and bugfixes to mention here - read the 00DIST file for details. By Vic Abell.
lsof_4.47_W.tar.gz
Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. Changes: Fixed compilation on Solaris, hacks for HP/UX, Linux bugfixes. Homepage here. By Vic Abell.
lsof_4.48_W.tar.gz
Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. It is the single most powerful utility for inspecting running processes and determining which process is listening on which ports. Changes: IPv4/IPv6 fixes, adjustments to Linux /proc-based processing of the TCP and UDP /proc/net files, compile and bug fixes. By Vic Abell.
mat-0.17.tar.gz
MAT is a distributed monitoring and management tool for Linux, SunOS, and Solaris machines.
mat-0.18.tar.gz
MAT v0.18 - MAT is a distributed monitoring and management tool for Linux, SGI, SunOS, and Solaris machines. The tool provides an easy to use GUI from which the sysadmin, or a designated user, can administer many of the common UNIX configuration files. MAT can monitor many system parameters, producing usage graphs and triggering alarms. The current release of the tool can add, modify and delete: Users, Hosts, Groups, Mounts, Motd, DNS client config, Services, Aliases, Cron jobs, Syslog config, NFS exports, DNS records, and NIS maps. Monitoring functions allow you to inspect: Syslog files, Routing tables, disk space, exports and processes. MATd is a GUI configurable system monitoring daemon. It currently can monitor: Disk use, Network connectivity, CPU use, Run-queue, Logins, SMTP daemons, FTP servers and Required processes. On Linux machines it also produces graphs of memory and swap use. New to this release is the ability to discover all the parameters (memory, cpu, swap etc.) automatically. MATd can also run user provided scripts if a threshold is exceeded, notifying the administrator of potential problems. Key features: control many hosts from a single console, ability to delegate responsibility to others, monitor several system parameters for trend analysis, DNS and NIS servers are easily managed. New this release: hooks to allow users to extend the program, automatic discovery of parameters it can monitor, bug fixes, much more. 1727k. By S. Mark Black.
mat.lsm
Sorry, a description is unavailable.
md5-tool.tgz
If you have an md5 checksumming utility on your system, you can use these scripts for a "poor man's tripwire". These do several quick checks for archiving and security purposes. Homepage here. By Simple Nomad.
mom.tar.gz
System monitoring front end tool. By William Annis.
mon-0.37l.tar.gz
mon is an extensible service monitoring daemon which can be used to monitor network or non-network resources. Service monitors that come with the distribution can test for ping, telnet, ftp, smtp, http, nntp, pop3, imap, disk space, and SNMP queries.
mon-0.38.12.tar.gz
mon 0.38pre12 - "mon" is an extensible fault detection package which can be used to monitor network and system resources. It is most useful for system and network administrators who are responsible for maintaining the operation of networks of hundreds or possibly thousands of nodes. Changes: Too many new features, additions, code cleanups, and bugfixes to list; see the CHANGES file. mon-0.38.12.tar.gz.sign. By Jim Trocki.
mon-0.38.12.tar.gz.s..>
Sorry, a description is unavailable.
mon-0.38pre7.tar.gz
mon 0.38pre7 - "mon" is an extensible fault detection package which can be used to monitor network and system resources. It is most useful for system and network administrators who are responsible for maintaining the operation of networks of hundreds or possibly thousands of nodes. Changes: Changes to period behavior, trap enhancements, basedir support, and more. mon-0.38pre7.tar.gz.sign. By Jim Trocki.
mon-0.38pre7.tar.gz...>
PGP signature for mon 0.38pre7.
nannie-0.9.tar.gz
Nannie's basic purpose is to watch system files that should not be changed, at least in theory. It monitors them for changes in inode, size, etc., and notifies you if a change occurs. By Cole Tuininga.
nannie-1.0.tar.gz
Nannie's basic purpose is to watch system files that should not be changed, at least in theory. It monitors them for changes in inode, size, etc., and notifies you if a change occurs. New features: completely rewritten, now logs to syslog instead of sending email, can handle a directory in nannie.cfg (will parse all files in the directory), MUCH more error checking. By Cole Tuininga.
ncsfck.tar.gz
NCSfck v1.2.0 - NCSFCK creates a database of important files like "/bin/login". Run as a cronjob for maximum effectiveness. Monitors for backdoor(s) and other trojan(s). web site.
neped-libnet.tar.gz
Network Promiscuous Ethernet Detector, rewritten with Libnet/libpcap so it works on FreeBSD, OpenBSD, and Linux, possibly more. neped scans your subnet and detects promiscuous boxes that might be running sniffers or similar applications, using hacked ARPs (non-broadcast) that are only heard by promiscuous Ethernet interfaces. By CyberPsychotic.
neped.c
Network Promiscuous Ethernet Detector. neped scans your subnet and detects promiscuous Linux boxes that might be running sniffers or similar applications, using hacked ARPs (non-broadcast) that are only heard by promiscuous Ethernet interfaces. A reply to a hacked ARP exposes promiscuity (presumably a sniffer). Runs on Linux 2.x with GlibC or libc5. By Els Apostols.
netbusd.c
A UNIX clone of Netbuster for Windows 95. Logs people attempting to exploit netbus. By BigDawg.
netl-1.00.tar.gz
Network logger/sniffer suitable for TCP/IP over Ethernet and loopback. netl is capable of logging everything from pings to telnet, including low level IP like SYNs and RSTs.
netl-1.01.tar.gz
netl v1.01 is a network logger/sniffer suitable for TCP/IP over Ethernet and loopback. netl is capable of logging everything from pings to telnet, including low level IP like SYNs and RSTs. By Graham THE Ollis.
nettest-0.9.tar.gz
Nettest is a program which monitors a network connection, and takes some action (either email, audible notification, syslog entries, or all of the above) if/when the connection goes down. Changes: Supports multiple connections with separate parameters for each connection, automatically forks into background, and a few rcfile parameters have been changed. By Rene Chaddock.
nettest-1.0.tar.gz
nettest v1.0 is a program that monitors a network connection, and takes some action (either email, audible notification, syslog entries, or all of the above) if/when the connection goes down. Changes: Removed dependencies on external programs. More rcfile options for various configurable settings w/ almost foolproof defaults. More efficient ping code. Minor bug fixes. By Rene Chaddock.
nettest-1.1.tar.gz
nettest 1.1 - Nettest is a program which monitors a network connection, and takes some action (either email, audible notification, syslog entries, or all of the above) if/when the connection goes down. It's great for xDSL/Cable/Mission Critical Network Connections. Changes: Fixed bug where pingnumber exhibited other (unwanted) behaviour, fixed bug which caused nettest to crash under certain situations, more reliable email-sending code, added retrytime variable which allows nettest to try the connection more frequently when the connection is actually down. By Rene Chaddock.
nettest0.8.tar.gz
nettest v0.8 - Nettest is a program that monitors a network connection, and takes some action (either email, audible notification, syslog entries, or all of the above) if/when the connection goes down. 14k. By Rene Chaddock.
nettest0.81.tar.gz
nettest v0.81 - Nettest is a program that monitors a network connection, and takes some action (either email, audible notification, syslog entries, or all of the above) if/when the connection goes down. By Rene Chaddock.
netwatch0.7e.src.tar..>
Monitors an Ethernet and examines activity on the network.
nfr-mod.tar.gz
L0pht NFR IDS Modules - examples of how to implement IDS functionality with NFR. By L0pht Heavy Industries. Get your copy of Network Flight Recorder at Network Flight Recorder, Inc..
ng.sh
ng.sh (netgaurd v1a1) uses tcpdump to monitor for common attacks and then activates ipfwadm. By ben-z.
nocol-4.2.1.tar.gz
NOCOL(Network Operation Center On-Line)/SNIPS is a system and network monitoring software that runs on Unix systems and can poll network and system devices. It is capable of monitoring nameservers, web ports, host performance, syslogs, radius servers, BGP peers, etc. New monitors can be added easily (via a C or Perl API). By Netplex Technologies.
nodewatch-1.6.tar.gz
NodeWatch is an open source TCP/IP network monitoring tool written in Perl for UNIX.
ntop-1.0.src.tar.gz
ntop is a tool that shows the network usage, similar to top. ntop has optional web interface, supports many protocols, has log capability. ntop web site.
ntop-1.1-src.tar.gz
Sorry, a description is unavailable.
ntop-1.1.src.tgz
ntop v1.1 is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. Changes: numerous bugfixes, improved Linux support, ntop can now be run as daemon, many other enhancements. By Luca Deri and Stefano Suin.
ntop-1.1a4.tar.gz
ntop snapshot 1.1a4 - see description above.
ntop-1.1a5.tar.gz
ntop snapshot 1.1a5 - see description above.
ntop-1.1a6.tar.gz
ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Latest snapshot. By Luca Deri and Stefano Suin.
ntop-1.1a7.tar.gz
See description above.
ntop-1.1a9.tar.gz
ntop v1.1a9 snapshot - ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. Latest snapshot. By Luca Deri and Stefano Suin.
ntop-1.1cr0.tar.gz
ntop v1.1cr0 [Candidate Release #0] - ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. Latest snapshot, completely multi-threaded, semaphore utilization, asynchronous address resolution, bugfixes. By Luca Deri and Stefano Suin.
ntop-1.1cr1.tar.gz
ntop v1.1cr0 [Candidate Release #1] - ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. Latest snapshot, completely multi-threaded, semaphore utilization, asynchronous address resolution, bugfixes. 224k. By Luca Deri and Stefano Suin.
ntop-1.1cr2.tar.gz
See description above.
ntop-1.1cr3.tar.gz
ntop v1.1cr2 [Candidate Release #3] - ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. Latest snapshot, completely multi-threaded, semaphore utilization, asynchronous address resolution, bugfixes. By Luca Deri and Stefano Suin.
ntop-1.1cr4.tar.gz
See description above.
ntop-1.1cr6.tar.gz
Sorry, a description is unavailable.
ntop-1.1pre2.tar.gz
ntop v1.1pre2 is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. By Luca Deri and Stefano Suin.
ntop-1.2a0.tar.gz
ntop v1.2a0 is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. Changes: Added queso (http://www.apostols.org/) support. Now each host lists the OS that's *supposed* to run; Porting to Digital Unix OSF/1; Added support for RedHat 6.0 libpcap package; Added address cache (ntop.cache) for better performance; bugfixes and changes to html output. By Luca Deri and Stefano Suin.
ntop-1.2a1.tar.gz
ntop v1.2a1 is a Unix tool that shows the network usage, similar to what the popular top Unix command does. Has an interactive mode and a web mode for greater functionality and options, shows network traffic sorted according to various criteria, displays traffic statistics, shows IP traffic distribution among the various protocols, analyses IP traffic and sorts it according to the source/destination, displays IP Traffic Subnet matrix (who's talking to who?), reports IP protocol usage sorted by protocol type. Protocols recognized: TCP, UDP, ICMP, IPX, Decnet, AppleTalk, FTP, HTTP-IC (Internet Cache a.k.a. squid), DNS, Telnet, Netbios (including Netbios-over-IP), POP, SNMP, NFS, X11, DLC, RARP/ARP. Changes: the list of MAC vendors is now based on http://standards.ieee.org/regauth/oui/oui.txt; added support for 'special' (e.g. multicast/vendor-specific) MAC addresses; peer hosts now show up; traffic Thpt is now sorted properly; fixed compatibility glitches with SunOS 4; fixed bug that prevented the 'Last Contacted Peers' table from showing up on hosts that have received but not sent any packet. By Luca Deri and Stefano Suin.
ntop-1.2a10.tar.gz
ntop is a tool that shows the network usage, similar to what the popular Unix command top does. ntop can be used in either interactive or web mode. In the first case, ntop displays the network status on the user's terminal, whereas in web mode a web browser (e.g. netscape) can attach to ntop (which acts as a web server) and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface. Changes: A fix for a buffer overflow caused by long URL requests, and many new enhancements. Homepage here. By Luca Deri.
ntop.pdf.gz
Draft paper concerning the ntop network usage tool. By Luca Deri and Stefano Suin.
nwho-0.1.0.tar.gz
nwho is an integrated rwho with a GUI to help monitor who is logged in and verify that they are who they should be. By James Wilson.
osiris-1.2.0.tar.gz
Osiris file integrity checker, Unix version. Osiris catalogs specified directories of files, including MD5 hashes, modification dates, and file attributes, into a specified database and/or to STDOUT as directed. The second program, scale, compares two such databases against each other. It will output, either to a file or STDOUT, any differences it finds between the two catalogs, including missing or additional files, differing MD5 hashes, modification dates, and file attributes. Together, the two programs give an administrator the tools to follow changes in files on a server or workstation. This keeps an administrator apprised of possible attacks and/or nasty little trojans. Changes: The new version has a 50% increase in speed due to code optimization. 1.2.0 logs all SUID/SGID files and notes any changes in SUID/SGID status from previous indices. A few miscellaneous flags have been added to make Osiris cron-friendly. Homepage here. By The Schmoo Group.
osiris-1.3.0.tar.gz
Osiris catalogs specified directories of files, including MD5 hashes, modification dates, and file attributes, into a specified database and/or to STDOUT as directed. The second program, scale, compares two such databases against each other. It will output, either to a file or STDOUT, any differences it finds between the two catalogs, including missing or additional files, differing MD5 hashes, modification dates, and file attributes. Together, the two programs give an administrator the tools to follow changes in files on a server or workstation. This keeps an administrator apprised of possible attacks and/or nasty little trojans. Changes: MacOSX support, addition of Haval and SHA hashes, a counter to let you know how far along osiris is when indexing files. Homepage here. By The Schmoo Group.
overcr-1.49.01.tar.g..>
OverCR 1.49.01 - OverCR is a simple system monitoring tool that utilizes a simple language for queries. It is designed as a GPL'd program similar to the popular (and non-GPL) Big Brother Monitoring system. Changes: First 1.50 beta featuring new config-file based configuration. "System Monitoring is an important and expensive task. Fortunately free tools such as Big Brother have become available. Unfortunately these tools are not free in the GNU sense. In addition the shell script format of Big Brother leaves something to be desired in my opinion. Therefore I've started writing Over-CR, a GPL Network Monitoring software." -- Eric Molitor. By Eric Molitor.
overcr-1.49.02.tar.g..>
OverCR 1.49.02 - OverCR is a remote systems monitoring tool that utilizes a simple language for queries. It is designed as a GPL'd program similar to the popular (and non-GPL) Big Brother Monitoring system. Changes: Configuration file support completed, minor documentation fixes, minor cleaning and formatting of source. By Eric Molitor.
portmap_4.tar.gz
Replacement portmapper with access control. Makes it somewhat harder to attack your RPC daemons, for example to steal YP password maps or NFS file handles. Must be linked against a library produced with a recent tcp wrapper release (see above). Tested with SunOS 4.1.x. Also supports HP-UX 9.0, AIX 3.x (bsdcc compiler with -D_SUN), AIX 4.x and Digital UNIX (OSF/1). If you run SunOS 4, the securelib library (see above) is better because it can also cope with direct attacks on your RPC daemons (i.e. attacks without assistance from portmap).
portmap_5beta.tar.gz
See above.
portsentry-0.61.tar...>
PortSentry v0.61beta is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. There are other port scan detectors that perform similar detection of scans, but PortSentry has some unique features that may make it worth looking into: Runs on TCP and UDP sockets to detect port scans against your system. PortSentry is configurable to run on multiple sockets at the same time so you only need to start one copy to cover dozens of tripwired services. Stealth scan detection (Linux only right now). PortSentry will now detect SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans. Four new stealth scan operation modes have been added to greatly increase the power of this package. PortSentry will react to a port scan attempt by blocking the host in real-time. This is done through configured options of either dropping the local route back to the attacker, using the Linux ipfwadm command, *BSD ipfw command, and/or dropping the attacker host IP into a TCP Wrappers host.deny file automatically. PortSentry has an internal state engine to remember hosts that connected previously. This allows the setting of a trigger value to prevent false alarms and detect "random" port probing. PortSentry will report all violations to the local or remote syslog daemons indicating the system name, time of attack, attacking host IP and the TCP or UDP port a connection attempt was made to. When used in conjunction with Logcheck it will provide an alert to administrators through e-mail. By Craig H. Rowland.
portsentry-0.90.tar...>
PortSentry 0.90 - PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. It runs on TCP and UDP sockets and works on most UNIX systems. Advanced stealth detection modes are available under Linux only and detect SYN, FIN, NULL, XMAS, and Oddball packet scans. All modes support real-time blocking and reporting of violations. Changes: Renamed from Abacus Sentry to PortSentry, lots of internal code clean up and optimizations, Docs updated and it now works under Solaris, Linux, BSD variants and others. portsentry.sample.txt. By Craig Rowland.
portsentry-1.0.tar.g..>
PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. It runs on TCP and UDP sockets and works on most UNIX systems. Advanced stealth detection modes are available under Linux only and detect SYN, FIN, NULL, XMAS, and Oddball packet scans. All modes support real-time blocking and reporting of violations. Changes: Correct ignoring of hosts, and a Y2K fix for log file output, using a four-digit year. This doesn't affect PortSentry, but may affect programs that look at the log files it generates. Homepage here. By Craig Rowland
portsentry.sample.tx..>
Sorry, a description is unavailable.
qps-1.4.4.tar.gz
Qps - Visual Process Manager. X11 version of "top" or "ps" that displays processes in a window and lets you sort and manipulate them.
qps-1.5.tar.gz
Qps v1.5 - Qps is a visual process manager, an X11 version of "top" or "ps" that displays processes in a window and lets you sort and manipulate them. Qps can: change nice value of a process, alter the scheduling policy and soft realtime priority of a process, display the TCP/UDP sockets used by a process, and names of the connected hosts, display the memory mappings of the process (which files and shared libraries are loaded where), display the open files of a process, kill or send any other signal to selected processes, display the load average as a graph, and use this as its icon when iconified, show (as graph or numbers) current CPU, memory and swap usage, sort the process table on any attribute (size, cpu usage, owner etc), and does much, much more. UNIX domain sockets are visible in the Files table, SMP support. Very nice GUI. Requires Qt library 1.40 or later and Linux 2.0 or later, or Solaris 2.5.x. By Mattias Engdegard.
qps-1.6.2.tar.gz
See description above.
qps-1.6.3-static.gz
qps v1.6.3-static: Qps is a visual process manager, an X11 version of "top" or "ps" that displays processes in a window and lets you sort and manipulate them. Static binary of alpha code. By Mattias Engdegard.
qps-1.6.3.tar.gz
See description above.
qps-1.6.4.tar.gz
qps 1.6.4 - Qps is a visual process manager, an X11 version of "top" or "ps" that displays processes in a window and lets you sort and manipulate them. Changes: Compile error fixed and tiny tweak in proc.C (skip unused fields). Source code. Requires Qt library 1.40 or later. By Mattias Engdegard.
qps-1.6.6.tar.gz
qps 1.6.6 - Qps is a visual process manager, an X11 version of "top" or "ps" that displays processes in a window and lets you sort and manipulate them. Changes: Limited Solaris 2.6 support (no sockets listing; several fields missing). Source code. Requires Qt library 1.40 or later. By Mattias Engdegard.
qps-1.6.7.tar.gz
qps 1.6.7 - Qps is a visual process manager, an X11 version of "top" or "ps" that displays processes in a window and lets you sort and manipulate them. Changes: replaced delete with delete[] in proc.C and fixed another Linux segfault. Source code. Requires Qt library 1.40 or later. By Mattias Engdegard.
qps-1.6.8.tar.gz
qps 1.6.8 - Qps is a visual process manager, an X11 version of "top" or "ps" that displays processes in a window and lets you sort and manipulate them. Changes: TTY field width made variable (mostly for Solaris) and Linux cpu usage bug fixed. Source code. Requires Qt library 1.40 or later. By Mattias Engdegard.
qps-1.6.tar.gz
Qps v1.6 - See description above.
qps-1.7.tar.gz
See description above.
review-1.5.tar.gz
Sorry, a description is unavailable.
rkdet-0.51.tar.gz
Rkdet is a small daemon intended to catch someone installing a rootkit or running a packet sniffer. Homepage here. By Andrew Daviel
rpc_gotcha_beta1.0-S..>
Rpc_Gotcha is a network based intrusion detection tool for detecting rpc based scans and attacks (buffer overflows). The program will passively sit on the network perimeter and process packets while analyzing the rpc message data payload looking for signs of a possible attack. Rpc_Gotcha will log all rpc calls made to the network and display payload data for possible attacks. By Chad Renfro.
rpc_gotcha_beta1.1.t..>
Rpc_Gotcha is a network based intrusion detection tool for detecting rpc based scans and attacks (buffer overflows). The program will passively sit on the network perimeter and process packets while analyzing the rpc message data payload looking for signs of a possible attack. Rpc_Gotcha will log all rpc calls made to the network and display payload data for possible attacks. Changes: This version has some major bug fixes, including memory leaks and signature issues. It will also read tcpdump capture files in a batch mode. Homepage here. By Chad Renfro.
rpcbind_1.1.tar.gz
Replacement rpcbind program that disallows bypassing of NFS export restrictions.
samhain-0.4.tar.gz
Samhain is a tool for verifying the integrity of files. It uses the TIGER message digest algorithm to generate a database for files and directories listed in the configuration file. After initializing the database, samhain can run as a background process, performing checks at user-defined intervals. Results can be written to a log file and/or forwarded to another host by e-mail. Log file entries are signed to prevent tampering. The current version is tested on Linux only. Homepage here. By Rainer Wichmann
samhain-0.5.tar.gz
Samhain is a tool for monitoring the integrity of files on a single machine as well as on a network. It is easy to configure and maintains a single database (per host) for storing the signatures of files. Samhain is designed to be run as a background process, checking files periodically against the database. Reports can be written to a signed, tamper-resistant log file, and/or sent offsite by e-mail. To monitor several machines and collect data by a central log server, samhain may be used as a client/server application. For the paranoid, a 'stealth' option is available. Changes: Added a client/server mode and a stealth option. Several bug fixes and portability fixes. Homepage here. By Rainer Wichmann
samhain-0.6.tar.gz
samhain is a distributed host integrity monitoring system. It consists of monitoring agents running on individual hosts, and a central log server collecting reports from these agents via authenticated TCP/IP connections. On single hosts, it is possible to run a standalone monitoring agent. Currently, agents may monitor the integrity of files and directories, and watch for login/logout events. In addition to forwarding reports to the log server, other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, Unixware 7.1.0, and Solaris 2.6. Changes: A module to watch for login/logout events has been added, deleted files are recognized now, a race condition has been fixed, write permission to critical files is checked more strictly, logging thresholds have a more syslogish syntax, messages are queued for delivery during temporary mail delivery failures and log server downtimes, some minor bugs have been fixed, and a test script has been added for better testing. New DB format. Homepage here. By Rainer Wichmann
scanlogd.c
Example port scan detection tool. Pseudo code.
scanpromisc.c
REMOTE promiscuous ethernet detector. For Red Hat 5.x. By Savage of El Apostols.
scotty-2.1.9.tar.gz
Powerful network editor/monitor that can understand SNMP, ICMP, DNS, HTTP, SUN RPC, NTP and UDP protocols. Tcl/Tk.
seclogv03.tar.gz
Seclog (security logger) is a log auditing tool written in Perl. It will watch /var/log/messages for suspicious information and notify you via email. Changes: Major rewrite, all system calls have been removed, works much faster now, more secure, saves backups of the reports/mails it creates. Homepage here. By Dilusi0n
securelib.tar.gz
Protect your RPC daemons against unauthorized access. Shared library for SunOS 4.1 and later.
secureworx0_7-B1.sh
Secure Worx (TM) Network Intrusion Detection System - The intrusion detection system is a network based system that performs high-speed traffic analysis of the content and context of a network packet to detect unauthorized traffic in real-time. It has inexpensive hardware and OS requirements. The intrusion detection system runs on an Intel Pentium class compatible processor with a 10/100 Ethernet card running the Linux OS with kernel 2.2 and above with a configured TCP/IP stack. The installation process involves running an installation script that asks a few simple questions. It is then a simple matter of starting the software and your network is then searched for anomalous activity. Homepage here. By Secure Worx
sentinel-1.2.0.tar.g..>
Sentinel is a fast file/drive scanning utility similar to the Tripwire and Viper.pl utilities available. It uses a database similar to Tripwire, but uses a RIPEMD-160bit MAC checksumming algorithm (no patents) which is more secure than the patented MD5 128 bit checksum. It should run on most unixes (tested on redhat linux v6.0 & v5.2, slackware linux v3.x & 4.xb and IRIX (v5.2 and v6.x)). Several other utilities which are used for Sentinel development are also posted here. Most utilities are included with the sentinel tarball. gSentinel is a graphical front-end to sentinel. Newbies should download gSentinel as it comes with a very simple rpm based installation and offers a friendly interface. Beware that gSentinel is currently under development and may be fairly crude compared to most GUI packages. Homepage here.
sfck.tar.gz
Sfck is a program that locates file changes on your linux system. It keeps a database which you can put on a read-only disk to make sure no changes take place from a hacker/intruder. When a file change is detected it mails root. By Vision.
shadow.setup.readme
SHADOW setup and intro file.
sherpa-0.1.3.tar.gz
sherpa is a tool for configuring and then checking system security via the console. Written in perl, it allows an admin to maintain a custom database of file and directory permissions and ownership attributes as local needs dictate. Any changes from the prescribed layout will be detected each time sherpa is run. Also, sherpa does some basic system checks (world-writable files, .rhosts and hosts.equiv files, etc.) that help the busy admin keep on top of a system. Homepage here. By Rick Crelia.
sherpa-0.1.4.tar.gz
sherpa is a tool for configuring and then checking system security via the console. Written in perl, it allows an admin to maintain a custom database of file and directory permissions and ownership attributes as local needs dictate. Any changes from the prescribed layout will be detected each time sherpa is run. Also, sherpa does some basic system checks (world-writable files, .rhosts and hosts.equiv files, etc.) that help the busy admin keep on top of a system. Changes: Sherpa now checks for shadow passwords, parses inetd.conf to look for use of tcp_wrappers, and verifies perms.lst for RedHat 6.1. Homepage here. By Rick Crelia.
slipwire-1.4.tar.gz
slipwire.pl is a filesystem integrity checker. It compares the SHA-1 hashes of files to an initial state and alerts the user of any changes. slipwire also records extensive file information such as inode number, last-modified date, filesize, uid, gid, etc, and can also report changes in any of these. Changes: SHA hash of file database is returned when database is created, Quiet output by default, md5's are in the readme. Homepage here. By James Quinby
slipwire.1-2.tar.gz
slipwire.pl is a simple filesystem integrity checker. It compares the SHA-1 hashes of files to an initial state and alerts the user of any changes. Changes: A fix for a bug in the iteration count when comparing files to hashes, a quick reader script for dumping the contents of the DBM file, an example file list, and a tidied-up README. Homepage here. By James Quinby
slipwire.1-3.tar.gz
slipwire.pl is a filesystem integrity checker. It compares the SHA-1 hashes of files to an initial state and alerts the user of any changes. slipwire also records extensive file information such as inode number, last-modified date, filesize, uid, gid, etc, and can also report changes in any of these. Changes: Extension of information gathered on indexed files, comparisons made to inode, last-modified, etc in addition to SHA signatures, tightening up of the Perl code, and elimination of calls to the shell. Homepage here. By James Quinby
slocate-1.4.tar.gz
Indexes files and keeps record of permissions, ownership, location. By Kevin Lindsay.
slocate-1.5.tar.gz
Secure Locate 1.5 - Secure locate provides a secure way to index and quickly search for files on your system. It uses incremental encoding just like GNU locate to compress its database to make searching faster, but it will also store file permissions and ownership so that users will not see files they do not have access to. It is a bit slower than the GNU locate, but that's the price for security. Changes: A couple of bug fixes but mostly new features. You can now search using basic POSIX regular expressions. It should also be noted that Redhat 6.0 has switched from GNU Locate to Secure Locate as the default filesystem indexing/searching mechanism. By Kevin Lindsay.
slocate-1.6.tar.gz
Secure Locate 1.6 - Secure locate provides a secure way to index and quickly search for files on your system. It uses incremental encoding just like GNU locate to compress its database to make searching faster, but it will also store file permissions and ownership so that users will not see files they do not have access to. It is a bit slower than the GNU locate, but that's the price for security. Changes: Optimized some code to make updating the database much faster, patched to allow smoother installation on FreeBSD, and some other minor bug fixes. By Kevin Lindsay.
sniffer_detector.let..>
Whitepaper by IBM that discusses basic sniffer detector concepts. IBM Security ITS '98.
sockstat.c
SocketStat v1.0 - by Richard Steenbergen and Drago. Inspired by dreams, coded by nightmares. Nifty way to find which processes are using what sockets, Can be used to detect users who clone on irc, connect where they shouldn't (bots on non-bot servers), are running hidden servers, etc.
spar-1.2.tar.gz
'spar' is used to select records from a UNIX process accounting file. It is usually faster than most 'lastcomm's and significantly more flexible and powerful. Homepage here.
spong.tar.gz
System monitoring package coded in perl. Monitors clients, networks, host groups, and displays info via web interface.
step.htm
Eight Steps to A Working Intrusion Detection System - The SANS Institute. Preface and instructions for STEP package below.
step.tar.gz
SHADOW: comprehensive network monitoring/analysis/intrusion detection software. 4.2MB. For UNIX. By SANS' Cooperative Intrusion Detection Evaluation and Response (CIDER) Project.
stjude-0.4.tgz
StJude is an attempt to monitor the flow of privilege in my Solaris boxes. It tries to detect privilege violations or improper transitions (i.e. stack smashing, or other local root exploits) by watching audit trails. By Tim Lawless
suidshow.c
suidshow.c is a linux lkm that will log any non-root user doing a setuid(0) or a setreuid(0,0) system call. CyberPsychotic, K.A.L.U.G.
swatch-2.2.tar.Z
Monitor logfiles, scan for specific entries in the log file, and take the action you have determined. Use with tcp_wrappers for excellent monitoring system.
swatch-2.2.tar.gz
See above.
swatch-3.0b1.tar.gz
Sorry, a description is unavailable.
swatch-3.0b4.tar.gz
Swatch ("Simple WATCHdog") is a program for UNIX system logging, originally written to actively monitor messages as they are written to a log file via the UNIX syslog utility. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur. Changes: Fixed the examine switch, added continue and quit actions, Fixed parsing of "throttle" setting, bug fixes. Homepage here. By Todd Atkins
sxid-secure.gz
sXid Secure is an all in one suid/sgid monitoring script written in perl. By Ben Collins.
sxid_3.2.4.tar.gz
sXid 3.2.4 - sXid is an all in one suid/sgid monitoring program designed to be run from cron on a regular basis. Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes in an easy to read format via email or on the command line. Changes: Minor bugfixes and a new IGNORE_DIRS option. By Ben Collins.
sxid_3.2.5.tar.gz
sXid 3.2.5 - sXid is an all in one suid/sgid monitoring program designed to be run from cron on a regular basis. Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes in an easy to read format via email or on the command line. Changes: added option to specify other than the default mail program, patch to make use of TMPDIR if set. By Ben Collins.
sxid_4.0.0.tar.gz
sXid 4.0.0 - sXid is an all in one suid/sgid monitoring program designed to be run from cron on a regular basis. Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes in an easy to read format via email or on the command line. Changes: numerous - see the changelog file. By Ben Collins.
syn.pl
tcpdump script which detects network activity - designed specifically to detect new "stealth and undetectable" nmap v2.00-2.01 scans (TCP, SYN, FIN, Frag, Xmas, Null, and UDP, etc...). By Programmaton, Gestion et Consultation, Informatique, INC..
sysmon.pl
This script, run on a regular (daily) basis, keeps tabs on root accounts and set[ug]id root files.
sysmon.tar
This script, run on a regular (daily) basis, keeps tabs on root accounts and set[ug]id root files.
tailbeep-0.2.tar.gz
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall.) Homepage. By Tommy.
tailbeep-0.3.tar.gz
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall.) Changes: Speech (through speechd) and a debug option. Homepage here. By Tommy.
tailbeep-0.41.tar.gz
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall.) Changes: The Ability to specify a message to speak instead of the line in the watched file (using -p), the old -p has been moved to -P to speak the line in the file, and the -V (version) and -S (sleep time) options have been added. Homepage here. By Tommy.
tailbeep-0.43.tar.gz
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. I wrote it so I could watch /var/log/messages for the DENY string (so I can tell if someone is trying to break into the firewall). Changes: Added -F (frequency) and -M (milliseconds) option, added -x "command" option, cleaned up the help screen, and you can use -p and -P at the same time now if you want both the entire line and a predefined message. Homepage here. By Tommy.
tcp_wrappers_7.6.BLU..>
Blurb for tcp_wrappers_7.6.tar.gz
tcp_wrappers_7.6.tar..>
Wietse Venema's tcp wrapper. The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.
tcpreplay-1.0.1.tar...>
Tcpreplay v1.0.1 - Tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically-generated artificial traffic which doesn't exercise the application/protocol inspection that a NIDS performs, and doesn't reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.
thor1.0.tar.gz
thor.pl 1.0 - thor.pl keeps tabs on suid and sgid files on your file system. It also keeps track of the checksums of your binaries and the root accounts on the system as well as a few other things. It's a handy script that helps you find possible security risks, or breakins. By Jerry Kilpatrick.
tmp-audit-0.3.tar.gz
tmp-audit is a simple tool designed to monitor a directory and log changes (e.g. /tmp). New file size, variable refresh, and header beep options in this release. By Proof Of Concept.
tmp-audit-0.4.tar.gz
tmp-audit is a simple tool designed to monitor a directory and log changes (e.g. /tmp). Changes: added -w option (dump file content), fixed some stuff in tmp-audit.h. By Proof Of Concept.
tmp-audit.tar.gz
tmp-audit is a tool designed to log directory changes (e.g. /tmp). This release includes a signal-oriented interface instead of sleep(). By Proof Of Concept.
tocsin116.tar.gz
tocsin is a basic IDS that uses packet filtering to warn against possible attacks against specified services. It basically watches the local network for SYN connections to certain services, and sends notification. Solaris 2.x, possibly others. Homepage here.
top-3.5beta6.tar.gz
A Top-CPU Usage Display. By William LeFebvre.
top-3.5beta9.tar.gz
Top - A Top-CPU Usage Display provides a rolling display of top-CPU using processes on a Unix system. It also displays other information about the overall health of the system, including load averages and memory utilization. Numerous portability patches and optimizations in this release. By William LeFebvre.
traffic-vis-0.30.tar..>
traffic-vis v0.30 - traffic-vis is a network monitoring/auditing tool that can plot communications between hosts on a TCP/IP network, and quickly answer questions such as Who is saturating your Internet link. This version is a major rewrite, splitting the program up into several smaller tools. 40k. By Damien Miller.
traffic-vis-0.31.tar..>
Sorry, a description is unavailable.
traffic-vis-0.32.tar..>
See description above.
traffic-vis-0.34.tar..>
See description above.
trafshow-1.3.tar.gz
Ncurses based IP traffic monitoring software.
treeps-1.1.0.tar.gz
treeps 1.1.0 - Treeps is an X/Motif program for Unix/Linux that is designed to make monitoring and interacting with the running programs on your system easy and intuitive. A "real time" tree view shows the relationships between the processes and is color coded to provide easy interpretation of various values. The process tree displays any combination of users/groups and can be used to drill down into process details and then extract key fields for continuous monitoring. Changes: Process Activity "LED's" to show state/load/priority, leader bars to show group/session leaders, process tips for mouseover glances at key process info, many icon bar changes, color icons, larger and more icons, much more linux info, better user/group selection from group/user tree dialog, std. usage of colors, better auto sizing of window, many layout changes (esp. star layout), RPM packages, KDE install script, man/strace/renice processes, renice subtree, single click kill, and many bug fixes. By George MacDonald.
triplight.tar.gz
Triplight 0.01 - Triplight is an intrusion detection and integrity monitor system. It is a simpler version of tripwire, developed in perl. This release is rather unpolished (you need to hack up a crontab file, and to set a file path in the perl source), but fully functional. To accomplish its design goals, it reads in a list of files stored in flat ASCII, and uses md5sum to check their integrity against that recorded earlier in a database. If the database is placed on a read-only medium such as a write-protected floppy, then it should provide an infallible record against remotely installed trojan horses. Thus by monitoring the integrity of the system, triplight will serve as an aid in intrusion detection. Homepage here. By Snupe
tripwall.tar.gz
Tripwall is a Tripwire clone developed for use with the Linux Router Project. Homepage here. By Colin Lee
tripwire-1.2.tar.gz
Tripwire creates a signature of binary files, and then checks to see if these files have been modified. Track binary file mods.
tripwire-1.30-1.linu..>
Tripwire v1.30-1 for Linux - Tripwire detects any variance in file integrity. This version has been "optimized" for Linux. By Tripwire Security Systems.
tripwire-1.30-1.tar...>
Tripwire v1.30-1 - Intrusion Detection Security Tool for UNIX platforms.
trojan.pl
Perl script that searches for trojan horses installed on system.
trojan.tar
Sorry, a description is unavailable.
ttysnoop-0.12c.tar.g..>
The package allows you to snoop on login tty's through another tty-device or pseudo-tty. The snoop-tty becomes a 'clone' of the original tty, redirecting both input and output from/to it.
ttysnoop-0.12d.tar.g..>
TTYSnoop allows you to snoop on login tty's through another tty-device or pseudo-tty. The snoop-tty becomes a 'clone' of the original tty, redirecting both input and output from/to it. Changes: Cleanups/updates for compilation on newer Linux systems, such as RH5. By Carl Declerck
twpatch-0.2.tgz
Patches to run Tripwire 1.2 on Linux. Tripwire 1.2. By CERIAS/COAST.
unix.zip
Sorry, a description is unavailable.
viperdb_v0.9.1.pl.tx..>
ViperDB was created as a smaller and faster option to Tripwire. ViperDB does not use a fancy all-in-one database to keep records. Instead it uses a plaintext db which is stored in each "watched" directory. By using this there is no real single attack point for an attacker to focus his attention on. This, coupled with running ViperDB every 5 minutes (via a root cron job), decreases the likelihood that an attacker will be able to modify your "watched" filesystem while ViperDB is monitoring your system. Changes: Added ignore-file functionality, which allows the user to specify files to ignore. Updated code works better on solaris; updated ls options to lAcr for solaris instead of the standard laAs. Permissions code split out into owner, group, and all perms. Homepage here. By J-Dog
watchdog-4.0.tar.gz
A software watchdog (i.e. Automatic reboot daemon).
watchdog-4.1.tar.gz
A software watchdog (i.e. Automatic reboot daemon).
watchdog-4.2.tar.gz
watchdog is a daemon that monitors system processes and loads, and will automatically reboot a server if the load rises above a defined level. Very useful tool. 98k. By Michael Meskes.
watchdog-4.3.tar.gz
See description above.
watchdog-4.4.tar.gz
watchdog is a daemon that monitors system processes and loads, and will automatically reboot a server if the load rises above a defined level. Very useful tool. By Michael Meskes.
watchdog-4.5.tar.gz
watchdog is a daemon that monitors system processes and load, and will automatically reboot a server if the load rises above a defined level. Very useful tool. By Michael Meskes.
watcher.c
Network monitoring tool - detect rogue incoming packets indicative of potential attacks.
watchfile-0.9.tgz
Watchfile will display a list of specified files on the screen and continually update their stats. The stats displayed (i.e. file size, modification time, owner, etc.) can be configured on the command line, along with the update frequency. Homepage here. By Nick 'Zaf' Clifford.
watchfile-1.0.tgz
Watchfile will display a list of specified files on the screen and continually update their stats. The stats displayed (i.e. file size, modification time, owner, etc.) can be configured on the command line, along with the update frequency. Changes: Finally out of beta. The ability to change the order of the displayed columns has been added. Many bugs fixed. Homepage here. By Nick 'Zaf' Clifford.
websec10.tar.gz
Web Secretary is web page monitoring software. By Homemade Software.
whowatch-1.0.5.tar.g..>
whowatch 1.0.5 - Whowatch is an ncurses who-like utility which displays information about the users currently on the machine in real time. Besides standard information (login name, tty, host, user's process) you can see the connection type (i.e. telnet or ssh). Changes: Added the ability to toggle the display between processes and users' idle time, added a 'local' login type, better response to key presses, and several bugfixes. By Michal Suszycki.
whowatch-1.0.tar.gz
whowatch v1.0 is an ncurses who-like utility that displays information about the users currently on the machine in real time. Besides standard information (login name, tty, host, user's process) you can see the connection type (i.e. telnet or ssh). Initial release. 4k. By Michal Suszycki.
whowatch-1.3.1.tar.g..>
Whowatch is an interactive utility that displays information about the users currently on the machine in real time. Besides standard information (login name, tty, host, user's process) you can see the connection type (i.e. telnet or ssh). You can also watch the process tree, navigate it, and send INT and KILL signals. Ncurses ASCII graphics. Changes: Man page update, rpm package available, small bug fixes. Homepage here. By Michal Suszycki.
whowatch-1.3.tar.gz
Whowatch is an ncurses who-like utility that displays information about the users currently logged on to the machine, in real time. Besides standard information (login name, tty, host, user's process), the type of connection (i.e. telnet or ssh) is shown. You can toggle the display between users' commands and idle time. You can also view the process tree and send INT and KILL signals.
wipl-990104.src.tar...>
wipl v990104 - The wipl program package collects statistics on how much traffic each network card transfers on a LAN segment, or through certain routers or servers. The package contains a daemon which collects and processes the information for network monitoring and realtime statistics. By Christian Worm Mortensen.
wipl-990221.src.tar...>
See description above.
wsm-0.9.5.tgz
WSM: Web based System Monitor v0.9.5 is a Web accessible System Monitor for Linux featuring: Kernel (uname,lsmod,cpuinfo,free), Syslog (syslog, messages), Users (who), Jobs (ps -axjf), Disks (mount, df), Network (netstat -n), Routes (route -n), ISDN (imontty), VBox (vboxadm), IP Accounting (acct). By Dirk G.K. Mueller.
xlogmaster-1.4.4.src..>
Xlogmaster is a program that lets you monitor an almost infinite number of logfiles and all devices that can be read via "cat" like the /proc ones.
xlogmaster-1.6.0.tar..>
Xlogmaster 1.6.0 is a program that lets you monitor everything that's going on on your system in a very quick and comfortable way. It allows reading logfiles or devices, or running status-gathering programs, optionally translating all data and displaying it with filters for highlighting / lowlighting / hiding lines, or taking actions upon user-defined events. Filters allow lines to be raised, lowered or hidden. Because it uses the GTK+ toolkit and is fully configurable at runtime, the user can modify the appearance of xlogmaster to whatever fits his desktop best. Changes: Complete "Customize" menu rewrite, plugin support, GTK+ 1.2.0 compliant, the EXEC lines now allow pipes, keyboard accelerators for entries and for the menu, support for a system-wide entry database and for a personal entry database, now catches logfile rotation, and a new mode (RUN) that allows execution of any program to gather information about the system and evaluate its stdout and stderr. Excellent program! Compiles and runs on just about every flavor of UNIX/Linux. Too many features to list here, so check out the Xlogmaster web site. By Georg C. F. Greve.
xnetsentry-1.0.tgz
Network sentry tool; uses libpcap.
xnetsentry-1.1.tgz
Network sentry tool; uses libpcap.
xnetup-1.1.tar.gz
Network monitoring tool in perl. By Pierre David.
xwatch-0.1.0.tar.gz
Xwatch is a tool to monitor one or several files (especially syslogs), optionally parsing the output, and displaying it in an X window. Requires GTK+.
ywho-1.9.tar.gz
ywho v1.9 is a who-type utility displaying not only who is logged in, but also general system information and the commands run by the users. Includes an rwhod replacement with a central server, allowing user information to be gathered across routers. By Martin Mares.