Tools Developed, Supported, Sponsored and/or Released by KoreLogic

Below are some of the tools that KoreLogic staff have developed and released as open source (under GPLv2, BSD, or a dual license; contact us if you need clarification for any particular tool).

Miscellaneous Tools

ddp [md5] [sign] [sign-key] - DDP, short for Dd-Delta-Patch, is a tool for diffing and patching equal-sized dd(1) images. It was written as a companion to dd(1), and its purpose is to reduce the amount of storage required to maintain multiple snapshots of a given partition or disk image. Note: Version 1.0.0.ds29 is a development release.

klogtail [md5] [sign] [sign-key] - KLogTail is a log file tailing program designed to work on UNIX and Win32 platforms. This tool was inspired by Craig Rowland's logtail.

probe_summ [sign] - A perl script to summarize Linux firewall logs: it shows the top N ports being scanned, the top destination IPs being scanned, the top source IPs sending traffic that is being blocked, and the hours during which the most packets were dropped. It should work for logs from both ipchains and iptables Linux boxes; you may have to tweak some of the tunables depending on how your firewall rules are set up.

tallyho [md5] [sign] [sign-key] - TallyHo is a libpcap-based sniffer program that counts (or tallies) various traffic attributes such as protocol/port/type distributions and byte counts.

weblogicdecode [sign] - WebLogic servers in Cluster mode leak the IP addresses of the backend servers in their session cookies. For some versions of WebLogic, you can manipulate this cookie and trick the webserver into port-scanning the backend network for you. This script decodes a number of different WebLogic cookie formats (they have changed with different WL versions).

www-version-harvest [sign] - Given a starting URL, this script finds/guesses all webservers linked off that page, and grabs the Server: token from each (webserver software and version information). Useful for "taking the temperature" of a project's mirror servers: if a large percentage of them are running old, vulnerable webserver versions, you should be more suspicious of the software you download from any of them, especially if the project does not PGP-sign its releases.

yaas [sign] yaas.cfg.sample [sign] imap-login [sign] - Yet Another Auth-before-Something. Watches syslogs of imapd logins and dynamically adds/removes /etc/hosts.allow entries to allow access to other services, such as smtp, sshd, etc. (You need to create /etc/hosts.deny entries with ALL for each service for which you are using yaas to build /etc/hosts.allow entries.) Also included is a small shell script to manually log in over IMAP-SSL, if you want to "register" your IP in the hosts.allow file without actually using a mail client.

Dragon IDS Tools

check_dragon [sign] - A shell script that checks on the status of Dragon sensor, replicator, and policy-management processes and connections, and restarts Dragon if things do not look right. This has been sufficient to catch the error states we've seen most often on our sensors. Suitable to be run from cron or via WebJob.

dbcat [sign] - A perl script which reads a Dragon .db binary format log file and spits out dragon.log style text output (suitable to feed to alarmtool, SQL-import tools, etc), or prints out any readable packet data, suitable for doing tail -f dragon.db | dbgrep "something" | dbcat to watch sessions in real time.

dbgrep [sign] - A perl script which reads a Dragon .db binary format log file, applies filters (similar to grep, or the Dragon 'drep' tool) and spits out a filtered .db binary format log file. Capable of filtering on source or dest IP or port, eventname, sensorname, or by regular expression in the bodies of captured packets. Supports following the TCP session of any event printed (such as following the session for all FTP:USER-ROOT events, rather than just one session at a time using Dragon's mksession tool). Supports negative filtering as well (-v, similar to grep). Since dbgrep's output is also a binary .db file, any number of dbgrep commands can be chained together to achieve an arbitrarily complex result.

decode_contentidpost [sign] - A perl script which reads the uploads from MarketScore spyware and decodes the contents, so you can easily review what potentially sensitive information has been uploaded to the mothership. Usage details are in the script; requires both dbgrep and dbcat.

extract_web-get-exes [sign] - A perl script which reads WEB:GET-EXE events (a signature looking for any GET of an .EXE file; see MISC_LIGHT.lib) and extracts the Host: header and the full file path being requested. This can be used to profile your network and look for anomalous downloads. Windows networks will make many WEB:GET-EXE requests to Microsoft Windows Update servers, and there will likely be some regular downloads from dell.com, antivirus updates, and other presumably legitimate, reputable sites. But the remainder is very likely to be malware- or spyware-infected machines phoning home, downloading additional malware, etc. Usage details are in the script; requires both dbgrep and dbcat.

Dragon IDS Signatures

IRCBDCHAN.lib [sign] - This group contains custom IRC-backdoor-trojan Dragon NIDS signatures. These signatures detect clients registering with a number of IRC channel names commonly used as the remote-control channel for trojans/worms which register themselves after infection to await further instruction, report on progress compromising more machines, etc. NOTE: they currently use port 6667, the default IRC port. It would be better to define a local COMPLEX port entry, such as 'I', which lists a wider range of ports commonly used by IRC servers, such as perhaps 6666-7000.

IRCBDCMDS.lib [sign] - This group contains custom IRC-backdoor-trojan Dragon NIDS signatures. These signatures detect the types of command strings such trojans accept, and their phone-home reports of progress (compromised machines, etc). NOTE: they currently use port 6667, the default IRC port. It would be better to define a local COMPLEX port entry, such as 'I', which lists a wider range of ports commonly used by IRC servers, such as perhaps 6666-7000.

MISC_HUNGRY.lib [sign] - This group contains a few custom Dragon NIDS signatures which are known to be CPU-hungry. They should not be enabled on heavily loaded sensors if possible.

MISC_LIGHT.lib [sign] - This group contains a few custom Dragon NIDS signatures which should be fairly low in CPU cost and high in value.

ORACLE.lib [sign] - These sigs detect unusual, possibly malicious Oracle database queries/traffic. NOTE: they currently use port 1521. That is the default port for Oracle's main listener, but it might easily have been changed by local DBAs. It would be better to define a local COMPLEX port entry, such as 'O', which lists all ports used by Oracle servers within your organization.

SPYWARE.lib [sign] - This group contains Dragon signatures for various known spyware / malware websites and tools.

SQL.lib [sign] - This group contains Dragon signatures for various SQL-injection attacks in HTTP requests, particularly in POST bodies. For the most part these should never trigger on legitimate traffic, although a handful of false positives may be triggered by exceptionally insecure web applications.

WEBLOGIC.lib [sign] - These sigs detect unusual, possibly malicious WebLogic application server queries/traffic. NOTE: This library currently uses the 'W' COMPLEX rule to watch for traffic on known Web ports. However, this is sub-optimal: WebLogic servers often run on alternate ports such as 5000, 7001, etc, so these signatures will not monitor the right traffic. Some of these signatures are likely to false-positive on generic Web traffic, whereas if they were watching purely WebLogic sessions their false-positive rate would be very low; those signatures are currently disabled (re-enable them only after assigning them to a WebLogic-specific COMPLEX rule).
© Copyright 2008. KoreLogic Security. All rights reserved.