Tools Developed, Supported, Sponsored and/or Released by KoreLogic
In keeping with our philosophy of sharing useful resources with our clients and the security community, KoreLogic releases software under various open source licensing agreements.
Below are some of the open source tools that KoreLogic staff have developed, released under various open source licenses. See also our public Git repositories here.
In addition to development of open source tools, KoreLogic also works with clients to aid in the customization and implementation of existing open source tools (i.e. Request Tracker (RT) for use in Vulnerability Management and Request Tracker Incident Response RTIR). Please contact us if you need clarification for any particular tool.
FTimes - A system baselining and evidence collection tool.
The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis. FTimes is a lightweight tool in the sense that it doesn't need to be "installed" on a given system to work on that system, it has a small footprint, and it provides only a command line interface. FTimes implements two general capabilities: file topography and string search. File topography is the process of mapping key file attributes and metadata for a given set of files and directories. String search is the process of digging through a set of files while looking for specific sequences of bytes. Respectively, these capabilities are referred to as map mode and dig mode. FTimes is written in C and ported to many popular platforms (e.g., FreeBSD, Linux, MacOS, and Windows) including some mobile platforms (e.g., Android and iOS).
Giles - A production rule system compiler.
A production rule system (or "engine" in Giles parlance) is a program that is typically used to provide some sort of artificial intelligence. Giles engines are particularly well-suited to being expert systems, multi-log analyzers, and behavior-detection systems.
Existing production rule systems are often expensive, difficult to use, and accessible only through custom interfaces that require additional programmer effort and may be available only for one or a few languages.
Giles takes a novel approach: it compiles a description of an engine into a schema for a database system. Databases created using this schema become complete, self-contained production rule systems.
This approach has a number of benefits:
Programmers can use existing, ubiquitous database access libraries, available in essentially any language, to work with these engines.
For products that already use a supported database, a Giles engine adds no new software dependencies.
By using a SQLite engine, it becomes easy to embed a production rule system inside a larger product.
The engines can use the underlying database's data safety guarantees, including transactions and data durability guarantees.
The engines can handle large amounts of data over long periods of time.
Download the current stable release here [sign], or visit the Giles Git page. Questions or comments on the project may be directed to email@example.com. [key]
KL-EL - A lightweight, embeddable expression language.
The KoreLogic Expression Language Library (libklel) is a C library that provides a simple expression language that can be embedded in other programs. It does not implement a full programming language, but rather a simpler expression language called KL-EL that is designed to provide arithmetic and logic operations in situations where embedding a full programming language would be overkill. KL-EL can access functions and variables exported from the embedding program, and is statically and strongly typed, which helps ensure that expressions are valid before they are executed. The embedding API is easy to use, and the library itself is very small.
Download the current stable release here [sign], or visit the SourceForge project page. Questions or comments on the project may be directed to firstname.lastname@example.org. [key]
KLogTail [sign] [sign-key] - A log file tailing program.
KLogTail was inspired by Craig Rowland's logtail, and it was designed to work on a number of platforms (e.g., FreeBSD, Linux, MacOS, and Windows).
MASTIFF - A static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
To ensure the framework remains flexible and extensible, a community-driven set of plug-ins is used to perform file analysis and data extraction. While originally designed to support malware, intrusion, and forensic analysis, the framework is well-suited to support a broader range of analytic needs. In a nutshell, MASTIFF allows analysts to focus on analysis rather than figuring out how to parse files.
Download the current stable release here [sign], or visit the MASTIFF Git page to access the development code tree. Questions or comments on the project may be directed to email@example.com. [key]
LibPathWell - A PAM module and library for auditing/enforcing Password Topology Histogram Wear-Leveling.
PathWell (Password Topology Histogram Wear-Leveling) is a new approach to measuring and enforcing password complexity, focusing on the uniqueness of each user password's topology.
A password's "topology" is its "shape", such as "Uppercase letter, followed by several lowercase letters, several numbers, and then a special character". When many users are required to create passwords fitting some conventional strength rules (such as minimum length, minimum number of character sets), they tend to gravitate towards common topologies. Password cracking tools incorporate this (called "masks" in oclHashcat, for example). A set of password hashes with a slow (difficult) cipher, or a set of very long (14-character or more) passwords may be infeasible to blindly crack, but by focusing on only 1-5 most popular topologies, an attacker might crack 5-10% or more of an enterprise's user passwords in hours or days instead of years of effort.
Password crackers would have a far lower success rate if topologies could not be reused by multiple users. PathWell provides tools to measure the bias in a user population (how overused the most popular topologies are), allow an administrator to disallow the most universally common topologies (blacklists), and/or disallow any user from re-using a topology that is in use by other users of the same system (wear-level enforcement).
Download the current stable release here [sign], or visit the LibPathWell Git page to access the development code tree. Questions or comments on the project may be directed to firstname.lastname@example.org. [key]
WebJob - A secure automation framework that can be used support an arbitrary number of "jobs".
WebJob supports highly distributed and/or repetitious activities (e.g., evidence collection, integrity monitoring, enterprise search, configuration management, compliance verification, automated analysis, password cracking, testing, etc.) using a secure client-server, pull-based model. WebJob clients periodically download one or more jobs (in the form of pre-compiled programs or scripts) and execute them. Any output produced by these jobs is automatically packaged up and sent to the WebJob server for archival and/or further processing.
John the Ripper Tools :
rockyou.chr[sign] rockyou-lanman.chr[sign] README
- Updated .chr files for use with the John the Ripper password cracking tool. John uses .chr files to inform its "smart brute force" mode, generating password candidates using the most frequent characters first (rather than "aaaaaaa", "aaaaaab", "aaaaaac", etc). A large online database was recently compromised and passwords leaked; these .chr files are built using this large, current sample. See the README for more information and usage notes.
Miscellaneous Tools :
ddp [md5] [sign] [sign-key]
- DDP, short for Dd-Delta-Patch, is a tool for diffing and patching equal-sized dd(1) images. This tool was written as a companion to dd(1), and its purpose is to reduce the amount of storage required to maintain multiple snapshots of a given partition or disk image. Note: Version 1.0.0.ds29 is a development release.
- Given a starting URL, this script finds/guesses all webservers linked off that page, and grabs Server: tokens from each (webserver software and version information). Useful for "taking the temperature" of a project's mirror servers--if a large percentage of them are running old, vulnerable webserver versions, you should be more suspicious of the software you download from any of them. Especially if the project does not PGP-sign their releases.
LoadLimit.pm [sign] - A proof-of-concept perl module to mitigate application-level denial of service attacks for perl CGIs. Call from within perl CGIs (with or without mod_perl) to check the system load against configurable thresholds, and returns an error if the server is overloaded, short-circuiting potentially expensive operations.