Category: Hostile Code » Detection
IRC administrators can now maintain their own definitions file. Help text has been cleaned up. Onjoin bots now have a random version reply to look more like real users, and onjoin bots will not check channels that are already monitored with a monbot. There is updated documentation and many bugfixes for existing code.
MydoomDeleter tries to identify email messages infected with the Mydoom(.B) worm in POP3 mailboxes. It deletes any infected message that it identifies while they are still on the server. In order to perform the identification, it applies some heuristics to the headers, the size of the messages, and name of the attachment. It thus avoids downloading the actual email, making retrievals less taxing. It has both interactive and nonstop modes.
Port Scan Attack Detector (psad)
Port Scan Attack Detector (psad) is a collection of three lightweight system daemons written in Perl and C that are designed to work with Linux iptables firewalling code to detect port scans and other suspect traffic. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, email alerting, DShield reporting, and automatic blocking of offending IP addresses via dynamic configuration of iptables firewall rulesets. In addition, psad incorporates many of the TCP, UDP, and ICMP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap. Psad also uses packet TTL, IP id, TOS, and TCP window sizes to passively fingerprint the remote operating system from which scans originate.
ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports Apache (both branches) today, with support for Java-based servers coming soon.
IDA Pro - Freeware Edition
The freeware version of the Interactive Disassembler Pro. Supports 80x86 binaries and FLIRT, a unique Fast Library Identification and Recognition Technology that automagically recognizes standard compiler library calls. Widely used in COTS validation and hostile code analysis.
KAVClient is a C language interface to the Kaspersky Anti-Virus daemon. It allows users to check files and memory for viruses.
The OpenAntivirus Project: Summary
Developing Open Source AntiVirus Solutions
Sophie is a daemon which uses the 'libsavi' library from the anti-virus vendor Sophos (http://www.sophos.com). On startup, Sophie initializes SAVI (Sophos Anti-Virus Interface), loads the virus patterns into memory, opens a local UNIX domain socket, and waits for a client to connect and instruct it which path to scan. Since the database is loaded in RAM, scanning is very fast. (Note: scanning speed also depends on the SAVI settings and the size of the file.) It works on Linux, Solaris (Sparc/x86), HP-UX, and FreeBSD.
DansGuardian Anti-Virus Scanner
The DansGuardian Anti-Virus Scanner gives you the ability to virus-scan all content that passes through DansGuardian. It uses the scanning code from the MailScanner project to do the actual virus scanning, so it supports all the virus engines that the MailScanner project supports. The scanning is done as the file is being downloaded, so your current network apps don't have to be modified, etc. They just have to support using a proxy.
amavis-notify-parser analyzes hostmaster notifications from Amavis and writes a logfile which records the type and origin of the viruses detected. It requires only a piped mail alias, a PHP4 CGI binary, and Amavis. McAfee uvscan is supported as the virus scanner. The logfile may be output in qmail's logfile format.