Re: [SAGE] Security Tools..
At 14:51 -0800 on 2005-12-30, Jennifer Davis wrote:
> or what tool that you couldn't survive
> without when it comes to security?
I think these are crucial for any organization with more than a few
systems. They're what I use, or want to use, both for daily
maintenance/monitoring, and during incident response:
sleuthkit   http://www.sleuthkit.org/
    filesystem analysis for investigation
cfengine    http://www.cfengine.org/
    configuration management, AKA avoiding forgetting to patch
    some systems...
osiris      http://www.hostintegrity.com/
samhain     http://la-samhna.de/samhain/
    host integrity monitoring for detection/investigation
syslog-ng   http://www.balabit.com/products/syslog_ng/
snare       http://www.intersectalliance.com/projects/SnareWindows/
sec         http://kodu.neti.ee/~risto/sec/
            and http://www.cs.umb.edu/~rouilj/sec/
    central syslogging for detection/investigation [1]
argus       http://www.qosient.com/argus/
    network flow logging for detection/investigation, AKA "who
    else talked to the bad guy, and for how many bytes?"
snort       http://www.snort.org/
    intrusion detection, optional inline blocking
ethereal    http://www.ethereal.com/
    network traffic analysis (-avoid- sniffing with ethereal
    itself, as it has frequent security holes in its protocol
    decoders)
sguil       http://sguil.sourceforge.net/
    network security monitoring console
Richard
-------
[1] For more central logging tools and ideas, see
http://www.loganalysis.org/ , the SAGE guide
http://www.SAGE.ORG/pubs/12_logging/ , and Abe Singer's forthcoming
O'Reilly book.
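Richard's "who else talked to the bad guy, and for how many bytes?" is the standard flow pivot during incident response: given one indicator address, list every host that exchanged traffic with it, in which direction, and when. As an added illustration (not part of the original message, and not argus's own tooling; argus ships its ra/racluster clients for exactly this), here is a small Python script that does that pivot over constructed CSV flow records. The column layout is an assumption loosely modelled on the fields a flow collector exports, the addresses are from documentation ranges, and the indicator 198.51.100.7 is a made-up value.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real argus output; the column set is an
# assumption: start time, protocol, source/dest address and port, and bytes
# sent by the source (sbytes) and by the destination (dbytes)).
SAMPLE_FLOWS = """\
stime,proto,saddr,sport,daddr,dport,sbytes,dbytes
2005-12-30 13:02:11,tcp,10.0.0.15,40211,198.51.100.7,443,1840,52213
2005-12-30 13:02:40,tcp,10.0.0.15,40212,203.0.113.9,80,612,4711
2005-12-30 13:05:03,tcp,10.0.0.22,51002,198.51.100.7,443,2230,390456
2005-12-30 13:07:19,udp,10.0.0.22,5353,224.0.0.251,5353,410,0
2005-12-30 13:09:55,tcp,198.51.100.7,4444,10.0.0.31,22,980,120
2005-12-30 13:11:02,tcp,10.0.0.15,40213,198.51.100.7,443,770,18800
"""


def parse_flows(text):
    """Parse CSV flow records into dicts, converting byte counters to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sbytes"] = int(row["sbytes"])
        row["dbytes"] = int(row["dbytes"])
        rows.append(row)
    return rows


def peers_of(flows, indicator):
    """Summarise every host that talked to `indicator` in either direction.

    Returns {peer_ip: {"flows": n, "to_indicator": bytes the peer sent,
    "from_indicator": bytes the indicator sent, "first": stime, "last": stime}}.
    """
    summary = defaultdict(lambda: {"flows": 0, "to_indicator": 0,
                                   "from_indicator": 0,
                                   "first": None, "last": None})
    for f in flows:
        if f["saddr"] == indicator:
            # Indicator initiated: its bytes are sbytes, the peer's are dbytes.
            peer, to_ind, from_ind = f["daddr"], f["dbytes"], f["sbytes"]
        elif f["daddr"] == indicator:
            # Peer initiated: its bytes are sbytes, the indicator's are dbytes.
            peer, to_ind, from_ind = f["saddr"], f["sbytes"], f["dbytes"]
        else:
            continue  # flow does not involve the indicator at all
        s = summary[peer]
        s["flows"] += 1
        s["to_indicator"] += to_ind
        s["from_indicator"] += from_ind
        s["first"] = f["stime"] if s["first"] is None else min(s["first"], f["stime"])
        s["last"] = f["stime"] if s["last"] is None else max(s["last"], f["stime"])
    return dict(summary)


def rank_peers(summary):
    """Order peers by bytes pulled from the indicator, largest first, so the
    host that downloaded the most from it is examined first."""
    return sorted(summary.items(),
                  key=lambda kv: kv[1]["from_indicator"], reverse=True)


if __name__ == "__main__":
    indicator = "198.51.100.7"  # made-up indicator address
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"hosts that talked to {indicator}:")
    for peer, s in rank_peers(peers_of(flows, indicator)):
        print(f"  {peer:<14} flows={s['flows']} sent={s['to_indicator']} "
              f"received={s['from_indicator']} "
              f"first={s['first']} last={s['last']}")
```

Ranking by bytes received from the indicator is a deliberate choice: a host that pulled hundreds of kilobytes from a suspect address (a likely second-stage download) deserves a look before one that exchanged a few hundred bytes, and an inbound flow from the indicator to a local SSH port is its own line item regardless of size.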