
Snort – the de facto standard for intrusion detection/prevention


What is Snort?

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba’s smbclient.

Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), as a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion prevention system.
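As an added illustration of the rules language and the alerting mechanisms mentioned above, here is a constructed snort.conf fragment (it is not text from snort.org or the Snort project; the network addresses, the scanner host, the output file name and the sid values are assumptions):

```snort
# Constructed example (not from the Snort project): a minimal snort.conf
# fragment showing the rules language and two of the alerting mechanisms.
# It assumes the http_inspect preprocessor is enabled elsewhere in the config.

# Network variables; the addresses are assumptions for this example.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Alerting: send alerts to syslog and to a user-specified file.
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert.fast

# A "pass" rule: traffic from a vulnerability scanner the defenders operate
# themselves (assumed address) is ignored so authorised scans do not flood
# the alert log. Rule header = action proto src_ip src_port -> dst_ip dst_port.
pass tcp 192.168.1.10 any -> $HOME_NET any (msg:"Authorised scanner traffic"; sid:1000001; rev:1;)

# An "alert" rule for a CGI / directory traversal probe: match "../" in the
# URI of an established HTTP request coming from outside the monitored network.
# classtype names come from classification.config; sid values from 1000000
# upward are reserved for local rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI directory traversal attempt"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
```

Each alert from the second rule is written both to syslog and, in the one-line "fast" format, to alert.fast.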

The Power of Open Source Development

The roots of Snort’s development methodology hail from the Open Source movement, a movement pioneered by Richard Stallman at MIT during the 1980s. The idea behind Open Source is that all software should have source code available and be developed by communities of interested developers. This ideology and the power that it unleashes to develop superior software was further explained and highlighted in what is considered to be the seminal treatise on Open Source development, “The Cathedral and the Bazaar” by Eric S. Raymond. In “The Cathedral and the Bazaar”, Raymond outlines how the Open Source development methodology can be leveraged to create superior software compared to traditional proprietary methods. The Snort project relies on this ideology heavily, and its impact shows: in test after test Snort has come out at or near the top of the heap when compared head to head with other sensor technologies.

The Snort Community

The power and reach of Snort is due in large part to the power and reach of the Snort user community. Aside from the seasoned developers at Sourcefire, there are literally thousands of experienced programmers reviewing and testing the functionality and rule sets. By leveraging the “many eyeballs” theory that was popularized by Eric Raymond and used to launch Linux to success in the operating systems market, people in the open source Snort community worldwide can detect and respond to bugs and other security threats more quickly and efficiently than in a “closed” environment.

To help foster this sense of community and provide a platform for users to share their ideas and experiences, local Snort User Groups have been formed throughout the world. A list of user groups by area is maintained on the Snort website.

Ref: http://www.snort.org/about_snort/

Burp Intruder


Burp Intruder is a tool to facilitate automated attacks against web-enabled applications. It is not a point-and-click tool: using Burp Intruder effectively requires a detailed knowledge of the target application and an understanding of the HTTP protocol.

Burp Intruder is highly configurable and can be used to automate a wide range of attacks against applications, including testing for common web application vulnerabilities such as SQL injection, cross-site scripting, buffer overflows and directory traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and application-layer denial-of-service attacks.

Key features include:

  • Highly configurable algorithms for generating malicious HTTP requests.
  • Large number of built-in attack “payloads”.
  • Tools for generating customised attack vectors, based on character sequences, substitution, malformed encoding, brute forcing, enumerated tokens, etc.
  • Full integration with other Burp Suite tools.
  • Customisable tests for anomalous or interesting server responses.
  • Detailed capture of results.
  • Ability to follow 3xx redirects during an attack.
  • IDS evasion and DoS mode.
  • Support for proxy servers, and authentication using basic, NTLM and digest types.
  • Runs on both Linux and Windows.

Ref: http://portswigger.net/intruder/


Nikto – web server scanner | find exploits :)


Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto, written in Perl, is a web server assessment tool designed to find various default and insecure files, configurations and programs on any type of web server.

Nikto is built on LibWhisker and can run on any platform that has a Perl runtime, and supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command line, and supports the optional submission of updated version data back to the maintainers.

Interesting :)

The name “Nikto” is taken from the movie “The Day the Earth Stood Still”, and of course subsequent abuse by Bruce Campbell in “Army of Darkness”. More information on the pop-culture popularity of Nikto can be found at http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html

Ref: http://www.cirt.net/nikto2
