Software Map

Kernel Security Therapy Anti-Trolls (KSTAT) is a
very powerful security tool to detect many kinds
of rogue kernel rootkits. It analyzes the kernel
through /dev/kmem and detects modified syscalls as
well as various other problems. This version runs
on 2.4.x only, and can assist in finding and
removing trojan LKMs. It sports network socket
dumps, sys_call fingerprinting, stealth module
scanning, and more. This is not a
'signature-tool'; it requires a bit of expertise
and knowledge of what is going on.

The Autopsy Forensics Browser is a graphical
interface to The Sleuth Kit (TASK). Autopsy allows
one to view allocated and deleted file system
content in a "File Manager" style interface,
create timelines of file activity, sort files by
type, and perform key word searches.

libnetfilter_xtables provides an API for the Netlink transport that is used for Xtables2. Xtables2 is one of the prospective replacement candidates for the aged iptables-arptables-ebtables Linux packet filters.

mpscan is a parallel network scanner that checks
for open ports. It uses select() to increase its
speed and was designed for rapidly scanning
large networks, but also works with a single IP.

Lutz is a fast and small stealth port scanner,
similar to nmap. It has the most popular scanning
options (SYN, FIN, XMAS Scan, PROTO Scan, etc.)
and simple OS detection. It supports some very
beta idle scanning and several other options. It
can also scan subnets, or scan a list of hosts
specified in a file.

shash is a program which produces message digests for files, and checks whether the digest remains the same (i.e., whether the files changed). Since anyone can generate the message digest, it may not be suitable for some security-related applications. Because of this, shash also supports HMAC (rfc2104), which is a mechanism for message authentication using cryptographic hash functions. shash can use a key with a hash algorithm to produce hashes that can only be verified with the same key. This way, you can securely check whether files in a filesystem were altered.

Come And Go Encryption (CAG) is a simple program
to encrypt files with a special key. This key is
a random garbage file, and it is XOR-ed with the
file to render it unusable by normal methods. It
uses the principle of the one-time pad, but it is
not unbreakable. It can stream the decrypted file
to STDOUT for use in pipes (i.e., mplayer movie
viewing, xv image viewing, etc.).

SAM Jr is a real-time analysis tool for Snort
data. It can easily be extended using plugins.

Link-n-Log is a software package to view and store the
logs produced by Linksys routers/firewalls. Logs are
presented in a GUI which allows sorting the alerts and
performing DNS and port lookups on the data. Alerts
are stored in a standard SQL database.