Monday, July 5, 2010

Xplico, Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT)


About

The goal of Xplico is to extract the application data contained in an Internet traffic capture.
For example, from a pcap file Xplico extracts each email (POP, IMAP and SMTP), all HTTP content, each VoIP call (SIP), FTP and TFTP transfers, and so on. Xplico is not a network protocol analyzer; it is an open source Network Forensic Analysis Tool (NFAT).
Xplico is released under the GNU General Public License (see License for more details).
Features:

* Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
* Port Independent Protocol Identification (PIPI) for each application protocol;
* Multithreading;
* Output data and information to an SQLite or MySQL database and/or to files;
* Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap containing the reassembled data;
* Real-time processing (depends on the number of flows, the types of protocols and the performance of the computer: RAM, CPU, HD access time, …);
* TCP reassembly with ACK verification for every packet, or soft ACK verification;
* Reverse DNS lookup from the DNS packets contained in the input files (pcap), not from an external DNS server;
* No size limit on input data or on the number of input files (the only limit is HD size);
* IPv4 and IPv6 support;
* Modularity. Each Xplico component is modular: the input interface, the protocol decoders (dissectors) and the output interface (dispatcher) are all modules;
* The ability to easily create any kind of dispatcher with which to organize the extracted data in whatever way is most appropriate and useful to you.

Thursday, June 24, 2010

Guardian Active Response for Snort IDS


Overview:
Guardian is a security program which works in conjunction with Snort to automatically update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert).
There is also logic in place which prevents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Here is a link you might want to read: http://online.securityfocus.com/infocus/1540 .. I found it very interesting on why you should use this software with great caution.
New Stuff/Changes

* New block/unblock scripts! Checkpoint firewall and Pix firewall scripts. Download them below. Thanks goes out to Markwalder Philip (pm at ibp.ch) and Roland Gafner (roland.gafner at gmx.net). Awesome work guys :)
* Better syslog parsing! Now guardian should work regardless of how your syslog/snortlib reports the attacks (as long as the attacker's IP address is first). The new code is much cleaner, and should be a bit faster as well.
* Added support for watching for more than one IP address. To do this, a new option has been added to the guardian.conf file:

TargetFile /etc/guardian.target

The file should contain a list of IP addresses which are local IP addresses. The format is the same as the IgnoreFile. This is useful for people who are hosting several IP addresses from one machine. It might also be useful for people who are running snort/guardian on a firewall.
This will also only place a block on the interface which is defined in the guardian.conf .. I should also add that this is experimental.
* Bug fix: guardian now catches portscans as reported by the portscan modules

Block/Unblock Scripts

* ipchains (Block / Unblock)
* iptables (Block / Unblock)
* ipfwadm (Block / Unblock)
* FreeBSD using IPFW (Block / Unblock)
* ipfilter (courtesy of Wes Sonnenreich (sonny at alum.mit.edu) (Block / Unblock)
* New! Null Route for Linux systems with no other packet filter software (Block / Unblock)
This is a hack. Please read the file.. It works by adding a route to your routing table when an attack is detected. The route is invalid, and specific to the attacker, so while the route exists, your machine won't send anything back to the attacker. I have no idea what this does to performance.
* Checkpoint Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock)
* Pix Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock / Required perl script (also requires ssh perl module))
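To make the mechanism behind the changes and the block/unblock scripts concrete, here is an added example, written for this page and not Guardian's own Perl code, of the same control loop in Python: parse Snort alerts out of syslog (the attacker is the first address after the `{PROTO}` token), skip sources on the ignore list, react only to alerts whose destination is one of the watched target addresses, emit the iptables block rule for the configured interface, and emit the matching unblock once the time limit expires or on shutdown. The ignore list is the part to get right: Snort reports whatever source address is in the packet, so an attacker who spoofs the address of your DNS server or gateway can otherwise turn an auto-blocker into a self-inflicted outage, which is the caution the article linked above is about. The commands are returned as argv lists rather than executed, so the logic can be tested; the log lines, addresses, sids and `eth0` are all constructed for the example.

```python
import ipaddress
import re

# Snort alert as it lands in syslog: "... snort[pid]: [gid:sid:rev] MSG
# [Classification: ...] [Priority: n] {PROTO} SRC:SPORT -> DST:DPORT".
# The attacker's address is the first one after the {PROTO} token.
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


class Blocker:
    """Guardian-style active response: turn Snort alerts into iptables DROP
    rules on one interface, never block addresses on the ignore list, only
    react to alerts against our own (target) addresses, and lift each block
    once its time limit has passed."""

    def __init__(self, ignore, targets, interface="eth0", timelimit=3600):
        self.ignore = [ipaddress.ip_network(n) for n in ignore]      # IgnoreFile
        self.targets = {ipaddress.ip_address(t) for t in targets}    # TargetFile
        self.interface = interface
        self.timelimit = timelimit
        self.blocked = {}           # attacker -> unix time at which the block expires

    def parse(self, line):
        """(src, dst) from one syslog line, or None if it is not a Snort alert."""
        m = ALERT_RE.search(line)
        if m is None:
            return None
        return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])

    def _rule(self, action, src):
        # "-I" inserts the block; "-D" deletes the identical rule again
        return ["iptables", action, "INPUT", "-i", self.interface,
                "-s", str(src), "-j", "DROP"]

    def handle(self, line, now):
        """Return (iptables argv or None, reason) for one log line."""
        parsed = self.parse(line)
        if parsed is None:
            return None, "not a Snort alert"
        src, dst = parsed
        if any(src in net for net in self.ignore):
            return None, f"{src} is on the ignore list"
        if dst not in self.targets:
            return None, f"{dst} is not one of our addresses"
        if src in self.blocked:
            self.blocked[src] = now + self.timelimit    # extend; do not stack duplicate rules
            return None, f"{src} already blocked"
        self.blocked[src] = now + self.timelimit
        return self._rule("-I", src), f"blocking {src}"

    def expire(self, now):
        """Unblock commands for every block whose time limit has passed."""
        due = [src for src, until in self.blocked.items() if until <= now]
        for src in due:
            del self.blocked[src]
        return [self._rule("-D", src) for src in due]

    def shutdown(self):
        """Guardian removes all blocks on exit; return the commands to do so."""
        cmds = [self._rule("-D", src) for src in self.blocked]
        self.blocked.clear()
        return cmds


# Constructed syslog lines in Snort's alert format (not real alerts; local-rule sids).
SAMPLE_SYSLOG = [
    "Jul  5 10:12:01 sensor snort[4242]: [1:1000001:1] LOCAL port sweep "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 203.0.113.5:40124 -> 198.51.100.10:22",
    "Jul  5 10:12:02 sensor snort[4242]: [1:1000002:1] LOCAL /etc/passwd in URI "
    "[Priority: 2] {TCP} 203.0.113.5:40200 -> 198.51.100.10:80",
    "Jul  5 10:12:05 sensor snort[4242]: [1:1000003:1] LOCAL odd DNS reply "
    "[Priority: 1] {UDP} 198.51.100.53:53 -> 198.51.100.10:33211",
    "Jul  5 10:12:07 sensor snort[4242]: [1:1000004:1] LOCAL ICMP probe "
    "[Priority: 3] {ICMP} 203.0.113.9 -> 203.0.113.77",
    "Jul  5 10:12:08 sensor sshd[511]: Accepted publickey for ops from 198.51.100.7",
]


def run(lines, start=1_000_000):
    """Feed the lines through a Blocker one second apart; returns (blocker, decisions)."""
    g = Blocker(ignore=["198.51.100.53/32", "198.51.100.1/32"],
                targets=["198.51.100.10"], timelimit=600)
    decisions = [g.handle(line, start + i) for i, line in enumerate(lines)]
    return g, decisions


if __name__ == "__main__":
    blocker, decisions = run(SAMPLE_SYSLOG)
    for cmd, why in decisions:
        print(why, "->", " ".join(cmd) if cmd else "no action")
    for cmd in blocker.expire(1_000_000 + 601):
        print("expired ->", " ".join(cmd))
```

Of the four constructed alerts only the first produces a rule: the second comes from an attacker that is already blocked (its expiry is extended instead), the third names the ignored DNS server as the source, and the fourth targets an address that is not ours. Swapping `_rule` for a null-route or ipfw command gives the other block/unblock scripts listed above.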

Misc Stuff

* Here is a readme file that explains how to have guardian/snort running on one machine, and applying blocks to your firewall on a different machine. This was written by Roland Gafner (roland.gafner at gmx.net)

Downloads

* Current Version: 1.7 (Download here)
o Better syslog parsing
o TargetFile to watch multiple IP addresses
o Bug Fix for catching portscans
* Version: 1.6.2 (Download here)
o Support added for syslog rotation. Previously, guardian would not reopen the syslog file if it got rotated. This does not mean that there is support for rotating the guardian log itself. This will be supported in a future version.
o Added block/unblock script for ipfwadm (useful for older linux kernels)
o Bug fixes. Thanks to brian at unearthed.org for pointing them out.
* Version: 1.6.1 (Download here)
o Bug fix for newer snortlibs and syslog
o Added block/unblock scripts for ipfwadm
* Version: 1.6 (Download here)
o Now calls an external script for blocking ip addresses.
o Added a timelimit feature.
o Removes all blocks upon exit
* Version: 1.5 beta (Download here)
Many bug fixes, FreeBSD support added, syslog support added, IPtables support added
* Original release: 1.0 (Download here)

TODO

* Support for other Network Intrusion Detection systems
* Write block/unblock scripts for other OSs
* Do something with the Priority codes that come with newer snort-libs
* Include changes from unofficial guardian releases..
* More stuff later on..

Thursday, June 17, 2010

DRBD - data storage replication for HA clusters (useful for Disaster Recovery)



DRBD® refers to block devices designed as a building block to form high availability (HA) clusters. This is done by mirroring a whole block device via an assigned network. DRBD can be understood as a network-based RAID-1.

In the illustration above, the two orange boxes represent two servers that form an HA cluster. The boxes contain the usual components of a Linux™ kernel: file system, buffer cache, disk scheduler, disk drivers, TCP/IP stack and network interface card (NIC) driver. The black arrows illustrate the flow of data between these components.

The orange arrows show the flow of data as DRBD mirrors the data of a highly available service from the active node of the HA cluster to the standby node.


The upper part of this picture shows a cluster where the left node is currently active, i.e., the service's IP address that the client machines are talking to is currently on the left node.

The service, including its IP address, can be migrated to the other node at any time, either due to a failure of the active node or as an administrative action. The lower part of the illustration shows a degraded cluster. In HA speak the migration of a service is called failover, the reverse process is called failback and when the migration is triggered by an administrator it is called switchover.


Feature List

* May be used to add redundancy to existing deployments
* Fully synchronous (protocol C), memory synchronous (protocol B) or asynchronous (protocol A) modes of operation
* Masking of local I/O errors
* Shared secret to authenticate the peer upon connect
* Tunable bandwidth for background resynchronization
* Automatic recovery after node, network or disk failures
* Efficient resynchronization: only the blocks modified during a node's outage are copied
* Short resynchronization time after the crash of an active node, independent of the device size
* Automatic detection of the most up-to-date data after a complete failure
* Integration scripts for use with Heartbeat
* Dual-primary support for use with GFS/OCFS2
* Configurable handler scripts for various DRBD events
* Online data verification
* Optional data digests to verify the data transfer over the network
* Integration scripts for use with Xen
* Usable on LVM logical volumes; usable as a physical volume for LVM
* Integration scripts for LVM to automatically take a snapshot before a node becomes the target of a resynchronization
* Dependencies to serialize resynchronization (by default all devices resynchronize in parallel)
* Heartbeat integration to outdate peers with broken replication links, which avoids switchovers to stale data
* Many tuning parameters allow DRBD to be optimized for specific machines, networking hardware and storage subsystems
* Integration scripts for use with Red Hat Cluster (excluding the GUI tools)
* Existing file systems can be integrated into new DRBD setups without copying
* Support for a third, off-site node for disaster recovery (since 8.3)
* Support for compression of the bitmap exchange (since 8.3.2, keyword: use-rle)
* Support for floating peers (since 8.3.2) in drbdadm
* Feature-complete OCF Heartbeat/Pacemaker resource agent (since 8.3.2)
* Resource-level fencing script, using Pacemaker's constraints (since 8.3.2)
* Supports TCP/IP over Ethernet, SuperSockets over Dolphin NICs (8.3.2) and SDP over InfiniBand (8.3.3)
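Several of the features above map directly onto a resource definition. The following is an added example in DRBD 8.3 drbd.conf syntax, written for this page rather than taken from the DRBD documentation, that turns on the ones that matter for data integrity: protocol C (fully synchronous replication), a shared secret with cram-hmac-alg so only the real peer can attach to the replication port, data-integrity-alg for the optional per-block digest over the wire, verify-alg for online verification, a bandwidth cap on background resync, the use-rle bitmap compression, and resource-level fencing through the Pacemaker handler scripts. Hostnames, addresses, devices and the secret are placeholders. Note that the shared secret only authenticates the peer; DRBD does not encrypt the replicated blocks, so the replication addresses should sit on a dedicated link rather than a shared network.

```conf
resource r0 {
  protocol C;                      # fully synchronous: a write completes only once the
                                   # peer has it on stable storage (B = memory sync, A = async)

  net {
    cram-hmac-alg      sha1;       # challenge-response authentication of the peer on connect
    shared-secret      "REPLACE-WITH-A-LONG-RANDOM-SECRET";   # placeholder, same on both nodes
    data-integrity-alg sha1;       # optional digest over every block sent across the link
  }

  disk {
    fencing resource-only;         # fence the peer's resource via the CIB, not the whole node
  }

  handlers {
    # scripts shipped with DRBD 8.3.2+ that add/remove a Pacemaker location constraint
    fence-peer          "/usr/lib/drbd/crm-fence-peer.sh";
    after-resync-target "/usr/lib/drbd/crm-unfence-peer.sh";
  }

  syncer {
    rate       40M;                # cap background resynchronization bandwidth
    verify-alg sha1;               # enables online verification (drbdadm verify r0)
    use-rle;                       # run-length encoded bitmap exchange (8.3.2+)
  }

  on alice {                       # placeholder hostname; must match `uname -n`
    device    /dev/drbd0;
    disk      /dev/sdb1;           # placeholder backing device
    address   10.0.0.1:7789;       # placeholder address on the dedicated replication link
    meta-disk internal;
  }
  on bob {
    device    /dev/drbd0;
    disk      /dev/sdb1;
    address   10.0.0.2:7789;
    meta-disk internal;
  }
}
```

With this in place `drbdadm verify r0` compares the two replicas block by block online, and a node whose replication link has broken is marked outdated through the fence-peer handler, which is what keeps Pacemaker from promoting stale data after a switchover.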

Friday, June 11, 2010

Network Intrusion Detection System (IDS) - Sax2


Ax3soft Sax2 is a professional intrusion detection and prevention system (IDS) for detecting intrusions and attacks and for analyzing and managing your network. It excels at real-time packet capture, 24/7 network monitoring, advanced protocol analysis and automatic expert detection.

With insight into all operations on your network, Sax2 makes it easy to isolate and solve your network security problems: detect network vulnerabilities, identify security threats, catch actions that violate the security policy and signs of being attacked, and finally intercept and stop those connections.

Sax2 offers many kinds of intrusion analysis reports, such as events, type, source address and destination address of attacks, as well as many cross-referenced and composite reports. Furthermore, Sax2 lets the administrator customize the time range over which the network's security is monitored and evaluated.

With its enhanced detection, analysis, response and management features, support for almost all commonly used protocols, and a self-contained, rapidly updated event database, Sax2 can form the active-detection core of a dynamic security defense system together with other network security software such as firewalls and anti-virus.

Key Features:

Intrusion Detection and Prevention

Detects a variety of complex attacks on your network, including pre-attack reconnaissance, password guessing, denial of service attacks (DoS/DDoS), buffer overflow attacks, CGI/WWW attacks, attacks on Windows vulnerabilities, attacks on Unix vulnerabilities, unauthorized access, SQL injection attacks, worms, backdoor Trojans, ARP spoofing, and so on. Sax2 will then actively stop the dangerous behavior to protect your whole network.
Real-Time Alert and Response.

Multiple response modes: send console message, log, e-mail notification, real-time cut-off of the connection, flexible logs.
Stable performance.
Sax2 works 24/7/365 with stable performance.
Real-time monitoring, analysis and alarm.
Besides monitoring network communication in real time, Sax2 also analyzes and raises alarms in real time to protect your network.
Huge data storage.

Sax2 supports many databases, such as SQL Server, Access and others, which lets the user store large volumes of data flexibly.
Plenty of reports

With the many available reports, the administrator can easily monitor attacks and evaluate network security with Sax2.
Customize Security Policy
IT professionals may customize the security policy for their own network to improve the accuracy of intrusion detection.
Network Based
Sax2 intrusion detection system is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific network location. A single Sax2 monitor, strategically placed at a key network junction, can be used to monitor all incoming and outgoing traffic for the entire site. Sax2 does not use or require installation of client software on each individual networked computer.
Other Features
Name Table

The name table allows you to create or edit aliases for addresses, ports and protocols; you may also specify the text color for a selected item. This useful feature makes packet-related information familiar and intelligible.
Support for multiple adapters.

If you have more than one adapter installed on the local machine, Sax2 intrusion detection system can capture the traffic on all of them.
In-depth Packet Decoding

Provides detailed packet decoding information.
Conversation & Packet Stream.

Monitors all conversations and reconstructs packet streams.
Logs of Events
Records actions and sensitive events across the whole network, including web browsing, e-mail transmission, FTP transfers and instant messaging (MSN), to help network administrators identify potential threats.

Who Needs Intrusion Detection Systems (IDS) - Sax2?

You want to monitor and prevent hacker attacks and protect your network and business from internal threats.
You want to log the websites that your users visit.
You need to monitor corporate communications, both in e-mail messages and on instant messaging platforms.
You want a network monitoring solution that does not require client installation on individual workstations.

Friday, December 25, 2009

Gpg4win

Gpg4win

The Gpg4win initiative aims to provide a current Gpg4win Windows installation package including the GnuPG encryption tool and associated applications. The documentation ("Gpg4win Compendium" and "Novices") is directly maintained as part of the Gpg4win project.

Another goal is to support both relevant cryptographic standards, OpenPGP and S/MIME in a unified way.

Gpg4win is an international effort. Due to the origin of the project and many members, there is a full German translation. Additional translators are welcome!

The main difference compared to all similar approaches (mainly GnuPP, GnuPT, Windows Privacy Tools and GnuPG-Basics) is that the first piece developed was the Gpg4win-Builder. This builder allows you to easily create new gpg4win.exe installers with updated components. It runs best on a GNU/Linux system. Almost all products are even automatically cross-compiled for integration into the installer.

This design should keep the installer package from aging quickly, because updating is easier and does not depend on a single person.

You can choose all or some of the following modules during installation:

GnuPG: The core; this is the actual encryption tool.
Kleopatra: A certificate manager for OpenPGP and X.509 (S/MIME) and common crypto dialogs.
GPA: Another certificate manager for OpenPGP and X.509 (S/MIME).
GpgOL: A plugin for Microsoft Outlook 2003 and 2007 (email encryption).
GpgEX: A plugin for Windows Explorer (file encryption).
Claws Mail: A complete email program including the plugin for GnuPG.
Gpg4win Compendium: The new (German!) documentation about Gpg4win2 (translation already scheduled).
Gpg4win for Novices: The old English handbook about Gpg4win1 (for newbies).

Gpg4win can be installed and tested with just a few mouse clicks. Of course you should be administrator of your system or have administration rights.

Saturday, November 7, 2009

What is CrypTool?


CrypTool Introduction


The application CrypTool is a free e-learning application for Windows. You can use it to apply and analyze cryptographic algorithms. The current version of CrypTool (Download) is used all over the world. It supports both contemporary teaching methods at schools and universities as well as awareness training for employees and civil servants.
The current version offers, among others, the following highlights:
Numerous classic and modern cryptographic algorithms (encryption and decryption, key generation, secure passwords, authentication, secure protocols, ...)
Visualisation of several methods (e.g. Caesar, Enigma, RSA, Diffie-Hellman, digital signatures, AES)
Cryptanalysis of certain algorithms (e.g. Vigenère, RSA, AES)
Crypt-analytical measuring methods (e.g. entropy, n-grams, autocorrelation)
Auxiliary methods (e.g. primality tests, factorisation, base64 coding)
Tutorial about number theory
Comprehensive online help
Supportive script with further information about cryptology
From its original use of information security training for a company, CrypTool has developed into an outstanding open source project for cryptology related topics.
Since spring 2008, the CrypTool project has been operating the Crypto Portal for Teachers. Thus far, the portal is only available in German and is intended to act as a platform for teachers to share teaching materials about cryptology and related links.
Since spring 2009, the CrypTool project has also been operating the website CrypTool-Online. This portal gives people interested in cryptology the possibility to try out a variety of ciphers and encryption methods in their own browser without downloading and installing any kind of software. On this website for first-time users and young people we present cryptology in an appealing and easy way. For advanced tasks and problems there is still the offline version of CrypTool, which can be downloaded and installed.
Currently the CrypTool team is working on two projects intended to become the successors of the current release version CrypTool 1.4.x, which is written in C++. Both follow-up projects use state-of-the-art standards of software development, but are still in beta status:
CrypTool 2.0 is developed in C# with Visual Studio 2008 (Express Edition) and WPF. In July 2008 the first beta version (for developers and end users) was released. It is continuously updated. CrypTool 2.0 provides a fully developed architecture and usable cryptographic functionality combined with an innovative drag-and-drop GUI.
JCrypTool is developed in Java and based on Eclipse RCP. The current beta version (called milestone 5, intended for developers and users) was released in September 2009. JCrypTool is platform independent (Windows, Linux, Mac) and makes use of the FlexiProvider (a powerful toolkit developed by TU Darmstadt) and BouncyCastle for the Java Cryptography Architecture (JCA).

Friday, November 6, 2009

Microsoft Security Essentials Antivirus


About Microsoft Security Essentials


Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.
Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.
Learn more at the Microsoft Malware Protection Center
Find information, definitions, and analyses of all the latest threats that Microsoft Security Essentials can help protect you against in the Microsoft Malware Protection Center
Need security for your business? Protect your computers with Microsoft Forefront Client Security
*Your PC must run genuine Windows to install Microsoft Security Essentials. Learn more about genuine