ddos
Panoptis 0.1.4
Panoptis plans to create a network security tool (N-IDS) to detect and block DoS and DDoS attacks. The programming language is C++, and the input is provided by routers.
First, you need a router that exports NetFlow(TM) data. Versions 1, 5 and 8 are supported, although version 8 has not been tested AT ALL. You also need a server for accepting data and processing it.
In order to compile the software you need a C++ compiler (tested only with g++ for the time being) and the CommonC++ library (found at http://www.gnu.org/software/commonc++/CommonC++.html). At the moment the software has been linked against and tested with commoncpp2-1.0.9.
YOU WILL ALSO NEED g++ VERSION 3.x!!! This is very important! Compiling with g++ 2.95.x or earlier versions causes segmentation faults in some cases. This has to do with CommonC++, not Panoptis.
Before you can use the software, you must also have read SNMP access to your router. That is only needed by the speeds.py script that collects some initial information (the .py extension should already make you think you'll need the Python programming language installed -- that's true).
Enhancements:
- Update so that Panoptis compiles and runs on newer systems (GCC 3.3.5, CommonC++2 1.5.3).
- No new features, unfortunately.
Download (0.59MB). Added: 2006-11-28. License: GPL (GNU General Public License).
psad 1.4.6
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic.
psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap.
When combined with fwsnort, psad is capable of detecting approximately 50% of all Snort rules, including those that inspect the application portion of IP packets. In addition, psad makes use of various packet header fields associated with TCP SYN packets to passively fingerprint remote operating systems (in a manner similar to p0f) from which scans originate. For more information, see the complete list of features offered by psad.
psad is developed with three main principles in mind:
- Good network security starts with a properly configured firewall.
- A significant amount of intrusion detection data can be gleaned from firewall logs, especially if the logs provide information on nearly every field of the network and transport headers (and even application layer signature matches, as in Netfilter's case).
- Suspicious traffic should not be detected at the expense of trying to also block such traffic.
Enhancements:
- Added ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX to allow filtering on logging prefixes.
- Added code to save DShield email to a file.
- Added IPTABLES_PREREQ_CHECK to allow the administrator to control the frequency of Netfilter checks (for auto-block compatibility).
- Added IGNORE_LOG_PREFIXES to allow certain log prefixes to be completely ignored by psad.
- Added classification.config file from Snort-2.3.3 so that psad can assign danger levels based upon Snort rule class type. This is useful when also running fwsnort.
- Added snort_rule_dl to allow psad to assign specific danger level values to particular signatures. This is useful if you want to define certain Snort rules as being particularly evil (or not). Running fwsnort is also necessary to take advantage of this feature.
- Added reference.config so that psad can include reference information in email alerts that are derived from attacks detected by fwsnort.
- Updated to Snort-2.3.3 signatures.
Download (0.46MB). Added: 2006-07-13. License: GPL (GNU General Public License).
fwsnort 1.0
fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.
fwsnort accepts command line arguments to restrict processing to any particular class of snort rules such as "ddos", "backdoor", or "web-attacks". Processing can even be restricted to a specific snort rule as identified by its "snort id" or "sid".
fwsnort utilizes the iptables string match module (together with a custom patch that adds a --hex-string option to the iptables user space code) to detect application level signatures.
fwsnort (optionally) makes use of the IPTables::Parse module (to be submitted to CPAN) to translate snort rules for which matching traffic could potentially be passed through the existing iptables ruleset.
Main features:
- Detection for tcp syn, fin, null, and xmas scans as well as udp scans.
- Detection of many signature rules from the snort intrusion detection system.
- Forensics mode iptables logfile analysis (useful as a forensics tool for extracting scan information from old iptables logfiles).
- Passive operating system fingerprinting via tcp syn packets. Two different fingerprinting strategies are supported: a re-implementation of p0f that strictly uses iptables log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
- Email alerts that contain tcp/udp/icmp scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
- Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the iptables string match extension and fwsnort.
- Icmp type and code header field validation.
- Configurable scan thresholds and danger level assignments.
- Iptables ruleset parsing to verify "default drop" policy stance.
- IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
- DShield alerts.
- Auto-blocking of scanning IP addresses via iptables and/or tcpwrappers based on scan danger level. (This is NOT enabled by default.)
- Status mode that displays a summary of current scan information with associated packet counts, iptables chains, and danger levels.
Enhancements:
- This is a major update to add the ability to send packets that match content or uricontent criteria to userspace via the iptables QUEUE or NFQUEUE targets.
- This can be used to speed up snort_inline IPS.
- A fwsnort mailing list was added.
- A bug was fixed to remove any existing jump rules from the built-in INPUT, OUTPUT, and FORWARD chains before creating new jump rules. This allows the fwsnort.sh script to be executed multiple times without creating a new jump rule in the fwsnort chains for each execution.
Download (0.28MB). Added: 2007-04-22. License: GPL (GNU General Public License).
XSS Shell 0.3.9
XSS Shell script is a powerful XSS backdoor. XSS Shell allows interactively getting control over a Cross-site Scripting (XSS) vulnerability in a web application.
It demonstrates the real power and damage of Cross-site Scripting attacks.
Enhancements:
Regenerating Pages
- This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keeps the user in a virtual environment. Thus even if the user clicks any link in the infected page, he or she will still be under control (within cross-domain restrictions). In normal XSS attacks, when the user leaves the page you can't do anything.
- Secondly, this feature keeps the session open, so even if the victim follows an outside link from the infected page the session is not going to time out and you will still be in charge.
Keylogger
- Mouse Logger (click points + current DOM)
Built-in Commands:
- Get Keylogger Data
- Get Current Page (Current rendered DOM / like screenshot)
- Get Cookie
- Execute supplied javaScript (eval)
- Get Clipboard (IE only)
- Get internal IP address (Firefox + JVM only)
- Check the victim's visited URL history
- DDoS
- Force the victim's browser to crash
Version restrictions:
- Keylogger does not work on IE
- Possibly not going to work for framed pages because of frame regeneration.
- Does not work on Konqueror
Enhancements:
- Connection drop timeout check. If your XSS Shell server is down or the connection dropped because of the victim, it'll try to repair itself.
- DoS and Crash commands added
Download (0.83MB). Added: 2007-04-05. License: GPL (GNU General Public License).
Alfandega Firewall 2.2.2
Alfandega is a strong and modular IpTables firewall. With Alfandega you can provide NAT, port-forwarding, spoofing list, blacklist of crackers and spyware sites, protection for tcp/udp scans, DOS/DDOS and Smurf attacks, TCP tuning, DHCP and PPP support and much more (this depends on your imagination).
To view the install instructions read the ./INSTALL file.
To read the terms of licence Alfandega released under see ./COPYING.
To know what other software Alfandega requires proceed to ./REQUIRES reading.
Note: Slackware and other non-rpm distro users must read the ./INSTALL file carefully. Debian packages are not supported yet.
Enhancements:
- Added Configurator
- Moved chains.conf, modules.conf and run-scripts.conf
- acl.conf and interfaces.conf concatenated with alfandega.conf
- ACLs are now called NVLs (because of confusion with filesystem ACLs)
- Some changes in addons engine
Download (0.063MB). Added: 2006-06-21. License: GPL (GNU General Public License).
Script for a multi-homed firewall 1.2b2
Script for a multi-homed firewall is an example IPTables 1.2.1 script for a dual-homed firewall.
This script has not yet been tested thoroughly on a dual-homed firewall. If you find any problems, please drop me an email.
Current versions and documentation are available at http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/
## User-defined Chains ##
KEEP_STATE
The KEEP_STATE chain holds a few rules for generic stateful packet filtering.
This chain is called from many of the INPUT/OUTPUT chains to DROP "INVALID"
and perhaps "UNCLEAN" packets and allow other packets from "RELATED" or
"ESTABLISHED" connections.
CHECK_FLAGS
The CHECK_FLAGS chain contains a few rules to filter based on TCP flags.
These rules do indeed filter mainly bogus/malicious traffic (scans, etc.). It
would be a good idea to keep an eye on what these rules send to the logs.
Null scans are also logged and dropped, in the mangle table.
DENY_PORTS
The DENY_PORTS chain contains a few rules to DROP and/or LOG packets based
on the source and/or destination port number of the packet.
Packets destined to/from the following ports are dropped by default in the script. These are just some examples of some commonly used ports that certain daemons/trojans/DDoS agents may utilize.
## TCP ##
137:139 SMB
2049 NFS
6000:6063 X
20034 Netbus 2 Pro
12345:12346 Netbus
27374 SubSeven
27665,27444,31335 Trinoo
10498,12754 Mstream
## UDP ##
2049 NFS
31337 BO2k
27444,31335 Trinoo
10498 mstream
These are just examples to stare at. They guarantee no real protection against the associated trojans.
For more common port numbers check out:
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
ALLOW_PORTS
The ALLOW_PORTS chain simply ACCEPTs packets based on port number. If you have
a default FORWARD policy of DROP, then you would need to utilize a chain like
this if you are DNATing/routing connections behind the firewall or perhaps
running services on(!!!) the firewall.
ALLOW_ICMP
The ALLOW_ICMP chain simply allows packets based on ICMP type. Currently
the firewall allows the flow of the following ICMP types:
Echo Reply (pong)
Destination Unreachable
Echo Request (ping)
TTL Exceeded (traceroute)
SRC_EGRESS && DST_EGRESS
The SRC_EGRESS and DST_EGRESS chains filter packets that have a source or
destination IP address matching an array of private or reserved subnets.
TOS_OUTPUT
The TOS_OUTPUT chain exists in the mangle table and mangles the TOS (Type
of Service) field in the IP header of locally generated, outgoing packets.
TOS_PREROUTING
The TOS_PREROUTING chain exists in the mangle table and mangles the TOS (Type
of Service) field in the IP header of packets being routed through the firewall.
The following user-defined chains are pretty obvious. The firewall script is designed to have a user-defined INPUT and OUTPUT chain for every available interface. From these user-defined chains are called the user-defined chains mentioned above, which I call "Special Chains". The chains below are then called by the built-in INPUT/OUTPUT/FORWARD chains. This isn't really the rule, of course; a lot of the user-defined chains mentioned above are called directly from the built-in INPUT/OUTPUT/FORWARD chains. This is done to assure proper flow of the packets through the filters.
EXTERNAL_INPUT
INTERNAL_INPUT
DMZ_INPUT
LO_INPUT
EXTERNAL_OUTPUT
INTERNAL_OUTPUT
DMZ_OUTPUT
LO_OUTPUT
Added: 2007-02-13. License: GPL (GNU General Public License).