Free detecting software for linux

arpdetect is a perl script to detect when the network youre connected to changes, and run some commands when that happens. It does this by detecting a MAC address of some host you specify (usually a router). Actions can be re-run at a predetermined period with crond.


I needed something that detected when I was on a new network and did some stuff. Like, if I was at work, I wanted to rsync some pictures to my server there, or if I was at home, I wanted to backup my mail. Things like that. I figured the easiest way was to arping for a box I knew would always be there (like the router) and run commands at that time. Of course, you may need to re-run these commands every once and a while, so it has that support as well. Take it for a spin, let me know what you think.

Install should be pretty easy; download and install the perl modules required:
Getopt::Long
XML::Simple
Proc::Daemon
and copy the program to where you like it to be (I recommend /usr/local/bin). Config the thing to do stuff the way you like it in some config file (I like putting it in /usr/local/etc/arpdetect.xml) and run it! You can do that w/ the included init.d script for RedHat, or by typing a command similar to the following:
/usr/local/bin/arpdetect -c /usr/local/etc/arpdetect.xml
If somethings not quite what you expect, or need something else, or it just plain works, let me know!

VulnDetector is a project aimed to scan a website and detect various web based security vulnerabilities in the website.

Currently, VulnDetector can detect Cross Site Scripting (XSS) and SQL Injection (SQLI) vulnerabilities on a web based script, but has no easy to use interface. You must edit the script itself to change the settings at the top, and run the program.

VulnDetector is in the experimental stages, with a planned user interface and the debug displays taken out of it.

AddressTangler is a PHP function that helps you protect email addresses that you need to add to a web page from spam bots.
The project uses a simple HTML/CSS trick: The email address is divided into groups of letters, then each group is placed on a table cell, but not sequentially. If a bot browses the HTML code or strips out all the tags from it, it wont find the email address (which is shown correctly when the browser displays the page) but instead a mixed set of groups of letters.
The address, even if correctly displayed, cannot be selected nor copied/pasted. It must be manually typed.
How to use it
It is quite easy to use this function. You only need to give it the email address as a parameter, and it will return the HTML TABLE code.
Remember to copy the at.php file to your webpage folder and add a line like this to the beginning of your PHP code:
require "at.php";
Also remember to add the CSS definition for the table cells to the page with class "at_r1" as follows:
TD.at_r1 {vertical-align:bottom;}
(Note: since the result is a simple HTML table, you dont need to use this function if your page is made with just HTML. You can simply copy the HTML code written on this page and correct it according to the email address that you need to display.)
Version restrictions:
- Keep in mind that not only spam bots will have trouble detecting the email address: the text-to-speech software used by blind users will likely also be affected.
- So, if you plan to make your email address accessible to them, you must provide a second way to publish it. At the present time, this is out of the scope of this project. (perhaps in the future...)
- A possible solution could be to try to describe the address. But even if this results in a high security level, it would be hard to implement it into an automatic function. Also, it could be annoying to hear and complex to understand when used with addresses that make use of many random numbers and letters.

devialog project is a syslog anomaly detection.
Main features:
- Is a behavior/anomaly/signature-based syslog intrusion detection system
- Detects new unknown attacks via anomalies in syslog
- Fits comfortably in heterogeneous Unix/Linux/*BSD environments at the core of a central syslog server
- Generates its own signatures
- Can email anomalies with included generated signatures in to administrators to ignore future similar events
Present log-based IDS:
Nearly all present log-based intrusion detection systems operate using a pre-defined known signature base, usually painstakingly created by hand. They can work well if the creator knows exactly all error and informational messages the software on a system(s) will write to syslog. Most overworked administrators wish there was an easier way to handle system logfiles in a sane, time-saving fashion. Present log-based intrusion detection systems have difficulty in detecting new attacks.
How devialog Differs:
devialog makes syslog parsing far less of a chore than it previously has been. It is functionally the inverse of standard log monitoring software. devialog, by default, reports on what is not know in its signature base, i.e. anomalous. This type of intrusion detection system is considered behavior-based, or anomaly detection. Reporting can be in the form of an email for each anomalous log, or an email for all the logs sent within a pre-defined time window. devialog can also execute commands, or simply write all anomalies to a file for periodical review.
Signature Creation:
For log-based anomaly detection to operate effectively, one must create an extremely large signature base. With an included utility, devialogsig, the signatures are created automatically. Future signature additions are as simple as a cut and paste from the alert email.
Usage: devialog.pl [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]
The following single-character options are accepted:
With arguments: -c
Boolean (without arguments): -d -h -v
Enhancements:
- Bug fixes include better handling of lines with some special characters.
- A timing error was fixed within alert generation: sometimes alerts would be sent inadvertently based on the timing of a new log arriving as an alert was sent out in specific high-volume log situations.
- Altered signature generation creates more exact regular expressions.

devmon is a daemon that monitors sys-fs files in order to detect plugs of usb storage devices (ie : flash cards).

When a device is detected, devmon mounts it and start a dockapp that allows to launch your favorite filemanager (left click) or unmount the device (right click).

For 2.6 kernel users only!

Motion is a program that monitors the video signal from one or more cameras and is able to detect if a significant part of the picture has changed. Or in other words, it can detect motion.
The program is written in C and is made for the Linux operating system.
Motion is a command line based tool. It has absolutely no graphical user interface. Everything is setup either via the command line or via a set of configuration files (simple ASCII files that can be edited by any ASCII editor).
The output from motion can be:
- jpg files
- ppm format files
- mpeg video sequences
Main features:
- Taking snapshots of movement
- Watch multiple video devices at the same time
- Watch multiple inputs on one capture card at the same time
- Live streaming webcam (using multipart/x-mixed-replace)
- Real time creation of mpeg movies using libavcodec from ffmpeg
- Take automated snapshots on regular intervals
- Take automated snapshots at irregular intervals using cron
- Sending an e-mail when detecting movement
- Sending a SMS message when detecting movement
- Execute external commands when detecting movement
- Motion tracking
- Feed events to an MySQL or PostgreSQL database.
- Feed video back to a video4linux loopback for real time viewing
- Web interface using Motion Related Projects such as motion.cgi, Kenneths Webcam Package, Kevins Webpage, X-Motion and many more.
- User configurable and user defined on screen display.
- Control via xml-rpc - small control binary to control motion while running
- Automatic noise and threshold control
- Ability to control the pan/tilt of a Logitech Sphere (or Orbit) camera
- Highly configurable display of text on images.
- High configurable definition of path and file names of the stored images and films.
Enhancements:
- V4L2 devices are now supported along with V4L2_bayer, SN9C10X, MJPEG, and UYVY.
- Device status was enhanced.
- Debian packaging was improved.
- The SWF codec for movie creation was added.
- ucvideo track pan/tilt support was added.
- A FreeBSD directory for building ports was added.

listener is a typical security-related program like the motion package (which detects motion on a Webcam): it listens for sound.

If listener detects any sounds, it starts recording until the sound stops (or a bit later, which is configurable). It stores the audio in .WAV files.

I would like to add a low-, high- and bandfilter to listener (plugins). Ive googled but could not find a simple example on how to implement this. So if anyone can help me?