Free intrusion software for linux

Trinux is a ramdisk-based Linux distribution that boots from a single floppy or CD-ROM, loads it packages from an HTTP/FTP server, a FAT/NTFS/ISO filesystem, or additional floppies.

Trinux contains the latest versions of popular Open Source network security tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, packet construction, active/passive OS fingerprinting, network monitoring, session-hijacking, backup/recovery, computer forensics, intrusion detection, and more.

Trinux also provides support for Perl, PHP, and Python scripting languages. Remote Trinux boxes can be managed securely with OpenSSH.

Trinux gives you the power of Linux security tools without requiring a full-blown Linux install or the need to download, compile, install, and update a complete suite of security tools that are typically not found in mainstream distributions.

Trinux will boot on any i486 or better with at least 12-16 megabytes of RAM, depending on how many packages are loaded. Hardware support for many common Ethernet cards is provided in the default kerneli and additional NICs are supported via Linux kernel modules.

Trinux 0.7x/0.8x is was developed using Slackware 7.1 and supports the latest 2.2.x kernels and glibc 2.1.x. Trinux 0.8x supports Linux kernel 2.4.x. Trinux was first released in April 1998. Versions up through 0.51 were based on Debian 1.31 binaries linked against libc5. Version 0.6x was built using RedHat Linux 5.2. Trinux utilizes Busybox to replace many common UNIX utilities.

Trinux is released under the terms of the GNU Public License.

Streamline is a high-speed networking subsystem for commodity operating systems. It increases performance by moving processing tasks to the fastest location. Streamline supports in-kernel execution, but also dedicated hardware (NICs) and even remote machines. An implementation of Streamline for Linux 2.6.13 and higher is made publicly available.
The goal of Streamline is to make fast network processing viable for common tasks. Many advanced processing schemes so far fail to make it into OSes, because they are difficult to combine with the socket(..) API or only applicable in a few situations. Our goal is to integrate known as well as develop new methods that replace sockets(..). without burdening application developers and end-users. Streamline achieves this by constructing a tailored dataplane for each application at runtime from an extensible set of functions.
Applications request information streams by specifying a series of abstract functions that need to be performed on incoming data (e.g., select tcp packets for port 80, reassemble into a stream, filter out known attacks). At runtime, streamline searches for implementations of these functions. These can be found in the kernel, in the application library, or in dedicated hardware such as programmable network cards or asymmetric multicores. When all functions are found, interconnecting datapaths are setup. Paths may need to cross the PCI bus, userspace/kernelspace barrier or even LANs. Optimisation of these paths is one of the factors that contributes to Streamlines performance.
The base system comes bundled with functions for pattern matching (Aho Corasick, RegEx), accounting, filtering (among others BPF), stream reassembly, rewriting, inspection, and more. Obvious uses are intrusion detection, network address translation, media streaming and realtime (pre)processing of scientific data.
Enhancements:
- This is mostly a stabilization release, which adds support for Linux kernels up to 2.6.22 and Fedora Core installations.
- The only truly new feature is a virtual filesystem interface (like sysfs) to streamline.
- With this "netmonfs" you can inspect live datastreams as if youre reading local files.
- Setting up streams and filters is easily accomplished through mkdir, open, and other well-known tools.
- Note that netmonfs is still beta quality software.

SIDEN is a distributed network discovery tool used for intrusion detection research. The current SIDEN architecture allows you to simulate coordinated/distributed network probes by a group of attackers.

SIDEN has been tested successfully on the OpenBSD and FreeBSD operating systems. If you try SIDEN and it works on any other platform, please contact me. Yes, it sounds interesting that I havent even tested it out on the popular Linux platform. There should be little reason why it wont work on other platforms (especially UNIX variants), since its fully implemented in Perl.

PushSite provides an utility to update remote site.

Pushsite is intended for updating remote websites -- its like mirroring but in reverse. It only sends the changed/new files to conserve bandwidth. Of course, it has other applications too (e.g. software distribution).

PushSite can detect changes to files held on the local system and update a copy on a remote system via FTP. It can also detect changes made directly to the remote site (basic intrusion detection). Only the amended files are updated thereby conserving bandwidth.

The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense.
To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system. Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data and your clients and/or users still safely accessing the real system.
Life goes on, your data is safe, and you are learning about the bad guy as an added benefit. The system is based on snort, linuxs iproute2, netfilter, and custom code for now.
We have plans on adding additional support in the future if possible.
Enhancements:
- So its beta release day. The final package is up, but largely unannounced. Ive cleaned up the few bugs I knew about, added the blacklisting feature, tested and added features to electr0ns config script, and updated the documentation to the point where I think its very useable and easy to understand.
- I have also added a baitnswitch-users mailing list through sourceforge.

KNOPPIX-NSM is dedicated to providing a framework for individuals wanting to learn about Network Security Monitoring.
We have tryed to do most of the hard work to help get the beginner/newbie up and running fast so they spend more time learning about NSM, leaving the details as a later exercise once familiar with the concepts.
KNOPPIX-NSM is based on the ever popular Knoppix, which means that you can test all the tools in a live session running on the cd without installing to harddrive. KNOPPIX-NSM has the added bonus of be able to install to harddisk so you can deploy a NSM framework into your production network and use it for realtime monitoring.
Some of the benefits include:
Rapid sensor deployment
You can boot you sensors from the live CD, store all data to a local HD partion and have them logging back to a central server.
Complete out of channel Intrusion Detection and Analysis center
With KNOPPIX-NSM you can deploy a complete NSM network to monitor your existing network infrastructure. KNOPPIX-NSM comes pre-configured for deployment of multiple sensors and databases, all you need to do is create the sensor accounts in the database and change some passwords.
Secure
KNOPPIX-NSM has been built with security in mind. All remote communications are over ssl tunnels so that you do not have to be concerned about eaves droppers if you decide to run KNOPPIX-NSM in your main network channels. Another feature is the use of iptables to ensure that only allowed hosts can connect and only necessary services are visible to the network.
Easy console deployment
Need another console, just boot from the cd (setting the host and ip at boot time) and you are up and running straight away.
The intent of KNOPPIX-NSM is to provide a distrubtion with accompanying documentation on the tools that we have selected and how they are put together in the NSM framework.
Main features:
- all remote management over ssl/ssh,
- all tools installed, patched and ready to run,
- automated scripts for easy installation/modification,
- support for bonded network interfaces,
- based on knoppix Live CD,
- debian based when installed to harddrive,
- ease of maintenance through apt-get,

mod_fortress is an application level firewall and intrusion detection system. mod_fortress is designed to intercept certain CGI/HTTP attacks by acting as a non-transparent proxy between an Apache server and an HTTP client.
Main features:
- Detects and Logs common known cgi/http security requests and scans
- SSL support
- Detects all known(and hopefully unknown) Anti-IDS Evasive Scaning methods (Whisker, twwwscan, VoidEye...etc)
- "Fortress In the Middle": Ability to act as a non-transparent proxy to modify HTTP return error codes.
- Custom logging option via a changeable format string.
- Supports Apache 1.3/2.0 (2.0 port by Anton Soudouvstev).