11 open source security tools catching fire on GitHub

Malware analysis, penetration testing, computer forensics -- GitHub hosts a number of compelling tools for securing computing environments of all sizes

The famous tenet that “given enough eyeballs, all bugs are shallow” is a cornerstone of open source development. Known as Linus’s Law, the idea that open code leads to more effective bug detection is often the first thing IT pros think of when it comes to the security upside of the open source model.

Now, thanks to popular code-sharing sites like GitHub, the open source community is increasingly aiding other organizations in securing their own code and systems, offering a wealth of security tools and frameworks for malware analysis, penetration testing, computer forensics, and more.

Following are 11 essential security projects showcased on GitHub. Any admin interested in more secure code and systems should check them out.

Metasploit Framework

Driven by the open source community and security firm Rapid7, Metasploit Framework is an exploit development and delivery system for penetration testing. It features a library of exploits to help assess the security of an application by locating weak points before malicious attackers find them. It can be used to test software for Windows, Linux, Mac, Android, iOS, and other platforms.

“Metasploit is a way for security researchers to express exploits in a fairly common format,” says Rapid7 engineering manager Tod Beardsley. “We have thousands of modules that target all sorts of devices -- regular computers, phones, routers, switches, industrial control systems, embedded devices. There is not a class of software or firmware I can think of that Metasploit would not be useful against.”

Brakeman

Brakeman is a static analysis vulnerability scanner for Ruby on Rails apps that also performs data flow analysis, following values from one part of a program to another. Because it works on the source code rather than a running site, there is no need to set up an entire application stack to use it, according to Justin Collins, author and maintainer of Brakeman.

While not exceptionally fast, Brakeman purports to be faster than “black box” scanners, with large applications taking just a few minutes to scan. Users need to pay attention to false positives, though fixes to reduce them have recently been developed. Brakeman is meant to complement, not replace, a website security scanner that exercises the running application. Collins has no plans to extend it to other platforms, but developers are encouraged to look at the code.
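
To make the data flow idea concrete, here is an added toy taint tracker written in Python for this article; it is not Brakeman's engine and understands far less Ruby than Brakeman does. It treats `params[...]` as the only taint source, follows values through simple local assignments, and flags string interpolation into a handful of ActiveRecord query methods. The controller it scans is constructed for the example, and the list of "sanitizers" (numeric conversions) is an assumption that also shows where false positives and negatives come from.

```python
import re

# Toy taint tracker in the spirit of Brakeman's data flow analysis (added example; it is
# not Brakeman's code). It walks a Rails controller method line by line and only
# understands `params[...]` as the taint source, plain local assignments, and string
# arguments to a few ActiveRecord query methods as the sink.

SOURCE = re.compile(r"params\[")
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$")
SINK = re.compile(r'\.(where|order|group|having|find_by_sql)\(\s*"([^"]*)"')
INTERP = re.compile(r"#\{([^}]*)\}")
# Conversions that turn the value into a number, so interpolating it cannot alter the SQL.
# This list is an assumption of the example; a real scanner models sanitizers more carefully.
SANITIZERS = ("Integer(", "Float(", ".to_i", ".to_f")


def _uses_taint(expr, tainted):
    return bool(SOURCE.search(expr)) or any(re.search(rf"\b{t}\b", expr) for t in tainted)


def scan_ruby(source):
    """Return [(line_no, interpolated_expr, source_line)] for tainted SQL interpolations."""
    tainted = set()        # local variable names that currently hold request data
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            if _uses_taint(rhs, tainted) and not any(s in rhs for s in SANITIZERS):
                tainted.add(name)          # request data flows into this local
            else:
                tainted.discard(name)      # reassigned with a clean (or numeric) value
        for sink in SINK.finditer(line):
            for expr in INTERP.findall(sink.group(2)):
                if _uses_taint(expr, tainted) and not any(s in expr for s in SANITIZERS):
                    findings.append((no, expr.strip(), line.strip()))
    return findings


# Constructed controller: a tainted local, a sanitized one, a local untainted by
# reassignment, a parameterized query (safe), and a direct interpolation of params.
SAMPLE_CONTROLLER = '''
def index
  name = params[:name]
  limit = Integer(params[:limit])
  sort = params[:sort]
  sort = "created_at"
  @users = User.where("name = '#{name}'").order("#{sort}").limit(limit)
  @safe = User.where("name = ?", params[:name])
  @raw = User.find_by_sql("SELECT * FROM users WHERE email = '#{params[:email]}'")
end
'''

if __name__ == "__main__":
    for line_no, expr, text in scan_ruby(SAMPLE_CONTROLLER):
        print(f"line {line_no}: request data {expr!r} interpolated into SQL: {text}")
```

Running it reports lines 7 and 9 of the sample and stays quiet about the parameterized query and the `Integer(...)` conversion. That last decision is exactly the kind of judgement call that produces false positives when the scanner is too conservative and false negatives when it is too trusting, which is why the text recommends pairing Brakeman with a scanner that tests the running site.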

Cuckoo Sandbox

Cuckoo Sandbox is an automated dynamic malware analysis system for examining suspicious files in an isolated environment.

“Its main purpose is to automatically execute and monitor the behavior of any given malware when launched inside a Windows virtual machine. When the execution is completed, Cuckoo will further analyze the collected data and produce a comprehensive report that explains what the malware is capable of,” says project founder Claudio Guarnieri.

Generated data includes native function and Windows API call traces, copies of created and deleted files, and a memory dump of the analysis machine. Processing and reporting can be customized, and resulting reports can be generated in various formats, including JSON and HTML. Cuckoo Sandbox began as a Google Summer of Code project in 2010.
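
The JSON report is what most teams actually consume, usually with their own post-processing rather than by reading it by hand. The following added example (not Cuckoo's own code) triages a report of that kind: it looks for ordered Windows API call sequences inside a single process, a Run-key write, an executable dropped under AppData, and deletion of the sample's own binary, then turns the hits into a score. The report embedded below is constructed, and its layout (behavior.processes[].calls[].api and .arguments, behavior.summary.file_created and friends) is modelled on Cuckoo's JSON output; the exact schema differs between Cuckoo versions, so treat the field names as an assumption to adapt to the reports your sandbox emits.

```python
import json

# Constructed Cuckoo-style report (an assumption about the schema, not real sandbox output).
REPORT_JSON = r'''{
  "info": {"id": 42, "duration": 61},
  "target": {"file": {"name": "invoice.exe"}},
  "behavior": {
    "processes": [
      {"pid": 1412, "process_name": "invoice.exe", "calls": [
        {"api": "CreateFileW", "arguments": {"filepath": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}},
        {"api": "WriteFile", "arguments": {"buffer": "MZ..."}},
        {"api": "OpenProcess", "arguments": {"process_identifier": 884}},
        {"api": "VirtualAllocEx", "arguments": {"protection": 64}},
        {"api": "WriteProcessMemory", "arguments": {"process_identifier": 884}},
        {"api": "CreateRemoteThread", "arguments": {"process_identifier": 884}},
        {"api": "RegSetValueExW", "arguments": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
          "value": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}}
      ]},
      {"pid": 884, "process_name": "explorer.exe", "calls": [
        {"api": "InternetOpenA", "arguments": {"user_agent": "Mozilla/4.0"}},
        {"api": "InternetConnectA", "arguments": {"hostname": "update.example.invalid"}}
      ]}
    ],
    "summary": {
      "file_created": ["C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"],
      "file_deleted": ["C:\\Users\\victim\\Desktop\\invoice.exe"],
      "regkey_written": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"]
    }
  },
  "network": {"domains": [{"domain": "update.example.invalid", "ip": "192.0.2.77"}]}
}'''

# Ordered API sequences a single process must issue (not necessarily adjacently).
API_SEQUENCES = {
    "process_injection": ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "http_download": ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "InternetReadFile"),
}
WEIGHTS = {"process_injection": 5, "run_key_persistence": 3, "dropped_executable": 2,
           "deletes_own_binary": 2, "http_download": 2}


def api_sequence_present(calls, sequence):
    """True if `sequence` occurs as an ordered subsequence of the process's API names."""
    apis = iter(c["api"] for c in calls)           # one shared iterator: each want consumes forward
    return all(any(api == want for api in apis) for want in sequence)


def triage(report):
    """Return [(finding_name, where)] for the behaviours we care about."""
    findings = []
    for proc in report["behavior"]["processes"]:
        tag = f"{proc['process_name']}[{proc['pid']}]"
        for name, seq in API_SEQUENCES.items():
            if api_sequence_present(proc["calls"], seq):
                findings.append((name, tag))
        for call in proc["calls"]:
            key = str(call["arguments"].get("regkey", "")).lower()
            if call["api"].startswith("RegSetValueEx") and "\\currentversion\\run\\" in key:
                findings.append(("run_key_persistence", tag))
    summary = report["behavior"]["summary"]
    for path in summary.get("file_created", []):
        if path.lower().endswith((".exe", ".dll", ".scr")) and "\\appdata\\" in path.lower():
            findings.append(("dropped_executable", path))
    own = report["target"]["file"]["name"].lower()
    for path in summary.get("file_deleted", []):
        if path.lower().endswith("\\" + own):
            findings.append(("deletes_own_binary", path))
    return findings


def score(findings):
    return sum(WEIGHTS.get(name, 1) for name, _ in findings)


def load_report(text=REPORT_JSON):
    return json.loads(text)


if __name__ == "__main__":
    hits = triage(load_report())
    for name, where in hits:
        print(f"{name:22s} {where}")
    print("score:", score(hits))
```

The subsequence check is deliberately order-sensitive: `WriteProcessMemory` followed by `CreateRemoteThread` is what makes the allocation look like injection, whereas the same APIs in another order would not. The second process in the sample opens a WinINet handle but never issues a request, so the download signature correctly stays silent.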

Moloch

Moloch is a scalable IPv4 packet capturing, indexing, and database system that features a simple Web interface for browsing, searching, and exporting. The interface is served over HTTPS with HTTP digest password support, or it can be placed behind Apache for authentication. Moloch is not meant to replace IDS engines.

The software stores and indexes all network traffic in standard PCAP format and can be deployed across many systems, scaling to multiple gigabits per second of traffic. Its components are capture, a single-threaded C application (users can run multiple capture processes per machine); viewer, a Node.js application that provides the Web interface and transfers PCAP files; and Elasticsearch, the database used for searching.

MozDef: The Mozilla Defense Platform

The Mozilla Defense Platform, aka MozDef, is aimed at automating the security incident handling process, enabling defenders to get what attackers have had: a real-time, integrated platform to monitor, react, collaborate on and advance their capabilities, according to project author Jeff Bryner.

MozDef expands traditional SIEM (security information and event management) functionality into collaborative incident response, visualizations, and easy integration into other enterprise systems, Bryner says. It uses Elasticsearch, Meteor, and MongoDB to collect a variety of data and retain it in whatever way is suitable. “You can view MozDef as a SIEM overlay on top of Elasticsearch that facilitates security incident response workflows,” Bryner says. The project started out as a proof of concept within Mozilla in 2013.
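
What an overlay like that buys you is the ability to write one rule across sources that never shared a format. The added example below (not MozDef's code) normalizes two constructed feeds, sshd syslog lines and a web application's JSON login log, into one event document and then runs a brute-force correlation over both. The event field names (utctimestamp, hostname, category, severity, summary, details) follow the general shape of MozDef's events but are an assumption here, as is the year supplied to the syslog parser, since syslog timestamps carry none.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example: normalize two log sources into one MozDef-like event shape, then correlate.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def event(ts, host, summary, src_ip, user, success):
    """Common event document; the field names are an assumption modelled on MozDef's."""
    return {"utctimestamp": ts.isoformat(), "hostname": host, "category": "authentication",
            "severity": "INFO", "summary": summary,
            "details": {"sourceipaddress": src_ip, "username": user, "success": success}}


def normalize_sshd(line, year=2014):
    """Syslog lines carry no year, so the caller supplies it (2014 assumed for the sample)."""
    m = SSHD_FAILED.match(line)
    if not m:
        return None                                  # accepted logins etc. are not modelled here
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return event(ts, m["host"], f"failed ssh login for {m['user']} from {m['ip']}", m["ip"], m["user"], False)


def normalize_webapp(line):
    rec = json.loads(line)
    if rec.get("event") not in ("login_failed", "login_ok"):
        return None
    ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ok = rec["event"] == "login_ok"
    return event(ts, rec["host"], f"web login {'ok' if ok else 'failed'} for {rec['user']} from {rec['src']}",
                 rec["src"], rec["user"], ok)


def correlate_failed_logins(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP that produced >= threshold failures inside any `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e["category"] == "authentication" and not e["details"]["success"]:
            per_ip[e["details"]["sourceipaddress"]].append(datetime.fromisoformat(e["utctimestamp"]))
    alerts = []
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):                # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"severity": "WARNING", "category": "bruteforce",
                               "summary": f"{end - start + 1} failed logins from {ip} within "
                                          f"{int(window.total_seconds())}s",
                               "details": {"sourceipaddress": ip, "first": times[start].isoformat()}})
                break
    return alerts


# Constructed sample logs: four ssh failures plus one web failure from 203.0.113.9 in 24 seconds.
SSHD_LOG = """
Mar 10 12:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 50211 ssh2
Mar 10 12:00:04 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 50212 ssh2
Mar 10 12:00:09 bastion sshd[2205]: Failed password for root from 203.0.113.9 port 50213 ssh2
Mar 10 12:00:15 bastion sshd[2207]: Failed password for oracle from 203.0.113.9 port 50214 ssh2
Mar 10 12:00:20 bastion sshd[2209]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Mar 10 12:00:31 bastion sshd[2211]: Failed password for root from 198.51.100.7 port 40101 ssh2
"""
WEBAPP_LOG = """
{"time": "2014-03-10T12:00:25Z", "host": "web1", "event": "login_failed", "user": "alice", "src": "203.0.113.9"}
{"time": "2014-03-10T12:00:40Z", "host": "web1", "event": "login_ok", "user": "bob", "src": "192.0.2.44"}
{"time": "2014-03-10T12:00:41Z", "host": "web1", "event": "page_view", "user": "bob", "src": "192.0.2.44"}
"""


def run_demo():
    events = [normalize_sshd(l) for l in SSHD_LOG.strip().splitlines()]
    events += [normalize_webapp(l) for l in WEBAPP_LOG.strip().splitlines()]
    return correlate_failed_logins([e for e in events if e])


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert, indent=2))
```

Neither feed alone crosses the threshold of five; only the merged stream does, which is the practical argument for normalizing before correlating rather than writing one rule per log format.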

MIDAS

Based on collaborations between Etsy and Facebook security teams, MIDAS is a framework for building Mac intrusion detection analysis systems, aka MIDASes. The modular framework provides helper utilities and an example module for detecting modifications to OS X persistence mechanisms. The project is based on concepts featured in Homebrew Defensive Security and Attack-Driven Defense presentations. 

“Our mutual goal in releasing this framework is to foster more discussion in this area and provide organizations with a starting point in instrumenting OS X endpoints to detect common patterns of compromise and persistence,” the Etsy and Facebook security teams note in the documentation. MIDAS users can define modules for host-based checks, verifications, analysis, and more.

Bro

The Bro network analysis framework is “really different from what most people associate with intrusion detection,” says Robin Sommer, lead developer of Bro and a senior researcher with the International Computer Science Institute at the University of California, Berkeley.

While intrusion detection systems are generally associated with attack patterns, Bro is really a programming language, making it more powerful than typical systems, Sommer says, in that users can program tasks at a very high semantic level.

Bro looks for attacks and offers contextual information and usage patterns. It offers visibility into machines on a network, tapping into network traffic and looking into network packets; it also provides a platform for more general traffic analysis.

OS X Auditor

OS X Auditor is a free computer forensics tool that parses and hashes artifacts on a running system or on a copy of a system to be analyzed. Artifacts include kernel extensions, system and third-party agents and daemons, the deprecated system and third-party startup items, user-downloaded files, and installed agents. Users’ quarantined files are extracted along with Safari history, Firefox cookies, Chrome history, social and email accounts, and the WiFi access points of the system under audit.

The Sleuth Kit

The Sleuth Kit features a library and a collection of command-line tools for investigating disk images, including volume and file system data. The kit offers a plug-in framework, enabling users to add modules to analyze file contents and build automated systems, for example. 

Tailored for Microsoft and Unix systems, The Sleuth Kit lets investigators identify and recover evidence from disk images or live systems during incident response. Serving as a UI on top of The Sleuth Kit and other tools is Autopsy, a digital forensics platform. “Autopsy is more user-oriented,” says Brian Carrier, founder of both The Sleuth Kit and Autopsy. “The Sleuth Kit is more of a library that people incorporate into their own tools but users do not directly use.”

OSSEC

The OSSEC host-based intrusion detection system performs log analysis, file integrity checks, policy monitoring, alerting, and active response on a variety of systems, including Linux, Mac OS, Solaris, AIX, and Windows.

OSSEC aids organizations in meeting compliance requirements, including PCI and HIPAA, and it can be configured to send alerts when it detects unauthorized file system modifications and malicious behavior embedded in the log files of software and custom apps. A centralized management server manages policies across multiple operating systems. OSSEC is supported by Trend Micro.
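
The file integrity piece of OSSEC, the artifact hashing that OS X Auditor performs, and the persistence-directory checks MIDAS is built around all rest on the same primitive: take a baseline of hashes and metadata, take it again later, and diff the two. The added example below (not the code of any of those projects) implements that primitive in Python and runs it against a constructed temporary tree shaped like an OS X user's `Library/LaunchAgents`, where a new or edited launchd plist is a classic persistence tell. Paths, file contents and the simulated intruder actions are all invented for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Added example: a minimal file integrity check in the style of OSSEC syscheck.


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256, size and mode."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):        # skip symlinks, sockets, devices
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": digest.hexdigest(), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def diff_snapshots(before, after):
    """Return [(change, path, changed_fields)] with change in {added, removed, modified}."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes.append(("added", path, ""))
        elif path not in after:
            changes.append(("removed", path, ""))
        elif before[path] != after[path]:
            fields = ",".join(k for k in before[path] if before[path][k] != after[path][k])
            changes.append(("modified", path, fields))
    return changes


def _write(path, data, mode=0o644):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def run_demo():
    """Build a fake Library tree, baseline it, simulate an intruder, and report the changes."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        agents = os.path.join(root, "Library", "LaunchAgents")
        os.makedirs(agents)
        _write(os.path.join(agents, "com.example.sync.plist"), b"<plist>sync</plist>")
        _write(os.path.join(agents, "com.example.backup.plist"), b"<plist>backup</plist>")
        _write(os.path.join(root, "Library", "helper"), b"#!/bin/sh\necho ok\n", 0o755)
        before = snapshot(root)
        # Constructed intruder actions: edit one agent, add one, remove one, loosen a mode.
        _write(os.path.join(agents, "com.example.sync.plist"), b"<plist>sync + extra ProgramArguments</plist>")
        _write(os.path.join(agents, "com.evil.updater.plist"), b"<plist>/tmp/.payload</plist>")
        os.remove(os.path.join(agents, "com.example.backup.plist"))
        os.chmod(os.path.join(root, "Library", "helper"), 0o777)
        return diff_snapshots(before, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for change, path, fields in run_demo():
        print(f"{change:9s} {path} {fields}")
```

Two details matter in production and are worth keeping even in a toy: hashing in chunks so a multi-gigabyte file does not get read into memory, and recording mode alongside the hash, because a permission change with unchanged content (the `helper` case above) is a finding in its own right. What the example does not do, and a real agent must, is protect the baseline itself from the host it is checking.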

PassiveDNS

PassiveDNS collects DNS records in a passive manner to aid in incident handling, network security monitoring, and digital forensics. The software can be configured to read a pcap (packet capture) file and output DNS data to a log file or to sniff traffic from an interface.

The tool works on IPv4 and IPv6 traffic, parsing DNS carried over both TCP and UDP, and it caches duplicate DNS data in memory to limit the amount of data logged without jeopardizing forensics.
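
Both Moloch and PassiveDNS start from the same raw material, packets in libpcap format, and differ in what they index from them. The added example below (not the code of either project) walks a pcap file, builds a Moloch-style session table keyed by the direction-independent 5-tuple, and separately extracts DNS answers into PassiveDNS-style log lines, using an in-memory cache so that a repeated answer bumps a counter instead of producing a second line. The capture is constructed by the builder functions in the block, so it runs offline; the log line layout is modelled on PassiveDNS's and is an assumption of the example, as is the restriction to IPv4 and UDP, which the real tool does not have.

```python
import struct
# Added example, not Moloch's or PassiveDNS's code: libpcap parsing, a Moloch-style session index,
# and PassiveDNS-style answer logging with in-memory deduplication. The capture is constructed here;
# the log line layout is modelled on PassiveDNS's and is an assumption of the example.

def _name(qname):   # DNS wire-format name, uncompressed
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split(".")) + b"\x00"

def build_dns(txid, qname, qtype, answers=None, ttl=300):
    """Query when answers is None, else a response; answers = [(owner or None = pointer to question, type, rdata)]."""
    flags, ancount = (0x8180, len(answers)) if answers is not None else (0x0100, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + _name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers or []:
        raw = bytes(int(o) for o in rdata.split(".")) if rtype == 1 else _name(rdata)
        msg += (b"\xc0\x0c" if owner is None else _name(owner)) + struct.pack("!HHIH", rtype, 1, ttl, len(raw)) + raw
    return msg

def build_frame(src, dst, sport, dport, payload):   # Ethernet II / IPv4 / UDP; checksums left zero
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames):   # little-endian libpcap file, linktype 1 (Ethernet), from (timestamp, frame) pairs
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, fr in frames:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(fr), len(fr)) + fr
    return out

def sample_capture():
    q = build_dns(0x1A2B, "www.example.com", 1)
    r = build_dns(0x1A2B, "www.example.com", 1,
                  [(None, 5, "edge.example.net"), ("edge.example.net", 1, "93.184.216.34")])
    frames = []
    for t, sport in ((1400000000.0, 40001), (1400000030.0, 40002)):   # the same lookup twice, 30 s apart
        frames.append((t, build_frame("10.0.0.5", "10.0.0.1", sport, 53, q)))
        frames.append((t + 0.02, build_frame("10.0.0.1", "10.0.0.5", 53, sport, r)))
    return build_pcap(frames)

def iter_pcap(data):
    """Yield (ts, src, dst, proto, sport, dport, l4_payload) for each IPv4 TCP/UDP frame."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        fr = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(fr) < 34 or fr[12:14] != b"\x08\x00" or fr[23] not in (6, 17):   # not IPv4 TCP/UDP
            continue
        l4 = fr[14 + (fr[14] & 0x0F) * 4:]
        hlen = 8 if fr[23] == 17 else (l4[12] >> 4) * 4
        yield (sec + usec / 1e6, ".".join(map(str, fr[26:30])), ".".join(map(str, fr[30:34])),
               fr[23], *struct.unpack("!HH", l4[:4]), l4[hlen:])

def index_sessions(pcap):   # Moloch-style session table keyed by a direction-independent 5-tuple
    sessions = {}
    for ts, src, dst, proto, sp, dp, payload in iter_pcap(pcap):
        key = (proto,) + tuple(sorted([(src, sp), (dst, dp)]))
        s = sessions.setdefault(key, {"first": ts, "last": ts, "packets": 0, "payload_bytes": 0})
        s["last"], s["packets"], s["payload_bytes"] = ts, s["packets"] + 1, s["payload_bytes"] + len(payload)
    return sessions

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the caller's stream)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:   # compression pointer: remember where we were, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_answers(msg):   # [(owner, type, rdata, ttl)] from a DNS response, or [] for a query
    _, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off, out = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4   # skip QNAME, QTYPE, QCLASS
    for _ in range(an if flags & 0x8000 else 0):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = (".".join(map(str, msg[off:off + 4])) if rtype == 1 else
                 read_name(msg, off)[0] if rtype == 5 else msg[off:off + rdlen].hex())
        out.append((name, {1: "A", 5: "CNAME"}.get(rtype, str(rtype)), rdata, ttl))
        off += rdlen
    return out

def passive_dns(pcap):
    """One line per unique (name, type, answer); duplicates only increase the trailing count."""
    cache = {}
    for ts, src, dst, proto, sp, dp, payload in iter_pcap(pcap):
        if proto != 17 or sp != 53 or len(payload) < 12:   # only UDP answers from a resolver
            continue
        for name, rtype, rdata, ttl in parse_answers(payload):
            entry = cache.setdefault((name, rtype, rdata), {"ts": ts, "client": dst, "server": src, "ttl": ttl, "count": 0})
            entry["count"] += 1
    return ["%.6f||%s||%s||IN||%s||%s||%s||%d||%d" % (v["ts"], v["client"], v["server"], *k, v["ttl"], v["count"])
            for k, v in cache.items()]
```

Calling `passive_dns(sample_capture())` yields two lines, one for the CNAME and one for the A record, each with a count of 2 although the resolver answered twice; `index_sessions` on the same capture reports two sessions of two packets each because the client used a different source port for the repeat. The cache is keyed on the answer, not on the query, which is what lets a passive DNS log stay small while still recording every name-to-address mapping ever observed.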