--
hlfl (High Level Firewall Language) permits writing firewall rulesets
using its high level language, and transforms them into rules for
real software, including IPFilter, ipchains, Netfilter and Cisco IOS.
hlfl attempts to make the best use of the features of the underlying
firewall, such that a conversion from stateless to stateful requires
no modification to the original script.
hlfl was initiated by Renaud Deraison, co-founder of the Nessus
Project.
WWW: http://www.hlfl.org/
MAINTAINER= Jason Peel <jsyn@openbsd.org>
--
Encrypt/decrypt stdin using the Advanced Encryption Standard winner
"Rijndael" encryption algorithm in Cipher Block Feedback (stream)
mode. Uses /dev/urandom to create a salt. Prepends the output stream
with salt when encrypting, strips it off when decrypting.
WWW: http://aescrypt.sourceforge.net/
--
Corkscrew is a tool for tunneling SSH through HTTP proxies.
Corkscrew has been tested against the Gauntlet, CacheFlow, and
JunkBuster proxies.
WWW: http://www.agroman.net/corkscrew/
Submitted by Jason Peel <jsyn@nthought.com>
that can be played with ordinary sound players. The phone conversation can
either be played directly from the network or from a tcpdump output file.
Vomit is also capable of inserting wavefiles into ongoing telephone
conversations. Vomit can be used as a network debugging tool, a speaker
phone, etc ...
vomit is written by Niels Provos and the port created by Jason Peel.
--
The Siphon Project is a portable passive network mapping suite. In
the latest public version, Siphon passively maps TCP ports and
performs passive operating system detection. Through the magic of
RFC ambiguity and programmer uniqueness, different machines exhibit
telltale characteristics that enable Siphon to make a fairly accurate
guess at what operating system is running on machines sending packets
out over the wire. The beauty of this method is that our tool does
not need to send out a slew of non-RFC compliant packets that trip
intrusion detection systems. In fact, we send out no packets at
all. Whereas nmap crashes some machines and network hardware when
performing its active OS detection tests, Siphon would never crash
remote machines. Siphon is available for UNIX and Win32.
WWW: http://www.gravitino.net/projects/siphon/
Submitted by Jason Peel <jsyn@nthought.com>
--
The Sentinel project is designed to be a portable, accurate
implementation of all publicly known promiscuous detection
techniques.
These include:
DNS Test - Etherping Test - ARP Test - ICMP Ping Latency Test
--
AIDE (Advanced Intrusion Detection Environment) is a free replacement
for Tripwire. It does the same things as the semi-free Tripwire and
more.
What does it do?
It creates a database from the regular expression rules that it
finds from the config file. Once this database is initialized it
can be used to verify the integrity of the files. It has several
message digest algorithms (md5,sha1,rmd160,tiger,haval,etc.) that
are used to check the integrity of the file. More algorithms can
be added with relative ease. All of the usual file attributes can
also be checked for inconsistencies. It can read databases from
older or newer versions. See the manual pages within the distribution
for further info. There is also a beginning of a manual.
WWW: http://www.cs.tut.fi/~rammer/aide.html
*) Fixed a format string bug which is exploitable if --batch is not used.
*) Checked all translations for format strings bugs.
*) Removed the Russian translation due to too many bugs.
*) Fixed keyserver access and expire time calculation.
ok maintainer
---
This module offers some high level convenience functions for accessing
web pages on SSL servers, a sslcat() function for writing your own
clients, and finally access to the SSL api of SSLeay package so you can
write servers or clients for more complicated applications.
an object-oriented method for interacting with GnuPG, being able
to perform functions such as but not limited to encrypting, signing,
decryption, verification, and key-listing parsing.
shared memory coprocess interface that gpg provides for its wrappers.
It tries its best to map the interactive interface of the gpg to a
more programmatic model.
patch from:
Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
# http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff
# http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff.asc
It introduces additional consistency checks, as suggested by the
authors of the paper. The checks are slightly different, but they
make the two additional attacks infeasible, I think. In the future,
it might be a good idea to add a check the generated signature for
validity, this will detect bugs in the MPI implementation which could
result in a revealed secret key, too.
ok markus@
This is Crypt::CBC, a Perl-only implementation of the cryptographic
cipher block chaining mode (CBC). In combination with a block cipher
such as Crypt::DES or Crypt::IDEA, you can encrypt and decrypt messages
of arbitrarily long length.
--
This release fixes a bug in pid creation. If a user specified -P /dirname
instead of -P /dirname/ stunnel would assume that it's a file, delete it and
create a new one. Now stunnel makes sure if it's really a file.
Based on a tarball from Shell Hung <i@shellhung.org>
--
This module sprung out of a need to do one thing and one thing only,
do it securely, and do it well. This module creates and checks
detached signatures for data. That's it. If you want to do anything
else that PGP lets you do, look elsewhere.
--
Compared to the previous release, this version brings amongst other
changes the following:
o Support for giving interfacenames as internal/external address.
o contrib/ directory added.
o contrib/sockd-stat.awk, provides statistics based on sockd logfiles.
Contributed by Stephan Eisvogel <eisvogel@hawo.stw.uni-erlangen.de>.
o If gethostbyname() fails, treat it as if resolveprotocol was set to
fake, meaning we hope the socksserver will be able to resolve it.
Will presumably make certain dns configurations work better for
client.
See the NEWS file for a more complete list.
is to provide a powerful and extensible environment for solving
classical (pen-and-paper) ciphers, providing as much automation as
possible. Classical ciphers include common schemes like monoalphabetic
substitutions, where each letter of the alphabet is mapped to another
(usually different) letter consistently through the text. The first
version of Crank is restricting itself to these special ciphers. Other
algorithms forever devoid of Crank's attentions include Enigma, RSA,
DES, MurkelFish, or anything else invented after 1900.
NEWS:
- Due to an endianness handling problem Blowfish algorithm was not compatible
with other implementations. Now it has been corrected. If you want
to access the old algorithm used use the "blowfish-compat" module.
- Fixes in mcrypt_list_algorithms() for some systems. Bugs pointed out by
Jonathan Woolmington <jwool@ind.tansu.com.au>
- Fixes in stream mode.
- mcrypt_generic_init() no longer fails if smaller key is used. It uses
the most appropriate key size of the algorithm and pads with zeros.
- Fixes in wake algorithm (and support for IV).
- IV is now used in arcfour (arcfour-iv is now longer used).
Speedups in Arcfour.
disk all the files shared and the documents printed in a LanManager
environnement (all the Microsoft and Samba machines using LanManager
protocol to share data).
This is a proof of concept to show that LanManager (CIFS) is an
extremely insecure protocol.
It has been pointed out that there is another bug in the signature
verification code of GnuPG.
* This can easily lead to false positives *
All versions of GnuPG released before today are vulnerable!
To check a detached singature you normally do this:
gpg --verify foo.sig foo.txt
The problem here is that someone may replace foo.sig with a standard
signature containing some arbitrary signed text and its signature,
and then modify foo.txt - GnuPG does not detect this - Ooops.
The solution for this problem ist not easy and needs a change in the
semantics of the --verify command: It will not any longer be
possible to do this:
gpg --verify foo.sig <foo.txt
Instead you have to use this
gpg --verify foo.sig - <foo.txt
The difference here is that gpg sees 2 files on the command lines
and thereby knows that it should check a detached signature. We
really need this information and there is no way to avoid that
change, sorry. You should make sure that you never use the first
form, because this will lead to false positives when foo.sig is not
a detached signature - gnupg does detect the other case and warns
you, but this is not sufficient. If you use GnuPG from other
applications, please change it.
ok markus@
Version 3.9, 2000.12.13:
* Updated temporary key generation:
- stunnel is now honoring requested key-lengths correctly,
- temporary key is changed every hour.
* transfer() no longer hangs on some platforms.
Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.
--
mcrypt is intended to be a replacement of the old unix crypt(1)
under the GNU General Public License. Unix crypt(1) was a popular
file encryption program in unix boxes.
It was based on the Enigma encryption algorithm but it was considerable
trivialized. Since this was not adequate, even for individual privacy
needs, mcrypt was created as a similar program using some modern
block encryption algorithms.
Mcrypt also has a compatibility mode with unix crypt(1) and with
Solaris des(1). It supports all the algorithms and modes found in
libmcrypt and it is very extendable.
At the time writing this, it supports the algorithms: BLOWFISH,
TWOFISH, DES, TripleDES, 3-WAY, SAFER, LOKI97, GOST, RC2, RC6, MARS,
IDEA, RIJNDAEL, SERPENT, CAST, ARCFOUR and WAKE.
Block algorithms are implemented in modes: CFB, CBC, ECB, OFB (8
bit and n bit, where n is the size of the algorithm's block length).
For a brief description of the algorithms and the modes look at the
mcrypt manpage (this may be out of date). In mcrypt it is on the
user to decide which algorithm he considers best for encrypting his
data.
--
libmcrypt is the library which implements all the algorithms and
modes found in mcrypt. It is currently under development but it
seems to work pretty good.
Unlike most encryption libraries libmcrypt does not have everything
(random number generators, hashes, hmac implementation, key exchange,
public key encryption etc.). Libmcrypt only implements an interface
to access block and stream encryption algorithms.
Its purpose was to assist in the development of mcrypt by providing
a uniform interface to access several different encryption algorithms,
so that the main program is independent of the encryption algorithms
and the modes used.
Libmcrypt supports the algorithms: BLOWFISH, TWOFISH, DES, TripleDES,
3-WAY, SAFER-sk64, SAFER-sk128, SAFER+, LOKI97, GOST, RC2, RC6,
MARS, IDEA, RIJNDAEL-128 (AES), RIJNDAEL-192, RIJNDAEL-256, SERPENT,
CAST-128 (known as CAST5), CAST-256, ARCFOUR and WAKE. Block
algorithms can be used in: CBC, ECB, CFB and OFB (8 bit and n bit,
where n is the size of the algorithm's block length).
*** Tuesday, November 21, 2000 -- Dante v1.1.6
o fix a bug related to hostnamelength parsing in server.
Thanks to "Thomas Jarosch" <thomas.jarosch@styletec.de>.
*** Monday, October 16, 2000 -- Dante v1.1.5
o New prototype for gethostbyaddr in RedHat 7.0 added.
First reported by Paul R Streitman <prs@us.ibm.com>.
o RedHat needs libnsl for tcpwrappers to work.
*** Thursday, October 5, 2000 -- Dante v1.1.4
o fix bug affecting clients going through socks v4 servers.
Reported and nicely diagnosed by Jack Keane (jkeane@OpenReach.com).
o increase default listen backlog to 511, based on request by
Doug Hardie (bc979@lafn.org).
*** Monday, September 25, 2000 -- Dante v1.1.3
o some fixes/additions to example/ files.
o HP-UX 11.00 should now work.
Thanks to Malte Cornils <malte@cornils.net> for testing.
o httpproxysupport in client (meaning "socksify" can work
when going through webproxies too).
o expire badmarking on bad/non-working routes/proxyservers after
configured time. Default to never expiring, as in previous
versions. See BADROUTE_EXPIRE in config.h.
o say what address we expected the bindreply to come from in
"unexpected bindreply ..."
o don't close controlconnection if another socket is using it.
Fixes a bug triggered when using the bindextension in certain
cases. Problem reported by Jacques A. Vidrine (n@nectar.com).
o compilation outside source directory fixed, based on patch from
NISHIMURA Daisuke <nishi@graco.c.u-tokyo.ac.jp>
o bsdi uses elf; NISHIMURA Daisuke <nishi@graco.c.u-tokyo.ac.jp>
o dlib/hostcache.c now compiled again. First reported by
"Jacques A. Vidrine" <n@nectar.com>
--
This Perl module provides support for the https protocol under LWP,
so that a LWP::UserAgent can make https GET & HEAD & POST requests.
Please see 'perldoc LWP' for more information on POST requests.
- Decapitalize first letter of comment if appropriate.
- Remove trailing blank lines.
- Remove punctuation.
- Remove version numbers which are often overlooked when updating.
- espie@ ok
It now FAKEs, and installs in a nice clean CPAN way
- CONFIGURE_STYLE is perl now, remove a lot of old manual code
- remove all old patches, and add in a new one which cleans up
the program a bit (remove small linux specific hacks)
thanks to brad@ for the review
