LiFTeR: Changes for April 17, 2020
- daq{,-devel,-modules}-2.0.7-10.1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and daq{,-devel,-modules}-2.0.7-10.1.{fc31,el7,el8}.x86_64.rpm -
The Data Acquisition Library (DAQ) is a library used by snort.
This release differs from the daq packages provided by Fedora and EPEL because it contains the static libraries required by snort.
- snort-2.9.16-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.16-1.{fc31,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
- snort-sample-rules-2.9.16-1.{fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
- snort-openappid-2.9.16-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.16-1.{fc31,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option passed to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
- bulk_extractor-1.6.0-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and bulk_extractor-1.6.0-2.{fc31,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This version fixes many issues.
In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
This version was rebuilt to add SQLite and LibXML build dependencies.
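As an added example (not code from the bulk_extractor project or from this release), the following POSIX shell functions read a feature file of the layout described above, rebuild the per-feature histogram from it, and turn a plain offset into a dd command for carving context out of a raw image. The feature file content is constructed here to stand in for real bulk_extractor output, and the function names are ours.

```shell
#!/bin/sh
# Added example: read a bulk_extractor feature file and rebuild the
# histogram. Not code from bulk_extractor or from this release.
# Feature file lines are <offset><TAB><feature><TAB><context>;
# lines starting with '#' are the header bulk_extractor writes.

# Constructed sample standing in for an email.txt feature file.
sample_feature_file() {
    printf '# BULK_EXTRACTOR-Version: 1.6.0\n# Feature-Recorder: email\n'
    printf '%s\t%s\t%s\n' \
        1048576 alice@example.com 'From: alice@example.com <alice' \
        1049200 bob@example.org   'To: bob@example.org, alice@' \
        2097152 alice@example.com 'Reply-To: alice@example.com' \
        3145728 carol@example.net 'Cc: carol@example.net'
}

# Number of feature records in file $1 (header lines skipped).
feature_count() {
    awk -F'\t' '!/^#/ && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# Histogram in bulk_extractor's own "n=<count><TAB><feature>" layout,
# most frequent first, ties broken by feature text.
feature_histogram() {
    awk -F'\t' '!/^#/ && NF >= 2 { c[$2]++ }
                END { for (f in c) printf "%d\t%s\n", c[f], f }' "$1" |
        sort -k1,1nr -k2,2 |
        awk -F'\t' '{ printf "n=%s\t%s\n", $1, $2 }'
}

# The single most common feature: the one to look at first.
top_feature() {
    feature_histogram "$1" | head -n 1 | cut -f2
}

# Only a plain decimal offset is a byte offset into the image. Values
# such as "1048576-ZIP-0" are forensic paths into a decompressed object
# and must not be handed to dd.
is_plain_offset() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# Print the dd command that reads $3 bytes of raw image $1 from offset $2.
carve_cmd() {
    is_plain_offset "$2" || { echo "not a byte offset: $2" >&2; return 1; }
    printf 'dd if=%s bs=1 skip=%s count=%s\n' "$1" "$2" "$3"
}
```

Run the functions against a real feature file such as email.txt from a bulk_extractor output directory; the histogram they produce should match the email_histogram.txt written next to it.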
- libewf-experimental{,-devel,-tools,-python3}-20200405-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libewf-experimental{,-devel,-tools,-python2}-20200405-1.el6.{i686,x86_64}.rpm,
libewf-experimental{,-devel,-tools,-python36}-20200405-1.el7.x86_64.rpm, and libewf-experimental{,-devel,-tools,-python3}-20200405-1.{fc31,el8}.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs its files under /usr/local so that it can optionally be installed alongside the conventional Libewf packages, whose contents are installed under /usr.
When both are installed, which copy of a tool such as ewfinfo runs depends on whether /usr/local/bin precedes /usr/bin in your PATH; check with "command -v ewfinfo", and use ldd on that binary to see which libewf shared library it loads.
The Libewf-Experimental packages have been placed in the forensics-test repository. You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
sudo dnf config-manager --set-enabled forensics-test
or this command for CentOS/RHEL 6 and 7:
sudo yum-config-manager --enable forensics-test
- python{2,36}-psutil-5.7.0-2.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
Note that the Python 2 version is now provided and the Python 3 version no longer obsoletes the Python 2 version.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-1.{fc31,el7,el8}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
Note: The version of SiLK that was released on 2019-10-24 contained some bugs that were fixed in the version dated 2019-10-28.
This release contains those fixes.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-2.{fc31,el6,el7,el8}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository named forensics-sip that is now part of cert-forensics-tools-release; its definition is in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script /usr/bin/EnableSilkWithIPA as root.
Note: The version of SiLK that was released on 2019-10-24 contained some bugs that were fixed in the version dated 2019-10-28.
This release contains those fixes.
- analysis-pipeline-5.11.3-4.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.3-4.{fc31,el7,el8}.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use silk 3.19.0 release 3.
- prism-1.2-9.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and prism-1.2-9.{fc31,el7,el8}.x86_64.rpm -
The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This package was rebuilt to use silk 3.19.0.
- super_mediator-1.7.1-3.{fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.1-3.{fc31,el7,el8}.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This package was rebuilt to use silk 3.19.0.
- libfsapfs{,-devel,-python2,-python3}-20200416-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2}-20200416-1.el6.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-python36}-20200416-1.el7.x86_64.rpm, and libfsapfs{,-devel,-python2,-python3}-20200416-1.{fc31,el8}.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
- pfring-7.6.0-2903.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
- pfring-dkms-7.6.0-2903.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- ndpi-3.2.0-2375.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
- fmem-kernel-modules-fc31-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.5.16-200 for FC31
- lime-kernel-modules-fc31-x86_64-1.1.r17-19.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.5.16-200 for FC31
- fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.5.16-100 for FC30
- lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-35.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.5.16-100 for FC30
- fmem-kernel-modules-el8-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
- 4.18.0-147.8.1 for EL8
- lime-kernel-modules-el8-x86_64-1.1.r17-6.noarch.rpm -
Support for the following kernels was added for LiME:
- 4.18.0-147.8.1 for EL8
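The fmem and LiME modules listed above are built per kernel, so a module loads only on the exact kernel release it was built for. As an added example (not part of these packages or of the LiME project), the following shell functions select the LiME module that matches uname -r before calling insmod with LiME's path= and format= module parameters, and refuse to load anything on an unsupported kernel. Assumptions: the modules are laid out as lime-<kernel release>.ko in a directory passed as the first argument (the package's own install path is not stated on this page), and the short versions listed above correspond to full kernel releases such as 5.5.16-200.fc31.x86_64.

```shell
#!/bin/sh
# Added example: pick the LiME module built for the running kernel.
# Not part of the lime-kernel-modules package or the LiME project.
# Assumption: modules are stored as <dir>/lime-<kernel release>.ko.

# Print the path of the module for kernel release $2 under $1, or fail.
find_lime_module() {
    mod="$1/lime-$2.ko"
    [ -f "$mod" ] || return 1
    printf '%s\n' "$mod"
}

# Print the kernel releases that have a packaged module under $1.
list_supported_kernels() {
    for f in "$1"/lime-*.ko; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        b=$(basename "$f" .ko)
        printf '%s\n' "${b#lime-}"
    done
}

# Command line that loads module $1 and dumps memory to $2 in LiME format.
# LiME takes its options as module parameters: path= and format=
# (format is one of raw, padded, lime).
lime_insmod_cmd() {
    printf 'insmod %s path=%s format=lime\n' "$1" "$2"
}

# Load the matching module (the dump is written while insmod runs, in
# the module's init), then unload it. $2 should be on external media,
# not on the disk of the system being imaged.
acquire_memory() {
    dir=$1; out=$2
    kver=$(uname -r)
    if ! mod=$(find_lime_module "$dir" "$kver"); then
        echo "no LiME module for running kernel $kver" >&2
        echo "kernels with a packaged module:" >&2
        list_supported_kernels "$dir" >&2
        return 1
    fi
    insmod "$mod" "path=$out" "format=lime" || return 1
    rmmod lime
}
```

Call acquire_memory as root with the module directory and an output path on removable or network storage; if uname -r is not in the list printed on failure, the kernel needs a module build from a newer package before any acquisition is attempted.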