LiFTeR: Changes for July 26, 2023
- snort-3.1.66.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.66.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
- yaf{,-devel}-3.0.0.alpha3-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and yaf{,-devel}-3.0.0.alpha3-1.el9.{aarch64,x86_64}.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7, 8, and 9 x86_64 systems, yaf has been built to use PF_Ring.
See here for the list of changes.
These packages are installed in the forensics-test repository.
Please address any comments on these packages to netsa-help@cert.org.
- bellsoft-jdk8u382+6-linux-amd64-full.rpm -
Bellsoft Java was installed for Fedora 36, 37, and 38, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2 for the x86_64 architecture.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
- bellsoft-jdk8u382+6-linux-aarch64.rpm -
Bellsoft Java was installed for CentOS/RHEL 9 for the aarch64 architecture.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
- autopsy-4.20.0-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and autopsy-4.20.0-2.el9.{x86_64,aarch64}.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
- This version uses Java 8 from Bellsoft.
- This release corrects errors in the /usr/bin/autopsy script where the hardware platform was incorrectly determined.
- This release fixes a problem with the Java JAR file from the Sleuthkit for the AARCH64 hardware platform. This means that Autopsy now works on CentOS 9 for the AARCH64 architecture.
- If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical. Use the following to install the XRDP server, if necessary, adjust the host's firewall to allow RDP connections, adjust this depth parameter, and start or restart the XRDP server:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo firewall-cmd --permanent --add-port=3389/tcp; sudo firewall-cmd --reload
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
- pfring-8.5.0-{8401,8410}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
- pfring-dkms-8.5.0.{8401,8410}-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
- ndpi-4.7.0-{4311,4318}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
- lime-kernel-modules-fc38-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
- 6.4.4-200 for FC38
- fmem-kernel-modules-fc38-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
- 6.4.4-200 for FC38
- lime-kernel-modules-fc37-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
- 6.4.4-100 for FC37
- fmem-kernel-modules-fc37-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
- 6.4.4-100 for FC37
- lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
- 5.14.0-340 for EL9
- fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
- 5.14.0-340 for EL9