LiFTeR: Changes for November 25, 2020
- snort-2.9.17.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm and snort-2.9.17.0-1.el6.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
- snort-sample-rules-2.9.17.0-1.{fc31,fc32,fc33,el6,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
- snort-openappid-2.9.17-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm and snort-openappid-2.9.17-1.el6.{i686,x86_64}.rpm -
This is the snort package built with the --enable-open-appid option passed to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL 6 and 7, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
- yaf{,-devel}-2.11.2-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm and yaf{,-devel}-2.11.2-1.el6.{i686,x86_64}.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture on an interface using pcap(3), from an Endace DAG capture device, or from a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or
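The aggregation step described above (packets keyed by 5-tuple, rolled up into bidirectional flow records, closed by idle or active timeouts) is what a flow meter like yaf does before the IPFIX export. The following is an added example written for this page, not yaf's own code or its record layout; the packet list is constructed, the timeout defaults mirror the usual 5-minute idle / 30-minute active convention but are assumptions, and the first packet seen fixes the forward direction of a flow.

```python
"""Minimal bidirectional flow meter (added illustration; not yaf's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (src_ip, src_port, dst_ip, dst_port, ip_protocol)
Key = Tuple[str, int, str, int, int]


@dataclass
class Packet:
    ts: float      # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    octets: int    # IP-layer length


@dataclass
class Flow:
    key: Key            # forward direction = direction of the first packet seen
    start: float
    end: float
    fwd_packets: int = 0
    fwd_octets: int = 0
    rev_packets: int = 0
    rev_octets: int = 0
    end_reason: str = ""  # "idle", "active" or "eof"


class FlowMeter:
    def __init__(self, idle_timeout: float = 300.0, active_timeout: float = 1800.0):
        self.idle_timeout = idle_timeout      # assumed default, not yaf's
        self.active_timeout = active_timeout  # assumed default, not yaf's
        self.table: Dict[Key, Flow] = {}      # open flows
        self.exported: List[Flow] = []        # closed records, export order

    def _export(self, flow: Flow, reason: str) -> None:
        flow.end_reason = reason
        self.exported.append(flow)
        del self.table[flow.key]

    def _expire_idle(self, now: float) -> None:
        # Close every flow that has seen no packet for longer than idle_timeout.
        for flow in [f for f in self.table.values() if now - f.end > self.idle_timeout]:
            self._export(flow, "idle")

    def add(self, pkt: Packet) -> None:
        self._expire_idle(pkt.ts)
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.table:
            flow, reverse = self.table[fwd], False
        elif rev in self.table:
            flow, reverse = self.table[rev], True   # reply traffic of an open flow
        else:
            flow, reverse = Flow(fwd, pkt.ts, pkt.ts), False
            self.table[fwd] = flow
        if pkt.ts - flow.start > self.active_timeout:
            # Long-lived flow: export what we have and continue in a fresh record
            # with the same orientation, so counters are reported periodically.
            self._export(flow, "active")
            flow = Flow(flow.key, pkt.ts, pkt.ts)
            self.table[flow.key] = flow
        flow.end = max(flow.end, pkt.ts)
        if reverse:
            flow.rev_packets += 1
            flow.rev_octets += pkt.octets
        else:
            flow.fwd_packets += 1
            flow.fwd_octets += pkt.octets

    def flush(self) -> List[Flow]:
        # End of input: close whatever is still open.
        for flow in list(self.table.values()):
            self._export(flow, "eof")
        return self.exported


# Constructed sample traffic (not a real capture): one short HTTP exchange,
# one DNS lookup, then a new connection 400 s later that triggers idle expiry.
SAMPLE_PACKETS = [
    Packet(1000.0, "10.0.0.5", 40000, "93.184.216.34", 80, 6, 60),     # SYN
    Packet(1000.1, "93.184.216.34", 80, "10.0.0.5", 40000, 6, 60),     # SYN/ACK
    Packet(1000.2, "10.0.0.5", 40000, "93.184.216.34", 80, 6, 400),    # request
    Packet(1000.4, "93.184.216.34", 80, "10.0.0.5", 40000, 6, 1500),   # response
    Packet(1001.0, "10.0.0.5", 53001, "10.0.0.1", 53, 17, 70),         # DNS query
    Packet(1001.1, "10.0.0.1", 53, "10.0.0.5", 53001, 17, 120),        # DNS answer
    Packet(1400.0, "10.0.0.5", 40001, "93.184.216.34", 80, 6, 60),     # later SYN
]


def meter(packets: List[Packet], idle_timeout: float = 300.0,
          active_timeout: float = 1800.0) -> List[Flow]:
    fm = FlowMeter(idle_timeout, active_timeout)
    for p in sorted(packets, key=lambda p: p.ts):
        fm.add(p)
    return fm.flush()


if __name__ == "__main__":
    for f in meter(SAMPLE_PACKETS):
        print(f)
```

Running it on the sample yields three records: the HTTP biflow (2 forward packets / 460 octets, 2 reverse / 1560) and the DNS biflow both closed as "idle" when the 1400 s packet arrives, and the final connection closed as "eof" at flush. Passing a small active_timeout instead splits a long flow into successive records, which is the same mechanism a collector relies on to see periodic updates for long sessions.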
- Volatility3-2.0.0.b1-2.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is a beta version of Volatility 3 which can be found here.
It is patched to 2020-11-23.
- libewf-experimental{,-devel,-tools,-python3}-20201123-1.{fc31,fc32,fc33,el8}.x86_64.rpm, libewf-experimental{,-devel,-tools,-python36}-20201123-1.el7.x86_64.rpm, and libewf-experimental{,-devel,-tools,-python2}-20201123-1.el6.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs its files under /usr/local so that it can optionally be installed alongside the conventional Libewf packages, whose contents are installed under /usr. Further, the Libewf-Experimental packages are published in the forensics-test repository. You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
sudo dnf config-manager --set-enabled forensics-test
or this command for CentOS/RHEL 7:
sudo yum-config-manager --enable forensics-test
- sleuthkit{,-devel,-libs}-4.10.1-1.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
- apfs-fuse-20200928-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple didn't yet document the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far). Thus, the driver may return compressed files instead of uncompressed ones.
- python2-distorm3-3.5.0-1.el6.{i386,x86_64}.rpm, python{2,36}-distorm3-3.5.0-1.el7.x86_64.rpm, and python{2,3}-distorm3-3.5.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
- libodraw{,-devel,-tools}-20201003-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Libodraw is a library to access optical disc (split) RAW image files (bin/cue, iso/cue).
- zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.11-0.{fc31,fc32,fc33,el7,el8}.x86_64.rpm, and libbroker-devel-3.0.11-0.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Zeek was originally developed by Vern Paxson. Robin Sommer now leads the project, jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.
Please note: zeek packages install files in /opt/zeek. To use these files, add the following to your ~/.bashrc file (the export is needed so that man(1) sees MANPATH if it was not already exported):
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
export PATH MANPATH
Then run:
. ~/.bashrc
- pfring-7.8.0-3283.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
- pfring-dkms-7.8.0-3283.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- ndpi-3.4.0-2929.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
- fmem-kernel-modules-fc33-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.9.9-200 for FC33
- lime-kernel-modules-fc33-x86_64-1.1.r17-4.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.9.9-200 for FC33
- fmem-kernel-modules-fc32-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.9.9-100 for FC32
- lime-kernel-modules-fc32-x86_64-1.1.r17-26.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.9.9-100 for FC32