LiFTeR: Changes for July 2, 2015
- fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
  - 4.0.5-300 for FC22
  - 4.0.6-300 for FC22
- lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
  - 4.0.5-300 for FC22
  - 4.0.6-300 for FC22
- fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernel was added for Fmem:
  - 4.0.6-200 for FC21
- fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernel was added for Fmem:
  - 4.0.5-200 for FC21
- lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernel was added for LiME:
  - 4.0.6-200 for FC21
- lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernel was added for LiME:
  - 4.0.5-200 for FC21
- fmem-kernel-modules-el7-x86_64-1.6-1.12.noarch.rpm - Support for the following kernel was added for Fmem:
  - 3.10.0-229.7.2 for EL7
- lime-kernel-modules-el7-x86_64-1.1.r17-12.noarch.rpm - Support for the following kernel was added for LiME:
  - 3.10.0-229.7.2 for EL7
- bokken-1.8-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and bokken-1.8-1.{el6,el7}.x86_64.rpm - Bokken is a GUI for the Pyew and Radare projects, so it offers almost all the same features that Pyew has and some of Radare's. It is intended to be a basic disassembler, mainly for analyzing malware and vulnerabilities. Changes in this version:
  - Removed pyew entirely. Its support has been in a non-official deprecated state for the past two years, but we were trying to avoid removing it. Pyew has some dependencies that make it harder to package, it is missing a lot of features compared to r2, and it sees very few releases.
  - Removed other features that were almost useless in their current form: Strings repr and Interactive mode. We expect to bring those back at some point in a proper way.
  - Added an r2 console. It crashes here and there, but we think it is rather usable.
  - Added an interactive Python console.
  - Rearranged and simplified some tabs: Strings, Relocs and File info.
  - Some additional cleanups and fixes.
  Note: Although bokken was installed for CentOS/RHEL6, it does not work correctly due to a bug in the librsvg2 library.
- radare{,-devel}-2.0.9.9-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and radare{,-devel}-2.0.9.9-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
- valabind-0.9.2-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and valabind-0.9.2-1.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files and transform them into swig interface files, C++, NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
- python-radare-2.0.9.9-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and python-radare-2.0.9.9-1.el7.x86_64.rpm - Python-Radare provides the bindings that allow Radare to be used from Python.
- dd_rescue-1.98-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue, however, does not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previously distributed version (1.46):
  - It has a few improvements such as some cleanups, a fault injection framework for testing and significantly improved speed of the pseudo RNG. The important feature, however, is the addition of a crypt plugin. You can insert it into the plugin chain to encrypt or decrypt data using the AES family of algorithms. (More are planned for the future.) You can use 128/192/256 bit keys and optionally use a higher number of rounds for an increased security margin. Keys (and IVs) can be generated, saved, retrieved or derived from a password and salt. Please be aware that, despite diligent testing, this is a new plugin, so be prepared for changes and bugfixes to it in the near future.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository, named forensics-sip, that is now part of cert-forensics-tools-release; its definition can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
- silk-ipset-{devel,lib,tools}-3.10.2-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
- liblnk{,-devel,-python,-tools}-20150617-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20150617-1.el7.x86_64.rpm - Liblnk contains libraries and tools to access files in the Windows Shortcut File (LNK) format.
See here for the list of changes.
- libolecf{,-devel,-python,-tools}-20150629-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access files in the OLE 2 Compound File (OLECF) format.
See here for the list of changes.
- libvmdk{,-devel,-python,-tools}-20150516-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
See here for the list of changes.
- dfvfs-20150630-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
- daq-2.0.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i386,x86_64}.rpm and daq-2.0.5-1.el7.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
See here for the changes in 2.0.5.
- snort-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and snort-2.9.7.3-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
- snort-openappid-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.7.3-1.el7.x86_64.rpm - This is the snort package built with the following additions:
  - The --enable-open-appid option was passed to the configure script that configures the build of snort. See here for more details.
  - The files found here, named snort-openappid.tar.gz, are installed in /usr/share/snort/cisco/apps.
  - The Open Source Detectors Developers Guide can be found here.
- snort-sample-rules-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
- nDPI{,-devel}-1.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience.
Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine and are unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe to add application-layer detection of protocols, regardless of the port being used. This means that it is possible both to detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80) and the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the assumption that port equals application no longer holds.
See here for the list of supported protocols. Note that RHEL/CentOS 5 is not supported due to issues with autoconf.
- xplico-1.1.0-3.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This release was rebuilt to work with nDPI-1.6. All other supported systems were upgraded for release version consistency.
Note that RHEL/CentOS 5 is not supported due to a lack of Python version 3 support.
- pytsk-20150406-4.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
This version was primarily rebuilt to fix problems caused by GCC version 5 on Fedora 22. The other systems were rebuilt to keep release consistency.
- python-xlwt-1.0.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Python-xlwt is a library for generating spreadsheet files that
are compatible with Excel 97/2000/XP/2003, OpenOffice.org Calc, and Gnumeric. Python-xlwt has full support for Unicode. Excel spreadsheets can be generated on any platform without
needing Excel or a COM server.
See here for a list of changes since the previously released version (0.7.4).
- Volatility-2.4-9.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-9.el7.x86_64.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2015-06-30.
It also contains the mimikatz plugin.
- super_mediator-1.1.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and super_mediator-1.1.0-1.el7.x86_64.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data and forwards it to various IPFIX collecting processes and/or CSV files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the changes since the last version (0.3.0).