LiFTeR: Changes for January 5, 2018
- pfring-7.0.0-1677.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
- pfring-dkms-7.0.0-1677.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
- python-dfdatetime-20171228-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
- dfvfs-20171230-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
- sleuthkit{,-devel,-libs}-4.5.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.4.2) released to this repository.
- pytsk3-20171108-2.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i386,x86_64}.rpm - Pytsk
provides Python bindings for The Sleuth Kit.
- plaso-20171231-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and plaso-20171231-1.el7.x86_64.rpm -
Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, 26, and 27 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
- analysis-pipeline-5.7-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.7-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes for this release.
- dd_rescue-1.99.8-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd, which copies data from a file or block device to another. Unlike dd, dd_rescue does
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
See here for the changes since the last version (1.99.5) released to this repository.
- libodraw{,-devel,-tools}-20171105-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libodraw{,-devel,-tools}-20171105-1.el6.{i686,x86_64}.rpm - Libodraw
is a library to access optical disc (split) RAW image files (bin/cue, iso/cue).
- nDPI{,-devel}-2.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience.
Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine
and are unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.
See here for the list of supported protocols.
- radare2{,-devel}-2.2.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and radare2{,-devel}-2.2.0-1.el7.x86_64.rpm - Radare
is a framework for doing reverse engineering.
- valabind-0.10.0-4.el7.x86_64.rpm - Valabind is a tool to parse vala
or vapi files to transform them into swig interface files, C++,
NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface.
It can also generate bindings for C++.
This release was built for CentOS/RHEL 7 in order to build Python-Radare2.
- python-radare2-2.1.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python-radare2-2.2.0-1.el7.x86_64.rpm - Python-Radare
provides bindings that allow Radare to be used from Python.
- xplico-1.2.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
See here for the changes since the last version (1.2.0) released to this repository.
- yaf{,-devel}-2.9.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.9.3-1.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using
pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX
over SCTP, TCP or
UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
- Volatility-2.6-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i386,x86_64}.rpm and Volatility-2.6-2.el7.x86_64.rpm -
The Volatility Framework is a completely
open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6 that has been patched to January 2, 2018.
You can read about this version here.
Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
- python{2,3}-ssdeep-3.2-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python2-ssdeep-3.2-1.{el6,el7}.{i686,x86_64}.rpm - Python-SSDeep
is a Python wrapper for ssdeep by Jesse Kornblum, which is a library for computing context triggered piecewise hashes (CTPH).
Also called fuzzy hashes, CTPH can match inputs that have homologies.
Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
- Volatility-community-plugins-20180102-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - The Volatility Community Plugins package
is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/ and to use them you need to specify this location on the command line, like so:
volatility --plugins=/usr/share/volatility/plugins/community ...
Note: The following plugins were removed from the el6 package: BartoszInglot, ESET_Browserhooks, LoicJaquemet, ThomasChopitea, TranVienHa, and YingLi.
- fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for
Fmem:
- 4.14.11-300 for FC27
- lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for
LiME:
- 4.14.11-300 for FC27
- fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for
Fmem:
- 4.14.11-200 for FC26
- lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for
LiME:
- 4.14.11-200 for FC26
- fmem-kernel-modules-el7-x86_64-1.6-1.38.noarch.rpm - Support for the following kernels was added for
Fmem:
- 3.10.0-693.11.6 for EL7
- lime-kernel-modules-el7-x86_64-1.1.r17-38.noarch.rpm - Support for the following kernels was added for
LiME:
- 3.10.0-693.11.6 for EL7
- fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels was added for
Fmem:
- 2.6.32-696.18.7 for EL6
- lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels was added for
LiME:
- 2.6.32-696.18.7 for EL6
- snort-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and snort-2.9.11.1-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
- snort-sample-rules-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
- snort-openappid-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.13-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort, since both packages provide the snort binary.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.