Honeypots mailing list archives

Three new tools related to IDS, forensics, honeypots


From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Mon, 26 May 2003 16:47:50 -0400

To moderators: I hope I have it right this time. Sorry for the flood...

Hello lists. I'd like to announce the release of my latest tools in the security game, and I think that the community will find them very interesting indeed. For article length considerations, here is a short résumé of these tools. The binaries and full documentation can be downloaded at http://securit.iquebec.com. All these tools are available in Open Source and Pro versions. Check the website for pricing.

ComLog 1.05: This tool is a command prompt (cmd.exe) logger, useful for generating intrusion evidence that was previously unavailable. With this tool, you can log command prompt sessions, be it from the console, a compromised IIS system or through a netcat tunnel. This works a bit like a wrapper: ComLog takes the place of cmd.exe and passes the commands to be executed to the real cmd.exe, which is renamed cm_.exe. Version 1.05 changes include an MS-DOS icon added to the executable, and better camouflage to avoid detection by the monitoree. The Pro version allows you to choose the filename for cm_.exe to be anything you like, to make it even harder to detect. It also allows you to specify pattern strings that you want obfuscated from the monitoree's output.

LogAgent 4.0: This tool is a log file monitoring and centralisation tool. You can use it to monitor the Event Viewer logs, and ASCII log files from just about any application, including, but not limited to, antivirus, personal firewalls, ComLog, Snort, etc. LogAgent 4.0 also comes with 2 companion tools, which are ADSScan and the combo HashGen and IntegCheck. ADSScan is an alternate data streams scanner, and HashGen/IntegCheck is an MD5/SHA1 file system integrity checker, also known as a host-based intrusion detection system. The Pro version lets you run LogAgent as a service (registered only), and will start ADSScan and IntegCheck automatically for you each time it starts. LogAgent 4.0 Pro also generates data of its own, which is related to the Running Services, the Open Shares, and the StartUp configuration, which can later be used as forensic evidence of intrusions. LogAgent 4.0 Pro ships with a 5-machine evaluation license, no time limit.
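The HashGen/IntegCheck pairing described above is the classic host-based integrity check: hash every file once to build a baseline, then re-hash later and report anything added, removed or changed. The following is an added example written for this archive, not code from SecurIT or from LogAgent; it assumes nothing about the real tools' on-disk format. It records MD5 and SHA1 as the announcement describes and also SHA-256, since MD5 and SHA1 alone are no longer collision-resistant; the sample directory tree and the "tampering" it detects are constructed inline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Digests recorded per file. MD5/SHA1 match the tool described above;
# SHA-256 is added because the older two are not collision-resistant.
HASHES = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=65536):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    digests = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def build_baseline(root):
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        entry = hash_file(path)
        entry["size"] = path.stat().st_size
        baseline[rel] = entry
    return baseline


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two baselines: files added, removed, or whose content changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in set(baseline) & set(current)
        if any(baseline[rel][h] != current[rel][h] for h in HASHES)
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tree, tamper with it, run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"original binary")
        (root / "config.ini").write_text("debug=0\n")
        store = root.parent / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated intrusion: one binary replaced, one config deleted, one file dropped.
        (root / "bin" / "tool.exe").write_bytes(b"replaced binary")
        (root / "config.ini").unlink()
        (root / "bin" / "dropper.exe").write_bytes(b"new file")

        result = compare(load_baseline(store), build_baseline(root))
        store.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline file itself is the weak point of any such checker: keep it (and the checker binary) off the monitored host or on read-only media, since an intruder who can rewrite the baseline after replacing a file defeats the check entirely.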

LogIDS 1.0: I think this tool will change the way people look at intrusion detection. LogIDS 1.0 is a real-time, log-analysis based intrusion detection system. As this description indicates, LogIDS 1.0 is able to analyze log files from various sources, and can be used with LogAgent 4.0 to supply these log files. The strength of LogIDS comes from the fact that it is very flexible and it gains from the capabilities of the various tools you use with it. You have the ability to tell LogIDS the format of each log file you supply it with, which then enables you to define rules for each of these log files, giving you one single interface to analyze and display all this data gathered from varied sources (Event Viewer, ComLog, antivirus logs, personal firewall logs, Snort logs, LogAgent 4.0 Pro logs, ADSScan, IntegCheck, just to name a few examples). The interface is also pretty innovative: the GUI is a logical representation of your network architecture, where each node (machine or subnet) possesses its own window where logs belonging to it are displayed. The GUI also sports several icons that can be used with the ruleset to graphically describe the actions reported in the logs. Sounds can also be emitted for alerts and warnings. LogIDS 1.0 Pro contains built-in analysis for Snort, Event Viewer, and the data generated by LogAgent 4.0 Pro and its companion tools. The Pro version ships with a 5-machine evaluation license, no time limit. LogIDS 1.0 Pro licenses include a LogAgent 4.0 Pro license to allow it to run as a service. Screen captures available at http://iquebec.ifrance.com/securit/image/figure1.gif and http://iquebec.ifrance.com/securit/image/figure10.gif.
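The core idea in the LogIDS description, declaring the format of each log source so that one rule engine can run over all of them, is small enough to show end to end. The following is an added example written for this archive, not LogIDS code and not its rule syntax; the two formats (a ComLog-style command log and a personal-firewall log), the rules, and the log lines are all constructed for the illustration. Each format is a regex whose named groups become the record's fields, and a rule is a set of per-field regexes plus a severity.

```python
import re
from dataclasses import dataclass


@dataclass
class LogFormat:
    name: str
    pattern: re.Pattern  # named groups define the fields of each record


@dataclass
class Rule:
    name: str
    source: str        # format name this rule applies to, or "*" for any
    conditions: dict   # field -> regex that must be found in that field
    severity: str      # "warning" or "alert", as the GUI distinguishes them


# Hypothetical formats; the real ComLog/firewall layouts may differ.
FORMATS = {
    "comlog": LogFormat("comlog", re.compile(
        r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<cmd>.*)$")),
    "firewall": LogFormat("firewall", re.compile(
        r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
        r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")),
}

# Constructed ruleset: one rule per "thing a defender wants to hear about".
RULES = [
    Rule("account-change", "comlog", {"cmd": r"^net\s+user\b"}, "alert"),
    Rule("unexpected-outbound", "firewall",
         {"action": r"^ALLOW$", "dport": r"^4444$"}, "alert"),
    Rule("blocked-inbound", "firewall", {"action": r"^DENY$"}, "warning"),
]

# Constructed sample lines, one source per "node window" in the GUI analogy.
SAMPLE_SOURCES = {
    "comlog": [
        r"2003-05-26 16:47:50 Administrator dir c:\inetpub",
        r"2003-05-26 16:48:12 Administrator net user svc_tmp x /add",
    ],
    "firewall": [
        "2003-05-26 16:49:01 DENY TCP 10.0.0.5:3341 -> 10.0.0.2:139",
        "2003-05-26 16:49:30 ALLOW TCP 10.0.0.2:1050 -> 10.0.0.5:4444",
        "this line does not match the declared format",
    ],
}


def parse_line(fmt, line):
    """Apply a declared format; return the field dict or None if it does not fit."""
    m = fmt.pattern.match(line)
    return m.groupdict() if m else None


def evaluate(rules, source, record):
    """Return every rule whose conditions all hold for this record."""
    return [
        r for r in rules
        if r.source in ("*", source)
        and all(re.search(rx, record.get(f, "")) for f, rx in r.conditions.items())
    ]


def run(sources, rules, formats=FORMATS):
    """Feed each source through its format and the ruleset.

    Returns (alerts, unparsed): alerts as (severity, rule, source, timestamp)
    tuples, and a count of lines that failed to parse, which is itself worth
    surfacing since a format mismatch silently blinds the rules.
    """
    alerts, unparsed = [], 0
    for name, lines in sources.items():
        fmt = formats[name]
        for line in lines:
            rec = parse_line(fmt, line)
            if rec is None:
                unparsed += 1
                continue
            for rule in evaluate(rules, name, rec):
                alerts.append((rule.severity, rule.name, name, rec["ts"]))
    return alerts, unparsed


def demo():
    return run(SAMPLE_SOURCES, RULES)


if __name__ == "__main__":
    alerts, unparsed = demo()
    for a in alerts:
        print("%-7s %-20s %-9s %s" % a)
    print("unparsed lines:", unparsed)
```

Because the format is declared rather than hard-coded, adding a new source (Snort, an antivirus log, an IntegCheck report) means writing one more regex and a few rules; the unparsed count is the check to watch after each such addition, since a format that matches nothing produces no alerts and no errors.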

I hope these tools will help improve the security of networks out there in the wild.

Thank you for your time.

Adam Richard, aka Floydman
SécurIT Informatique Inc.
