Sunday, May 31, 2020

Docker / Containers - Security Analysis and Vulnerability Assessment Tools

DockerScan:

A Docker analysis tool to detect vulnerabilities in Docker images and Docker registries.


Very quick install

> python3.5 -m pip install -U pip
> python3.5 -m pip install dockerscan

Show options:

> dockerscan -h

Docker Demo

Available actions

Currently DockerScan supports these actions:

  • Scan: Scan a network trying to locate Docker Registries.

  • Registry
    • Delete: Delete remote image / tag
    • Info: Show info from remote registry
    • Push: Push an image (like Docker client)
    • Upload: Upload a random file

  • Image
    • Analyze: Look for sensitive information in a Docker image.
      • Look for passwords in environment vars.
      • Try to find any URL / IP in the environment vars.
      • Try to deduce the user used internally to run the software. This is not trivial: if the entry point is a .sh file, read the file, try to find calls to sudo-like commands (“sudo”, “gosu”, “sh -u”…) and report the user found.
    • Extract: Extract a Docker image.
    • Info: Get an image's meta information.
    • Modify:
      • entrypoint: change the entrypoint in a Docker image
      • trojanize: inject a reverse shell into a Docker image
      • user: change the running user in a Docker image
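
The three Analyze checks listed above (passwords in environment vars, URLs / IPs in environment vars, and the user the software runs as), as an added example that is not DockerScan's own code. It assumes the input is the Config section of `docker inspect` output plus the text of the entrypoint script; the sample data, the regular expressions and the `su-exec` pattern are constructed for illustration.

```python
import json
import re

# Constructed sample: the "Config" section of `docker inspect <image>` output.
SAMPLE_CONFIG = json.loads("""
{
  "User": "",
  "Env": [
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "DB_PASSWORD=example-not-a-real-secret",
    "API_ENDPOINT=http://10.0.0.5:8080/v1",
    "APP_MODE=production"
  ],
  "Entrypoint": ["/docker-entrypoint.sh"]
}
""")

# Constructed sample entrypoint script that drops privileges with gosu.
SAMPLE_ENTRYPOINT = """#!/bin/sh
set -e
chown -R app:app /data
exec gosu app /usr/local/bin/server "$@"
"""

SECRET_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.I)
URL_OR_IP = re.compile(r"(https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b)")
# Privilege-drop helpers: sudo -u <user>, gosu <user>, su-exec <user> (assumed set).
PRIV_DROP = re.compile(r"\b(?:sudo\s+-u|gosu|su-exec)\s+([A-Za-z_][\w-]*)")


def analyze_image(config, entrypoint_text=""):
    """Return findings for the three checks described in the Analyze list."""
    findings = {"secrets": [], "endpoints": [], "user": None}
    for entry in config.get("Env") or []:
        name, _, value = entry.partition("=")
        if SECRET_NAME.search(name) and value:
            findings["secrets"].append(name)      # report the name, never the value
        findings["endpoints"] += [m.group(0) for m in URL_OR_IP.finditer(value)]
    user = (config.get("User") or "").split(":")[0]
    if not user:                                  # no USER set: inspect the entrypoint
        m = PRIV_DROP.search(entrypoint_text)
        user = m.group(1) if m else "root"        # Docker defaults to root
    findings["user"] = user
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze_image(SAMPLE_CONFIG, SAMPLE_ENTRYPOINT), indent=2))
```

A result of `root` for the user, or any entry under `secrets`, is the kind of finding to fix in the Dockerfile before the image is pushed to a registry.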



Friday, May 15, 2020

DevSecOps Static Code Analysis Tool - Checkov

Checkov:

It scans cloud infrastructure provisioned using Terraform, CloudFormation or Kubernetes and detects security and compliance misconfigurations.




Simple and open-source


Checkov is written in Python and provides a simple method to write and manage codified, version-controlled policies.

Features

  • 100+ built-in policies cover security and compliance best practices for AWS, Azure & Google Cloud.
  • Scans Terraform and AWS CloudFormation configurations.
  • Scans for AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
  • Policies support evaluation of variables to their optional default value.
  • Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
  • Output currently available as CLI, JSON or JUnit XML.



Image Source: https://www.checkov.io/





Monday, November 11, 2019

SIEMonster V4 - Free | Open Source Security Incident and Event Management (SIEM)

SIEMonster Security Information and Event Management (SIEM):

Built on customizable components. Included are UEBA, Bro, Suricata, The Hive, Cortex, Apache NiFi, Kafka, MISP and Wazuh.

SIEMonster provides a Community Edition, a single appliance or virtual machine for companies with 1-100 endpoints. It is completely free to use.



 SIEMonster is a collection of the best open source security tools and our own development as professional hackers to provide a SIEM for everyone. We showcase the latest and greatest tools for security professionals and our Community Edition v.4 Fully Loaded has it all. Designed for smaller organizations, charities, classrooms or even those who just want to check out our Fully Loaded SIEM. This edition is completely free, for the community and to be supported by the community.



Community Edition gives you the ability to monitor all network assets in an affordable scalable solution. This single server solution makes it easier for organizations who only have 1-100 endpoints. To access the Community Edition you will need to sign up to the Community Portal, which is available via the download button on our website. There you will also find all the resources you will need to help install and learn about SIEMonster. We have created an admin guide and videos for you. You are also encouraged to interact with other Community Edition users for support or just share how you are using the SIEM and even help out another user, after all that’s what Community is all about.

SIEMonster’s slogan is SIEM for everyone and this is why our prices are so affordable. Whether you are a small, medium or large enterprise we have the right product and licensing for you.

Prerequisites:

You will need a minimum of 32GB RAM and 8 vCPUs of power.

Note: Community edition will monitor up to 100 endpoints at 5,000 EPS as it’s designed to give you a taste and allow you to play with the product for as long as you like.

When you’re ready to get serious, let us know, and we’ll help you with our other editions.

Reference : Docs | Videos

https://siemonster.knowledgeowl.com/help

Download Link:

https://go.siemonster.com/Community-Edition

Sunday, November 3, 2019

Apache Metron - Open Source Big Data Security Analytics Framework

Apache Metron:

Integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat intelligence information to security telemetry within a single platform.

Logical Architecture 

 Apache Metron can be used as a SIEM system. It offers a variety of options that make up a SIEM system. First, you can save data over a long period of time.

Some Features:

 
Because Apache Metron is designed as a big data solution, the open source solution can handle data lakes too. 



Simply put, data lakes are an in-house storage option for all data and sources. Business users can access and analyze the data based on their permissions. Usually the data in Data Lake is unmodified, so it will not be transformed. The Data Lake is accessed by various analysis tools, which convert the data for their own use. 

 Nice Intro Video 




Current Release: 0.7.1

 Download Link : 

https://archive.apache.org/dist/metron/

https://github.com/apache/metron


 

Wednesday, October 30, 2019

CloudSeeker - Free tool

CloudSeeker:

A free tool that gives enterprises visibility into cyber exposure caused by the proliferation of cloud services and the ability to tackle the visibility gap caused by unsanctioned IT.
 
 
 

Cofense CloudSeeker is a free utility that starts with a catalog of popular SaaS applications and checks each to see if a domain has been configured for use. Once the scan is complete, export the data for a better understanding of potential issues.

CloudSeeker Helps:

  • Give insight into which apps are in use

  • Uncover applications provisioned without IT’s knowledge

  • Uncover risks to your organization

    Link : https://cofense.com/cloudseeker/

Thursday, September 26, 2019

DocBleach - Content Disarm and Reconstruction(CDR) - Open Source tool

DocBleach:

An advanced Content Disarm and Reconstruction open source software. Its objective is to remove misbehaving dynamic content from your Office files, or everything that could be a threat to the safety of your computer.




DocBleach allows you to sanitize your Word, Excel, PowerPoint, PDF, ... documents. This repository contains the DocBleach Web API, packaged as a docker service. Two clicks and you'll feel safer.


Let's assume your job involves working with files from external sources, for instance reading resumes from unknown applicants. You receive for example a .doc file, your anti-virus doesn't detect it as harmful, and you decide to open it anyway. You get infected. You can use DocBleach to sanitize this document: chances are you don't get infected, because the dynamic content isn't run.

Howto's

To build DocBleach, use Maven:

$ mvn clean package
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 10.696 s
[INFO] Finished at: 2016-12-19T17:36:10+01:00
[INFO] Final Memory: 29M/234M
[INFO] ------------------------------------------------------------------------


The final jar is stored in cli/target/docbleach.jar.

To use DocBleach, you may either use the Web Interface or run it in CLI:

$ java -jar docbleach.jar -in unsafe_document.doc -out safe_doc.doc

The input file may be a relative/absolute path, a URI (think: http:// link), or a dash (-).
The output file may be a relative/absolute path, or a dash (-).
If a dash is given, the input will be taken from stdin, and the output will be sent to stdout.
DocBleach's information (removed threats, errors, ...) is sent to stderr.

Download Link :

https://github.com/docbleach/DocBleach.git
https://github.com/docbleach/DocBleach-Web
 

DocBleach - Online ( Hosted in OVH )

Sanitizes a potentially dangerous file (Office Document, PDF), by removing macros and other active contents.

Friendly reminder: do NOT post sensitive documents here, unless you trust this page owner.


Online Link : https://www.docbleach.ovh/
 

Sunday, September 15, 2019

Threat Hunting Tool - Bro (Zeek) Network Security Monitor

Bro (Zeek) - Threat Hunting Tool:

A powerful framework for network traffic analysis and security monitoring. Bro is a passive, open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with troubleshooting.



Note that "Zeek" is the new name of what used to be known as the "Bro" network security monitoring system.


Key Features

  • In-depth Analysis: Zeek ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
  • Adaptable and Flexible: Zeek's domain-specific scripting language enables site-specific monitoring policies and means that it is not restricted to any particular detection approach.
  • Efficient: Zeek targets high-performance networks and is used operationally at a variety of large sites.
  • Highly Stateful: Zeek keeps extensive application-layer state about the network it monitors and provides a high-level archive of a network's activity.

Download Link:

https://www.zeek.org/download/index.html