By
Alisha Gupta
September 6, 2015
Roll No.:31503209
MULVAL
1.1
Features
MulVAL uses Datalog as its modeling language. The information in the vulnerability
database provided by the bug-reporting community, the configuration information of
each machine and the network, and other relevant information are all encoded as
Datalog facts.
The reasoning engine consists of a collection of Datalog rules that capture operating system behavior and the interaction of the various components in the network. Integrating
information from the bug-reporting community and off-the-shelf scanning tools into the
reasoning model is therefore straightforward, and the reasoning engine scales well with
the size of the network.
The inputs to MulVAL's analysis are:
Advisories: What vulnerabilities have been reported, and do they exist on the
machines?
Host configuration: What software and services are running on the hosts, and
how are they configured?
Network configuration: How are the network routers and firewalls configured?
Principals: Who are the users of the network?
Interaction: What is the model of how all these components interact?
Policy: What accesses do I want to permit?
MulVAL comprises a scanner, run asynchronously on each host, which largely adapts existing tools such as OVAL, and an analyzer, run on one host whenever
new information arrives from the scanners.
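The reasoning step described above, as an added illustration rather than MulVAL's own code: a small forward-chaining engine over facts of the kind the scanners and advisory feed supply. The predicate names (attackerLocated, hacl, networkServiceInfo, vulExists, netAccess, execCode) follow MulVAL's Datalog vocabulary, but the three rules are a simplified rendering of its interaction rules, the network and vulnerability identifiers (vulnA, vulnB) are constructed, and the policy check is a plain set comparison rather than MulVAL's policy predicates.

```python
"""Added example: a minimal forward-chaining reasoner in the MulVAL style.

Not MulVAL's own code. The predicate names follow MulVAL's Datalog
vocabulary; the rules are a simplified rendering of its interaction rules,
and the facts describe a constructed two-tier network.
"""

# Constructed input facts (what scanners and the advisory feed would supply).
FACTS = {
    ("attackerLocated", "internet"),
    # hacl(Src, Dst, Protocol, Port): the firewall lets Src reach Dst:Port
    ("hacl", "internet", "webServer", "tcp", 80),
    ("hacl", "webServer", "fileServer", "tcp", 2049),
    # networkServiceInfo(Host, Program, Protocol, Port, User)
    ("networkServiceInfo", "webServer", "httpd", "tcp", 80, "apache"),
    ("networkServiceInfo", "fileServer", "nfsd", "tcp", 2049, "root"),
    # vulExists(Host, VulnId, Program, Range, Consequence); ids are placeholders
    ("vulExists", "webServer", "vulnA", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "fileServer", "vulnB", "nfsd", "remoteExploit", "privEscalation"),
}

# Policy: the only code-execution outcome the site is willing to tolerate.
POLICY = {("execCode", "webServer", "apache")}


def apply_rules(facts):
    """One round of the rules. Returns (fact, rule_name, premises) triples for
    facts not already known; the premises record how each fact was derived."""
    found = []
    hacls = [f for f in facts if f[0] == "hacl"]
    # netAccess(D,P,Port) :- attackerLocated(S), hacl(S,D,P,Port).
    for loc in [f for f in facts if f[0] == "attackerLocated"]:
        for h in hacls:
            if h[1] == loc[1]:
                found.append((("netAccess", h[2], h[3], h[4]), "direct_access", [loc, h]))
    # netAccess(D,P,Port) :- execCode(S,_), hacl(S,D,P,Port).   (multi-hop)
    for ex in [f for f in facts if f[0] == "execCode"]:
        for h in hacls:
            if h[1] == ex[1]:
                found.append((("netAccess", h[2], h[3], h[4]), "multi_hop_access", [ex, h]))
    # execCode(H,User) :- vulExists(H,_,Prog,remoteExploit,privEscalation),
    #                     networkServiceInfo(H,Prog,P,Port,User), netAccess(H,P,Port).
    for v in [f for f in facts if f[0] == "vulExists"]:
        _, host, _vid, prog, rng, cons = v
        if (rng, cons) != ("remoteExploit", "privEscalation"):
            continue
        for s in [f for f in facts if f[0] == "networkServiceInfo"]:
            _, shost, sprog, proto, port, user = s
            access = ("netAccess", host, proto, port)
            if (shost, sprog) == (host, prog) and access in facts:
                found.append((("execCode", host, user), "remote_exploit", [v, s, access]))
    return [t for t in found if t[0] not in facts]


def derive(facts):
    """Run the rules to a fixpoint. Returns (all facts, proofs), where proofs
    maps each derived fact to (rule_name, premises)."""
    facts, proofs = set(facts), {}
    while True:
        new = apply_rules(facts)
        if not new:
            return facts, proofs
        for fact, rule, premises in new:
            if fact not in facts:          # keep the first derivation found
                facts.add(fact)
                proofs[fact] = (rule, premises)


def attack_path(fact, proofs, depth=0):
    """Render the derivation tree of a fact, i.e. one path of the attack graph."""
    line = "  " * depth + "%s(%s)" % (fact[0], ", ".join(map(str, fact[1:])))
    if fact not in proofs:
        return [line]                      # an input fact is a leaf
    rule, premises = proofs[fact]
    lines = [line + "   <- " + rule]
    for p in premises:
        lines.extend(attack_path(p, proofs, depth + 1))
    return lines


def policy_violations(facts, policy):
    """Derived execCode facts that the policy does not permit."""
    return sorted(f for f in facts if f[0] == "execCode" and f not in policy)


if __name__ == "__main__":
    known, proofs = derive(FACTS)
    for bad in policy_violations(known, POLICY):
        print("\n".join(attack_path(bad, proofs)), "\n")
```

Running it reports execCode(fileServer, root) as a policy violation and prints the two-hop derivation behind it: the attacker reaches the web server from the internet, exploits httpd, and from there reaches the NFS port that the firewall never exposed directly. Removing the single hacl fact for webServer to fileServer makes the violation disappear, which is the kind of "what if" a practitioner runs against the model before touching the firewall. In MulVAL itself the same facts and rules live in XSB Datalog, and the derivation tree is what gets rendered through dot.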
1.2
URL
1.3
The current version of MulVAL has been tested on the Linux and Mac OS X operating
systems.
1.4
Download
To run MulVAL, you need the following software installed, with both the xsb and dot
executables in your PATH:
XSB: http://xsb.sourceforge.net/
GraphViz: http://www.graphviz.org/
MySQL: http://dev.mysql.com/downloads
1.5
Installation
ARGUS (SYSTEM MONITORING)
Argus is a system and network monitoring application. It will monitor nearly anything
you ask it to monitor. It presents a clean, easy-to-view web interface that keeps both
managers and technicians happy. It can send alerts in numerous ways and can automatically escalate if someone falls asleep. Argus was originally designed to monitor servers
and network connections in a mission-critical ISP (Internet Service Provider) environment,
and scales well from small businesses through large enterprises.
2.1
Features
2.2
URL
http://argus.tcp4me.com/
2.3
2.4
Language used
Argus can display its web pages in the language of your choice. It ships with support
for several languages, and support for additional languages can be added easily.
Configuring
When displaying web pages, the argus cgi program takes the language value set in the config
file (lang) or in the environment and uses it to choose a file to load.
The cgi program checks the environment variables LC_ALL, LC_ARGUS and then LANG,
in that order, and uses the first one it finds. If none is set, it uses the value default. Often one
of these environment variables will already be set correctly.
It then looks in the directory datadir/locale for a file by that name. If it cannot load the
specified file, it falls back to English.
So, to configure your language of choice, you have three options:
add a line to your argus config such as: lang: en_us
adjust the environment variables to match the correct filename; the variable must be
set before starting your web server. Exactly how to set environment variables for
your web server is beyond the scope of this document.
adjust the name of the file in datadir/locale to match what argus is looking for (either
the environment variable that is already configured or the value default); you can
either rename or symlink the correct file to the desired name.
2.5
Download
Argus is fully open-source, and may be downloaded and used by anyone at no charge.
Find the current stable version here:
argus-3.7.tgz [14 Feb 2013 - 436K]
The current development code is here:
argus-dev-20121229.tgz
Older versions are available here:
http://www.tcp4me.com/code/argus-archive/
2.6
Installation
Before installing, you will need:
fping, used by the Ping Monitoring module for ping tests. It is not required but is
highly recommended. Find fping at www.fping.com.
a CGI-capable web server, such as Apache. Find Apache at httpd.apache.org.
Berkeley DB and the perl DB_File module. Find Berkeley DB at www.sleepycat.com; DB_File ships with
perl.
an understanding of UNIX file permissions and of how to operate your web
server.
The installation steps are:
unbundle the tarball
run ./Configure
run make
as root, run make install
create two files in the data directory:
config
users
configure your web server, and be sure that the
data directory is writable by the www user (or whatever uid your web server runs as)
copy the icons to somewhere accessible by your web server (these locations are specified in the config file above), or replace them with your own icons, or use no
icons at all
start the argus server by running argusd,
or install the rc.argusd script as appropriate for your system
check the argus log file (datadir/log) and/or your syslog logs to verify that argus is
operating correctly
load the argus cgi interface in your web browser, and verify that everything is configured
correctly
perform any optional advanced configuration described in the advanced installation
section
2.7
Configuring
2.7.1
The config file defines what is monitored and how, as well as the layout and relationships of the various items.
It contains several kinds of entries:
key-value pairs (data), for example:
frequency: 300
specifications of things to monitor (Services), for example:
Service TCP/SMTP
groups of services (Groups), for example:
Group Foo
hostname: foo.example.com
Service TCP/SMTP
Service TCP/HTTP
alternate names for things (Aliases), for example:
Alias Foo Top:Servers:Foo
Aliases are described further in the advanced documentation.
definitions of notification methods; notification methods are described in the notification
documentation.
definitions of special features, such as DARP and the asynchronous resolver.
In the config file, the parameter-value data must come first, followed by notification
methods and special features, followed by groups and services.
2.7.2
Example
WIRESHARK
Wireshark is a network packet analyzer. A network packet analyzer captures network
packets and displays the packet data in as much detail as possible. Wireshark is
perhaps one of the best open source packet analyzers available today.
3.1
Features
The current stable release of Wireshark is 1.12.7. Some features of Wireshark are:
Capture live packet data from a network interface.
Open files containing packet data captured with tcpdump/WinDump, Wireshark, and
a number of other packet capture programs.
Import packets from text files containing hex dumps of packet data.
Display packets with very detailed protocol information.
Save captured packet data.
Export some or all packets in a number of capture file formats.
Filter packets on many criteria.
Search for packets on many criteria.
Colorize the packet display based on filters.
Create various statistics.
3.2
URL
http://www.wireshark.org
3.3
The current version of Wireshark should support any version of Windows that is still
within its extended support lifetime; this includes Windows 8, 7, Vista, Server 2012,
Server 2008 R2, Server 2008 and Server 2003.
Older versions of Windows that are outside Microsoft's extended lifecycle support
window are no longer supported.
Wireshark currently runs on most UNIX platforms. Binary packages are available for
most Unices and Linux distributions, including the following platforms:
Apple Mac OS X
Debian GNU/Linux
FreeBSD
Gentoo Linux
HP-UX
Mandriva Linux
NetBSD
OpenPKG
Red Hat Enterprise/Fedora Linux
Sun Solaris/i386
Sun Solaris/SPARC
Canonical Ubuntu
3.4
Download
3.5
Installation
3.6
Configuration
Capture support: the operating system must support packet capture, i.e. capture support is enabled or a capture driver is installed.
Time zones: the computer's time and time zone settings should be correct, so that the
captured time stamps are meaningful (see the User's Guide section on time zones).
Capture traffic sent to and from the local machine.
Capture traffic destined for machines other than our own.
Make sure you capture from a location in the network where all relevant traffic will
pass through:
Network topology: choose the right place in the network topology in order
to get the required network traffic.
Network media: there may be media-specific (Ethernet, PPP, ...)
limitations.
Promiscuous mode must be switched on.
Capture traffic using a remote machine.
Remote capturing is currently very limited:
Pipes: use a UNIX pipe and a different tool to capture.
WinPcap remote: use WinPcap's remote capturing feature (rpcapd).
RMON: use SNMP's RMON to capture.
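The capture-file side of the features listed above (opening files captured with tcpdump/WinDump, filtering packets), as an added example that is not Wireshark code: a writer and reader for the classic libpcap format those tools share, a minimal Ethernet/IPv4/TCP/UDP decoder, and a tiny port/protocol filter over the result. The packets are constructed in-line (addresses, ports and payloads are illustrative; checksums are left at zero, so Wireshark would flag them unless checksum validation is disabled). The reader handles both byte orders the magic number can appear in and refuses record lengths that exceed the snaplen or the file, which is the check a parser of untrusted capture files needs.

```python
"""Added example: read and write the classic libpcap format shared by
Wireshark, tcpdump and WinDump, then apply a small display-style filter.

Not Wireshark code. Packets are constructed in-line; checksums are zero.
"""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1


def build_packet(src_ip, sport, dst_ip, dport, payload=b"", proto=6):
    """Ethernet + IPv4 + TCP (proto 6) or UDP (proto 17) frame, checksums zeroed."""
    if proto == 6:   # ports, seq, ack, data offset 5 words + PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 1, 0x5018, 65535, 0, 0) + payload
    else:            # ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("aabbccddeeff112233445566") + b"\x08\x00"   # dst, src, IPv4
    return eth + ip + l4


def write_pcap(path, packets):
    """packets: iterable of (timestamp_seconds, frame_bytes); little-endian file."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Yield (timestamp, frame) from a classic pcap file of either byte order,
    refusing record lengths that exceed the snaplen or run past the file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        e = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(e + "II", data[16:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated or corrupt packet record at offset %d" % off)
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP|UDP headers into a dict; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    l4 = frame[14 + ihl:14 + total_len]
    if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8
    return {"proto": "tcp" if proto == 6 else "udp",
            "src": socket.inet_ntoa(frame[26:30]), "sport": sport,
            "dst": socket.inet_ntoa(frame[30:34]), "dport": dport,
            "payload": max(0, len(l4) - hdr_len)}


def matching(path, port=None, proto=None):
    """A tiny display filter: packets on the given port and/or transport protocol."""
    hits = []
    for _ts, frame in read_pcap(path):
        p = parse_frame(frame)
        if p and (proto is None or p["proto"] == proto) \
                and (port is None or port in (p["sport"], p["dport"])):
            hits.append(p)
    return hits


def sample_capture():
    """Write three constructed packets to a temporary file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, [
        (1.0, build_packet("10.0.0.5", 40000, "10.0.0.80", 80, b"GET / HTTP/1.0\r\n\r\n")),
        (1.5, build_packet("10.0.0.80", 80, "10.0.0.5", 40000, b"HTTP/1.0 200 OK\r\n\r\n")),
        (2.0, build_packet("10.0.0.5", 53000, "10.0.0.53", 53, b"\x00" * 12, proto=17)),
    ])
    return path


if __name__ == "__main__":
    path = sample_capture()
    for pkt in matching(path, port=80):
        print(pkt)
```

The file written by sample_capture() opens directly in Wireshark, where the filter tcp.port == 80 selects the same two packets that matching(path, port=80) returns. For the remote-capture case listed above under Pipes, the usual form is to run tcpdump on the remote host writing to standard output and feed that stream to Wireshark on the local machine, for example ssh remotehost 'tcpdump -i eth0 -w -' | wireshark -k -i -, which keeps the capture privileges on the remote host and the analysis on your own.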
ARGUS
Argus is the network Audit Record Generation and Utilization System. The Argus
Project is focused on developing all aspects of large scale network activity audit. Argus,
itself, is next-generation network flow technology, going from packets on the wire to advanced network flow data, to network forensics data; all in support of Network Operations,
Performance and Security Management.
4.1
Features
Argus is composed of an advanced, comprehensive network flow data generator, the Argus sensor, which processes packets and generates detailed network flow status reports
for all the flows in the packet stream.
It captures much of the packet dynamics and semantics of each flow with a great
deal of data reduction, so that large amounts of network data can be stored, processed,
inspected and analyzed efficiently.
It provides reachability, availability, connectivity, duration, rate, load, goodput, loss,
jitter, retransmission and delay metrics for all network flows.
It is used by many sites to generate network activity reports for every network transaction on their networks.
The network audit data it generates is valuable for security, operations and performance management. The data is used for network forensics, non-repudiation, network
asset and service inventory, behavioral baselining of server and client relationships,
detecting covert channels, and analyzing zero-day events.
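The data reduction described above, packets in and flow status records out, as an added example that is not Argus code: a bidirectional flow generator that keys packets on their 5-tuple, counts packets and bytes per direction, derives duration and rate, and assigns a simplified connection state. The record layout only loosely mirrors the default columns of Argus's ra client, the state logic is a simplification of its own, the idle timeout is an assumed mechanism for splitting long-separated traffic, and the packets are constructed (an HTTP exchange, a DNS lookup, a refused telnet connection and a late stray segment), not captured.

```python
"""Added example: turn a packet stream into bidirectional flow records with
Argus-style metrics (packets, bytes, duration, rate, state).

Not Argus code; the record layout only loosely mirrors ra's columns and the
packets below are constructed, not captured.
"""
from dataclasses import dataclass, field

# Constructed packets: (ts, src, sport, dst, dport, proto, tcp_flags, bytes_on_wire)
SAMPLE_PACKETS = [
    (100.00, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", "S", 60),
    (100.01, "10.0.0.80", 80, "10.0.0.5", 40000, "tcp", "SA", 60),
    (100.02, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", "A", 52),
    (100.03, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", "PA", 180),
    (100.20, "10.0.0.80", 80, "10.0.0.5", 40000, "tcp", "PA", 1500),
    (100.21, "10.0.0.80", 80, "10.0.0.5", 40000, "tcp", "FA", 52),
    (100.22, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", "FA", 52),
    (101.00, "10.0.0.5", 53000, "10.0.0.53", 53, "udp", "", 70),
    (101.05, "10.0.0.53", 53, "10.0.0.5", 53000, "udp", "", 120),
    (102.00, "10.0.0.5", 40001, "10.0.0.80", 23, "tcp", "S", 60),
    (102.01, "10.0.0.80", 23, "10.0.0.5", 40001, "tcp", "RA", 40),
    (300.00, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", "PA", 100),  # same tuple, 200 s later
]


@dataclass
class Flow:
    start: float
    last: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    spkts: int = 0
    sbytes: int = 0
    dpkts: int = 0
    dbytes: int = 0
    flags: set = field(default_factory=set)   # TCP flags seen in either direction

    @property
    def dur(self):
        return self.last - self.start

    @property
    def rate(self):
        """Bits per second over the flow's lifetime (0 for single-packet flows)."""
        return 8 * (self.sbytes + self.dbytes) / self.dur if self.dur > 0 else 0.0

    @property
    def state(self):
        """Simplified connection state, loosely modelled on ra's State column."""
        if self.proto != "tcp":
            return "CON" if self.dpkts else "INT"
        if "R" in self.flags:
            return "RST"
        if "F" in self.flags:
            return "FIN"
        if "S" in self.flags:
            return "CON" if self.dpkts else "REQ"
        return "EST"          # mid-stream traffic, no handshake observed


def generate_flows(packets, idle_timeout=60.0):
    """Aggregate packets into bidirectional flows keyed on the 5-tuple; a gap
    longer than idle_timeout between packets starts a new flow record."""
    active, finished = {}, []
    for ts, src, sport, dst, dport, proto, flags, length in sorted(packets):
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        flow = active.get(key)
        if flow is not None and ts - flow.last > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(ts, ts, proto, src, sport, dst, dport)
        flow.last = ts
        if (src, sport) == (flow.src, flow.sport):     # initiator -> responder
            flow.spkts, flow.sbytes = flow.spkts + 1, flow.sbytes + length
        else:
            flow.dpkts, flow.dbytes = flow.dpkts + 1, flow.dbytes + length
        flow.flags.update(flags)
    return finished + sorted(active.values(), key=lambda f: f.start)


def to_record(flow):
    """One audit record per flow, in the spirit of ra's default columns."""
    return {"StartTime": flow.start, "Dur": round(flow.dur, 3), "Proto": flow.proto,
            "SrcAddr": flow.src, "Sport": flow.sport,
            "Dir": "<->" if flow.dpkts else "->",
            "DstAddr": flow.dst, "Dport": flow.dport,
            "TotPkts": flow.spkts + flow.dpkts, "TotBytes": flow.sbytes + flow.dbytes,
            "Rate": round(flow.rate), "State": flow.state}


if __name__ == "__main__":
    for rec in map(to_record, generate_flows(SAMPLE_PACKETS)):
        print(rec)
```

Twelve packets become four records, and the records already carry what an analyst reaches for first: which side initiated, whether the other side answered, how much went each way, and whether the connection was refused (RST), completed (FIN) or seen only mid-stream. The late segment on the HTTP tuple becomes its own record because of the idle timeout; raising that timeout merges it back, which shows why the choice of reporting interval shapes what a flow archive can and cannot say about a long-lived session.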
4.2
URL
http://qosient.com/argus/
4.3
AIX
HP-UX
VxWorks
IRIX
Windows (under Cygwin)
OpenWrt
4.4
Download
Currently, the stable source code can be obtained from these links:
http://qosient.com/argus/src/argus-3.0.8.1.tar.gz
http://qosient.com/argus/src/argus-clients-3.0.8.tar.gz
Download the files from these links and then follow the installation instructions
below.
4.5
Installation
4.6
Configuration
Argus accepts configuration options on the command line, but it is generally configured
using the argus.conf file, normally found in either /etc or ARGUSHOME. The variables
set by this file can be overridden with command line switches, and an alternative
configuration file can be given on the command line with the -F
configfile option.
You can also clear the configuration directives read from /etc/argus.conf by using the
-X option on the command line, so you have a lot of flexibility.
To set up /etc/argus.conf, copy the example configuration to /etc and modify its values
accordingly.
Argus can write flow records to more than one output file in a single run; each -w takes an output file followed by an optional filter expression. This command writes TCP records to one file and everything else to another:
argus -w tcp.file tcp -w nottcp.file not tcp
HP WEBINSPECT
HP WebInspect is an automated dynamic application security testing (DAST) tool designed to thoroughly analyze today's complex web applications and web services for security vulnerabilities. With broad technology coverage and application runtime visibility through
the HP WebInspect Agent, HP WebInspect provides wide dynamic application security testing coverage and detects types of vulnerabilities that often go undetected
by pure black-box testing. It mimics real-world hacking techniques and attacks,
and provides comprehensive dynamic analysis of complex web applications and
services.
5.1
Features
5.2
URL
http://www8.hp.com/in/en/software-solutions/webinspect-dynamic-analysis-dast/
5.3
HP WebInspect 10.30
5.4
HP Webinspect supports Windows Server 2012, SQL Server 2012, ALM 11.5 and 11.52 as
well as continued support for Windows 8.
5.5
Language used
5.6
Download
5.7
Installation
IBM WATCHFIRE
6.1
Features
6.2
URL
6.3
6.4
Language used
6.5
Download
6.6
Installation
IBM APPSCAN
IBM Security AppScan enhances web application security and mobile application security,
improves application security program management and strengthens regulatory compliance.
By scanning your web and mobile applications prior to deployment, AppScan enables you to
identify security vulnerabilities and to generate reports and fix recommendations.
7.1
Features
Flash support: AppScan 8.0 has improved Flash support compared to its earlier
versions. It can now explore and test applications built on the Adobe Flex framework.
The AMF protocol is also supported.
Glass box testing: this process installs an agent on the server, which helps find
hidden URLs and additional issues.
Web services scanning: web service scanning is one area where organizations are
looking for more effective automated support, and AppScan has scored well in this
area.
JavaScript Security Analyzer: AppScan has introduced a JavaScript Security Analyzer
which analyses the crawled HTML pages for vulnerabilities and lets users focus on
client-side issues and DOM (Document Object Model) based XSS problems.
Reporting: based on your requirements, you can generate reports in the desired formats
and include the desired fields in them.
Remediation support: for each identified vulnerability, the program provides a
description of the issue along with remediation notes.
Customizable scanning policies: AppScan comes with a set of predefined scanning
policies that can be customized.
Tools support: it has tools such as the Authentication Tester, Token Analyzer and HTTP
Request Editor, which come in handy when testing for vulnerabilities manually. The Ajax and Dojo frameworks are supported.
7.2
URL
http://www-03.ibm.com/software/products/en/appscan
7.3
Microsoft Windows Server 2008: Standard and Enterprise, SP1 and SP2
Microsoft Windows Server 2008 R2: Standard and Enterprise, with or without SP1
Microsoft Windows 8.1: Pro and Enterprise
Microsoft Windows 8: Standard, Pro and Enterprise
Microsoft Windows 7: Enterprise, Professional and Ultimate, with or without SP1
Linux and Mac OS
7.4
Language used
7.5
Download
7.6
Installation
7.7
Configuration