aircrack-ng is a set of tools for auditing wireless networks. It's an enhanced/reborn version of aircrack. It consists of airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), airdecap (decrypts WEP/WPA capture files), and some tools to handle capture files (merge, convert, etc.).
MultiTail lets you view one or multiple files like the original tail program. The difference is that it creates multiple windows on your console (with ncurses). Merging of 2 or more log files is possible. It can also use colors while displaying the log files (through regular expressions) for faster recognition of what is important. It can also filter lines (again with regular expressions). It has interactive menus for editing given regular expressions and deleting and adding windows. One can also have windows with the output of shell scripts and other software. When viewing the output of external software, MultiTail can mimic the functionality of tools like 'watch'.
Webfwlog is a Web-based firewall log reporting and analysis tool. It allows users to design reports to use on logged firewall data in whatever configuration they desire. Included are sample reports as a starting point. Reports can be sorted with a single click, or "drilled-down" all the way to the packet level, and saved for later use. Supported log formats are netfilter, ipfilter, ipfw, ipchains, and Windows XP. Netfilter support includes ulogd MySQL or PostgreSQL database logs using the iptables ULOG target.
ns4 is a command line configuration management tool that runs on a Unix or Windows based operating system. It allows the automated backup of node (i.e. routers and switches) configurations to an FTP/SFTP server or local media on a daily basis to create configuration archives. It can run ad-hoc commands on multiple nodes as well as custom scripts for automating complex tasks. It uses Perl and allows you to manipulate the output of commands using regular expressions within scripts. Configuration based cartridges are used to specify new node types, allowing the user to extend its functionality in a simple and dynamic way.
A 'honeypot' is designed to detect server-side attacks. In contrast, a 'honeyclient' is designed to detect client-side attacks. Specifically, a honeyclient is a dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner (by compromising the client). Honeyclients can proactively detect exploits against client applications without known signatures. This framework uses a client-server model with SOAP messaging as the primary communication method, and uses the free version of VMware Server as a means of virtualizing the client environment.
check_writable is a Nagios plugin that checks if one or more directories are writable by checking that the supplied directory is indeed a directory, checking if the the filesystem permissions are OK, creating a temporary file, writing random data to the temporary file, and reading it back. It returns a critical status if one of the tests fails.
fupids2 is a so-called human oriented IDS based on the FUPIDS project. fupids2 calculates an attacker level for every user on all Unix/Linux/BSD systems in the network. It looks at the behavior of the user (the programs the user uses, the daytime the user is active, the building and room the user uses, the part of the room in which the user sits, and so on) and reports if the user engages in behavior that is unusual for that person. This method can often detect accounts overtaken by attackers.
mwcollect is an easy solution to collect worm-like malware in a non-native environment like FreeBSD or Linux. The first versions were used to collect binaries for botnet monitoring, and bots are still what it is mostly collecting. Some people consider it a next generation honeypot; however, that comparison often leads to the misunderstanding that computers running mwcollect can actually be infected with the malware, which is not the case.
esniff (formerly dbsniff) is a very basic set of tools useful for network traffic analysis and scripting across machines. It consists of three tools: esniff, nwait/npush, and loss_chk/loss_srv. esniff is a packet sniffer based on pcap that does certain things like traffic summaries (not better but hopefully easier than tcpdump). nwait and npush implement the DOS "pause" command working over the network. loss_chk and loss_srv are for checking the loss rate of a line.
Weplab is a tool to review the security of WEP encryption in wireless networks from an educational point of view. Several attacks are available, so it can measure the effectiveness and minimum requirements of each one. Currently, weplab supports several methods, and it is able to crack the WEP key from 600,000 encrypted packets.