Dar is a shell command that makes backups of a directory tree and files. Its features include splitting archives over several files, DVDs, CDs, ZIP disks, or floppies, compression, full or differential backups, strong encryption, proper saving and restoration of hard links, extended attributes, file forks, Door inodes, and sparse files, remote backup using pipes and external commands (such as ssh), and rearrangement of the "slices" of an existing archive. It can run commands between slices, before and after saving some defined files or directories (for a proper database backup, for example), and quickly retrieve individual files from differential and full backups. Several external GUIs exist as alternatives to its CLI interface, like kdar, DarGUI, SaraB, etc.
SSLsplit is a tool that performs man-in-the-middle attacks against SSL/TLS encrypted network connections for network forensics and penetration testing. It terminates SSL/TLS and initiates a new connection to the original destination, logging all data transmitted. It supports plain TCP and SSL, HTTP and HTTPS, and IPv4 and IPv6. For SSL and HTTPS, it generates and signs forged X509v3 certificates on-the-fly using the original certificate's subject DN and subjectAltName extension. It supports Server Name Indication, RSA, DSA, and ECDSA keys, and DHE and ECDHE cipher suites. It can also use existing certificates if the private key is available.
cryptmount is a utility for creating and managing secure filing systems on GNU/Linux systems. After initial setup, it allows any user to mount or unmount filesystems on demand, solely by providing the decryption password, with any system devices needed to access the filing system being configured automatically. A wide variety of encryption schemes (provided by the kernel dm-crypt system and the libgcrypt library) can be used to protect both the filesystem and the access key. The protected filing systems can reside in either ordinary files or disk partitions. The package also supports encrypted swap partitions, and automatic configuration on system boot-up.
fwknop implements an authorization scheme called Single Packet Authorization that requires only a single encrypted packet to communicate various pieces of information, including desired access through an iptables, ipfw, or pf firewall policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities much more difficult. The authorization server works by passively monitoring authorization packets via libpcap. Also supported is a robust port knocking implementation based around iptables log messages.
Xplico is an IP traffic decoder that extracts data from an Internet traffic capture. From a pcap file, it can extract each email (POP, IMAP, and SMTP protocols), all HTTP content, VoIP calls (SIP, RTP, H323, MEGACO, MGCP), IRC, MSN, and so on. It isn't a packet sniffer or a network protocol analyzer, but rather an IP/Internet traffic decoder or network forensic analysis tool (NFAT).
C-ICAP Classify is a module that allows classification (labeling) of Web pages, images, and soon video based on content. Labels are placed in HTTP headers. Any PIC-Label META tags are exported into HTTP headers. This allows for creation of very flexible filters according to rules defined by the user, using the ICAP enabled proxy's ACLs. It is not a URL filter, so implementing it with sslBump or similar proxy technologies makes it very difficult to bypass. Text classification is done using Fast Hyperspace (based on Hyperspace from CRM114) and/or a Fast Naive Bayes. Image and video (when implemented) use haar feature detection from the OpenCV library.
Andrisoft WANGUARD is an enterprise-grade traffic monitoring and DDoS detection and protection solution that delivers the functionality NOC, IT, and security teams need to effectively monitor and protect their network through a single, integrated package. WANGUARD Sensor relies on sFlow, NetFlow, IPFIX, or Port Mirroring / SPAN.
GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP, TCP, HTTP, HTTPS, or direct 802.11 (WLAN). GNUnet supports accounting to provide contributing nodes with better service. The services built on top of the framework include anonymous file sharing and a virtual network providing IPv4-IPv6 transition via protocol translation over the P2P network.
Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It is designed to support the regular analysis of malicious software and the development of detection and defense measures. It allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It can be applied to recorded program behavior of various formats as long as monitored events are separated by delimiter symbols, e.g. as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox, and Joebox.