| 2swatch/ |
Directory containing 2swatch distribution. 2swatch is a concurrent system log watching tool based on the original Stanford swatch tool. |
| arpd/ |
Directory containing arpd distribution. Arpd is a daemon that replies to ARP requests. |
| comply/ |
Directory containing comply distribution. Comply checks for compliance of IP traffic with specified security policy. |
| dynam1/ |
Directory containing dynamic portmapper monitor. This monitor records traffic correlated with portmapper scans. It was written several years ago, before RPC and other buffer overflows became popular. In fact, this tool detected some of the first RPC buffer overflows ever seen "in the wild". |
| dynam2/ |
Directory containing dynamic network scan monitor. This monitor records traffic correlated with scans of several hosts connected to the same network. This software was a research tool that we used (several years ago) to validate the idea of dynamic filter updates in response to probing activity. This tool pre-dated commercial dynamic filter updates by about 2 years. |
| hfw/ |
Directory containing host firewall software. HFW performs packet filtering on arbitrary ports of the host network interface. This software anticipated the later Linux ipfwadm/ipfilter/etc software by 4 years, and is related to software which has protected workstations at SDSC for almost 7 years. |
| hostlog/ |
Directory containing PICS' host syslog package. Hostlog installs several extended and integrated network services daemons and a syslog replacement. This is our first syslog replacement, which begins to address the many security flaws in current system logging protocols and software. We have a third-generation system which will be released in the future. |
| madaudit/ |
Directory containing IP auditing software. |
| maker/ |
Directory containing maker distribution. Maker is an interactive syslog filter generation tool. |
| netoff/ |
Directory containing netoff distribution. Netoff disables host transmission of IP packets through a network interface. |
| parse/ |
Directory containing parse distribution. Parse is an IP session breakdown and display tool. This is a subset of our current session replay software. The newer system is in use by PICS partners in a variety of research, educational, law enforcement and national security areas. |
| redux/ |
Directory containing redux distribution. Redux is a post-mortem syslog reduction and analysis tool. This tool was our first attempt at an "intelligent co-pilot" or "assistant" for an analyst performing log analysis during an investigation of a security incident. |
| td3/ |
Directory containing PICS' modifications to the tcpdump tool. Several years ago we addressed numerous shortcomings in the popular tcpdump program when being used for incident detection and analysis. Some of these shortcomings were eventually addressed in the public tcpdump distribution; others remain unique. |
| tripfix/ |
Directory containing PICS' patches to the Purdue tripwire tool. Again, we have addressed shortcomings in the tripwire tools, based on our experiences using it on real-world intrusions. |
| validate/ |
Directory containing validate distribution. Validate is a syslog filter validation and maintenance tool. |