Sandfly 1.1.11 is now available. This release has many new Sandflies that detect the following Linux threats:
- Greatly enhanced process forensics data.
- Malicious and suspicious process environment capture.
- Ability to see the IP address of SSH session that started a process.
- Command shell process masquerading detection.
- Blank user password detection and alerting.
- Can optionally search entire filesystem for suspicious directories for incident response.
- Can optionally search entire filesystem for stealth rootkits hiding directories for incident response.
- Detects malicious commands in user login/logout scripts.
- Detects many more legacy Linux rootkits.
- Detects anti-forensic activity with history files.
- Searches for malicious device files associated with Linux rootkits.
- Detects suspicious cron script activity.
- Detects suspicious at job activity.
- Detects history files on inactive accounts which can help spot compromised accounts.
- Detects suspicious Perl scripts running from system directories.
- Detects suspicious Python scripts running from system directories.
- Detects suspicious PHP scripts running from system directories.
- Small bug fixes.
We are adding many new sandflies now to detect an ever increasing list of threats against Linux. If you have any questions about the update, please contact us.