Suricata IDS - Network threat detection engine

•    C

---

The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

intrusion-detection network-security-monitoring security ids ips nsm network-monitoring

Bro - Network Security Monitor

•    C++

---

Bro is a powerful network analysis framework that is much different from the typical intrusion detection system you may know. Bro provides a comprehensive platform for more general network traffic analysis as well.

intrusion-detection intrusion-prevention ids network-analyzer monitoring packet-capture

Wazuh - Host and endpoint security

•    C

---

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the capabilities like Log management and analysis, File integrity monitoring, Intrusion and anomaly detection, Policy and compliance monitoring.

ossec security loganalyzer compliance monitoring intrusion-detection policy-monitoring openscap security-hardening ids pci-dss file-integrity-management log-analysis vulnerability-detection incident-response threat-detection

pytbull

•    Python

---

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS and to validate config.

OpenWIPS-ng - Wireless Intrusion Prevention System

•    C

---

OpenWIPS-ng is an open source and modular Wireless IPS (Intrusion Prevention System). It is composed of three parts: Sensor(s): "Dumb" devices that capture wireless traffic and sends it to the server for analysis. Also responds to attacks. Server: Aggregates the data from all sensors, analyzes it and responds to attacks. It also logs and alerts in case of an attack. Interface: GUI manages the server and displays information about the threats on your wireless network(s).

intrusion-detection network-security-monitoring security ids ips nsm network-monitoring

Snort - Network Intrusion Prevention and Detection System

•    C

---

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

intrusion-detection intrusion-prevention network attack port-scanner packet-capture

security-onion - Linux distro for intrusion detection, enterprise security monitoring, and log management

•    

---

For more information about Security Onion, please see our main website, blog, and wiki. This repo contains the ISO image, Wiki, and Roadmap for Security Onion.

intrusion-detection network-security-monitoring log-management ids nsm hunting dfir

KIDS - Kernel Intrusion Detection System

•    C

---

The Kernel Intrusion Detection System-KIDS, is a Network IDS, where the main part, packets grab/string match, is running at kernelspace, with a hook of Netfilter Framework. The project is not ready for use, then incomplete pieces of code may be found.

OSSEC - Host-based Intrusion Detection System

•    C

---

OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM together in a simple, powerful and open source solution.

intrusion-detection siem threat-intelligence security-analytics threat-analytics monitoring

fail2ban - Daemon to ban hosts that cause multiple authentication errors

•    Python

---

Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time. Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache, and is easy to configure to read any log file you choose, for any error you choose. Though Fail2Ban is able to reduce the rate of incorrect authentications attempts, it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

security intrusion-prevention fail2ban bsd gplv2 ban-hosts intrusion-detection ids ips anti-bot attack-prevention

OSSEC - Host-based Intrusion Detection System

•    C

---

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

security intrusion-detection-system

DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices

•    HTML

---

This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

vagrant vagrantfile packer information-security lab-environment dfir threat-detection threat-hunting threat hunting

Modular Intrusion Countermeasure Env.

•    C

---

M-ICE is a modular hostbased intrusion detection framework. It is used as middleware to close the gap between IDS research and IDS development. M-ICE consists of various parts that can be connected together by using network-or interprocess-communication

Intrusion Detection Exchange Arch.

•    Java

---

A Java-based client-server architecture for processing network intrusion detection data. The server receives XML alerts from Snort sensors buffers them for review by clients. The console provides a real-time view of IDS activity.

MISP - MISP (core software) - Open Source Threat Intelligence Platform (formely known as Malware Information Sharing Platform)

•    PHP

---

MISP, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reverser to support their day-to-day operations to share structured informations efficiently. The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Intrusion Detection System (NIDS), LIDS but also log analysis tools, SIEMs.

misp threat-sharing threat-hunting threatintel malware-analysis stix information-exchange fraud-management tip security cti cybersecurity fraud-detection fraud-prevention threat-analysis information-security information-sharing threat-intelligence threat-intelligence-platform intelligence

ClearOS - Linux based Operating System

•    C

---

ClearOS is a powerful network and gateway server designed for small organizations and distributed environments. The open source revolution in the software industry has made it possible to provide ClearOS at no cost. Among other features, antivirus, antispam, VPN and content filtering are built right into the software -- no need for expensive third party add-ons. With ClearOS, you can avoid costly vendor lock-in and proprietary formats; instead, you can embrace open standards and protocols.

os operating-system linux-operating-system server-os linux-firewall

Sguil - The Analyst Console for Network Security Monitoring

•    Tcl

---

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis.

intrusion-detection network-security-monitoring security ids ips nsm network-monitoring

NetDash

•    PHP

---

Network Intrusion Detection and Full Packet Capture System

ImSafe - Host Based IDS

•    C

---

Immune Security Architecture For your Enterprise -- Host-Based Intrusion detection for UNIX based systems, at the process level. Detect changes in the normal behavior of processes, advanced features to detect Buffer Overflows.

Acra - Database protection suite with selective encryption and intrusion detection

•    Go

---

Acra helps you to easily secure your databases in distributed, microservice-rich environments. It allows you to selectively encrypt sensitive records with strong multi-layer cryptography, detect potential intrusions and SQL injections and cryptographically compartment data stored in large sharded schemes. It's security model guarantees that compromising the database or your application does not leak sensitive data, or keys to decrypt it.

database-security database-encryption encryption intrusion-detection security database-proxy