IDS Tools
OpenSource NIDS Snort:

Snort is an OpenSource network-based IDS. It analyses network traffic in real time. Alerts are generated based on signatures and protocol analysis. Snort is available for many operating systems, including Linux, BSD, Solaris and Windows. The name "Snort" is a trademark of Sourcefire, Inc.

Snort GUIs and analysis tools:
  • BASE: The Basic Analysis and Security Engine for Snort Analysis. A well maintained fork of the old ACID project.
  • ACID: The Analysis Console for Intrusion Databases (no longer actively maintained)
  • Snortsnarf: Organizes Snort alerts into static web pages
  • OpenAanval: a real-time analysis GUI for Snort and other syslog-based systems
  • Circus Maximus Snort Report: generates reports based on Snort databases
  • Cerebus: a unified IDS alert file browser for snort by Dragos Ruiu
  • Henwen: A Snort GUI for Mac OS X
  • sguil: a new Snort GUI on the market. sguil is purely an analysis interface; no sensor management capabilities are currently included. sguil is the current open source tool of choice if you want to implement an NSM (network security monitoring) solution. The GUI is written in Tcl/Tk.
  • Snortalog: a Snort log file summarizer written in Perl. Formerly known as snort-ng.
  • SnortCenter: Excellent web GUI for signature and sensor management (project seems currently stalled)
  • Watchhog: a tool that allows a network administrator to implement a distributed intrusion detection system and manage it from one central location. The freeware version is available for private use only and supports two sensors max.
  • IDS Policy Manager: a Windows management GUI for Snort IDS sensors in a distributed environment
Snort spoolers:
  • Barnyard: processes files created with the Unified Output Plugin and handles e.g. database inserts
  • mudpit: a spooling processor for Snort. It processes unified logging output and inserts the data into a local or remote database. Unlike Barnyard, mudpit processes both alert and log output streams.
  • FLoP: The "Fast Logging Project", a new way to log sensor data from multiple Snort sensors to a central database system.
Snort-based alert generators:
  • Mucus: a NIDS event generator, which uses the Snort IDS signatures as input for traffic generation
  • snot: an arbitrary packet generator, that uses snort rules files as its source of packet information
  • sneeze: a Snort false-positive generator written in Perl
  • fpg: the "False Positive Generator", part of the FLoP toolset
Snort performance improvement:
  • libpcap-mmap: a tuned libpcap version by Phil Wood for improved performance. The newer versions are usable with both Linux kernels 2.4 and 2.6. With kernels > 2.6.4 the PACKET_MMAP limit is removed, thus allowing PCAP_FRAMES values > 32760 for even better performance!
  • PF_RING: a new type of network socket that improves the packet capture speed. This works with both Linux kernels 2.4 and 2.6. It requires a patched kernel and applications compiled with a patched libpcap version. My tests so far indicate that it works very well with "real" interfaces, yet does not work with bond interfaces.
Snort plugins:
  • Snortsam: a Snort plugin for shunning (dynamic blocking of IP addresses) on firewalls
  • William Metcalf and Victor Julien provided patches for Snort and snort_inline to integrate a preprocessor for virus scanning. The scan engine used is ClamAV.
Snort rules lookup databases:
  • Whitehats: ARACHNIDS (Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems) database. I recommend using this only to look up explanations for older Snort rules.
  • Bleeding Snort Ruleset: a set of "bleeding edge" Snort rules

The Snort Wireless Project is alive again and ready for Snort 2.1.1 with the help of Sebastien Gracia.

NetSQUID: gathers alerts generated by Snort, then automatically creates an IPTables firewall entry to block the alerting host

Oinkmaster: The de-facto standard update tool for Snort signatures

logtopcap: converts Snort unified log files to pcap files

Brian Caswell and Jeff Nathan published their new Snort preprocessor sp_perl. It allows regexp matching and runtime execution of Perl code. The presentation slides from CanSecWest are also available.

New Snort patch for IDS alert verification: the tool triggers NASL (Nessus Attack Scripting Language) scripts to check an attacked host for real vulnerabilities. Seems to be somewhat dubious for enterprise environments, but hey, it's at least a new idea which has to be tested.


Other (non-Snort-based) OpenSource NIDS:
  • Bro: a less well known but nonetheless very interesting NIDS from Vern Paxson. Bro targets "high-speed (Gbps), high-volume" intrusion detection.
  • Shadow: One of the first freely available NIDS
  • Shoki: a signature-based NIDS with a PostgreSQL backend database
  • Firestorm NIDS: Currently sensor-only NIDS. Claims high performance and tries actively to show its superiority to Snort and other free NIDS.
  • BENIDS: an experimental pcap-based NIDS with XML signature files. Supports IDMEF-Output.
OpenSource HIDS:

SNARE (System Intrusion Analysis & Reporting Environment): improves Linux with host-based IDS and C2-style auditing.


Samhain: a distributed file integrity checker. Basically, Samhain is a System Integrity Verifier. Then why not group it under SIV? Samhain has many more features than a simple hash database. Samhain allows distributed file checking with a central database. It runs in daemon mode and knows about previous alerts, so it will not raise the same alert again. On Linux and FreeBSD systems Samhain detects LKM (loadable kernel module) rootkits. With the web-based console Beltane it is easy to update the signature database on the central server and to monitor the change logs.

OsHIDS: an OpenSource log analysis tool

M-ICE: (Modular Intrusion Detection and Countermeasure Environment)


OpenSource Hybrid IDS:

Prelude combines host-based and network-based IDS in one system. While it is a relatively young system, it seems to evolve quite nicely. In my opinion a very promising project. See also Prelude's new honeyd patch.

OpenSource System Integrity Verifier:

Tripwire: the well-known commercial system has a somewhat old OpenSource brother

Aide (Advanced Intrusion Detection Environment): a Tripwire replacement

Samhain: see above


Intrusion Prevention:

Inline-Snort: a patch for Snort which enables Snort to drop or modify network packets

Hogwash: an IPS which was formerly based on Snort. The new H2 engine will replace the Snort engine. (seems no longer to be actively maintained)


Miscellaneous Tools:

fragroute: an attack router which implements the NIDS evasion techniques described in the famous Ptacek/Newsham paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection".

NADS (Normalized Attack Detection System): a C library that normalizes HTTP URLs (currently proof-of-concept code)

IDABench: a pluggable framework for intrusion analysis, based on SHADOW

tcpreplay: a tool to replay saved tcpdump files at arbitrary speeds

Source: ForInSecT