LinuxLinks.com
Top : Software : Networking : Security : Intrusion Detection

Links:

  • Realeyes IDS
    The Realeyes IDS captures and analyzes full sessions. When an incident is reported, the graphical user interface will display both halves of the session to determine what occurred. The GUI also provides management of application users, sensors, and a database. Realeyes is a replacement for the RenaissanceCore software.
  • Bait and Switch Honeypot System
    A multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense. To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system.
  • Bro
    Bro is a Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.
  • check-ps
    check-ps detects rootkits by detecting falsified output and similar anomalies. The ps check should work on anything with /proc; the (currently incomplete) netstat check is more Linux-specific.
  • devialog
    devialog is a behavior/anomaly-based syslog intrusion detection system which detects unknown attacks via anomalies in syslog. It can generate signatures for ease of management, act upon anomalies in a predefined fashion or perform as a standard log parser.
  • EasyIDS
    EasyIDS is an easy-to-install intrusion detection system based upon Snort. EasyIDS is designed for the network security beginner. EasyIDS includes CentOS Linux, Snort, MySQL, BASE, ntop, oinkmaster, and more.
  • FCheck
    FCheck is an open source Perl script providing intrusion detection and policy enforcement of Windows 95/98/NT/3.x and Unix server administration through the use of comparative system snapshots.
  • File System Saint
    File System Saint is a lightweight host-based intrusion detection system with primary focus on speed and ease of use.
  • Firestorm
    Firestorm is a very lightweight and flexible base for a hierarchical NIDS. It aims to be very fast and to support many open protocols and formats.
  • FirstLight IPS
    FirstLight IPS is an intrusion prevention system designed to control the flow of packets actively. The filter can operate in an intrusion detection mode both inline and passively, besides acting as an IPS. Rules can be individually assigned to block, alarm, or both. The installation creates a bridge across two interfaces. The management and configuration occur with a GTK interface on the system, or connected via a third NIC using xterm. It can import Snort-formatted rules besides its own XML format.
  • fupids2
    fupids2 is a child of the FUPIDS (Fuzzy Userprofile Intrusion Detection System) project and is based on its idea. fupids2 calculates an attacker level for every user on all Linux/BSD (and hopefully Unix systems too) in your network. fupids2 does not only use the tool-using behavior of every user as FUPIDS did; it also knows about the buildings and rooms a user normally uses.
  • fwsnort
    fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.
  • HLBR - The invisible IPS
    HLBR is an IPS (Intrusion Prevention System) that works directly at layer 2 of the OSI model (so it is invisible at layer 3, IP). It is an alternative for anyone who needs to integrate an IPS with their firewall system. It is able to analyse the contents of passing packets and block attacks.
  • ICU
    Integrity Checking Utility is a Perl program used for executing AIDE filesystem integrity checks on remote hosts from an ICU server and sending reports via email.
  • IDABench
    IDABench is a pluggable framework for intrusion analysis built upon the Naval Surface Warfare Center, Dahlgren Division's SHADOW versions 1.7 and 1.8. IDABench is not intended to be an intrusion detection system, although it can be used as such.
  • ImSafe
    ImSafe is a host-based intrusion detection tool for Linux. It performs anomaly detection at the process level and tries to detect various types of attacks. What is great about ImSafe is that the system doesn't know anything about the attacks and thus can detect unknown, unpublished attacks or any other form of malicious use of the monitored application. It performs quite well when monitoring usual services like an FTP server, telnet daemon, etc.
  • Industrial Defender
    (commercial) Industrial Defender is a complete integrated multi-layer security solution based on SE Linux which is designed to protect mission-critical control system environments. It provides perimeter protection, NIDS, HIDS, control application security monitoring, performance monitoring and rogue device detection in a manner that accommodates and leverages the unique characteristics of control system environments.
  • krd
    krd is a rootkit detection utility which scans /proc/kcore for interesting data. Suspicious programs (sk, adore, etc.) and worms/backdoors/viruses are detected even if running silently in your kernel. For instance, the ASCII string OSF indicates the ELF infector GMON.A is present.
  • LaBrea
    LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in such a way that the machine at the other end gets "stuck", sometimes for a very long time.
  • lids
    Linux IDS Patch (lids) is an intrusion detection system in the Linux kernel.
  • Login Anomaly Detection System
    Login Anomaly Detection System detects anomalies in logins and logouts and is able to perform various actions in response.
  • Nabou Advanced Host Intrusion Detection System
    Nabou Advanced Host Intrusion Detection System stores the properties for each file in a dbm database and will warn you if something has been changed on a file. The most important thing to check for is the MD5 checksum.
  • Nebula Intrusion Signature Generator
    Nebula is a data analysis tool that automatically generates intrusion signatures from attack traces. It runs as a daemon that processes data submitted from honeypots. New signatures are published as Snort rules and can be used to defend a network from future intrusion attempts.
  • Nift
    Nift is a graphical front-end (written in gtk+) for footprinting tools and methods already freely available.
  • nipper
    nipper processes network device configuration files, performs a security audit and outputs a security report with recommendations and a configuration report. nipper currently supports Cisco IOS, PIX, ASA, FWSM, NMP, CatOS and Juniper NetScreen devices.
  • nLive Core
    nLive Core is a tool that checks network traffic for anomalous applications, hosts, and users. It combines machine learning and anomaly detection technologies and provides comprehensive visibility into the network interior packet traffic. Coupled with extensive reporting capabilities, it is a single solution that secures the network and enables the meeting of compliance requirements.
  • NullBound
    NullBound Malware Prevention System is an enterprise level anti-spyware application that operates at the network level. The system can support up to thousands of end-user computers per single installation. It also operates passively on the network allowing for a seamless integration and no network degradation.
  • OSSEC HIDS
    OSSEC HIDS is an open source host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. All this information is correlated and analyzed by a single engine, creating a very powerful detection tool.
  • Prelude
    Prelude is a hybrid IDS framework: a product that enables all available security applications, whether open source or proprietary, to report to a centralized system. To achieve this, Prelude relies on the IETF standard IDMEF (Intrusion Detection Message Exchange Format), which enables different kinds of sensors to generate events using a unified language.
  • Remote Access Session
    Remote Access Session is a security tool to analyze the integrity of systems. The program tries to gain access to a system using the most advanced techniques of remote intrusion.
  • sectool
    sectool is a security tool for RPM based distributions. It can be used for security auditing and intrusion detection. Its goal is to catch mistakes caused by admins or point out things that they were not aware of. It checks system configuration and suspicious settings. It's easily extensible with language independent tests.
  • Sguil
    Sguil (pronounced sgweel) is an analyst console for network security monitoring.
  • Snort Report
    Snort Report is an add-on module for the Snort Intrusion Detection System. It provides realtime reporting from the MySQL database generated by Snort. It requires a platform with MySQL 3.23, PHP 4.0, and Snort 1.8. It has been tested on Redhat 6.2, 7.0, 7.1, and OpenBSD 2.9.
  • snort_inline
    snort_inline is basically a modified version of Snort that accepts packets from iptables and IPFW via libipq instead of libpcap.
  • System Integrity Checker
    SIC stands for System Integrity Checker. You can use it to make sure that no unauthorized changes have been made to your computer systems.
  • Tcpreplay
    tcpreplay is a suite of tools to edit and replay captured network traffic.
  • Tiger
    Tiger is a security tool designed to perform audits of UNIX systems. It is useful as a security check tool and as a host intrusion detection tool.
  • Tripwire
    (commercial) Tripwire is a system integrity checker and a utility that compares properties of designated files and directories against information stored in a previously generated database.
  • ViperDB
    ViperDB is a file checker somewhat similar to Tripwire, but based on different assumptions. It only reports if a change is found and therefore can be run every couple of minutes.
  • VXE
    VXE (Virtual eXecuting Environment) is an Intrusion Prevention System (IPS). It protects UNIX servers from intruders, hacker attacks from the network and so on. It protects software subsystems such as SMTP, POP, HTTP and any other subsystem already installed on the server.
  • Zeppoo
    Zeppoo makes it possible to detect if a rootkit is installed on your system. It also makes it possible to detect hidden tasks, modules, syscalls, some corrupted symbols, and also hidden connections.

    Copyright 2002-2007 LinuxLinks.com All rights reserved.