Bait and Switch Honeypot System
A multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense. To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system.
Bro is a Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.
check-ps detects rootkits by detecting falsified output and similar anomalies. The ps check should work on anything with /proc; the (currently incomplete) netstat check is more Linux-specific.
devialog is a behavior/anomaly-based syslog intrusion detection system which detects unknown attacks via anomalies in syslog. It can generate signatures for ease of management, act upon anomalies in a predefined fashion or perform as a standard log parser.
EasyIDS is an easy-to-install intrusion detection system based upon Snort. EasyIDS is designed for the network security beginner. EasyIDS includes CentOS Linux, Snort, MySQL, BASE, ntop, oinkmaster, and more.
FCheck is an open source Perl script providing intrusion detection and policy enforcement of Windows 95/98/NT/3.x and Unix server administration through the use of comparative system snapshots.
File System Saint
File System Saint is a lightweight host-based intrusion detection system with primary focus on speed and ease of use.
Firestorm is a very lightweight and flexible base for a hierarchical NIDS. It aims to be very fast and to support many open protocols and formats.
FirstLight IPS is an intrusion prevention system designed to control the flow of packets actively. The filter can operate in an intrusion detection mode both inline and passively, besides acting as an IPS. Rules can be individually assigned to block, alarm, or both. The installation creates a bridge across two interfaces. The management and configuration occur with a GTK interface on the system, or connected via a third NIC using xterm. It can import Snort-formatted rules besides its own XML format.
fupids2 is a child of the FUPIDS (Fuzzy Userprofile Intrusion Detection System) project and based on its idea. fupids2 calculates an attacker level for every user on all Linux/BSD (and hopefully other Unix) systems in your network. fupids2 not only uses the tool-using behavior of every user, as FUPIDS did, it also knows about the buildings and rooms a user normally uses.
fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.
HLBR - The invisible IPS
HLBR is an IPS (Intrusion Prevention System) that works directly at layer 2 of the OSI model (so it is invisible at layer 3, IP). It is an alternative for anyone who needs to integrate an IPS with their firewall system. It is able to analyse the contents of passing packets and block attacks.
Integrity Checking Utility is a Perl program used for executing AIDE filesystem integrity checks on remote hosts from an ICU server and sending reports via email.
IDABench is a pluggable framework for intrusion analysis built upon the Naval Surface Warfare Center, Dahlgren Division's SHADOW versions 1.7 and 1.8. IDABench is not intended to be an intrusion detection system, although it can be used as such.
ImSafe is a host-based intrusion detection tool for Linux. It performs anomaly detection at the process level and tries to detect various types of attacks. What is great about ImSafe is that the system doesn't know anything about the attacks and thus can detect unknown, unpublished attacks or any other form of malicious use of the monitored application. It performs quite well when monitoring usual services like an FTP server, telnet daemon, etc.
(commercial) Industrial Defender is a complete integrated multi-layer security solution based on SE Linux which is designed to protect mission-critical control system environments. It provides perimeter protection, NIDS, HIDS, control application security monitoring, performance monitoring and rogue device detection in a manner that accommodates and leverages the unique characteristics of control system environments.
krd is a rootkit detection utility which scans /proc/kcore for interesting data. Suspicious programs (sk, adore, etc.) and worms/backdoors/viruses are detected even if running silently in your kernel. For instance, the ASCII string OSF indicates the ELF infector GMON.A is present.
LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in such a way that the machine at the other end gets "stuck", sometimes for a very long time.
Linux IDS Patch (lids) is an intrusion detection system implemented in the Linux kernel.
Login Anomaly Detection System
Login Anomaly Detection System detects anomalies in logins and logouts and is able to perform various actions in response.
Nabou Advanced Host Intrusion Detection System
Nabou Advanced Host Intrusion Detection System stores the properties for each file in a dbm database and will warn you if something has been changed on a file. The most important property to check is the MD5 checksum.
Nebula Intrusion Signature Generator
Nebula is a data analysis tool that automatically generates intrusion signatures from attack traces. It runs as a daemon that processes data submitted from honeypots. New signatures are published as Snort rules and can be used to defend a network from future intrusion attempts.
Nift is a graphical front-end (written in gtk+) for footprinting tools and methods already freely available.
nipper processes network device configuration files, performs a security audit and outputs a security report with recommendations and a configuration report. nipper currently supports Cisco IOS, PIX, ASA, FWSM, NMP, CatOS and Juniper NetScreen devices.
nLive Core is a tool that checks network traffic for anomalous applications, hosts, and users. It combines machine learning and anomaly detection technologies and provides comprehensive visibility into the network interior packet traffic. Coupled with extensive reporting capabilities, it is a single solution that secures the network and enables the meeting of compliance requirements.
NullBound Malware Prevention System is an enterprise level anti-spyware application that operates at the network level. The system can support up to thousands of end-user computers per single installation. It also operates passively on the network allowing for a seamless integration and no network degradation.
OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder and buffering system. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.
OSSEC HIDS is an open-source host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. All this information is correlated and analyzed by a single engine, creating a very powerful detection tool.
Polman is an advanced Policy-Manager for IPS/IDS Sensors.
Prelude is a hybrid IDS framework, that is, a product that enables every available security application, whether open source or proprietary, to report to a centralized system. To achieve this, Prelude relies on the IDMEF (Intrusion Detection Message Exchange Format) IETF standard, which enables different kinds of sensors to generate events using a unified language.
pyHIDS is a simple HIDS (host-based intrusion detection system) for verifying the integrity of a system. It uses an RSA signature to check the integrity of its database. Alerts are written in the logs of the system and can be sent via email to a list of users.
Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.
The Realeyes IDS captures and analyzes full sessions. When an incident is reported, the graphical user interface will display both halves of the session to determine what occurred. The GUI also provides management of application users, sensors, and a database. Realeyes is a replacement for the RenaissanceCore software.
Remote Access Session
Remote Access Session is a security tool to analyze the integrity of systems. The program tries to gain access to a system using the most advanced techniques of remote intrusion.
Ruminate is a platform for analyzing data transferred through the network. Ruminate focuses on scalability, flexibility, and the ability to perform arbitrary actions on objects transferred through the network.
sectool is a security tool for RPM-based distributions. It can be used for security auditing and intrusion detection. Its goal is to catch mistakes made by admins or point out things they were not aware of. It checks system configuration and suspicious settings. It is easily extensible with language-independent tests.
Sguil (pronounced sgweel) is an analyst console for network security monitoring.
System iNtrusion Analysis and Reporting Environment
Snort Report is an add-on module for the Snort Intrusion Detection System. It provides realtime reporting from the MySQL database generated by Snort. It requires a platform with MySQL 3.23, PHP 4.0, and Snort 1.8. It has been tested on Redhat 6.2, 7.0, 7.1, and OpenBSD 2.9.
snort_inline is basically a modified version of Snort that accepts packets from iptables and IPFW via libipq instead of libpcap.
Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors.
sXid is an all in one suid/sgid monitoring program designed to be run from cron on a regular basis. Basically it tracks any changes in your s[ug]id files and folders.
System Integrity Checker
SIC stands for System Integrity Checker. You can use it to make sure that no unauthorized changes have been made to your computer systems.
tcpreplay is a suite of tools to edit and replay captured network traffic.
Tiger is a security tool designed to perform audits of UNIX systems. It is useful as a security check tool and as a host intrusion detection tool.
(commercial) Tripwire is a system integrity checker and a utility that compares properties of designated files and directories against information stored in a previously generated database.
Trusion is intended to be a cross-platform physical intrusion detection system that uses your webcam to detect movement.
ViperDB is a file checker somewhat similar to Tripwire, but based on different assumptions. It only reports if a change is found and therefore can be run every couple of minutes.
VXE (Virtual eXecuting Environment) is an Intrusion Prevention System (IPS). It protects UNIX servers from intruders, attacks from the network and so on. It protects software subsystems such as SMTP, POP, HTTP and any other subsystem already installed on the server.
WormTrack is a network IDS that allows detection of scanning worms on a LAN by monitoring anomalous ARP traffic.