Open-source and free software packages
Automated Incident Reporting (AirCERT) is a scalable distributed system for sharing security event data among administrative domains. Using AirCERT, organizations can exchange security data ranging from raw alerts generated automatically by network intrusion detection systems (and related sensor technology), to incident reports based on the assessments of human analysts.
Bro is a Unix-based Network Intrusion Detection System (IDS). Bro monitors network traffic and detects intrusion attempts based on the traffic characteristics and content. Bro detects intrusions by comparing network traffic against rules describing events that are deemed troublesome. Bro was developed by Vern Paxson of Lawrence Berkeley National Labs and the International Computer Science Institute. Bro is also being developed at: Technical University Munich, University of Cambridge, and Princeton University.
Hogwash is an intrusion detection system (IDS)/packet scrubber. What does that mean? Hogwash can detect attacks on your network, and if you want, filter them out. Hogwash can't stop every attack (nothing can), so we shoot for getting 95% of them out of the way.
Osiris is a file integrity verification system that can be used to monitor changes to a file system over time.
OSSIM - Open Source Security Information Management is a distribution of open source products that are integrated to provide an infrastructure for security monitoring. Its objective is to provide a framework for centralizing, organizing, and improving detection and display for monitoring security events within the organization.
Prelude is a new innovative Hybrid Intrusion Detection system designed to be very modular, distributed, rock solid and fast.
Samhain is an open source file integrity and host-based intrusion detection system for Unix and Linux.
Scanmap3d is a Java program, written as a concept demonstration for visualisation of Snort network IDS data.
Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides real-time events from Snort/Barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event-driven analysis of IDS alerts.
SHADOW is the result of a project that was originally called the Cooperative Intrusion Detection Evaluation and Response (CIDER) project. It was an effort of NSWC Dahlgren, NFR, NSA, the SANS community and other interested parties to locate, document, and improve security software. The material on this page is approved for public release; distribution is unlimited. Today, SHADOW is maintained and developed by NSWC.
Shoki is a free, open source network intrusion detection system for conducting traffic analysis.
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Commercial software packages and companies
Dynamic Threat Protection is the overarching framework underlying all of Internet Security Systems' products and services. This unique approach delivers simplified, proactive protection against known and unknown attacks by combining simplified protection processes with world-leading security intelligence and technology.
IntruLock's products are an attempt to consolidate all security and monitoring tasks in one common, easy-to-use environment. They let you see what is happening in your network at a glance, get additional information, analyze, configure alerts and notifications, and execute required actions from one application. A free lite version is also available.
With NFR Security's intelligent intrusion management system, you not only detect and deter network attacks but also integrate with popular firewall providers to prevent future attacks.
Arbor's solutions are built upon the Peakflow Platform, an architecture for network-wide data collection, analysis, and anomaly-detection. Based on its measurement engine, Peakflow builds granular, dynamic graphs that display traffic and routing information, both real-time and historical, by AS, router, interface, and protocol. With Peakflow's flexible visualization capabilities and XML-based schema, you can create a variety of graphs and reports, ranging from detailed statistical analysis to management reports that facilitate communication across the organization.
Founded by the creators of Snort, the most widely deployed Intrusion Detection technology worldwide, Sourcefire has been recognized throughout the industry for enabling customers to quickly and effectively address security risks. Today, Sourcefire is redefining the network security industry by combining enhanced Snort with sophisticated proprietary technologies to offer the first ever unified security monitoring infrastructure, delivering all of the capabilities needed to proactively identify threats and defend against intruders.
En Garde's T-sight, an advanced intrusion investigation and response tool for Windows NT and Windows 2000, can assist you when an attempt at a break-in or a compromise occurs.
Tripwire Integrity Management solutions monitor changes to vital system and configuration files. Any changes that occur are compared to a snapshot of the established good baseline.
Academic software packages
alertSTAT is an intrusion detection system that uses IDMEF alerts as defined by the Intrusion Detection Working Group in RFC 2026 as input.
Objectives: To build a prototype computer security tool that will be targeted at diagnosing and recovering from network-based break-ins. Our prototype will interact with the user, analyzing the break-in and advising on recovery. The technology adopted has the ability to handle multiple methods (often with different costs) of obtaining desired information, and the ability to work around missing information. The prototype will not be an independent program, but will invoke and coordinate a suite of third-party computer security programs (COTS or public) and utility programs. A critical part of our tool will be the generation of a standardised report and an explanation of what it discovers and its path of reasoning and actions. The explanation will be produced for the user, and the report sent to an organization that collects and coordinates security incident reports from a range of sites (e.g., CERT, ASSIST).
EMERALD represents the state of the art in research and development of systems and components for anomaly and misuse detection in computer systems and networks.
LinSTAT is a host-based intrusion detection system that uses an event stream provided by a kernel auditing module as input.
logSTAT is a host-based intrusion detection system that uses UNIX syslogs as input.
Modular Intrusion Detection and Countermeasure Environment by Thomas Biege is a framework for a highly modular Intrusion Detection and Countermeasure System.
The overall objective of this research is to develop high performance data mining algorithms and tools that will provide support required to analyze the massive data sets generated by various processes that monitor computing and information systems. This research is being conducted as a part of MINDS (Minnesota Intrusion Detection System) project that is developing a suite of data mining techniques to automatically detect attacks against computer networks and systems.
NetSTAT is a network-based intrusion detection system that uses the traffic sniffed on a local network as input.
NIDES is a comprehensive intrusion-detection system that performs real-time monitoring of user activity on multiple target systems connected via Ethernet. NIDES runs on its own workstation (the NIDES host) and analyzes audit data collected from various interconnected systems, searching for activity that may indicate unusual and/or malicious user behavior. Analysis is performed using two complementary detection units: a rule-based signature analysis subsystem and a statistical profile-based anomaly-detection subsystem. The NIDES rule-base employs expert rules to characterize known intrusive activity represented in activity logs, and raises alarms as matches are identified between the observed activity logs and the rule encodings. The statistical subsystem maintains historical profiles of usage per user and raises an alarm when observed activity departs from established patterns of usage for an individual. The alarms generated by the two analysis units are screened by a resolver component, which filters and displays warnings as necessary through the NIDES host X-window interface.
USTAT is a host-based intrusion detection system that uses the audit records produced by Sun Microsystems' Solaris Basic Security Module (BSM) as input.
webSTAT is a host-based intrusion detection system that uses Apache webserver logs as input.
WinSTAT is a host-based intrusion detection system that uses Windows NT event logs as input.