We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!
This network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.
While Snort itself is free and open source, parent company SourceFire offers their VRT-certified rules for $499 per sensor per year and a complementary product line of software and appliances with more enterprise-level features. Sourcefire also offers a free 30-day delayed feed.
Read 2 reviews.
Latest release: version 22.214.171.124 on April 23, 2014 (3 months ago).
OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers are running OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.
Read 2 reviews.
Latest release: version 2.7.1 on Nov. 20, 2013 (8 months, 1 week ago).
Alienvault OSSIM stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant network/security administrators with a detailed view over each and every aspect of networks, hosts, physical access devices, and servers. OSSIM incorporates several other tools, including Nagios and OSSEC HIDS.
Read 3 reviews.
Latest release: version 4.4 on Dec. 13, 2013 (7 months, 2 weeks ago).
Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis.
Review this tool.
Latest release: version 0.7.0 on March 26, 2008 (6 years, 4 months ago).
ArcSight provides a suite of tools for SIEM—security information and event management. The best-known seems to be ArcSight Enterprise Security Manager (ESM), described as the "brain" of the SIEM platform. It is a log analyzer and correlation engine designed to sift out important network events. The ESM itself is a standalone appliance, and the management programs run on Linux, Windows, AIX, and Solaris. For open-source alternatives see OSSEC HIDS and OSSIM.
Read 1 review.
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. It is also possible to proxy services to another machine rather than simulating them. It has many library dependencies, which can make compiling/installing Honeyd difficult.
Read 1 review.
Latest release: version 1.5c on May 27, 2007 (7 years, 2 months ago).