Intrusion Prevention & Detection

Network Monitoring, Intrusion Prevention Systems (IPS) & Intrusion Detection Systems (IDS).

Monitoring Tool Organization
Port Scan Broadband (DSL) Reports

IDS Tools & Network Analyzers

  • Nessus - Open Source Vulnerability Scanner
    Nessus is a free, powerful remote security scanner for Linux, BSD, Solaris, and other Unices. It is plug-in-based: each security test is written as an external plugin using NASL (Nessus Attack Scripting Language) or C. Nessus is client-server (server scanner, client frontend), has a GTK interface, can test an unlimited number of hosts, performs thorough service recognition, and runs over 1600 remote security checks against a daily updated security vulnerability database. It produces complete and exportable reports (HTML, XML, LaTeX, ASCII), and suggests solutions for the security problems it finds.
  • Snort - Open Source Network Intrusion Detection System
    Snort is a lightweight network intrusion detection system (IDS), capable of performing real-time traffic analysis and packet logging on IP networks. Open source software, by Marty Roesch. Snort can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language (to describe the traffic it should collect or pass), a detection engine with a modular plugin architecture, and a real-time alerting mechanism.
    Snort has three primary uses: It can be used as a straight packet sniffer (like tcpdump), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.
    Snort should work any place libpcap does, and is known to have been compiled successfully on the following platforms: Linux, BSD, Solaris, SunOS, HP-UX, AIX, IRIX, Tru64, MacOS X Server, Win32 (9x/NT/2000/XP).
    • Analysis Console for Intrusion Databases (ACID)
      ACID is a PHP-based analysis engine to search and process a database of incidents generated by security-related software such as IDSes and firewalls (e.g. Snort, ipchains, iptables). By Carnegie Mellon CERT.
    • SnortCenter
      Snort IDS Rule & Sensor Management. SnortCenter is a web-based client-server management system written in PHP and Perl. It helps you configure Snort and keep the signatures up to date. The Management Console builds the configuration files for you and then sends them to the remote sensor.
    • IDS Policy Manager
      IDS Policy Manager for Windows 2000/XP is a powerful way to modify the Snort configuration and rule files.
  • Wireshark
    Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is the world's most popular tool of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
    Wireshark originated from Ethereal. In May 2006, Gerald Combs (the original author of Ethereal) went to work for CACE Technologies (best known for WinPcap). Unfortunately, he had to leave the Ethereal trademarks behind. The only reasonable way to ensure the continued success of the project was to change the name. This is how Wireshark was born.
    Alternative link.
    SourceForge Project: Wireshark
    - SF Wireshark Downloads.
  • Ethereal Network Analyzer
    "Sniffing the glue that holds the Internet together".
    Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal sources and binaries for Windows, Linux, SunOS/Solaris and other Unix systems are available for download.
  • Nmap
    Nmap ("Network Mapper") is an open source utility for network exploration and security auditing. It is a stealth network port scanner for Linux/Windows/UNIX/Solaris, designed to rapidly scan large networks, although it works fine against single hosts. Nmap is free software distributed under the terms of the GNU GPL. By Insecure.Org.
    • Zenmap
      Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Formerly NMapWin.
      SourceForge Project: NMapWin. - SF NMapWin Downloads.
  • tcpdump / libpcap
    Public repository of tcpdump / libpcap. This page was started to collect the various patches that had been floating around for LBL's tcpdump and libpcap programs, and to continue the work needed on both projects.
    • WinDump: tcpdump for Windows using WinPcap
      WinDump is the Windows port of tcpdump, one of the most widely used network sniffers/analyzers for UNIX. It runs under any Win32 system (9x/Me/NT/2000/XP). WinDump uses a libpcap-compatible library for Windows, WinPcap, which is freely downloadable from the WinPcap site. WinPcap: the free industry-standard Windows packet capture library.
  • Winfingerprint
    Winfingerprint is a Win32 MFC VC++ .NET based security tool: a Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans. Using SMB, Winfingerprint can enumerate OS, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks, the security event log, and time of day in either an NT Domain or Active Directory environment. Winfingerprint-cli is a command line version of Winfingerprint and is currently bundled with each release.
    SourceForge Project: winfingerprint, open source distributed under GPL.
  • AnalogX Network Utilities
    • AnalogX PacketMon
      AnalogX PacketMon allows you to capture IP packets that pass through your network interface, whether they originated from the machine on which PacketMon is installed or from a completely different machine on your network. PacketMon is currently available for Win2000/XP only.
    • Internet Traffic Report (ITR) Client
      AnalogX ITR Client is a GUI tool that runs in the Windows system tray and gives you quick access to graphical tools for diagnosing network access problems: ping, trace route, and on-line Internet Traffic Report rates.

Log Analysis

  • Log
    This site is dedicated to pulling together a repository of useful information on log analysis for computer security. By Tina Bird and Marcus Ranum.
  • SWATCH: The Simple WATCHer of Logfiles
    Swatch is an active log file monitoring tool. Swatch started out as the "simple watchdog" for actively monitoring log files produced by UNIX's syslog facility. It has since evolved into a utility that can monitor just about any type of log.
    SWATCH is a console utility written in Perl, released under the GNU General Public License (GPL).
    SourceForge Project: Swatch.
  • OsHids
    OsHids is Open Source software that analyzes your log files and takes action if it finds something malicious. OsHids can run in "real-time" as a daemon, or you can execute it from crontab on Unix/Linux. By Open Source Security.
    SourceForge project: oshids.
    Detecting Intrusions with your Firewall Log and OsHids (PDF).
  • Logcheck
    Logcheck is a software package for Unix/Linux that is designed to run automatically and check system log files for security violations and unusual activity. Logcheck uses a program called logtail that remembers the last position it read from in a log file. Open source at SourceForge.
  • syslog-ng
    syslog-ng is a syslogd replacement, but with new functionality for the new generation. syslog-ng adds the ability to filter on message contents using regular expressions. The new configuration scheme is intuitive and powerful. Forwarding logs over TCP and remembering all forwarding hops make it ideal for firewalled environments.
    By BalaBit IT. syslog-ng Download.
    Syslog-ng FAQ.
  • NTsyslog
    Windows NT/2000/XP syslog service. This program is free software. By
    SourceForge project: NTsyslog.
  • LogWatch [In Portuguese]
    Centralized database for the analysis and management of log information, with flexible and customizable filters, queries and reports. Agents are available for several log types: firewall, IDS, OS, antivirus, web, proxy, router and switch, database server, e-mail, network services, and others.
    By 3Elos Segurança, Brasil. Commercial product, available in English and Portuguese.