If you don’t have a lot of budget at your disposal, these open-source intrusion detection tools are worth a look.
As businesses grapple with the pandemic, millions of workers are no longer working in the traditional office behind the traditional perimeter. They are working from home, accessing data and network resources using unauthorized devices, unauthorized software and unsecured WiFi.
As the name implies, an IDS monitors the network for suspicious behavior and issues alerts when such activities are discovered. An IDS can detect malware (for example trojans, backdoors and rootkits) and can also detect social engineering attacks (for example man-in-the-middle attacks and phishing) that trick users into disclosing sensitive information. It can also help detect malicious insiders.
Types of IDS
IDS can be broadly divided into two groups: signature-based and anomaly-based.
A signature-based IDS scans for known malicious signatures and issues alerts when it discovers them. Malware signatures are rapidly evolving, so signature-based IDS needs to be updated regularly with the latest signatures.
An anomaly-based IDS focuses on identifying unusual behaviors or patterns of activities. Anomaly-based IDS is good at identifying a cybercriminal that is probing the network and flags anything that might be considered abnormal, like multiple failed login attempts.
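To make the distinction concrete, here is an added example (not from this article or from any of the tools it lists) that runs a tiny signature detector and a tiny anomaly detector over constructed log lines. The rule name, regular expressions, threshold and window are assumptions chosen for illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses, not a real host).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.5 port 50000
2024-03-01T10:00:03 sshd[102]: Failed password for root from 203.0.113.5 port 50001
2024-03-01T10:00:04 sshd[103]: Failed password for admin from 203.0.113.5 port 50002
2024-03-01T10:00:06 sshd[104]: Failed password for root from 203.0.113.5 port 50003
2024-03-01T10:00:07 sshd[105]: Failed password for root from 203.0.113.5 port 50004
2024-03-01T10:05:00 sshd[106]: Accepted password for alice from 198.51.100.7 port 40000
2024-03-01T10:05:05 httpd[200]: GET /cgi-bin/view.cgi?file=../../etc/passwd from 203.0.113.9
2024-03-01T10:07:00 sshd[107]: Failed password for bob from 198.51.100.7 port 40001
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for \S+ from (?P<ip>\S+)")

# Signature-based: a hypothetical known-bad pattern, standing in for the kind
# of content match a Snort/Suricata rule expresses (not their rule syntax).
SIGNATURES = {"cgi-path-traversal": re.compile(r"/cgi-bin/\S*(?:\.\./|%2e%2e%2f)", re.I)}

def parse(log_text):
    """Yield (timestamp, message) for each log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["msg"]

def signature_alerts(log_text):
    """Signature-based IDS: alert on any line matching a known-bad pattern."""
    return [(name, msg) for _, msg in parse(log_text)
            for name, rx in SIGNATURES.items() if rx.search(msg)]

def anomaly_alerts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Anomaly-based IDS: alert when one source reaches `threshold` failed logins in a sliding `window`."""
    recent = defaultdict(deque)          # source ip -> timestamps of recent failures
    alerts = []
    for ts, msg in parse(log_text):
        m = FAILED_RE.search(msg)
        if not m:
            continue
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) == threshold:          # fire once, when the threshold is crossed
            alerts.append((m["ip"], ts))
    return alerts
```

The signature detector only ever fires on patterns it already knows, while the anomaly detector flags the brute-force burst from 203.0.113.5 without any rule describing it, and stays quiet for the single failure from 198.51.100.7.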
Top 5 open source intrusion detection systems
While most large enterprises have enterprise-grade technology in place, intrusion detection systems are also crucial for small and medium businesses to protect users, internal servers and public cloud environments. If you don’t have a lot of budget at your disposal, open-source intrusion detection tools are worth looking at.
Here are the five best open-source intrusion detection systems on the market currently:
- Snort
- Zeek
- OSSEC
- Suricata
- Security Onion
Snort is the oldest IDS and almost a de facto standard IDS in the open-source world. Even though it doesn’t have a real GUI, it offers a high level of customization, which makes it the IDS of choice for organizations. It can be used to detect a variety of attacks like buffer overflows, stealth port scans, CGI attacks, OS fingerprinting attempts, and more. The Snort community thrives on the backbone of passionate open-source developers that provide support for the software. Snort is available for Linux, Windows, Fedora, CentOS, and FreeBSD. While the interface isn’t very user-friendly, there are several applications available in the market such as Snorby, BASE, Sguil, and Anaval that can perform in-depth analysis on the data collected by Snort.
Formerly known as Bro, Zeek is a powerful network monitoring tool that focuses on general traffic analysis. It uses a domain-specific language that does not rely on traditional signatures. This means that you can design tasks for its policy engine. For example, you can configure the tool to automatically download suspicious files, send them for analysis, notify relevant authorities if anything is uncovered, blacklist the source and shut down the device that downloaded it. Zeek runs on Unix, Linux, FreeBSD, and Mac OS X and can detect suspicious signatures and anomalies. Zeek’s user community is supported by some well-known universities, supercomputing centers, research labs, and also lots of open-science communities.
OSSEC is an open-source host-based IDS that performs log analysis, file integrity monitoring, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. OSSEC runs on all major operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris and Windows. It has a client/server architecture that sends alerts and logs to a centralized server for analysis even if the host system is fully compromised. The OSSEC installer is extremely light (under 1MB), and the majority of analysis occurs on the server, making OSSEC very light on CPU usage. Another advantage of the architecture is ease of use, as the administrator can centrally manage all agents from a single server.
Suricata is a robust network threat detection engine that is capable of real-time intrusion detection, inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Even though the architecture of Suricata is different from Snort, it behaves like Snort and can use the same signatures. While Snort is single-threaded, meaning it can only use one CPU at a time, Suricata is multi-threaded, able to take advantage of all available CPUs. It also has built-in hardware acceleration technology that can leverage the power of graphics cards to inspect network traffic. Suricata has the ability to invoke Lua scripts which can be used to peer into traffic or decode malware. Suricata is available on Linux, FreeBSD, OpenBSD, macOS / Mac OS X, and Windows and has very loyal community support.
Security Onion is an open-source tool designed for threat hunting, intrusion detection, enterprise security monitoring and log management. The interesting part of this tool is that it combines the power of other security tools like Snort, Kibana, Zeek, Wazuh, CyberChef, NetworkMiner, Suricata, and Logstash. This feature makes it highly comprehensive and versatile, covering pretty much every angle of IT security. Setting up and working with multiple tools can be complicated, but Security Onion features an intuitive setup wizard that simplifies the setup process. One of the drawbacks of this tool is that some of the bundled tools have overlapping capabilities and navigating between them can be tricky.
With small businesses involved in 28% of the breaches in 2020, SMBs need to be extra vigilant in protecting their digital infrastructure and home-working employees. When resources are tight and you’re looking for an effective security solution, open source security software can certainly help keep up your defenses.