5 Open Source Intrusion Detection Tools That Are Too Good to Ignore

By Michelle Drolet

Founder & CEO

Everyone should employ an intrusion detection system (IDS) to monitor their network and flag any suspicious activity or automatically shut down potentially malicious traffic. We look at five of the best open source options.

As cybersecurity professionals, we try to prevent attackers from gaining access to our networks, but protecting perimeters that have grown exponentially with the rise of mobile devices, distributed teams, and the internet of things (IoT) is not easy. The unpalatable truth is that sometimes the attackers are going to get through, and the cost of a data breach grows the longer it takes you to uncover the attack.
By employing a solid intrusion detection system (IDS) backed up by a robust incident response plan, you can reduce the potential damage of a breach.
You’ll find that IDS is typically divided into two groups: there’s signature-based IDS, which scans for known malicious traffic patterns and alerts when it discovers them, and there’s anomaly-based IDS, which compares traffic against a baseline rather than a signature list to expose deviations from the norm.
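To make the distinction concrete, here is an added illustration (not code from the article or from any of the tools it lists) that runs a signature matcher and a baseline-deviation check over constructed connection records; the hosts, ports, counts and the "signature" string are all made up for the example.

```python
# Added illustration (not code from the article or from the tools it lists):
# the two IDS styles it contrasts, run over constructed connection records.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src: str          # source host (constructed)
    dst_port: int     # destination port
    payload: bytes    # first bytes of the payload

# Signature-based: a known-bad pattern (a constructed placeholder) keyed by rule
# name, the way an IDS rule set pairs a content match with an alert message.
SIGNATURES = {"EXAMPLE-SUSPICIOUS-STRING": b"X-TEST-MARKER"}

def signature_alerts(conns):
    """One (rule_name, src) alert per connection whose payload holds a signature."""
    return [(name, c.src) for c in conns
            for name, pat in SIGNATURES.items() if pat in c.payload]

def build_baseline(history):
    """Mean connections per source per window, over past windows (lists of Conn)."""
    totals = Counter()
    for window in history:
        totals.update(c.src for c in window)
    return {src: total / len(history) for src, total in totals.items()}

def anomaly_alerts(baseline, window, factor=3.0):
    """Anomaly-based: flag sources never seen in the baseline, and sources whose
    count in this window exceeds `factor` times their mean. No signature needed."""
    alerts = []
    for src, n in Counter(c.src for c in window).items():
        mean = baseline.get(src)
        if mean is None:
            alerts.append(("new-source", src, n))
        elif n > factor * mean:
            alerts.append(("volume-spike", src, n))
    return alerts

# Constructed sample: four quiet past windows, then one window with a signature
# hit, a volume spike from a known host, and a host never seen before.
HISTORY = [[Conn("10.0.0.5", 443, b"GET / HTTP/1.1")] * 10
           + [Conn("10.0.0.7", 443, b"GET / HTTP/1.1")] * 5 for _ in range(4)]
CURRENT_WINDOW = ([Conn("10.0.0.5", 443, b"GET / HTTP/1.1")] * 12
                  + [Conn("10.0.0.7", 22, b"X-TEST-MARKER")]
                  + [Conn("10.0.0.7", 443, b"GET / HTTP/1.1")] * 19
                  + [Conn("10.0.0.9", 445, b"")] * 40)

if __name__ == "__main__":
    print("signature:", signature_alerts(CURRENT_WINDOW))
    print("anomaly:  ", anomaly_alerts(build_baseline(HISTORY), CURRENT_WINDOW))
```

Note that the new host 10.0.0.9 is caught only by the baseline check, and the marker string only by the signature check, which is why the article recommends running both styles.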
It’s crucial to deploy IDS across your network, from internal servers to data centers to public cloud environments, if you want to safeguard your data and systems. It’s worth noting that IDS can also reveal misbehavior on the part of your employees, encompassing insider threats and plain old laziness in the form of streaming Netflix all day or chatting on Facebook Messenger.
Luckily, there are many open source intrusion detection tools that are worth checking out, and we’ve got five examples for you right here.

1. Snort

As the de-facto standard for IDS, Snort is an extremely valuable tool. This Linux utility is easy to deploy and can be configured to monitor your network traffic for intrusion attempts, log them, and take a specified action when an intrusion attempt is detected. It’s one of the most widely deployed IDS tools and it also acts as an intrusion prevention system (IPS).
Snort stretches way back to 1998 and shows no signs of fading away, with an active and very helpful community that provides great support. There’s no GUI here and it lacks an administrative console, but you can snag another open source tool like Snorby or BASE to bridge that gap. The high level of customization that Snort offers makes it a great choice for a lot of different organizations.
If you don’t want to use Snort for some reason, then Suricata is a strong alternative.

2. Bro

Powered by an analysis engine that converts traffic into a series of events, Bro can detect suspicious signatures and anomalies. You can use Bro-Script to craft tasks for the policy engine, which makes this a powerful choice for anyone aiming to automate more work. For example, this tool is capable of automatically downloading suspicious files it spots on the network, sending them for analysis, notifying relevant people if anything untoward is uncovered, blacklisting the source and shutting down the device that downloaded it.
The drawback with Bro is that there’s a steep learning curve to extract the most value out of it, and it can prove complicated to set up. However, the community is growing and providing more help by the day, and Bro is capable of detecting anomalies and patterns that other intrusion detection tools might miss.

3. Kismet

As the standard for wireless IDS, Kismet is an essential tool for most businesses. It focuses on wireless protocols, including Wi-Fi and Bluetooth, and tracks down unauthorized access points, which are all too easy for employees to create accidentally. It can detect default networks or configuration gaps and it can hop channels, but searching networks takes a long time and it needs to be within a limited range for best results.
Kismet will run on several different platforms, including Android and iOS, but Windows support is limited. There are various APIs for integrating additional tools and it offers multithreaded packet decoding for higher workloads. It recently got an all-new, web-based user interface with extended plug-in support.

4. OSSEC

Moving on to host-based IDS, or HIDS, we come to OSSEC, which is by far the most full-featured HIDS option. It’s very extensible and runs on most major operating systems, including Windows, Linux, Mac OS, Solaris and more. It has a client/server architecture which sends alerts and logs to a centralized server for analysis. That means alerts will go through even if the host system is knocked offline or fully compromised. This architecture also makes deployment a breeze because it enables central management of multiple agents.
It’s a small installer and has a very light impact on system resources once it’s up and running. It is also very customizable and can be configured to act in real-time automatically. There’s a large community around OSSEC and plenty of resources to dip into.
If the idea of a central server gives you pause, then you might consider Samhain Labs as an alternative that’s also host-based, but offers multiple output methods from the agent.

5. OpenDLP

Data Loss Prevention (DLP) is the name of the game for this tool. It’s capable of scanning your data while it’s at rest in databases or on file systems. OpenDLP will search for sensitive data relating to your organization to uncover unauthorized copying and transmission of that data. This can be great for finding malicious insiders or incompetent employees sending out data that they shouldn’t. It works well on Windows, but also supports Linux, and can be deployed via agents or as an agentless tool.

The bottom line

As you can see, there are lots of excellent, free, open source intrusion detection tools to choose from. This is by no means an exhaustive list, but these five options are a great place to start.