Monday, January 10, 2011

Seven Cool Open Source Projects for Defenders

Long-time blog readers should know that I don't rely on tools to defend my enterprise. I rely on people first, followed by tools, then processes. However, today I took a moment to consider the myriad of really cool work happening (mainly) in the open source tool community. When I started counting, I found about seven projects that are likely to help you defend your enterprise.

Most of these require some commitment of brainpower and willingness to learn, but I am nevertheless very pleased to see this much innovation on the defensive side. Collectively these projects do not "solve" any problems (nor should they), but I am certain they can help address one or more problems you may encounter -- especially regarding visibility. In other words, these are the sorts of tools (with one or two exceptions) that will help you detect and respond to intruders.

These are numbered for reference and not for priority.

  1. Charles Smutz recently announced his Ruminate IDS, whose goal is to "demonstrate the feasibility and value of flexible and scalable analysis of objects transferred through the network." Charles is also author of the Vortex project, "a near real time IDS and network surveillance engine for TCP stream data."

  2. Doug Burks just released a new version of SecurityOnion, an Ubuntu-based live CD to facilitate network security monitoring. You'll find many of the tools on this list in SO and I expect those missing will be included at some point!

  3. Over at Berkeley, development of the Bro IDS project is kicking into high gear with Seth Hall's new role as a full-time developer. We miss you Seth!

  4. OISF just released a new version of their Suricata IDS. If you're going to RSA next month, see the OISF team at their next Brainstorming Session. I plan to stop by.

  5. Dustin Webber and new team member Jason Meller just released a new version of Snorby, a Web 2.0 interface for Snort alerts. I hope to see Snorby packaged in SO soon.

  6. Edward Bjarte Fjellskål continues to release cool new code, from the packet capture system OpenFPC with Leon Ward to Polman for managing IDS rules.

  7. Sourcefire's Razorback framework seems to be making some progress again, and the relaunch of new Snort, VRT, and ClamAV blogs under new community manager Joel Esler is a welcome move.

Check these out if you have some time!

7 comments:

mr_clark said...

Anything new happening with SGUIL? It's been stuck at 0.7 for SOOOOOO VERY LONG!!

philippe said...

What about OSSEC? I really like that one personally.

Wim Remes said...

Well... to answer both mr_clark and philippe at the same time:

http://www.ossec.net/dcid/?p=113

There's a new beta agent that takes OSSEC logs from alerts.log and feeds them into Sguil.

For completeness' sake:
http://www.sguil.net/
http://www.ossec.net/

OSSEC has also been added to Security Onion.

Joel Esler said...

Thank you, Richard, for your kind comments; hopefully I am making progress.

bamm said...

Man, I've been getting beat up about this again and again. I am working on getting a new release out. Really.

David said...

On Bro: I've done a bit of hacking on it and a set of policy scripts to help with retrospective analysis. I just posted what I had in my fossil repo to chiselapp (not sure how stable they are...): http://chiselapp.com/user/potatohead/repository/NSM_Dino/index

Specifically of interest:
- Generic notes and output format: http://chiselapp.com/user/potatohead/repository/NSM_Dino/wiki?name=dvessey-misc-bro

- Easy steps to follow to run on a collection of PCAPs: http://chiselapp.com/user/potatohead/repository/NSM_Dino/wiki?name=dvessey-bro-analysis-howto

The output formats used were meant to make inserting into a SQL database easier. As I moved through development, I figured it would probably be better to split stuff up into multiple tables for sampling and then use a merge table for querying your whole dataset.

Cheers! Let me know if you find it useful!

Doug Burks said...

Richard--Thanks for mentioning Security Onion!

Wim--The OSSEC Agent for Sguil is actually not new; it has been around since 2007. It's still in "beta", but seems to perform properly.

All--If you have any questions or suggestions for Security Onion, please let me know.

Thanks,
Doug Burks
http://securityonion.blogspot.com