Seven Cool Open Source Projects for Defenders
Most of these require some commitment of brainpower and willingness to learn, but I am nevertheless very pleased to see this much innovation on the defensive side. Collectively these projects do not "solve" any problems (nor should they), but I am certain they can help address one or more problems you may encounter -- especially regarding visibility. In other words, these are the sorts of tools (with one or two exceptions) that will help you detect and respond to intruders.
These are numbered for reference and not for priority.
- Charles Smutz recently announced his Ruminate IDS, whose goal is to "demonstrate the feasibility and value of flexible and scalable analysis of objects transferred through the network." Charles is also author of the Vortex project, "a near real time IDS and network surveillance engine for TCP stream data."
- Doug Burks just released a new version of SecurityOnion, an Ubuntu-based live CD to facilitate network security monitoring. You'll find many of the tools on this list in SO and I expect those missing will be included at some point!
- Over at Berkeley, development of the Bro IDS project is kicking into high gear with Seth Hall's new role as a full-time developer. We miss you Seth!
- OISF just released a new version of their Suricata IDS. If you're going to RSA next month, see the OISF team at their next Brainstorming Session. I plan to stop by.
- Dustin Webber and new team member Jason Meller just released a new version of Snorby, a Web 2.0 interface for Snort alerts. I hope to see Snorby packaged in SO soon.
- Edward Bjarte Fjellskål continues to release cool new code, from the packet capture system OpenFPC with Leon Ward to Polman for managing IDS rules.
- Sourcefire's Razorback framework seems to be making some progress again, and the relaunch of new Snort, VRT, and ClamAV blogs under new community manager Joel Esler is a welcome move.
Check these out if you have some time!
Comments
http://www.ossec.net/dcid/?p=113
There's a new beta agent that takes OSSEC logs from alerts.log and feeds them into Sguil.
For completeness' sake:
http://www.sguil.net/
http://www.ossec.net/
OSSEC has also been added to Security Onion.
Specifically of interest:
- Generic notes and output format: http://chiselapp.com/user/potatohead/repository/NSM_Dino/wiki?name=dvessey-misc-bro
- Easy steps to follow to run on a collection of PCAPs: http://chiselapp.com/user/potatohead/repository/NSM_Dino/wiki?name=dvessey-bro-analysis-howto
The output formats used were meant to make inserting into a SQL database easier. As I moved through development, I figured it would probably be better to split stuff up into multiple tables for sampling, then use a merge table for querying your whole dataset.
Cheers! Let me know if you find it useful!
Wim--The OSSEC Agent for Sguil is actually not new; it has been around since 2007. It's still in "beta", but seems to perform properly.
All--If you have any questions or suggestions for Security Onion, please let me know.
Thanks,
Doug Burks
http://securityonion.blogspot.com