The Best Open Source
Network Intrusion Detection Tools
In today’s world, data breaches, threats, attacks and intrusions are becoming highly sophisticated. Cyber criminals and hackers come up with new methods of gaining access to business and home networks, making a multi-tiered approach to network security an urgent necessity. An Intrusion Detection System (IDS) is, therefore, the most important tool to be deployed to defend the network against the high tech attacks that emerge daily. An IDS, which is a network security tool, is built to detect vulnerability exploits against a target application or computer. It is regarded as a high-end network device or software application that assists the network or systems administrators in monitoring the network or system for all sorts of malicious activities or threats. Any unusual activity is reported to the administrator using a security information and event management (SIEM) system.
There are a wide variety of IDSs available, ranging from antivirus to hierarchical systems, which monitor network traffic. The most common ones are listed below.
NIDS: Network intrusion detection systems are placed at highly strategic points within the network to monitor inbound and outbound traffic from all devices in the network. But scanning all traffic could lead to the creation of bottlenecks, which impacts the overall speed of the network.
HIDS: Host intrusion detection systems run on separate machines or devices in the network, and provide safeguards to the overall network against threats coming from the outside world.
Signature based IDS: Signature based IDS systems monitor all the packets in the network and compare them against the database of signatures, which are preconfigured and pre-determined attack patterns. They work similar to antivirus software.
Anomaly based IDS: This IDS monitors network traffic and compares it against an established baseline. The baseline determines what is considered normal for the network in terms of bandwidth, protocols, ports and other devices, and the IDS alerts the administrator against all sorts of unusual activity.
Passive IDS: This IDS system does the simple job of detection and alerting. It just alerts the administrator for any kind of threat and blocks the concerned activity as a preventive measure.
Reactive IDS: This detects malicious activity, alerts the administrator of the threats and also responds to those threats.
Numerous open source tools are available for enterprise networks, depending on the level of sophistication and security desired. In order to make the network highly secure, an IDS/IPS system should detect all sorts of suspicious activities coming to/from hosts in the network, and should take combative measures to prevent the attack.
Top 8 open source network intrusion detection tools
Here is a list of the top 8 open source network intrusion detection tools with a brief description of each.
Snort
Snort is a free and open source network intrusion detection and prevention tool. It was created by Martin Roesch in 1998. The main advantage of using Snort is its capability to perform real-time traffic analysis and packet logging on networks. With the functionality of protocol analysis, content searching and various pre-processors, Snort is widely accepted as a tool for detecting varied worms, exploits, port scanning and other malicious threats. It can be configured in three main modes -- sniffer, packet logger and network intrusion detection. In sniffer mode, the program will just read packets and display the information on the console. In packet logger mode, the packets will be logged on the disk. In intrusion detection mode, the program will monitor real-time traffic and compare it with the rules defined by the user.
Snort can detect varied attacks like a buffer overflow, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc. It is supported on a number of hardware platforms and operating systems like Linux, OpenBSD, FreeBSD, Solaris, HP-UX, MacOS, Windows, etc.
Pros:
Free to download and is open source.
Easy to write rules for intrusion detection.
Highly flexible and dynamic in terms of live deployments. Good community support for solving problems and is under rapid development.
Cons:
No GUI interface for rule manipulation.
Somewhat slow in processing network packets.
Cannot detect a signature split over multiple TCP packets, which occurs when packets are configured in inline mode.
Latest version: 2.9.9.0
Official website: www.snort.org
Security Onion
Security Onion is a Linux distribution for intrusion detection, network security monitoring and log management. The open source distribution is based on Ubuntu and comprises lots of IDS tools like Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many others. Security Onion provides high visibility and context to network traffic, alerts and suspicious activities. But it requires proper management by the systems administrator to review alerts, monitor network activity and to regularly update the IDS based detection rules.
Security Onion has three core functions:
Full packet capture
Network based and host based intrusion detection systems Powerful analysis tools
Full packet capture: This is done using netsnifff-ng, which captures all network traffic that Security Onion can see, and stores as much as your storage solution can hold. It is like a real-time camera for networks, and provides all the evidence of the threats and malicious activities happening over the network.
Network-based and host-based IDS: It analyses the network or host systems, and provides log and alert data for detected events and activity. Security Onion has varied IDS options like rule-driven IDS, analysis-driven IDS, HIDS, etc.
Analysis tools: In addition to network data capture, Security Onion comprises various tools like Sguil, Squert, ELSA, etc, for assisting administrators in analysis.
Security Onion also provides diverse ways for the live deployment of regular standalone, server-sensor and hybrid monitoring tools.
Pros:
Provides a highly flexible environment for users to tune up network security as per the requirements.
Consists of pre-installed sensor management tools, traffic analysers and packet sniffers, and can be operated without any additional IDS/IPS software.
Has regular updates to improve security levels.
Cons:
Doesn’t work as an IPS after installation, but only as an IDS, and the user cannot find any instructions regarding this on the website.
Doesn’t support Wi-Fi for managing the network. Additional requirement for admins to learn various tools to make efficient use of the Security Onion distribution. No automatic backups of configuration files except rules; so usage of third party software is required for this activity.
Latest version: 14.04.5.1
Official website: https://securityonion.net/
OpenWIPS-NG
OpenWIPS-NG is a free wireless intrusion detection and prevention system that relies on sensors, servers and
interfaces. It basically runs on commodity hardware. It was developed by Thomas d’Otrepe de Bouvette, the creator of Aircrack software. OpenWIPS uses many functions and services built into Aircrack-NG for scanning, detection and intrusion prevention.
The three main parts of OpenWIPS-NG are listed below. Sensor: Acts as a device for capturing wireless traffic and sending the data back to the server for further analysis. The sensor also plays an important role in responding to all sorts of network attacks.
Server: Performs the role of aggregation of data from all sensors, analyses the data and responds to attacks. Additionally, it logs any type of attack and alerts the administrator.
Interface: The GUI manages the server and displays the information regarding all sorts of threats against the network.
Pros
Modular and plugin based.
Software and hardware required can be built by DIYers. Additional features are supported via use of plugins.
Cons
Only works for wireless networks.
Only suitable for low and medium level administration, and not fully compliant for detecting all sorts of wireless attacks.
No detailed documentation and community support compared to other systems.
Latest version: OpenWIPS-NG 0.1 beta 1 Official website: http://www.openwips-ng.org/
Suricata
Suricata is an open source, fast and highly robust network intrusion detection system developed by the Open
Information Security Foundation. The Suricata engine is capable of real-time intrusion detection, inline intrusion prevention and network security monitoring. Suricata consists of a few modules like Capturing, Collection, Decoding, Detection and Output. It captures traffic passing in one flow before decoding, which is highly optimal. But unlike Snort, it configures separate flows after capturing and specifying how the flow will separate between processors.
Pros:
Does the network traffic processing on the seventh layer of the OSI model which, in turn, enhances its capability to detect malware activities.
Automatically detects and parses protocols like IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB and FTP so that rules apply on all protocols.
Advanced features consist of multi-threading and GPU acceleration. Cons:
Less support as compared to other IDSs like Snort. Complicated in operation and requires more system resources for full-fledged functioning.
Latest version: 3.2
Official website: https://suricata-ids.org
BroIDS
BroIDS is a passive, open source network traffic analyser developed by Vern Paxson, and is used for collecting network measurements, conducting forensic investigations, traffic base lining and much more. BroIDS comprises a set of log files to record network activities like HTTP sessions with URIs, key headers, MIME types, server responses, DNS requests, SSL certificates, SMTP sessions, etc. In addition, it provides sophisticated functionality for the analysis and detection of threats, extracting files from HTTP sessions, sophisticated malware detection, software vulnerabilities, SSH brute force attacks and validating SSL certificate chains.
BroIDS is divided into the following two layers.
Bro Event Engine: This does the task of analysing live or recorded network traffic packs using C++ to generate events when something unusual happens on the network.
Bro Policy Scripts: These analyse events to create policies for action, and events are handled using policy scripts such as sending emails, raising alerts, executing system commands and even calling emergency numbers.
Latest version: Bro 2.5 Official website: www.bro.org
Pros:
Highly flexible as BroIDS uses a scripting language to allow users to set monitoring rules for each protected object.
Works efficiently in networks with large volumes of traffic and handles big network projects.
Capable of in-depth analysis of traffic and supports analysers for multiple protocols. Highly stateful and does forensic level comprehensive log maintenance.
Cons:
Not easy to handle as it has a complex architecture. Programming experience is required for competent handling of the BroIDS system.
OSSEC
OSSEC is a free and open source host based IDS that performs varied tasks like log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. The OSSEC system is equipped with a centralised and cross-platform architecture allowing multiple systems to be accurately monitored by administrators.
The OSSEC system comprises the following three main components.
Main application: This is a prime requirement for installations; OSSEC is supported by Linux, Windows, Solaris and Mac environments.
Windows agent: This is only required when OSSEC is to be installed on Windows based computers/clients as well as servers.
Web interface: Web based GUI application for defining rules and network monitoring.
Pros:
Multi-platform IDS system providing real-time and configurable alerts.
Centralised management, with agent and agentless monitoring.
Can be used both in serverless and server-agent mode.
Cons:
Upgrade process overwrites existing rules with out-of-thebox rules.
Pre-sharing keys can be troublesome.
Windows OS is only supported in server-agent mode.
Latest version: 2.8.3
Official website: http://ossec.github.io/
Open Source Tripwire
Open Source Tripwire is a host based intrusion detection system focusing on detecting changes in file system objects. On the first initialisation, Tripwire scans the file system as instructed by the systems administrator and stores the information of each file in a database. When files are changed and on future scans, the results are compared with the stored values and changes are reported to users.
Tripwire makes use of cryptographic hashes to detect changes in files. In addition to scanning file changes, it is used for integrity assurance, change management and policy compliance.
Pros:
Excellent for small, decentralised Linux systems. Good integration with Linux.
Cons:
Only runs on Linux.
Requires the user to be a Linux expert.
Advanced features are not available in open source versions.
No real-time alerts.
Latest version: 2.4.3.1
Official website: https://github.com/Tripwire/tripwireopen-source
AIDE
AIDE (Advanced Intrusion Detection Environment) was developed by Rami Lehti and Pablo Virolainen. It is regarded as one of the most powerful tools for monitoring changes to UNIX or Linux systems. AIDE creates a database via regular expression rules that it finds from the config files. On initialising the database, it is used to verify the integrity of files.
Some of the most powerful features of AIDE are as follows:
Supports all kinds of message digest algorithms like MD5, SHA1, RMD160, TIGER, SHA256 and SHA512. Supports POSIX ACL, SELinux, XAttra and Extended File System.
Powerful regular expression support to include or exclude files and directories for monitoring.
Supports various operating system platforms like Linux, Solaris, Mac OS X, UNIX, BSD, HP-UX, etc.
Pros:
Real-time detection and elimination of the attacker to restore file or directory properties.
Anomaly detection to reduce the false rate of file system monitors.
Supports a wide range of encryption algorithms.
Cons:
No GUI interface.
Requires careful configuration for effective detection and prevention.
Doesn’t deal properly with long file names for smooth detection.
Latest version: 0.16
Official website: http://aide.sourceforge.net/
References
[1] www.snort.org [2] https://securityonion.net/ [3] http://www.openwips-ng.org/ [4] https://suricata-ids.org [5] www.bro.org [6] http://ossec.github.io/ [7] https://github.com/Tripwire/tripwire-open-source [8] http://aide.sourceforge.net/