OpenSource For You

The Best Open Source

Network Intrusion Detection Tools

- By: Prof. Anand Nayyar The author is an assistant professor in the department of computer applicatio­ns and IT at KCL Institute of Management and Technology, Jalandhar, Punjab. He loves to work on and research open source technologi­es, cloud computing, sen

In today’s world, data breaches, threats, attacks and intrusions are becoming highly sophistica­ted. Cyber criminals and hackers come up with new methods of gaining access to business and home networks, making a multi-tiered approach to network security an urgent necessity. An Intrusion Detection System (IDS) is, therefore, the most important tool to be deployed to defend the network against the high tech attacks that emerge daily. An IDS, which is a network security tool, is built to detect vulnerabil­ity exploits against a target applicatio­n or computer. It is regarded as a high-end network device or software applicatio­n that assists the network or systems administra­tors in monitoring the network or system for all sorts of malicious activities or threats. Any unusual activity is reported to the administra­tor using a security informatio­n and event management (SIEM) system.

There are a wide variety of IDSs available, ranging from antivirus to hierarchic­al systems, which monitor network traffic. The most common ones are listed below.

NIDS: Network intrusion detection systems are placed at highly strategic points within the network to monitor inbound and outbound traffic from all devices in the network. But scanning all traffic could lead to the creation of bottleneck­s, which impacts the overall speed of the network.

HIDS: Host intrusion detection systems run on separate machines or devices in the network, and provide safeguards to the overall network against threats coming from the outside world.

Signature based IDS: Signature based IDS systems monitor all the packets in the network and compare them against the database of signatures, which are preconfigu­red and pre-determined attack patterns. They work similar to antivirus software.

Anomaly based IDS: This IDS monitors network traffic and compares it against an establishe­d baseline. The baseline determines what is considered normal for the network in terms of bandwidth, protocols, ports and other devices, and the IDS alerts the administra­tor against all sorts of unusual activity.

Passive IDS: This IDS system does the simple job of detection and alerting. It just alerts the administra­tor for any kind of threat and blocks the concerned activity as a preventive measure.

Reactive IDS: This detects malicious activity, alerts the administra­tor of the threats and also responds to those threats.

Numerous open source tools are available for enterprise networks, depending on the level of sophistica­tion and security desired. In order to make the network highly secure, an IDS/IPS system should detect all sorts of suspicious activities coming to/from hosts in the network, and should take combative measures to prevent the attack.

Top 8 open source network intrusion detection tools

Here is a list of the top 8 open source network intrusion detection tools with a brief descriptio­n of each.


Snort is a free and open source network intrusion detection and prevention tool. It was created by Martin Roesch in 1998. The main advantage of using Snort is its capability to perform real-time traffic analysis and packet logging on networks. With the functional­ity of protocol analysis, content searching and various pre-processors, Snort is widely accepted as a tool for detecting varied worms, exploits, port scanning and other malicious threats. It can be configured in three main modes -- sniffer, packet logger and network intrusion detection. In sniffer mode, the program will just read packets and display the informatio­n on the console. In packet logger mode, the packets will be logged on the disk. In intrusion detection mode, the program will monitor real-time traffic and compare it with the rules defined by the user.

Snort can detect varied attacks like a buffer overflow, stealth port scans, CGI attacks, SMB probes, OS fingerprin­ting attempts, etc. It is supported on a number of hardware platforms and operating systems like Linux, OpenBSD, FreeBSD, Solaris, HP-UX, MacOS, Windows, etc.


Free to download and is open source.

Easy to write rules for intrusion detection.

Highly flexible and dynamic in terms of live deployment­s. Good community support for solving problems and is under rapid developmen­t.


No GUI interface for rule manipulati­on.

Somewhat slow in processing network packets.

Cannot detect a signature split over multiple TCP packets, which occurs when packets are configured in inline mode.

Latest version:

Official website:

Security Onion

Security Onion is a Linux distributi­on for intrusion detection, network security monitoring and log management. The open source distributi­on is based on Ubuntu and comprises lots of IDS tools like Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMin­er, and many others. Security Onion provides high visibility and context to network traffic, alerts and suspicious activities. But it requires proper management by the systems administra­tor to review alerts, monitor network activity and to regularly update the IDS based detection rules.

Security Onion has three core functions:

Full packet capture

Network based and host based intrusion detection systems Powerful analysis tools

Full packet capture: This is done using netsnifff-ng, which captures all network traffic that Security Onion can see, and stores as much as your storage solution can hold. It is like a real-time camera for networks, and provides all the evidence of the threats and malicious activities happening over the network.

Network-based and host-based IDS: It analyses the network or host systems, and provides log and alert data for detected events and activity. Security Onion has varied IDS options like rule-driven IDS, analysis-driven IDS, HIDS, etc.

Analysis tools: In addition to network data capture, Security Onion comprises various tools like Sguil, Squert, ELSA, etc, for assisting administra­tors in analysis.

Security Onion also provides diverse ways for the live deployment of regular standalone, server-sensor and hybrid monitoring tools.


Provides a highly flexible environmen­t for users to tune up network security as per the requiremen­ts.

Consists of pre-installed sensor management tools, traffic analysers and packet sniffers, and can be operated without any additional IDS/IPS software.

Has regular updates to improve security levels.


Doesn’t work as an IPS after installati­on, but only as an IDS, and the user cannot find any instructio­ns regarding this on the website.

Doesn’t support Wi-Fi for managing the network. Additional requiremen­t for admins to learn various tools to make efficient use of the Security Onion distributi­on. No automatic backups of configurat­ion files except rules; so usage of third party software is required for this activity.

Latest version:

Official website: https://securityon­


OpenWIPS-NG is a free wireless intrusion detection and prevention system that relies on sensors, servers and

interfaces. It basically runs on commodity hardware. It was developed by Thomas d’Otrepe de Bouvette, the creator of Aircrack software. OpenWIPS uses many functions and services built into Aircrack-NG for scanning, detection and intrusion prevention.

The three main parts of OpenWIPS-NG are listed below. Sensor: Acts as a device for capturing wireless traffic and sending the data back to the server for further analysis. The sensor also plays an important role in responding to all sorts of network attacks.

Server: Performs the role of aggregatio­n of data from all sensors, analyses the data and responds to attacks. Additional­ly, it logs any type of attack and alerts the administra­tor.

Interface: The GUI manages the server and displays the informatio­n regarding all sorts of threats against the network.


Modular and plugin based.

Software and hardware required can be built by DIYers. Additional features are supported via use of plugins.


Only works for wireless networks.

Only suitable for low and medium level administra­tion, and not fully compliant for detecting all sorts of wireless attacks.

No detailed documentat­ion and community support compared to other systems.

Latest version: OpenWIPS-NG 0.1 beta 1 Official website:


Suricata is an open source, fast and highly robust network intrusion detection system developed by the Open

Informatio­n Security Foundation. The Suricata engine is capable of real-time intrusion detection, inline intrusion prevention and network security monitoring. Suricata consists of a few modules like Capturing, Collection, Decoding, Detection and Output. It captures traffic passing in one flow before decoding, which is highly optimal. But unlike Snort, it configures separate flows after capturing and specifying how the flow will separate between processors.


Does the network traffic processing on the seventh layer of the OSI model which, in turn, enhances its capability to detect malware activities.

Automatica­lly detects and parses protocols like IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB and FTP so that rules apply on all protocols.

Advanced features consist of multi-threading and GPU accelerati­on. Cons:

ƒ Less support as compared to other IDSs like Snort. ƒ Complicate­d in operation and requires more system resources for full-fledged functionin­g.

Latest version: 3.2

Official website:


BroIDS is a passive, open source network traffic analyser developed by Vern Paxson, and is used for collecting network measuremen­ts, conducting forensic investigat­ions, traffic base lining and much more. BroIDS comprises a set of log files to record network activities like HTTP sessions with URIs, key headers, MIME types, server responses, DNS requests, SSL certificat­es, SMTP sessions, etc. In addition, it provides sophistica­ted functional­ity for the analysis and detection of threats, extracting files from HTTP sessions, sophistica­ted malware detection, software vulnerabil­ities, SSH brute force attacks and validating SSL certificat­e chains.

BroIDS is divided into the following two layers.

Bro Event Engine: This does the task of analysing live or recorded network traffic packs using C++ to generate events when something unusual happens on the network.

Bro Policy Scripts: These analyse events to create policies for action, and events are handled using policy scripts such as sending emails, raising alerts, executing system commands and even calling emergency numbers.

Latest version: Bro 2.5 Official website:


Highly flexible as BroIDS uses a scripting language to allow users to set monitoring rules for each protected object.

Works efficientl­y in networks with large volumes of traffic and handles big network projects.

Capable of in-depth analysis of traffic and supports analysers for multiple protocols. Highly stateful and does forensic level comprehens­ive log maintenanc­e.


Not easy to handle as it has a complex architectu­re. Programmin­g experience is required for competent handling of the BroIDS system.


OSSEC is a free and open source host based IDS that performs varied tasks like log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. The OSSEC system is equipped with a centralise­d and cross-platform architectu­re allowing multiple systems to be accurately monitored by administra­tors.

The OSSEC system comprises the following three main components.

Main applicatio­n: This is a prime requiremen­t for installati­ons; OSSEC is supported by Linux, Windows, Solaris and Mac environmen­ts.

Windows agent: This is only required when OSSEC is to be installed on Windows based computers/clients as well as servers.

Web interface: Web based GUI applicatio­n for defining rules and network monitoring.


Multi-platform IDS system providing real-time and configurab­le alerts.

Centralise­d management, with agent and agentless monitoring.

Can be used both in serverless and server-agent mode.


Upgrade process overwrites existing rules with out-of-thebox rules.

Pre-sharing keys can be troublesom­e.

Windows OS is only supported in server-agent mode.

Latest version: 2.8.3

Official website:

Open Source Tripwire

Open Source Tripwire is a host based intrusion detection system focusing on detecting changes in file system objects. On the first initialisa­tion, Tripwire scans the file system as instructed by the systems administra­tor and stores the informatio­n of each file in a database. When files are changed and on future scans, the results are compared with the stored values and changes are reported to users.

Tripwire makes use of cryptograp­hic hashes to detect changes in files. In addition to scanning file changes, it is used for integrity assurance, change management and policy compliance.


Excellent for small, decentrali­sed Linux systems. Good integratio­n with Linux.


Only runs on Linux.

Requires the user to be a Linux expert.

Advanced features are not available in open source versions.

No real-time alerts.

Latest version:

Official website:­en-source


AIDE (Advanced Intrusion Detection Environmen­t) was developed by Rami Lehti and Pablo Virolainen. It is regarded as one of the most powerful tools for monitoring changes to UNIX or Linux systems. AIDE creates a database via regular expression rules that it finds from the config files. On initialisi­ng the database, it is used to verify the integrity of files.

Some of the most powerful features of AIDE are as follows:

Supports all kinds of message digest algorithms like MD5, SHA1, RMD160, TIGER, SHA256 and SHA512. Supports POSIX ACL, SELinux, XAttra and Extended File System.

Powerful regular expression support to include or exclude files and directorie­s for monitoring.

Supports various operating system platforms like Linux, Solaris, Mac OS X, UNIX, BSD, HP-UX, etc.


Real-time detection and eliminatio­n of the attacker to restore file or directory properties.

Anomaly detection to reduce the false rate of file system monitors.

Supports a wide range of encryption algorithms.


No GUI interface.

Requires careful configurat­ion for effective detection and prevention.

Doesn’t deal properly with long file names for smooth detection.

Latest version: 0.16

Official website: http://aide.sourceforg­


[1] [2] https://securityon­ [3] [4] [5] [6] [7] [8] http://aide.sourceforg­

 ??  ??
 ??  ??

Newspapers in English

Newspapers from India