Open Source Intrusion Detection Tools [BEGINNER’S GUIDE]

IDS Basics

If you aren’t already running network IDS, you should be. There are two types of network IDS: signature detection and anomaly detection.

In a signature-based IDS, there are rules or patterns of known malicious traffic that it is looking for. Once a match to a signature is found it generates an alert. These alerts can turn up issues such as malware, scanning activity, attacks against servers and much more.

With anomaly-based IDS, the payload of the traffic is far less important than the activity that generated it. An anomaly-based IDS tool relies on baselines rather than signatures. It will look for unusual activity that deviates from statistical averages of previous activities or activity that has been previously unseen. Perhaps a server is sending out more HTTP activity than usual or a new host has been seen inside your DMZ.

Both are typically deployed in the same manner, though you could easily build an anomaly-based IDS (and people have) on externally collected NetFlow data or similar traffic information.
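The baseline idea described above, as an added example that is not from the original post: it flags the two cases the text mentions, a server sending more HTTP than usual and a host never seen before. The addresses, counts, z-score threshold and function names are constructed assumptions, not taken from any particular IDS.

```python
from statistics import mean, stdev

# Constructed sample: outbound HTTP requests per hour, per DMZ host,
# as might be summarised from externally collected flow records.
HISTORY = {
    "10.0.1.10": [120, 135, 110, 128, 140, 125, 118, 132],
    "10.0.1.11": [40, 38, 45, 42, 39, 41, 44, 40],
}

def build_baseline(history):
    """Return {host: (mean, stdev)}; hosts with fewer than 2 samples are skipped."""
    return {h: (mean(v), stdev(v)) for h, v in history.items() if len(v) >= 2}

def detect(baseline, current, z_threshold=3.0, min_sigma=1.0):
    """Compare one interval's counts against the baseline.

    Returns a list of (host, kind, detail) tuples, ordered by host string.
    """
    alerts = []
    for host, count in sorted(current.items()):
        if host not in baseline:
            # Previously unseen activity: no statistics needed to flag it.
            alerts.append((host, "new-host", count))
            continue
        mu, sigma = baseline[host]
        # Floor sigma so a very steady host does not alert on tiny changes.
        z = (count - mu) / max(sigma, min_sigma)
        if z > z_threshold:
            alerts.append((host, "volume-spike", round(z, 1)))
    return alerts

if __name__ == "__main__":
    current_hour = {"10.0.1.10": 131, "10.0.1.11": 410, "10.0.1.99": 12}
    for alert in detect(build_baseline(HISTORY), current_hour):
        print(alert)
```

Note that nothing here inspects payloads: the first host stays quiet because 131 requests is within its normal range, while the same count on the second host would alert.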

When evaluating IDS solutions, it's important to evaluate whether you need an IDS that can monitor both your cloud and on-premises assets. Whether you need to monitor hosts or the networks connecting them to identify the latest threats, there are some great open source intrusion detection (IDS) tools available to you.


Snort

Ah, the venerable piggy that loves packets. I'm sure everyone remembers 1998 as the year a version of Windows came out, but it was also the year that Martin Roesch first released Snort. Though it wasn't really a true IDS back then, its destiny had been written. Since then it has become the de facto standard for IDS and eventually IPS (thanks to community effort!). It's important to note that Snort has no real GUI or easy-to-use administrative console. Lots of other open source tools have been created to help out, notably Snorby and others like BASE and Sguil.

  • Long product life with no signs of going away
  • Great community support
  • Plenty of administrative front-ends
  • Thoroughly proven and tested


Suricata

What's the only reason for not running Snort? If you're using Suricata instead. Though Suricata's architecture is different from Snort's, it behaves the same way as Snort and can use the same signatures. What's great about Suricata is what else it's capable of over Snort. It does so much more that it probably deserves a dedicated post of its own. Let's run down a few of its features:

Multi-Threaded - Snort runs with a single thread, meaning it can only use one CPU (core) at a time. Suricata can run many threads, so it can take advantage of all the CPUs/cores you have available.

There has been much contention over whether this is advantageous: Snort says no, and a few benchmarks say yes.

Built-in Hardware Acceleration - Did you know you can use graphics cards to inspect network traffic?

File Extraction - Someone downloading malware? You can capture it right from Suricata and study it.

LuaJIT - It's a lot of letters yes, but it's also a scripting engine that can be used with information from the packets inspected by Suricata. This makes complex matching even easier and you can even gain efficiency by combining multiple rules into one script.

Logging more than packets - Suricata can grab and log things like TLS/SSL certs, HTTP requests, DNS requests.


Bro

Bro, sometimes referred to as Bro-IDS, is a bit different from Snort and Suricata. In a way, Bro is both a signature-based and an anomaly-based IDS. Its analysis engine converts captured traffic into a series of events. An event could be a user logon to FTP, a connection to a website or practically anything. The power of the system is what comes after the event engine, and that's the Policy Script Interpreter. This policy engine has its own language (Bro-Script) and it can do some very powerful and versatile tasks.

OpenDLP

OpenDLP isn't really a HIDS, but its functionality makes it worth a mention here. This tool has one goal, and that's DLP, or Data Loss Prevention. It will scan data while it's "at rest", looking for pieces of data like credit cards or SSNs, and it can be extended with regular expressions to find data that is sensitive to your organization. OpenDLP will look for this data on file systems or even inside databases on both Windows and Linux. It can perform these scans either via an installable agent or without any software installation.

  • Not a FIM or HIDS technically, but interesting
  • Very Windows friendly
  • Looks for DLP only

