List of Open Source Security Tools
As a founder of a security company, I’m constantly looking for open source tools to either incorporate in our offering, or get inspiration from, or provide integration with. And there are dozens of great open source security tools, so I decided to publish a list of them. This plethora of options is one of the reasons that security is so hard – there are many different ways to achieve something and it almost always involves headaches with configuring and connecting various “point solutions” (as marketers call them). So here’s the list in no apparent order (note that I’ve listed only defensive tools; offensive ones like metasploit, nmap, wireshark, etc. probably deserve a separate post):
Security monitoring, intrusion detection/prevention
- Suricata – intrusion detection system
- Snort – intrusion detection system
- Zeek – network security monitoring
- OSSEC – host-based intrusion detection system
- Wazuh – a more active fork of OSSEC
- Velociraptor – endpoint visibility and response
- OSSIM – open source SIEM, at the core of AlienVault
- SecurityOnion – security monitoring and log management
- Elastic SIEM – SIEM functionality by Elasticsearch
- Mozdef – SIEM-like layer on top of Elasticsearch
- Sagan – log analytics and correlation
- Apache Metron – (retired) network security monitoring, evolved from Cisco OpenSOC
- Arkime – packet capture and search tool (formerly Moloch)
- PRADS – real-time asset detection
- BloodHound – ActiveDirectory relationship detection
Threat intelligence
- MISP – threat intelligence platform
- SpiderFoot – threat intelligence aggregation
- OpenCTI – threat intelligence platform
- OpenDXL – open source tools for security intelligence sharing
- Sigma – Generic Signature Format for SIEM Systems
Incident response
- StackStorm – SOAR platform
- CimSweep – Windows incident response
- GRR – incident response and remote live forensics
- TheHive – incident response / SOAR platform
- TheHive Cortex – TheHive companion used for fast querying
- Shuffle – open source SOAR platform
- osquery – real-time querying of endpoint data
- Kansa – PowerShell incident response
Vulnerability assessment
- OpenVAS – very popular vulnerability assessment
- ZAProxy – web vulnerability scanner by OWASP
- WebScarab – (obsolete) web vulnerability scanner by OWASP
- w3af – web vulnerability scanner
- Loki – IoC scanner
- CVE Search – set of tools for search in CVE data
Firewall
- pfsense – the most popular open source firewall
- OPNSense – hardened BSD-based firewall
- Smoothwall – Linux-based firewall
Antivirus / endpoint protection
- ClamAV – open source antivirus engine
- Armadito AV – open source AV (retired)
- YARA – The pattern matching swiss knife for malware researchers
Email security
- Hermes Secure Email Gateway – an Ubuntu-based email gateway
- Proxmox – email gateway
- MailScanner – email security system
- SpamAssassin – anti-spam platform
- OrangeAssassin – drop-in replacement of SpamAssassin
I’m sure there are more (and I’d be happy to add them, e.g. this list suggested in reddit, or others in the reddit thread). Assessing each individual tool, its ease of use, its compliance aspects and the combination between multiple tools is a hard task (here’s a SANS paper on “stitching” multiple tools together). And making sense of the whole landscape (as I’ve tried previously) hints about the complexity of a security professional’s job.
Arkime (formerly Moloch) would be a good addition to the list! Full searchable packet capture, and when you start a search the owl mascot says “I’m hooting”.
Vulcan Cyber offers Remedy Cloud which is a searchable, curated database of remedies and fixes for vulnerabilities. Use it at https://vulcan.io/remedy-cloud. And if you want to go further and prioritize vulnerabilities request access to Vulcan Free which is freemium but not exactly open source. Request access here: https://vulcan.io/lp/vulcan-free
Great list! I found a couple that I need to have a play with.
I have two more suggestions:
Yara – under the AV section
Sigma – under the threat intelligence section.
Hi! I’d like to add one more suggestion:
Faraday (https://github.com/infobyte/faraday) an Open Source Vulnerability Management