2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
As network security professionals, we have always worked to keep attackers out of our networks, but the rise of mobile devices, distributed teams, and the Internet of Things (IoT) has made the network harder to protect. The point network security staff must keep in mind is that once an attacker has successfully broken into your network, the longer the intrusion goes on, the greater the loss caused by data leakage.
By using a reliable intrusion detection system (IDS), backed by a strong incident response plan, you can reduce the potential damage from a breach.
IDS tools usually fall into two groups: signature-based IDS, which scans traffic for known malicious patterns and raises an alert when it finds them, and anomaly-based IDS, which establishes a baseline of normal activity and exposes anything that deviates from it.
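To make the distinction concrete, here is an added example (not code from the article) that runs both detection styles over the same constructed window of flow records. The indicator list, the baseline windows, the host addresses and the byte counts are all constructed sample data; the signature side catches a tiny beacon to a listed host that the anomaly side would never notice, and the anomaly side catches a large transfer to an unlisted host that no signature covers.

```python
"""Added example (not from the article): the two IDS styles side by side.

A signature-based detector matches traffic against a list of known-bad
indicators; an anomaly-based detector learns a per-host baseline from clean
traffic and flags windows that deviate from it. Every record here is
constructed sample data, not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed indicator list standing in for a threat feed: destination IP -> description.
KNOWN_BAD_DESTINATIONS = {
    "203.0.113.9": "constructed example: listed command-and-control host",
}


# Flow record layout used throughout: (src_ip, dst_ip, dst_port, bytes_out)
def signature_alerts(flows):
    """Signature-based: flag every flow whose destination is on the indicator list."""
    return [(src, dst, KNOWN_BAD_DESTINATIONS[dst])
            for src, dst, _port, _size in flows if dst in KNOWN_BAD_DESTINATIONS]


def bytes_per_host(flows):
    """Sum outbound bytes per source host for one observation window."""
    totals = defaultdict(int)
    for src, _dst, _port, size in flows:
        totals[src] += size
    return dict(totals)


def build_baseline(windows):
    """Learn (mean, population stdev) of outbound bytes per host from clean windows.

    windows: list of {host: bytes_out} dicts, one per historical window.
    """
    per_host = defaultdict(list)
    for window in windows:
        for host, size in window.items():
            per_host[host].append(size)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def anomaly_alerts(flows, baseline, k=3.0, min_delta=50_000):
    """Anomaly-based: flag hosts whose outbound volume exceeds mean + k*stdev.

    min_delta is a floor on the allowed increase so that a host with a very
    stable baseline (stdev near zero) is not flagged for trivial fluctuations.
    Hosts with no baseline at all are reported too: a new talker is worth a look.
    """
    alerts = []
    for host, total in bytes_per_host(flows).items():
        if host not in baseline:
            alerts.append((host, total, "no baseline for this host"))
            continue
        mu, sigma = baseline[host]
        threshold = max(mu + k * sigma, mu + min_delta)
        if total > threshold:
            alerts.append((host, total, f"outbound {total} B exceeds threshold {threshold:.0f} B"))
    return alerts


# Four constructed clean windows for two workstations.
BASELINE_WINDOWS = [
    {"10.0.0.5": 120_000, "10.0.0.6": 80_000},
    {"10.0.0.5": 130_000, "10.0.0.6": 75_000},
    {"10.0.0.5": 110_000, "10.0.0.6": 85_000},
    {"10.0.0.5": 125_000, "10.0.0.6": 90_000},
]

# One constructed live window: a large transfer to an unknown external host,
# a tiny beacon to a listed host, and a host that was never baselined.
LIVE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, 60_000),
    ("10.0.0.5", "198.51.100.7", 443, 900_000),
    ("10.0.0.6", "10.0.0.20", 443, 70_000),
    ("10.0.0.6", "203.0.113.9", 8443, 2_000),
    ("10.0.0.7", "10.0.0.20", 443, 5_000),
]


def run_demo():
    """Return (signature alerts, anomaly alerts) for the constructed live window."""
    baseline = build_baseline(BASELINE_WINDOWS)
    return signature_alerts(LIVE_FLOWS), anomaly_alerts(LIVE_FLOWS, baseline)


if __name__ == "__main__":
    sig, anom = run_demo()
    for a in sig:
        print("SIGNATURE", a)
    for a in anom:
        print("ANOMALY  ", a)
```

The two lists do not overlap, which is the practical reason for running both styles: signatures give precise, low-noise hits on what is already known, while the baseline catches volume changes that no feed describes. The `min_delta` floor matters in practice, because a host with a flat baseline has a standard deviation near zero and would otherwise alert on every small fluctuation.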
If you want to protect data and systems, it is critical to deploy IDS across the network, from internal servers to data centers to public cloud environments. It is worth noting that an IDS can also reveal employee misconduct, including insider threats and time-wasting during working hours, such as streaming Netflix or chatting on Facebook Messenger.
Fortunately, there are many open source intrusion detection tools worth trying. Here are five examples.
1. Snort
As the de facto standard of IDS, Snort is a very valuable tool. This Linux utility is easy to deploy and can be configured to monitor network traffic for intrusion attempts, log intrusions, and perform specified actions when intrusion attempts are detected. It is one of the most widely deployed IDS tools and can also be used as an intrusion prevention system (IPS).
Snort dates back to 1998 and still shows no sign of disappearing, and an active community provides good help and support. Snort has no GUI (graphical user interface) and lacks an administrative console, but users can make up for this with another open source tool such as Snorby or BASE. The high degree of customization Snort offers makes it a good choice for many different organizations.
If you don't want to use Snort for some reason, then Suricata is also a good choice.
2. Bro
Bro's analysis engine converts traffic into a series of events and can detect both suspicious signatures and anomalies. Users write Bro scripts to define tasks for the policy engine, which makes it a good choice for those who want to get more done through automation. For example, the tool can automatically download suspicious files it finds on the network and send them to analysts, notify the relevant people when an anomaly is found, blacklist the source, and shut down the device that downloaded the file.
The disadvantage of Bro is its steep learning curve: getting the most out of it can be very complex. However, the community keeps growing and offers users more and more help, and Bro can detect anomalies and patterns that other intrusion detection tools may miss.
3. Kismet
As the standard for wireless IDS, Kismet is an indispensable tool for most enterprises. It focuses on wireless protocols, including Wi-Fi and Bluetooth, and tracks rogue access points set up by employees without authorization. It can detect default or misconfigured networks and supports channel hopping, but scanning the network takes time, and for the best results the search scope must be kept narrow.
Kismet runs on several different platforms, including Android and iOS, but support for Windows is limited. In addition, it offers a variety of APIs for integrating other tools and provides multithreaded packet decoding for higher workloads. It recently launched a new, Web-based user interface that supports extensions.
4. OSSEC
Turning to host-based IDS (HIDS), OSSEC is by far the most comprehensive HIDS option. It is very easy to extend and runs on most operating systems, including Windows, Linux, Mac OS and Solaris. It has a client/server architecture that sends alerts and logs to a central server for analysis. This means that an alert will still be raised even if the host system goes offline or is completely compromised. This architecture also makes deployment easier, because it allows centralized management of multiple agents.
OSSEC has a small installer and, once up and running, consumes very few system resources. It is also customizable and can be configured to act automatically in real time. OSSEC has a large community and a lot of resources at its disposal.
If you have concerns about the central server, consider Samhain Labs as an alternative; it is also host-based, but offers a variety of agent output methods.
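The core of a host-based IDS such as those above is file integrity monitoring: the agent records a baseline of the files it watches, periodically compares the live state against it, and forwards every difference to the central server. The following is an added example (not from the article, and not OSSEC's or Samhain's own code) that implements that loop on a constructed directory tree inside a temporary directory; the file names, contents and the JSON record layout are constructed, and the agent name is a placeholder.

```python
"""Added example (not from the article, not OSSEC/Samhain code): file
integrity monitoring, the core HIDS check. A baseline snapshot of file
hashes, sizes and modes is taken, the tree is changed, and the differences
are serialised as records an agent would forward to a central server.
Everything below runs on a constructed directory tree in a temp dir.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Hash a file in chunks and record the attributes the baseline compares."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o777)}


def snapshot(root):
    """Map every regular file under root (relative path) to its fingerprint."""
    root = Path(root)
    return {str(p.relative_to(root)): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Classify each path as added, removed or modified relative to the baseline."""
    changes = {"added": [], "removed": [], "modified": []}
    for path in current.keys() - baseline.keys():
        changes["added"].append(path)
    for path in baseline.keys() - current.keys():
        changes["removed"].append(path)
    for path in baseline.keys() & current.keys():
        if baseline[path] != current[path]:
            changes["modified"].append(path)
    for kind in changes:
        changes[kind].sort()
    return changes


def alert_records(agent, changes):
    """One JSON line per change, the shape an agent would ship to the server (constructed layout)."""
    return [json.dumps({"agent": agent, "event": kind, "path": path})
            for kind, paths in changes.items() for path in paths]


def demo():
    """Build a constructed tree, baseline it, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF constructed placeholder")
        baseline = snapshot(root)

        # Changes after the baseline: an account line appended, a file dropped
        # into etc, and a binary deleted. etc/hosts is untouched.
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        (root / "etc" / "extra.conf").write_text("constructed=1\n")
        (root / "bin" / "tool").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for line in alert_records("agent-placeholder", demo()):
        print(line)
```

Hashing in chunks rather than reading whole files keeps memory flat on large binaries, and comparing the whole fingerprint (hash, size and mode together) means a permission change on an otherwise identical file is still reported. The baseline and the diff live on the agent here; in a real deployment the baseline would be stored on the server so that a compromised host cannot quietly rewrite it.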
5. Open DLP
Data Leakage Prevention (DLP) is the main purpose of this tool. It statically scans data in databases and file systems. Open DLP searches for sensitive data relevant to the user's organization in order to discover unauthorized copying and transfers. This is useful for defending against moles and against careless employees sending out sensitive data. It works well on Windows, supports Linux, and can be deployed either with agents or agentlessly.
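As an added example of what a static DLP scan does (not from the article and not Open DLP's own code), the script below walks a constructed set of files and reports payment card numbers and US Social Security Numbers. Both detectors validate their hits, with the Luhn checksum for card numbers and the SSA's structural rules for SSNs, so that an ordinary 16-digit order number is not reported, and every finding is masked so the report cannot itself become a leak. The file paths and contents are constructed.

```python
"""Added example (not from the article, not Open DLP code): a static scan of
files for sensitive data, with checksum validation to cut false positives
and masking of the findings. File contents below are constructed.
"""
import re

# Thirteen to nineteen digits, optionally separated by spaces or hyphens,
# not preceded or followed by another digit.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """SSA structure rules: area not 000/666/9xx, group not 00, serial not 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan_text(name, text):
    """Return masked findings for one file's text, tagged with file and line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"file": name, "line": lineno, "kind": "card",
                                 "masked": "*" * (len(digits) - 4) + digits[-4:]})
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append({"file": name, "line": lineno, "kind": "ssn",
                                 "masked": "***-**-" + m.group(3)})
    return findings


def scan_share(files):
    """files: {path: text}, a constructed stand-in for a mounted file share."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed share contents: one real-format SSN and one structurally invalid
# one, a Luhn-valid test card number next to a 16-digit order number that
# fails Luhn, and a file with nothing sensitive.
SAMPLE_SHARE = {
    "hr/export.csv": "name,ssn\nAlice Example,219-09-9999\nBob Example,000-12-3456\n",
    "sales/orders.txt": "Order 1234 5678 9012 3456 shipped\nCard on file: 4111 1111 1111 1111\n",
    "notes/readme.txt": "Nothing sensitive here, ticket 1234567.\n",
}

if __name__ == "__main__":
    for finding in scan_share(SAMPLE_SHARE):
        print(finding)
```

The validation step is what separates a usable scanner from a noise generator: raw digit-run regexes fire on order numbers, invoice IDs and phone numbers, while the checksum and structure rules discard most of those without losing genuine hits. Masking to the last four digits leaves enough for an analyst to triage the finding with the data owner.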
Bottom line
As you can see, there are many excellent free and open source intrusion detection tools to choose from, which is by no means an exhaustive list, but these five options are a good start.
© 2024 shulou.com SLNews company. All rights reserved.