Today, network intrusions are “normal.” In fact, the FBI says that phishing attacks cost $5.3 billion yearly and will increase to $9 billion by the end of 2018. This is why security tools like network intrusion detection and prevention systems (IDPS) are needed to spot intruders before they can cause serious damage.
Security Onion
Open Source says Security Onion is a great way to monitor your Linux network’s traffic for suspicious activity. You do need to manage it properly: review alerts, monitor network activity, and regularly update the IDS detection rules. In return, Security Onion provides full packet capture, network- and host-based intrusion detection, and a set of powerful analysis tools. This benefits you in many ways, including:
• A really flexible environment in which to tune your network security to your own unique requirements.
• Pre-installed sensor management tools, traffic analyzers, and packet sniffers that you can operate without any additional IDS or IPS software.
• Regular updates, so you can rest assured that it keeps a high level of security.
Snort
Snort is an open source intrusion detection system that can not only detect intrusions but also prevent attacks. Introduced by Cisco in 2014, Linux Security says it’s commonly used today for security monitoring because it has many great features, including being both customizable and extendable. There’s also a large, supportive community behind it, which has helped it become a really well-known tool supported by a wide variety of operating systems, including FreeBSD, Linux, macOS, and Microsoft Windows.
OpenWIPS-NG
This intrusion detection and prevention system by Thomas d’Otrepe de Bouvette (the creator of the Aircrack software) is free and built for wireless networks. It relies on three main parts:
• A sensor that captures wireless traffic and sends the information back to your server for further analysis. It’s also important in responding to network attacks.
• The server aggregates the sensors’ data, analyzes it and responds to attacks. It also logs any type of attack and sends you an alert about it.
• The GUI manages the server and displays information about network threats.
Having such a robust system in place is beneficial in that it:
• Is modular and plugin based
• Has software and hardware that’s built by DIYers
• Contains other great features that are all supported by the use of plugins
Suricata
Suricata is another great open source option. It’s both fast and highly robust when it comes to detecting problems on your network. Developed by the Open Information Security Foundation, it can detect intrusions in real time, prevent intrusions inline, and monitor your network’s security. It consists of a few modules (Capturing, Collection, Decoding, Detection, and Output): traffic is captured as it passes through your network, then decoded, and Suricata then determines how the traffic is split into separate flows and distributed across its processing threads. There are many great benefits to this, including:
• Network processing occurs on the seventh layer of the OSI model which enhances its capability to detect malware
• It automatically detects and parses the IP, TCP, UDP, ICMP, HTTP, TLS, FTP, and SMB protocols
• There are advanced features including multi-threading and GPU acceleration
BroIDS
This passive tool analyzes all your traffic. Developed by Vern Paxson, it’s used to collect network measurements, conduct forensic investigations, and establish a baseline of your traffic. It produces a set of log files that record all the activity on your network. This gives it sophisticated functionality for detecting and analyzing threats: extracting files from HTTP sessions, detecting malware, software vulnerabilities, and SSH brute force attacks, and validating SSL certificate chains. This happens in two layers:
• The Bro Event Engine uses C++ to analyze both live and recorded network traffic packets and warn you of anything unusual that’s happening.
• The Bro Policy Scripts analyze events then create policies for action. This is handled by sending emails, raising alerts, executing system commands, and calling emergency phone numbers.
All of this is very beneficial to you because it provides a really flexible way to monitor your network. This is great for big networks with lots of traffic; even there it can still conduct in-depth traffic analysis and provide you with information you can easily understand.
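To make the SSH brute force detection described above concrete, here is an added example (not Bro’s own code) that scans constructed auth.log lines and flags a source address once it produces a threshold number of failed logins inside a sliding time window; the threshold, window and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not Bro/Zeek code: flag a source IP as SSH brute-forcing
# when it produces THRESHOLD failed logins within a WINDOW-second span.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
THRESHOLD = 5   # failures that trigger an alert
WINDOW = 60     # seconds
def parse_ts(ts: str, year: int = 2018) -> datetime:
    """auth.log timestamps carry no year, so one is assumed (constructed data)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: time of first alert} for sources crossing the threshold."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:                 # accepted logins and other noise are ignored
            continue
        src, t = m["src"], parse_ts(m["ts"])
        q = recent[src]
        q.append(t)
        while (t - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = t.strftime("%H:%M:%S")
    return alerts

# Constructed sample log: 198.51.100.7 fails six times in 15 s (should alert);
# 203.0.113.9 fails twice, minutes apart (should not); one success is ignored.
SAMPLE_LOG = [
    "Mar 13 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2",
    "Mar 13 10:00:04 host sshd[1203]: Failed password for root from 198.51.100.7 port 50124 ssh2",
    "Mar 13 10:00:05 host sshd[1204]: Failed password for alice from 203.0.113.9 port 41000 ssh2",
    "Mar 13 10:00:07 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 50126 ssh2",
    "Mar 13 10:00:10 host sshd[1207]: Failed password for root from 198.51.100.7 port 50128 ssh2",
    "Mar 13 10:00:13 host sshd[1209]: Failed password for invalid user oracle from 198.51.100.7 port 50130 ssh2",
    "Mar 13 10:00:16 host sshd[1211]: Failed password for root from 198.51.100.7 port 50132 ssh2",
    "Mar 13 10:02:40 host sshd[1220]: Accepted password for alice from 203.0.113.9 port 41002 ssh2",
    "Mar 13 10:05:30 host sshd[1230]: Failed password for alice from 203.0.113.9 port 41004 ssh2",
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))   # {'198.51.100.7': '10:00:13'}
```

The window is what keeps a user who mistypes a password a few times over an afternoon from being reported alongside a real burst of failures.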
OSSEC
This free open source host-based IDS performs various tasks including log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It’s equipped with a centralized and cross-platform architecture that lets you accurately monitor multiple systems at once through its three main components, which include:
• The main application, supported on Linux, Windows, Solaris, and Mac
• The Windows agent, which is only necessary when you’re monitoring Windows-based computers, clients, or servers
• The web-based GUI, which defines rules and monitors your network
All of this is beneficial to you in that you get real-time alerts that you yourself configure. You can manage this and everything else from one centralized location.
Open Source Tripwire
Open Source Tripwire is another host-based intrusion detection system. It focuses on detecting changes in your file system, which it scans according to your instructions. It stores cryptographic hashes and other attributes of each file in a database, compares later scans against that baseline, and sends you reports of any changes it finds. Additionally, Tripwire helps with integrity assurance, change management, and policy compliance. All of this is great when you’re running a small, decentralized Linux system.
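The baseline-and-compare idea behind Tripwire, as an added example rather than Tripwire’s own code: a small checker that records a SHA-256 digest, size and mode for every file under a directory, then reports what was added, removed or modified on a later scan; the directory layout and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Added example, not Tripwire's own code: baseline a directory tree with
# SHA-256 digests and file attributes, then report what changed on rescan.
def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to digest, size and mode."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():   # symlinks and specials are skipped
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline

def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into sorted added / removed / modified path lists."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a temporary tree, change it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "motd").write_text("Welcome\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)                    # trusted snapshot
        (root / "etc" / "motd").write_text("Welcome!\n")   # content changed
        (root / "etc" / "hosts").unlink()                  # file removed
        (root / "etc" / "new.conf").write_text("x=1\n")    # file added
        return compare(baseline, build_baseline(root))
```

In a real deployment the baseline itself must be stored somewhere an intruder on the monitored host cannot rewrite, which is why Tripwire signs its database; a baseline the attacker can regenerate detects nothing.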
McAfee Network Security Platform (NSP)
eSecurity Planet says this network threat and intrusion prevention solution protects your systems and their information regardless of where they reside – in data centers, the cloud, or your hybrid enterprise environment. It supports up to 32 million connections per appliance. This is a great way to locate advanced targeted attacks on your network so they can be blocked.
Cisco Firepower Next-Generation Intrusion Prevention System (NGIPS)
You’ll find this in software and appliances (both physical and virtual) that are used everywhere from small branch offices to large enterprises. It offers 50 – 60 Mbps, URL-based security intelligence, and AMP Threat Grid integration. The company’s Talos security research team supports it.