---

IDS / IPS Tools

Content Leader: Jess Garcia - Last Updated: May 20, 2007

---

Under Construction ... - We are in the process of completing the descriptions. If you speak spanish, you can check the spanish version.

---

Index

Below you can find information on the following tools & products:

• Traffic analysis
• NIDS (Network Based Intrusion Detection Systems)
• HIDS (Host Based Intrusion Detection Systems)
• NIPS (Network Based Intrusion Prevention Systems)
• HIPS (Host Based Intrusion Prevention Systems)

---

Traffic analysis

• etherape - Network monitor for Unix which displays network activity graphically: hosts and links change in size with traffic, color coded protocols display, etc.
• ethereal/tethereal - THE standard sniffer for protocol analysis.
• DataEcho - TCP session reconstruction utility. It can capture traffic directly from a network adapter or can use a pcap file as input. DataEcho allows the playback of a user's web browsing, email, or other text-based protocol activity.
• ipsumdump -
• libpcap/winpcap - The standard traffic capture library
• mergecap - Merges two or more capture files into one.
• netdude -
• ngrep - pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets.
• p0f - p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to passively determine the operating system and other configuration properties of a remote host.
• ssldump -
• tcpbridge - Tool for briding network traffic across two interfaces and optionally modifying the packets in betweeen. Part of the tcpreplay suite.
• tcpdpriv -
• tcpdump/windump -
• tcpflow -
• tcpreplay -
• tcprewrite - Tool to rewrite the packets in a pcap file. Part of the tcpreplay suite.
• tcpspy -
• tcpstat -
• tcptrace -
• tomahawk - Utility to bidirectionally replay saved tcpdump dumpfiles at arbitrary speeds.

---

NIDS

Engines

• arpwatch -
• ASDIC - ASDIC is a system for advanced traffic analysis. You can look at ASDIC as a reverse firewall. Input unstructured traffic information and output a rule set.
• Azwalaro - NIDS based on Ethereal dissectors.
• Bro-IDS -
• shadow -
• snort -
• PADS -

Consoles

• BASE - Basic Analysis and Security Engine.
• Sguil -
• Snortcenter2 -
• Aanval/Openaanval -
• IDS Policy Manager -
• SNORTSAM -

---

HIDS

Generic

• Debcheck -
• Gherkin -
• Host-sentry -
• OpenHIDS -
• Os-hids -
• OSSEC -
• Prelude -
• SLAD - Provides an extendable plugin architecture allowing to use various GPL-based security scanners and auditing tools (John-the-Ripper, Chkrootkit, LSOF, ClamAV, Tripwire, TIGER, Logwatch, TrapWatch, LM-Sensors, snort, ...) under one common framework. SLAD has been primarily developed to work together with Nessus to enhance its local scanning capabilities.
• snare -
• tiger -
• Wkr -

File Integrity Assessment

• AIDE - (Advanced Intrusion Detection Environment). Free tripwire substitute.
• Samhain -
• Osiris -
• AFICK -
• tripwire -

Rootkit Detectors

• chkrootkit -
• klister -
• Rootkit Revealer -
• Rootkit Profiler LX - Kernel rootkit detection toolkit for Linux

---

NIPS (Network Based Intrusion Prevention Systems)

Open Source

• Snort In-Line
• HLBR

Commercial Products

• Standard
  • Ambiron TrustWave IP Angel (formerly Lucid Security)
  • Barbedwire
  • Captus
  • Cisco
  • DeepNines
  • Demarc Sentaurus
  • Enterasys
  • Fortinet
  • ISS
  • Juniper/Netscreen/Onesecure IDP
  • Lattis
  • Mazu Networks
  • McAfee Intrushield
  • NFR
  • Radware DefensePro
  • SourceFire
  • TippingPoint
  • TopLayer

• Behavioral Anomaly
  • Lancope

• Other references:
  • http://www.networkintrusion.co.uk/inline.htm

---

HIPS (Host Based Intrusion Prevention Systems)

Open Source

• Systrace

Commercial

• McAfee Host Intrusion Prevention
  • Formerly Entercept
• Cisco Secure Agent
  • Formerly Okena
• Securewave
• Subdomain
• Trustcorps TRUSHIELD