MISP alternatives

Looking for an alternative tool to replace MISP? During the review of MISP we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. HELK (threat hunting with the ELK stack)
  2. sqhunter (threat hunting)
  3. CHIRON ELK (network analytics and threat detection)

These tools are ranked as the best alternatives to MISP.

Alternatives (by score)

64

HELK (The Hunting ELK)

Introduction

The main purpose to use HELK is to do analytic research on data, which are typically the events coming from your systems. Suspicious events could be discovered by doing so-called threat hunting. It may give additional insights about the existing infrastructure and required security defenses.

Project details

Strengths and weaknesses

  • + The source code of this software is available

    Typical usage

    • System monitoring
    • Threat discovery
    • Threat hunting

    HELK review

    64

    sqhunter

    Introduction

    Sqhunter is a security tool to find known and unknown threats within your network. The goal is to find possible adversaries within your network by doing specific queries. The tool uses data from osquery, Salt Open, and the Cymon API.

    Project details

    sqhunter is written in Python.

    Strengths and weaknesses

    • + The source code of this software is available

      Typical usage

      • Security monitoring
      • Threat discovery
      • Threat hunting

      sqhunter review

      64

      CHIRON ELK

      Introduction

      CHIRON is a tool to provide network analytics based on the ELK stack. It is combined with Machine Learning threat detection using the Aktaion framework. Typical usage of the tool is home use and get the visibility of home internet devices. By leveraging the Aktaion framework, it helps with detection threats like ransomware, phishing, or other malicious traffic.

      Project details

      CHIRON ELK is written in Python.

      Strengths and weaknesses

      • + The source code of this software is available
      • - No releases on GitHub available

      Typical usage

      • Network analysis
      • Network security monitoring
      • Network traffic analysis
      • Threat discovery

      CHIRON ELK review

      100

      Suricata

      Introduction

      Suricata is a somewhat younger NIDS, though has a rapid development cycle. It can work with Snort rulesets, yet also has optimized rulesets for usage with Suricata itself. For example, this set is known as Emerging Threats and fully optimized.

      Project details

      Suricata is written in C, Lua.

      Strengths and weaknesses

      • + More than 50 contributors
      • + The source code of this software is available

        Typical usage

        • Information gathering
        • Intrusion detection
        • Network analysis
        • Threat discovery

        Suricata review

        64

        rastrea2r

        Introduction

        Rastrea2r is a threat hunting utility for indicators of compromise (IOC). It is named after the Spanish word rastreador, which means hunter. This multi-platform open source tool helps incident responders and SOC analysts to triage suspected systems. The hunt for IOCs can be achieved in just a matter of a few minutes.

        Project details

        64

        Binary Analysis Next Generation (BANG)

        Introduction

        BANG is a framework to unpack files recursively and scan them. The files can be firmware, binaries, or malware. The main goal is to scan all files and perform classification and labeling. This way each file can be further analyzed based on the characteristics.

        Project details

        Binary Analysis Next Generation is written in Python.

        Strengths and weaknesses

        • + The source code of this software is available
        • - No releases on GitHub available

        Typical usage

        • Binary analysis
        • Malware analysis
        • Malware scanning

        Binary Analysis Next Generation review

        64

        Mal Tindex

        Introduction

        Mal Tindex is a tool that performs binary analysis on malware samples. It analyzes the binaries it is provided to learn about the specifics of each malware sample that makes them unique. This way data can be gathered that may provide background information. For example, it could provide the attribution of a particular actor or malware campaign.

        Project details

        Mal Tindex is written in Python.

        Strengths and weaknesses

        • + The source code of this software is available

          Typical usage

          • Malware analysis
          • Malware research

          Mal Tindex review

          64

          MalPipe

          Introduction

          MalPipe is a modular malware and indicator collection and processing framework. It is designed to pull information about malware, domains, URLs, and IP addresses from multiple feeds. Finally, it will enrich the collected data and export the results.

          Project details

          MalPipe is written in Python.

          Strengths and weaknesses

          • + The source code of this software is available
          • - No releases on GitHub available

          Typical usage

          • Data enrichment
          • Data processing
          • Intrusion detection
          • Malware analysis
          • Malware detection

          MalPipe review

          78

          SSMA

          Introduction

          SSMA is short for Simple Static Malware Analyzer. The tool can perform a set of tests against a malware sample and retrieve metadata from it. SSMA can analyze ELF and PE and analyze its structure. For example, it can retrieve the PE file header information and its sections. Other pieces it can analyze is the usage of packers, anti-debugging techniques, cryptographic algorithms, domains, email addresses, and IP addresses. It can also check if the sample is already detected or blocked by using VirusTotal and the blocklist of malwaredomains.com.

          Project details

          SSMA is written in Python.

          Strengths and weaknesses

          • + The source code of this software is available
          • - No releases on GitHub available

          Typical usage

          • Malware analysis
          • Malware detection
          • Malware scanning
          • Reverse engineering

          SSMA review

          97

          YARA

          Introduction

          YARA is a tool to identify and classify malware samples. It uses textual or binary patterns to match data, combined with a boolean expression to define a match. YARA is multi-platform, can be used via a command-line interface or via Python scripts using the yara-python extension.

          Project details

          YARA is written in C.

          Strengths and weaknesses

          • + More than 50 contributors
          • + More than 2000 GitHub stars
          • + The source code of this software is available

            Typical usage

            • Malware analysis
            • Malware detection
            • Malware scanning

            YARA review

            97

            OnionShare

            Introduction

            This tool is useful for sharing sensitive data, including information to be shared with journalists where you rather stay anonymously. It can also be helpful for sharing bigger amounts of data, without having to use a typical cloud service like Dropbox.

            Project details

            OnionShare is written in Python.

            Strengths and weaknesses

            • + More than 50 contributors
            • + More than 2000 GitHub stars
            • + Many releases available
            • + The source code of this software is available

              Typical usage

              • File sharing

              OnionShare review

              100

              Intrigue Core

              Introduction

              Intrigue Core provides a framework to measure the attack surface of an environment. This includes discovering infrastructure and applications, performing security research, and doing vulnerability discovery.

              Intrigue also allows enriching available data and perform OSINT research (open source intelligence). The related scans include DNS subdomain brute-forcing, email harvesting, IP geolocation, port scanning, and using public search engines like Censys, Shodan, and Bing.

              Project details

              Intrigue Core is written in Ruby.

              Strengths and weaknesses

              • + More than 500 GitHub stars
              • + The source code of this software is available

                Typical usage

                • OSINT research
                • Asset discovery
                • Attack surface measurement
                • Intelligence gathering
                • Penetration testing
                • Security assessment

                Intrigue Core review

                60

                MultiScanner

                Introduction

                MultiScanner helps malware analysts by providing a toolkit to perform both automated and manual analysis. The data extracted from the analysis can be easily stored together, including the relevant metadata and samples. It allows enriching the data further by retrieving information from external resources.

                Project details

                Strengths and weaknesses

                • + More than 10 contributors
                • + The source code of this software is available

                  Typical usage

                  • Malware analysis
                  • Malware detection
                  • Malware scanning

                  MultiScanner review

                  60

                  YaraGuardian

                  Introduction

                  YaraGuardian provides a web-based interface that helps to manage Yara rules. It can be used to search, organize, and bulk-edit rules. The tool also prevents creating duplicate entries, which is a nice additional benefit of this management utility.

                  Project details

                  YaraGuardian is written in Python.

                  Strengths and weaknesses

                  • + The source code of this software is available

                    Typical usage

                    • Malware analysis

                    YaraGuardian review

                    60

                    bamfdetect

                    Introduction

                    With bamfdetect, malware and bots can be analyzed. It identifies and extracts information and returns data in JSON format.

                    Project details

                    bamfdetect is written in Python.

                    Strengths and weaknesses

                    • + The source code of this software is available

                      Typical usage

                      • Malware analysis
                      • Malware scanning

                      bamfdetect review

                      64

                      XRay

                      Introduction

                      XRay is a security tool for reconnaissance, mapping, and OSINT gathering from public networks.

                      Project details

                      XRay is written in Golang.

                      Strengths and weaknesses

                      • + The source code of this software is available

                        Typical usage

                        • Information gathering
                        • Reconnaissance

                        XRay review

                        Some relevant tool missing as an alternative to MISP? Please contact us with your suggestion.