OSSEC alternatives

Looking for an alternative tool to replace OSSEC? During the review of OSSEC we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. chkrootkit (malware scanner)
  2. Samhain (host-based intrusion detection system)
  3. Snort (network intrusion detection system)

These tools are ranked as the best alternatives to OSSEC.

Alternatives (by score)

59

chkrootkit

Introduction

The chkrootkit tool consists of multiple parts that may detect the presence of rootkit parts of rootkit behavior on a system.

Some areas that are checked include:

  • interface in promiscuous mode
  • lastlog deletions
  • wtmp deletions
  • wtmpx deletions
  • signs of LKM trojans
  • utmp deletions

Project details

chkrootkit is written in C, shell script.

Strengths and weaknesses

  • + Used language is shell script
  • + Project is mature (10+ years)
  • - Long time between releases

Typical usage

  • Malware detection
  • Malware scanning

chkrootkit review

52

Samhain

Introduction

Samhain is a host-based intrusion detection system (HIDS). It provides file integrity checking and log file monitoring/analysis. Additional features are rootkit detection, port monitoring, detection of rogue SUID executables, and the detection of hidden processes.

Samhain is typically deployed as a standalone application, although it supports centralized logging. This makes it ideal for environments with multiple systems.

Samhain is open source software and written by Rainer Wichmann.

Project details

Strengths and weaknesses

  • + The source code of this software is available

    Samhain review

    67

    Snort

    Introduction

    Besides intrusion detection, Snort has the capabilities to prevent attacks. By taking a particular action based on traffic patterns, it can become an intrusion prevention system (IPS).

    Project details

    Snort is written in C.

    Strengths and weaknesses

    • + Supported by a large company
    • + Well-known tool

      Typical usage

      • Security monitoring

      Snort review

      100

      Zeek (Bro)

      Introduction

      Bro helps to perform security monitoring by looking into the network's activity. It can find suspicious data streams. Based on the data, it alert, react, and integrate with other tools.

      Project details

      Zeek is written in C++.

      Strengths and weaknesses

      • + More than 50 contributors
      • + More than 2000 GitHub stars
      • + The source code of this software is available
      • + Well-known tool

        Typical usage

        • Security monitoring

        Zeek review

        60

        Chiron

        Introduction

        Chiron is a security assessment framework for IPv6. It provides several modules including an IPv6 scanner, IPv6 Local Link, IPv4-to-IPv6 proxy, IPv6 attack module, and IPv6 proxy. These modules help to perform an assessment, like a penetration test.

        The tool uses IPv6 extension headers to create a headers chain. This may allow evading security devices like IDS, IPS, and firewalls. Due to the flexibility of the framework, the tool can also be used to perform fuzzing of the IPv6 stack of a device.

        Project details

        Chiron is written in Python.

        Strengths and weaknesses

        • + The source code of this software is available
        • - No releases on GitHub available

        Typical usage

        • Network analysis
        • Network scanning
        • Network security monitoring

        Chiron review

        56

        Pytbull (pytbull)

        Introduction

        None

        Project details

        68

        Scirius

        Introduction

        Scirius is a web application to do Suricata ruleset management. There is both a community version as paid version available.

        Project details

        Scirius is written in Python.

        Strengths and weaknesses

        • + The source code of this software is available

          Typical usage

          • Network security monitoring

          Scirius review

          100

          Suricata

          Introduction

          Suricata is a somewhat younger NIDS, though has a rapid development cycle. It can work with Snort rulesets, yet also has optimized rulesets for usage with Suricata itself. For example, this set is known as Emerging Threats and fully optimized.

          Project details

          Suricata is written in C, Lua.

          Strengths and weaknesses

          • + More than 50 contributors
          • + The source code of this software is available

            Typical usage

            • Information gathering
            • Intrusion detection
            • Network analysis
            • Threat discovery

            Suricata review

            93

            Acra

            Introduction

            Acra is a database encryption proxy that provides encryption and data leakage prevention to applications. It provides selective encryption, access control, database and data leak prevention, and even intrusion detection capabilities. It is focused on developers and supports most popular programming languages such as Go, PHP, Python, Ruby.

            Project details

            Acra is written in Golang, Node.js, Objective-C, PHP, Python, Ruby.

            Strengths and weaknesses

            • + Commercial support available
            • + The source code of this software is available

              Typical usage

              • Data encryption
              • Data leak prevention
              • Data security
              • Vulnerability mitigation

              Acra review

              100

              GRR Rapid Response

              Introduction

              The goal of the GRR tooling is to support digital forensics and investigations. By using a fast and scalable model, analysts can quickly perform their analysis. One of the main features is the ability to search for particular information or details. This process is called hunting.

              Project details

              GRR Rapid Response is written in Python.

              Strengths and weaknesses

              • + More than 25 contributors
              • + More than 3000 GitHub stars
              • + The source code of this software is available
              • + Supported by a large company

                Typical usage

                • Digital forensics
                • Intrusion detection
                • Threat hunting

                GRR Rapid Response review

                93

                Loki

                Introduction

                Loki is security tool to find so-called indicators of compromise (IOC). It does this by scanning files and then uses pattern matching.

                Project details

                Loki is written in Python.

                Strengths and weaknesses

                • + More than 10 contributors
                • + Commercial support available
                • + More than 500 GitHub stars
                • + The source code of this software is available

                  Typical usage

                  • Digital forensics
                  • Intrusion detection
                  • Security monitoring

                  Loki review

                  85

                  Maltrail

                  Introduction

                  Maltrail monitors for traffic on the network that might indicate system compromise or other bad behavior. It is great for intrusion detection and monitoring.

                  Project details

                  Maltrail is written in Python.

                  Strengths and weaknesses

                  • + More than 10 contributors
                  • + More than 2000 GitHub stars
                  • + The source code of this software is available

                    Typical usage

                    • Intrusion detection
                    • Network analysis
                    • Security monitoring

                    Maltrail review

                    Some relevant tool missing as an alternative to OSSEC? Please contact us with your suggestion.