Samhain alternatives

Looking for an alternative tool to replace Samhain? During the review of Samhain we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

OSSEC (host-based intrusion detection system)
Snort (network intrusion detection system)
Zeek (network security monitoring tool)

These tools are ranked as the best alternatives to Samhain.

Alternatives (by score)

OSSEC

Introduction

OSSEC uses a centralized, cross-platform architecture allowing multiple systems to be monitored and managed.

Highlights:
The OSSEC project was acquired by Third Brigade, Inc in June 2008. This included the copyrights owned by Daniel Cid, its project leader. They promised to continue the development, keep it open source, and extend commercial support and training to the community.

Trend Micro acquired Third Brigade in May 2009. This included the OSSEC project. Trend Micro promised to keep the software open source and free.

Project details

Strengths and weaknesses

+ Commercial support available
+ Well-known tool

- Commercial support available

OSSEC review

Snort

Introduction

Besides intrusion detection, Snort has the capabilities to prevent attacks. By taking a particular action based on traffic patterns, it can become an intrusion prevention system (IPS).

Project details

Snort is written in C.

Strengths and weaknesses

+ Supported by a large company
+ Well-known tool

Typical usage

Security monitoring

Snort review

100

Zeek (Bro)

Introduction

Zeek helps to perform security monitoring by looking into the network's activity. It can find suspicious data streams. Based on the data, it alert, react, and integrate with other tools.

Project details

Zeek is written in C++.

Strengths and weaknesses

+ More than 50 contributors
+ More than 2000 GitHub stars
+ The source code of this software is available
+ Well-known tool

Typical usage

Security monitoring

Zeek review

Chiron

Introduction

Chiron is a security assessment framework for IPv6. It provides several modules including an IPv6 scanner, IPv6 Local Link, IPv4-to-IPv6 proxy, IPv6 attack module, and IPv6 proxy. These modules help to perform an assessment, like a penetration test.

The tool uses IPv6 extension headers to create a headers chain. This may allow evading security devices like IDS, IPS, and firewalls. Due to the flexibility of the framework, the tool can also be used to perform fuzzing of the IPv6 stack of a device.

Project details

Chiron is written in Python.

Strengths and weaknesses

+ The source code of this software is available

- No releases on GitHub available

Typical usage

Network analysis
Network scanning
Network security monitoring

Chiron review

Pytbull (pytbull)

Introduction

None

Project details

Scirius

Introduction

Scirius is a web application to do Suricata ruleset management. There is both a community version as paid version available.

Project details

Scirius is written in Python.

Strengths and weaknesses

+ The source code of this software is available

Typical usage

Network security monitoring

Scirius review

100

Suricata

Introduction

Suricata is a somewhat younger NIDS, though has a rapid development cycle. It can work with Snort rulesets, yet also has optimized rulesets for usage with Suricata itself. For example, this set is known as Emerging Threats and fully optimized.

Project details

Suricata is written in C, Lua.

Strengths and weaknesses

+ More than 50 contributors
+ The source code of this software is available

Typical usage

Information gathering
Intrusion detection
Network analysis
Threat discovery

Suricata review

100

Acra

Introduction

Acra is a database encryption proxy that provides encryption and data leakage prevention to applications. It provides selective encryption, access control, database and data leak prevention, and even intrusion detection capabilities. It is focused on developers and supports most popular programming languages such as Go, PHP, Python, Ruby.

Project details

Acra is written in Golang, Node.js, Objective-C, PHP, Python, Ruby.

Strengths and weaknesses

+ Commercial support available
+ The source code of this software is available

Typical usage

Data encryption
Data leak prevention
Data security
Vulnerability mitigation

Acra review

100

GRR Rapid Response

Introduction

The goal of the GRR tooling is to support digital forensics and investigations. By using a fast and scalable model, analysts can quickly perform their analysis. One of the main features is the ability to search for particular information or details. This process is called hunting.

Project details

GRR Rapid Response is written in Python.

Strengths and weaknesses

+ More than 25 contributors
+ More than 3000 GitHub stars
+ The source code of this software is available
+ Supported by a large company

Typical usage

Digital forensics
Intrusion detection
Threat hunting

GRR Rapid Response review

Loki

Introduction

Loki is security tool to find so-called indicators of compromise (IOC). It does this by scanning files and then uses pattern matching.

Project details

Loki is written in Python.

Strengths and weaknesses

+ More than 10 contributors
+ Commercial support available
+ More than 500 GitHub stars
+ The source code of this software is available

Typical usage

Digital forensics
Intrusion detection
Security monitoring

Loki review

Maltrail

Introduction

Maltrail monitors for traffic on the network that might indicate system compromise or other bad behavior. It is great for intrusion detection and monitoring.

Project details

Maltrail is written in Python.

Strengths and weaknesses

+ More than 10 contributors
+ More than 3000 GitHub stars
+ The source code of this software is available

Typical usage

Intrusion detection
Network analysis
Security monitoring

Maltrail review

Some relevant tool missing as an alternative to Samhain? Please contact us with your suggestion.