Suricata alternatives

Looking for an alternative tool to replace Suricata? During the review of Suricata we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. Zeek (network security monitoring tool)
  2. Sweet Security (security monitoring on Raspberry Pi and similar)
  3. Snort (network intrusion detection system)

These tools are ranked as the best alternatives to Suricata.

Alternatives (by score)

100

Zeek (Bro)

Introduction

Bro helps to perform security monitoring by looking into the network's activity. It can find suspicious data streams. Based on the data, it alert, react, and integrate with other tools.

Project details

Zeek is written in C++.

Strengths and weaknesses

  • + More than 50 contributors
  • + More than 2000 GitHub stars
  • + The source code of this software is available
  • + Well-known tool

    Typical usage

    • Security monitoring

    Zeek review

    64

    Sweet Security

    Introduction

    This tool helps with automating the installation of several components like Bro IDS, Elasticsearch, Logstash, Kibana (ELK stack), and Critical Stack. Saving time on installation and configuration is its primary purpose.

    Project details

    Sweet Security is written in Python.

    Strengths and weaknesses

    • + The source code of this software is available

      Typical usage

      • Network security monitoring
      • Security monitoring

      Sweet Security review

      67

      Snort

      Introduction

      Besides intrusion detection, Snort has the capabilities to prevent attacks. By taking a particular action based on traffic patterns, it can become an intrusion prevention system (IPS).

      Project details

      Snort is written in C.

      Strengths and weaknesses

      • + Supported by a large company
      • + Well-known tool

        Typical usage

        • Security monitoring

        Snort review

        76

        DejaVu

        Introduction

        DejaVu is an open source deception framework which can be used to deploy and administer decoys or canaries across a network infrastructure. Defenders can use deception as a technique to learn quickly about possible attackers on the network and take actions.

        Project details

        Strengths and weaknesses

        • + The source code of this software is available
        • - No releases on GitHub available

        Typical usage

        • Security monitoring
        • Threat discovery

        DejaVu review

        64

        CHIRON ELK

        Introduction

        CHIRON is a tool to provide network analytics based on the ELK stack. It is combined with Machine Learning threat detection using the Aktaion framework. Typical usage of the tool is home use and get the visibility of home internet devices. By leveraging the Aktaion framework, it helps with detection threats like ransomware, phishing, or other malicious traffic.

        Project details

        CHIRON ELK is written in Python.

        Strengths and weaknesses

        • + The source code of this software is available
        • - No releases on GitHub available

        Typical usage

        • Network analysis
        • Network security monitoring
        • Network traffic analysis
        • Threat discovery

        CHIRON ELK review

        68

        Scirius

        Introduction

        Scirius is a web application to do Suricata ruleset management. There is both a community version as paid version available.

        Project details

        Scirius is written in Python.

        Strengths and weaknesses

        • + The source code of this software is available

          Typical usage

          • Network security monitoring

          Scirius review

          85

          Maltrail

          Introduction

          Maltrail monitors for traffic on the network that might indicate system compromise or other bad behavior. It is great for intrusion detection and monitoring.

          Project details

          Maltrail is written in Python.

          Strengths and weaknesses

          • + More than 10 contributors
          • + More than 2000 GitHub stars
          • + The source code of this software is available

            Typical usage

            • Intrusion detection
            • Network analysis
            • Security monitoring

            Maltrail review

            100

            IVRE

            Introduction

            IVRE is a framework to perform reconnaissance for network traffic. It leverages other tools to pull in the data and show it in the web interface.

            Project details

            IVRE is written in Python.

            Strengths and weaknesses

            • + More than 10 contributors
            • + More than 1000 GitHub stars
            • + The source code of this software is available

              Typical usage

              • Digital forensics
              • Information gathering
              • Intrusion detection
              • Network analysis

              IVRE review

              97

              Moloch

              Introduction

              Moloch comes with a web interface that allows for easy browsing of pcap data (packet capture). It can also search in the data or export it. Besides pcap, the JSON format is supported, so data can be easily consumed in other tools (like Wireshark).

              Project details

              Moloch is written in C, Node.js.

              Strengths and weaknesses

              • + More than 25 contributors
              • + More than 3000 GitHub stars
              • + Many releases available
              • + The source code of this software is available
              • + Supported by a large company

                Typical usage

                • Network security monitoring
                • Security monitoring

                Moloch review

                100

                MISP

                Introduction

                MISP collects, stores, and distributes security indicators and discovered threats. This makes the platform useful for those involved with security incidents and malware research. Users benefit from having a well-tested platform to structure the vast number of data points available when it comes to security threats. The tooling allows interaction with other tools, like security incident and event management (SIEM) and intrusion detection systems (IDS).

                Project details

                MISP is written in PHP.

                Strengths and weaknesses

                • + More than 50 contributors
                • + The source code of this software is available

                  Typical usage

                  • Fraud detection
                  • Information gathering
                  • Threat hunting

                  MISP review

                  68

                  Chiron

                  Introduction

                  Chiron is a security assessment framework for IPv6. It provides several modules including an IPv6 scanner, IPv6 Local Link, IPv4-to-IPv6 proxy, IPv6 attack module, and IPv6 proxy. These modules help to perform an assessment, like a penetration test.

                  The tool uses IPv6 extension headers to create a headers chain. This may allow evading security devices like IDS, IPS, and firewalls. Due to the flexibility of the framework, the tool can also be used to perform fuzzing of the IPv6 stack of a device.

                  Project details

                  Chiron is written in Python.

                  Strengths and weaknesses

                  • + The source code of this software is available
                  • - No releases on GitHub available

                  Typical usage

                  • Network analysis
                  • Network scanning
                  • Network security monitoring

                  Chiron review

                  56

                  Pytbull (pytbull)

                  Introduction

                  None

                  Project details

                  59

                  OSSEC

                  Introduction

                  OSSEC uses a centralized, cross-platform architecture allowing multiple systems to be monitored and managed.

                  Highlights:
                  The OSSEC project was acquired by Third Brigade, Inc in June 2008. This included the copyrights owned by Daniel Cid, its project leader. They promised to continue the development, keep it open source, and extend commercial support and training to the community.

                  Trend Micro acquired Third Brigade in May 2009. This included the OSSEC project. Trend Micro promised to keep the software open source and free.

                  Project details

                  Strengths and weaknesses

                  • + Commercial support available
                  • + Well-known tool
                  • - Commercial support available

                  OSSEC review

                  52

                  Samhain

                  Introduction

                  Samhain is a host-based intrusion detection system (HIDS). It provides file integrity checking and log file monitoring/analysis. Additional features are rootkit detection, port monitoring, detection of rogue SUID executables, and the detection of hidden processes.

                  Samhain is typically deployed as a standalone application, although it supports centralized logging. This makes it ideal for environments with multiple systems.

                  Samhain is open source software and written by Rainer Wichmann.

                  Project details

                  Strengths and weaknesses

                  • + The source code of this software is available

                    Samhain review

                    100

                    GRR Rapid Response

                    Introduction

                    The goal of the GRR tooling is to support digital forensics and investigations. By using a fast and scalable model, analysts can quickly perform their analysis. One of the main features is the ability to search for particular information or details. This process is called hunting.

                    Project details

                    GRR Rapid Response is written in Python.

                    Strengths and weaknesses

                    • + More than 25 contributors
                    • + More than 3000 GitHub stars
                    • + The source code of this software is available
                    • + Supported by a large company

                      Typical usage

                      • Digital forensics
                      • Intrusion detection
                      • Threat hunting

                      GRR Rapid Response review

                      80

                      HELK (The Hunting ELK)

                      Introduction

                      The main purpose to use HELK is to do analytic research on data, which are typically the events coming from your systems. Suspicious events could be discovered by doing so-called threat hunting. It may give additional insights about the existing infrastructure and required security defenses.

                      Project details

                      Strengths and weaknesses

                      • + The source code of this software is available

                        Typical usage

                        • System monitoring
                        • Threat discovery
                        • Threat hunting

                        HELK review

                        64

                        rastrea2r

                        Introduction

                        Rastrea2r is a threat hunting utility for indicators of compromise (IOC). It is named after the Spanish word rastreador, which means hunter. This multi-platform open source tool helps incident responders and SOC analysts to triage suspected systems. The hunt for IOCs can be achieved in just a matter of a few minutes.

                        Project details

                        Some relevant tool missing as an alternative to Suricata? Please contact us with your suggestion.