
Threat Hunting

  • BeaKer – BeaKer visualizes Microsoft Sysmon network data to help threat hunters track down the source of suspicious network connections. The custom dashboard presents which users and executables created connections between two given IPs, how many times they’ve connected, the protocols and ports used, and much
  • Snort – Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld’s Open Source Hall of Fame as one of the “greatest [pieces of] open source software of all time”.
  • Zeek – Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
  • OSSEC – Comprehensive Open Source HIDS. Not for the faint of heart. Takes a bit to get your head around how it works. Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. Plenty of reasonable documentation. Sweet spot is medium to large deployments.
  • Suricata – Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.
  • Security Onion – Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Zeek, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
  • sshwatch – IPS for SSH, similar to DenyHosts, written in Python. It can also log information about the attacker while the attack is in progress.
  • Stealth – File integrity checker that leaves virtually no sediment on the monitored host. The controller runs from another machine and checks the file system over SSH at defined pseudo-random intervals, which makes it hard for an attacker to know that the checks are taking place. Highly recommended for small to medium deployments.
  • AIEngine – AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine. It can learn without human intervention and provides NIDS (Network Intrusion Detection System) functionality, DNS domain classification, a network collector, network forensics and many other capabilities.
  • Denyhosts – Thwarts SSH dictionary-based attacks and brute-force attacks.
  • Fail2Ban – Scans log files and takes action on IPs that show malicious behavior.
  • SSHGuard – Protects services in addition to SSH; written in C.
  • Lynis – An open source security auditing tool for Linux/Unix.
  • CrowdSec – CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network.
  • datamash – GNU datamash is a command-line program which performs basic numeric, textual and statistical operations on input textual data files.
  • RITA – The Real Intelligence Threat Analytics framework ingests Zeek logs, or PCAPs converted to Zeek logs, to find signs of malicious activity.
  • BZAR – The BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) project uses the Bro/Zeek Network Security Monitor to detect ATT&CK-based adversarial activity.