As a founder of a security company, I’m constantly looking for open source tools to either incorporate in our offering, or get inspiration from, or provide integration with. And there are dozens of great open source security tools, so I decided to publish a list of them. This plethora of options is one of the reasons that security is so hard – they are many different ways to achieve something and it almost always involves headaches with configuring and connecting various “point solutions” (as marketers call them). So here’s the list in on apparent order (note that I’ve listed only defensive tools, offensive ones like metasploit, nmap, wireshark, etc. probably deserve a separate post):

Security monitoring, intrusion detection/prevention

• Suricata – intrusion detection system
• Snort – intrusion detection system
• Zeek – network security monitoring
• OSSEC – host-based intrusion detection system
• Wazuh – a more active fork of OSSEC
• Velociraptor – endpoint visibility and response
• OSSIM – open source SIEM, at the core of AlienVault
• SecurityOnion – security monitoring and log management
• Elastic SIEM – SIEM functionality by Elasticsearch
• Mozdef – SIEM-like layer ontop of
  Elasticsearch
• Sagan – log analytics and correlation
• Apache Metron – (retired) network security monitoring, evolved from Cisco OpenSOC
• Arkime – packet capture and search tool (formerly Moloch)
• PRADAS – real-time asset detection
• BloodHound – ActiveDirectory relationship detection

Threat intelligence

• MISP – threat intelligence platform
• SpiderFoot – threat intelligence aggregation
• OpenCTI – threat intelligence platform
• OpenDXL – open source tools for security intelligence sharing

Incident response

• StackStorm – SOAR platform
• CimSweep – Windows incident response
• GRR – incident response and remote live forensics
• TheHive – incident response / SOAR platform
• TheHive Cortex – TheHive companion used for fast queriying
• Shuffle – open source SOAR platform
• osquery – real-time querying of endpoint data
• Kansa – PowerShell incident response

Vulnerability assessment

• OpenVAS – very popular vulnerability assessment

• ZAProxy – web vulnerability scanner by OWASP
• WebScarab – (obsolete) web vulnerability scanner by OWASP
• w3af – web vulnerability scanner
• Loki – IoC scanner
• CVE Search – set of tools for search in CVE data

Firewall

• pfsense – the most popular open source firewall
• OPNSense – hardenedBSD-based firewall
• Smoothwall – linux-based Firewall

Antivirus / endpoint protection

• ClamAV – open source antivirus angine
• Armadito AV – open source AV (retired)

Email security

• Hermes Secure Email Gateway – an Ubuntu-based email gateway
• Proxmox – email gateway
• MailScanner – email security system
• SpamAssassin – anti-spam platform
• OrangeAssassin – drop-in replacement of SpamAssassin

I’m sure there are more (and I’d be happy to add them, e.g. this list suggested in reddit, or others in the reddit thread). Assessing each individual tool, its ease of use, its compliance aspects and the combination between multiple tools is a hard task (here’s a SANS paper on “stitching” multiple tools together). And making sense of the whole landscape (as I’ve tried previously) hints about the complexity of a security professional’s job.