intrusion detection system
Apache Intrusion Detection Module 1.0
Apache Intrusion Detection Module is a simple tool to find out intrusion attempts by examining the client requests in real time.
This is a simple attempt to build an Intrusion Detection Module for Apache. It is being run at two different sites successfully, but there is a performance penalty, as the module intercepts all object requests and checks them against the list of vulnerable CGI applications.
Issuing a simple make should do in most cases; at worst, tweak the Makefile. The make process will compile mod-id as an Apache DSO module; if your server has no DSO support you will need more time...
Any suggestions and improvements are welcome.
Download (0.031MB)
Added: 2006-04-04 License: GPL (GNU General Public License) Price:
1304 downloads
Bait and Switch Honeypot System 2.1
The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense.
To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system. Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data, and your clients and/or users are still safely accessing the real system.
Life goes on, your data is safe, and you are learning about the bad guy as an added benefit. The system is based on Snort, Linux's iproute2, netfilter, and custom code for now.
We plan to add additional support in the future if possible.
Enhancements:
- So it's beta release day. The final package is up, but largely unannounced. I've cleaned up the few bugs I knew about, added the blacklisting feature, tested and added features to electr0n's config script, and updated the documentation to the point where I think it's very usable and easy to understand.
- I have also added a baitnswitch-users mailing list through SourceForge.
Download (0.37MB)
Added: 2006-07-13 License: BSD License Price:
1201 downloads
ARPSpoofDetector 0.1.3
ARPSpoofDetector performs active and passive detection of ARP spoofing and IP (IPv4) address collision. The program can send healing packets with regular ARP information.
ARPSpoofDetector is a new GPL project initiated by NetMasters.CZ customers (especially 100MEGA Distribution). We didn't find a suitable intrusion detection system or other applicable software to solve ARP spoofing detection and IP collision without false alarms and with easy configuration for our customers.
Main features:
- passive ARP spoofing detection from broadcast ARP reply packets
- passive IP collision detection from broadcast ARP packets and netbios packets
- active IP collision detection by sending ARP request packets
Log example:
Mon Jul 23 21:49:26 2007
Warning: IP 192.168.1.10 collision detected!
SERVER MAC address: 00:4f:ED:7C:3A:B9
ATTACKER MAC address: 00:20:38:7C:3A:CE
Attacker NETBIOS name: PERSEUS
Attacker NETBIOS group: WORKGROUP
Last attacker IP was 192.168.1.9
IP changes history:
From: Mon Jul 23 21:48:47 2007 To: Mon Jul 23 21:49:10 2007 was IP 192.168.1.3 (maybe over DHCP)
From: Mon Jul 23 21:49:10 2007 To: Mon Jul 23 21:49:26 2007 was IP 192.168.1.6 (maybe over DHCP)
Download (0.034MB)
Added: 2007-08-12 License: GPL v3 Price:
807 downloads
Intelligent Filesystem Guard 1.0
Intelligent Filesystem Guard is a tool that monitors information about changes in files and directories.
Intelligent Filesystem Guard can be used either for the detection of changes in important files (as an intrusion detection system guarding data against viruses and Trojan horses) or for guarding user data.
A large emphasis is put on monitoring files. One of the functions of this system is to tell what happened with the file according to a user query. The system is able to warn of any sort of change, such as modification, creation, erasure, or movement.
Download (0.090MB)
Added: 2006-04-26 License: GPL (GNU General Public License) Price:
1280 downloads
Making-Money-System 1.0
The Ultimate Safe Money Guide -Free Online Money Guide Make Your Online Money The Safe Way And Generate a Daily Income Stream. The best thing I came ...
Download (2117KB)
Added: 2009-04-04 License: Freeware Price: Free
207 downloads
Dynamic Taste Detection for XMMS 20020303
Dynamic Taste Detection patch makes XMMS adapt its playlist randomization function to your personal taste.
Songs you don't like end up at the end of the playlist, and songs you like to hear together tend to end up next to each other.
Download (2.8MB)
Added: 2006-04-12 License: GPL (GNU General Public License) Price:
1291 downloads
Open Blue Lab 1.4.4 (WareHouse Management System)
Open Blue Lab is a rapid application development framework for building Web 2.0 portal applications.
Download (1.3MB)
Added: 2006-08-14 License: GPL (GNU General Public License) Price:
691 downloads
Firewall Tester 1.0
The Firewall Tester (FTester) is a tool designed for testing firewall filtering policies and Intrusion Detection System (IDS) capabilities. The tool consists of two Perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part, while the sniffer listens for such marked packets. Both scripts write a log file in the same format. If the two scripts are run on hosts placed on two different sides of a firewall, a diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules. Stateful inspection firewalls are handled with the connection spoofing option. A script called freport is also available for automatically writing to log files.
Of course this is not an automated process; ftest.conf must be crafted for every different situation. Examples and rules are included in the attached configuration file.
The IDS (Intrusion Detection System) testing feature can be used either with ftest only or with the additional support of ftestd for handling stateful inspection IDS; ftest can also use common IDS evasion techniques. Instead of using the configuration syntax, the script can currently also process a Snort rule definition file.
These two scripts were written because I was tired of doing this by hand (with packet-crafting tools and tcpdump). I know that there are at least two dozen other methods to do this, but another reason was to learn some Perl ;). I hope that you enjoy them.
Main features:
- firewall testing
- IDS testing
- simulation of real tcp connections for stateful inspection firewalls and IDS
- connection spoofing
- IP fragmentation / TCP segmentation
- IDS evasion techniques
Download (0.030MB)
Added: 2006-07-07 License: GPL (GNU General Public License) Price:
1206 downloads
Devolution Security 3.0.6
Devolution Security is a video surveillance system for Linux-based systems. It supports up to 16 cameras and features unicast and multicast broadcasting, a Web interface, an X11 interface, themes, motion detection, record on motion, eight different camera layouts, camera cycling, fullscreen mode, and more. Devolution Security uses its own toolkit (dtk).
Main features:
- Up to 16 cameras
- Motion detection
- Record on motion detection
- Record up to 25 fps mpeg4 video
- Multicast live streams to local network
- Unicast to internet IP address
- Very configurable
- Themeable X11 interface
- Web based interface
Download (10MB)
Added: 2005-10-26 License: GPL (GNU General Public License) Price:
1486 downloads
EnGarde Community Edition 3.0.16
EnGarde is a secure distribution of Linux.
The Community Edition of EnGarde Secure Linux was designed to support features suitable for individuals, students, security enthusiasts, and those wishing to evaluate the level of security and ease of management available in Guardian Digital enterprise products.
EnGarde Community Edition's development is very much driven not only by the requests from the community, but also by their continued participation.
The Community Edition is a dynamic, rapidly-evolving product that serves to exhibit the best-of-breed applications currently under development.
Guardian Digital enterprise products provide greater levels of support, support for more advanced hardware, a more sophisticated upgrade path, and features more suitable for enterprises, including support for our other enterprise applications.
Main features:
- Simple and Secure Remote Administration
- Powerful Host Intrusion Detection
- Secure Network Services
- Built-in Support and Alerts
- Robust Network Intrusion Detection
- Quick and Secure Web, DNS, email, FTP
- Network Gateway Firewall
- Monitor System Access
- Protect Against Data Loss
- Security Control Center
- Engineered to be Secure
- Significantly Reduces Support Costs
Download (574MB)
Added: 2007-08-08 License: GPL (GNU General Public License) Price:
808 downloads
All System Info
All System Info is a system info SuperKaramba theme. Simple English version...
It shows:
- System Info
- CPU usage
- Network Usage
- Memory Load
- HDD usage
Download (0.19MB)
Added: 2006-07-05 License: GPL (GNU General Public License) Price:
1210 downloads
SIDEN 0.1.0
SIDEN is a distributed network discovery tool used for intrusion detection research. The current SIDEN architecture allows you to simulate coordinated/distributed network probes by a group of attackers.
SIDEN has been tested successfully on the OpenBSD and FreeBSD operating systems. If you try SIDEN and it works on any other platform, please contact me. Yes, it sounds interesting that I haven't even tested it out on the popular Linux platform. There should be little reason why it won't work on other platforms (especially UNIX variants), since it's fully implemented in Perl.
Download (0.020MB)
Added: 2006-07-08 License: GPL (GNU General Public License) Price:
1203 downloads
PushSite 2.6
PushSite provides a utility to update a remote site.
PushSite is intended for updating remote websites -- it's like mirroring but in reverse. It only sends the changed/new files to conserve bandwidth. Of course, it has other applications too (e.g. software distribution).
PushSite can detect changes to files held on the local system and update a copy on a remote system via FTP. It can also detect changes made directly to the remote site (basic intrusion detection). Only the amended files are updated thereby conserving bandwidth.
Added: 2007-04-28 License: GPL (GNU General Public License) Price:
910 downloads
Firestorm 0.5.5
Firestorm is an extremely high performance network intrusion detection system (NIDS). At the moment it is just a sensor, but plans are to include real support for analysis, reporting, remote console and on-the-fly sensor configuration. It is fully pluggable and hence extremely flexible. Firestorm performs a lot better than all other systems I have tested (such as snort and prelude) by as much as a factor of 2 (and that's under favourable conditions; it way outstrips the competition under a targeted DoS attack).
A Network Intrusion Detection System is a system which can identify suspicious patterns in network traffic. If a firewall is a doorman, a NIDS is an undercover KGB agent. He silently gathers intelligence and can watch an enemy even if the door security has already let them in (maybe the enemy can make fake identification documents).
Tested Platforms
Linux 2.x
FreeBSD 4.x
OpenBSD
Solaris
Should compile and run on any mainstream UNIX really...
Main features:
- Protocol anomaly detection
- Full application layer decodes
- Fully pluggable
- High performance OS Specific capture module for Linux
- Capture from libpcap files (normal AND redhat extended)
- Packet decode engine fully supports encapsulation
- Decode plugins included for many protocols (see below)
- Comprehensive snort rule support
- Wu-Manber setwise string matching
- Easy to configure; just one config file
- Can run chroot and with lowered privs (when started as root)
- Can run as a realtime process (when started as root)
- Preprocessors to allow supplementary modes of detection (eg: anomaly)
- Full IP defragmentation (passes fragroute evasion tests)
- TCP stateful inspection with window tracking
- Intelligent TCP stream reassembly
- HTTP URL normalization
- EXTREMELY fast and scalable signature engine
- Configurable token-bucket rate-limiting of any alerts
- GNOME2 based analyst console user interface
- Enhanced logging format for ease of analysis
- ELOG indexing for lightning fast sorting and filtering of alerts
Download (0.22MB)
Added: 2006-07-07 License: GPL (GNU General Public License) Price:
1208 downloads
LEAF Bering-uClibc 3.1 Beta 1
LEAF Bering-uClibc is a secure, feature-rich, customizable embedded Linux appliance for use in a variety of network topologies.
LEAF Bering-uClibc is the successor of the Bering distribution. By replacing glibc with uClibc, a significantly smaller distribution is possible. All packages are IPv6-ready and based on the latest sources. It also provides new and enhanced package management.
LEAF Bering-uClibc is available for download as a single-floppy-based firewall or as an ISO image. Additionally, booting from HD, CF or a USB device is supported.
The floppy image supports dhcp, ppp and pppoe connections out of the box and fits a SOHO network demanding a stable and secure router/Internet connection. Secure remote administration is available with dropbear, a small sshd replacement.
Using the ISO image, or a USB/CF/HD boot device, you can add about 150 packages to extend LEAF Bering-uClibc with capabilities like SNMP, 6wall (a shorewall-like IPv6 firewall setup utility), VPN, Intrusion Detection, Traffic Accounting, Quagga Routing Suite, bandwidth management and wireless connections, just to name a few.
What's New in 3.0.2 Stable Release:
- This release provides a minor fix for the config/package system and updates for dnsmasq, dropbear, and shorewall.
Download (0.42MB)
Added: 2007-03-23 License: MIT/X Consortium License Price:
947 downloads