10 Open Source Security Breach Prevention and Detection Tools

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

While the breach prevention and detection market is dominated by names like Symantec, McAfee and Juniper, open source tools are also popular with security pros.

Open source security breach prevention and detection tools can play a major role in keeping your organization safe in the battle against hackers, cybercriminals and foreign governments.

Here are 10 of the best open source security intrusion prevention/detection systems (IPDS), firewalls, network monitoring platforms, anti-virus platforms and wireless monitoring applications.

Snort

Snort is the best known and de facto standard open source intrusion prevention system (IPS) for Windows and Unix, offering real-time traffic analysis and packet logging as well as full-blown intrusion prevention capabilities. The base Snort engine is freely available, has been downloaded over 4 million times and is probably the most widely deployed IPS in the world.

Snort rules are available on subscription, and free on a delayed basis.

SourceFire, the company that produces a commercial version of Snort, was acquired by Cisco in 2013, and Cisco security products make use of Snort’s open source technology.

Suricata

Similar to Snort, Suricata is a high-performance network IPDS and network security monitoring engine. Because it is multi-threaded, a single instance balances processing load across every processor core Suricata is configured to use on a sensor, allowing commodity hardware to reach 10 gigabit speeds without sacrificing ruleset coverage.

Suricata is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). The open source security software is being developed by the OISF and its supporting vendors which include FireEye, Proofpoint and Positive Technologies.

OSSEC

OSSEC is a scalable, multi-platform, open source host-based intrusion detection system, downloaded on average 5,000 times per month to protect individual workstations and servers.

It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

Security Onion

Security Onion is a Linux distribution for general corporate security and includes open source security tools for intrusion detection, network security monitoring and log management.

The open source distro is based on Ubuntu and contains many of the open source security tools discussed here, including Snort, Suricata, Bro, OSSEC and others including Sguil, Squert, ELSA, Xplico and NetworkMiner.

Bro Network Security Monitor

Bro is an open source network security platform that illuminates network activity in detail and can be deployed at scale. It provides a comprehensive platform for more general network traffic analysis, and its security features include event correlation, attack detection and log recording.

The open source software is being developed by a core team of researchers and developers at the International Computer Science Institute in Berkeley, Calif., and the National Center for Supercomputing Applications in Urbana-Champaign, Ill.

Vistumbler

Vistumbler is an open source Wi-Fi stumbler that allows you to detect and locate Wi-Fi access points, including unauthorized rogue access points. It uses the Windows Native Wi-Fi API or netsh to find access points and gather wireless information. Vistumbler can be used with a GPS unit to pinpoint the location of the access points it finds and display them in a Google Earth file.

Shorewall

The Shoreline Firewall, more commonly known as “Shorewall,” is a high-level tool for configuring Linux’s Netfilter packet filter feature. It can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone Linux system.

Shorewall does not use Netfilter’s ipchains compatibility mode and can thus take advantage of Netfilter’s connection state tracking capabilities.

Smoothwall Express

Smoothwall Express is an open source firewall that includes its own security-hardened Linux operating system and an easy-to-use Web interface.

Features include LAN, DMZ and wireless network support, real-time content filtering and HTTPS filtering.

Project sponsor Smoothwall Ltd also sells proprietary UTM, Web access manager and secure Web gateway products.

Untangle NG Firewall

NG Firewall is a next-generation platform for deploying network-based applications that inspect network traffic concurrently. The platform unites these applications around a common GUI, database and reporting system.

The free version of NG Firewall, called NG Firewall Free, includes 11 open source applications including Web filtering, application control, virus blocker, intrusion prevention and firewalling.

ClamAV

ClamAV is the open source standard for mail gateway scanning antivirus software, and is available for Windows, OS X, Linux and BSD.

The open source scanning tool includes a multi-threaded scanner daemon, command line utilities for on-demand file scanning and automatic signature updates, which are made available every few hours.

The ClamAV project is owned by Cisco.

Paul Rubens