20 Open Source Security Tools for Blue Teams

Highly capable open source security tools are allowing Blue Teams to confront threats head on. Start building your defensive capability with these powerful tools.

The following is an overview of 10 20* essential security tools which enable defenders to build resilient systems and networks. These open-source security tools are effective, well supported, and can provide immediate value.

Nmap - map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfiguration and security related information around network services. After you have nmap installed be sure to look at the features of the included ncat - its netcat on steroids.
Read More: NMAP Cheat Sheet

OpenVAS - open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial. Manage all aspects of a security vulnerability management system from web based dashboards. For a fast and easy external scan with OpenVAS try our online OpenVAS scanner.
Read More: Install OpenVAS on Kali and OpenVAS Tutorial and tips

OSSEC - host based intrusion detection system or HIDS, easy to setup and configure. OSSEC has far reaching benefits for both security and operations staff.
Read More: OSSEC Intro and Installation Guide
Security Onion
Security Onion - a network security monitoring distribution that can replace expensive commercial grey boxes with blinking lights. Security Onion is easy to setup and configure. With minimal effort you will start to detect security related events on your network. Detect everything from brute force scanning kids to those nasty APT's.
Metasploit Framework
Metasploit Framework - test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.

OpenSSH - secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel. Includes scp providing easy access to copy files securely. Can be used as poor mans VPN for Open Wireless Access points (airports, coffee shops). Tunnel back through your home computer and the traffic is then secured in transit. Access internal network services through SSH tunnels using only one point of access. From Windows, you will probably want to have putty as a client and winscp for copying files. Under Linux just use the command line ssh and scp.
Read More: SSH Examples Tips & Tunnels

Wireshark - view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems. Tcpdump and Tshark are command line alternatives. Wireshark runs on Windows, Linux, FreeBSD or OSX based systems.
Read More: Wireshark Tutorial and cheatsheet and tshark tutorial and filter examples.

Kali Linux
Kali Linux - was built from the foundation of BackTrack Linux. Kali is a security testing Linux distribution based on Debian. It comes prepackaged with hundreds of powerful security testing tools. From Airodump-ng with wireless injection drivers to Metasploit this bundle saves security testers a great deal of time configuring tools.

Nikto - a web server testing tool that has been kicking around for over 10 years. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems. It won't find your XSS and SQL web application bugs, but it does find many things that other tools miss.
Read More: Nikto install and tutorial

Yara is a robust malware research and detection tool with multiple uses. It allows for the creation of custom rules for malware families, which can be text or binary. Useful for incident response and investigations. Yara scans files and directories and can examine running processes.

Arkime (formerly Moloch)
Arkime - is packet capture analysis ninja style. Powered by an elastic search backend this makes searching through pcaps fast. Has great support for protocol decoding and display of captured data. With a security focus this is an essential tool for anyone interested in traffic analysis.

ZEEK previously known as Bro IDS
ZEEK - totes itself as more than an Intrusion Detection System, and it is hard to argue with this statement. The IDS component is powerful, but rather than focusing on signatures as seen in traditional IDS systems this tool decodes protocols and looks for anomalies within the traffic.
Read More: Bro-IDS install and tutorial
Snort - is a real time traffic analysis and packet logging tool. It can be thought of as a traditional IDS, with detection performed by matching signatures. The project is now managed by Cisco who use the technology in its range of SourceFire appliances. An alternative project is the Suricata system that is a fork of the original Snort source.
Read More: Suricata install and tutorial

OSQuery - monitors a host for changes and is built to be performant from the ground up. This project is cross platform and was started by the Facebook Security Team. It is a powerful agent that can be run on all your systems (Windows, Linux or OSX) providing detailed visibility into anomalies and security related events.

GRR - Google Rapid Response
GRR - Google Rapid Response - a tool developed by Google for security incident response. This python agent / server combination allows incident response to be performed against a target system remotely.

Running ClamAV on gateway servers (SMTP / HTTP) is a popular solution for companies that lean into the open source world. With a team run out of Cisco Talos, it is no wonder that this software continues to kick goals for organisations of all sizes.
Read more: ClamAV install and tutorial

Velociraptor A DFIR Framework. Used for endpoint monitoring, digital forensics, and incident response.
Supports custom detections, collections, and analysis capabilities to be written in queries instead of coElastic Stackde. Queries can be shared, which allows security teams to hunt for new threats swiftly. Velociraptor was acquired by Rapid 7 in April 2021. At the time of this article Rapid 7 indicated there are no plans for them to make Velociraptor commercial but will embed it into their Insight Platform.

ELK Stack | Elastic Stack
A collection of four open-source products — Elasticsearch, Logstash, Beats and Kibana. Use data from any source or format. Then search, analyze, and visualize it in real-time. Commonly known as the Elk Stack, now known as Elastic Stack. Alternative options include the open source Graylog or the very popular (commercial) Splunk.

Sigma | SIEM Signatures
Sigma is a standardised format for developing rules to be used in SIEM systems (such as ELK, Graylog, Splunk). Enabling researchers or analysts to describe their developed detection methods and make them shareable with others. Comprehensive rules available for detection of known threats. Rule development is often closely aligned with MITRE ATT&CK®.

MISP | Threat Intelligence Sharing Platform
MISP is a platform for the collection, processing and distribution of open source threat intelligence feeds. A centralised database of threat intelligence data that you can run to enable your enrich your SIEM and enable your analysts. Started in 2011 this project comes out of The Computer Incident Response Center Luxembourg (CIRCL). It is used by security analysts, governments and corporations around the world.
Updated 2021 - Open Source Blue Team Security Tools have matured and become increasingly effective and powerful over the past few years. It is a great time to be a defender. Stitch together a few of these tools and develop an advanced defensive capability for your organisation.
Poster showing a list of useful open source tools for Blue Teams

Next Level Your Technical Network Intelligence

Get Access Now

  • 13 Vulnerability Scanners

  • 17 Free DNS & Network Tools

  • 4+ Billion Records of DNS / IP data