20 Open Source Security Tools for Blue Teams

Start building your defensive capability with these powerful tools. Highly capable open source security tools are allowing Blue Teams to confront threats head on.

The following is an overview of 10 20* essential security tools which enable defenders to build resilient systems and networks. These open-source security tools are effective, well supported, and can provide immediate value.

Nmap - map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfiguration and security related information around network services. After you have nmap installed be sure to look at the features of the included ncat - its netcat on steroids.
Read More: NMAP Cheat Sheet
OpenVAS - open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial. Manage all aspects of a security vulnerability management system from web based dashboards. For a fast and easy external scan with OpenVAS try our online OpenVAS scanner.
Read More:
Install OpenVAS on Kali
OpenVAS Tutorial and tips
OSSEC - host based intrusion detection system or HIDS, easy to setup and configure. OSSEC has far reaching benefits for both security and operations staff.
Read More: OSSEC Intro and Installation Guide

Security Onion
Security Onion - a network security monitoring distribution that can replace expensive commercial grey boxes with blinking lights. Security Onion is easy to setup and configure. With minimal effort you will start to detect security related events on your network. Detect everything from brute force scanning kids to those nasty APT's.

Metasploit Framework
Metasploit Framework - test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.
OpenSSH - secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel. Includes scp providing easy access to copy files securely. Can be used as poor mans VPN for Open Wireless Access points (airports, coffee shops). Tunnel back through your home computer and the traffic is then secured in transit. Access internal network services through SSH tunnels using only one point of access. From Windows, you will probably want to have putty as a client and winscp for copying files. Under Linux just use the command line ssh and scp.
Read More: SSH Examples Tips & Tunnels
Wireshark - view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems. Tcpdump and Tshark are command line alternatives. Wireshark runs on Windows, Linux, FreeBSD or OSX based systems.
Read More:
Wireshark Tutorial and cheatsheet
tshark tutorial and filter examples.
Kali Linux
Kali Linux - was built from the foundation of BackTrack Linux. Kali is a security testing Linux distribution based on Debian. It comes prepackaged with hundreds of powerful security testing tools. From Airodump-ng with wireless injection drivers to Metasploit this bundle saves security testers a great deal of time configuring tools.
Nikto - a web server testing tool that has been kicking around for over 10 years. Nikto is great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems. It won't find your XSS and SQL web application bugs, but it does find many things that other tools miss.
Read More: Nikto install and tutorial
Yara is a robust malware research and detection tool with multiple uses. It allows for the creation of custom rules for malware families, which can be text or binary. Useful for incident response and investigations. Yara scans files and directories and can examine running processes.
Arkime (formerly Moloch)
Arkime - is packet capture analysis ninja style. Powered by an elastic search backend this makes searching through pcaps fast. Has great support for protocol decoding and display of captured data. With a security focus this is an essential tool for anyone interested in traffic analysis.
ZEEK (formerly Bro IDS)
ZEEK - Zeek is highly scalable and can be deployed onto multi-gigabit networks for real time traffic analysis. It can also be used as a tactical tool to quickly assess packet captures.
Read More:
Deploy Zeek in 5 minutes with Docker.
Zeek Dashboard using Grafana
Bro-IDS install and tutorial

Snort - is a real time traffic analysis and packet logging tool. It can be thought of as a traditional IDS, with detection performed by matching signatures. The project is now managed by Cisco who use the technology in its range of SourceFire appliances. An alternative project is the Suricata system that is a fork of the original Snort source.
Read More:
Snort Tutorial and Practical Examples
Suricata install and tutorial

OSQuery - monitors a host for changes and is built to be performant from the ground up. This project is cross platform and was started by the Facebook Security Team. It is a powerful agent that can be run on all your systems (Windows, Linux or OSX) providing detailed visibility into anomalies and security related events.
Read More:
OSQuery Linux Tutorial and Tips with Examples

GRR - Google Rapid Response
GRR - Google Rapid Response - a tool developed by Google for security incident response. This python agent / server combination allows incident response to be performed against a target system remotely.
Running ClamAV on gateway servers (SMTP / HTTP) is a popular solution for companies that lean into the open source world. With a team run out of Cisco Talos, it is no wonder that this software continues to kick goals for organisations of all sizes.
Read more: ClamAV install and tutorial
Velociraptor A DFIR Framework. Used for endpoint monitoring, digital forensics, and incident response.
Supports custom detections, collections, and analysis capabilities to be written in queries instead of coElastic Stackde. Queries can be shared, which allows security teams to hunt for new threats swiftly. Velociraptor was acquired by Rapid 7 in April 2021. At the time of this article Rapid 7 indicated there are no plans for them to make Velociraptor commercial but will embed it into their Insight Platform.
ELK Stack | Elastic Stack
A collection of four open-source products — Elasticsearch, Logstash, Beats and Kibana. Use data from any source or format. Then search, analyze, and visualize it in real-time. Commonly known as the Elk Stack, now known as Elastic Stack. Alternative options include the open source Graylog or the very popular (commercial) Splunk.
Sigma | SIEM Signatures
Sigma is a standardised format for developing rules to be used in SIEM systems (such as ELK, Graylog, Splunk). Enabling researchers or analysts to describe their developed detection methods and make them shareable with others. Comprehensive rules available for detection of known threats. Rule development is often closely aligned with MITRE ATT&CK®.
MISP | Threat Intelligence Sharing Platform
MISP is a platform for the collection, processing and distribution of open source threat intelligence feeds. A centralised database of threat intelligence data that you can run to enable your enrich your SIEM and enable your analysts. Started in 2011 this project comes out of The Computer Incident Response Center Luxembourg (CIRCL). It is used by security analysts, governments and corporations around the world.
Updated 2024 - Open Source Blue Team Security Tools have matured and become increasingly effective and powerful over the past few years. It is a great time to be a defender. Stitch together a few of these tools and develop an advanced defensive capability for your organisation. Read through for new tutorials, tips and examples linked to the resources listed above.

Next Level Your Technical Network Intelligence

Use Cases and More Info

  • 13 Vulnerability Scanners
  • 17 Free DNS & Network Tools
  • 4+ Billion Records of DNS / IP data