Tools and Description


This article reviews top ten network analysis tools for different functional areas.

1. SolarWinds NetFlow Traffic Analyzer, aka Orion NTA


Full investigation of network activities
SolarWinds NetFlow Traffic Analyzer is a widely used NetFlow analysis utility. It helps to explore
traffic flow activities over the network and examines the device behaviour for excessive traffic flow.
This tool allows network administrators to regulate extreme bandwidth utilisation for smooth network
operations without upgrading network resources.
NetFlow Traffic Analyzer can examine standard Flow data of multivendor network devices such as
Cisco, Juniper, Riverbed, HP, Nortel, or Huawei with central GUI based network applications. It also
supports triggered alerts and reports on the basis of accumulated Flow data to achieve appropriate
network utilization. Instead of IP or port based Flow analysis, you can also map common web
applications such as Facebook, Twitter, or torrent sites for application based analysis.
Using this utility, administrators can customise different chart elements to simplify the chart view by eliminating unnecessary data. This tool also supports sFlow v2 & v4 and vSwitch interfaces to capture data.
Price: Starts at $1875; 30-day free trial can be downloaded from the link below.
Website:
http://www.solarwinds.com/netflow-traffic-analyzer.aspx
Pros

Variety of chart customisations

Advanced applications mapping (Facebook, online gaming portals)

Full SNMP management

Cons

Network Performance Monitor is required for full functionality.

2. Alcatel-Lucent's Motive Network Analyzer Copper


Ultimate utility to examine service providers' copper access networks
Motive Network Analyzer Copper (NA-C) offers comprehensive inspection of service provider networks, with rapid fault localisation and quick troubleshooting through its near-real-time smart carrier data collection, expert diagnosis and repair advice capabilities. This tool also helps a carrier's network optimise day-to-day DSL stability issues to meet the requirements of high-bandwidth network services, and it assists easy upgrades to ADSL2+, VDSL2, and VDSL2 vectoring and bonding.
Motive NA-C enhances line stability, performance, and proactive fault detection with Single-ended Line Testing (SELT) and Dual-ended Line Testing (DELT) to identify various connectivity problems, including detection and localisation of open-circuit/short-circuit faults and powered-down CPE detection. Motive NA-C allows service providers to offer customer-focused, stress-free network solutions and services and to manage reliability with their clients.
Price: Price details are not disclosed by the company. Click here to buy: https://www.alcatel-lucent.com/how-to-buy-form
Website: https://www.alcatel-lucent.com/products/motive-network-analyzer-copper
Pros

Multivendor DSLAM support

On-demand line quality inspections

Single-ended/Double-ended/Narrow Line Testing

Cons

Some of its features are quite complex and difficult to understand.

Domain specific analysis

3. Alcatel-Lucent's Motive Network Analyzer Fiber


Ultimate utility to manage fiber access networks
Motive Network Analyzer Fiber (NA-F) helps service providers to improve their fiber access network by enhancing fiber activation success rate, fault identification and availability to customers. This network analyzer reduces operating costs of fiber access networks by providing smooth integration with existing operations support systems (OSSs), GPON equipment and customer systems. It features automated power validation upon PON provisioning or repair actions, catching problems that go unobserved during manual, error-prone validation. With GIS map integration, this tool enhances rapid fault localisation and diagnostics by pinpointing the exact fault location, thereby helping administrators resolve issues quickly.
Its Link Quality Indicator evaluates end-to-end proactive maintenance of fiber access networks to provide fast, consistent and accurate fault localisation. This utility can also examine fiber-related ONT UNI configuration issues and Ethernet connectivity problems of customers.
Price: Price details are not disclosed by the company. Click here to buy: https://www.alcatel-lucent.com/how-to-buy-form
Website: https://www.alcatel-lucent.com/products/motive-network-analyzer-fiber
Pros

Automatic power validation

Embedded optical time-domain reflectometer (OTDR) measurements

SLA-based critical link monitoring

Fault localisation visuals on GIS maps

Cons

Limited to fiber access networks

Takes time to understand its features

4. Nagios Network Analyzer


Detailed analysis for small to large scale networks
Nagios Network Analyzer is a widely used flow data analysis utility. It offers detailed analysis of various network services such as POP3, HTTP, ICMP, etc. It generates quick and easily interpreted charts to refine captured data, with very valuable statistics like processor and disk usage, bandwidth utilisation and much more to assess a network's health.
Nagios Network Analyzer can be easily integrated with Nagios XI and can also be customised to meet network requirements. This tool provides a central view of network traffic and bandwidth utilisation and also offers automated alerts and SNMP traps when suspicious activity takes place on the network.
The Nagios Network Analyzer system has two categories of licensing:
1) Open source foundation cores and components like NFDUMP and RRDTool.
2) Nagios Network Analyzer UI and system frameworks, which are released under a commercial license and contain some code used under license by Nagios Enterprises that cannot be released under an OSS license.
Price: $995 for 1 license https://www.nagios.com/products/nagios-network-analyzer/#pricing
Download Link:
https://www.nagios.com/downloads/nagios-network-analyzer/

Website:
https://www.nagios.com/products/nagios-network-analyzer/
Pros

Comprehensive dashboard

Easily understandable graphs

Automated alert system

Advanced user management

Cons

Sometimes unresponsive with sFlow capture

5. ManageEngine NetFlow Analyzer


Good for medium to large scale multi-vendor networks
ManageEngine Netflow Analyzer is a good choice to examine multi-vendor LAN/WAN environments.
Using this utility you will be able to analyse most NetFlow packets originating from enterprise routers
or switches, and it also helps administrators by producing network traffic reports to recognise the
ongoing activities of the network.
This tool can effectively collect various traffic flows such as NetFlow, sFlow, jFlow, etc., and provides
less complicated data outcomes for easy understanding. It also enables you to customise various
device flows into different groups to manage multiple networks as a single entity.
ManageEngine NetFlow Analyzer doesn't require any special hardware configuration to run and can map most application flows such as Oracle, PeopleSoft, MSSQL, etc. It can integrate with high-end Cisco technologies such as NBAR, CBQoS, etc., and also provides real-time network observation with in-depth analysis of what kinds of traffic, applications, and conversations are running throughout the network, which helps a network administrator to resolve issues quickly.

For pricing or more information visit:


https://www.manageengine.com/products/netflow/
Pros

Validation of QoS policies

Automated Netflow reports

In-depth analysis by creating IP or Device groups

Role-based user access

6. Capsa Free
Recommended freeware utility for LAN analysis
Capsa Free is a freeware utility for Ethernet monitoring, troubleshooting and analysis. It offers both LAN and WLAN near-real-time packet analysis, capturing and automated diagnosis with its built-in functionalities such as superior packet decoding and comprehensive examination of the entire network.
Capsa Free can easily identify and analyse hundreds of network protocols with its smart custom reporting, e-mail monitoring, and TCP timing sequence charts for 24/7 network monitoring.
You can also design your own dashboard with required parameters and services to analyse real-time traffic flow; administrators are also free to customise alarm triggers.
Price: Capsa Free is a freeware utility and can be downloaded from the link provided below.
Download Link:
http://www.colasoft.com/download/products/capsa_free.php
Website:
http://www.colasoft.com/capsa-free/

Pros

In-depth LAN analysis

Customised automated alarms

Easy to understand network analysis (recommended for learning purposes)

Cons

Fewer options for customisation

Limited to Ethernet packets analysis

7. Wireshark
A freeware tool recommended for small and medium enterprise networks
Wireshark is a well-known utility which needs no introduction; almost every network specialist knows about it. This freeware application is widely used for network monitoring and analysis at a microscopic level.
This tool offers online or offline deep inspections of various protocols and can be installed on any
standard platform such as Windows, Linux, OS X, Solaris, etc. It can capture data from various
sources including Ethernet, WLAN, WAN and many others. Captured data can be accessed via GUI,
TTY-mode or TShark utility.
Most network instructors use Wireshark in their training programs to capture packets and
demonstrate the packet inspection to provide better understanding of packet flow to their students.
Website:
https://www.Wireshark.org/
Download link:
https://www.Wireshark.org/download.html
Pros

Read/Write support for various capture file formats such as tcpdump, Cisco Secure IDS iplog, Network General Sniffer, etc.

Examination of LAN/WAN protocols

In-depth VoIP analysis

Cons

Fewer options for charts/reporting

Limited functionalities as can be expected from freeware utilities

8. Caligare Flow Inspector


A complete network analysis with lots of conditional customisations
Caligare is an official Cisco partner in technology development, and its Flow Inspector tool provides optimal NetFlow analysis with different set conditions such as source/destination IP addresses, interfaces, and TCP/UDP/ICMP protocols. It also offers real-time network analysis and user data tracking so that network administrators can reduce the risk of data or network failure. The best part about this utility is its statistics reports. Using this software program you will be able to know:

Source and Destination hosts with the highest network utilisation

Most used applications throughout the network

Top protocol distributions over the network

Source and Destination Autonomous Systems with the most network flows

Top interfaces, next-hops and ICMP distributions, etc.

Price: To find pricing information for the Professional edition (for 1-9 devices) or Enterprise edition (unlimited devices), follow this link: http://www.caligare.com/netflow/order.php
Or, download a free version at http://www.caligare.com/netflow/free_netflow.php
Website:
http://www.caligare.com/netflow/caligare_flow_inspector.php
Pros

Easy QoS and VoIP analysis

Heuristic application recognizer

Well-structured statistics with various parameters

LDAP authentication support

Cons

Free and Professional versions have some limitations

9. SteelCentral Packet Analyzer


A tool with quick analysis of multi-gigabyte trace files
SteelCentral Packet Analyzer, also known as Cascade Pilot, is a product of well-known network
solution company Riverbed. It is fully integrated with Wireshark and its Send to Wireshark feature
exports only the selected traffic for deep packet inspection to Wireshark.
This tool can process multi-gigabyte trace files in a few seconds and also analyse local and remote
online/offline traffic sources using simple drag-and-drop multi-level drill-down. It also detects
anomalies using the Watches feature and helps administrators identify specific traffic through the
collection of network analysis metrics called Views.
Price: Not disclosed by the company; you will have to contact the company's sales executive. For a 30-day trial copy, visit http://www.riverbed.com/contact/Try-Evaluate-Cascade-Pilot-30-DayTrial.html
Website: https://support.riverbed.com/content/support/software/steelcentralnpm/packet-analyzer.html
Pros

Flexible trigger-alerting mechanism

Rapid analysis of multi-gigabyte trace files

Fully integrated with Wireshark

10. Riverbed AirPcap


A must-have utility for advanced WLAN analysis with Wireshark
Riverbed AirPcap offers wireless packet capture solutions for MS Windows environments and
delivers deep protocol analysis of multiple traffic flows. All 802.11 captured data can be integrated
with Wireshark and SteelCentral Packet Analyzer. There are three variants of Riverbed AirPcap:

AirPcap Classic can capture and analyse low-level 802.11b/g wireless traffic.

AirPcap Tx includes all functionalities of AirPcap Classic and supports packet injection as well.

AirPcap Nx offers dual-band solutions including packet capture and injection for 802.11a/b/g/n, and features 2x2 MIMO with two internal antennas and two integrated MC-Card connectors for optional external antennas.

Website: https://support.riverbed.com/content/support/software/steelcentralnpm/airpcap.html
Pros

Integration with Wireshark and SteelCentral Packet Analyzer

Dual band compatibility with AirPcap Nx

Cons

Limited to wireless packet capture

Not available as a standalone product (must be integrated with Wireshark or SteelCentral Packet Analyzer)

TOP 20
1. Microsoft Network Monitor
Microsoft Network Monitor is a packet analyzer that allows you to capture, view and
analyze network traffic. This tool is handy for troubleshooting network problems and
applications on the network. Main features include support for over 300 public and
Microsoft proprietary protocols, simultaneous capture sessions, a Wireless Monitor
Mode and sniffing of promiscuous mode traffic, amongst others.

When you launch Microsoft Network Monitor, choose which adapter to bind to from
the main window and then click New Capture to initiate a new capture tab. Within
the Capture tab, click Capture Settings to change filter options, adapter options, or
global settings accordingly and then hit Start to initiate the packet capture process.

2. Nagios
Nagios is a powerful network monitoring tool that helps you to ensure that your critical
systems, applications and services are always up and running. It provides features
such as alerting, event handling and reporting. The Nagios Core is the heart of the
application that contains the core monitoring engine and a basic web UI. On top of
the Nagios Core, you are able to implement plugins that will allow you to monitor
services, applications, and metrics, a chosen frontend as well as add-ons for data
visualisation, graphs, load distribution, and MySQL database support, amongst
others.
Tip: If you want to try out Nagios without needing to install and configure it from scratch, download Nagios XI and enable the free version. Nagios XI is the pre-configured, enterprise-class version built upon Nagios Core and is backed by a commercial company that offers support and additional features such as more plugins and advanced reporting.
Note: The free version of Nagios XI is ideal for smaller environments and will monitor up to seven nodes.

Once you've installed and configured Nagios, launch the Web UI and begin to configure host groups and service groups. Once Nagios has had some time to monitor the status of the specified hosts and services, it can start to paint a picture of what the health of your systems looks like.

3. OpenNMS
OpenNMS is an open source enterprise grade network management application that
offers automated discovery, event and notification management, performance
measurement, and service assurance features. OpenNMS includes a client app for
the iPhone, iPad or iPod Touch for on-the-go access, giving you the ability to view
outages, nodes, alarms and add an interface to monitor.

Once you successfully log in to the OpenNMS web UI, use the dashboard to get a
quick snapshot view of any outages, alarms or notifications. You can drill down and
get more information about any of these sections from the Status drop down menu.
The Reports section allows you to generate reports to send by e-mail or download as
a PDF.

4. Advanced IP Scanner
Advanced IP Scanner is a fast and easy to use network scanner that detects any
network devices (including wireless devices such as mobile phones, printers and
Wi-Fi routers) on your network. It allows you to connect to common services such as
HTTP, FTP and shared folders if they are enabled on the remote machine. You are
also able to wake up and shut down remote computers.

The installer allows you to fully install the application on your machine or run the
portable version. When you launch Advanced IP Scanner, start by going to Settings >
Options to select which resources to scan and how fast/accurate you want the results
to be. You can then choose which subnet to scan and proceed with pressing the
Scan button. Once the scan is complete, expand the results to see which resources
you are able to connect to for each discovered device.

5. Capsa Free
Capsa Free is a network analyzer that allows you to monitor network traffic,
troubleshoot network issues and analyze packets. Features include support for over
300 network protocols (including the ability to create and customize protocols), MSN
and Yahoo Messenger filters, email monitor and auto-save, and customizable reports
and dashboards.

When you launch Capsa, choose the adapter you want it to bind to and click Start to
initiate the capture process. Use the tabs in the main window to view the dashboard,
a summary of the traffic statistics, the TCP/UDP conversations, as well as packet
analysis.

6. Fiddler
Fiddler is a web debugging tool that captures HTTP traffic between chosen
computers and the Internet. It allows you to analyze incoming and outgoing data to
monitor and modify requests and responses before they hit the browser. Fiddler gives
you extremely detailed information about HTTP traffic and can be used for testing the
performance of your websites or security testing of your web applications (e.g. Fiddler
can decrypt HTTPS traffic).

When you launch Fiddler, HTTP traffic will start to be captured automatically. To
toggle traffic capturing, hit F12. You can choose which processes you wish to capture
HTTP traffic for by clicking on All Processes in the bottom status bar, or by dragging
the Any Process icon from the top menu bar onto an open application.

7. NetworkMiner
NetworkMiner captures network packets and then parses the data to extract files and images, helping you to reconstruct events that a user has performed on the network; it can also do this by parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can obtain information such as hostname, operating system and open ports from hosts.

In the example above, I set NetworkMiner to capture packets, opened a web browser
and searched for soccer as a keyword on Google Images. The images displayed in
the Images tab are what I saw during my browser session.
When you load NetworkMiner, choose a network adapter to bind to and hit the Start
button to initiate the packet capture process.

8. Pandora FMS
Pandora FMS is a performance monitoring, network monitoring and availability
management tool that keeps an eye on servers, applications and communications. It
has an advanced event correlation system that allows you to create alerts based on
events from different sources and notify administrators before an issue escalates.

When you log in to the Pandora FMS Web UI, start by going to the Agent detail and
Services node from the left hand navigation pane. From here, you can configure
monitoring agents and services.

9. Zenoss Core
Zenoss Core is a powerful open source IT monitoring platform that monitors
applications, servers, storage, networking and virtualization to provide availability and
performance statistics. It also has a high performance event handling system and an
advanced notification system.

Once you login to Zenoss Core Web UI for the first time, you are presented with a
two-step wizard that asks you to create user accounts and add your first few devices /
hosts to monitor. You are then taken directly to the Dashboard tab. Use the
Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss
Core and review reports and events that need attention.

10. PRTG Network Monitor Freeware


PRTG Network Monitor monitors network availability and network usage using a
variety of protocols including SNMP, Netflow and WMI. It is a powerful tool that offers
an easy to use web-based interface and apps for iOS and Android. Amongst others,
PRTG Network Monitor's key features include:
(1) Comprehensive Network Monitoring which offers more than 170 sensor types for
application monitoring, virtual server monitoring, SLA monitoring, QoS monitoring
(2) Flexible Alerting, including 9 different notification methods, status alerts, limit
alerts, threshold alerts, conditional alerts, and alert scheduling
(3) In-Depth Reporting, including the ability to create reports in HTML/PDF format,
scheduled reports, as well as pre-defined reports (e.g. Top 100 Ping Times) and
report templates.
Note: The Freeware version of PRTG Network Monitor is limited to 10 sensors.

When you launch PRTG Network Monitor, head straight to the configuration wizard to get started. This wizard will run you through the main configuration settings required to get the application up and running, including adding the servers to monitor and choosing which sensors to use.

11. The Dude


The Dude is a network monitoring tool that monitors devices and alerts you when
there is a problem. It can also automatically scan all devices on a given subnet and
then draw and layout a map of your network.

When you launch The Dude, you first choose to connect to a local or remote network
and specify credentials accordingly. Click Settings to configure options for SNMP,
Polling, Syslog and Reports.

12. Splunk
Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic, etc). You can set up alerts to notify you when something is wrong or use Splunk's extensive search, reporting and dashboard features to make the most of the collected data. Splunk also allows you to install Apps to extend system functionality.
Note: When you first download and install Splunk, it automatically installs the
Enterprise version for you to trial for 60 days before switching to the Free version. To
switch to the Free version straight away, go to Manager > Licensing.

When you login to the Splunk web UI for the first time, add a data source and
configure your indexes to get started. Once you do this you can then create reports,
build dashboards, and search and analyze data.

13. Angry IP Scanner


Angry IP Scanner is a standalone application that facilitates IP address and port scanning. It is used to scan a range of IP addresses to find hosts that are alive and obtain information about them (including MAC address, open ports, hostname, ping time, NetBIOS information, etc).

When you execute the application, go to Tools > Preferences to configure Scanning
and Port options, then go to Tools > Fetchers to choose what information to gather
from each scanned IP address.

14. Icinga 2
Icinga is a Linux-based, fully open source monitoring application which checks the availability of network resources and immediately notifies users when something goes down. Icinga provides business intelligence data for in-depth analysis and a powerful command line interface.

When you first launch the Icinga web UI, you are prompted for credentials. Once you've authenticated, use the navigation menu on the left-hand side to manage the configuration of hosts, view the dashboard and reports, see a history of events, and more.

15. Total Network Monitor


Total Network Monitor continuously monitors hosts and services on the local network,
notifying you of any issues that require attention via a detailed report of the problem.
The result of each probe is classified using green, red, or black colors to quickly show whether the probe was successful, had a negative result or wasn't able to complete.

When you launch Total Network Monitor, go to Tools > Scan Wizard to have the
wizard scan a specified network range automatically and assign the discovered hosts
to a group. Alternatively, create a new group manually to start adding devices/hosts
individually.

16. NetXMS

NetXMS is a multi-platform network management and monitoring system that offers event management, performance monitoring, alerting, reporting and graphing for the entire IT infrastructure model. NetXMS's main features include support for multiple operating systems and database engines, distributed network monitoring, auto-discovery, and business impact analysis tools, amongst others. NetXMS gives you the option to run a web-based interface or a management console.

Once you log in to NetXMS you need to first go to the Server Configuration window to change a few settings that are dependent on your network requirements (e.g. changing the number of data collection handlers or enabling network discovery). You can then run the Network Discovery option for NetXMS to automatically discover devices on your network, or add new nodes by right-clicking on Infrastructure Services and selecting Tools > Create Node.

17. Xymon
Xymon is a web-based system designed to run on Unix-based systems that
allows you to dive deep into the configuration, performance and real-time statistics of
your networking environment. It offers monitoring capabilities with historical data,
reporting and performance graphs.

Once youve installed Xymon, the first place you need to go is the hosts.cfg file to add
the hosts that you are going to monitor. Here, you add information such as the host IP
address, the network services to be monitored, what URLs to check, and so on.
When you launch the Xymon Web UI, the main page lists the systems and services
being monitored by Xymon. Clicking on each system or service allows you to bring up
status information about a particular host and then drill down to view specific
information such as CPU utilization, memory consumption, RAID status, etc.

18. WirelessNetView
WirelessNetView is a lightweight utility (available as a standalone executable or
installation package) that monitors the activity of reachable wireless networks and
displays information related to them, such as SSID, Signal Quality, MAC Address,
Channel Number, Cipher Algorithm, etc.

As soon as you execute WirelessNetView, it automatically populates a list of all reachable Wi-Fi networks in the area and displays information relevant to them (all columns are enabled by default).
Note: Wireless Network Watcher is a small utility that goes hand in hand with WirelessNetView. It scans your wireless network and displays a list of all computers and devices that are currently connected, showing information such as IP address, MAC address, computer name and NIC manufacturer, all of which can be exported to an html/xml/csv/txt file.

19. Xirrus Wi-Fi Inspector


Xirrus Wi-Fi Inspector can be used to search for Wi-Fi networks, manage and
troubleshoot connections, verify Wi-Fi coverage, locate Wi-Fi devices and detect
rogue Access Points. Xirrus Wi-Fi Inspector comes with built-in connection, quality
and speed tests.

Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is displayed in the Networks pane. Details related to your current Wi-Fi connection are displayed in the top right-hand corner. Pretty much everything happens from the top ribbon bar: you can run a test, change the layout, edit settings, refresh connections, etc.

20. Wireshark
This list wouldn't be complete without the ever popular Wireshark. Wireshark is an interactive network protocol analyzer and capture utility. It provides for in-depth inspection of hundreds of protocols and runs on multiple platforms.

When you launch Wireshark, choose which interface you want to bind to and click the green shark fin icon to get going. Packets will immediately start to be captured. Once you've collected what you need, you can export the data to a file for analysis in another application or use the in-built filter to drill down and analyze the captured packets at a deeper level from within Wireshark itself.
Are there any free tools not on this list that you've found useful and would like to share with the community? Then leave us a comment below and let us know!


SNIFFING TOOLS: Top 10 Data/Packet Sniffing and Analyzer Tools for Hackers

1: Wireshark
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic
open source network protocol analyzer for Unix and Windows. It allows you to examine
data from a live network or from a capture file on disk. You can interactively browse the
capture data, delving down into just the level of packet detail you need. Wireshark has
several powerful features, including a rich display filter language and the ability to view
the reconstructed stream of a TCP session. It also supports hundreds of protocols and
media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).
http://media-2.cacetech.com/video/wireshark/introduction-to-wireshark/

2: Tcpdump
Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene,
and many of us continue to use it frequently. It may not have the bells and whistles
(such as a pretty GUI or parsing logic for hundreds of application protocols) that
Wireshark has, but it does the job well and with fewer security holes. It also requires
fewer system resources. While it doesn't receive new features often, it is actively
maintained to fix bugs and portability problems. It is great for tracking down network
problems or monitoring activity. There is a separate Windows port named WinDump.
TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used
by Nmap among many other tools.

3: Cain and Abel


UNIX users often smugly assert that the best free security tools support their platform
first, and Windows ports are often an afterthought. They are usually right, but Cain &
Abel is a glaring exception. This Windows-only password recovery tool handles an
enormous variety of tasks. It can recover passwords by sniffing the network, cracking
encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording
VoIP conversations, decoding scrambled passwords, revealing password boxes,
uncovering cached passwords and analyzing routing protocols. It is also well
documented.

4: Kismet
Kismet is a console (ncurses) based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating.

5: Dsniff
This popular and well-engineered suite by Dug Song includes many tools. dsniff,
filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for
interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof
facilitate the interception of network traffic normally unavailable to an attacker
(e.g., due to layer-2 switching). sshmitm and webmitm implement active
monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting
weak bindings in ad-hoc PKI. A separately maintained partial Windows port is also
available. Overall, this is a great toolset. It handles pretty much all of your password
sniffing needs.

6: NetStumbler
Netstumbler is the best known Windows tool for finding open wireless access points
(wardriving). They also distribute a WinCE version for PDAs and such
named Ministumbler. The tool is currently free but Windows-only and no source code is
provided. It uses a more active approach to finding WAPs than passive sniffers such
as Kismet or KisMAC.

7: Ettercap
Ettercap is a terminal-based network sniffer/interceptor/logger for Ethernet LANs. It
supports active and passive dissection of many protocols (even encrypted ones, like ssh
and https). Data injection into an established connection and filtering on the fly are also
possible, keeping the connection synchronized. Many sniffing modes were implemented
to give you a powerful and complete sniffing suite. Plugins are supported. It has the
ability to check whether you are in a switched LAN or not, and to use OS fingerprints
(active or passive) to let you know the geometry of the LAN.

8: Ngrep
ngrep strives to provide most of GNU grep's common features, applying them to the
network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular
or hexadecimal expressions to match against the data payloads of packets. It currently
recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null
interfaces, and understands BPF filter logic in the same fashion as more common packet
sniffing tools, such as tcpdump and snoop.

9: Ntop
Ntop shows network usage in a way similar to what top does for processes. In
interactive mode, it displays the network status on the user's terminal. In Web mode, it
acts as a Web server, creating an HTML dump of the network status. It sports a
NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric
monitoring applications, and RRD for persistently storing traffic statistics.

10: EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman.
Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically
with a color coded protocols display. Hosts and links change in size with traffic. It
supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to
be shown, and can read traffic from a file as well as live from the network.

3. SNORTING:
4. IDS and IPS:
If an IPS is a control tool, then an IDS is a visibility tool. Intrusion Detection Systems sit off to
the side of the network, monitoring traffic at many different points, and provide visibility into the
security posture of the network.

Open Source Intrusion Detection Tools: A Quick Overview
Joe Schreiber
January 13, 2014

Whether you need to monitor hosts or the networks connecting them to identify the
latest threats, there are some great open source intrusion detection (IDS) tools available
to you.
I won't bore you with how long I've been doing network security, but I'd been doing
packet analysis before any of these tools even existed. Tcpdump and me, good buddies.
I've deployed and managed virtually every commercial and open source IDS tool out
there. In fact, my ardor for packets landed me a job analyzing network traffic for Fortune
50 companies while working at a major MSSP I'm sure everyone has heard of. Enough
about me, let's get to it.

Network IDS - These tools operate by inspecting traffic that occurs between hosts.

If you aren't already running network IDS, you should be. There are two types of
network IDS: signature detection and anomaly detection.
In a signature-based IDS, there are rules or patterns of known malicious traffic that it is
looking for. Once a match to a signature is found, it generates an alert. These alerts can
turn up issues such as malware, scanning activity, attacks against servers and much
more.
With anomaly-based IDS, the payload of the traffic is far less important than the activity
that generated it. An anomaly-based IDS tool relies on baselines rather than signatures.
It looks for unusual activity that deviates from statistical averages of previous
activity, or for activity that has not been seen before. Perhaps a server is sending out
more HTTP traffic than usual, or a new host has appeared inside your DMZ.
Both are typically deployed in the same manner, though one could make the case (and
people have) that an anomaly-based IDS can easily be built on externally collected
NetFlow data or similar traffic information.
Looking for attacks isn't the only use case for IDS; you can also use it to find violations
of network policy. IDS will tell you an employee was using Gtalk, uploading to Box, or
spending all their time watching Hulu instead of working.
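To make the two detection styles concrete, here is an added example (my own code, not from this post and not Snort's or Suricata's code) that does both over constructed data: the signature half parses a deliberately simplified Snort-style rule syntax (header plus msg, content and sid options, literal content match only) and runs the rules over a handful of made-up packets; the anomaly half keeps a per-host history of daily request counts and alerts when a host jumps past mean + 3 standard deviations of its own history, or when a host has never been seen before. The rule sids in the 1000000+ range, the IP addresses and the request counts are all constructed for the example.

```python
"""Toy network IDS: signature matching with a simplified Snort-style rule
syntax, plus baseline-based anomaly detection over per-host request counts.
Added example over constructed packets and counts (no real capture involved)."""
import re
import statistics
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]   # None means "any"
    content: bytes         # literal byte string that must appear in the payload


# Header: "alert proto src sport -> dst dport", then options in parentheses.
# Only the subset needed here is parsed (proto, dport, msg, content, sid).
RULE_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')


def parse_rule(text: str) -> Rule:
    """Parse one simplified Snort-style rule line into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {k: (q if q else bare.strip()) for k, q, bare in OPT_RE.findall(m.group("opts"))}
    dport = None if m.group("dport") == "any" else int(m.group("dport"))
    return Rule(sid=int(opts["sid"]), msg=opts["msg"], proto=m.group("proto").lower(),
                dport=dport, content=opts["content"].encode())


def signature_alerts(rules, packets):
    """Signature IDS: one hit per (rule, packet) pair whose header and content match."""
    hits = []
    for pkt in packets:
        for r in rules:
            if r.proto != pkt.proto:
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            if r.content in pkt.payload:
                hits.append((r.sid, r.msg, pkt.src, pkt.dst))
    return hits


def anomaly_alerts(baseline, current, k=3.0):
    """Anomaly IDS: flag hosts whose count exceeds mean + k*stdev of their own
    history, and hosts with no history at all. baseline: {host: [past counts]}."""
    hits = []
    for host, count in current.items():
        history = baseline.get(host)
        if not history:
            hits.append((host, count, "previously unseen host"))
            continue
        mean = statistics.fmean(history)
        sd = max(statistics.pstdev(history), 1.0)   # floor: a flat history must not alert on +1
        if count > mean + k * sd:
            hits.append((host, count, f"exceeds baseline {mean:.1f} +/- {sd:.1f}"))
    return hits


# ---- constructed sample data (rules, packets and counts are all made up) ----
RULES = [parse_rule(t) for t in (
    'alert tcp any any -> any 80 (msg:"WEB /etc/passwd requested"; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"Root shell banner in TCP stream"; content:"uid=0(root)"; sid:1000002;)',
)]
PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.80", "10.0.0.7", "tcp", 4444, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    Packet("10.0.0.5", "10.0.0.53", "udp", 53, b"/etc/passwd"),   # wrong proto and port: no alert
]
BASELINE = {"10.0.0.5": [40, 45, 42, 38, 44], "10.0.0.7": [10, 12, 11, 9, 13]}
CURRENT = {"10.0.0.5": 43, "10.0.0.7": 310, "10.0.0.9": 5}


def run_demo():
    """Return (signature hits, anomaly hits) over the constructed data."""
    return signature_alerts(RULES, PACKETS), anomaly_alerts(BASELINE, CURRENT)


if __name__ == "__main__":
    sig, anom = run_demo()
    for hit in sig:
        print("SIGNATURE", hit)
    for hit in anom:
        print("ANOMALY  ", hit)
```

Note the asymmetry the post describes: the signature side never fires on the UDP packet that carries the same string, because the rule header restricts protocol and port, while the anomaly side says nothing about what 10.0.0.7 sent, only that its volume is far outside its own history.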

Snort

Ah, the venerable piggy that loves packets. I'm sure everyone remembers 1998 as the
year a version of Windows came out, but it was also the year that Martin Roesch first
released Snort. Though it really wasn't a true IDS then, its destiny had been written.
Since then it has become the de facto standard for IDS and eventually IPS (thanks to
community effort!). It's important to note that Snort has no real GUI or easy-to-use
administrative console. Lots of other open source tools have been created to help out,
notably Snorby and others like BASE and Sguil.

Long product life with no signs of going away

Great community support

Plenty of administrative front-ends

Thoroughly proven and tested


You can find Snort inside AlienVault, not just used as a tool but fully integrated from
signature updates to packet match display.

Suricata

What's the only reason for not running Snort? If you're using Suricata instead. Though
Suricata's architecture is different from Snort's, it behaves the same way as Snort and can
use the same signatures. What's great about Suricata is what else it's capable of over
Snort. It does so much more that it probably deserves a dedicated post of its own. Let's
run down a few of them:

Multi-Threaded - Snort runs with a single thread, meaning it can only use one
CPU (core) at a time. Suricata can run many threads, so it can take advantage of all the
CPUs/cores you have available. There has been much contention on whether this is
advantageous: Snort says no and a few benchmarks say yes.

Built-in Hardware Acceleration - Did you know you can use graphics cards to
inspect network traffic?

File Extraction - Someone downloading malware? You can capture it right from
Suricata and study it.

LuaJIT - It's a lot of letters, yes, but it's also a scripting engine that can be used
with information from the packets inspected by Suricata. This makes complex matching
even easier, and you can even gain efficiency by combining multiple rules into one
script.

Logging more than packets - Suricata can grab and log things like TLS/SSL certs,
HTTP requests, DNS requests.

So much more...

With so many features and capabilities it's no wonder it's the default network IDS inside
USM now.

Bro

Bro, sometimes referred to as Bro-IDS, is a bit different from Snort and Suricata. In a
way Bro is both a signature- and anomaly-based IDS. Its analysis engine converts
captured traffic into a series of events. An event could be a user logon to FTP, a
connection to a website, or practically anything. The power of the system is what
comes after the event engine, and that's the Policy Script Interpreter. This policy engine
has its own language (Bro-Script) and it can do some very powerful and versatile
tasks.
If you're an analyst and you've wondered "How can I automate some of my work?" then
this is the tool you've been looking for. Want to download files seen on the wire, submit
them for malware analysis, notify you if a problem is found, then blacklist the source and
shut down the computer of the user who downloaded it? Want to track the usage patterns
of a user after they've contacted an IP from a reputation database?
If you're not an analyst then this tool will have a challenging learning curve. Since it was
developed as a research tool it didn't initially focus on things like GUIs, usability, and
ease of installation. While it does many cool things out of the box, many of those things
aren't immediately actionable and may be difficult to interpret.
Summary:

Complicated to set up

Can detect patterns of activity other IDS systems can not

Very extensible architecture

Starting to gain a larger community following

Kismet

Just as Snort became the standard for network intrusion detection, Kismet is the baseline for
wireless IDS. Wireless IDS deals less with the packet payload and more with strange
things happening inside the wireless protocols (mostly 802.11) and functions. WIDS will
find unauthorized access points (rogue AP detection), perhaps one created by an
employee accidentally (yes, I've seen that) that opens a network up. Perhaps someone
has stood up an AP with the same name as your corporate network to perform MITM
attacks? Kismet will find all of these. Kismet runs on a variety of platforms, even
Android. Besides IDS, Kismet can also be used for more utilitarian things like wireless site
surveys or fun activities like wardriving.

Host IDS - Host-based IDS systems, or HIDS, work by monitoring activity that is
occurring internally on a host.
HIDS look for unusual or nefarious activity by examining logs created by the operating
system, looking for changes made to key system files, tracking installed software, and
sometimes examining the network connections a host makes. The first HIDS systems
were rather rudimentary, usually just creating MD5 hashes of files on a recurring basis
and looking for discrepancies (File Integrity Monitoring). Since then HIDS have grown
far more complex and perform a variety of useful security functions. Also, if you need to
become compliant with one of the many standards (PCI, ISO, etc.) then HIDS is
compulsory.
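The "hash files on a recurring basis and look for discrepancies" approach is small enough to show end to end. The following is an added example written for this page, not the code of OSSEC, Samhain or any Tripwire variant: it snapshots every regular file under a directory (SHA-256 plus size and permission bits, where the early tools used MD5), stores the snapshot as a baseline, and later diffs a fresh snapshot against it to report added, removed and modified files. The directory tree it monitors is a constructed stand-in for /etc built in a temporary directory, and the changes it detects are simulated.

```python
"""Minimal file integrity monitor in the spirit of the early HIDS described
above: hash every file under a directory, store the baseline, and later
compare a fresh snapshot against it. Added example, not the code of OSSEC,
Samhain or Tripwire; uses SHA-256 where the early tools used MD5."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash and metadata for one regular file (what the baseline stores)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def snapshot(root: Path) -> dict:
    """Map relative path -> record for every regular file under root (symlinks skipped)."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; for modified files, list which recorded fields changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k)]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap: dict, dest: Path) -> None:
    # In a client/server HIDS this file is shipped to the central server rather
    # than left on the monitored host, where whoever altered the files could
    # alter the baseline too.
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def run_demo() -> dict:
    """Build a constructed directory tree, baseline it, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"              # constructed stand-in for a real /etc
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "hosts").chmod(0o644)
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated changes after the baseline was taken: a second uid-0 account
        # appended, a permission change, one cron job removed and a new one added.
        with (root / "passwd").open("a") as fh:
            fh.write("svc:x:0:0::/:/bin/sh\n")
        (root / "hosts").chmod(0o600)
        (root / "cron.d" / "backup").unlink()
        (root / "cron.d" / "update").write_text("*/5 * * * * root /usr/local/bin/update\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Recording mode bits alongside the hash is what lets the monitor notice the hosts change, whose content and hash are untouched; real HIDS agents record owner, inode and timestamps as well, and run the snapshot on a schedule rather than on demand.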

OSSEC

In the realm of full-featured open source HIDS tools, there is OSSEC and not much else.
Go ahead and google away, I'll wait. The great news is OSSEC is very good at what it
does and it is rather extensible. OSSEC will run on almost any major operating system
and uses a client/server architecture, which is very important in a HIDS system.
Since a HIDS could potentially be compromised at the same time the OS is, it's very
important that security and forensic information leave the host and be stored elsewhere
as soon as possible, to avoid any kind of tampering or obfuscation that would prevent
detection.
OSSEC's architecture incorporates this strategy by delivering alerts and logs to a
centralized server where analysis and notification can occur even if the host system is
taken offline or compromised. Another advantage of this architecture is the ability
to centrally manage agents from a single server. Since deployments can range from
one to thousands of installations, the ability to make changes en masse via a central
server is critical for an administrator's sanity.
When discussing OSSEC and other HIDS there is often trepidation about installing an agent
or software onto critical servers. It should be noted that the installation of OSSEC is
extremely light (the installer is under 1MB), and that the majority of analysis actually
occurs on the server, which means very little CPU is consumed by OSSEC on the host.
OSSEC also has the ability to send OS logs to the server for analysis and storage, which
is particularly helpful on Windows machines that have no native, cross-platform
logging mechanism.
Summary:

Agents for almost every OS

Compiled Agent for Windows

Lots more functionality than just FIM

Rigid but simple installation process


USM features a complete integration of OSSEC. Whether you need to install agents on
servers, modify policies, or even instigate OSSEC's active response features it can all be
done within USM. Logs from OSSEC clients are also pre-integrated into USM's SIEM and
Correlation engines.

Samhain

In comparison to OSSEC, Samhain is the best competition, but it's very much a case
of "same but different" when making the comparison. Samhain has the same
client/server architecture but it's not beholden to it like OSSEC is. The agent itself has a
variety of output methods, one being a central server, but others like syslog, e-mail, and
RDBMS are greatly appreciated.
Another important difference is where the analysis occurs. Unlike OSSEC, the processing
occurs on the client itself. While this gives an advantage in terms of processing
speed, it could have a potential impact on your servers. However, it does put those CPU
cycles to good use, as it has a much stronger emphasis on FIM.
Summary:

Harder to install

Windows clients require Cygwin

Great FIM functionality

More flexible client

OpenDLP

OpenDLP isn't really a HIDS system, but its functionality makes it worth a mention here.
This tool has one goal and that's DLP, or Data Loss Prevention. It scans data while
it's "at rest", looking for pieces of data like credit card numbers or SSNs, and can be
extended with regular expressions to find data that is sensitive to your organization.
OpenDLP will look for this data on file systems or even inside databases, on both Windows
and Linux. It can also perform these scans via an installable agent or without any software
installation.

Not a FIM or HIDS technically, but interesting

Very Windows friendly

Looks for DLP only

FIM Only
There are quite a few FIM tools that get categorized with HIDS. Some are actively
developed and others haven't been updated in years. Since these tools only perform
one function I won't elaborate much more. A few of these are AIDE, OS
Tripwire and AFick.

Security Onion
If you're interested in trying out some or all of the open source IDS tools from this post
you could save some time and check out Security Onion. It's a distribution of Ubuntu
with everything pre-installed.

Snort is one of the industry's top network intrusion-detection tools, but there are
plenty of free alternatives. Matthew Pascucci discusses.

Security Onion
Security Onion is an Ubuntu-based Linux distribution for network monitoring and
intrusion detection. The image can be distributed as sensors within the network to
monitor multiple VLANs and subnets, and works well in VMware and virtual
environments. This configuration can be used as an IDS only. It isn't currently
supported to be run as an IPS. However, there is the option to run this both as a
network and host intrusion-detection deployment, and to utilize services such as Sguil,
Bro IDS and OSSEC to perform the IDS functions of the service. The wiki and
documentation for the site and software are terrific, and defects and bugs are recorded
and reviewed. As great as Security Onion is, however, it still needs more assistance
with development, which will most likely happen in time.

OSSEC
OSSEC is an open source host intrusion-detection system (HIDS) that does more than
detect intrusions. Like most open source IDS offerings, there are multiple additional
modules that can be used with the core functionality of IDS. In addition to network
intrusion-detection, the OSSEC client has the ability to perform file integrity
monitoring and rootkit detection with real-time alerts, all of which are centrally
managed with the ability to create different policies, depending on a company's needs.
The OSSEC client runs locally on most operating systems, including Linux versions,
Mac OS X and Windows. It also offers commercial support via Trend Micro's Global
Support Team. This is a very mature offering.


OpenWIPS-NG
OpenWIPS-NG is a free wireless IDS/IPS that relies on a server, sensors and
interfaces. It runs on commodity hardware. Created by the author of Aircrack-NG, this
system uses many of the functions and services already built into Aircrack-NG for
scanning, detection and intrusion prevention. OpenWIPS-NG is modular and allows
an administrator to download plug-ins for additional features. The documentation isn't
as detailed as some systems', but it allows for companies to perform WIPS on a tight
budget.

Suricata
Out of all the IDS/IPS systems that are currently available, Suricata competes most
directly with Snort. This system has an architecture that is similar to Snort's, relies on
signatures like Snort, and can even use the VRT Snort rules and the same Emerging
Threats rule set that Snort itself uses. Being newer than Snort, Suricata has some way to
go to catch up in this area. If Snort isn't an option in your organization, this is the closest
free tool available to run on an enterprise network.

Bro IDS
Bro IDS is similar to Security Onion in that it uses more than IDS rules to determine
where attacks are coming from. Bro IDS uses a combination of tools. At one point it
used Snort-based signatures converted into Bro signatures. This is no longer the case,
and it is now possible to write custom signatures for the Bro IDS. This system is
highly documented and has been around for over 15 years.
Snort has definitely made its presence known by the influence it has over most of the
IDS/IPS market, including freeware and open source IDS/IPS. The systems reviewed
here all perform IDS/IPS a little differently, but are suitable, free alternatives that
companies on a budget can utilize to more fully protect their network.


About the author
Matthew Pascucci is a senior information security engineer for a large retail
company, where he leads the threat and vulnerability management program. He's
written for various information security publications, has spoken for many industry
companies and is heavily involved with his local InfraGard chapter. You can follow
him on Twitter at @matthewpascucci or check out his blog at
www.frontlinesentinel.com.

SecTools.Org: Top 125 Network Security Tools

For more than a decade, the Nmap Project has been cataloguing the network security
community's favorite tools. In 2011 this site became much more dynamic, offering
ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows
open source and commercial tools on any platform, except those tools that we
maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping
packet manipulator).
We're very impressed by the collective smarts of the security community and we
highly recommend reading the whole list and investigating any tools you are
unfamiliar with. Click any tool name for more details on that particular application,
including the chance to read (and write) reviews. Many site elements are explained by
tool tips if you hover your mouse over them. Enjoy!
Filtering by tag: ids (6 tools)
(1) Snort (#5, 2)

This network intrusion detection and prevention system excels at traffic analysis and
packet logging on IP networks. Through protocol analysis, content searching, and
various pre-processors, Snort detects thousands of worms, vulnerability exploit
attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based
language to describe traffic that it should collect or pass, and a modular detection
engine. Also check out the free Basic Analysis and Security Engine (BASE), a web
interface for analyzing Snort alerts.
While Snort itself is free and open source, parent company SourceFire offers their
VRT-certified rules for $499 per sensor per year and a complementary product line of
software and appliances with more enterprise-level features. Sourcefire also offers a
free 30-day delayed feed.
Latest release: version 2.9.7.5 on July 23, 2015 (10 months, 1 week ago).

(1) OSSEC HIDS (#27, 29)

OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based
alerting and active response. In addition to its IDS functionality, it is commonly used
as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs,
universities and data centers are running OSSEC HIDS to monitor and analyze their
firewalls, IDSs, web servers and authentication logs.
Latest release: version 2.8.2 on June 10, 2015 (11 months, 2 weeks ago).

(2) OSSIM (#48, new!)

Alienvault OSSIM stands for Open Source Security Information Management. Its
goal is to provide a comprehensive compilation of tools which, when working
together, grant network/security administrators with a detailed view over each and
every aspect of networks, hosts, physical access devices, and servers. OSSIM
incorporates several other tools, including Nagios and OSSEC HIDS.
Latest release: version 5.0.3 on June 2, 2015 (11 months, 4 weeks ago).

(1) Sguil (#86, 1)

Sguil (pronounced sgweel) is built by network security analysts for network security
analysts. Sguil's main component is an intuitive GUI that provides access to realtime
events, session data, and raw packet captures. Sguil facilitates the practice of Network
Security Monitoring and event driven analysis.
Latest release: version 0.9.0 on March 28, 2014 (2 years, 1 month ago).

(1) ArcSight SIEM platform (#115, new!)

ArcSight provides a suite of tools for SIEM (security information and event
management). The best-known seems to be ArcSight Enterprise Security Manager
(ESM), described as the "brain" of the SIEM platform. It is a log analyzer and
correlation engine designed to sift out important network events. The ESM itself is a
standalone appliance, and the management programs run on Linux, Windows, AIX,
and Solaris. For open-source alternatives see OSSEC HIDS and OSSIM.

(1) Honeyd (#124, 44)

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be
configured to run arbitrary services, and their TCP personality can be adapted so that
they appear to be running certain versions of operating systems. Honeyd enables a
single host to claim multiple addresses on a LAN for network simulation. It is
possible to ping the virtual machines, or to traceroute them. Any type of service on the
virtual machine can be simulated according to a simple configuration file. It is also
possible to proxy services to another machine rather than simulating them. It has
many library dependencies, which can make compiling/installing Honeyd
difficult.
Latest release: version 1.5c on May 27, 2007 (9 years ago).

INFORMATION GATHERING
TOOLS:
There are more than 20 tools that I use for information gathering, as it is the most important phase of any
hack attack and it is always good to gather as much information as you can. Very few people are aware
that the information collected in this phase is used to create dictionary files for brute-force attacks and
for social engineering attacks. Some of my favourite information gathering tools are:
a. Google (best for passive information gathering): use Google dorks at their best. You can get
thousands of such dorks on the exploit-db.com website.
b. Facebook, Google+, LinkedIn and other social networking sites are great places to gather
personal information about anyone.
c. Nothing beats Netcraft if you have to do passive information gathering on web servers.
d. Whois is always informative and is still considered the best tool for passive information gathering about
websites.
e. HTTrack and Webripper are also good tools to make an offline copy of any website for executing local
attacks, which we can't do on servers as nowadays most servers use exhaustive security protocols.
f. Wireshark: if you are talking about anything related to network sniffing or capturing network data, not a
single tool can beat Wireshark. It's really a wireless shark which eats everything :P.
g. A few other favourite tools for information gathering are DNSDICT, DNSRECON, DNSENUM.
h. Spokeo: a people search engine, where you can search for people by name, email and phone number.

There are many more tools that you can use for information gathering.

Top Information Gathering Tools:

Nmap
http://nmap.org/
P0f
http://lcamtuf.coredump.cx/p0f.shtml
MingSweeper
http://www.hoobie.net/mingsweeper/
THC Amap
http://freeworld.thc.org/thc-amap/
Angry IP Scanner
http://www.angryziber.com/w/Download
Unicornscan
http://sourceforge.net/projects/osace
Samspade
http://samspade.org/
Strobe
http://packetstormsecurity.org/UNIX/scanners/
Netcat
http://netcat.sourceforge.net/
Superscan
http://www.foundstone.com/us/resources/proddesc/superscan.htm
SQL Scan
http://www.foundstone.com/us/resources/proddesc/sqlscan.htm
ipEye
http://www.ntsecurity.nu/toolbox/ipeye/
Nuke Nabber
http://packetstormsecurity.org/MSDOS/audit/nn29b.exe
Snort
http://www.snort.org
Trout
http://www.foundstone.com/us/resources/proddesc/trout.htm
Hping2
http://www.hping.org/
XProbe2
http://www.sys-security.com/index.php?page=xprobe
EtherPeek (now known as OmniPeek)
http://www.wildpackets.com/
This is not the complete list and you are welcome to contribute to it. Any new
information gathering tools are welcome; please leave a comment.

Source: Top Information Gathering Tools For Hackers, Hacking Geeks

NETWORK SCANNING TOOLS:

Some only look at specific vulnerabilities, but there are also those
that offer broad IT security scanning.
1. OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a free
network security scanner platform, with most components
licensed under the GNU General Public License (GNU GPL). The
main component is available via several Linux packages or as a
downloadable virtual appliance for testing/evaluation purposes.
Though the scanner itself doesn't work on Windows machines,
they offer clients for Windows.

The main component of OpenVAS is the security scanner,
which can only run on Linux. It does the actual work of scanning
and receives a daily-updated feed of Network Vulnerability Tests
(NVTs), more than 33,000 in total.
The OpenVAS Manager controls the scanner and provides the
intelligence. The OpenVAS Administrator provides a command-line
interface and can act as a full service daemon, providing user
management and feed management.
There are a couple of clients to serve as the GUI or CLI. The
Greenbone Security Assistant (GSA) offers a web-based GUI.
The Greenbone Security Desktop (GSD) is a Qt-based desktop
client that runs on various OSs, including Linux and Windows.
And the OpenVAS CLI offers a command-line interface.
OpenVAS isn't the easiest and quickest scanner to install and
use, but it's one of the most feature-rich, broad IT security
scanners that you can find for free. It scans for thousands of
vulnerabilities, and supports concurrent scan tasks and scheduled
scans. It also offers note and false-positive management of the
scan results. However, it does require Linux, at least for the main
component.
2. Retina CS Community

Retina CS Community provides vulnerability scanning and
patching for Microsoft and common third-party applications, such
as Adobe and Firefox, for up to 256 IPs free. Plus it supports
vulnerabilities within mobile devices, web applications, virtualized
applications, servers, and private clouds. It looks for network
vulnerabilities, configuration issues, and missing patches.

The Retina CS Community software essentially provides just the
patching functionality. Retina Network Community is the software
that provides the vulnerability scanning, which must be
separately installed before the Retina CS Community software.

Retina CS Community installs on Windows Server 2008 or later,
requires the .NET Framework 3.5 to be installed, IIS server
enabled, and Microsoft SQL 2008 or later to be installed. Keep in
mind, installation on Domain Controllers or Small Business
Servers is not supported.
Once the software is installed you're provided with a GUI
program for the Retina Network Community component and a
web-based GUI for the Retina CS Community component. It supports
different user profiles so you can align the assessment to your job
function.

To scan you can choose from a variety of scan and report
templates and specify an IP range to scan, or use the smart selection
function. You can provide any necessary credentials for scanned
assets that require them and choose how you want the report
delivered, including email delivery or alerts.
Retina CS Community is a great free offering by a commercial
vendor, providing scanning and patching for up to 256 IPs free
and supporting a variety of assets. However, some small
businesses may find the system requirements too stringent, as it
requires a Windows Server.
3. Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) can perform local
or remote scans on Windows desktops and servers, identifying
any missing service packs, security patches, and common
security misconfigurations. The 2.3 release adds support for
Windows 8.1, Windows 8, Windows Server 2012 R2, and
Windows Server 2012, while also supporting previous versions
down to Windows XP.
MBSA is relatively straightforward to understand and use. When
you open it you can select a single Windows machine to scan by
choosing a computer name from the list or specifying an IP
address; when scanning multiple machines you can choose an
entire domain or specify an IP address range. You can then
choose what you want to scan for, including Windows, IIS and
SQL administrative vulnerabilities, weak passwords, and
Windows updates.

Once the scan is complete you'll find a separate report for each
Windows machine scanned, with an overall security classification
and categorized details of the results. For each item you can click
a link to read details on what was scanned and how to correct it
if a vulnerability was found, and for some you can click to see
more result details. The reports are automatically saved for future
reference, but you can also print and/or copy the report to the
clipboard.
Although free and user-friendly, keep in mind that MBSA lacks
scanning of advanced Windows settings, drivers, non-Microsoft
software, and network-specific vulnerabilities. Nevertheless, it's a
great tool to help you find and minimize general security risks.
4. Nexpose Community Edition

Nexpose Community Edition can scan networks, operating systems, web applications,
databases, and virtual environments. The Community Edition, however, limits you to scanning
up to 32 IPs at a time. It's also limited to one year of use before you must apply for a
new license. The vendor also offers a seven-day free trial of the commercial editions.
Nexpose installs on Windows, Linux, or virtual machines and provides a web-based GUI.
Through the web portal you create sites to define the IPs or URLs you'd like to scan, select
the scanning preferences and schedule, and provide any credentials needed for authenticated
scans of the assets.
Once a site is scanned you'll see a list of assets and vulnerabilities. You can see asset
details including OS and software information, and details on each vulnerability and how to
fix it. You can optionally set policies to define and track your desired compliance
standards. You can also generate and export reports on a variety of aspects.
Nexpose Community Edition is a solid, full-featured vulnerability scanner that's easy to set
up, but the 32 IP limit may make it impractical for larger networks.
5. SecureCheq

SecureCheq can perform local scans on Windows desktops and servers, identifying insecure
advanced Windows settings as defined by CIS, ISO or COBIT standards. It concentrates on
common configuration errors related to OS hardening, data protection, communication
security, user account activity and audit logging. The free version, however, is limited to
scanning fewer than two dozen settings, about a quarter of what the full version supports.
SecureCheq is a simple tool. After scanning the PC you'll see a list of all the checked
settings with a Passed or Failed result for each. Click a setting and you'll find links to
references about the vulnerability, a summary of it, and how to fix it. Though you can't
save the results for later viewing in the application, you can print them or view/save the
OVAL XML file.
Although SecureCheq is easy to use and scans for advanced configuration settings, it misses
some of the more general Windows vulnerabilities and network-based threats. However, it
complements the Microsoft Baseline Security Analyzer (MBSA) well: scan for basic problems
with MBSA and then follow up with SecureCheq for the advanced settings.

6. Qualys FreeScan

Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet-facing or local
servers or machines. You initially access it via the Qualys web portal and then download a
virtual scanner appliance if you want to run scans on your internal network.
Qualys FreeScan supports a few different scan types. The vulnerability scan checks for
hidden malware, SSL issues, and other network-related vulnerabilities. The OWASP scan audits
web applications for vulnerabilities. The Patch Tuesday scan finds, and helps install,
missing software patches. The SCAP scan checks computer settings for compliance against
SCAP (Security Content Automation Protocol) benchmarks from the National Institute of
Standards and Technology (NIST).
Though at first it appears to be purely an online tool that scans over the Internet, if you
enter a local IP it prompts you to download the virtual scanner as a VMware or VirtualBox
image, which lets you scan your local network. Once a scan is complete you can view
interactive reports by threat or by patch.
Since Qualys FreeScan only provides 10 free scans, it's not something you can use regularly.
Consider using another solution for day-to-day use and periodically run Qualys FreeScan as a
double-check.

7. Web Application Scanning Tools

These are the best open source web application penetration testing tools:

Grabber
Grabber is a simple web application scanner which can detect a number of security
vulnerabilities in web applications. It performs scans and reports where each vulnerability
exists. It can detect the following:

Cross site scripting
SQL injection
Ajax testing
File inclusion
JS source code analysis
Backup file check

It is slow compared to other security scanners, but it is simple and portable. It should be
used only to test small web applications, because scanning a large application takes too
long. The tool has no GUI and cannot produce a PDF report. It was designed to be simple and
for personal use; I would not recommend it for professional engagements.
The tool was developed in Python, and an executable version is also available. The source
code is available, so you can modify it to your needs. The main script is grabber.py, which
once executed calls other modules such as sql.py and xss.py.
Download it here: http://rgaucher.info/beta/grabber/
Source code on Github: https://github.com/neuroo/grabber
Vega
Vega is another free, open source web vulnerability scanner and testing platform. With this
tool you can perform security testing of a web application. It is written in Java and offers
a GUI-based environment. It is available for OS X, Linux and Windows.
It can be used to find SQL injection, header injection, directory listing, shell injection,
cross site scripting, file inclusion and other web application vulnerabilities. It can also
be extended using an API written in JavaScript.
While working with the tool, you can set a few preferences such as the total number of path
descendants, the number of child paths of a node, the depth, and the maximum number of
requests per second. You can use the Vega Scanner, Vega Proxy, Proxy Scanner, and also the
Scanner with credentials. If you need help, you can find resources in the documentation:
Documentation: https://subgraph.com/vega/documentation/index.en.html
Download Vega: https://subgraph.com/vega/

Zed Attack Proxy

Zed Attack Proxy is also known as ZAP. This tool is open source and is developed by OWASP. It
is available for Windows, Unix/Linux and Macintosh platforms. I personally like this tool. It
can be used to find a wide range of vulnerabilities in web applications. The tool is simple
and easy to use. Even if you are new to penetration testing, you can use this tool to start
learning penetration testing of web applications.
These are the key functionalities of ZAP:

Intercepting Proxy
Automated Scanner
Traditional but powerful spiders
Fuzzer
WebSocket support
Plug-n-Hack support
Authentication support
REST-based API
Dynamic SSL certificates
Smartcard and client digital certificate support

You can either use this tool as a scanner by entering the URL to scan, or you can use it as
an intercepting proxy to manually test specific pages.
Download ZAP: http://code.google.com/p/zaproxy/
Wapiti
Wapiti is another web vulnerability scanner which lets you audit the security of your web
applications. It performs black-box testing by crawling web pages and injecting data: it
sends payloads in parameters and checks whether a script is vulnerable. It supports both GET
and POST HTTP attacks and detects multiple vulnerabilities.

It can detect the following vulnerabilities:

File disclosure
File inclusion
Cross Site Scripting (XSS)
Command execution
CRLF injection
SQL injection and XPath injection
Weak .htaccess configuration
Backup file disclosure
and many others

Wapiti is a command-line application, so it may not be easy for beginners, but for experts
it performs well. To use it, you need to learn a number of command-line options, which are
covered in the official documentation.
Download Wapiti with source code: http://wapiti.sourceforge.net/
W3af
W3af is a popular web application attack and audit framework. This framework aims to provide
a better web application penetration testing platform. It is developed in Python. Using this
tool, you can identify more than 200 kinds of web application vulnerabilities, including SQL
injection, Cross-Site Scripting and many others.
It comes with both a graphical and a console interface, and both are easy to understand.
If you use the graphical interface, I do not think you will face any problem with the tool:
you only need to select the options and then start the scanner. If a website requires
authentication, you can use the authentication modules to scan the session-protected pages.
We have already covered this tool in detail in our previous W3af walkthrough series. You can
read those articles to learn more about this tool.
You can access the source code at the Github repository: https://github.com/andresriancho/w3af/
Download it from the official website: http://w3af.org/
WebScarab

WebScarab is a Java-based security framework for analyzing web applications that use the
HTTP or HTTPS protocol. With the available plugins, you can extend the functionality of the
tool. It works as an intercepting proxy, so you can review the requests and responses
passing between your browser and the server, and you can modify a request or response
before it is received by the server or browser.
If you are a beginner, this tool is not for you. It was designed for those who have a good
understanding of the HTTP protocol and can write code.
WebScarab provides many features which help penetration testers work closely on a web
application and find security vulnerabilities. It has a spider which can automatically find
new URLs of the target website. It can easily extract the scripts and HTML of a page. The
proxy observes the traffic between the server and your browser, and you can take control of
the request and response using the available plugins. The available modules can detect the
most common vulnerabilities, such as SQL injection, XSS, CRLF injection and many others.
Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab
Download WebScarab here: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Skipfish
Skipfish is another web application security tool. It crawls the website, checks each page
for various security issues, and at the end prepares a final report. The tool is written in
C and is highly optimized for HTTP handling with minimal CPU use; it claims to handle 2000
requests per second without significant CPU load. It uses a heuristic approach while
crawling and testing web pages, and also claims high-quality results with fewer false
positives.
This tool is available for Linux, FreeBSD, MacOS X and Windows.
Download Skipfish or its code from Google Code: http://code.google.com/p/skipfish/
Ratproxy
Ratproxy is also an open source web application security audit tool which can be used to
find security vulnerabilities in web applications. It supports Linux, FreeBSD, MacOS X, and
Windows (Cygwin) environments.

This tool is designed to overcome the problems users usually face while using other proxy
tools for security audits. It is capable of distinguishing between CSS stylesheets and
JavaScript code. It also supports SSL man-in-the-middle interception, which means you can
also see data passing through SSL.
You can read more about this tool here: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
Download: http://code.google.com/p/ratproxy/
SQLMap
SQLMap is another popular open source penetration testing tool. It automates the process of
finding and exploiting SQL injection vulnerabilities in a website's database. It has a
powerful detection engine and many useful features, so a penetration tester can easily
perform SQL injection checks on a website.
It supports a range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL
Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full
support for six SQL injection techniques: boolean-based blind, time-based blind,
error-based, UNION query, stacked queries and out-of-band.
Source code and downloads are in the Github repository: https://github.com/sqlmapproject/sqlmap
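The boolean-based blind technique listed above is the one most worth understanding, because it works even when the application hides every database error. Here it is in miniature, as an added example written for this article (it is not sqlmap's code and not from the original post). An in-memory SQLite table with constructed rows stands in for the site's database and a small page-rendering function stands in for the HTTP endpoint; the table, function names and sample data are this example's own. The vulnerable lookup concatenates the parameter into the query, the fixed lookup binds it, and the probe tells the two apart from the rendered page alone, the way a scanner does.

```python
"""Boolean-based blind SQL injection: a vulnerable query, its parameterized
fix, and the differential probe that an automated scanner uses to spot it.
Added example (not sqlmap's code); all names and data here are constructed."""
import sqlite3

# Constructed sample rows standing in for a web application's user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]


def make_db():
    """Build the in-memory database that plays the role of the site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The flaw: the request parameter is pasted into the SQL text, so a quote
    in `name` ends the string literal and the rest of the input becomes SQL."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, name):
    """The fix: a bound parameter. The driver sends the value separately from
    the query text, so no input can change the query's structure."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_page(lookup, conn, name):
    """Stand-in for the HTTP endpoint: only a count reaches the user and
    database errors are swallowed, which is why an error-based check sees
    nothing here and a boolean-based one is needed."""
    try:
        rows = lookup(conn, name)
    except sqlite3.Error:
        return "<p>Error</p>"
    return "<p>Found %d account(s)</p>" % len(rows)


def boolean_blind_probe(request, base_value):
    """Differential test on one parameter. `request` takes the parameter
    value and returns the page. A TRUE condition appended to a valid value
    must leave the page unchanged and a FALSE condition must change it; if
    both hold, the value reached a SQL WHERE clause unfiltered. Comparing
    against the baseline avoids the false positive where any odd input
    changes the page (for example an input filter rejecting quotes)."""
    baseline = request(base_value)
    true_page = request(base_value + "' AND '1'='1")
    false_page = request(base_value + "' AND '1'='2")
    return true_page == baseline and false_page != baseline


def demo():
    """Run the probe against the vulnerable and the fixed endpoint."""
    conn = make_db()
    verdicts = {}
    for label, lookup in (("vulnerable", lookup_vulnerable),
                          ("fixed", lookup_fixed)):
        verdicts[label] = boolean_blind_probe(
            lambda value, lookup=lookup: render_page(lookup, conn, value),
            "alice")
    return verdicts


if __name__ == "__main__":
    print(demo())  # {'vulnerable': True, 'fixed': False}
```

The probe needs a parameter value that already produces a distinctive page (here a known username); a real scanner first crawls for such values, then repeats the TRUE/FALSE pair several times to rule out pages that change on their own, and falls back to time-based payloads when the page never changes at all.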
Wfuzz
Wfuzz is another freely available open source tool for web application penetration testing.
It can be used to brute force GET and POST parameters to test for various kinds of injection
such as SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading,
SOCKS and HTTP proxies, authentication, parameter brute forcing, multiple proxies and many
other things.
This tool does not offer a GUI, so you will have to work from the command line.
Feature list and download on code.google.com: http://code.google.com/p/wfuzz/
Grendel-Scan
Grendel-Scan is another open source web application security tool. It is an automated tool
for finding security vulnerabilities in web applications, and many features are also
available for manual penetration testing. It is available for Windows, Linux and Macintosh,
and was developed in Java.
Download the tool and source code: http://sourceforge.net/projects/grendel/

Watcher
Watcher is a passive web security scanner. It does not attack with loads of requests or
crawl the target website. It is not a separate tool but an add-on for Fiddler, so you need
to install Fiddler first and then install Watcher to use it.
It quietly analyzes the requests and responses from your own interaction with the
application and then reports on what it saw. As it is a passive scanner, it will not affect
the website's hosting or cloud infrastructure.
Download Watcher and its source code: http://websecuritytool.codeplex.com/
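To make the passive approach concrete, here is an added example written for this article (not Watcher's code and not from the original post): checks that run over HTTP responses already captured by a proxy, without sending a single request. The two responses are constructed for the example and the wording of the findings is this example's own; the checks themselves (session cookie flags, anti-clickjacking and MIME-sniffing headers, server version disclosure) are the kind a passive scanner reports because they need nothing beyond what the browser received.

```python
"""Passive checks over captured HTTP responses, in the spirit of a Fiddler
add-on such as Watcher: nothing is sent, findings come only from inspecting
what the browser already received. Added example; responses are constructed."""
import re

# Constructed sample responses (not captured from a real site). The first is
# a typical weak configuration, the second has the issues fixed.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=3F2A9C; Path=/\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>",
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=3F2A9C; Path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>",
]


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body).
    Header names are lower-cased; repeats such as Set-Cookie are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_response(raw):
    """Return a list of finding strings for one captured response."""
    _, headers, _ = parse_response(raw)
    values = lambda name: [v for n, v in headers if n == name]
    findings = []

    # A cookie without HttpOnly is readable by injected script; without
    # Secure it is also sent over plain HTTP.
    for cookie in values("set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        cname = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags:
            findings.append("cookie %s lacks HttpOnly" % cname)
        if "secure" not in flags:
            findings.append("cookie %s lacks Secure" % cname)

    # Defensive headers an HTML page should carry; non-HTML bodies are skipped
    # so that images and scripts do not produce noise.
    content_type = (values("content-type") or [""])[0].lower()
    if content_type.startswith("text/html"):
        if not values("x-frame-options"):
            findings.append("HTML page lacks X-Frame-Options (clickjacking)")
        if not values("x-content-type-options"):
            findings.append("HTML page lacks X-Content-Type-Options: nosniff")

    # A version number in Server narrows an attacker's search for exploits.
    for server in values("server"):
        if re.search(r"/\d", server):
            findings.append("Server header discloses version: %s" % server)

    return findings


def scan_captured(responses=SAMPLE_RESPONSES):
    """Run the checks over every captured response; returns {index: findings}."""
    return {i: check_response(raw) for i, raw in enumerate(responses)}


if __name__ == "__main__":
    for index, findings in scan_captured().items():
        print("response %d: %s" % (index, findings or "no findings"))
```

Because the checks only read traffic you generated yourself, coverage is exactly as wide as your browsing session: pages you never visited are never assessed, which is the trade-off behind the "will not affect the hosting infrastructure" property.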
X5S
X5S is also a Fiddler add-on, which aims to provide a way to find cross-site scripting
vulnerabilities. It is not an automated tool, so you need to understand how encoding issues
can lead to XSS. You need to manually find the injection point and then check where XSS can
occur in the application.
We have covered X5S in a previous post, so you can refer to that article to read more about
X5S and XSS.
Download X5S and source code from CodePlex: http://xss.codeplex.com/
You can also refer to the official guide on how to use X5S:
http://xss.codeplex.com/wikipage?title=tutorial
Arachni
Arachni is an open source tool that provides a penetration testing framework for web
applications. It can detect a range of web application security vulnerabilities, such as SQL
injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects, and many
others.
Download this tool here: http://www.arachni-scanner.com/
Final Word
These are the best open source web application security testing tools. I tried my best to
list all the tools available online. If a tool had not been updated for many years, I did
not mention it here, because a tool that is more than 10 years old can create compatibility
issues in a current environment. If you are a developer, you can also join the developer
community of these tools and help them grow; by helping these tools, you will also increase
your own knowledge and expertise.

If you want to start penetration testing, I recommend using a Linux distribution created for
penetration testing, such as BackTrack, GnackTrack, BackBox or Blackbuntu. All of these come
with various free and open source tools for website penetration testing, so you can go with
one of those environments.
If you think I forgot to mention an important tool, you can drop a comment and I will try to
add it.

8. SIEM Tools

"The best way to compare SIEM products is to fully understand what problem you are looking for
them to solve," says Mav Turner, director of the security group at Austin-based SolarWinds Inc. "As
fun as it is to play feature bingo and to let a vendor demonstrate the thousands of things a product
can do, administrators should make sure they understand the few critical things they absolutely need
the product to do. If the core use cases can't be quickly demonstrated, they should probably
evaluate other products."

Essential SIEM Functionality

The leading SIEM products, including HP ArcSight, LogRhythm, McAfee ESM, Splunk Enterprise
Security, and IBM QRadar, all incorporate some or all of the following functionality:

- Integration of traditional logs with other event sources, such as threat intelligence,
  Identity and Access Management (IAM) systems, Database Activity Monitoring (DAM),
  NetFlow/DPI, File Integrity Monitoring and application logging
- Capabilities to support a Security Operations Center
- Scalability from SMB to large implementations
- Import and export of content (rules, reports, trends)
- Multi-value lists (active lists, watch lists)
  - Expiration times on lists (expire after X number of minutes/hours) and an event on
    expiration, for state table usage
  - Indexed array for event enrichment
  - What available threat intelligence data can be incorporated?
- Ability to create custom log source feeds
  - Import CSV simply
  - Open Database Connectivity (ODBC) queries
  - Regex (regular expression) for file parsers
  - Aggregation and filtering at the collector level (with selectable fields and
    summarization of fields)
- Reusable and movable objects
  - Filters/building blocks: named reusable objects
  - Folder/tree structure for rules, network hierarchies
- Summarization tables
  - ArcSight Trends and Splunk data models
  - Selection of critical fields and scheduled summarization of events
- Health status monitoring
  - What self-monitoring and reporting features are available?
  - Free space, event rates per device, CPU and memory utilization
  - Dropped/unparsable events
- Redundancy
  - How do I feed data in from a host through redundant parsers to redundant log
    management (compliance/1 year) data stores?
  - Correlation engines are not required to be redundant
  - Ability to forward the same log source from a single collection point to multiple
    destinations (primary log management, secondary log management, production correlation,
    development correlation)
- Scalability at the correlation engine level
  - How many concurrent queries can be run for SOC operations?
  - How do I scale performance for ad-hoc use?
  - Concurrency: can I run multiple queries at the same time?
  - Are overlapping intrusion prevention systems supported?
- Role-based access controls: can the system be configured for Umpqua access to specific
  subsets of data/content with a mix of read and read/write/create permissions?
- Can the system be configured in a hierarchy? Correlation engine and log management
  locally at each Umpqua, but master/global content pushed and synched from a managed
  services group, with local content not overridden but global content incorporated and
  overwritten?
- Inputs
  - What log sources are supported natively?
- Long term
  - How do we integrate with a ticketing/workflow system?
  - How can we integrate with an existing configuration management database (CMDB) to
    pull asset tag information?
  - How can we integrate with Governance, Risk, Compliance (GRC) and vulnerability
    management to provide a common dashboard?

Source: Kent Saunders, Senior Consultant, Accuvant 2015
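Several items in the list above (regex file parsers, aggregation at the collector, active lists with an expiry, a count of dropped/unparsable events, and a correlation engine that raises alerts) fit in one small pipeline, so here is one as an added example written for this article, not any vendor's code. It parses constructed sshd syslog lines with a regular expression, normalizes them into a common event record, summarizes failures per source and user the way a collector would, and runs a single correlation rule that keeps an expiring active list of brute-forcing sources and escalates a later successful login from a listed source. The sample lines, field names, thresholds and severities are this example's own.

```python
"""A SIEM pipeline in miniature: regex parser -> normalized events ->
collector-level summarization -> correlation rule with an expiring active
list. Added example; the log lines, field names and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from a real host). The cron
# line has no parser here and shows up in the dropped/unparsable count.
SAMPLE_LOGS = """\
Mar 10 08:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:04 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 08:00:09 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:00:15 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 08:00:20 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 08:00:25 web01 sshd[2102]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 10 08:01:00 web01 sshd[2103]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 10 08:30:00 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:30:05 web01 sshd[2105]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""

# Regex file parser: one pattern per log source format.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>[\d.]+)")


def parse(line, year=2015):
    """Normalize one syslog line into a common event record, or None if the
    line does not match (a real SIEM counts these as dropped/unparsable)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the example assumes one.
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "user": m.group("user"),
            "src": m.group("src"),
            "outcome": "failure" if m.group("outcome") == "Failed" else "success"}


def summarize_failures(events):
    """Collector-level aggregation: count failures per (source, user)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["outcome"] == "failure":
            counts[(ev["src"], ev["user"])] += 1
    return dict(counts)


class BruteForceRule:
    """Correlation rule: `threshold` failures from one source within `window`
    seconds put that source on an active list for `ttl` seconds; a success
    from a listed source while its entry is live is escalated."""

    def __init__(self, threshold=5, window=60, ttl=600):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.failures = defaultdict(deque)   # src -> recent failure times
        self.active = {}                     # src -> expiry time

    def feed(self, ev):
        alerts = []
        # Expire list entries by event time, not wall-clock time, so the rule
        # behaves the same on replayed historical data as on a live feed.
        self.active = {s: exp for s, exp in self.active.items() if exp > ev["ts"]}
        if ev["outcome"] == "failure":
            recent = self.failures[ev["src"]]
            recent.append(ev["ts"])
            while recent and (ev["ts"] - recent[0]).total_seconds() > self.window:
                recent.popleft()
            if len(recent) >= self.threshold and ev["src"] not in self.active:
                self.active[ev["src"]] = ev["ts"] + timedelta(seconds=self.ttl)
                alerts.append(("medium", "brute force from %s against %s"
                               % (ev["src"], ev["host"])))
        elif ev["src"] in self.active:
            alerts.append(("high", "login as %s from %s after brute force"
                           % (ev["user"], ev["src"])))
        return alerts


def run(raw=SAMPLE_LOGS):
    """Feed the sample through the pipeline.
    Returns (events, failure summary, alerts, dropped line count)."""
    parsed = [parse(line) for line in raw.splitlines()]
    events = [ev for ev in parsed if ev]
    dropped = len(parsed) - len(events)
    rule = BruteForceRule()
    alerts = [a for ev in events for a in rule.feed(ev)]
    return events, summarize_failures(events), alerts, dropped


if __name__ == "__main__":
    _, summary, alerts, dropped = run()
    print("failures per (src, user):", summary)
    print("dropped lines:", dropped)
    for severity, message in alerts:
        print(severity, message)
```

Two design points carry over to real products. The active list is keyed on the source and expires on its own, so the escalation rule stays a one-line membership test instead of re-scanning history; and the dropped count is returned rather than silently discarded, because a parser that stops matching after a log format change is the most common way a SIEM goes blind without anyone noticing.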


"Ideally, companies should also look for the ability to deploy an evaluation or a proof of concept in
their environments to make sure the reports and data they expect are available as well. Even if they
are only able to collect data from a few devices that will be a huge indicator of whether they are
buying a product that solves their specific problems, as opposed to a product that just sounds really
cool," says Turner.

Cloud-Based SIEM Options

One approach that is starting to grow is cloud-based SIEM as a service, says John Howie, founder
of Seattle-based Howie Consulting and the former chief operating officer of the Cloud Security
Alliance. While boutique cloud providers might offer special programs for first-time SIEMaaS
customers, the larger and more established SIEM providers that also offer on-premises SIEM
generally assume the company already has experience with the technology, says Howie.
Howie noted that while the providers he has dealt with recognize that log data is the property of the
client, the clients need to understand that log data potentially can contain personally identifiable
information (PII) or protected health information (PHI). For example, the SIEM could alert on a file
transfer and collect the data from the transfer in a log file. That log file could contain a Social
Security Number or a patient's private data. He recommends that if the company collects protected
data, it should sign a Business Associate Agreement or a similar agreement with the cloud provider
to ensure the data is handled appropriately.
Unlike traditional, on-premises software, cloud-based SIEM generally is billed on a usage model
rather than per server or per user, Howie says. However, if the SIEM software sends all data logs to
the cloud or is otherwise improperly configured, the bandwidth cost from the cloud provider could be
very high and negate other cost efficiencies from the cloud.
"Continually tuning a SIEM as well as looking at the alerts can be a time-consuming task for skilled
professionals," says 451 Research senior security analyst Javvad Malik. "Smaller enterprises may
find greater benefits in utilizing a SaaS-based or managed security services provider (MSSP)
offering that will alleviate some of the ongoing demands."
"SIEMs as a product family set vary tremendously in deployment types, pricing structure, features
and the like. Some may be on-premises, others SaaS, some may charge per device, others by
number of events processed, some have features built into their own offering whilst others partner
with other vendors so comparing pricing and offerings is not a straightforward task," Malik adds.

Enterprise and SMB SIEM Solutions

Companies such as SolarWinds and San Francisco-based Splunk are among the SIEM providers
that specialize in the SMB market. While an enterprise-class HP ArcSight SIEM system can cost
upwards of hundreds of thousands of dollars, SMBs can enter the market with the SolarWinds Log &
Event Manager for $4,495. This entry-level SIEM is a software-only, virtual security operations center
that can produce reports with what the company calls "audit-proven templates" for the Payment Card
Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of
1996 (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Sarbanes-Oxley Act
of 2002 (SOX) and other compliance standards. The software runs on VMware or Microsoft Hyper-V
virtual machines.
"Any SIEM can do log aggregation," Turner says. "This is a basic feature for a SIEM and often what
a lot of people are looking for in order to check a box for their auditor. Once they have the logs,
though, to get real value they need a solution that will also find problems and help sort through the
massive amounts of data quickly."
Users should see clear categories of activities so they can drill into the ones that are suspicious, he
adds. Event normalization is critical to a powerful SIEM and SolarWinds is starting to see the
emergence of threat intelligence feeds and integration of SIEMs with them. "While this is a great
addition," Turner notes, "it's critical to understand where the value is here and not get fooled into
thinking it equates to 'security in a box' by deploying solutions simply because they claim to have
that functionality."
"If a managed service provider is not an option, several SIEM vendors tailor to the SMB space by
offering solutions that are relatively less expensive and easier to manage when compared with their
full blown offerings," says Kent Saunders, a senior consultant at Accuvant.
These include:

- ArcSight Express for SIEM/correlation functionality and ArcSight Logger for log management;
- McAfee ESM (Enterprise Security Manager) appliance, which handles both SIEM/correlation and
  log management;
- IBM Security QRadar All-in-One appliance, which handles both SIEM/correlation and log
  management;
- Splunk Enterprise software or virtual machines for log management, which let a user write
  their own custom correlations and SIEM-like dashboards;
- LogRhythm's appliance, software and virtual machines, which handle both SIEM/correlation and
  log management.

Here's a more detailed look at HP's ArcSight, LogRhythm, SolarWinds, and Splunk.

ArcSight

Hewlett-Packard's ArcSight is primarily an enterprise-class SIEM offering, although it can
scale down for smaller enterprises. The ArcSight Express rack-mount appliance includes a vast
array of built-in capabilities. In addition to the log management capabilities that are the raison
d'être of a SIEM, the appliance can collect, store and analyze all security data from a single
interface. The software is capable of analyzing millions of security events from firewalls, intrusion
prevention systems, endpoint devices, and an array of other log- and data-producing devices. It has
built-in security dashboards and audit reports that visualize threats and compliance, and is marketed
as detecting zero-day attacks, advanced persistent threats, breach attempts, insider attacks, malware
and unauthorized user access.
ArcSight Enterprise Security Manager (ESM) is targeted at large-scale security event management
deployments. ArcSight Express "should be considered for midsize SIEM deployments (while) ESM
is appropriate for larger deployments, as long as sufficient in-house support resources are
available," according to Gartner.
ArcSight Logger can be used for log management in two-tier deployments. It also has optional
modules for advanced user activity monitoring, identity and access management integration and
fraud management. ArcSight pricing follows a more traditional software model that is more complex
than SolarWinds' or Splunk's.

LogRhythm

The LogRhythm All-In-One (XM) appliance and software is designed for midsized to large enterprises. It
includes a dedicated event manager, dedicated log manager, dedicated artificial intelligence engine,
site log forwarder and a network monitor. Each of the software components is also available as a
stand-alone appliance. LogRhythm's security intelligence platform collects forensic data from log
data, flow data, event data, machine data and vulnerability data. It also generates independent
forensic data for the host and network.
The system can perform real-time processing and machine or forensic analytics, producing
risk-prioritized alerts, real-time dashboards or reports. It is also used for incident response,
including case management and workflow.
In addition to analytics, the company's SIEM offering includes real-time threat and breach detection
and alerting, advanced correlation and pattern recognition, a variety of behavior anomaly detection
capabilities, data visualization for long-term trending and continuous compliance assurance using
out-of-the-box automation suites. LogRhythm, like ArcSight, uses a more traditional pricing model.

SolarWinds

SolarWinds' Log & Event Manager is targeted at the SMB market but can scale to larger
businesses. The offering has prepackaged templates and an automated log management system.
Among the features the company identifies as must-haves for a SIEM offering are the ability to collect
data from network devices, machine data and cloud logs, as well as in-memory event correlation for
real-time threat detection. Additional must-have features include flexible deployment options for
scalable log collection and analysis, out-of-the-box reporting for security, compliance and operations,
forensic analysis, and built-in active response for automated remediation.
Other features the company identifies as essential are internal data loss protection, embedded file
integrity monitoring for threat detection and compliance support, plus high compression and
encryption for secure long-term archival and log management. SolarWinds uses node-based pricing.

Splunk

Like other SIEM products, the core of Splunk Enterprise monitors and manages application logs,
business process logs, configuration files, web access and web proxy logs, syslog data, database
audit logs and tables, filesystem audit logs, and operating system metrics, status and diagnostic
commands. But at Splunk the focus is on machine data: the data generated by all of the systems
in the data center, the connected "internet of things," and other personal and corporate devices that
get connected to the corporate network.
Splunk offers three versions of its product:

- Splunk Free, which caps indexing at 500MB per day and has a limited feature set;
- Splunk Enterprise for on-premises SIEM with all of the company's features;
- Splunk Cloud, which can scale up to multiple terabytes per day and offers the full feature set
  with the exception of the distributed management console and multi-site clustering. The
  clustering option is available on request for the cloud package.

Although the product has "enterprise" in its name, Splunk says the solution can be used by SMBs as
well and has been architected for use by non-SIEM experts. Non-SIEM engineers will be able to use
the event pattern detection, the instant Pivot interface that lets users discover relationships in
data without mastering the search language, and dashboards that can share pre-built panels that
integrate multiple charts and views over time.
Splunk Enterprise offers both a perpetual license that starts at $4,500 for 1 GB/day plus support and
a term license that starts at $1,800 per year and includes support.

Questions To Ask SIEM Vendors

Here is a list of questions organizations should ask the SIEM vendors in a Request for Information or
a Request for Proposal:

1. How well does the platform handle the log sources? Will it work out of the box or will there be
   a lot of custom development work required?
2. What out-of-the-box reports are available for security and compliance?
3. What is the cost of maintenance?
4. What is the cost of the SIEM product (license or subscription)?
5. What is the cost of training?
6. How well do they do post-sale technical support?
7. What is the speed of access to log data?
8. Does it use a dedicated appliance, customer-provided hardware, VMs or cloud?
9. How easy is it to integrate with third-party platforms?
10. Will it integrate with your current ticketing system?
11. How many report/dashboard/alert customization options are available?
12. Is there a desire for the product to have an operational role rather than be specific to
    security?
13. Is there a packet capture or flow option?
14. How does the product handle older data that has been archived off-box?
15. How good is the product documentation?
16. What does the product do in the event of a license violation?

Additionally, here are some questions potential clients should ask that generally are not asked:

1. How many of the original product developers are still with the company?
2. What is your average first contact time as well as the time to resolution for support tickets of
   each ticket priority level?
3. How many full time employees will I need for a deployment of this size?
4. How do you do log tiers: Log (Splunk Enterprise, ArcSight Logger, LogLogic) > SIEM (Splunk
   Enterprise Security, ArcSight, QRadar, McAfee ESM (Enterprise Security Manager)) > Automation
   (automatically run a script, open a ticket, take a VM snapshot, etc.) > Data (Hadoop storage)?

Source: Jordan Perks, consultant, Accuvant, 2015

A Few More SIEM Tools

Security Information And Event Management Systems Overview and Vendor List

Although most IT security solutions satisfy some part of a compliance requirement, most of them
would be bought into an organisation regardless; firewalls and email and web filtering solutions
are examples.
However, IT security professionals usually invest in policy auditors, web application firewalls,
vulnerability managers, file integrity software, archiving, application control and SIEM solutions
specifically to satisfy regulatory compliance and to show due diligence.

SIEM Overview

Some vendors combine SIEM with a combination of vulnerability management, file integrity, policy auditing and IPS as options. Other vendors integrate SIEM into their Identity and Access Management solutions, and some vendors provide SIEM as a point solution on its own.

SIEM as a product is a combination of Information Management, Event Management and network behaviour analysis tools, providing a complete vision of log data and real time events. Some companies only require one or the other (Information Management or Event Management). Information Management is used for historical and compliance purposes and Event Management for real time attack analysis. Some vendors also provide these as separate products.

Alert Logic is a cloud solutions vendor and offers a cloud based Incident and Event Log Monitoring service.

AlienVault Professional SIEM is offered as an appliance and virtual platform. AlienVault also has intrusion detection and vulnerability management functionality built in to its SIEM product. AlienVault is a dedicated SIEM vendor.

Astaro has a log management module built in to their security gateway appliance. The actual log management is a system based in the cloud. This is a basic log management service.

Computer Associates (CA) is a large vendor with many enterprise class IT solutions. CA has a security division and offers their enterprise log manager, which comes as a software platform.

Correlog offers log management and security correlation and provides integrity monitoring for common OS platforms.

eIQnetworks specialise in visibility and awareness of IT information. eIQnetworks has a focus on SIEM, file integrity, vulnerability management and network behaviour analysis solutions.

Enterasys Security Information and Event Management solution provides Log Management and Network Behavioral Analysis capabilities. Enterasys is a provider of routing and switching, wireless and network management and security solutions.

FairWarning specialise in information protection and awareness in the health industry. Their appliance based solution protects the privacy of patient health records.

GFI Software is a vendor focussed on IT solutions for small and medium-sized businesses. GFI offers their centralised event log monitoring and management solution known as GFI EventsManager.

HP Compliance Log Warehouse is an SIEM appliance based solution that comes with some useful compliance reporting tools such as PCI DSS, HIPAA and more. ArcSight, who have been acquired by HP, is a provider of security and compliance management solutions. They have a huge focus on SIEM and have many options in their portfolio depending on user requirements.

IBM ISS have an SIEM product in Tivoli Security Information and Event Manager. IBM also has other log and event management solutions.

Juniper Networks has an SIEM in their Security Threat Response Manager, which comes in various appliance models for all network sizes.

LogLogic is a vendor specialising in a suite of log management and security management products. Their solutions come in appliance and virtual platforms.

LogMatrix is an SIEM vendor with an appliance based offering known as NerveCenter.

LogRhythm is an SIEM vendor with a number of options and solutions. Their SIEM solution also includes file integrity monitoring.

netForensics is a vendor with specialties in security threats and compliance. netForensics provides SIEM as a product solution as well as a service hosted in the cloud.

NetIQ's portfolio includes solutions for managing security and compliance, identity and access, and performance and availability. NetIQ have a number of offerings in their SIEM portfolio.

NitroSecurity is an SIEM vendor who have been acquired by McAfee and offer a number of options. NitroSecurity also specialises in IPS products.

Novell have a large portfolio of IT solutions. Novell integrates its SIEM solution with their identity and access management solution.

Prism Microsystems is an SIEM vendor. EventTracker Enterprise is Prism's SIEM solution.

Q1 Labs have a number of SIEM options. Their flagship product is known as QRadar SIEM.

Quest Software provide a range of IT solutions including SIEM in their InTrust products. InTrust collects, stores and reports data on Windows, Unix and Linux platforms.

RSA (EMC) is a well known security vendor and a division of EMC. RSA is a market leader for their 2 factor authentication solutions. RSA also has a highly ranked SIEM product, RSA enVision.

SenSage have strengthened their SIEM offerings by becoming McAfee Innovation partners. Their product integrates into McAfee ePolicy Orchestrator. This is great for customers looking for consolidation and a single point of management for all their products.

Splunk is a dedicated SIEM vendor.

Symantec is a large security, storage and systems management vendor. Symantec has an SIEM solution known as Symantec Security Information Manager.

S21sec provides SIEM solutions as well as cyber security services.

Tango/04 provides monitoring, auditing and reporting of data through their Visual product solutions.

Tenable SecurityCenter provides SIEM, vulnerability management and some aspects of DLP in one product.

Tier-3 is an Australian based company that specialises in security, data protection and compliance. Tier-3 has an SIEM product portfolio known as Huntsman.

TriGeo Security Information Manager is targeted towards the mid market and has the ability to pick up data from USB devices as well, through their USB-Defender product.

Trustwave is a security vendor with a range of security solutions including Trustwave SIEM products.

Wallix is a French based vendor and a provider of IT security solutions. Wallix delivers a product known as LOGBOX, which is a log collection solution from a central appliance.

MALWARE DETECTION TOOLS:

[Comparison table of consumer antivirus products; only the vendor names survived extraction. The products reviewed were McAfee, Norton, BullGuard, ZoneAlarm, Avira, Panda Security, Eset, Trend Micro, Bitdefender and Kaspersky; each row of the original table carried an overall score (ranging from 9.8 down to 7.3), list and discounted prices, a user rating count and a one-line description, none of which can be reliably matched to a product here.]

STATIC CODE ANALYSIS TOOLS:

What Is Static Code Analysis?

Static code analysis refers to analyzing source code without executing it. Generally it is used to find bugs or ensure conformance to coding guidelines. While a compiler may find lexical, syntactic and semantic defects, if you are relying too heavily on your compiler to identify coding defects, you may find your code isn't maintainable or transferable. Even code that compiles without warnings may have errors associated with the implementation of the requirements.
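As an added illustration of the idea (this is example code written for this page, not code from the original document or from any of the products listed below), the following toy analyzer parses Python source into an abstract syntax tree and walks it looking for a few constructs that commonly indicate security defects: calls that execute code from strings, `subprocess` calls with `shell=True`, and string literals assigned to credential-looking names. The rule table, the finding categories and the sample program it inspects are all constructed; the sample is only parsed, never run, which is exactly the point of static analysis.

```python
"""Toy static code analyzer: walks a Python AST without executing the code and
reports constructs that commonly indicate security defects.

This is an added example for illustration, not code from the original page or
from any of the products listed below. The rule table, the finding categories
and the sample program are all constructed."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Constructed rule table: call targets whose string argument is often attacker-influenced.
DANGEROUS_CALLS = {
    "eval": "executes arbitrary Python from a string",
    "exec": "executes arbitrary Python from a string",
    "pickle.loads": "deserializing untrusted data can run code",
    "os.system": "runs a shell command built from a string",
}
# Name fragments that suggest a credential is being stored in the source.
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def _dotted_name(node: ast.AST) -> str:
    """Return 'pkg.attr' for a call target, or '' when it is not a plain name chain."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


class SecurityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(node.lineno, "dangerous-call",
                                         f"{name}: {DANGEROUS_CALLS[name]}"))
        # subprocess.* with shell=True hands the command line to a shell for parsing.
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(node.lineno, "shell-true",
                                                 f"{name} called with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # A string literal assigned to a name that looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append(Finding(node.lineno, "hardcoded-secret",
                                                 f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    """Parse the source text and return findings ordered by line; nothing is executed."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample program to analyze; it is parsed only, never run.
SAMPLE = """\
import os, subprocess, pickle
DB_PASSWORD = "hunter2"
def run(cmd):
    subprocess.call(cmd, shell=True)
def load(blob):
    return pickle.loads(blob)
def calc(expr):
    return eval(expr)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run as a script it reports the hard-coded credential on line 2, the `shell=True` call on line 4, and the `pickle.loads` and `eval` calls on lines 6 and 8. Real analyzers add data-flow tracking so that a call is only reported when its argument can actually come from untrusted input; this toy reports on syntax alone and therefore also produces false positives.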

HP Fortify Software Static Code Analyzer: Helps developers identify software security vulnerabilities in C, C++, Java, JSP, .NET, ASP.NET, classic Active Server Pages (ASP), ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C and COBOL, and in configuration files.

IBM Rational AppScan Source Edition: Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C, C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, and COBOL.

Black Duck Software Suite: Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third-party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities.

Compuware Topaz for Program Analysis [1]: A static code analysis tool for PL/I and COBOL. Produces visual displays of structure charts and logic/data flow and shows dependencies across programs.

CAST Application Intelligence Platform: Detailed, audience-specific dashboards to measure quality and productivity. Cross-tier, cross-technology analysis of 50+ languages, including C, C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.

PENETRATION TESTING:

2. Aircrack-ng is a comprehensive set of network security tools that includes aircrack-ng (which cracks WEP and performs WPA dictionary attacks), airdecap-ng (which decrypts WEP or WPA encrypted capture files), airmon-ng (which places network cards into monitor mode, for example when using the Alfa Security Scanner with rtl8187), aireplay-ng (which is a packet injector), airodump-ng (which is a packet sniffer), airtun-ng (which allows for virtual tunnel interfaces), airolib-ng (which stores and manages ESSID and password lists), packetforge-ng (which can create encrypted packets for injection), airbase-ng (which incorporates techniques for attacking clients) and airdecloak-ng (which removes WEP cloaking). Other tools include airdriver-ng (to manage wireless drivers), airolib-ng (to store and manage ESSID and password lists and compute Pairwise Master Keys) and airserv-ng (which allows the penetration tester to access the wireless card from other computers). Airolib-ng is similar to easside-ng, which allows the user to run tools on a remote computer; there are also easside-ng (which permits a means to communicate with an access point without the WEP key), tkiptun-ng (for WPA/TKIP attacks) and wesside-ng (which is an automatic tool for recovering WEP keys).

Like most of the security tools in our list, Aircrack also has a GUI interface called Gerix Wifi Cracker. Gerix is a freely licensed security tool under the GNU General Public License and is bundled within penetration testing Linux distributions such as BackTrack and BackBox. The Gerix GUI has several penetration testing tools that allow for network analysis, wireless packet capturing, and SQL packet injection.

Metasploit is huge. Developed by Rapid7 and used by every pentester and ethical hacker in the world. Period. The Metasploit Project is a security project which delivers information about security vulnerabilities and helps penetration testing and intrusion detection. The open source project, known as the Metasploit Framework, is used by security professionals to execute exploit code against a remote target machine, for penetration testing of course!

Another cool project is Metasploitable, which is an intentionally vulnerable version of Ubuntu Linux built on purpose for testing security tools, like all of the ones listed here, and for demonstrating common vulnerabilities.

7. Nessus is another giant of a security tool that focuses on vulnerability scanning. There is a free version (free for personal use) and a paid version. Started in 1998 by Renaud Deraison, it has evolved into one of the world's most popular security tools, particularly as a vulnerability scanner. The organization behind Nessus, Tenable Security, estimates that it is used by over 75,000 organizations worldwide.

Essentially Nessus scans for various types of vulnerabilities: ones that check for holes that hackers could exploit to gain control of or access to a computer system or network. Furthermore, Nessus scans for possible misconfigurations (e.g. open mail relay, missing security patches, etc.). The tool also scans for default passwords and common passwords, which it can execute through Hydra (an external tool) to launch a dictionary attack. Other vulnerability scans include denials of service against the TCP/IP stack.

8. Nmap is another massive giant of a security tool which has been around forever and is probably the best known. Nmap has featured in many movies including The Matrix; just Google it and you'll see what we mean. Written in C, C++, Python and Lua by Gordon Lyon (Fyodor) starting from 1997, Nmap (Network Mapper) is the de facto security scanner which is used to discover hosts and services on a computer network. To discover hosts on a network Nmap sends specially built packets to the target host and then analyzes the responses. The program is really sophisticated because, unlike other port scanners out there, Nmap sends packets based upon network conditions by taking into account fluctuations, congestion and more.
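From the defender's side, the probe-and-respond behaviour just described leaves a recognisable footprint: one source address touching many distinct destination ports on a host within a short time. The following is an added example of that detection logic, written for this page rather than taken from the original document or from Nmap; the firewall log format, the window and threshold values, and the sample lines (including one malformed line that the parser must skip) are all constructed.

```python
"""Port-scan detection over firewall deny logs: flag a source address that
touches many distinct destination ports on one host inside a short window.

Added example for defenders; it is not code from the original page or from
Nmap. The log line format, the thresholds and the sample lines are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Event]:
    """Parse '<ISO time> DENY <src>:<sport> -> <dst>:<dport> <proto>'; None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "DENY" or parts[3] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src = parts[2].rsplit(":", 1)[0]
        dst, dport = parts[4].rsplit(":", 1)
        return Event(ts, src, dst, int(dport))
    except ValueError:
        return None


def detect_scans(log_text: str, window: timedelta = timedelta(seconds=60),
                 threshold: int = 10) -> list[tuple[str, int, datetime]]:
    """Return (source, max distinct (dst, port) pairs seen in any one window, first seen)
    for every source whose port fan-out reaches the threshold."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            by_src[ev.src].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            pairs = {(e.dst, e.dport) for e in events[start:end + 1]}
            best = max(best, len(pairs))
        if best >= threshold:
            alerts.append((src, best, events[0].ts))
    return alerts


# Constructed sample log: one source sweeping 18 ports in 18 seconds, one source
# with two widely spaced denies, and one malformed line that must be skipped.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3306, 3389, 5900, 8080]
SAMPLE_LOG = "\n".join(
    [f"2024-01-15T10:00:{i:02d} DENY 203.0.113.7:{51000 + i} -> 192.0.2.10:{p} TCP"
     for i, p in enumerate(SCAN_PORTS)]
    + ["2024-01-15T10:00:05 DENY 198.51.100.4:40000 -> 192.0.2.10:443 TCP",
       "2024-01-15T10:05:00 DENY 198.51.100.4:40001 -> 192.0.2.10:80 TCP",
       "this line is malformed and must be skipped"]
)

if __name__ == "__main__":
    for src, fanout, first in detect_scans(SAMPLE_LOG):
        print(f"possible port scan from {src}: {fanout} distinct ports, first seen {first}")
```

On the sample the sweep from 203.0.113.7 is reported with a fan-out of 18, while the two spaced-out denies from 198.51.100.4 stay below the threshold. The threshold and window are the tuning knobs: a scanner that paces its probes well outside the window (the slow-timing behaviour the paragraph above alludes to) needs a longer window or a per-day counter to be caught.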

9. Kismet is a wireless network detector, sniffer, and intrusion detection security pentesting tool. Kismet can monitor and sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. There are many sniffing tools out there but what makes Kismet different and very popular is the fact that it works passively, meaning that the program does not send any loggable packets whilst being able to monitor wireless access points and wireless clients. It is open source and widely used.

10. Wireshark has been around for ages and is extremely popular. Wireshark allows the pentester to put a network interface into promiscuous mode and therefore see all traffic. This tool has many features such as being able to capture data from a live network connection or read from a file that saved already-captured packets. Wireshark is able to read data from a wide variety of networks, from Ethernet, IEEE 802.11, PPP, and even loopback. Like most tools in our 2013 Concise Courses Security List, the captured network data can be monitored and managed via a GUI, which also allows for plugins to be inserted and used. Wireshark can also capture VoIP packets (like Cain & Abel, see tool 3) and raw USB traffic can also be captured.
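The "file that saved already-captured packets" mentioned above is, in the classic case, a libpcap file: a 24-byte global header followed by a 16-byte record header plus frame bytes for each packet. The following added example (written for this page; it is not code from the original document or from the Wireshark project) parses that format from an in-memory capture built out of constructed Ethernet frames, summarises the EtherTypes present and points out frames the snap length cut short, which is a detail worth checking before trusting a capture in an investigation. The byte-order detection and the truncation checks are the parts that matter for robustness.

```python
"""Minimal reader for the classic libpcap capture format (the on-disk format
Wireshark reads and writes) and a link-layer summary of what it contains.

Added example, not code from the original page or from the Wireshark project.
The capture parsed here is built in memory from constructed frames."""
from __future__ import annotations

import struct
from collections import Counter
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


@dataclass
class Packet:
    ts: float           # seconds since the epoch
    captured_len: int   # bytes present in the file
    original_len: int   # bytes on the wire
    data: bytes


def parse_pcap(blob: bytes) -> tuple[int, list[Packet]]:
    """Return (link type, packets). Raises ValueError on a bad magic or a truncated record."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    # The magic number is written in the writer's native byte order; detect it.
    if blob[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif blob[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])

    packets: list[Packet] = []
    offset = 24
    while offset < len(blob):
        if offset + 16 > len(blob):
            raise ValueError(f"truncated packet header at offset {offset}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(blob):
            raise ValueError(f"truncated packet data at offset {offset}")
        packets.append(Packet(ts_sec + ts_usec / 1e6, incl_len, orig_len, blob[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets


def ethertype_summary(packets: list[Packet]) -> dict[str, int]:
    """Count frames per EtherType; frames shorter than an Ethernet header are ignored."""
    counts: Counter[str] = Counter()
    for p in packets:
        if len(p.data) >= 14:
            et = struct.unpack("!H", p.data[12:14])[0]
            counts[ETHERTYPES.get(et, f"0x{et:04x}")] += 1
    return dict(counts)


def truncated_packets(packets: list[Packet]) -> list[int]:
    """Indices of packets whose captured bytes are fewer than were on the wire (snaplen cut)."""
    return [i for i, p in enumerate(packets) if p.captured_len < p.original_len]


def is_valid_pcap(blob: bytes) -> bool:
    try:
        parse_pcap(blob)
        return True
    except ValueError:
        return False


def _record(ts_sec: int, ts_usec: int, frame: bytes, snap: int | None = None) -> bytes:
    incl = len(frame) if snap is None else min(snap, len(frame))
    return struct.pack("<IIII", ts_sec, ts_usec, incl, len(frame)) + frame[:incl]


def build_sample_pcap() -> bytes:
    """Constructed two-frame capture: a broadcast ARP frame and an IPv4 frame cut at 40 bytes."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    broadcast = bytes.fromhex("ffffffffffff")
    mac_a = bytes.fromhex("025a0011aabb")     # locally administered, constructed
    mac_b = bytes.fromhex("025a0011ccdd")
    arp = broadcast + mac_a + b"\x08\x06" + bytes(28)   # ARP body zeroed for brevity
    ipv4 = mac_b + mac_a + b"\x08\x00" + bytes(60)      # IPv4 payload zeroed for brevity
    return header + _record(1700000000, 0, arp) + _record(1700000000, 500, ipv4, snap=40)


if __name__ == "__main__":
    link, pkts = parse_pcap(build_sample_pcap())
    print(f"link type {link}, {len(pkts)} packets, by EtherType: {ethertype_summary(pkts)}")
    print(f"packets cut short by snaplen: {truncated_packets(pkts)}")
```

On the constructed capture the reader finds two Ethernet frames (one ARP, one IPv4) and reports the second as truncated, since only 40 of its 74 bytes were stored. A file whose last record is cut off, or whose magic is unrecognised, is rejected rather than silently partially parsed; the newer pcapng container used by current Wireshark versions is a different format and is not handled here.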
