• United States




5 open source intrusion detection systems for SMBs

Nov 13, 20205 mins
Intrusion Detection SoftwareSecurity

If you don’t have a lot of budget at your disposal, these open-source intrusion detection tools are worth a look.

radar grid / computer circuits / intrusion detection / scanning
Credit: Peterscode / Getty Images

As businesses grapple with the pandemic, millions of workers are no longer working in the traditional office behind the traditional perimeter. They are working from home, accessing data and network resources using unauthorized devices, unauthorized software and unsecured WiFi.

Research has revealed that almost 50% of US businesses have been hit by a Covid-related attack that has impacted the business. This is where intrusion detection systems (IDS) come in.

As the name implies, an IDS monitors the network for suspicious behavior and issues alerts when such activities are discovered. IDS is able to detect malware (for example trojans, backdoors, rootkits etc.), is also able to detect social engineering attacks (for example man in the middle attacks and phishing) that trick users into disclosing sensitive information. It can also help detect malicious insiders. 

Types of IDS

IDS can be broadly divided into two groups: signature-based and anomaly-based.

A signature-based IDS scans for known malicious signatures and issues alerts when it discovers them. Malware signatures are rapidly evolving, so signature-based IDS needs to be updated regularly with the latest signatures.

An anomaly-based IDS focuses on identifying unusual behaviors or patterns of activities. Anomaly-based IDS is good at identifying a cybercriminal that is probing the network and flags anything that might be considered abnormal, like multiple failed login attempts.

Top 5 open source intrusion detection systems

While most large enterprises have enterprise-grade technology in place, intrusion detection systems are also crucial for small and medium businesses to protect users, internal servers and public cloud environments. If you don’t have a lot of budget at your disposal, open-source intrusion detection tools are worth looking at.

Here are the five best open-source intrusion detection systems on the market currently:

  1. Snort
  2. Zeek
  3. OSSEC
  4. Suricata
  5. Security Onion

Snort Snort is the oldest IDS and almost a de-facto standard IDS in the open-source world. Even though it doesn’t have a real GUI, it offers a high level of customization, which makes it the IDS of choice for organizations. It can be used to detect a variety of attacks like buffer overflows, stealth port scans, CGI attacks, OS fingerprinting attempts, and more. The Snort community thrives on the backbone of passionate source developers that provide support for the software. Snort is available for Linux, Windows, Fedora, Centos, and FreeBSD. While the interface isn’t very user-friendly, there are several applications available in the market such as Snorby, BASE, Squil, and Anaval that can perform in-depth analysis on the data collected by Snort. 

Zeek Formerly known as Bro, Zeek is a powerful network monitoring tool that focuses on general traffic analysis. It uses a domain-specific language that does not rely on traditional signatures. This means that you can design tasks for its policy engine. For example, you can configure the tool to automatically download suspicious files, send them for analysis, notify relevant authorities if anything is uncovered, blacklist the source and shut down the device that downloaded it. Zeek runs on Unix, Linux, Free BSD, and Mac OS X and can detect suspicious signatures and anomalies. Zeek’s user community is supported by some well known universities, supercomputing centers, research labs, and also lots of open-science communities.

OSSEC OSSEC is an open-source host-based IDS system that performs log analysis, file integrity monitoring, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. OSSEC runs on all major operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. It has a client/server architecture that sends alerts and logs to a centralized server for analysis even if the host system is fully compromised. The OSSEC installer is extremely light (under 1MB) and the majority of analysis occurs on the server making OSSEC very light on CPU usage. Another advantage of the architecture is ease of use as the administrator can centrally manage all agents from a single server.

Suricata Suricata is a robust network threat detection engine that is capable of real time intrusion detection, inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Even though the architecture of Suricata is different from Snort, it behaves like Snort and can use the same signatures. While Snort is single thread, meaning it can only use one CPU at a time, Suricata is multi-threaded, able to take advantage of all available CPUs. It also has built-in hardware acceleration technology that can leverage the power of graphic cards to inspect network traffic. Suricata has the ability to invoke Lua scripts which can be used to peer into traffic or decode malware. Suricata is available on Linux, FreeBSD, OpenBSD, macOS / Mac OS X, and Windows and has very loyal community support.

Security Onion Security Onion is an open-source tool designed for threat hunting, intrusion detection, enterprise security monitoring and log management. The interesting part of this tool is that it combines the power of other security tools like Snort, Kibana, Zeek, Wazuh, CyberChef, NetworkMiner, Suricata, and Logstash. This feature makes it highly comprehensive and versatile, covering pretty much every angle of IT security. Setting-up and working with multiple tools can be complicated but Security Onion features an intuitive set-up wizard that simplifies the set-up process. One of the drawbacks of this tool is that some of the tools have overlapping capabilities and navigating between tools can be tricky.

With small businesses involved in 28% of the breaches in 2020, SMBs need to be extra vigilant in protecting their digital infrastructure and home-working employees. When resources are tight and you’re looking for an effective security solution, open source security software can certainly help keep up your defenses.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author