Maltrail is a malicious traffic detection system used for network intrusion detection. It consists of a network intrusion sensor for monitoring interfaces, a threat intelligence aggregator for syncing blacklists, and a detection engine that identifies security threats through signature matching and heuristic attack patterns. The system distinguishes itself through a distributed sensor architecture that collects traffic data from multiple remote probes and forwards events to a central analysis server. It employs heuristic behavioral analysis to identify unknown threats, such as port scanning o
OpenEDR is an endpoint detection and response platform designed to collect telemetry and monitor system activity to identify security breaches. It functions as a host-based intrusion detection system and telemetry collector, gathering detailed data on process, network, and file activity. The system includes a dockerized security stack that bundles search, logging, and visualization tools into containers for analyzing endpoint telemetry. It features a security event visualizer that maps process lineage and indexes logs to facilitate root-cause analysis of attacks. The platform provides capabi
Zeek is a network analysis framework and security monitoring tool that transforms raw network packets into high-level semantic logs. It functions as an application protocol analyzer and network intrusion detection system designed to extract meaning from network traffic and monitor for malicious activity. The system focuses on archiving network activity and maintaining historical records of application-layer state for forensic investigation and auditing. It utilizes a combination of modular protocol analyzers and customizable detection policies to perform deep semantic analysis of numerous app
Suricata is an open-source network intrusion detection and prevention engine that analyzes live network traffic in real time to identify and alert on malicious activity. It operates as a rule-based threat detection system, matching traffic against user-defined signatures to detect known attack patterns and policy violations, and can be placed inline to actively block malicious packets before they reach their target. The engine inspects a wide range of application-layer protocols including HTTP, DNS, TLS, SMB, and MQTT, and supports high-performance packet capture through specialized hardware a