30 open-source projects similar to security-onion-solutions/securityonion, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Security Onion alternative.
Maltrail is a malicious traffic detection system used for network intrusion detection. It consists of a network intrusion sensor for monitoring interfaces, a threat intelligence aggregator for syncing blacklists, and a detection engine that identifies security threats through signature matching and heuristic attack patterns. The system distinguishes itself through a distributed sensor architecture that collects traffic data from multiple remote probes and forwards events to a central analysis server. It employs heuristic behavioral analysis to identify unknown threats, such as port scanning o
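As an added illustration of the heuristic side of that description (this is editorial example code, not Maltrail's own), the block below flags a source that touches many distinct ports on one host, or one port on many hosts, inside a short time bucket even when no blacklist entry matches. The thresholds, the bucket size and the sample flows are constructed assumptions; a real sensor would read them from a capture interface.

```python
"""Heuristic port-scan detection over flow records.

Added illustration for this page, not Maltrail's own code. A source that
touches many distinct ports on one host (vertical scan) or one port on many
hosts (horizontal scan) inside a short time bucket is flagged even though no
blacklist entry matches. Thresholds, bucket size and the flows below are
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since the epoch
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


def detect_port_scans(flows, window=10.0, port_threshold=15, host_threshold=10):
    """Return one alert per (source, target) pair that crosses a threshold.

    Flows are grouped into fixed buckets of `window` seconds, so a slow scanner
    spread across several buckets stays below threshold; raise `window` to
    catch slower scans at the cost of more state per source.
    """
    ports_seen = defaultdict(set)  # (src, dst, bucket) -> distinct dports
    hosts_seen = defaultdict(set)  # (src, dport, bucket) -> distinct dsts
    for f in flows:
        bucket = int(f.ts // window)
        ports_seen[(f.src, f.dst, bucket)].add(f.dport)
        hosts_seen[(f.src, f.dport, bucket)].add(f.dst)

    alerts = []
    for (src, dst, bucket), ports in ports_seen.items():
        if len(ports) >= port_threshold:
            alerts.append({"src": src, "kind": "vertical_scan",
                           "target": dst, "count": len(ports), "bucket": bucket})
    for (src, dport, bucket), hosts in hosts_seen.items():
        if len(hosts) >= host_threshold:
            alerts.append({"src": src, "kind": "horizontal_scan",
                           "target": dport, "count": len(hosts), "bucket": bucket})
    return alerts


# Constructed sample traffic: one vertical scanner, one horizontal scanner,
# and a benign client that repeatedly talks to a single service.
SAMPLE_FLOWS = (
    [Flow(1000.0 + i * 0.1, "10.0.0.99", "192.168.1.10", 1 + i) for i in range(20)]
    + [Flow(1005.0 + i * 0.2, "10.0.0.77", f"192.168.1.{i + 1}", 445) for i in range(12)]
    + [Flow(1001.0 + i, "10.0.0.5", "192.168.1.10", 443) for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_FLOWS):
        print(alert)
```

The benign client never trips either counter because it reuses one port on one host; the two scanners are reported once each, keyed on the bucket in which they crossed the threshold.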
OpenEDR is an endpoint detection and response platform designed to collect telemetry and monitor system activity to identify security breaches. It functions as a host-based intrusion detection system and telemetry collector, gathering detailed data on process, network, and file activity. The system includes a dockerized security stack that bundles search, logging, and visualization tools into containers for analyzing endpoint telemetry. It features a security event visualizer that maps process lineage and indexes logs to facilitate root-cause analysis of attacks. The platform provides capabi
Zeek is a network analysis framework and security monitoring tool that transforms raw network packets into high-level semantic logs. It functions as an application protocol analyzer and network intrusion detection system designed to extract meaning from network traffic and monitor for malicious activity. The system focuses on archiving network activity and maintaining historical records of application-layer state for forensic investigation and auditing. It utilizes a combination of modular protocol analyzers and customizable detection policies to perform deep semantic analysis of numerous app
Suricata is an open-source network intrusion detection and prevention engine that analyzes live network traffic in real-time to identify and alert on malicious activity. It operates as a rule-based threat detection system, matching traffic against user-defined signatures to detect known attack patterns and policy violations, and can be placed inline to actively block malicious packets before they reach their target. The engine inspects a wide range of application-layer protocols including HTTP, DNS, TLS, SMB, and MQTT, and supports high-performance packet capture through specialized hardware a
IntelOwl is a threat intelligence platform and security orchestration engine designed to aggregate, analyze, and enrich security observables. It functions as a security incident investigation tool and a threat intelligence aggregator, collecting data on files, domains, and IP addresses from diverse internal and external sources. The system differentiates itself through playbook-based workflow automation, allowing users to define reusable sequences of analysis tasks that trigger subsequent jobs based on prior outputs. It unifies disparate security data into a common schema and utilizes protoco
Logspout is a container log aggregator, forwarder, and routing engine designed to gather logs from Docker containers and route them to centralized external logging systems. It functions as a network-based utility that pipes container output to remote destinations such as syslog or TCP endpoints. The system features a dynamic routing engine that allows the creation and updating of log routing configurations and destination filters in real time via an HTTP interface without restarting the service. It utilizes an adapter-based architecture, enabling the development of custom output modules and t
lnav is a terminal-based log viewer and analyzer designed for aggregating, filtering, and analyzing multiple log files in a single chronological view. It functions as a console application that can replace the system pager, providing syntax highlighting and document navigation for system or application logs. The project distinguishes itself by mapping unstructured log data to virtual SQLite tables, enabling the use of SQL and PRQL for structured data analysis, aggregations, and relational queries. It further differentiates its capability set through native integration for retrieving and taili
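To show what "mapping unstructured log data to SQLite tables" buys an analyst, the added example below (editorial code, not lnav's own; lnav uses built-in format definitions and virtual tables rather than this hand-written parser) loads a few constructed sshd and cron lines into an in-memory SQLite database and runs the kind of aggregation query used to spot a brute-force source. The log lines and the regular expressions are constructed assumptions.

```python
"""Unstructured syslog lines mapped onto SQLite tables and queried with SQL.

Added illustration for this page, not lnav's own code. A small regex parser
plays the role of lnav's format definitions; the resulting tables can then be
aggregated with ordinary SQL. Log lines and regexes are constructed.
"""
import re
import sqlite3

# Constructed sample log: one brute-force source, one successful login,
# one stray failure and an unrelated cron line.
SAMPLE_LOG = """\
Mar 12 10:01:02 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 10:01:04 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 12 10:01:09 bastion sshd[2014]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 12 10:02:15 bastion sshd[2020]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar 12 10:03:40 bastion sshd[2025]: Failed password for root from 198.51.100.9 port 40100 ssh2
Mar 12 10:04:01 bastion CRON[2030]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def load_log(text):
    """Parse each line into a generic syslog row plus an sshd_auth row when it is an auth event."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syslog(ts TEXT, host TEXT, prog TEXT, pid INTEGER, msg TEXT)")
    conn.execute("CREATE TABLE sshd_auth(ts TEXT, result TEXT, method TEXT, "
                 "user TEXT, src TEXT, port INTEGER)")
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the format does not recognise stay unparsed
        conn.execute("INSERT INTO syslog VALUES (?,?,?,?,?)",
                     (m["ts"], m["host"], m["prog"], m["pid"], m["msg"]))
        if m["prog"] == "sshd":
            a = AUTH_RE.match(m["msg"])
            if a:
                conn.execute("INSERT INTO sshd_auth VALUES (?,?,?,?,?,?)",
                             (m["ts"], a["result"], a["method"], a["user"],
                              a["src"], int(a["port"])))
    conn.commit()
    return conn


def failed_logins_by_source(conn, min_failures=2):
    """Sources with at least `min_failures` failed logins, busiest first."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n, GROUP_CONCAT(DISTINCT user) AS users "
        "FROM sshd_auth WHERE result = 'Failed' "
        "GROUP BY src HAVING n >= ? ORDER BY n DESC",
        (min_failures,),
    ).fetchall()


def count_by_program(conn):
    return dict(conn.execute("SELECT prog, COUNT(*) FROM syslog GROUP BY prog").fetchall())


if __name__ == "__main__":
    db = load_log(SAMPLE_LOG)
    print(count_by_program(db))
    for src, n, users in failed_logins_by_source(db):
        print(f"{src}: {n} failures against {users}")
```

The single failure from 198.51.100.9 stays below the threshold, so only the repeat offender is reported; in lnav the equivalent query would run against its built-in `syslog_log` table without a custom parser.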
Tetragon is an eBPF-based runtime security and observability toolset designed for Linux and Kubernetes environments. It functions as a security policy manager, observability agent, and enforcement engine that hooks into kernel functions and tracepoints to detect privilege escalation, container escapes, and unauthorized system activity. The project distinguishes itself through its ability to perform real-time, in-kernel enforcement, allowing it to synchronously terminate malicious processes or modify function return values before a system call completes. It provides deep Kubernetes integration
This project is the core management framework for a security appliance, providing the primary infrastructure for firewall management, network intrusion prevention, and high-availability networking. It serves as the centralized system for controlling network security policies, filtering traffic, and administering a security appliance dashboard. The system is distinguished by its high-availability capabilities, which include synchronizing configurations and connection state tables across redundant nodes to enable automatic hardware failover. It also features a modular plugin architecture for ex
Hayabusa is a Windows event log analyzer, threat hunting tool, and forensic timeline generator. It functions as a detection engine that applies threat patterns to logs to identify suspicious behavior and security threats. The project distinguishes itself through the ability to synchronize detection rules from remote repositories and tune risk levels to prioritize critical alerts. It also provides specialized forensic capabilities, such as extracting event log data into chronological records for incident response investigations. The tool's broader capabilities include security log enrichment
Arkime is a distributed packet analysis platform and full packet capture system designed for recording raw network traffic, indexing metadata, and performing network forensics. It functions as a network traffic indexer and security tool that enables the monitoring, querying, and browsing of large-scale network traffic across multi-cluster architectures. The platform distinguishes itself through its ability to manage distributed capture clusters from a centralized administrative dashboard. It integrates external data feeds with internal traffic logs to identify known threats and provides a pro
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
OpenCanary is a network service simulator and honeypot designed for network intrusion detection. It functions as a security decoy that creates fake server personalities and open ports to identify unauthorized users scanning a private network. The system uses deception technology to mimic various server protocols, luring attackers into revealing their presence and activity. When a simulated service is accessed, it acts as an intrusion alerting gateway, transmitting notifications via email or webhooks. The project covers internal network monitoring and intrusion source tracking to identify the
Tracee is a cloud-native runtime security and forensics tool that uses eBPF to capture system calls and kernel events in real time. It operates as a standalone binary or a Helm-deployable agent for Kubernetes, normalizing system calls, network events, and container activities into a unified event pipeline for consistent analysis. The tool distinguishes itself through policy-driven event filtering using YAML-based rules, allowing users to target specific workloads and reduce noise during monitoring. It includes built-in threat detection signatures that flag suspicious behavioral patterns witho
GOAD is an Ansible-based automation tool and infrastructure orchestrator used to deploy pre-configured networks of vulnerable Windows virtual machines. It serves as a security training environment for practicing Active Directory penetration testing, privilege escalation, and lateral movement across various cloud platforms and local virtualization hypervisors. The project distinguishes itself through a multi-provider infrastructure model and a system of infrastructure recipes that simulate intentional security misconfigurations. It supports the deployment of varied attack scenarios, including
eCapture is a suite of specialized auditing tools designed to capture plaintext database queries, log executed shell commands, forward packet captures, and decrypt TLS traffic. The system extracts plaintext content from encrypted communications and TLS master secrets without requiring CA certificates. It further monitors data interactions by capturing SQL queries from database instances and recording commands from shell environments for host-level auditing. The toolset includes capabilities for network traffic analysis, exporting captured data to pcapng files, and forwarding events to extern
nDPI is a deep packet inspection toolkit and network protocol classifier designed to identify protocols and detect security threats through packet payload inspection. It functions as a network security monitor and a traffic analysis framework used to determine the services originating network flows. The system utilizes a modular dissector architecture and a sequence-based dissector chain to interpret network traffic. It supports custom protocol definition and protocol dissector extensions, allowing for the identification of proprietary or new network protocols. The toolkit provides capabilit
ThreatHunter-Playbook is a structured framework for managing threat hunting playbooks, detection engineering workflows, and adversary tradecraft modeling. It provides a system for organizing behavioral patterns and detection rules into tactical groups to develop security monitoring hypotheses. The project features an interactive security notebook environment that combines analytics and validation queries to test threat hypotheses against telemetry datasets. It includes a mapping tool for organizing these patterns based on the MITRE ATT&CK security framework. The framework covers the full thr
Logstash is a JVM-based event processor and extract, transform, load system designed for log data processing pipelines. It functions as a plugin-based data ingestor that collects, transforms, and delivers logs and event data from multiple sources to various destinations. The system utilizes a modular architecture of interchangeable input, filter, and output components to handle real-time data ingestion and enterprise log aggregation. Users can extend the pipeline's functionality by developing custom plugins to support unique data sources or specific transformation logic. The platform covers
ClamAV - Documentation is here: https://docs.clamav.net
ActivityWatch is an open-source, privacy-focused time tracking platform that automatically records computer usage patterns to provide a comprehensive history of personal digital activity. It functions as a background service that monitors system metrics, application focus, and user input to build a detailed log of how time is allocated across various tasks and projects. The platform distinguishes itself through a local-first architecture that stores all activity data as structured files on the user's machine, ensuring that sensitive usage history remains private and accessible offline. It sup
log.io is a real-time log monitoring system designed for streaming and visualizing system logs in a web browser as they are generated. It consists of a TCP log aggregator that collects formatted messages from remote sources and a file-based log streamer that monitors local files for changes. The system provides a web-based log viewer capable of ad-hoc visualization, allowing users to route specific active log streams to different screens for targeted monitoring. This is supported by a centralized message broker that redistributes incoming logs to web clients. The platform covers centralized
Seatbelt is a C# offensive security framework and host security auditor designed to perform endpoint surveys on Windows systems. It functions as a modular tool for identifying vulnerabilities, misconfigurations, and security-relevant artifacts on both local and remote hosts. The project distinguishes itself through a module-based check system that allows for the integration of custom security command units. It features a security event log parser to track logon and process activity, alongside a credential extraction utility for gathering browser history, saved passwords, and cloud credentials
ClamAV is an open-source antivirus engine and malware detection scanner. It identifies trojans, viruses, and other malicious software by scanning files and data streams against a database of known signatures. The system functions as a signature-based threat detector, allowing for the implementation of threat intelligence by turning malware samples into actionable signatures. It supports the creation of custom malware signatures to identify specific or specialized security threats. The engine provides capabilities for endpoint security monitoring and comprehensive malware detection scanning a
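As an added example of "turning malware samples into actionable signatures" (editorial code, not ClamAV's engine or its database formats), the block below derives an exact hash-plus-size signature from a constructed sample, builds a hex byte-pattern signature with `??` wildcards that also catches a variant, and scans three blobs against both. The sample bytes, signature names and the pattern are constructed assumptions; real ClamAV signatures live in .hdb/.ndb/.ldb files with their own syntax and the engine additionally unpacks archives and executables before matching.

```python
"""Turning a sample into signatures and scanning data against them.

Added illustration for this page, not ClamAV's own engine or signature
format. Two signature styles: an exact digest-plus-length entry derived from
a sample, and a hex byte pattern with `??` wildcards that matches a family of
variants. Sample bytes, names and the pattern are constructed assumptions.
"""
import hashlib
import re

# Constructed "samples": a fake PE header followed by a beacon marker.
SAMPLE_MALWARE = b"MZ\x90\x00" + b"\x00" * 8 + b"EVIL-BEACON-v1 connect 203.0.113.9:8443"
SAMPLE_VARIANT = b"MZ\x90\x00" + b"\x00" * 8 + b"EVIL-BEACON-v2 connect 198.51.100.2:443"
BENIGN = b"#!/bin/sh\necho hello world\n"


def make_hash_signature(sample: bytes, name: str) -> dict:
    """Exact-match signature: digest plus length, in the spirit of a hash database entry."""
    return {"type": "hash", "name": name, "size": len(sample),
            "sha256": hashlib.sha256(sample).hexdigest()}


def make_pattern_signature(hex_pattern: str, name: str) -> dict:
    """Byte-pattern signature from hex text, where `??` matches any single byte."""
    compact = hex_pattern.replace(" ", "").lower()
    tokens = re.findall(r"\?\?|[0-9a-f]{2}", compact)
    if not tokens or "".join(tokens) != compact:
        raise ValueError(f"malformed hex pattern: {hex_pattern!r}")
    regex = b"".join(b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens)
    return {"type": "pattern", "name": name, "regex": re.compile(regex, re.DOTALL)}


def scan_bytes(data: bytes, signatures) -> list:
    """Return the names of every signature that matches `data`, in database order."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for sig in signatures:
        if sig["type"] == "hash":
            # length check first: cheap, and it rules out padded copies outright
            if sig["size"] == len(data) and sig["sha256"] == digest:
                hits.append(sig["name"])
        elif sig["type"] == "pattern":
            if sig["regex"].search(data):
                hits.append(sig["name"])
    return hits


SIGNATURES = [
    make_hash_signature(SAMPLE_MALWARE, "Test.Beacon.Exact"),
    # hex for "EVIL-BEACON-v" followed by any version byte
    make_pattern_signature("45 56 49 4c 2d 42 45 41 43 4f 4e 2d 76 ??", "Test.Beacon.Family"),
]

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_MALWARE), ("variant", SAMPLE_VARIANT), ("benign", BENIGN)):
        print(label, scan_bytes(blob, SIGNATURES))
```

The hash signature only ever matches the byte-identical sample, which is why a single appended null byte defeats it, while the wildcard pattern still fires on the variant; that trade-off between precision and coverage is the reason signature databases carry both kinds.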
T-Pot is a multi-honeypot orchestration platform and threat intelligence collector. It utilizes a Docker-based security sandbox to deploy and manage a collection of diverse decoy services that simulate vulnerable targets to lure attackers and record their activity. The system features a distributed sensor network where remote nodes capture attack logs and transmit them via encrypted communication to a central hub. This central hub employs an analytics stack to transform raw logs into geographic maps and interactive dashboards for adversary behavior visualization. To increase the realism of si
Logan is a cross-platform mobile logging framework that collects, stores, and uploads client-side logs from iOS, Android, Web, and Flutter environments for centralized debugging and analysis. It provides a complete pipeline from client-side log buffering and file-based local storage through to server-side ingestion and a visual browser for inspecting parsed logs. The system uses a structured binary protocol to encode log entries with content, type, timestamp, and thread metadata, enabling consistent parsing across platforms. A log receiving server handles uploaded files, while a web-based int
Fluentd is a unified logging layer and distributed event router that collects, parses, and routes log data from diverse sources to various storage backends. It functions as a log forwarding agent and pipeline orchestrator, transforming raw unstructured log strings into formatted objects using structured log parsing. The project utilizes a plugin-based pipeline architecture to route data through independent input, filter, and output stages. It differentiates itself through tag-based event routing, which uses regular expression patterns to direct specific data streams to their intended destinat
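The Logstash and Fluentd entries both describe the same pipeline shape: an input stage that tags events, filters that restructure them, and outputs chosen by matching the tag. The added example below (editorial code, not Fluentd's or Logstash's) implements that routing for a few constructed events: a filter parses nginx-style access lines into fields and drops unparsable ones, and output patterns send access logs, error logs and everything else to separate sinks. Plain regular expressions stand in for Fluentd's glob-style match patterns; the tag names, parser, sinks and sample events are constructed assumptions.

```python
"""Tag-based event routing through input, filter and output stages.

Added illustration for this page, not Fluentd's or Logstash's code. Every
event carries a tag; filters apply to events whose tag matches a pattern and
the output is picked by matching the tag against routing patterns, first
match winning as in Fluentd (Logstash evaluates every output's conditional
instead). Tags, parser, sinks and sample events are constructed.
"""
import re

NGINX_RE = re.compile(
    r'(?P<client>\S+) - \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)


class Pipeline:
    """Minimal tag router: filters run in order, first matching output wins."""

    def __init__(self):
        self._filters = []  # (compiled tag regex, fn(record) -> record or None)
        self._outputs = []  # (compiled tag regex, sink list)

    def add_filter(self, tag_pattern, fn):
        self._filters.append((re.compile(tag_pattern), fn))
        return self

    def add_output(self, tag_pattern, sink):
        self._outputs.append((re.compile(tag_pattern), sink))
        return self

    def emit(self, tag, record):
        """Push one event through the pipeline; return the sink that took it, or None."""
        for rx, fn in self._filters:
            if rx.fullmatch(tag):
                record = fn(dict(record))      # copy so filters never mutate caller data
                if record is None:
                    return None                # filter dropped the event
        for rx, sink in self._outputs:
            if rx.fullmatch(tag):
                sink.append((tag, record))
                return sink                    # first match wins
        return None                            # unrouted; a real agent would warn here


def parse_nginx(record):
    """Filter stage: turn the raw access-log line into structured fields, or drop it."""
    m = NGINX_RE.match(record.get("message", ""))
    if m is None:
        return None
    record.update(m.groupdict())
    record["status"] = int(record["status"])
    record["bytes"] = int(record["bytes"])
    return record


def add_host(record):
    record.setdefault("host", "web-01")  # constructed hostname for every event
    return record


def build_pipeline():
    sinks = {"access": [], "errors": [], "catch_all": []}
    pipeline = (Pipeline()
                .add_filter(r"web\.access", parse_nginx)
                .add_filter(r".*", add_host)
                .add_output(r"web\.access", sinks["access"])
                .add_output(r".*\.error", sinks["errors"])
                .add_output(r".*", sinks["catch_all"]))
    return pipeline, sinks


# Constructed sample events, tagged as an input plugin would tag them.
SAMPLE_EVENTS = [
    ("web.access", {"message": '203.0.113.5 - - [12/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512'}),
    ("web.access", {"message": "not an access log line"}),
    ("web.error", {"message": "upstream timed out while reading response header"}),
    ("db.slow", {"message": "query took 3.2s"}),
]


def run_sample():
    pipeline, sinks = build_pipeline()
    for tag, record in SAMPLE_EVENTS:
        pipeline.emit(tag, record)
    return sinks


if __name__ == "__main__":
    for name, events in run_sample().items():
        print(name, events)
```

Order matters twice here: filters run in registration order, so the parser sees the raw line before the host field is added, and the catch-all output must be registered last or it would swallow every event.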
This project is a security hardening guide and privacy configuration manual for macOS. It provides a comprehensive set of instructions for configuring system settings to improve privacy, reduce the attack surface, and implement a malware defense framework. The guide covers technical methods for validating software notarization, verifying application sandboxing, and auditing system activity. It distinguishes itself by providing detailed workflows for restricting high-risk features and applying advanced security configurations to protect the operating system. The documentation covers several k