Top five free enterprise network intrusion-detection tools

Snort has long been the leader among network intrusion-detection and intrusion-prevention

    Requires Free Membership to View

tools, and will most likely continue its reign with continued development from the open source community and the ongoing support of its corporate parent, Sourcefire Inc. (For many years, Sourcefire has sold a fully featured commercial version of Snort that includes vendor support and immediate updates, while a limited version of the product remains available for free.)

Snort has influenced other IDS/IPS vendors in a huge way, either by the way they develop their software or by directly using Snort modules in their offering.

Even with Snort's dominance in the market, there are other vendors that offer similar functionality at no cost. Many, if not most, of these intrusion-detection systems (IDS) providers use a combination of engines, some being Snort and other open source software, to create solid, free intrusion-detection services.

Security Onion

Security Onion is an Ubuntu-based Linux distribution for network monitoring and intrusion detection. The image can be distributed as sensors within the network to monitor multiple VLANs and subnets, and works well in VMware and virtual environments. This configuration can be used as an IDS only. It isn't currently supported to be run as an IPS. However, there is the option to run this both as a network and host intrusion-detection deployment, and to utilize services such as Squil, Bro IDS and OSSEC to perform the IDS functions of the service. The wiki and documentation for the site and software is terrific, and defects and bugs are recorded and reviewed. As great as Security Onion is, however, it still needs more assistance with development, which will most likely happen in time.


OSSEC is an open source host intrusion-detection system (HIDS) that does more than detect intrusions. Like most open source IDS offerings, there are multiple additional modules that can be used with the core functionality of IDS. In addition to network intrusion-detection, the OSSEC client has the ability to perform file integrity monitoring and rootkit detection with real-time alerts, all of which are centrally managed with the ability to create different policies, depending on a company's needs. The OSSEC client runs locally on most operating systems, including Linux versions, Mac OSX and Windows. It also offers commercial support via Trend Micro's Global Support Team. This is a very mature offering.


From the editor: More on Intrusion Detection Systems

Intrusion detection and prevention security guide

IDS and IPS implementation and deployment best practices

OpenWIPS-NG is a free wireless IDS/IPS that relies on a server, sensors and interfaces. It runs on commodity hardware. Created by the author of Aircrack-NG, this system uses many of the functions and services already built into Aircrack-NG for scanning, detection and intrusion prevention. OpenWIPS-NG is modular and allows an administrator to download plug-ins for additional features. The documentation isn't as detailed as some systems', but it allows for companies to perform WIPS on a tight budget.


Out of all the IDS/IPS systems that are currently available, Suricata competes most directly with Snort. This system has an architecture that is similar to Snort's, relies on signatures like Snort, and can even use the VRT Snort rules and the same Emerging Threat rule set that Snort itself uses. Being newer than Snort, Suricata has ways to catch up to in this area. If Snort isn't an option in your organization, this is the closest free tool available to run on an enterprise network.


Bro IDS is similar to Security Onion in that it uses more than IDS rules to determine where attacks are coming from. Bro IDS uses a combination of tools. At one point it used Snort-based signatures converted into Bro signatures. This is no longer the case, and it is now possible to write custom signatures for the Bro IDS. This system is highly documented and has been around for over 15 years.

Snort has definitely made its presence known by the influence it has over most of the IDS/IPS market, including freeware and open source IDS/IPS. The systems reviewed here all perform IDS/IPS a little differently, but are suitable, free alternatives that companies on a budget can utilize to more fully protect their network.

About the author
Matthew Pascucci is a senior information security engineer for a large retail company, where he leads the threat and vulnerability management program. He's written for various information security publications, has spoken for many industry companies and is heavily involved with his local InfraGard chapter. You can follow him on Twitter at @matthewpascucci or check out his blog at www.frontlinesentinel.com.

This was first published in January 2013

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.