This is a compilation of some excellent open source security projects. I will continue to update this page. Insert in comments below if you have any good reference projects or open source security tools. I am excluding the obvious ones like Metasploit and Bro for example, in this list.
Platform / Host Security
OSQuery from Facebook
Reference Link: https://osquery.io/
Github link: https://github.com/facebook/osquery
Commercial Comparison: The commercial equivalent functionality is with Tanium.
Description: osquery gives you the ability to query and log things like running processes, logged in users, password changes, usb devices, firewall exceptions, listening ports, and more. It allows you to easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance
Reference link: http://ossec.net/
Github link: https://github.com/ossec/ossec-hids
Description: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response
SIMP from National Security Agency (NSA)
Reference link: http://simp.readthedocs.org/en/latest/
Github link: https://github.com/NationalSecurityAgency/SIMP
Description: SIMP keeps networked systems compliant with given security standards. It is a configuration management and more importanly a means for automated compliance checking/validation with excellent out of box integration using Puppet, authentication with OpenLDAP, and other update options.
Security Monkey from Netflix
Github link: https://github.com/Netflix/security_monkey
Description: Security Monkey monitors policy changes and alerts on insecure configurations in an AWS account.
GRR from Google
Github link: https://github.com/google/grr
Commercial alternative: FireEye/Mandiant’s MIR incident response platform
Description: GRR Rapid Response is an incident response framework focused on remote live forensics. It has a docker image for you to be up and running in ~2 minutes. It has cross-platform support for Linux, Mac OS X and Windows clients. It can perform live remote memory analysis using open source memory drivers for Linux, Mac OS X and Windows, and the Rekall memory analysis framework.
ThreatExchange from Facebook
Reference link: https://developers.facebook.com/docs/threat-exchange/v2.4
Github link: https://github.com/facebook/ThreatExchange
Description: More than 90 companies are now using Facebook’s cybersecurity platform, ThreatExchange, to share security and threat information. It is a set of RESTful APIs on the Facebook Platform for querying, publishing, and sharing security threat information including exchanging details on malware, phishing pages, and other threats with either specific members of the security community.
MozDef: The Mozilla Defense Platform
Reference link: http://mozdef.readthedocs.org/en/latest/
Github link: https://github.com/jeffbryner/MozDef
Description: The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers. It allows for collaborative incident response, visualizations, and easy integration into other enterprise systems
Scumblr & Sketchy from Netflix
Github link: https://github.com/Netflix/Scumblr/wiki
Github link: https://github.com/Netflix/sketchy
Description: Scubmlr performs periodic searches and storing / taking actions on the identified results. Things to look for include compromised credentials, vulnerability / hacking discussion, attack discussion, security relevant social media discussion, etc. – anything that can help your security team keep tabs on security- and attack-related social media and Internet chatter. Sketchy works well with Scumblr by taking automatic screenshots, text scrapes, and html files before they can be taken offline. Such information can all be stored locally or on a S3 bucket on Amazon.
Skyline from Etsy
Github link: https://github.com/etsy/skyline
Commercial alternative: Anomaly detection system from Nagios
Description: Skyline is an real-time anomaly detection system to help security teams with scalable and passive monitoring of potentially hundreds of thousands of metrics. It is designed to be used wherever there are a large quantity of high-resolution timeseries which need constant monitoring. After Skyline detects an anomalous metric, it surfaces the entire timeseries to the webapp, where the anomaly can be viewed and acted upon.
AnomalyDetection from Twitter
Reference link: https://blog.twitter.com/2015/introducing-practical-and-robust-anomaly-detection-in-a-time-series
Github link: https://github.com/twitter/AnomalyDetection
Description: AnomalyDetection is an open-source R package to detect anomalies which is robust, from a statistical standpoint, in the presence of seasonality and an underlying trend.
RTIR REST API
Reference link: https://isc.sans.edu/diary/Automating+Metrics+using+RTIR+REST+API/20087
Github link: https://github.com/tcw3bb/ISC_Posts/blob/master/RTIR-phish-template.py
Description: RTIR is an open source ticketing system for incident response based on Request Tracker. This system can be built based on the Verizon VERIS taxonomy (to compare against Verizon DRIR reports) by creating custom fields that match the categories. This system supports using a REST API(3) to automate the creation of tickets
Securing the Human
Reference link: http://avasecure.com
Github link: https://github.com/SafeStack/ava
Description: AVA maps the realities of your organisation, its structures, and behaviours. This map of people and interconnected entities can then be tested using a unique suite of customisable on-demand and scheduled information security awareness tests. The results of this combine into a detailed risk profile of your organisation unlike any other tool can provide – from the people up.