MISP is an open-source threat intelligence and sharing platform. It offers many ad-hoc visualization methods for making sense of data and ships with a large set of taxonomies for organizing data, so part of the classification work is done for you.
You can store your IOCs in a structured manner and benefit from correlation, automated exports for IDS or SIEM in formats such as STIX or OpenIOC, and synchronization with other MISP instances, so the value of your data is available without manual effort. The primary goal of MISP is to be used, which is why simplicity is the driving force behind the project: storing, and especially using, information about threats and malware should not be difficult. MISP helps you get the most out of your data without unmanageable complexity and makes it easier both to share with and to receive from trusted partners and trust groups. Sharing also enables collaborative analysis and saves you from redoing work someone else has already done.
Threat intelligence is much more than indicators of compromise. This is why MISP provides metadata tagging, feeds and visualization, and lets you integrate with other tools for further analysis through its open protocols and data formats. Access to the large volume of threat information available through MISP threat-sharing communities lets you aggregate it and work out how the pieces fit together into a broader story, turning technical data and IOCs into cyber threat intelligence. MISP's visualization options help analysts find the answers they are looking for.
Github: https://github.com/MISP/
Of interest:
There are more repos but I haven't gone through them yet.
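As an added example of the "structured IOCs in, IDS rules out" workflow described above, the following script takes an event in MISP's JSON layout and renders its `to_ids` attributes as Suricata rules. This is illustrative code written for this page, not MISP's own export module (MISP generates Suricata/Snort rules server-side through its REST export endpoints); the event data is constructed, and the rule template, sid base and value-sanitization policy are assumptions.

```python
"""Added example: render to_ids attributes of a MISP-style event as Suricata rules.

Not MISP's own exporter. The event below is constructed sample data; the rule
template, SID_BASE and the rejection of quote/semicolon characters are
choices made for this example.
"""
import ipaddress
import json

# Constructed sample event. type/category/value/to_ids are real MISP attribute
# fields; the values themselves are made up (RFC 5737 documentation addresses).
SAMPLE_EVENT_JSON = json.dumps({
    "Event": {
        "id": "1",
        "info": "Constructed demo event",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.23", "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "c2.example.net", "to_ids": True},
            # to_ids false: analyst context only, must never reach the sensor
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.7", "to_ids": False},
            {"type": "md5", "category": "Payload delivery",
             "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
        ],
    }
})

SID_BASE = 3000000  # assumed local sid range; keep it clear of your ruleset's reserved ranges


def ids_attributes(event_json):
    """Return only attributes flagged to_ids; that flag is MISP's export gate."""
    event = json.loads(event_json)["Event"]
    return [a for a in event["Attribute"] if a.get("to_ids")]


def attribute_to_rule(event_id, attr, sid):
    """Render one attribute as a Suricata rule, or None if no network rule applies."""
    t, v = attr["type"], attr["value"]
    # A shared attribute value ends up inside a rule file: refuse characters
    # that would terminate the content match or the rule option list.
    if any(c in v for c in '";\n'):
        raise ValueError(f"unsafe characters in attribute value {v!r}")
    if t == "ip-dst":
        ipaddress.ip_address(v)  # raises on junk before it reaches the sensor
        return (f'alert ip $HOME_NET any -> {v} any '
                f'(msg:"MISP e{event_id} Outgoing to IP {v}"; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    if t == "domain":
        return (f'alert dns $HOME_NET any -> any any '
                f'(msg:"MISP e{event_id} DNS lookup {v}"; '
                f'dns.query; content:"{v}"; nocase; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    return None  # hashes etc. are not network-observable; leave them to host tooling


def export_suricata(event_json):
    """Build the rule list for an event; sids are allocated sequentially from SID_BASE."""
    event_id = json.loads(event_json)["Event"]["id"]
    rules = []
    for attr in ids_attributes(event_json):
        rule = attribute_to_rule(event_id, attr, SID_BASE + len(rules))
        if rule:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in export_suricata(SAMPLE_EVENT_JSON):
        print(rule)
```

The two points worth carrying over to a real deployment are the `to_ids` gate (MISP attributes are frequently context rather than detection material, and exporting all of them floods the sensor) and the value check: anything pulled from a sharing community is attacker-influenced input that lands in a configuration file, so it has to be validated before it is written out.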
Schnoz is a tool that I wrote in Python to monitor network traffic and analyze potential threats. I compiled all of the small scripts regarding network analysis to create a multirange tool. Please make sure that you have scapy installed. Implements active network sniffing, pulling from pcap files, alerting on specific traffic parameters, and analysis of captured HTTP traffic.
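To show what the pcap-reading, alerting and HTTP-analysis parts of such a tool involve, here is an added example that does the same job with the standard library only (no scapy), so it runs offline. It is written for this page and is not Schnoz's source; the capture is built in memory from constructed frames, and the watchlist, port list and User-Agent fragments are assumed detection parameters.

```python
"""Added example: parse a classic pcap, pull out HTTP requests and raise alerts.

Illustrative code, not Schnoz's own. The pcap bytes are constructed inline;
WATCHLIST_IPS, SUSPICIOUS_PORTS and SUSPICIOUS_UA_FRAGMENTS are assumptions.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed detection parameters for the example.
WATCHLIST_IPS = {"198.51.100.23"}
SUSPICIOUS_PORTS = {4444, 1337}
SUSPICIOUS_UA_FRAGMENTS = ("sqlmap", "nikto", "python-requests")


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload (checksums left zero; the parser does not verify them)."""
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + body


# Constructed capture: a benign GET, a request to a watchlisted host with a
# scanner User-Agent and cleartext Basic credentials, and a non-HTTP flow to 4444.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "93.184.216.34", 50000, 80,
                 b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    build_packet("10.0.0.5", "198.51.100.23", 50001, 80,
                 b"POST /login HTTP/1.1\r\nHost: c2.example.net\r\nUser-Agent: sqlmap/1.7\r\n"
                 b"Authorization: Basic YWRtaW46cGFzcw==\r\nContent-Length: 0\r\n\r\n"),
    build_packet("10.0.0.5", "203.0.113.9", 50002, 4444, b"\x00\x01binary"),
])


def iter_records(pcap):
    """Yield raw frames; handles both byte orders of the classic pcap magic."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if len(ip) < 20 or ip[9] != 6:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def parse_http_request(payload):
    """Parse request line and headers into a dict, or None when the payload is not HTTP."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode(), "uri": parts[1].decode("latin-1"), "headers": headers}


def analyze_pcap(pcap):
    """Walk the capture and return alert strings in packet order."""
    alerts = []
    for frame in iter_records(pcap):
        tcp = parse_tcp(frame)
        if not tcp:
            continue
        src, dst, sport, dport, payload = tcp
        if dst in WATCHLIST_IPS:
            alerts.append(f"watchlist: {src} -> {dst}:{dport}")
        if dport in SUSPICIOUS_PORTS:
            alerts.append(f"suspicious port: {src} -> {dst}:{dport}")
        req = parse_http_request(payload)
        if req:
            ua = req["headers"].get("user-agent", "").lower()
            if any(frag in ua for frag in SUSPICIOUS_UA_FRAGMENTS):
                alerts.append(f"http scanner UA: {src} {req['method']} {req['uri']} ({ua})")
            if "authorization" in req["headers"]:
                alerts.append(f"cleartext credentials: {src} -> {dst} {req['uri']}")
    return alerts


if __name__ == "__main__":
    for alert in analyze_pcap(SAMPLE_PCAP):
        print(alert)
```

Two caveats a practitioner would add before trusting output like this on real traffic: the HTTP parser only sees a request that fits in one segment (a production tool reassembles TCP streams first), and it deliberately ignores IP and TCP checksums, so a crafted capture can carry frames a real host would have discarded.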
Suricata IDS is a free intrusion detection/prevention system and network security monitoring engine. This is a list of awesome things that go with it.
Log configurations and scripts for a host intrusion detection system. The iptables, syslog and psad configs live here because they are becoming hard to manage otherwise. Included: configs for various systemd units, rsyslog, psad, logrotate and iptables; tab-key completion files for bash; manpages; and a couple of scripts for managing running settings.
A daemon that runs on a *nix machine that simulates a network of other systems (of many different operating systems) for the purposes of catching and monitoring intruders.