Snort v2.9
Snort v3.0

All Sums


All Sums



Cisco Projects

Daemonlogger™ is a packet logger and soft tap developed by Martin Roesch. The libpcap-based program has two runtime modes:

  1. It sniffs packets and spools them straight to the disk and can daemonize itself for background packet logging. By default the file rolls over when 2 GB of data is logged.
  2. It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.

These two runtime modes are mutually exclusive, if the program is placed in tap mode (using the -I switch) then logging to disk is disabled.

Make SURE you read the included COPYING file so that you understand how this file is licensed by Cisco, even though it's under the GPL v2 there are some clarifications that we have made regarding the licensing of this program.

PE Sig is a tool written in Ruby that generates ClamAV® signatures for portable executable files.

Project Razorback™ is an undertaking by Talos. Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.

Pulled_Pork is tool written in perl for managing Snort rule sets. Pulled_Pork features include:

  • Automatic rule downloads using your Oinkcode
  • MD5 verification prior to downloading new rulesets
  • Full handling of Shared Object (SO) rules
  • Generation of so_rule stub files
  • Modification of ruleset state (disabling rules, etc)
  • The project is run by JJ Cummings

Tool for parsing and generating usable information from Snort's performance metric output.

SnoGE is a Snort unified reporting tool, it processes your unified files (that’s Snort’s output format), and represents them as place-marks on Google Earth. It can operate in a few modes, Real-time, refresh, and one-time.

Dumbpig is an automated bad-grammar[sik] detector for snort rules. It parses each rule in a file and reports on badly formatted entries, incorrect usage, and alerts to possible performance issues. It should be considered as work in progress and all users should only work with the latest code available.

OfficeCat™ is a command line utility developed by Talos that can be used to process Microsoft Office Documents to determine the presence of potential exploit conditions in the file. OfficeCat is available for Windows and Linux. While this software has been incorporated into Razorback, you can still find the officecat download in the nuggets section.

Snort-vim is the configuration for the popular text based editor VIM, to make Snort configuration files and rules appear properly in the console with syntax highlighting. This has been merged into VIM, and can be accessed via "vim filetype=hog".

3rd Party Projects

Barnyard2 provides the following enhancements to the original

  • Parsing of the new unified2 log files.
  • Maintains majority of the command syntax of barnyard.
  • Addressed all associated bug reports and feature requests arising since barnyard-0.2.0.
  • Completely rewritten code based on the GPLv2 Snort making it entirely GPLv2.
  • SnortSam functionality

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! For more information, or to contact the author, please see

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

This tool is a small Linux Daemon that greps the Snort Alert file and blocks the offending hosts via iptables for a given amount of time. iBlock supports the whitelisting of IP addresses so those IPs will never be blocked.

This tool is a script that will graph the output of the Pattern Matching system from Snortdiv

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

OSSIM stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator with detailed view over each and every aspect of his networks/hosts/physical access devices/server/etc

Snorby is a new, open source front-end for Snort. The basic fundamental concepts behind Snorby are simplicity and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use. To download Snorby visit the project site.

PacketFence is a fully supported, Free and Open Source network access control (NAC) system. PacketFence is actively maintained and has been deployed in numerous large-scale institutions over the past years. It can be used to effectively secure networks - from small to very large heterogeneous networks. PacketFence has been deployed in production environments where thousands of users are involved.

SNEZ is a web interface to the popular open source IDS program SNORT® . The main design feature of SNEZ is the ability to filter (or dismiss) alerts without having to delete.

bProbe is a Snort IDS that is configured to run in packet logger mode. It can be installed on a pc and inserted at a key juncture in a network to monitor and collect network activity data. The data collected is sent to a central "receiver" server (not included), which is any software capable of interpreting IDS data such as Snort or its variants.

bProbe uses Snort, Barnyard2, and Pulled_Pork, which are provided pre-configured on a Linux Centos 64-bit cd to save you time and maintenance.

EasyIDS is an easy to install intrusion detection system configured for Snort. Based upon Patrick Harper's Snort installation guide and modeled after the trixbox installation cd, EasyIDS is designed for the network security beginner with minimal Linux experience.

NST is a bootable ISO live CD/DVD is based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86 platforms.

This tool is used to query and view IDS alert data stored in a Sguil database. The design philosophy is somewhat.. OK, loosely, analogous to reading a newspaper.

Zeroshell is a Linux distribution for servers and embedded devices aimed at providing the main network services a LAN requires. It is available in the form of Live CD or Compact Flash image and you can configure and administer it using your web browse