Intrusion Prevention and Active Response: Deploying Network and Host IPS

This chapter presented several free, open source tools for implementing intrusion prevention and active response at the network, system, and application levels. These tools were discovered via Web searches and from the authors' own experiences with them. Open source tools tend to vary in terms of features, documentation, support, and maintenance; however, they are often adaptable to your specific needs and offer a low-cost means of testing and utilizing the technology.
When examining the tools presented in this chapter, there are several key points to note. First, most of the tools are UNIX/Linux-based; no open source Windows-based IPS or active response tools were discovered. Another point that stands out is that several of the tools work with the Snort IDS. This should come as no surprise, since Snort is an advanced, community-supported open source effort. The tools discovered are still focused mostly on signature matching and string matching. They also do not utilize many of the advanced packet inspection methods discussed in earlier chapters, such as awareness of protocol standards compliance and usage. No open source anomaly- or behavior-based detection tools were discovered either. Although all of the tools discussed can integrate with and augment commercial solutions, only one actually interacts with commercial products. Lastly, all of the tools offer minimal active response choices: most simply perform session disconnects or create firewall rules.
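The "signature match, then create a firewall rule" pattern that this chapter's tools share is easy to get wrong in practice: a bare alert-to-block loop will happily block your own monitoring hosts, act on low-priority noise, and insert the same rule repeatedly. The following Python script is an added example, not code from the chapter or from any of the tools it surveys. It parses lines in Snort's `alert_fast` output format (the sample lines, the `NEVER_BLOCK` allow-list, and the priority threshold are all constructed for the example), decides a response for each alert, and emits the `iptables` command it would run as an argument list rather than executing anything, so it can be reviewed as a dry run before being wired to a real enforcement point.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "alert_fast" format (not taken from the chapter).
SAMPLE_ALERTS = """\
04/12-10:15:22.123456  [**] [1:2003:7] WEB-MISC suspicious request [**] [Priority: 2] {TCP} 198.51.100.23:44312 -> 192.0.2.10:80
04/12-10:15:23.654321  [**] [1:1000001:1] SCAN portscan [**] [Priority: 3] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22
04/12-10:15:24.000001  [**] [1:2003:7] WEB-MISC suspicious request [**] [Priority: 2] {TCP} 192.0.2.50:33000 -> 192.0.2.10:80
04/12-10:15:25.000002  [**] [1:2003:7] WEB-MISC suspicious request [**] [Priority: 2] {TCP} 198.51.100.23:44313 -> 192.0.2.10:80
"""

# Hypothetical allow-list of networks that must never be blocked by automated response
# (your own servers, sensors, management hosts). Constructed for the example.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

# Snort priorities: 1 is the most severe. Only alerts at or above this level trigger a block.
MAX_PRIORITY_TO_ACT = 2

# Matches the [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src:sport -> dst:dport fields.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def is_protected(ip):
    """True if the address falls inside a network we refuse to block automatically."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def plan_responses(alert_text):
    """Decide an action for every alert line. Returns a list of (action, alert) tuples.

    Actions: "block" (new firewall rule), "duplicate" (source already blocked in this run),
    "skip_protected" (source is on the allow-list), "log_only" (priority too low to act on).
    Nothing is executed here; this is the review step before any enforcement.
    """
    plans = []
    already_blocked = set()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["prio"] > MAX_PRIORITY_TO_ACT:
            plans.append(("log_only", alert))
        elif is_protected(alert["src"]):
            plans.append(("skip_protected", alert))
        elif alert["src"] in already_blocked:
            plans.append(("duplicate", alert))
        else:
            already_blocked.add(alert["src"])
            plans.append(("block", alert))
    return plans


def to_iptables_argv(plan):
    """Build the iptables command for a "block" plan as an argv list (no shell involved).

    Returns None for every other action. Passing an argv list to subprocess.run, rather than
    interpolating the alert text into a shell string, keeps attacker-controlled rule messages
    out of the command line.
    """
    action, alert = plan
    if action != "block":
        return None
    return ["iptables", "-I", "INPUT", "-s", alert["src"], "-j", "DROP"]


if __name__ == "__main__":
    for plan in plan_responses(SAMPLE_ALERTS):
        action, alert = plan
        cmd = to_iptables_argv(plan)
        print(f"{action:15} sid={alert['sid']:8} src={alert['src']:16} {' '.join(cmd) if cmd else ''}")
```

Run against the constructed sample, the first alert produces a block, the portscan is only logged because its priority is 3, the alert from `192.0.2.50` is skipped because the source is on the allow-list, and the fourth alert is recognised as a duplicate of the first rather than inserting a second identical rule. To turn this into an enforcing tool you would replace the `print` with `subprocess.run(cmd, check=True)` and persist `already_blocked` across runs; the allow-list and priority threshold are the two controls that keep a signature-driven responder from becoming a self-inflicted denial of service.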
All of the tools discussed in this chapter offer some level of use for simple environments; however, none offer full enterprise protection. Some...