Network IDS / NSM — Suricata, Zeek, Snort
Signature + anomaly + protocol-aware traffic monitoring.
Network intrusion detection and network security monitoring catch what endpoints miss: lateral movement, exfil patterns, beacons, protocol abuse. The 2024–26 mainstream is Suricata + Zeek as a pair (they complement each other) often bundled in Security Onion. For SIEM ingestion see SIEM (Wazuh / Graylog). For runtime / k8s side see Runtime Security. For honeypots see Honeypots (T-Pot).
Signature-based IDS / IPS
- ★ ★ Suricata (OISF) — multi-threaded; signature + script + Lua + protocol-aware; supports Snort 2 + Snort 3 rules; can run inline (IPS); high-throughput. Free OSS — the contemporary default.
- Snort 3 (Cisco) — the original IDS, rewritten; multi-threaded; rule-compatible with Snort 2.x; free OSS + paid Talos rule subscription.
- Snort 2 / 2.9 — legacy but still pervasive.
- OPNsense / pfSense Suricata package — turnkey on a router.
Behaviour / protocol-aware NSM
- ★ ★ Zeek (formerly Bro) — protocol-aware network analyser; emits structured logs (
conn.log,dns.log,http.log,ssl.log,x509.log,files.log,notice.log); extensible scripts. Free. The reference NSM tool. - Zeek packages — the
zeek-packages(a.k.a. zkg) ecosystem; community detection scripts. - Corelight — paid commercial Zeek + curated signal.
- Brim / Zui — pcap + Zeek log explorer.
Distros / bundles
- ★ Security Onion — Linux distro that bundles Suricata + Zeek + Stenographer + ElasticSearch + Wazuh + TheHive + CyberChef. The "NSM in a day" choice. Free.
- SELKS (Stamus Networks) — Suricata + ELK + Scirius management UI; another bundled distro.
- OPNsense + Suricata — for network-edge IDS at home / SMB.
- pfSense / OPNsense + Sensor mode — common SOHO stack.
Capture / pcap infrastructure
- Stenographer (Google) — full-packet capture with retention rotation.
- Arkime (formerly Moloch) — full-packet capture indexer + query UI; free OSS.
- netsniff-ng — high-performance capture toolset.
- PF_RING (ntop) — high-throughput capture; free / Pro.
- dpdk-based capture — for 40 G+.
Wireshark and friends (link)
- Wireshark — analysis GUI; the reference.
- tshark — CLI Wireshark.
- NetworkMiner — file extraction / session reconstruction.
- Brim / Zui — fast pcap-to-Zeek triage.
NetFlow / sFlow / IPFIX
- nfdump / nfcapd — classic.
- softflowd / pmacct — exporters.
- ntopng (ntop) — flow + DPI dashboards; free + paid.
- Akvorado — flow visualisation.
- Elastiflow — paid.
- Kentik — paid SaaS.
DNS-side detection
- Zeek dns.log — easiest passive DNS export.
- Pi-hole / AdGuard Home — DNS-level block at edge; see DNS Infrastructure.
- DNS RPZ (Response Policy Zones) — sinkhole malicious domains; BIND / Knot supported.
- Sigma DNS rules — see Detection (Sigma / YARA / ATT&CK).
Beacon detection / C2 hunting
- RITA (Active Countermeasures) — Real Intelligence Threat Analytics; Zeek-log-based beacon hunting. Free.
- AC-Hunter (Active Countermeasures) — paid; productised RITA.
- JA3 / JA4 — TLS client fingerprints; in Suricata/Zeek and many IDS rules.
- JA4+ ecosystem (FoxIO 2024) — modern fingerprint suite for TLS / HTTP / SMB / SSH / CDN.
ICS / OT-aware
- Suricata + ICS rule packs — Modbus / DNP3 / S7 / IEC101.
- Zeek + Dragos / Nozomi packages.
- Malcolm (Idaho National Lab) — ICS-flavour Security-Onion-like.
- Conpot — ICS honeypot; see Honeypots (T-Pot).
Putting it together
Standard SOC stack 2026:
- TAP / SPAN port mirror or eBPF capture → Suricata (alerts) + Zeek (NSM logs) → Filebeat / Vector → OpenSearch / Wazuh → TheHive case creation on critical alerts.
Edge / SMB:
- OPNsense + Suricata IPS inline + Zeek if box is meaty enough.
Cloud:
- VPC mirroring (AWS) / vTAP (Azure) → Suricata in containers → S3-archived Zeek logs.
Pick this if…
- Default IDS engine: Suricata.
- Default NSM logging engine: Zeek.
- Best of both, bundled: Security Onion.
- Beacon / long-tail C2 hunting on Zeek logs: RITA.
- Full-packet capture: Arkime + Stenographer.
- Edge router IPS: OPNsense + Suricata.
- Cisco shop / Snort heritage: Snort 3 with Talos rules.