Free Intrusion Detection (IDS) and Prevention (IPS) Software

Tools to Monitor Your Network for Suspicious or Malicious Activity

Computer Keyboard with symbolic lock key
Hamza TArkkol/E+/Getty Images

Intrusion Detection Systems (IDS) were developed in response to the increasing frequency of attacks on networks. Typically, IDS software inspects host configuration files for risky settings, password files for suspect passwords and other areas to detect violations that could prove dangerous to the network. It also sets in place ways for the network to record suspicious activities and potential attack methods and to report them to an administrator.

An IDS is similar to a firewall, but in addition to guarding against attacks from outside the network, an IDS identifies suspicious activity and attacks from within the system.

Some IDS software can also respond to intrusions it detects. Software that can respond is usually referred to as Intrusion Prevention System (IPS) software. It recognizes and responds to known threats, following a large body of criteria. 

In general, an IDS shows you what is happening, while an IPS acts on known threats. Some products combine both features. Here are a few free IDS and IPS software options.

Snort for Windows

Snort for Windows is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and much more.

Suricata

Suricata is open source software that has been called "Snort on steroids." It delivers real-time intrusion detection, intrusion prevention, and network monitoring. Suricata uses a rules and signature language and Lua scripting to detect complex threats. It is available for Linux, macOS, Windows and other platforms.

The software is free, and there are several fee-based public training events scheduled each year for developer training. Dedicated training events are also available from the Open Information Security Foundation (OISF), which owns the Suricata code. 

Bro IDS

Bro IDS is often deployed in conjunction with Snort. Bro's domain-specific language does not rely on traditional signatures. It logs everything it sees in a high-level network activity archive. The software is particularly useful for traffic analysis and has a history of use in scientific environments, major universities, supercomputing centers and research labs for securing their systems. The Bro Project is part of the Software Freedom Conservancy. 

Prelude OSS

Prelude OSS is the open source version of Prelude Siem, an innovative hybrid intrusion detection system that is designed to be modular, distributed, rock solid and fast. Prelude OSS is suitable for limited-size IT infrastructures, research organizations and for training. It is not intended for large-size or critical networks. Prelude OSS performance is limited but serves as an introduction to the commercial version.

Malware Defender 

Malware Defender is a free Windows-compatible IPS program with network protection for advanced users.

It handles intrusion prevention and malware detection. It is well-suited for home use, although its instructional material is complicated for average users to understand. Formerly a commercial program, Malware Defender is a host intrusion prevention system (HIPS) that monitors a single host for suspicious activity.