
SANS ISC: Free/inexpensive tools for monitoring systems/networks - SANS Internet Storm Center SANS ISC InfoSec Forums

Free/inexpensive tools for monitoring systems/networks

Tom wrote in to the handlers list today and asked a question that I think our readers can help with (especially since we've gotten so many great ideas from the diary asking for suggestions for Cyber Security Month).  He is looking for tools to allow for more proactive monitoring of his systems, but given shrinking budgets (he works in government, but the situation isn't much better anywhere else), he's looking for something free or, at least, inexpensive. What are you using to monitor patch status? application versions? A/V? behavior? strange files? network devices? anything else?  Is it centrally managed?  Does it scale?

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR408 Computer Forensics Essentials coming to central OH in Sept, see



423 Posts
ISC Handler
Aug 9th 2010
Secunia PSI for patch status/app versions. Every PC user needs that! Strange files and network devices? Don't have one to do that, but would like to be able to.

21 Posts
RANCID for network switch configuration changes, Nagios for uptime, NMAP and Nessus for patch and application versions...

34 Posts
Helix for your Forensics lab;
ngrep for your network forensics;
syslog-ng for your log aggregation;
tcpdump and tshark with some cron kungfu are your friends for capture;
IPTABLES/NETFILTER for your firewalling;
and last but NOT least snort for your IDS.
3 Posts
I miss Big Brother... at least the Big Brother before it was bought by Quest.

262 Posts
ISC Handler
Just a quick note: Backtrack 4 R1 was just released to the public for immediate download in ISO and VM editions.
3 Posts
ZenOSS is decent, it can do network discovery (find those unknown devices), show some application versions on Windows (via WMI). OSSEC for strange files.

17 Posts
Try NetWitness Investigator freeware, great for network forensics and you could build some parsers to detect OS, Browser versions and application types etc.
1 Posts
We have a network of about 14k users, and we have implemented Zabbix for availability monitoring for our security gear. It has a bit of a learning curve but it has worked really well for Windows, Linux and network infrastructure. It's open-source and extremely configurable.
1 Posts
I use Spiceworks for general system monitoring.
Very comprehensive set of tools to deal with network and system monitoring.
2 Posts
Shell scripts running hourly to test ping, SSH login (ssh and client-side key), DNS (dig), SSL certificate validity (openssl s_client), free disk space, CPU load average and much more. When you have lots of tests in place, you often identify issues that you didn't set up an explicit test for.

For SMTP, an hourly email is sent from a remote site, and 5 minutes later I test to ensure it was received, and also that it hasn't hit any new SpamAssassin tests (which has often identified DNS or configuration issues at either end).

For something more flexible I've been moving most tests to 'mon', but some (such as ping and HTTP) are even better done from 'SmokePing', giving historical RRD graphs of reliability and performance.
Steven C.

171 Posts
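A few of the hourly checks described in the post above (certificate validity, free disk space, load average), as an added example that is not the poster's own scripts. The thresholds, function names and sample inputs are assumptions constructed for illustration, and the date parsing assumes GNU `date`.

```shell
#!/bin/sh
# Added example: thresholds and sample data below are assumptions.
CERT_MIN_DAYS=14   # alert when the certificate expires sooner than this
DISK_MAX_PCT=90    # alert when a filesystem is at least this full
LOAD_MAX=4.0       # alert when the 5-minute load average exceeds this

# $1: "notAfter=..." line as printed by
#     openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate
# $2: current time in epoch seconds. Prints whole days left (needs GNU date -d).
cert_days_left() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
    echo $(( (end_epoch - $2) / 86400 ))
}

# stdin: `df -P` output; $1: percent threshold. Prints the mount points over it.
disk_over() {
    awk -v max="$1" 'NR > 1 { p = $5; sub(/%/, "", p); if (p + 0 >= max) print $6 }'
}

# $1: one /proc/loadavg line; $2: limit. Succeeds when the 5-minute value is above it.
load_high() {
    printf '%s\n' "$1" | awk -v lim="$2" '{ exit !($2 + 0 > lim + 0) }'
}

# Run all three checks on captured inputs and print one ALERT line per failure.
report() {   # $1 notAfter line, $2 now (epoch), $3 df -P text, $4 loadavg line
    if days=$(cert_days_left "$1" "$2"); then
        if [ "$days" -lt "$CERT_MIN_DAYS" ]; then echo "ALERT cert: $days days left"; fi
    else
        echo "ALERT cert: could not parse end date"
    fi
    printf '%s\n' "$3" | disk_over "$DISK_MAX_PCT" |
        while read -r mnt; do echo "ALERT disk: $mnt over ${DISK_MAX_PCT}%"; done
    if load_high "$4" "$LOAD_MAX"; then echo "ALERT load: 5-minute average above $LOAD_MAX"; fi
}

# Constructed sample inputs (not real hosts), so the script runs offline.
SAMPLE_NOW=1893456000   # 2030-01-01 00:00:00 UTC
SAMPLE_CERT='notAfter=Jan 11 00:00:00 2030 GMT'
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 41152736 37860520 1178508 97% /
/dev/sdb1 103081248 20616252 77205732 22% /var/log'
SAMPLE_LOAD='0.42 5.10 3.00 2/345 6789'

report "$SAMPLE_CERT" "$SAMPLE_NOW" "$SAMPLE_DF" "$SAMPLE_LOAD"
```

For hourly use, feed `report` the live `openssl`, `df -P` and `/proc/loadavg` output in place of the samples.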
Cacti for historical stats.
Superscan, Nmap, Backtrack.
Solarwinds also has some good free tools - although newer versions are more bloated and full of ads
2 Posts
Used to use OpenNMS but now we use Zenoss to monitor services, disk space and Windows Event logs via WMI.
1 Posts
FireGen for firewall reporting is pretty inexpensive (about $200) and has worked well for us.
3 Posts
- Backtrack 4 for Investigation/Assessments
- Nessus and Metasploit
- DVL for continued education
- Smokeping for uptime/graph stats
- Open Systems Wireless Auditor Assistant for Wireless, Bluetooth, RFID testing.
- Various (too many to list) scripts for specific tests.

65 Posts
I regularly see Secunia PSI recommended and it is a great tool but it should be remembered that the 'P' stands for Personal and use in a commercial environment is strictly prohibited. Unfortunately, this is not obvious from the Web site so, unless people read the EULA when they install it, they often do not realise.

Secunia do have a network version for business users but that is not free.

35 Posts
Concur with Gilbert. Secunia PSI an absolute must. Use the advanced'll be shocked at what you find and what needs to be fixed.
I also use Spiceworks as it provides fairly detailed information about systems on your network.

For Windows security updates WSUS is free from MS if you can deploy it.

69 Posts
Spiceworks. Used now for two years as detail asset tool and doubles as a lite security monitor (a/v status & naughty app installs). WSUS, as well (but not in love (or even in like) w/ it)
1 Posts
OSSEC HIDS (now owned by Trend Micro). It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response on Linux and Windows platforms.

Nagios for network monitoring/management.
5 Posts
We should all remember that free tools may only be free for home/single PC users.

I would suggest making sure that all of the tools which have been paid for are being used to their limits. There is no sense installing and configuring a tool for some type of management X when that management already exists in something you have paid for.

2 Posts
