|Project Name||Stars||Downloads||Repos Using This||Packages Using This||Most Recent Commit||Total Releases||Latest Release||Open Issues||License||Language|
|Wazuh||7,042||5 hours ago||2,610||other||C|
|Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.|
|Crowdsec||7,039||13||a day ago||250||July 31, 2023||157||mit||Go|
|CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.|
|Awesome Threat Intelligence||6,463||17 days ago||20||apache-2.0|
|A curated list of Awesome Threat Intelligence resources|
|Misp||4,644||6 hours ago||2,312||agpl-3.0||PHP|
|MISP (core software) - Open Source Threat Intelligence and Sharing Platform|
|Open Cyber Threat Intelligence Platform|
|Gau||3,106||1||4 days ago||29||July 23, 2022||13||mit||Go|
|Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.|
|Awesome Threat Detection||2,930||2 days ago||15|
|✨ A curated list of awesome threat detection and hunting resources 🕵️♂️|
|Securityonion||2,304||7 hours ago||43||Shell|
|Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, and case management. It also includes other tools such as Playbook, osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.|
|Rita||2,268||14 days ago||45||March 25, 2020||84||gpl-3.0||Go|
|Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.|
|Awesome K8s Security||1,729||4 months ago||1|
|A curated list for Awesome Kubernetes Security resources|
💃 This is a community-driven project, we need your feedback.
CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read below for more.
Installing it through the Package system of your OS is the easiest way to proceed. Otherwise, you can install it from source.
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash sudo apt-get update sudo apt-get install crowdsec
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash sudo yum install crowdsec
sudo pkg update sudo pkg install crowdsec
wget https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz tar xzvf crowdsec-release.tgz cd crowdsec-v* && sudo ./wizard.sh -i
Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier of entry and nevertheless a high security gain.
The architecture is as follows :
Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.
By sharing the threat they faced, all users are protecting each-others (hence the name Crowd-Security). Crowdsec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyze logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.
CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted for most contexts, but you can easily extend it by picking more of them from the HUB. It is also easy to adapt an existing one or create one yourself.
CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten.
Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, and rule out false positives or poisoning attempts.
Crowdsec is available for various platforms :
Or look directly at installation documentation for other methods and platforms.
This repository contains the code for the two main components of crowdsec :
crowdsec: the daemon a-la-fail2ban that can read, parse, enrich and apply heuristics to logs. This is the component in charge of "detecting" the attacks
cscli: the cli tool mainly used to interact with crowdsec : ban/unban/view current bans, enable/disable parsers and scenarios.
If you wish to contribute to the core of crowdsec, you are welcome to open a PR in this repository.
If you wish to add a new parser, scenario or collection, please open a PR in the hub repository.
If you wish to contribute to the documentation, please open a PR in the documentation repository.