Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-blueteam


https://github.com/0xZipp0/awesome-blueteam

Last synced: 5 days ago
JSON representation

  • Automation

      • Clevis - Plugable framework for automated decryption, often used as a Tang client.
      • DShell - Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.
      • Dev-Sec.io - Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.
      • peepdf - Scriptable PDF file analyzer.
      • PyREBox - Python-scriptable reverse engineering sandbox, based on QEMU.
      • Watchtower - Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience.
      • Ansible Lockdown - Curated collection of information security themed Ansible roles that are both vetted and actively maintained.
    • Code libraries and bindings

      • MultiScanner - File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.
      • Posh-VirusTotal - PowerShell interface to VirusTotal.com APIs.
      • censys-python - Python wrapper to the Censys REST API.
      • libcrafter - High level C++ network packet sniffing and crafting library.
      • python-dshield - Pythonic interface to the Internet Storm Center/DShield API.
      • python-stix2 - Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks.
      • python-sandboxapi - Minimal, consistent Python API for building integrations with malware sandboxes.
    • Security Orchestration, Automation, and Response (SOAR)

      • Shuffle - Graphical generalized workflow (automation) builder for IT professionals and blue teamers.
  • Cloud platform security

    • Security Orchestration, Automation, and Response (SOAR)

      • Scout Suite - Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
      • gVisor - Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.
      • asecure.cloud/tools
      • Checkov - Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
      • Falco - Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.
      • Kata Containers - Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
    • Kubernetes

      • Managed Kubernetes Inspection Tool (MKIT) - Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
      • kube-forensics - Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.
      • KubeSec - Static analyzer of Kubernetes manifests that can be run locally, as a Kuberenetes admission controller, or as its own cloud service.
      • Linkerd - Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself.
      • Polaris - Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster.
      • kube-hunter - Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.
    • Distributed observability and tracing

      • OpenTelemetry - Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects).
      • Jaeger - Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems.
      • Zipkin - Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures.
    • Service meshes

      • ServiceMesh.es
      • Istio - Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
  • Communications security (COMSEC)

    • Service meshes

      • GPG Sync - Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team.
      • GlobaLeaks - Free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
      • SecureDrop - Open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.
  • DevSecOps

    • Service meshes

      • awesome-devsecops
      • Bane - Custom and better AppArmor profile generator for Docker containers.
      • BlackBox - Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG.
      • Git Secrets - Prevents you from committing passwords and other sensitive information to a git repository.
      • Trivy - Simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for use in continuous integration pipelines.
      • Cilium - Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
      • DefectDojo - Application vulnerability management tool built for DevOps and continuous security integration.
      • Gauntlt - Pentest applications during routine continuous integration build pipelines.
      • Snyk - Finds and fixes vulnerabilities and license violations in open source dependencies and container images.
      • Vault - Tool for securely accessing secrets such as API keys, passwords, or certificates through a unified interface.
      • git-crypt - Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.
      • SOPS - Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.
      • Clair - Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.
    • Fuzzing

      • Awesome-Fuzzing
      • FuzzBench - Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.
      • OneFuzz - Self-hosted Fuzzing-as-a-Service (FaaS) platform.
      • Atheris - Coverage-guided Python fuzzing engine based off of libFuzzer that supports fuzzing of Python code but also native extensions written for CPython.
    • Policy enforcement

      • Tang - Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network.
      • OpenPolicyAgent - Unified toolset and framework for policy across the cloud native stack.
    • Application or Binary Hardening

      • DynInst - Tools for binary instrumentation, analysis, and modification, useful for binary patching.
      • DynamoRIO - Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.
      • Egalito - Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.
    • Compliance testing and reporting

      • Chef InSpec - Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.
      • OpenSCAP Base - Both a library and a command line tool (`oscap`) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).
  • Honeypots

    • Policy enforcement

      • CanaryTokens - Self-hostable honeytoken generator and reporting dashboard; demo version available at [CanaryTokens.org](https://canarytokens.org/).
      • awesome-honeypots
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
    • Tarpits

      • Endlessh - SSH tarpit that slowly sends an endless banner.
  • Host-based tools

    • Tarpits

      • Artillery - Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.
      • Crowd Inspect - Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.
      • Open Source HIDS SECurity (OSSEC) - Fully open source and free, feature-rich, Host-based Instrusion Detection System (HIDS).
    • Sandboxes

      • Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.
      • Firejail - SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.
  • Incident Response tools

  • Network perimeter defenses

    • Evidence collection

      • fwknop - Protects ports via Single Packet Authorization in your firewall.
    • Firewall appliances or distributions

  • Phishing awareness and reporting

    • Firewall appliances or distributions

      • Gophish - Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.
  • Preparedness training and wargaming

    • Firewall appliances or distributions

      • Atomic Red Team - Library of simple, automatable tests to execute for testing security controls.
      • BadBlood - Fills a test (non-production) Windows Domain with data that enables security analysts and engineers to practice using tools to gain an understanding and prescribe to securing Active Directory.
  • Security monitoring

    • Endpoint Detection and Response (EDR)

      • Wazuh - Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.
    • Network Security Monitoring (NSM)

      • awesome-pcaptools
      • OwlH - Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.
      • Snort - Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.
      • Suricata - Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.
      • Zeek - Powerful network analysis framework focused on security monitoring, formerly known as Bro.
      • netsniff-ng - Free and fast GNU/Linux networking toolkit with numerous utilities such as a connection tracking tool (`flowtop`), traffic generator (`trafgen`), and autonomous system (AS) trace route utility (`astraceroute`).
    • Security Information and Event Management (SIEM)

      • Prelude SIEM OSS - Open source, agentless SIEM with a long history and several commercial variants featuring security event collection, normalization, and alerting from arbitrary log input and numerous popular monitoring tools.
    • Service and performance monitoring

      • Icinga - Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.
      • Locust - Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.
      • Zabbix - Mature, enterprise-level platform to monitor large-scale IT environments.
  • Threat intelligence

    • Threat hunting

  • Transport-layer defenses

    • Threat signature packages and collections

      • Certbot - Free tool to automate the issuance and renewal of TLS certificates from the [LetsEncrypt Root CA](https://letsencrypt.org/) with plugins that configure various Web and e-mail server software.
      • OpenVPN - Open source, SSL/TLS-based virtual private network (VPN).
  • Windows-based defenses

    • Threat signature packages and collections

      • awesome-windows#security - windows-domain-hardening](https://github.com/PaulSec/awesome-windows-domain-hardening).
      • Sandboxie - Free and open source general purpose Windows application sandboxing utility.