awesome-security
A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
https://github.com/sbilly/awesome-security
-
Big Data
-
Development
- hadoop-pcap - Hadoop library to read packet capture (PCAP) files.
- OpenSOC - OpenSOC integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
- Apache Spot (incubating) - Apache Spot is open source software for leveraging insights from flow and packet analysis.
- binarypig - Scalable Binary Data Extraction in Hadoop. Malware Processing and Analytics over Pig, Exploration through Django, Twitter Bootstrap, and Elasticsearch.
-
-
Blue Team Infrastructure Deployment
-
Development
- MutableSecurity - CLI program for automating the setup, configuration, and use of cybersecurity solutions.
-
-
Datastores
-
Online resources
- databunker - Databunker is an address book on steroids for storing personal data. GDPR and encryption are out of the box.
- passbolt - The password manager your team was waiting for. Free, open source, extensible, based on OpenPGP.
- acra - Database security suite: proxy for data protection with transparent "on the fly" data encryption, data masking and tokenization, SQL firewall (SQL injections prevention), intrusion detection system.
- blackbox - Safely store secrets in a VCS repo using GPG
- confidant - Stores secrets in AWS DynamoDB, encrypted at rest and integrates with IAM
- dotgpg - A tool for backing up and versioning your production secrets or shared passwords securely and easily.
- redoctober - Server for two-man rule style file encryption and decryption.
- aws-vault - Store AWS credentials in the OSX Keychain or an encrypted file
- credstash - Store secrets using AWS KMS and DynamoDB
- chamber - Store secrets using AWS KMS and SSM Parameter Store
- Sops - An editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP.
- passpie - Multiplatform command-line password manager
- Vault - An encrypted datastore secure enough to hold environment and application secrets.
- LunaSec - Database for PII with automatic encryption/tokenization, sandboxed components for handling data, and centralized authorization controls.
-
-
DevOps
-
Development
- ansible-os-hardening - Ansible role for OS hardening
- Trivy - A simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for CI.
- Preflight - Helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems.
- Teller - A secrets management tool for devops and developers: manage secrets across multiple vaults and keystores from a single place.
- cve-ape - A non-intrusive CVE scanner for embedding in test and CI environments that can scan package lists and individual packages for existing CVEs via locally stored CVE database. Can also be used as an offline CVE scanner for e.g. OT/ICS.
- Selefra - An open-source policy-as-code software that provides analytics for multi-cloud and SaaS.
-
-
EBooks
-
Online resources
- Holistic Info-Sec for Web Developers - Free and downloadable book series with very broad and deep coverage of what Web Developers and DevOps Engineers need to know in order to create robust, reliable, maintainable and secure software, networks and other systems that are delivered continuously, on time, with no nasty surprises.
- Docker Security - Quick Reference: For DevOps Engineers - A book on understanding the Docker security defaults, how to improve them (theory and practical), along with many tools and techniques.
- How to Hack Like a Pornstar - A step by step process for breaking into a BANK, Sparc Flow, 2017
- How to Investigate Like a Rockstar - Live a real crisis to master the secrets of forensic analysis, Sparc Flow, 2017
- Real World Cryptography - This early-access book teaches you applied cryptographic techniques to understand and apply security at every level of your systems and applications.
- The Art of Network Penetration Testing - Book that is a hands-on guide to running your own penetration test on an enterprise network. (early access, published continuously, final release December 2020)
- Spring Boot in Practice - Book that is a practical guide which presents dozens of relevant scenarios in a convenient problem-solution-discussion format. (early access, published continuously, final release fall 2021)
- Self-Sovereign Identity - A book about how SSI empowers us to receive digitally-signed credentials, store them in private wallets, and securely prove our online identities. (early access, published continuously, final release fall 2021)
- Data Privacy - A book that teaches you to implement technical privacy solutions and tools at scale. (early access, published continuously, final release January 2022)
- Secret Key Cryptography - A book about cryptographic techniques and Secret Key methods. (early access, published continuously, final release Summer 2022)
- The Security Engineer Handbook - A short read that discusses the dos and don'ts of working in a security team, and the many tricks and tips that can help you in your day-to-day as a security engineer.
- Cyber Threat Hunting - Practical guide to cyber threat hunting.
- Edge Computing Technology and Applications - A book about the business and technical foundation you need to create your edge computing strategy.
- Spring Security in Action, Second Edition - A book about designing and developing Spring applications that are secure right from the start.
- Azure Security - A practical guide to the native security services of Microsoft Azure.
- Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities - Master secure coding in Node.js with real-world vulnerable dependencies and experience firsthand secure coding techniques against Path Traversal vulnerabilities.
- How to Hack Like a Legend - A hacker’s tale breaking into a secretive offshore company, Sparc Flow, 2018
- Grokking Web Application Security - A book about building web apps that are ready for and resilient to any attack.
- Node.js Secure Coding: Defending Against Command Injection Vulnerabilities - Learn secure coding conventions in Node.js by executing command injection attacks on real-world npm packages and analyzing vulnerable code.
- AWS Security - This early-access book covers common AWS security issues and best practices for access policies, data protection, auditing, continuous monitoring, and incident response.
- Cyber Security Career Guide - Kickstart a career in cyber security by learning how to adapt your existing technical and non-technical skills. (early access, published continuously, final release Summer 2022)
-
-
Endpoint
-
Anti-Virus / Anti-Malware
- Linux Malware Detect - A malware scanner for Linux designed around the threats faced in shared hosted environments.
- ClamAv - ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
- Fastfinder - Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules. Can easily be packed to be deployed on any Windows / Linux host.
- LOKI - Simple Indicators of Compromise and Incident Response Scanner
- rkhunter - A Rootkit Hunter for Linux
-
Authentication
- google-authenticator - The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth). These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238. [Tutorials: How to set up two-factor authentication for SSH login on Linux](http://xmodulo.com/two-factor-authentication-ssh-login-linux.html)
- Stegcloak - Securely assign Digital Authenticity to any written text
-
Configuration Management
- Fleet device management - Fleet is the lightweight, programmable telemetry platform for servers and workstations. Get comprehensive, customizable data from all your devices and operating systems.
-
Content Disarm & Reconstruct
- DocBleach - An open-source Content Disarm & Reconstruct software sanitizing Office, PDF and RTF Documents.
-
Forensics
- mig - MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security.
- grr - GRR Rapid Response is an incident response framework focused on remote live forensics.
- Volatility - Python based memory extraction and analysis framework.
- ir-rescue - *ir-rescue* is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
- Logdissect - CLI utility and Python API for analyzing log files and other data.
- Meerkat - PowerShell-based Windows artifact collection for threat hunting and incident response.
- Rekall - The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts from computer systems.
- Maigret - Maigret collects a dossier on a person by username only, checking for accounts on a huge number of sites and gathering all the available information from web pages.
- LiME - Linux Memory Extractor
-
Mobile / Android / iOS
- Themis - High-level multi-platform cryptographic framework for protecting sensitive data: secure messaging with forward secrecy and secure data storage (AES256GCM), suited for building end-to-end encrypted applications.
- dotPeek - Free-of-charge standalone tool based on ReSharper's bundled decompiler.
- SecMobi Wiki - A collection of mobile security resources, including articles, blogs, books, groups, projects, tools and conferences.
- OWASP Mobile Security Testing Guide - A comprehensive manual for mobile app security testing and reverse engineering.
- OSX Security Awesome - A collection of OSX and iOS security resources
- Mobile Security Wiki - A collection of mobile security resources.
- Apktool - A tool for reverse engineering Android apk files.
- jadx - Command line and GUI tools for producing Java source code from Android Dex and Apk files.
- enjarify - A tool for translating Dalvik bytecode to equivalent Java bytecode.
- Android Storage Extractor - A tool to extract local data storage of an Android application in one click.
- Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System.
- hardened_malloc - Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-based platforms. It will gain more portability / integration over time.
- AMExtractor - AMExtractor can dump out the physical content of your Android device even without kernel source code.
- frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
- UDcide - Android Malware Behavior Editor.
- reFlutter - Flutter Reverse Engineering Framework
-
-
Exploits & Payloads
-
Development
- PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF
-
-
Fraud prevention
-
Online resources
- FingerprintJS - Identifies browser and hybrid mobile application users even when they purge data storage. Allows you to detect account takeovers, account sharing and repeated malicious activity.
- FingerprintJS Android - Identifies Android application users even when they purge data storage. Allows you to detect account takeovers, account sharing and repeated malicious activity.
-
-
Network
-
Anti-Spam
- Spam Scanner - Anti-Spam Scanning Service and Anti-Spam API by [@niftylettuce](https://github.com/niftylettuce).
- SpamAssassin - A powerful and popular email spam filter employing a variety of detection techniques.
- rspamd - Fast, free and open-source spam filtering system.
-
Docker Images for Penetration Testing & Security
- official WPScan
- docker-metasploit
- Damn Vulnerable Web Application (DVWA)
- Vulnerability as a service: Shellshock
- Vulnerability as a service: Heartbleed
- Security Ninjas
- Docker Bench for Security
- OWASP Security Shepherd
- OWASP WebGoat Project docker image
- OWASP Mutillidae II Web Pen-Test Practice Application
- OWASP Juice Shop
- OWASP WrongSecrets
- Cyware Threat Response Docker
- official OWASP ZAP
- OWASP NodeGoat
- cicd-goat
-
Fast Packet Processing
- PACKET_MMAP/TPACKET/AF_PACKET - It's fine to use PACKET_MMAP to improve the performance of the capture and transmission process in Linux.
- netmap - netmap is a framework for high speed packet I/O. Together with its companion VALE software switch, it is implemented as a single kernel module and available for FreeBSD, Linux and now also Windows.
- PFQ - PFQ is a functional networking framework designed for the Linux operating system that allows efficient packets capture/transmission (10G and beyond), in-kernel functional processing and packets steering across sockets/end-points.
-
Firewall
- pfSense - Firewall and Router FreeBSD distribution.
- OPNsense - An open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
- fwknop - Protects ports via Single Packet Authorization in your firewall.
-
Full Packet Capture / Forensic
- tcpflow - tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows.
- Deepfence PacketStreamer - High-performance remote packet capture and collection tool, distributed tcpdump for cloud native environments.
- Moloch - Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly. Simple security is implemented by using HTTPS and HTTP digest password support or by using apache in front. Moloch is not meant to replace IDS engines but instead to work alongside them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic.
- OpenFPC - OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.
- Dshell - Dshell is a network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
- stenographer - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets.
-
Honey Pot / Honey Net
- Conpot - ICS/SCADA Honeypot. Conpot is a low-interaction server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to serve a custom human machine interface to increase the honeypot's attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.
- T-Pot Honeypot Distro - T-Pot is based on the network installer of Ubuntu Server 16/17.x LTS. The honeypot daemons as well as other support components being used have been containerized using docker. This allows us to run multiple honeypot daemons on the same network interface while maintaining a small footprint and constraining each honeypot within its own environment. Installation over vanilla Ubuntu - [T-Pot Autoinstall](https://github.com/dtag-dev-sec/t-pot-autoinstall) - This script will install T-Pot 16.04/17.10 on a fresh Ubuntu 16.04.x LTS (64bit). It is intended to be used on hosted servers, where an Ubuntu base image is given and there is no ability to install custom ISO images. Successfully tested on vanilla Ubuntu 16.04.3 in VMware.
- HoneyDrive - HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.
- HoneyPy - HoneyPy is a low to medium interaction honeypot. It is intended to be easy to: deploy, extend functionality with plugins, and apply custom configurations.
- Amun - Amun Python-based low-interaction Honeypot.
- Glastopf - Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: return the correct response to the attacker exploiting the web application.
- Kippo - Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
- HonSSH - HonSSH is a high-interaction Honey Pot solution. HonSSH will sit between an attacker and a honey pot, creating two separate SSH connections between them.
- Cuckoo Sandbox - Cuckoo Sandbox is an Open Source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.
- Kojoney - Kojoney is a low level interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.
-
IDS / IPS / Host IDS / Host IPS
- Snort - Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time".
- Zeek - Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
- Stealth - File integrity checker that leaves virtually no sediment. Controller runs from another machine, which makes it hard for an attacker to know that the file system is being checked at defined pseudo random intervals over SSH. Highly recommended for small to medium deployments.
- AIEngine - AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS (Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others.
- Lynis - an open source security auditing tool for Linux/Unix.
- Suricata - Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.
- zeek2es - An open source tool to convert Zeek logs to Elastic/OpenSearch. You can also output pure JSON from Zeek's TSV logs!
- sshwatch - IPS for SSH similar to DenyHosts written in Python. It can also gather information about the attacker during the attack in a log.
- SSHGuard - Software that protects services in addition to SSH, written in C.
- CrowdSec - CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on Fail2Ban's philosophy but is IPv6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once detected, you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IPs can be sent to CrowdSec for curation before being shared among all users to further strengthen the community.
- Denyhosts - Thwart SSH dictionary based attacks and brute force attacks.
- Fail2Ban - Scans log files and takes action on IPs that show malicious behavior.
- DrKeithJones.com - A blog on cyber security and network security monitoring.
-
Monitoring / Logging
- Falco - The cloud-native runtime security project and de facto Kubernetes threat detection engine now part of the CNCF.
- BoxyHQ - Open source API for security and compliance audit logging.
- justniffer - Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all "intercepted" files from the HTTP traffic.
- passivedns - A tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics. PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in-memory, limiting the amount of data in the logfile without losing the essence of the DNS answer.
- sagan - Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc).
- Fibratus - Fibratus is a tool for exploration and tracing of the Windows kernel. It is able to capture most of the Windows kernel activity - process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters or run the lightweight Python modules called filaments.
- opensnitch - OpenSnitch is a GNU/Linux port of the Little Snitch application firewall
- wazuh - Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of monitoring file system changes, system calls and inventory changes.
- Matano
- VAST - Open source security data pipeline engine for structured event data, supporting high-volume telemetry ingestion, compaction, and retrieval; purpose-built for security content execution, guided threat hunting, and large-scale investigation.
- Substation - Substation is a cloud native data pipeline and transformation toolkit written in Go.
- ngrep - ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
- Sigma2KQL - A repository of all SIGMA rules converted to KQL that runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository.
- Sigma2SPL - A repository of all SIGMA rules converted to SPL that runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository.
- TerraSigma - A repository of all SIGMA rules converted to Microsoft Sentinel Terraform Scheduled analytic resources. The repository runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository. Proper entity mapping is completed for the rules to ensure the repo is plug-and-play.
-
Network architecture
- Network-segmentation-cheat-sheet - This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.
-
Scanning / Pentesting
- Kali - Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), and Aircrack-ng (a software suite for penetration-testing wireless LANs).
- tsurugi - A heavily customized Linux distribution designed to support DFIR investigations, malware analysis and OSINT activities. It is based on Ubuntu 20.04 (64-bit with a 5.15.12 custom kernel).
- Anevicon - The most powerful UDP-based load generator, written in Rust.
- Metasploit Framework - A tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
- pig - A Linux packet crafting tool.
- Pompem - Pompem is an open source tool designed to automate the search for exploits in major databases. Developed in Python, it has an advanced search system, facilitating the work of pentesters and ethical hackers. In its current version, it performs searches in the databases Exploit-db, 1337day, Packetstorm Security...
- Finshir - A coroutines-driven Low & Slow traffic generator, written in Rust.
- Legion - Open source semi-automated discovery and reconnaissance network penetration testing framework.
- Sublist3r - Fast subdomains enumeration tool for penetration testers
- RustScan - Faster Nmap scanning with Rust. Take a 17 minute Nmap scan down to 19 seconds.
- Boofuzz - Fuzzing engine and fuzz testing framework.
- monsoon - Very flexible and fast interactive HTTP enumeration/fuzzing.
- Netz - Discover internet-wide misconfigurations, using zgrab2 and others.
- Deepfence ThreatMapper - Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.
- Deepfence SecretScanner - Find secrets and passwords in container images and file systems.
- Cognito Scanner - CLI tool to pentest Cognito AWS instance. It implements three attacks: unwanted account creation, account oracle and identity pool escalation
- Nmap - Nmap is a free and open source utility for network discovery and security auditing.
- Amass - Amass performs DNS subdomain enumeration by scraping the largest number of disparate data sources, recursive brute forcing, crawling of web archives, permuting and altering names, reverse DNS sweeping and other techniques.
- Lonkero - Enterprise-grade web vulnerability scanner with 60+ attack modules, built in Rust for penetration testing and security assessments.
- scapy - Scapy: the python-based interactive packet manipulation program & library.
-
Security Information & Event Management
- Prelude - Prelude is a Universal "Security Information & Event Management" (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".
- FIR - Fast Incident Response, a cybersecurity incident management platform.
- LogESP - Open Source SIEM (Security Information and Event Management system).
-