@mdenzel
Last active September 6, 2023 08:16
Open-source tools to build a SOC

Low-Budget SOC

I always get complaints from my customers that security is expensive.

So this is an attempt to create a Security Operations Center (SOC) on a budget.

I assume a server and security personnel are available (without people, there's no company...).

| Product | Open Source Tools |
| --- | --- |
| Firewall | pfSense [1], iptables [2] |
| Antivirus | (ClamAV [3]) |
| Vulnscanner | OpenVAS [4] |
| SIEM/HIDS | ELK [5], Wazuh [6] |
| Sandbox | cuckoo [7] |
| Ticket-Tool | osTicket [8], uvdesk [9] |
| Threat-Intel | MISP [10] |
| Incident Response | velociraptor [11], Cortex/TheHive [12] |
| Acquisition | Kansa [13], LinuxTriage [14] |
| HD-Forensics | Autopsy [15], log2timeline [16] |
| RAM-Forensics | volatility [17], LiME [18], winpmem [19] |
| NIDS | SecurityOnion [20], Zeek [21], Suricata [22] |
| Reversing | radare2 [23], cutter [24], Ghidra [25], Manalyze [26] |
| Honeypot | T-Pot [27], Cowrie [28], Dionaea [29] |
| Asset-Database | snipe-it [30] |

Conclusion

ClamAV lacks up-to-date signatures and usually lags a bit behind commercial antivirus solutions. However, most companies already have an antivirus, and Windows environments ship with Windows Defender.

Apart from the antivirus, all tools needed to run a SOC (and to have halfway decent security) are available as free and open-source software.

References

[1] https://github.com/pfsense/pfsense

[2] https://git.netfilter.org/iptables/ (or in any Linux distribution)

[3] https://github.com/Cisco-Talos/clamav

[4] https://github.com/greenbone/openvas-scanner

[5] https://github.com/elastic/elasticsearch, https://github.com/elastic/logstash, https://github.com/elastic/kibana

[6] https://github.com/wazuh/wazuh

[7] https://github.com/cuckoosandbox/cuckoo

[8] https://github.com/osTicket/osTicket

[9] https://github.com/uvdesk/community-skeleton

[10] https://github.com/MISP/MISP

[11] https://github.com/Velocidex/velociraptor

[12] https://github.com/TheHive-Project/Cortex, https://github.com/TheHive-Project/TheHive

[13] https://github.com/davehull/Kansa

[14] https://github.com/Recruit-CSIRT/LinuxTriage

[15] https://github.com/sleuthkit/autopsy

[16] https://github.com/log2timeline/plaso

[17] https://github.com/volatilityfoundation/volatility3

[18] https://github.com/504ensicsLabs/LiME

[19] https://github.com/Velocidex/WinPmem

[20] https://github.com/Security-Onion-Solutions/securityonion

[21] https://github.com/zeek/zeek

[22] https://github.com/OISF/suricata

[23] https://github.com/radareorg/radare2

[24] https://github.com/rizinorg/cutter.re

[25] https://github.com/NationalSecurityAgency/ghidra

[26] https://github.com/JusticeRage/Manalyze

[27] https://github.com/telekom-security/tpotce

[28] https://github.com/cowrie/cowrie

[29] https://github.com/DinoTools/dionaea

[30] https://github.com/snipe/snipe-it
