藍隊防禦工具蠻多的，順手整理一下，在CDM上建議各類型都評估有沒有一項相對應的產品

Vulnerability Scanner

• NMAP
  • 輕量系統弱掃工具
  • 對應商用產品Nessus
  • https://nmap.org/
• OpenVAS
  • 弱掃平台
  • 報表、資產NMAP較完整
  • 對應商用產品Tenable
  • https://www.openvas.org/

Endpoint (HIDS/EDR)

• Sysmon
  • 被微軟收購的輕量軟體，增加更多EventLog內容，廣義上的EDR
  • https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
  • 商用產品也常用這個工具
• OSquery
  • FB開源的
  • https://osquery.io/
• OSSEC
  • 日誌分析、完整性檢查、Windows 註冊表監控、rootkit檢測
  • https://www.ossec.net/
• Velocidex
  • 近期較成熟的專案，比較偏實時採證鑑識Digital Forensic and Incident Response (DFIR)
  • https://docs.velociraptor.app/

Malware

• ClamAV
  • 老牌防毒，舊Linux常常只有他能安裝
  • https://www.clamav.net/
• Yara Rule
  • 針對惡意軟體特徵寫成Yara Rule，供分享給資安產品掃描偵測用
  • https://virustotal.github.io/yara/
• Cuckoo Sandbox
  • 沙箱
  • https://cuckoosandbox.org/
• Ghidra
  • 美國國家安全局開發用來逆向工程的工具
  • https://ghidra-sre.org/

Network (IDS/IPS/NDR)

需要加解密設備才能發揮效果

• Snort
  • 入侵防禦系統，依靠撰寫snort rule偵測封包特徵
  • https://www.snort.org/
• Suricata
  • 較舊版Snort多線程
  • https://suricata.io/
• Bro/Zeek
  • 相較於Snort/Suricata這些Rule base偵測，比較偏紀錄網路行為
  • https://zeek.org/
  • 延伸 https://corelight.com/about-zeek/zeek-data
• Moloch/Arkime
  • 封包擷取
  • https://arkime.com/

Web Proxy

• Squid
  • 主要用途是做企業內部上網的緩存代理伺服器，不過Web proxy用來防一些網頁攻擊相當有效
  • 對應商用產品Forcepoint
  • https://github.com/squid-cache/squid

Training/模擬

• Atomic

  • Atomic Red Team™ 是一個映射到 MITRE ATT&CK®框架的測試庫。安全團隊可以使用 Atomic Red Team 快速、可移植且可重複地測試他們的環境。
  • https://github.com/redcanaryco/atomic-red-team

• DetectionLab

  • 檢測實驗室
  • https://github.com/clong/DetectionLab

HoneyPot

• OpenCanary
  • https://opencanary.readthedocs.io/en/latest/
• Canarytoken
  • https://canarytokens.org/generate
• Cowrie
  • https://github.com/cowrie/cowrie

Else

• Wazuh

  • The Open Source Security Platform
  • 搭配OSSEC的SIEM 平台
  • https://wazuh.com/

• Security Onion

  • 搭配Snort/Suricata/Zeek... 的SIEM平台 (資源要求很高)
  • https://securityonionsolutions.com/

• MISP (Malware Information Sharing Platform)

  • 開源威脅情報平台
  • https://www.misp-project.org/

• TheHive

  • A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP
  • https://thehive-project.org/

• Sigma

  • Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
  • https://github.com/SigmaHQ/sigma

REF

How to Automate Cyber Defense Without Paying a Dime
https://crft.app/blog/how-to-automate-cyber-defense-without-paying-a-dime/

open-source-tools-blue-team
https://hackertarget.com/download/open-source-tools-blue-team.pdf

https://samsclass.info/152/FSIR2021-CCSF.htm

Cyber Defense Matrix: Reloaded
https://www.slideshare.net/sounilyu/cyber-defense-matrix-reloaded