YARA
YARA is the pattern-matching Swiss Army knife for malware hunting, defining rules with hex/strings/regex to scan files or memory for IOCs like suspicious APIs or C2 domains. Write rules in its simple DSL, compile for fast scans via CLI, and integrate into scripts for automated threat detection. Open-source from VirusTotal, it's the rule crafter for pentesters templating signatures into repeatable hunts.

Sigma
Sigma is the cross-SIEM rule language for defining detection patterns in YAML, abstracting queries for logs like failed logons or beaconing to translate across tools without recoding. Craft rules for ATT&CK tactics, convert via CLI to Splunk/ELK formats, and test against samples for universal coverage. Open-source and community-maintained, it's the pattern port for analysts standardizing hunts across environments.

Snort
Snort is the network IDS with rule-based pattern matching for signatures like exploit payloads or anomalous ports, inspecting traffic in real time for alerts and logging. Edit rules in its text format, reload configs via CLI, and tune preprocessors for evasion resistance in scans. Open-source from Cisco, it's the packet patroller for network pentesters templating defenses into inline protection.

Suricata
Suricata is the high-performance NIDS with multi-threaded pattern matching via rules for protocols like HTTP or DNS, detecting anomalies with Lua scripting for custom logic. Load YAML rulesets, run in IDS mode for pcap scans, and output EVE JSON for SIEM feeds. Open-source from OISF, it's the protocol profiler for analysts matching threats in high-volume traffic.

OSSEC
OSSEC is the HIDS with regex-based log decoders for pattern matching on syslogs, auditing file changes or rootkit signs with decoder rules for normalized alerts. Configure rules in XML, deploy agents for endpoint scans, and query archives for incident timelines. Open-source from Atomicorp, it's the log listener for pentesters templating host-based detections into compliance watches.

Falco
Falco is the eBPF/auditd matcher for runtime patterns in containers, defining rules in YAML for syscalls like unauthorized mounts or crypto ops in K8s clusters. Tune thresholds for noise reduction, stream alerts to Kafka, and script extensions for custom behaviors. Open-source from Sysdig, it's the syscall sentinel for cloud pentesters pattern-matching threats in container drifts.

Wazuh
Wazuh is the SIEM extension with decoder rules for log patterns, matching anomalies like brute-force or fileless attacks across endpoints with decoders for 1000+ formats. Edit XML rules for custom signatures, integrate with Elastic for dashboards, and automate responses via active modules. Open-source fork of OSSEC, it's the decoder dynamo for analysts templating unified detections.

OSQuery
OSQuery is the SQL-powered endpoint query engine for pattern matching on processes, files, or network sockets, templating hunts with packs for scheduled anomaly detection. Write queries in its schema, run via CLI for ad-hoc scans, and export results to SIEMs for correlation. Open-source from Facebook, it's the endpoint interrogator for pentesters querying patterns across fleets.

Zeek (Bro)
Zeek is the network analysis framework with scriptable patterns for protocol behaviors, matching anomalies like unusual TLS handshakes or irregular HTTP activity in pcap streams. Define events in ZeekScript, replay captures for retro hunts, and output logs for integration. Open-source from Corelight, it's the protocol patterner for network forensics pros templating detections in traffic.

Ripgrep

