Intrusion Detection Products

Product Name


AnaDisk (Sydex)

Search, analyze and copy almost any kind of diskette without regard to type or format. Edit diskette data sector by sector or perform a diagnostic read of a specified diskette track. "Dump" data from a selected range of tracks into a DOS file so that you can examine and manipulate data from non-DOS diskettes. A date- and time-stamped Audit Trail maintains a record of all AnaDisk (LE) operations during a session.

Anzen Flight Jacket (Anzen Computing)

A user-programmable, real-time network monitoring system for intrusion detection and traffic analysis. Anzen Flight Jacket (AFJ) passively examines network traffic, identifying attacks, probes, and other anomalous events in real-time. AFJ's distributed architecture allows for centralized management of remote sensors deployed throughout an enterprise network.

AuditTrack for Netware (WebTrends)

A NetWare Loadable Module (NLM) that installs within minutes on any Novell 3.x, 4.x or 5.0 server. AuditTrack monitors activity at the server and provides complete auditing and reporting functionality that captures all server.

Authd (CERIAS)

Free authentication server daemon software. Makes it easier to trace attackers.

BlackICE Defender (NetworkICE)

A sophisticated application that is designed to run on every PC in your extended enterprise, detecting and protecting your most valuable asset - information.  BlackICE silently monitors communications between your computer and the network.   When suspicious activity occurs, BlackICE immediately springs into action defending your computer, your data, and your business.

bv-LifeLine (BindView Development)

Designed with your worst nightmare in mind. Every aspect of the bv-LifeLine architecture assumes that every other system will fail. If a bv-LifeLine server goes down, the High Availability solution switches to a redundant server.  Not a single notification loses precious time in the escalation, notification, and response process.

Centrax (CyberSafe)

A complete intrusion detection suite that integrates network and host-based intrusion detection, vulnerability assessment, and audit policy management into a single, easy-to-use package. Centrax provides the most effective balance between network and host technologies, providing maximum protection against all threats to an enterprise. The system also includes vulnerability analysis and policy management to complete its comprehensive detection and response capability.

Check Point RealSecure (Check Point Software Technologies)

Unobtrusively analyzes packets of information as they travel across your enterprise network. It recognizes a wide variety of traffic patterns that indicate hostile activity or misuse of network resources, including network attacks and malicious Java™ and ActiveX™ applets. The RealSecure attack recognition engine immediately alerts network managers and administrators of any suspicious activity, logs the session, and can automatically terminate the connection. Events are classified and summarized in order of priority, enabling you to assess conditions at a glance. You can play back sessions at any time for further evaluation or for use as criminal evidence.

Cisco Secure IDS (Cicso Systems)

An enterprise-scale, real-time, intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network. The industry's first intrusion detection system, The Cisco Secure Intrusion Detection System is the dynamic security component of Cisco's end-to-end security product line.


Free software that detects suspicious network activity.

CMDS Computer Misuse Detection System (

Automatically collects and analyzes data from your devices recognizing over 4,600 different alerts and events. CMDS Enterprise's Analysis Engine combines a powerful expert system and statistical profiling engine that can process gigabytes of event log data per day. Imagine not having to review your audit logs again.

CRCMd5 Data Validation Tool (New Technologies)

This program mathematically creates a unique signature for the contents of one, multiple or all files on a given storage device. Such signatures can be used to identify whether or not the contents of one or more computer files have changed. This tool relies upon 128 bit accuracy and can easily be run from a floppy diskette to benchmark the files on a specific storage device, e.g. floppy diskette, hard disk drive and/or zip disk. This tool can be used as the first step in the implementation of a configuration management policy. Such a policy and related system bench marking can aid computer specialists isolate problems and deal with computer incidents after they occur. The program is also used to document that computer evidence has not been altered or modified during computer evidence processing.

CyberCop Monitor NT (PGP)

Real-time detection agent with a multi-tiered monitoring architecture. Inbound network traffic is monitored along with system events and log file activities providing a single solution with twice the protection.

CyberCop Monitor Solaris (PGP)

System based IDS that has the ability to detect network reconnaissance stealth port scanning over many months, warning against even the most determined attacks. CyberCop Monitor's unique system based Intrusion Detection architecture provides both real-time packet analysis and system event analysis. Advanced security features include the detection and alerting of attacks destined not only to the system it is trying to protect, but also when that system is being used as a "jumping off point" to launch attacks against other network assets. Monitor's C2 auditing capabilities produce a more detailed audit report and can create audit logs by user, event and class to integrate with the Solaris Basic Security Mode (BSM) functionality. This capability enables powerful logging of events down to the system call level to counter even the most skillful system misuse.

CyberCop Scanner (PGP)

Allows you to quickly scan and evaluate multiple security scenarios that enable e-business using comprehensive "real-world" resolution data to fix these holes. CyberCop scanner offers a powerful architecture with comprehensive security data, together in a streamlined package that makes e-business security certain.

CyberCop Sting (PGP)

Provides an additional information-gathering device to combat snooping on your network. Found only on your network by running profiling techniques and attack tools, CyberCop Sting appears an enticing target to snoops that normal users would otherwise overlook. Whether the attacks come from inside or outside of your network, CyberCop Sting logs intrusive behavior using advanced analysis tools to collect and log evidence of attack source and techniques.

DesktopSentry (CERIAS)

Free software to allow a Windows NT web surfer to detect when a remote connection is attempted.

DigitalTaggants (IEC)

An intelligent digital identification system. This watermarking system, is transparent to the user and cannot be extracted from the original document or any subsequent generations! It is transparent and requires no special involvement from the end-user.

DiskSearch (New Technologies)

Used to quickly find and document the occurrence of strings of text stored on computer storage devices.

Dragon Sensor (Network Security Wizards)

Watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies. When it observes an event, the Dragon Sensor can send pages, email messages, take action to stop the event and record it for future forensic analysis.

Entercept (ClickNet Software)

Provides proactive, real-time, host based Intrusion Prevention. entercept's intelligent self contained agents are distributed across the network providing host protection for NT and Solaris Servers, and NT Workstations enabling companies to securely deploy e-commerce and e-business solutions.

eTrust Internet Defense (Computer Associates)

Delivers state-of-the-art network protection including protection against the deployment and execution of Distributed Denial of Service attacks - an essential capability at a time when networks are susceptible to an increasingly sophisticated array of attacks. A truly comprehensive solution, eTrust Intrusion Detection includes an integrated anti-virus engine with automatic signature updates.

ForensicToolkit (CERIAS)

Free anti-tampering software for Windows NT. The Forensic ToolKit contains several Win32 Command line tools that can help you examine the files on a NTFS disk partition for unauthorized activity.

Gabriel (Los Altos Technologies)

Free port scan detection software. As a public service, Los Altos Technologies, a provider of UNIX system security software, has developed and released Gabriel (TM), a SATAN detector. Gabriel gives the system administrator an early warning of possible network intrusions by detecting and identifying network probing. Gabriel is complete and ready to run. Los Altos Technologies is providing Gabriel to its customers and anyone else who wishes to use it at no charge. It is expected that any future updates, enhancements, and revisions will come from the users.

HP Openview Node Sentry (Hewlett-Packard)

Looks continuously for patterns of misuse. It examines packet headers and data looking for "attack" signatures. And when it finds violations, it raises alarms and removes the offender from the network. And it does so in a way that is transparent to authorized users. With HP OpenView Node Sentry, your network is protected from a wide range of denial of service attacks, webserver vulnerabilities, e-mail attacks, as well as security policy violations.

HP-Tcpdump (CERIAS)

Free packet sniffing tool.

ICEcap (NetworkICE)

Complete security management solution. Features: ICEcap management console centralizes information from BlackICE and ICEscan agents distributed on your network. Review suspicious events across your entire network to spot trends or scans from outsiders. Sophisticated web page user-interface requires no special client-side application installation, only a standard web browser. ICEcap includes its own, secure web server. The ICEcap web services do not interfere with other web services. Generate standard reports or create custom reports to meet your needs.  Powerful device targeting feature allows you to define areas of your network regardless of subnet or location. Flexible policy editor allows you to establish alert priorities and thresholds for reporting and analyzing attacks and vulnerabilities. Fully automatic and customizable pager or e-mail alerts. Automatically propagate defense alerts to BlackICE agents preventing hackers from attacking other systems. Integrates with Microsoft SQL Server 6.5 - 7.0 or Microsoft Access. Open database source allows you to develop your own applications or reports to retrieve information from the ICEcap database. Create multiple reporting accounts to categorize areas of your network for isolated reporting and analysis.

ICEpac (NetworkICE)

Comprehensive suite of Network ICE products.  ICEpac is ideal for any network large or small that needs complete intrusion detection and protection. ICEpac includes the following products: BlackICE Pro: Intrusion detection, monitoring and protection for network workstations. BlackICE Sentry: Intrusion detection and monitoring for non-Windows based systems. ICEcap: Management and information console providing enterprise-wide view of network security. InstallPac: Automatically "pushes" a silent copy of BlackICE Pro on to any Windows-based system on your network.

iD2 Secure Transport (iD2 Technologies)

Allows an organisation to monitor user activity on a local network. With the software installed on a customer or employee PC, the user can be identified to the corporate network as they log-on and access applications and files. iD2 Secure Transport uses the standard client authentication procedure in the SSL protocol.

Ifstatus (CERIAS)

Free interface status monitoring software. Ifstatus checks all network interfaces on the system, and reports any that are in debug or promiscuous mode, which may be a sign of unauthorized access to the system.

Intruder Alert (Axent Technologies)

Monitors systems and networks in real-time to detect security breaches and suspicious activities and will respond automatically according to your established security policy. It works across your entire enterprise including LANs, WANs, intranets and the Internet.

Incident Manager (Strohl Systems)

Organizes all essential recovery details electronically and is designed to help you manage your recovery more effectively by replacing chalkboards, grease boards, flipcharts, and paper updates. You can also use Incident Manager to test the viability of your plans and make necessary adjustments prior to a real-life business disruption. to test the viability of your plans and make necessary adjustments prior to a real-life business disruption.

IP-Watcher (En Garde Systems)

A network security and administration tool which gives the user the ability to monitor and control any login session on his or her network. This makes IP-Watcher an extremely valuable tool for investigating suspicious activity, obtaining evidence of misuse, and even for stopping malicious users before they do any damage.

Kane Security Monitor (

A 24-hour burglar alarm for Windows NT. The KSM continuously reviews and analyzes NT security event logs on hundreds of NT servers and workstations. Using artificial intelligence, the KSM spots obvious violations, such as multiple login failures and can also determine more subtle irregularities in user behavior that can indicate a masquerading user or other potential troublemaker. The KSM alerts the security administrator in real-time via audible alarm, email, pager or other interactive technology.

Klaxon (CERIAS)

Free software to detect port scanner attacks.


Free software to list open files on a UNIX system.

Lucent RealSecure (Lucent Technologies)

Unobtrusively monitors network traffic and responds to suspicious activity instantlyóbefore your network is compromised. Key Benefits: Intercepts and responds to security breaches, from outside or inside the network, before the network is compromised. Terminates, logs or records unauthorized or suspicious activity, and alerts administrators immediately via email, direct page, syslog, SNMP trap, or console message. Recognizes Windows network, email, Web, probing, denial of service and popular service attacks, as well as, FTP exploits and unauthorized network traffic.

Netlog (CERIAS)

Free tool for locating suspicious network traffic, developed at Texas A&M University.

NetProwler (Axent Technologies)

Provides dynamic network intrusion detection that transparently examines network traffic to instantly identify, log and terminate unauthorized use, misuse and abuse of computer systems by internal saboteurs and external hackers. Itís patent-pending SDSI™ virtual processor enable immediate deployment of customized attack signatures to terminate even the most sophisticated security violations.

Network Flight Recorder (Network Flight Recorder)

Captures several types of in-flight network activity. May be used for intrusion detection or computer forensics.

Network Traffic Control (Ashley Laurent)

Standard Edition Features: Allows real-time Activity Tracking by Remote User, Branch Office, or Intranet Host; Allows long term Logging and Archiving according to specific schedules, based on time of day and between specific dates; Includes real-time intrusion detection system which shows the sources and types of Internet Attacks; Includes real-time external access monitor, which shows when internal users are going to unauthorized sites; Includes customizable reports that can print the logging information in various formats.

Patriot IDS (Patriot Technologies)

Real-time network attack recognition and response system. Designed for maximum intrusion detection performance, superior security, and turnkey operations, Patriotís IDS provides the ultimate intrusion detection appliance. Powered by the "best of breed" Intel components and Internet Security Systemsí RealSecure software, Patriotís IDS offers the highest level of protection for your network. The Patriot IDS consists of two components: the Network IDS Console, and the Network IDS Engines.

Peek & Spy (Networking Dynamics)

PEEK & SPY lets a privileged user see exactly what is on another user's terminal and then permits him to either take control of that terminal to fix the problem from his own or let the user have control while he gives any needed instructions. If the PEEK & SPY user chooses to fix it himself, his input can be displayed on the user's screen to show him/her how it was fixed. Now system managers can solve user problems (especially remote ones) without having to go to the user to solve them. Where PEEK informs users they are being watched, SPY doesn't. In addition, SPY gives system managers documented proof of security breaches and provides a tool to lock out unauthorized users. 

Pr0filer (IEC)

Positioned to fulfill two very distinct goals. 1. To produce a publicly accessible enemy profiling database. 2. To refine the techniques for analyzing and rating said data.

RealSecure (ISS)

Integrated network- and host-based intrusion detection and response system. This maximum level of around-the-clock surveillance extends unobtrusively across the enterprise, allowing administrators to automatically monitor network traffic and host logs, detect and respond to suspicious activity, and intercept and respond to internal or external host and network abuse before systems are compromised.

Review (CERIAS)

Free software used to examine tcpdump packet logs.

SafeBack (Sydex)

Create mirror-image backup files of hard disks or make a mirror-image copy of an entire hard disk or partition. Backup image files can be written to any writable magnetic storage device, including SCSI tape backup units. SafeBack preserves all the data on a backed-up or copied hard disk, including inactive or "deleted" data. Cyclical redundancy checksums (CRCs) distributed throughout the backup process enforce the integrity of backup copies. Backup image files can be restored to another system's hard disk. Remote operation via parallel port connection allows the hard disk on a remote PC to be read or written by the master system. A date- and time-stamped audit trail maintains a record of SafeBack operations during a session.

SAM Real Secure (Schumann Security Software)

An automated, real-time intrusion detection and response system for computer networks. SAM/RS provides around-the-clock network surveillance and enables customers to automatically intercept and respond to security breaches and internal network abuse before systems are compromised. SAM/RS unobtrusively monitors network traffic and automatically detects and responds to suspicious activity to provide maximum levels of security across the enterprise.

SCORPIAN (EnsureTek)

Provide any organizations with the ability to effectively and efficiently document, respond to, and investigate any corporate incident. From simple employee policy violations to complex financial fraud and high-tech investigations, SCORPIAN allows for the secure storing, sharing, and analysis of the highly sensitive information involved with these issues. Also, the Digital Notary Services that have been integrated into SCORPIAN will provide your organization with the irrefutable means necessary to prove in the court of law that electronic evidence was confiscated when claimed and not altered since.

Sentry (CERIAS)

Free port scanning detection software.

SilentRunner (SilentRunner)

Network security solution specifically designed to address the insider threat. A passive network discovery LAN engine, consisting of ten major modules, permits the user to view in real-time network topology and activity levels, display individual terminal activity, create and execute Boolean logic alerts and sort and process network data for further detailed visualization and analysis.

SMARTWatch (WetStone Technologies)

Actively monitors a Windows computer system. With SMART Watch, changes to watched resources are detected and reported instantly. While other change detection techniques are based on polling, or must be integrated into the system's scheduler, SMART Watch's self contained, silent operation actually wakes up when a change in the file system is detected. These operating system level changes tell SMART Watch when to verify if a resource is still intact. If a resource has changed or been deleted, SMART Watch can respond within milliseconds. In the case of a file modification or deletion, SMART Watch can actually restore the content of that file immediately! SMART Watch is not just a change detection tool.

Snort (Snort)

Freeware lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.

Tcpdump (CERIAS)

Free Internet trace capability software.

Tcp_wrappers (CERIAS)

Free intrusion detection software. With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

TextSearch Plus (New Technologies)

TextSearch Plus was specifically designed and enhanced for speed and accuracy in security reviews. This software is used to quickly search hard disk drives, zip disks and floppy diskettes for key words or specific patterns of text. It operates at either a logical or physical level at the option of the user.

Tivoli Cross Site for Security (IBM)

A network-based intrusion detection product that detects, logs and responds to intrusion attempts in realtime. The Tivoli Cross-Site for Security product can protect against the latest varieties of hacker attempts, such as denial of service, port scanning and attacks specific to application services, including telnet, FTP and DNS.

Tklogger (CERIAS)

Free log monitoring software. This is a program that watches log files for certain events and displays them according to certain simple rules in a priority or a normal window.

Tocsin (CERIAS)

Free port-scanning detection software.

Tripwire (Tripwire Security Systems)

Used to build infrastructures of trust in organizations needing assurance that unintentional changes or an unauthorized party has not compromised their critical systems. Tripwire's proven Integrity Assessment (IA) technology gives users the confidence that their systems are the same today as they were yesterday.

T-sight (En Garde Systems)

Manual intrusion detection system. Based on the fact that an intruder must establish connections with other computers to accomplish his or her goal. These connections are an intruder's footprints, and the best way to catch the intruder is to have an advanced visualization of those footprints. With T-sight, you are able to monitor all your network connections (i.e. traffic) in real time and can observe not only when suspicious activity takes place, but the composition of that activity.

TTY-Watcher (CERIAS)

Free user monitoring software.

Vanguard Enforcer (Vanguard Integrity Professionals)

Monitors the security systems and facilities that protect critical data and other resources on your mainframe 24 hours a day seven days a week. Enforcer makes certain that the standards, policies, rules and settings defined by your security experts are in force and stay in force. With Vanguard Enforcer, you will never have to wonder whether the security implementation on your mainframe is protecting your critical resources effectively. This technology ensures that security on your mainframe systems continuously adheres to "best practices" standards and your own security policies.

Veracity (Rocksoft)

A data integrity security tool that provides multiplatform enterprise-wide in-depth security.

ViewDisk (Sydex)

Find hidden or deleted data on computer diskettes regardless of format. ViewDisk analyzes diskettes for content and consistency, checking for instances where a file extension may not be consistent with actual file type. Search any diskette by user-defined values, print data on a physical sector or file basis, and copy almost any kind of diskette without regard to format or type. To guard against accidental tampering with data, ViewDisk requires that scanned diskettes be write-protected. A date- and time-stamped Audit Trail maintains a record of all ViewDisk operations during a session.


"Honey pot" intrusion detection system. Can emulate any existing network. Has active discovery capabilities. Has rapid response capabilities. Provides a platform for network security simulations. Provided as a turnkey solution. Including all hardware, software and training. SANE™ certified for the support of AFIRM (IPSEC, ANSA and OPSEC support spec'd).