Tom<p>I'm looking for <a href="https://bonequest.net/tags/OSSec" class="mention hashtag" rel="tag">#<span>OSSec</span></a> guidance. I remember when <a href="https://bonequest.net/tags/tripwire" class="mention hashtag" rel="tag">#<span>tripwire</span></a> was suggested for detecting <a href="https://bonequest.net/tags/rootkits" class="mention hashtag" rel="tag">#<span>rootkits</span></a>, but there are so many options, with <a href="https://bonequest.net/tags/Zeek" class="mention hashtag" rel="tag">#<span>Zeek</span></a> and <a href="https://bonequest.net/tags/Maltrail" class="mention hashtag" rel="tag">#<span>Maltrail</span></a>. <a href="https://bonequest.net/tags/HIDS" class="mention hashtag" rel="tag">#<span>HIDS</span></a> <a href="https://bonequest.net/tags/IntrusionDetection" class="mention hashtag" rel="tag">#<span>IntrusionDetection</span></a></p><p>I thought OSSEC with the GUI looked nice, especially if there was a central monitoring server that agents could report to. Zeek looks more like that but looks like it may have to sit at the router, which is annoying, and doesn't detect rootkits at all. My end goal is preventing SIP phone fraud.</p><p><a href="https://linuxsecurity.expert/tools/samhain/alternatives/" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://</span><span class="ellipsis">linuxsecurity.expert/tools/sam</span><span class="invisible">hain/alternatives/</span></a></p>