Unified NIDS Management

An open source project to easily Visualize and Manage Suricata and BroIDS at scale.


OwlH was created to help security engineers manage, analyse and respond to threat detections from open-source network IDSs (Suricata and Bro IDS), offering:

  • Centralized Rule and Network IDS nodes Configuration Management
  • Software TAP for cloud environments: capture and analyze traffic in cloud environments or on remote servers
  • Centralized Visualization, Big Data Storage and Collection
  • Compliance Mapping and Dashboards
  • Cloud Network IDS support and on-demand capture
  • Incident Response Automation

Current - v0.4 - what are we working on?

Software TAP for AWS and GCLOUD

- GCLOUD and AWS support

- Continuous Monitoring

- Suricata and Bro support

- TcpReplay for PCAP injection

- OwlH Master Orchestration

- Suricata and Bro ready


Network IDS management

- Suricata and Bro IDS support

- Centralized Management

- Ruleset and Policies Management

- Network Interface, Kernel and NIDS Fine Tuning

- Network IDS dashboards (Kibana)

- Integration with ELK and other 3rd party Storage/Visualization Solutions

- Incident Response


Suricata and Bro Integration with WAZUH

- Single pane of glass for HIDS and NIDS alerts

- Suricata and Bro alerts integrated in Wazuh

- Network IDS dashboards

See our documentation

PCI-DSS mapping for Network IDS Alerts

- NIDS ET rules and PCI-DSS v3.2 mapping

- Demonstration of controls 11.4 and 10.8

- Customization of the rule-to-environment and PCI control mapping


On-Demand traffic capture

- Run traffic capture on-demand

- Run after an incident is detected to provide forensic info

- Define Traffic capture parameters like:

  • Time to capture
  • Capture Size
  • Target Traffic using BPF filters

- Run in your Network IDS on-premises or Cloud

- Send captured traffic to forensic storage:

  • Local
  • Cloud (AWS, GCLOUD)


Buffered Traffic Capture for Incident Forensics

- Define the targets that you want to monitor

- Define the buffer size for pre-incident traffic

  • Captured traffic is continuously sent to the buffer in real time
  • Traffic older than the buffer size/time limit is discarded

- Define the incident rule that will trigger a full traffic capture

- The full capture includes the buffered pre-incident traffic plus the post-incident traffic
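As an added illustration of the buffered-capture flow described above (example code, not OwlH's own implementation): a pre-incident ring buffer bounded by both age and size, frozen into a full capture when an incident rule fires, with post-incident packets appended for a fixed window. Timestamps and packet payloads are constructed sample values.

```python
from collections import deque


class IncidentCapture:
    """Pre-incident ring buffer plus post-incident full capture.

    Packets are (timestamp_seconds, payload_bytes) tuples. Timestamps are
    constructed sample values, not a live capture.
    """

    def __init__(self, buffer_seconds, buffer_bytes, post_incident_seconds):
        self.buffer_seconds = buffer_seconds
        self.buffer_bytes = buffer_bytes
        self.post_incident_seconds = post_incident_seconds
        self.buffer = deque()          # pre-incident traffic, oldest first
        self.buffered_bytes = 0
        self.full_capture = None       # becomes a list once an incident fires
        self.capture_until = None

    def _evict(self, now):
        # Discard traffic older than the buffer window or beyond the size cap.
        while self.buffer and (now - self.buffer[0][0] > self.buffer_seconds
                               or self.buffered_bytes > self.buffer_bytes):
            _, pkt = self.buffer.popleft()
            self.buffered_bytes -= len(pkt)

    def packet(self, ts, pkt):
        """Feed one captured packet; True if it went to the full capture."""
        if self.full_capture is not None:
            if ts <= self.capture_until:
                self.full_capture.append((ts, pkt))
                return True
            return False               # post-incident window has closed
        self.buffer.append((ts, pkt))
        self.buffered_bytes += len(pkt)
        self._evict(ts)
        return False

    def incident(self, ts):
        """An IDS alert fired: freeze the buffer into a full capture."""
        self._evict(ts)
        self.full_capture = list(self.buffer)
        self.buffer.clear()
        self.buffered_bytes = 0
        self.capture_until = ts + self.post_incident_seconds
        return len(self.full_capture)

    def forensic_packets(self):
        """Packets that would be written to forensic storage."""
        return list(self.full_capture or [])
```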


Using eBPF for Network & Host IDS alert enrichment:

Network IDS Alert + System Process details enrichment

- Network IDS traffic analysis and alerting

- Using eBPF on the host for:

  • OwlH: host traffic capture and related service details
  • Wazuh: host IDS alerts with process details

- Network IDS alert enrichment with process details