network IDS at scale

easily manage distributed IDS probes through dispersed traffic sources


an Open Source project to visualize and manage Suricata, Zeek & Moloch life cycles

OwlH summary

OwlH was born to help security engineers manage, analyze and respond to network threats and anomalies using the Open Source network IDS engines Suricata and Zeek, offering:

  • Centralized Rule and Network IDS nodes Configuration Management
  • Software TAP to capture cloud and distributed traffic in cloud and hybrid dispersed environments
  • Centralized Visualization and Forensics
  • Compliance Mapping

Current - v0.8.x

OwlH Components

OwlH NODE - REST API

Network IDS solutions

Suricata

Zeek

On-premises - Virtualized - Cloud

Plugins

Software TAP (STAP) Modes

Traffic Dispatcher

Threat Intelligence enrichment

Traffic Analysis

OwlH MASTER - REST API

Central Management

Multiple Nodes

Single point of management

Plugins

Traffic Forensics with Moloch

Traffic Dispatcher

Threat Intelligence enrichment

Traffic Analysis


OwlH UI

Nodes Management

Manage & Monitor

Open Rules - Ruleset management

Rulesets based on third-party providers

Custom Rulesets

Auto update rulesets

Collect & distribute traffic

Analyze and Enrich

Manage & Visualize

React and Document

Open Rules

Keep your Suricata network IDS probes updated so they can detect the latest threats.

Define multiple rulesets, and apply to a single probe or to a group of probes.

Keep all of them updated and synchronized.

Create and manage your threat detection toolset

Rulesets based on 3rd party providers

Integrate your favorite public or commercial ruleset feeds.

Define your schedule to automatically update them.

Custom Rulesets

Clone 3rd party rules and customize them.

Create and import your own custom single rules or custom rules files.
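The two customization steps described above (disabling feed rules you do not want, and cloning a third-party rule into a local copy with edited options while keeping its revision history clean) can be shown on Suricata rule text directly. The following is an added example written for this page, not OwlH code or part of its API: it parses Suricata rule lines from a constructed sample feed, disables rules by SID, clones a rule under a local SID with edited options, and renders the result as a rule file. Helper names (`parse_rules`, `build_custom_ruleset`, `render_ruleset`) and the sample SIDs are assumptions made for the example.

```python
"""Minimal Suricata ruleset customization helper (added example, not OwlH code).

Parses Suricata rule lines, disables rules by SID, clones third-party rules
into local copies with edited options, and renders the resulting ruleset.
"""
import re
from dataclasses import dataclass, replace

# Constructed sample of a third-party feed (not a real ruleset).
# SIDs 9000001-9000003 are made up for this example.
THIRD_PARTY_RULES = """\
# constructed sample feed
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; sid:9000001; rev:2; classtype:attempted-recon;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE suspicious UA"; http.user_agent; content:"sample-bot"; sid:9000002; rev:1;)
#alert dns any any -> any any (msg:"SAMPLE disabled upstream"; dns.query; content:"example.invalid"; sid:9000003; rev:1;)
"""

# A rule line: optional leading '#' (disabled), action, header, then "(options)".
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$'
)


def _option_match(options, name):
    """Locate 'name:value;' inside the option string (value is group 1)."""
    return re.search(r'(?:^|;)\s*' + re.escape(name) + r':\s*([^;]+);', options)


def set_option(options, name, value):
    """Replace an existing 'name:value;' option, or append it if absent."""
    m = _option_match(options, name)
    if m:
        return options[:m.start(1)] + value + options[m.end(1):]
    return options.rstrip() + f' {name}:{value};'


@dataclass
class Rule:
    action: str
    header: str
    options: str
    enabled: bool

    def option(self, name):
        m = _option_match(self.options, name)
        return m.group(1).strip() if m else None

    @property
    def sid(self):
        return int(self.option('sid'))

    @property
    def rev(self):
        return int(self.option('rev') or 1)

    def render(self):
        prefix = '' if self.enabled else '#'
        return f'{prefix}{self.action} {self.header} ({self.options})'


def parse_rules(text):
    """Parse rule lines; comments that are not commented-out rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m['action'], m['header'], m['options'],
                              enabled=m['disabled'] is None))
    return rules


def clone_with_edits(rule, new_sid, edits):
    """Clone a third-party rule under a local SID, apply option edits, reset rev to 1."""
    opts = rule.options
    for name, value in edits.items():
        opts = set_option(opts, name, value)
    opts = set_option(opts, 'sid', str(new_sid))
    opts = set_option(opts, 'rev', '1')
    return Rule(rule.action, rule.header, opts, enabled=True)


def build_custom_ruleset(rules, disable_sids=(), clones=None):
    """Disable listed SIDs; for cloned SIDs emit the original disabled plus the local copy.

    clones maps original SID -> (new local SID, {option: new value}). The original is
    disabled so the probe does not alert twice on the same traffic.
    """
    clones = clones or {}
    out = []
    for r in rules:
        if r.sid in clones:
            new_sid, edits = clones[r.sid]
            out.append(replace(r, enabled=False))
            out.append(clone_with_edits(r, new_sid, edits))
        elif r.sid in disable_sids:
            out.append(replace(r, enabled=False))
        else:
            out.append(r)
    return out


def render_ruleset(rules):
    """Render rules back to Suricata rule-file text."""
    return '\n'.join(r.render() for r in rules) + '\n'


if __name__ == '__main__':
    feed = parse_rules(THIRD_PARTY_RULES)
    custom = build_custom_ruleset(
        feed, disable_sids={9000002},
        clones={9000001: (1000001, {'msg': '"LOCAL SSH scan, tuned threshold"',
                                    'threshold': 'type both, track by_src, count 5, seconds 120'})})
    print(render_ruleset(custom))
```

Keeping the cloned rule's original SID disabled (rather than deleted) preserves a visible link to the upstream rule when the feed is refreshed, and starting the local copy at `rev:1` in a reserved local SID range keeps feed updates from silently overwriting your tuned copy.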

Software TAP

Collect traffic from Windows and Linux servers when there is no port mirror or SPAN port option. Useful for cloud and virtualized environments and for remote and small locations.

Choose your Software TAP mode:

Software TAP PULL mode

Your traffic is stored locally on your server and OwlH will collect it.

Software TAP REALTIME mode

Your server will forward traffic in real time to the OwlH Node component.

Easy deployment

& Easy to keep updated

Just tell us what should be on your instance and we will take care of it.

The OwlH Installer will download and install the needed packages, and will install and update them to the latest version.

NEW OwlH Installer

Define your appliance

individual components: OwlH Node, OwlH Master, OwlH UI

OR OwlH all-in-one (node, master and ui)

Just define what should be in the appliance and the Installer will prepare it.

Keep OwlH stuff up-to-date

Define it as a scheduled task and the installer will keep your OwlH solution updated to the latest version.

Try it

OwlH all-in-one


Help needed? support@owlh.net

current v0.8.x

Install a CentOS 7 based system

Download OwlH Installer

Run installer

Enjoy the experience


# wget http://repo.owlh.net/current-centos/owlh-allinone.sh

# bash owlh-allinone.sh

Point your browser at https://your.owlh.ip or https://your.owlh.ip:50001/v1/home

PLEASE - Check your firewall configuration (doc)

OwlH deployment samples

All-in-one for a single site and low network bandwidth. [ doc ]

On-premises with multiple locations, virtual environments and cloud. [ doc ]

Software TAP RealTime configuration for cloud and remote small locations or isolated servers. [ doc ]

Traffic dispatcher for central traffic collection and distributed analysis. [ doc ]

There are many other ways to configure OwlH components to meet your traffic analysis and network IDS management needs; drop us an email and we will help: support@owlh.net

Network IDS management

  • Suricata and Zeek support
  • Centralized Management
  • Ruleset and Policies Management
  • Network Interface, Kernel and NIDS Fine Tuning
  • Traffic Capture:
    • Security Alerts
    • Traffic and Protocol Analysis
    • Anomalies Detection
  • Integration with ELK and other 3rd party Storage/Visualization Solutions

support@owlh.net

Are you a Wazuh user?

Easily add NIDS visibility to your Wazuh console

Wazuh agent for NIDS output transport

Wazuh decoders/rules for Suricata and Zeek

Single pane of glass - OwlH Dashboards in Kibana as well as Wazuh app

PCI-DSS mapping for Network IDS Alerts

PCI-DSS-3.2-OwlH-mapping.pdf

NIDS rules and PCI-DSS v.3.2 Mapping

see impacted PCI controls

Rules to environment and PCI control customization
