network IDS at scale

easily manage distributed IDS probes 

through dispersed traffic sources

an Open Source project to Visualize and Manage Suricata, Zeek & Arkime life cycles

Flexible, scalable, no vendor lock-in and no license cost. Join us on Slack

We will help you to be successful with your Owlh first deployment

Become part of our Open Source  Community or access our professional support and services.

OwlH was  born to help security engineers to manage, analyze and respond to network threats and anomalies using Open Source Network IDS Suricata and Zeek, offering: 

Current - v0.11.x

How to manage multiple probes

When you have multiple probes, multiple sites, multiple security levels, or do you manage multiple companies, there are different ways to manage your Network IDS probes


Define each probe as an stand-alone system

Manage probes configuration individually


Create groups of nodes 

share rulesets and services configurations between nodes in a same group


Use REST API to manage and configure your probes,  

No user Interface, just your app and our API

OwlH Components


Networ IDS solutions



On-premises - Virtualized - Cloud


Software TAP (STAP) Modes

Traffic Dispatcher

Threat Intelligence enrichment

Traffic Analysis


Central Management

Multiple Nodes

Single point of management


Traffic Forensics with Moloch

Traffic Dispatcher

Threat Intelligence enrichment

Traffic Analysis


Nodes Management

Manage & Monitor 

Open Rules - Ruleset management

Rulesets based on thirdparty providers

Custom Rulesets

Auto update rulesets

Collect & distribute traffic

Analyze and Enrich

Manage & Visualize

React and Document

Open Rules

Create and manage your threat detection toolset

Ruleset based on 3rd party providers

=> Integrate/import your favorite public or comercial ruleset feeds.

=> Define your scheduled tasks to automatically update them.

Your Custom Rulesets

=> Clone 3rd party rules and customize them.

=> Create and/or import your own custom single rules or custom rules files.

=> Edit, Enable, Disable, your Rules from the User Interface

Software TAP 

Software TAP helps to collect Traffic from windows and linux servers when there is no a port mirror or span port option. 

Useful for Cloud and virtualized environments and for remote and small locations.

Choose your Software TAP mode: 

Software TAP PULL mode

Your traffic is stored locally in your server and OwlH will collect it

Software TAP REALTIME mode

Your server will forward traffic in realtime to the OwlH Node component

Easy deployment

& Easy to keep updated

Just tell us what should be on your instance and we will take care of it. 

OwlH Installer will download and install needed packets and will install and update them to the latest version

OwlH Installer

Define your appliance

individual components: OwlH Node, OwlH Master, OwlH UI

OR OwlH all-in-one (node, master and ui)

 just define what should be in the appliance and Installer will prepare it

Keep OwlH stuff up-to-date

Define it as scheduled task and installer will keep your OwlH solution updated to latest version

Install OwlH

OwlH all-in-one

help needed? 

current v0.11.x

Install a CentOS 7 based system

Download OwlH Installer

Run installer

Enjoy experience

# wget

# bash

Point your browser https://your.owlh.ip, 



PLEASE - Check your firewall configuration (doc)

OwlH deployment samples

all-in-one for single site and low network bandwidth. [ doc ]

Multiple locations. On-premises, Virtual, Cloud, or Hybrid environments . [ doc ]

Software TAP RealTime configuration for cloud and/or remote small locations or isolated servers [ doc ]

Traffic dispatcher for centralized traffic collection and distributed analysis. [ doc ]

OwlH custom configurations

There are many other ways to configure OwlH components to meet your traffic analysis, forensics and network IDS management needs.

Send us an email and we will help you. 

Few samples are:

Traffic forwarding and Forensics analysis with Moloch.

Collect your traffic, analyze it and forward it to a central console to be able to forensics your traffic with Moloch.

Cloud based PCAP analysis. 

you don't need to have your Network IDS locally. Just upload your PCAP to your OwlH Cloud environment and see results in your Wazuh SaaS

Network IDS management

Are you a Wazuh user?

OwlH is now a Wazuh Partner

PCI-DSS mapping for Network IDS Alerts


NIDS rules and PCI-DSS v.3.2.1 Mapping 

see impacted PCI controls 

Rules to environment and PCI control customization