Unified NIDS Management

Security by network monitoring

An open source project to easily visualize and manage Suricata and Zeek at scale.


OwlH was created to help security engineers manage, analyse and respond to threat and anomaly detection using open source network IDS (Suricata and Zeek), offering:

  • Centralized Rule and Network IDS nodes Configuration Management
  • Software TAP for cloud environments. Capture and analyze traffic in cloud environments or remote servers
  • Centralized Visualization, Big Data Storage and Collection
  • Compliance Mapping and Dashboards

Some default Use Cases

  • Real-time threat detection, based on Suricata rulesets such as Emerging Threats, VRT and others.
  • Protocol analysis and protocol usage statistics based on flow information and Zeek analysis.
  • PCI environments: detection of unencrypted traffic in PCI environments.
  • Detection of unauthorized network devices and new systems.
  • Anomaly detection based on ARP behaviour, such as ARP poisoning.

... and we will help you with your own use case.

Current - v0.7

Software TAP for AWS and GCLOUD

  • GCLOUD and AWS support
  • Continuous Monitoring
  • Suricata and Zeek support
  • PCAP based traffic storage
  • OwlH Master Orchestration


Network IDS management

  • Suricata and Zeek support
  • Centralized Management
  • Ruleset and Policies Management
  • Network Interface, Kernel and NIDS Fine Tuning
  • Traffic Capture:
    • Security Alerts
    • Traffic and Protocol Analysis
    • Anomaly Detection
  • Integration with ELK and other 3rd party Storage/Visualization Solutions


Suricata and Zeek Integration with WAZUH

  • Single pane of glass for HIDS and NIDS alerts
  • Suricata and Zeek alerts integrated in Wazuh panels
  • Default Panels for traffic, security alerts, protocols, anomalies

See our documentation

PCI-DSS mapping for Network IDS Alerts


Mapping of NIDS ET rules to PCI-DSS v3.2

Demonstration of controls 11.4 and 10.8

Customization of rules to your environment and PCI controls


On-Demand traffic capture

- Run traffic capture on-demand

- Run after an incident is detected to provide forensic information

- Define traffic capture parameters such as:

  • Time to capture
  • Capture Size
  • Target Traffic using BPF filters

- Run on your Network IDS on-premises or in the cloud

- Send captured traffic to forensic storage:

  • Local
  • Cloud (AWS, GCLOUD)


Buffered Traffic Capture for Incident Forensics

- Define the targets you want to monitor

- Define the buffer size for pre-incident traffic

  • Captured traffic is continuously sent to the buffer in real time
  • Traffic older than the buffer size/time limit is discarded

- Define the incident rule that will trigger full traffic capture

- The full capture will include the buffered traffic and the post-incident traffic
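The buffering logic described above, as an added illustration that is not OwlH's own code: a pre-incident ring buffer bounded by both total bytes and packet age, an incident rule that switches the capture into full mode, and a post-incident window after which the capture is finalized. The packet stream, the flagged destination address and the rule are all constructed for the example, and the `Packet` record is an assumption standing in for a real PCAP frame.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    ts: float   # capture timestamp in seconds (constructed)
    src: str
    dst: str
    size: int   # bytes on the wire


class PreIncidentBuffer:
    """Ring buffer of recent packets bounded by total bytes and by age."""

    def __init__(self, max_bytes: int, max_age: float):
        self.max_bytes = max_bytes
        self.max_age = max_age
        self._pkts: deque = deque()
        self._bytes = 0

    def push(self, pkt: Packet) -> None:
        self._pkts.append(pkt)
        self._bytes += pkt.size
        # Discard the oldest packets while the buffer exceeds its size or age limit.
        while self._pkts and (
            self._bytes > self.max_bytes
            or pkt.ts - self._pkts[0].ts > self.max_age
        ):
            old = self._pkts.popleft()
            self._bytes -= old.size

    def drain(self) -> List[Packet]:
        """Hand over everything buffered so far and start empty again."""
        pkts = list(self._pkts)
        self._pkts.clear()
        self._bytes = 0
        return pkts


class BufferedCapture:
    """Feeds packets into the buffer until the incident rule fires, then records
    the buffered packets plus everything seen during the post-incident window."""

    def __init__(self, buffer: PreIncidentBuffer,
                 incident_rule: Callable[[Packet], bool], post_window: float):
        self.buffer = buffer
        self.incident_rule = incident_rule
        self.post_window = post_window
        self._capture: Optional[List[Packet]] = None
        self._deadline = 0.0

    def feed(self, pkt: Packet) -> Optional[List[Packet]]:
        """Returns a finished capture when its post-incident window has closed."""
        if self._capture is None:
            if self.incident_rule(pkt):
                # Incident: the capture starts with the pre-incident buffer.
                self._capture = self.buffer.drain() + [pkt]
                self._deadline = pkt.ts + self.post_window
            else:
                self.buffer.push(pkt)
            return None
        if pkt.ts <= self._deadline:
            self._capture.append(pkt)
            return None
        done = self.flush()
        self.buffer.push(pkt)   # back to buffering for the next incident
        return done

    def flush(self) -> Optional[List[Packet]]:
        done, self._capture = self._capture, None
        return done


FLAGGED_DST = {"203.0.113.7"}   # constructed indicator used by the demo rule


def run_demo() -> List[List[Packet]]:
    """Fifteen constructed packets one second apart; the tenth hits the rule."""
    buf = PreIncidentBuffer(max_bytes=1000, max_age=5.0)
    cap = BufferedCapture(buf, lambda p: p.dst in FLAGGED_DST, post_window=3.0)
    stream = [Packet(ts=float(t), src="10.0.0.5", dst="10.0.0.9", size=100)
              for t in range(1, 16)]
    stream[9].dst = "203.0.113.7"   # ts=10 triggers the incident rule
    captures = []
    for pkt in stream:
        done = cap.feed(pkt)
        if done:
            captures.append(done)
    done = cap.flush()
    if done:
        captures.append(done)
    return captures


if __name__ == "__main__":
    for capture in run_demo():
        print(f"{len(capture)} packets, ts {capture[0].ts} to {capture[-1].ts}")
```

With a five-second age limit the buffer holds the six packets from ts=4 to ts=9 when the rule fires at ts=10, so the finished capture spans ts=4 to ts=13: six pre-incident packets, the triggering packet and three post-incident packets. Packets after the window go back into the buffer for the next incident.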


Using eBPF for Network and Host IDS alert enrichment:

Network IDS alert + system process details enrichment

- Network IDS traffic analysis and alerting

- Using eBPF on the host for:

-> #OwlH - Host Traffic Capture and related service details

-> #Wazuh - Host IDS alerts with process detail

- Network IDS alert enrichment with process details
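The enrichment step, as an added example rather than OwlH's or Wazuh's own implementation: Suricata EVE JSON alerts are joined against a host-side socket table of the kind an eBPF probe can report (pid, command, local and remote endpoints), matching the alert's 4-tuple from either side since the monitored host may be the source or the destination. Both the alert records and the socket table are constructed sample data, and the socket table's field names are an assumption.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed host socket/process table (assumed layout of what an eBPF probe
# on the host would report). Not a real OwlH or Wazuh data format.
HOST_SOCKETS = [
    {"host": "10.0.0.5", "pid": 4172, "comm": "curl",
     "laddr": "10.0.0.5", "lport": 51324, "raddr": "203.0.113.7", "rport": 80},
    {"host": "10.0.0.5", "pid": 913, "comm": "sshd",
     "laddr": "10.0.0.5", "lport": 22, "raddr": "10.0.0.9", "rport": 40212},
]

# Constructed Suricata EVE JSON records; field names follow EVE's alert layout.
EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","src_port":51324,'
    '"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP",'
    '"alert":{"signature":"TEST outbound HTTP to flagged host","severity":2}}',
    '{"event_type":"alert","src_ip":"10.0.0.9","src_port":40212,'
    '"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP",'
    '"alert":{"signature":"TEST inbound SSH from unexpected host","severity":1}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","src_port":51324,'
    '"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP"}',
    '{"event_type":"alert","src_ip":"10.0.0.5","src_port":60000,'
    '"dest_ip":"198.51.100.2","dest_port":443,"proto":"TCP",'
    '"alert":{"signature":"TEST TLS to unknown host","severity":3}}',
]

# local addr, local port, remote addr, remote port (from the host's point of view)
Endpoint = Tuple[str, int, str, int]


def index_sockets(sockets: List[dict]) -> Dict[Endpoint, dict]:
    """Key each host socket by its 4-tuple so alerts can be joined in O(1)."""
    return {(s["laddr"], s["lport"], s["raddr"], s["rport"]): s for s in sockets}


def find_process(alert: dict, index: Dict[Endpoint, dict]) -> Optional[dict]:
    """Look the alert's 4-tuple up from both sides: the host's socket reads
    src->dest when the host initiated the flow and dest->src when it received it."""
    as_source = (alert["src_ip"], alert["src_port"], alert["dest_ip"], alert["dest_port"])
    as_target = (alert["dest_ip"], alert["dest_port"], alert["src_ip"], alert["src_port"])
    return index.get(as_source) or index.get(as_target)


def enrich_alerts(lines: List[str], sockets: List[dict] = HOST_SOCKETS) -> List[dict]:
    """Parse EVE JSON lines, keep alert events, and attach the owning process
    when the host socket table has a matching 4-tuple (None otherwise)."""
    index = index_sockets(sockets)
    enriched = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue  # flow, dns, http and other EVE event types are not enriched here
        proc = find_process(event, index)
        enriched.append({
            "signature": event["alert"]["signature"],
            "severity": event["alert"]["severity"],
            "flow": f'{event["src_ip"]}:{event["src_port"]} -> '
                    f'{event["dest_ip"]}:{event["dest_port"]}',
            "process": None if proc is None else
                       {"host": proc["host"], "pid": proc["pid"], "comm": proc["comm"]},
        })
    return enriched


if __name__ == "__main__":
    for alert in enrich_alerts(EVE_LINES):
        print(json.dumps(alert))
```

An alert whose 4-tuple has no entry in the socket table keeps `process: None` rather than being dropped, so the analyst still sees the network alert and knows the host-side view was missing (the socket closed before the probe reported it, or the host is not instrumented).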