OwlH – Network IDS integration

OwlH is an open source project that helps you deploy the right Network Intrusion Detection System (NIDS) in your environment, configure it correctly, and keep it updated and adapted to a network whose hosts, services and traffic patterns change constantly.

[Figure: OwlH architecture diagram]

What is a Network Intrusion Detection System?

A Network Intrusion Detection System (NIDS) inspects network traffic in real time to detect attacks from external systems, infected internal servers or user workstations, service misconfigurations, and breaches of local security policy. Standard detection capabilities of a network IDS include:

  • Detection of new systems appearing on the network
  • Detection of hidden systems that use address spoofing
  • Detection of unauthorized use of services
  • Prevention mode. Running in Intrusion Prevention System (IPS) mode, a network IDS can also act on what it detects by stopping, blocking or discarding a bad connection as soon as it is identified. Note that IPS mode requires the sensor to sit inline on the traffic path; a probe listening on a mirror port can only alert, and a misfiring rule in inline mode blocks legitimate traffic, so rule changes need review before they reach an inline sensor.

What can OwlH do for you?

  • Threat detection: based on rules or policies, a network IDS can detect two kinds of problems: generic threats (malware, phishing, scanning, etc.) and problems specific to your business, such as use of a service from a segment that should never reach it.
  • Network behavior visualization: you can see how your network is actually used, such as bandwidth consumed, per-protocol statistics, and the share of cleartext versus encrypted traffic.

How OwlH works

  • Choose and deploy a best-of-breed open source NIDS: OwlH supports the main high-performance open source engines, Suricata, Bro (now Zeek) and Snort.
  • Configure and fine-tune the engine as your network environment requires: you define which detection capabilities and rulesets fit your business requirements, rather than running a vendor default.
  • Single pane of glass with Wazuh: the alerts collected by the probes are forwarded to your Wazuh platform, so network alerts can be analyzed alongside host-based events in one place.

OwlH Network IDS Added Value

Network Threat Detection

Network IDS rulesets detect the most common attacks and malicious network behavior. Vendors update their rulesets periodically, and OwlH keeps the rulesets loaded on your NIDS probes synchronized with those updates, so a probe does not silently fall behind on current signatures.
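Keeping rulesets synchronized is a supply-chain operation as well as an operational one: a rule bundle is code your probe executes, and a new rule that arrives with the `drop` action changes what an inline sensor blocks. The Python below is an added example written for this page, not OwlH's updater; it checks a downloaded bundle against a published SHA-256 digest before accepting it, then parses the current and downloaded Suricata rule files into SID/rev/action tables and reports what a review would want to see. The two rule texts and the digest are constructed for illustration; the `PUBLISHED_SHA256` constant stands in for a digest obtained from the vendor through a trusted channel.

```python
"""Integrity check and review diff before pushing a downloaded ruleset to probes.

Added example for this page (not OwlH's updater). The rule texts and the
published digest are constructed; in practice the digest comes from the
vendor's trusted channel and the bundle from its download URL.
"""
import hashlib
import hmac
import re

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject")


def parse_rules(text):
    """Return {sid: {rev, action, enabled}} from Suricata rule text.
    A leading '#' marks a disabled rule; other comment lines are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        action = body.split(" ", 1)[0] if body else ""
        sid, rev = SID_RE.search(body), REV_RE.search(body)
        if action not in ACTIONS or not sid or not rev:
            continue  # blank line, header comment or malformed rule
        rules[int(sid.group(1))] = {
            "rev": int(rev.group(1)), "action": action, "enabled": enabled}
    return rules


def diff_rulesets(old, new):
    """What changed between two parsed rulesets, plus the rules that would
    start blocking traffic if the probe runs in IPS mode."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(s for s in set(old) & set(new) if new[s]["rev"] != old[s]["rev"])
    new_drops = sorted(s for s in added if new[s]["action"] == "drop" and new[s]["enabled"])
    return {"added": added, "removed": removed, "changed": changed, "new_drops": new_drops}


def verify_bundle(data, expected_sha256):
    """Constant-time comparison of the download's SHA-256 with the published digest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.strip().lower())


def sync_check(current_rules_text, downloaded_bundle, expected_sha256):
    """Refuse a bundle whose digest does not match; otherwise return the review diff."""
    if not verify_bundle(downloaded_bundle, expected_sha256):
        raise ValueError("ruleset bundle failed integrity check; not deploying")
    return diff_rulesets(parse_rules(current_rules_text),
                         parse_rules(downloaded_bundle.decode()))


# Constructed rulesets: what is loaded on the probe today vs. a new download.
OLD_RULES = """\
# Constructed ruleset, version 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S; classtype:attempted-recon; sid:2001219; rev:20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Constructed beacon A"; content:"/a"; sid:2999990; rev:3;)
#alert tcp any any -> any 23 (msg:"Constructed telnet rule"; sid:2999991; rev:1;)
"""
NEW_RULES = """\
# Constructed ruleset, version 2
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S; classtype:attempted-recon; sid:2001219; rev:21;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Constructed beacon A"; content:"/a"; sid:2999990; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Constructed SMB exploit attempt"; sid:2999992; rev:1;)
"""
# Stands in for the digest the vendor publishes alongside the bundle.
PUBLISHED_SHA256 = hashlib.sha256(NEW_RULES.encode()).hexdigest()

if __name__ == "__main__":
    print(sync_check(OLD_RULES, NEW_RULES.encode(), PUBLISHED_SHA256))
```

For the constructed inputs, `sync_check` reports SID 2001219 revised, SID 2999991 gone, SID 2999992 new, and flags 2999992 under `new_drops` because it is an enabled `drop` rule; a bundle that differs by a single byte from the published digest is rejected before anything is parsed.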

Support for multiple environments and platforms

OwlH helps you monitor your network wherever it reaches. It supports several traffic-collection scenarios, which can be combined in one deployment:

  • Software TAP: for cloud or isolated systems. Make your servers part of the network analysis process: collect traffic locally on the server and forward it to a central NIDS for analysis.
  • Virtual Environment: the same collect-and-forward approach applied to virtual machines that no physical mirror port can reach; traffic is captured on the guest and sent to the central NIDS.
  • On-Premises: listen to traffic directly from your network. This is the classic deployment: the NIDS probes are attached to a port mirror (SPAN) interface on a switch and see a copy of the traffic.

Compliance Mapping - PCI-DSS v3.2.1

Identify which PCI-DSS controls are affected by what your network traffic shows. OwlH has mapped a Suricata-based ruleset to PCI-DSS v3.2.1 controls, so each network IDS alert can be tied to the controls it bears on, and you get visibility of which alerts affect which controls.
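As an added illustration of how such a mapping is applied (example code written for this page, not OwlH's mapping table or Wazuh's decoder), the Python below reads Suricata EVE JSON records, assigns each alert to PCI-DSS v3.2.1 requirement numbers from a small constructed table, and summarizes alerts per requirement. The table rows, the SID override and the EVE lines are all constructed for illustration; only the EVE field names (`event_type`, `alert.signature_id`, `alert.signature`, `alert.category`) are Suricata's own.

```python
"""Map Suricata EVE JSON alerts to PCI-DSS v3.2.1 requirements.

Added example for this page, not OwlH's own mapping. The mapping table
and the EVE records are constructed for illustration.
"""
import json
from collections import defaultdict

# Illustrative mapping (assumption: OwlH's real table is far larger).
# Keyed by Suricata classification text; values are PCI-DSS requirements.
CATEGORY_TO_PCI = {
    "Attempted Information Leak": ["11.4"],
    "A Network Trojan was detected": ["5.1", "11.4"],
    "Attempted Administrator Privilege Gain": ["10.6", "11.4"],
}
# Per-signature overrides win over the classification (constructed row).
SID_TO_PCI = {
    2100498: ["1.3", "11.4"],
}

# Constructed EVE JSON lines, one object per line as Suricata writes eve.json.
# Includes a non-alert event, an unmapped alert and a truncated line.
EVE_LINES = [
    '{"timestamp":"2021-11-12T10:01:02.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP",'
    '"alert":{"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan",'
    '"category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2021-11-12T10:01:03.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.9","dest_ip":"10.0.0.5","proto":"TCP"}',
    '{"timestamp":"2021-11-12T10:02:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":4444,"proto":"TCP",'
    '"alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":1}}',
    '{"timestamp":"2021-11-12T10:03:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.12","dest_ip":"198.51.100.20","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":2999999,"rev":1,"signature":"ET MALWARE constructed sample",'
    '"category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2021-11-12T10:04:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.12","dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":2999998,"rev":1,"signature":"ET INFO constructed sample",'
    '"category":"Not Suspicious Traffic","severity":3}}',
    '{"timestamp":"2021-11-12T10:05:00.000000+0000","event_type":"alert","alert":{"sig',
]


def parse_eve(lines):
    """Yield only event_type=alert records; skip other EVE event types and
    malformed lines (a truncated write or a rotation artefact)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        yield rec


def pci_controls(rec):
    """PCI-DSS requirements for one alert: SID override first, then the
    classification; an empty list means no mapped compliance impact."""
    alert = rec["alert"]
    sid = alert.get("signature_id")
    if sid in SID_TO_PCI:
        return list(SID_TO_PCI[sid])
    return list(CATEGORY_TO_PCI.get(alert.get("category", ""), []))


def enrich(rec):
    """Copy of the alert with a 'pci_dss' field: the shape you would forward
    so a downstream SIEM rule can group alerts by requirement."""
    out = dict(rec)
    out["pci_dss"] = pci_controls(rec)
    return out


def summarize(lines):
    """Alert counts and distinct signatures per requirement, plus the number
    of alerts the table does not cover (those need a mapping decision)."""
    counts, sigs, unmapped = defaultdict(int), defaultdict(set), 0
    for rec in parse_eve(lines):
        controls = pci_controls(rec)
        if not controls:
            unmapped += 1
        for c in controls:
            counts[c] += 1
            sigs[c].add(rec["alert"]["signature"])
    return {"counts": dict(counts),
            "signatures": {k: sorted(v) for k, v in sigs.items()},
            "unmapped": unmapped}


if __name__ == "__main__":
    print(json.dumps(summarize(EVE_LINES), indent=2))
```

On the constructed input, `summarize` reports three alerts touching requirement 11.4 and one each for 1.3 and 5.1, plus one alert with no mapping; the `flow` record and the truncated line are ignored rather than crashing the pipeline. The `unmapped` counter is the part worth watching in production: an alert no control maps to is still an alert, and a growing unmapped count usually means the ruleset moved ahead of the mapping.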

Adapt and Respond

Define the action a threat triggers, collect the traffic related to it, and analyze that traffic with your NIDS or with pcap tools.

  • Buffered capture: for forensics, store the traffic related to the event in pcap format, so the packets that caused the alert are preserved rather than only the alert line.
  • Notify an external API to run an action.
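The two response actions above fit together naturally: keep a rolling buffer of recent frames, and when an alert fires, write the frames that belong to the offending flow out as a pcap file and hand a summary to whatever runs the follow-up action. The Python below is an added example written for this page, not OwlH code; it implements that sequence with the standard library only. The frames are constructed Ethernet/IPv4 packets without valid checksums, the `notify` argument is a plain callable standing in for the external API, and the ring size, addresses and alert are all made up for the demonstration.

```python
"""Buffered capture flushed to pcap on a threat trigger, plus notification.

Added example for this page (not OwlH code). Frames are constructed
Ethernet/IPv4 packets without valid checksums; 'notify' stands in for the
external API that would run the action.
"""
import struct
import time
from collections import deque

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, little-endian
LINKTYPE_ETHERNET = 1


def make_frame(src_ip, dst_ip, payload):
    """Constructed Ethernet + minimal IPv4 header + payload (no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + payload


def ipv4_endpoints(frame):
    """Return (src, dst) of an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))


class RingCapture:
    """Keeps the last max_packets frames; older ones are dropped automatically."""

    def __init__(self, max_packets=10000):
        self.buf = deque(maxlen=max_packets)

    def add(self, frame, ts=None):
        self.buf.append((time.time() if ts is None else ts, bytes(frame)))

    def to_pcap(self, keep=lambda frame: True, snaplen=65535):
        """Serialize the buffered frames that satisfy keep() as a pcap file."""
        out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
        for ts, frame in self.buf:
            if not keep(frame):
                continue
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            cap = frame[:snaplen]
            out.append(struct.pack("<IIII", sec, usec, len(cap), len(frame)) + cap)
        return b"".join(out)


def count_records(pcap_bytes):
    """Walk a pcap file and count packet records (sanity check before shipping it)."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, n = 24, 0
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])[2]
        off += 16 + incl_len
        n += 1
    return n


def on_alert(alert, capture, notify, pcap_path=None):
    """Threat trigger: keep only frames between the alert's endpoints (either
    direction), serialize them as pcap, then notify the external action hook."""
    pair = {alert["src_ip"], alert["dest_ip"]}

    def related(frame):
        ep = ipv4_endpoints(frame)
        return ep is not None and set(ep) == pair

    data = capture.to_pcap(keep=related)
    if pcap_path:
        with open(pcap_path, "wb") as f:
            f.write(data)
    evidence = {"signature": alert["signature"], "src_ip": alert["src_ip"],
                "dest_ip": alert["dest_ip"], "packets": count_records(data),
                "pcap_bytes": len(data)}
    notify(evidence)   # in practice: POST to the SOAR/ticketing API
    return data


def demo():
    """Constructed run: a 4-frame ring, 3 frames of the suspicious flow mixed
    with 2 unrelated ones; the oldest frame is evicted before the alert."""
    cap = RingCapture(max_packets=4)
    t = 1636711262.0
    cap.add(make_frame("10.0.0.9", "10.0.0.5", b"GET / HTTP/1.1"), t)   # evicted
    cap.add(make_frame("203.0.113.7", "10.0.0.5", b"SSH-2.0-scanner"), t + 1)
    cap.add(make_frame("10.0.0.5", "203.0.113.7", b"SSH-2.0-OpenSSH"), t + 2)
    cap.add(make_frame("10.0.0.9", "10.0.0.5", b"GET /a HTTP/1.1"), t + 3)
    cap.add(make_frame("203.0.113.7", "10.0.0.5", b"\x00" * 8), t + 4)
    sent = []
    alert = {"signature": "ET SCAN Potential SSH Scan",
             "src_ip": "203.0.113.7", "dest_ip": "10.0.0.5"}
    return on_alert(alert, cap, sent.append), sent


if __name__ == "__main__":
    pcap, notifications = demo()
    print(len(pcap), "pcap bytes;", notifications)
```

`demo()` yields a pcap containing the three frames exchanged between 203.0.113.7 and 10.0.0.5 (the unrelated HTTP frame is filtered out and the first one was already evicted by the ring), and the notify hook receives one evidence record that names the signature, the endpoints and the packet count. Sizing the ring is the operational decision: it has to cover the time between the first packet of an attack and the moment the engine raises the alert, which for threshold-based rules like a scan signature can be many packets.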

Do you want more information?

You can visit OwlH’s website or OwlH’s documentation to learn more about this tool.

Get Wazuh 4.2.5: download and deploy Wazuh, and learn more in the Wazuh documentation.