HIGH · SCAN_001 · 192.168.1.10 → 10.0.0.1 · TCP SYN Portscan | MED · ML_ANOMALY · Isolation Forest score 0.87 · Unusual flow pattern detected | CRIT · MODBUS_001 · OT/ICS · Unauthorized Modbus write to PLC | LOW · UNKNOWN_HOST_001 · New device 10.10.5.42 on OT segment | EXT · IRMA · DNP3_ANOMALY · External source · high severity
CYJAN INTRUSION DETECTION SYSTEM PROTECT · DETECT · RESPOND
Open Source · MIT License

Passive IDS
for OT/ICS environments

Header-only packet analysis at the mirror port. Signature detection + ML anomaly engine + self-learning feedback loop.
Zero payload access. Zero blind spots.

SCADA Modbus TCP DNP3 EtherNet/IP BACnet S7 TCP/IP DNS ICMP
14 microservices · 128B header-only snaplen · ~40k Suricata ET rules · 0 payload access
CAPABILITIES

Built for the real world.

Designed specifically for operational technology networks where availability beats everything else.

Passive Mirror-Port Analysis

Zero network impact. Rust-based sniffer with AF_PACKET/TPACKET_V3 captures traffic at line rate — headers only, no payload, no decryption.
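As an added example of what a 128-byte, header-only capture gives a detector (illustrative code written for this page, not the CYJAN sniffer's own source): it parses only the Ethernet, IPv4 and TCP headers from frames truncated to the snaplen, never reading payload bytes, and then applies a simple bare-SYN distinct-port heuristic over the extracted flow tuples, the kind of logic behind a "TCP SYN Portscan" alert like SCAN_001 in the ticker above. The frame builder, the threshold and every address and port are constructed sample input, not captured traffic.

```rust
// Added example (not CYJAN's sniffer code): header-only parsing at a 128-byte
// snaplen plus a bare-SYN port-count heuristic over the resulting flow tuples.
use std::collections::{HashMap, HashSet};

pub const SNAPLEN: usize = 128; // assumed to match the page's 128B snaplen
pub const TCP_SYN: u8 = 0x02;
pub const TCP_ACK: u8 = 0x10;

#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct FlowKey { pub src: [u8; 4], pub dst: [u8; 4], pub sport: u16, pub dport: u16 }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TcpHeaderInfo {
    pub flow: FlowKey,
    pub flags: u8,
    pub header_bytes: usize, // bytes of the frame actually inspected
}

/// Parse Ethernet + IPv4 + TCP headers only; anything else yields None.
/// The slice is clamped to SNAPLEN first, so payload is never examined even
/// when a caller hands over a full frame.
pub fn parse_headers(frame: &[u8]) -> Option<TcpHeaderInfo> {
    let frame = &frame[..frame.len().min(SNAPLEN)];
    if frame.len() < 14 || u16::from_be_bytes([frame[12], frame[13]]) != 0x0800 { return None; }
    let ip = &frame[14..];
    if ip.len() < 20 || (ip[0] >> 4) != 4 { return None; }
    let ihl = ((ip[0] & 0x0f) as usize) * 4;
    if ihl < 20 || ip.len() < ihl || ip[9] != 6 { return None; } // protocol 6 = TCP
    let src = [ip[12], ip[13], ip[14], ip[15]];
    let dst = [ip[16], ip[17], ip[18], ip[19]];
    let tcp = &ip[ihl..];
    if tcp.len() < 20 { return None; }
    let data_off = ((tcp[12] >> 4) as usize) * 4;
    // A header whose options run past the snaplen is dropped rather than guessed at.
    if data_off < 20 || tcp.len() < data_off { return None; }
    let sport = u16::from_be_bytes([tcp[0], tcp[1]]);
    let dport = u16::from_be_bytes([tcp[2], tcp[3]]);
    Some(TcpHeaderInfo { flow: FlowKey { src, dst, sport, dport }, flags: tcp[13], header_bytes: 14 + ihl + data_off })
}

/// (src, dst, distinct ports) for every source that sent bare SYNs (SYN set,
/// ACK clear) to at least `threshold` distinct destination ports on one host.
pub fn syn_scan_sources(infos: &[TcpHeaderInfo], threshold: usize) -> Vec<([u8; 4], [u8; 4], usize)> {
    let mut ports: HashMap<([u8; 4], [u8; 4]), HashSet<u16>> = HashMap::new();
    for i in infos {
        if i.flags & TCP_SYN != 0 && i.flags & TCP_ACK == 0 {
            ports.entry((i.flow.src, i.flow.dst)).or_default().insert(i.flow.dport);
        }
    }
    let mut out: Vec<_> = ports.into_iter()
        .filter(|(_, p)| p.len() >= threshold)
        .map(|((s, d), p)| (s, d, p.len()))
        .collect();
    out.sort();
    out
}

/// Constructed Ethernet/IPv4/TCP frame (zero MACs, zero checksums) with
/// `payload_len` dummy bytes appended; sample input, not captured data.
pub fn build_syn_frame(src: [u8; 4], dst: [u8; 4], sport: u16, dport: u16, flags: u8, payload_len: usize) -> Vec<u8> {
    let mut f = Vec::new();
    f.extend_from_slice(&[0u8; 12]);                       // dst + src MAC
    f.extend_from_slice(&0x0800u16.to_be_bytes());         // EtherType IPv4
    f.push(0x45); f.push(0);                               // version 4, IHL 5, DSCP
    f.extend_from_slice(&((20 + 20 + payload_len) as u16).to_be_bytes());
    f.extend_from_slice(&[0, 0, 0x40, 0, 64, 6, 0, 0]);    // id, DF, TTL, proto TCP, checksum
    f.extend_from_slice(&src); f.extend_from_slice(&dst);
    f.extend_from_slice(&sport.to_be_bytes());
    f.extend_from_slice(&dport.to_be_bytes());
    f.extend_from_slice(&[0u8; 8]);                        // seq, ack
    f.push(0x50); f.push(flags);                           // data offset 5, flags
    f.extend_from_slice(&[0xff, 0xff, 0, 0, 0, 0]);        // window, checksum, urgent
    f.extend(std::iter::repeat(0xAAu8).take(payload_len)); // payload the parser never reads
    f
}

fn main() {
    // Constructed sample: one host probing eleven ports, plus one ordinary SYN/ACK reply.
    let mut infos = Vec::new();
    for port in 20u16..=30 {
        infos.extend(parse_headers(&build_syn_frame([192, 168, 1, 10], [10, 0, 0, 1], 40000 + port, port, TCP_SYN, 0)));
    }
    infos.extend(parse_headers(&build_syn_frame([10, 0, 0, 1], [192, 168, 1, 10], 22, 40022, TCP_SYN | TCP_ACK, 0)));
    for (src, dst, n) in syn_scan_sources(&infos, 10) {
        println!("SCAN: {:?} -> {:?} bare SYNs to {} distinct ports", src, dst, n);
    }
}
```

The point to notice is `header_bytes`: for a plain IPv4/TCP frame it is 54, so a 128-byte snaplen leaves room for the full option space of both headers and nothing of the payload ever needs to be touched. A real deployment would key the heuristic on a time window as well; that is left out here.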

ML Anomaly Detection

Isolation Forest with self-learning feedback loop. Mark alerts as true/false positives and the model retrains automatically — getting smarter over time.

OT/ICS Protocol Coverage

Pre-configured rule sets for Modbus TCP, DNP3, EtherNet/IP, BACnet, and S7. OT tags get orange highlighting and auto-escalated severity.

Real-time WebSocket Dashboard

Live alert feed with threat-level gauge, connection graph, PCAP download per alert, enrichment (GeoIP, ASN, DNS), and CSV export.

Suricata Integration

Optional parallel detection engine. ~40,000 Emerging Threats rules plus OT/ICS rule sets from Digital Bond and Positive Technologies, all live-reloadable.

IRMA Bridge

Integrates external IRMA IDS alerts into the unified feed. REST polling with automatic token renewal — external alarms appear as first-class citizens.

PCAP Evidence Store

Every alert stores a Wireshark-compatible PCAP (headers only) in MinIO — download directly from the alert detail view for forensic investigation.

Host Trust System

Known network and host inventory with CSV bulk import, GeoIP/ASN enrichment, and automatic unknown host alerts — with Redis caching for speed.
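As an added example (not CYJAN's host-trust implementation) of how an unknown-host alert falls out of a network and host inventory: a constructed two-table CSV inventory (segments as CIDRs, hosts as addresses) is loaded, and an observed source address is classified as a known host, an unknown device inside a known segment (the UNKNOWN_HOST_001 case in the ticker), or an address outside the inventory altogether. The CSV layout, segment names and addresses are assumptions made for illustration.

```rust
// Added example (not CYJAN code): classify an observed address against a
// constructed network/host inventory to derive an unknown-host verdict.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Cidr { pub net: u32, pub prefix: u8 }

fn mask(prefix: u8) -> u32 { if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) } }

/// Dotted-quad IPv4 parser; rejects anything that is not exactly four octets.
pub fn parse_ipv4(s: &str) -> Option<u32> {
    let mut out = 0u32;
    let mut n = 0;
    for part in s.split('.') {
        let b: u8 = part.parse().ok()?;
        out = (out << 8) | b as u32;
        n += 1;
    }
    if n == 4 { Some(out) } else { None }
}

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (ip, pfx) = s.split_once('/')?;
        let prefix: u8 = pfx.parse().ok()?;
        if prefix > 32 { return None; }
        Some(Cidr { net: parse_ipv4(ip)? & mask(prefix), prefix })
    }
    pub fn contains(&self, ip: u32) -> bool { (ip & mask(self.prefix)) == self.net }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum HostVerdict {
    Known { name: String, segment: String },
    UnknownOnSegment { segment: String }, // new device inside a known network
    OutsideInventory,
}

pub struct Inventory {
    segments: Vec<(String, Cidr)>,
    hosts: HashMap<u32, String>,
}

impl Inventory {
    /// Load from two CSV texts with header rows: segments as "name,cidr",
    /// hosts as "ip,name". Malformed rows are skipped.
    pub fn from_csv(segments_csv: &str, hosts_csv: &str) -> Inventory {
        let segments = segments_csv.lines().skip(1).filter_map(|l| {
            let (name, cidr) = l.split_once(',')?;
            Some((name.trim().to_string(), Cidr::parse(cidr.trim())?))
        }).collect();
        let hosts = hosts_csv.lines().skip(1).filter_map(|l| {
            let (ip, name) = l.split_once(',')?;
            Some((parse_ipv4(ip.trim())?, name.trim().to_string()))
        }).collect();
        Inventory { segments, hosts }
    }

    /// None means the address itself was unparseable.
    pub fn classify(&self, ip_str: &str) -> Option<HostVerdict> {
        let ip = parse_ipv4(ip_str)?;
        let segment = self.segments.iter().find(|(_, c)| c.contains(ip)).map(|(n, _)| n.clone());
        Some(match (self.hosts.get(&ip), segment) {
            (Some(name), Some(segment)) => HostVerdict::Known { name: name.clone(), segment },
            (Some(name), None) => HostVerdict::Known { name: name.clone(), segment: "unassigned".into() },
            (None, Some(segment)) => HostVerdict::UnknownOnSegment { segment },
            (None, None) => HostVerdict::OutsideInventory,
        })
    }
}

// Constructed inventory for the example; not a real site's data.
pub const SEGMENTS_CSV: &str = "name,cidr\nOT,10.10.0.0/16\nIT,192.168.1.0/24\n";
pub const HOSTS_CSV: &str = "ip,name\n10.10.5.1,plc-01\n10.10.5.2,hmi-01\n192.168.1.10,ws-01\n";

fn main() {
    let inv = Inventory::from_csv(SEGMENTS_CSV, HOSTS_CSV);
    for ip in ["10.10.5.1", "10.10.5.42", "8.8.8.8"] {
        println!("{ip}: {:?}", inv.classify(ip));
    }
}
```

Only the `UnknownOnSegment` verdict warrants an alert of the LOW severity shown in the ticker: a device talking from inside a trusted OT range that nobody inventoried is exactly what the trust system exists to surface, whereas an address outside every known segment is usually handled by the signature and enrichment stages instead.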

Debian Live ISO

Plug in, boot, done. First-boot wizard configures interface, IPs, and passwords. Automatic system updates with ids-update. No OS admin skills needed.

ARCHITECTURE

Event-driven pipeline.

Apache Kafka at the core — every component is independently scalable and replaceable.

Mirror Port → sniffer (Rust) → Apache Kafka (KRaft · 6 topics) → flow-aggregator → signature-engine → ml-engine (IsoForest) → alert-manager → enrichment-service → TimescaleDB → FastAPI + WS → React Dashboard

Suricata Bridge — EVE JSON → Kafka → unified alert stream
IRMA Bridge — external IDS REST poll → Kafka → same pipeline
Training Loop — feedback → labelled samples → model retrain

Stack: Rust + pcap · Apache Kafka 3.7 · TimescaleDB · Redis 7 · MinIO · Scikit-learn · FastAPI · React + Vite + TS · Suricata · Docker Compose
QUICK START

Up in minutes.

Two paths to production — choose yours.

A · Debian Live ISO (recommended for production)
# Flash to USB
dd if=cyjan-ids-v1.x.x.iso \
  of=/dev/sdX bs=4M status=progress

Boot from USB → First-Boot-Wizard guides you through interface, IP, and password setup. Fully automated thereafter.

Download latest release →
B · Docker Compose (dev / test mode)
# Clone and start in test mode
git clone https://github.com/JxxKal/ids
cd ids
cp .env.example .env
docker compose \
  --profile test up -d

Synthetic traffic via built-in generator. No physical mirror port needed for testing.

SERVICE ENDPOINTS (test mode)

Dashboard: :3000
API + Swagger: :8001/api/docs
Kafka UI: :8080
MinIO Console: :9001
Default login: admin / changeme

100% Open Source.

CYJAN IDS is released under the MIT License — inspect every line, contribute freely, and deploy without restrictions. Security through transparency.

🔍 Auditable

Every component, every rule, every ML model — fully transparent. No black boxes in your security stack.

🔧 Extensible

Add custom Suricata rules, integrate your own alert sources via the IRMA bridge pattern, tune the ML threshold.

🤝 Community

Issues, pull requests, and feature discussions happen in the open on GitHub. Your OT environment knowledge is welcome.

github.com/JxxKal/ids
Product Brochure (PDF)

Everything about CYJAN IDS in one document — architecture overview, feature list, deployment options, and OT/ICS protocol coverage. Share with your team or management.

Download Brochure (PDF)