v1.0.29 · OT-Sentrymode

Passive IDS.
For OT/ICS.

Header-only packet analysis at the mirror port. Signature detection + ML anomaly engine + self-learning feedback loop.
Zero payload access. Zero blind spots.

Download Brochure Download Latest ISO Access Demosystem → View on GitHub →
✓ Rust sniffer ✓ Isolation Forest ✓ Debian Live ISO ✓ MIT-licensed
PROTECT · DETECT · RESPOND
14
Microservices
128B
Header-only snaplen
~40k
Suricata ET rules
0
Payload access
CAPABILITIES

Built for the real world.

Designed specifically for operational technology networks where availability beats everything else.

Passive Mirror-Port Analysis

Zero network impact. Rust-based sniffer with AF_PACKET/TPACKET_V3 captures traffic at line rate — headers only, no payload, no decryption.

ML Anomaly Detection & Suppression

Isolation Forest with a self-learning feedback loop. Mark alerts as true/false positives and the model retrains automatically. Adaptive suppression downgrades repeat hits on the same rule and bidirectional connection — operators only see real attack patterns, not noise.

OT/ICS Protocol Coverage

Pre-configured rule sets for Modbus TCP, DNP3, EtherNet/IP, BACnet, and S7. OT tags get orange highlighting and auto-escalated severity.

Real-time WebSocket Dashboard

Live alert feed with threat-level gauge, connection graph, PCAP download per alert, enrichment (GeoIP, ASN, DNS), and CSV export.

Suricata Integration

Optional parallel detection engine. ~40,000 Emerging Threats rules plus OT/ICS rule sets from Digital Bond and Positive Technologies — live reloadable.

IRMA Bridge

Integrates external IRMA IDS alerts into the unified feed. REST polling with automatic token renewal — external alarms appear as first-class citizens.

PCAP Evidence Store

Every alert stores a Wireshark-compatible PCAP (headers only) in MinIO — download directly from the alert detail view for forensic investigation.

Host Trust System

Known network and host inventory with CSV bulk import, GeoIP/ASN enrichment, and automatic unknown host alerts — with Redis caching for speed.

Debian Live ISO

Plug in, boot, done. First-boot wizard configures interface, IPs, and passwords. Automatic system updates with ids-update. No OS admin skills needed.

Automatic CMDB Sync

Bidirectional iTop / TeemIP integration — imports subnets, hosts, and CI records into the trust system, and pushes newly-discovered unknown hosts back to the CMDB. Manual entries and DNS overrides are preserved by priority; CMDB assets get the ✓ iTop badge.

Full-Blown Enrichment Service

Every alert is post-processed with reverse DNS, ICMP reachability, MaxMind GeoIP/ASN, known-network containment, and host-trust lookup. Redis-cached for sub-second response and streamed live over WebSocket as alert_enriched updates.

Rich FastAPI · OpenAPI

Complete REST surface with interactive Swagger at /api/docs, ReDoc, and an OpenAPI JSON spec. JWT plus SAML 2.0 auth, long-lived API tokens, CSV bulk endpoints, and live WebSocket events — built for SIEM, automation, and third-party integration.

LIVE DEPLOYMENT

The App at a Glance.

Real alerts, real networks — screenshots captured from a live CYJAN IDS deployment.

https://demo.cyjan.dev
CYJAN IDS dashboard with a live alert feed
Live Alert Feed

Real-time WebSocket stream of every alert — severity, source, destination, tags, and one-click PCAP download.

Threat Level Gauge

Live aggregated threat index — critical / high / medium / low breakdown for an instant read on network health.

Host Trust System

Every host auto-enriched via DNS and GeoIP — unknown devices trigger an alert the moment they appear.

ARCHITECTURE

Event-driven pipeline.

Apache Kafka at the core — every component is independently scalable and replaceable.

Mirror Port
sniffer (Rust)
Apache Kafka
KRaft · 6 topics
flow-aggregator
signature-engine
ml-engine (IsoForest)
alert-manager
enrichment-service
TimescaleDB
FastAPI + WS
React Dashboard
Suricata Bridge — EVE JSON → Kafka → unified alert stream
IRMA Bridge — external IDS REST poll → Kafka → same pipeline
Training Loop — feedback → labelled samples → model retrain
Rust + pcap Apache Kafka 3.7 TimescaleDB Redis 7 MinIO Scikit-learn FastAPI React + Vite + TS Suricata Docker Compose
QUICK START

Up in minutes.

Two paths to production — choose yours.

A
Debian Live ISO
Recommended for production
# Flash to USB
dd if=cyjan-ids-v1.x.x.iso \
  of=/dev/sdX bs=4M status=progress

Boot from USB → First-Boot-Wizard guides you through interface, IP, and password setup. Fully automated thereafter.

Download latest release →
B
Docker Compose
Dev / test mode
# Clone and start in test mode
git clone https://github.com/JxxKal/ids
cd ids
cp .env.example .env
docker compose \
  --profile test up -d

Synthetic traffic via built-in generator. No physical mirror port needed for testing.

100% Open Source.

CYJAN IDS is released under the MIT License — inspect every line, contribute freely, and deploy without restrictions. Security through transparency.

🔍

Auditable

Every component, every rule, every ML model — fully transparent. No black boxes in your security stack.

🔧

Extensible

Add custom Suricata rules, integrate your own alert sources via the IRMA bridge pattern, tune the ML threshold.

🤝

Community

Issues, pull requests, and feature discussions happen in the open on GitHub. Your OT environment knowledge is welcome.

github.com/JxxKal/ids
Companion · Lab use only

CYJANKALI

The offensive sister project — a Kali-based playground that attacks CYJAN to prove the detection actually works. The name is a wink: Cyan + Jan + KaliCyankali (potassium cyanide), the threat the IDS is built to neutralize.

Open the playground