Skip to content
Capturing, analysing and responding to cyber attacks
C++ C Shell Python Lua M4 Other
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
certs Example certificate creation Jan 1, 2017
config Fixed non-alignment with recent API changes: e.json -> e:json() Sep 19, 2019
debian Fix liblua invocation in control file Jul 3, 2019
docs Finish eventstream-service documentation. Sep 7, 2019
include Make use of pcap_set_timeout conditional on its existence in the PCAP Nov 16, 2019
init Tidied docs, out-dated references Apr 24, 2019
m4 Committed latest output of autoconf May 1, 2019
protos Address details are structured, rather than list of strings Aug 7, 2019
src Fixes after trying a particular PCAP file: Sep 26, 2019
stix Tidied docs, out-dated references Apr 24, 2019
subscribers Fixed non-alignment with recent API changes: e.json -> e:json() Sep 19, 2019
tests Restructure resource files into namesapce subdirs Sep 8, 2019
utils All Python to v3 Apr 23, 2019
.gitignore Fixed non-alignment with recent API changes: e.json -> e:json() Sep 19, 2019
.travis.yml Turn off Travis notification to Slack Oct 2, 2017
AUTHORS Very minor documentation tidy. Oct 1, 2013
COPYING More autoconf hacking, aiming to get it to recognise LUA version. Sep 28, 2013
ChangeLog Updated packaging version to 0.61. Updated documentation. Feb 2, 2015
INSTALL Tidied docs, out-dated references Apr 24, 2019
LICENCE Changed version number to 0.80 Jan 3, 2017
LICENSE Get make distcheck to work Sep 6, 2019
NEWS Automake support added. Sep 28, 2013
README.containers Changed so that config files containing version numbers are derived Aug 27, 2017
README.etsi - Added support for reporting the 'target' IP address on ETSI delivery. Jul 31, 2013
README.linux Prepped for 2.2.0, version number incremented, version referenced in … Jul 22, 2019
README.mac Fix Mac compilation docs. Dec 12, 2017 Add more links to README Aug 16, 2019
README.smtp Added thoughts on compiling this on the mac. Aug 25, 2014
README.version-numbers Changed so that config files containing version numbers are derived Aug 27, 2017
ar-lib Tidied docs, out-dated references Apr 24, 2019
compile Tidied docs, out-dated references Apr 24, 2019
config.json Tidy up config files, cyberprobe man-page references JSON Jul 22, 2019 Version to 2.3.14 Nov 16, 2019 Fix bug caused by unbundling the include files, version is 2.3.9 Sep 7, 2019
depcomp Tidied docs, out-dated references Apr 24, 2019
install-sh Tidied docs, out-dated references Apr 24, 2019 Committed latest output of autoconf May 1, 2019
lua-geoip.patch Added GeoIP information. Oct 24, 2014
missing Tidied docs, out-dated references Apr 24, 2019 Fix makefile problem on Debian [ch1639] Aug 29, 2017
py-compile Tidied docs, out-dated references Apr 24, 2019


The full documentation is at


Cyberprobe is a network packet inspection toolkit (Deep Packet Inspection) for real-time monitoring of networks. This has applications in network monitoring, intrusion detection, forensic analysis, and as a defensive platform. Cyberprobe packet inspection works on physical networks, and also in cloud VPCs. There are features that allow cloud-scale deployments.

This is not a single, monolithic intrusion detection toolkit which does everything you want straight out of the box. If that’s what you need, I would suggest you look elsewhere. Instead, Cyberprobe is a set of flexible components which can combined in many ways to manage a wide variety of packet inspection tasks. If you want to build custom network analytics there are many interfaces that make this straightforward.

The project maintains a number of components, including:

  • cyberprobe, which collects data packets and forwards them a network stream protocol in real time. Packet collection can be target with IP addresses, CIDR ranges or full-take. Collected packets are tagged with a device identifier. cyberprobe can be integrated with Snort to allow dynamic targeting of IP addresses in response to a Snort rule hitting.
  • cybermon, which receives collected packet streams, performs stateful processing and creates a stream of observations describing network events. The events can be consumed in many different ways e.g. the events can be delivered to a pub/sub system, or presented to a gRPC service. The event handling is implemented as a function written in Lua, so you can add your own custom event handling.
  • a set of subscribers which can be used to do things with the captured data e.g. store to ElasticSearch, BigQuery or Gaffer.


The probe, cyberprobe has the following features:

  • Can be tasked to collect packets from an interface and forward any which match a configurable address list. The address list can be individual IP addresses, CIDR ranges, or collect-all tasking (‘’).
  • Can be configured to receive Snort alerts. In this configuration, when an alert is received from Snort, the IP source address associated with the alert is dynamically targeted for a configurable period of time. This is useful for e.g. collecting data from any network actor who triggers a snort rule and is thus identified as a potential attacker.
  • Can optionally offer a management API which allows remote interrogation of the state, and alteration of the configuration. This allows dynamic alteration of the targeting map, and integration with other systems.
  • Can be configured to deliver on one of two standard stream protocols.
  • Can insert a packet collection delay line of configurable duration. This can be useful e.g. with snort alert triggering to make sure all packets which trigger an alert are collected.


The monitor tool, cybermon has the following features:

  • Analyses packets delivered in the ETSI stream protocol from one or more cyberprobe instances.
  • Decodes a number of packet protocols to detect network events, which are delivered to your configuration in near-real-time.
  • Decoded information is made available to user-configurable logic (written in Lua) to define how the decoded data is handled. Sample configuration files are provided to deliver to RabbitMQ in JSON, a gRPC endpoint, and deliver to a redis queue.
  • Packet forgery techniques are included, which allow resetting TCP connections, and forging DNS responses. This can be invoked from your Lua configuration.
  • Supports IP, TCP, UDP, ICMP, HTTP, DNS, SMTP, FTP, TLS and more. The code is targeted at the Linux platform, although it is generic enough to be applicable to other UN*X-like platforms.


The event stream from cybermon can be presented to RabbitMQ in a JSON form, which can then be delivered to further analytics:

  • cybermon-alert reports indicator hits in events to standard output.
  • cybermon-bigquery loads events into GCP BigQuery.
  • cybermon-cassandra loads events into Cassandra.
  • cybermon-detector studies events for the presence of indicators. Events are annotated with indicator hits of any are observed.
  • cybermon-dump dumps raw event JSON to standard output.
  • cybermon-elasticsearch loads events into ElasticSearch.
  • cybermon-gaffer loads network information into Gaffer (a graph database).
  • cybermon-geoip looks up IP addresses in GeoIP and annotates events with location information.
  • cybermon-monitor outputs event information to standard output.


The architecture has support for AWS Traffic Mirroring, and supports cloud-scale deployments:

  • Multiple cyberprobe instances can load-share across multiple cybermon instances behind a load-balancer.

  • The event stream from cybermon can be delivered to a pub/sub system to distribute load and permit scale-up.

More information

The easiest way to learn about the software is to follow our Quick Start tutorial.

You can’t perform that action at this time.