Documentation

Intrufend IDS

v2.04.310

Configuration

Main config file

# /etc/intrufend/config.yaml
capture:
  interface: eth0              # or use: intrufend -i eth0

detection:
  signature:
    rule_dirs:
      - /etc/intrufend/rules   # auto-loads .rules + .yml + .yaml
    vars:
      HOME_NET: "[10.0.0.0/8, 192.168.0.0/16]"

threading:
  workers: 0                   # 0 = auto-detect optimal worker count

output:
  eve_log:
    enabled: true
    log_file: /var/log/intrufend/eve.json

CLI Usage

# Live capture
sudo intrufend -i eth0 -c /etc/intrufend/config.yaml

# PCAP replay
intrufend --replay capture.pcap -c /etc/intrufend/config.yaml

# Self-test
intrufend --self-test

# Version
intrufend -v

Operations

sudo systemctl start intrufend        # Start
sudo systemctl stop intrufend         # Stop
sudo kill -HUP $(pidof intrufend)     # Reload rules (no restart)
sudo intrufend-update-rules           # Download community rules

# View alerts
tail -f /var/log/intrufend/eve.json | jq '.msg'

DPDK — High-speed capture

When to use DPDK

DPDK (Data Plane Development Kit) lets Intrufend read packets zero-copy from the NIC's receive queues in user space, bypassing the kernel network stack entirely. Use DPDK when monitoring 1G+ links where the standard pcap capture path may drop packets under sustained load.

DPDK is optional. Intrufend works with standard pcap capture out of the box. Only install DPDK if you need high-speed capture on 1G/10G/25G/40G/100G interfaces.

Install DPDK

# Ubuntu/Debian
sudo apt-get install dpdk dpdk-dev libdpdk-dev

# Verify installation
dpdk-devbind.py --status

Bind NIC to DPDK

# List available NICs and the driver each one currently uses
dpdk-devbind.py --status

# Enable the IOMMU (required by vfio-pci). Add to GRUB_CMDLINE_LINUX in
# /etc/default/grub, run update-grub and reboot. On AMD use amd_iommu=on instead.
# GRUB_CMDLINE_LINUX="intel_iommu=on iommu=pt"

# Load the VFIO kernel driver that DPDK uses to take over the NIC
sudo modprobe vfio-pci

# Bring the interface down and bind it to vfio-pci. Once bound, the interface
# disappears from the OS, so never bind the NIC that carries your management/SSH session.
sudo ip link set eth1 down
sudo dpdk-devbind.py --bind=vfio-pci 0000:03:00.0    # use your PCI address

# Verify binding (the device should now be listed with drv=vfio-pci)
dpdk-devbind.py --status

Hugepages Setup

# Reserve 2048 hugepages of 2 MB each (4 GB total) for the packet memory pool
echo 2048 | sudo tee /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

# Mount hugepages (if not already mounted)
sudo mkdir -p /dev/hugepages
sudo mount -t hugetlbfs nodev /dev/hugepages

# Make persistent across reboots
echo 'vm.nr_hugepages=2048' | sudo tee -a /etc/sysctl.conf
echo 'nodev /dev/hugepages hugetlbfs defaults 0 0' | sudo tee -a /etc/fstab
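The three steps above (IOMMU check, vfio-pci bind, hugepage reservation) as one script, added here as an example; it is not part of Intrufend or its documentation. It assumes dpdk-devbind.py from the distro dpdk package, 2 MB hugepages, and that the NIC's PCI device is reachable via /sys/class/net/<if>/device. The script name dpdk-prep.sh and the sysctl drop-in path are the example's own choices.

```shell
#!/usr/bin/env bash
# dpdk-prep.sh: prepare a NIC and hugepages for Intrufend's DPDK backend.
# Added example, not part of Intrufend. Assumes dpdk-devbind.py from the
# distro dpdk package and 2 MB hugepages. Usage (as root): ./dpdk-prep.sh eth1 4
set -eu

# Number of hugepages of PAGE_KB kilobytes needed to reserve GIB gibibytes.
# hugepages_needed 4 2048 -> 2048, the value the docs write to nr_hugepages.
hugepages_needed() {
    gib=$1; page_kb=$2
    echo $(( gib * 1024 * 1024 / page_kb ))
}

# Translate a kernel interface name into the PCI address dpdk-devbind.py expects.
pci_of() {
    dev="/sys/class/net/$1/device"
    [ -e "$dev" ] || { echo "$1 has no PCI device behind it" >&2; return 1; }
    basename "$(readlink -f "$dev")"
}

# The interface carrying the default route is almost certainly the management
# NIC; once bound to vfio-pci it vanishes from the OS and so does the SSH session.
is_management_if() {
    ip -o route show default 2>/dev/null | grep -qE "dev $1( |$)"
}

# vfio-pci needs the IOMMU; with it off, sysfs has no iommu groups at all.
iommu_enabled() {
    [ -d /sys/kernel/iommu_groups ] && [ -n "$(ls -A /sys/kernel/iommu_groups)" ]
}

main() {
    ifname=$1; gib=${2:-4}; page_kb=2048

    pci=$(pci_of "$ifname")
    if is_management_if "$ifname"; then
        echo "refusing: $ifname carries the default route" >&2
        exit 1
    fi
    if ! iommu_enabled; then
        echo "IOMMU is off: add intel_iommu=on iommu=pt (amd_iommu=on on AMD) to" \
             "GRUB_CMDLINE_LINUX, run update-grub and reboot" >&2
        exit 1
    fi

    npages=$(hugepages_needed "$gib" "$page_kb")
    modprobe vfio-pci
    echo "$npages" > "/sys/kernel/mm/hugepages/hugepages-${page_kb}kB/nr_hugepages"
    mountpoint -q /dev/hugepages || mount -t hugetlbfs nodev /dev/hugepages
    # Persist the reservation (example path; the docs append to /etc/sysctl.conf)
    printf 'vm.nr_hugepages=%s\n' "$npages" > /etc/sysctl.d/90-intrufend-dpdk.conf

    ip link set "$ifname" down
    dpdk-devbind.py --bind=vfio-pci "$pci"
    # dpdk-devbind.py --status lists a bound device as "<pci> '...' drv=vfio-pci ..."
    dpdk-devbind.py --status | grep -q "^$pci .*drv=vfio-pci" \
        || { echo "bind of $pci failed" >&2; exit 1; }
    echo "bound $pci ($ifname): set capture.interface: $pci and backend: dpdk in config.yaml"
}

# Only act when an interface is given; sourcing the file just defines the functions.
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it once per capture NIC before switching the config to the DPDK backend; the management-interface guard is deliberate, since a bound NIC cannot be reclaimed without unbinding it from vfio-pci first.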

Configure Intrufend for DPDK

# /etc/intrufend/config.yaml
capture:
  interface: 0000:03:00.0       # PCI address of DPDK-bound NIC
  backend: dpdk                 # switch from pcap to dpdk

  # DPDK-specific options
  dpdk:
    mempool_size: 65536         # number of mbufs (default: 65536)
    rx_queues: 4                # receive queues (match worker count)
    mtu: 1514                   # maximum frame size

threading:
  workers: 4                    # one worker per RX queue
  # mode: aggressive            # options: aggressive, balanced, conservative

Run with DPDK

# Start with DPDK capture (requires root: VFIO device access and hugepages)
sudo intrufend -i 0000:03:00.0 -c /etc/intrufend/config.yaml

# Or via systemd (edit config.yaml first, then)
sudo systemctl restart intrufend

# Monitor performance
tail -f /var/log/intrufend/eve.json | jq 'select(.event_type == "stats")'

DPDK vs pcap

                  pcap (default)                 DPDK
Setup             No setup needed                NIC binding + hugepages
Max throughput    ~1 Gbps                        10G+ (tested at 3M PPS)
Packet drops      Possible under burst           Near-zero
NIC availability  Shared with OS                 Dedicated (removed from OS)
NICs supported    Any                            Intel, Mellanox, Broadcom (DPDK-compatible)
Best for          Development, OT networks <1G   Production 1G/10G/25G/40G+

Protocol support

68 Supported Protocols

OT/ICS Core

Modbus TCP, Modbus RTU, DNP3, IEC 104, IEC 101, S7comm, EtherNet/IP+CIP, OPC UA, IEC 61850, FINS, CODESYS, TriStation, C37.118, ROC Plus, UMAS

Industrial Vendor

ABB CNCP, ABB RNRP, DeltaV, Experion, GE SDI, GE SRTP, Metasys, Ovation, SEL, SuiteLink, VNET/IP

Industrial Infra

BACnet, PROFINET, HART-IP, LonTalk, PTP, NMEA 0183, CC-Link/SLMP, COTP, OPC DA, SMIP

IT Protocols

HTTP, DNS, TLS, SSH, SMTP, FTP, MQTT, SNMP, DHCP, NTP, SIP, RDP, SMB, LDAP, Kerberos, AMQP, CoAP, DCE/RPC, IMAP, MS-SQL, POP3, QUIC, SOCKS

Network Infra

CDP, LLDP, NetBIOS, NetFlow/IPFIX, STUN, Syslog, Telnet, TFTP

File Locations

/usr/bin/intrufend                # Engine binary
/usr/lib/intrufend/plugins/       # Protocol parser plugins
/etc/intrufend/config.yaml        # Configuration
/etc/intrufend/rules/             # Rule files (.rules, .yml)
/var/log/intrufend/eve.json       # Alert output
/var/log/intrufend/intrufend.log  # Engine log