altprobe: Events collector for Suricata NIDS, Wazuh HIDS, Modsecurity WAF, Elastic Metricbeat


Altprobe is a component of the Alertflex project, it has functional of a collector according to SIEM/Log Management terminologies. In tandem with Alertflex controller (see AlertflexCtrl repository on this GitHub profile), Altprobe can integrate a Wazuh Host IDS (OSSEC fork) and Suricata Network IDS with Log Management platform Graylog and Threat Intelligence Platform MISP.


Functionalities of Altprobe

  • Reads events in JSON format from Suricata NIDS, Wazuh HIDS, Modsecurity WAF, Elastic Metricbeat through a server Redis
  • Based on filtering policies, Collector retrieves high priority events from data streams created by security sensors, makes aggregation and normalization for these events. This allows to simplify the management of alerts and incidents, reduces noise from minor events.
  • High priority events (alerts) are immediately sent to the central node.
  • All log events, host metrics, statistics are sent to the Controller inside of pre-accumulated and compressed data set, this implements the “Anti-flooding” algorithm to prevent large bursts of events on the controller side.
  • Alerts and log events (NetFlow, DNS and SSH sessions, minor priority events) can be redirected to the Log Management platform via Controller
  • The Collector saves various statistics about IDS and NetFlow events and send it to the Controller.
  • In case of loss of communication between remote and central nodes, the Collector saves all alerts locally in a file
  • Altprobe generates alerts if the network traffic thresholds have been reached the limits (Users can configure the thresholds inside filtering policies of the collector)
  • Generates alerts if the metrics thresholds for hosts (CPU, Memory, HDD, Swap) have been reached the limits
  • Creates reports about network activities of application processes (based on events from Sysmon for Windows and Auditd for Linux). This allows determining the name of the process associated with suspicious network connections.

Type of events, which are generated by Altprobe

  • Alert from Alertflex collector/controller
  • Alert from OSSEC/Wazuh HIDS
  • Alert from OSSEC/Wazuh FIM
  • Alert from Suricata NIDS
  • DNS event from Suricata NIDS
  • SSH event from Suricata NIDS
  • Netflow event from Suricata NIDS
  • Alert from ModSecurity WAF
  • Network activity of linux process from Auditd
  • Network activity of windows process from Sysmon



git clone
cd Altprobe

Graylog statistics about IDS alerts categories, applications protocols and Geo IP netflow map


Copyright (c) 2005 – 2006 Swiss Federal Institute of Technology (ETH Zurich), Department of Computer Science (, Christian Plattner. All rights reserved.