IDS Service - zakharb/labshock GitHub Wiki

Intrusion Detection in Labshock

The IDS (Intrusion Detection System) in Labshock is designed to monitor network traffic and detect suspicious activities in industrial control environments. It helps identify unauthorized access, protocol anomalies, and potential cyber threats targeting SCADA, PLCs, and OT networks.

Labshock integrates IDS solutions for real-time monitoring and security analysis, making it easier to detect and respond to threats in ICS/OT environments.

IDS features in Labshock:

  • Network Traffic Analysis – Monitors packets between SCADA, PLCs, and other devices
  • Rule-based Detection – Uses predefined signatures to detect known threats
  • Anomaly Detection – Identifies unusual activity in OT networks
  • Event Logging – Stores alerts for further investigation



🟨 Network Swiftness

Labshock includes Network Swiftness for real-time network monitoring and analysis in OT environments.

Features:

  • Monitor live network traffic
  • Track active connections
  • Detect and classify protocols
  • Generate network topology maps
  • Capture, analyze and save packets
  • Web-based interface, simple to use

Use Cases:

  • Gain visibility into OT network activity
  • Identify unauthorized connections and protocol anomalies
  • Analyze SCADA/ICS traffic patterns
  • Save packet data for forensic analysis

🔶 Login

🔶 Filter traffic

  • Traffic can be inspected and filtered in real time
  • For example, filter for Modbus write-coil requests (function codes 0x05 and 0x0F), which change PLC outputs and should only come from known engineering hosts
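The same check done offline, as an added example that is not part of the Labshock page or project: a small Modbus/TCP parser that validates the MBAP header and reports every request whose function code writes to a PLC (single/multiple coils and registers), skipping malformed frames instead of crashing on them. The frames are constructed for the example, not captured from a lab.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Modbus function codes that change PLC state (Modbus Application Protocol spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU bytes following the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"MBAP protocol id {proto} is not Modbus")
    # The MBAP length field counts everything after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} != {len(frame) - 6} bytes present")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> Optional[str]:
    """Return an alert string for write requests, None for reads and other codes."""
    name = WRITE_FUNCTIONS.get(req.function_code)
    if name is None:
        return None
    d = req.data
    if req.function_code == 0x05:
        addr, value = struct.unpack(">HH", d[:4])
        state = "ON" if value == 0xFF00 else "OFF"  # 0xFF00 = on, 0x0000 = off
        return f"{name}: coil {addr} -> {state} (unit {req.unit_id})"
    if req.function_code == 0x06:
        addr, value = struct.unpack(">HH", d[:4])
        return f"{name}: register {addr} = {value} (unit {req.unit_id})"
    # 0x0F / 0x10: start address, quantity, byte count, then the values
    start, qty, _nbytes = struct.unpack(">HHB", d[:5])
    kind = "coils" if req.function_code == 0x0F else "registers"
    return f"{name}: {kind} {start}..{start + qty - 1} (unit {req.unit_id})"


# Constructed sample frames (not a real capture): one read, three writes, one malformed.
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006010100000008"),        # Read Coils 0..7
    bytes.fromhex("00020000000601050010FF00"),        # Write Single Coil 16 -> ON
    bytes.fromhex("000300000009010F0000000A02CD01"),  # Write Multiple Coils 0..9
    bytes.fromhex("000400000006010600010003"),        # Write Single Register 1 = 3
    bytes.fromhex("000500000006010500"),              # truncated: MBAP says 6 bytes follow, only 3 do
]


def find_writes(frames: List[bytes] = SAMPLE_FRAMES) -> List[str]:
    """Filter a stream of frames down to writes; malformed frames are reported, not fatal."""
    alerts = []
    for frame in frames:
        try:
            req = parse_modbus_tcp(frame)
            text = describe_write(req)
        except (ValueError, struct.error) as exc:
            alerts.append(f"malformed frame skipped: {exc}")
            continue
        if text:
            alerts.append(f"tid={req.transaction_id} {text}")
    return alerts


if __name__ == "__main__":
    for line in find_writes():
        print(line)
```

In a real deployment the frames come from the TCP payload of port-502 connections; the read request produces no alert, each write is named with its target, and the truncated frame is surfaced separately since a length mismatch is itself worth a look.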

🔶 Check Sources

  • Go to the Sources tab to see the full list of traffic sources



🟨 Zeek IDS

Zeek is a network security monitoring tool that analyzes and logs network traffic in depth. Unlike signature-based intrusion detection systems, Zeek provides a scripting engine for detecting anomalies, tracking protocol behaviour, and generating detailed per-protocol logs for later analysis. This makes it especially useful in OT/ICS environments, where custom detections are often needed. With Zeek you can monitor industrial protocols such as Modbus, identify suspicious activity, and gain visibility into the ICS network.

Setup

  • Change the `ids` service in docker-compose.yml to use the official Zeek image. `network_mode: host` lets Zeek see the lab interface directly; `tail -f /dev/null` keeps the container running until you deploy:

```yaml
  ids:
    image: zeek/zeek:latest
    network_mode: host
    command: tail -f /dev/null
```

  • Open a shell in the Zeek container (Compose v2 names it `labshock-ids-1`, with hyphens; check `docker ps` if in doubt):

```shell
docker exec -it labshock_ids_1 bash
```

  • Install nano and open the node configuration:

```shell
apt update
apt install nano
nano /usr/local/zeek/etc/node.cfg
```

  • In the `[zeek]` section, set `interface=` to the name of the host interface that sits on the 192.168.3.0/24 network (as shown by `ip addr` on the host).
  • Start zeekctl and deploy the configuration (`zeekctl deploy` does both in one command):

```shell
zeekctl
deploy
```

  • Check the Zeek logs, for example conn.log:

```shell
cat /usr/local/zeek/logs/current/conn.log
```
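Once conn.log is being written, the interesting part is turning it into findings. Below is an added example (not from the Labshock page or project) that reads Zeek's default TSV log format using its own `#separator`, `#fields` and `#unset_field` headers and applies two simple OT policy rules: a Modbus connection (port 502) from a host that is not an allowed client, and Modbus identified on a non-standard port. The allowlist and the log excerpt are constructed for the example; the excerpt is trimmed to the columns used here, but the parser follows whatever `#fields` line a real conn.log carries.

```python
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed lab policy (not from the page): only this host may act as a Modbus client.
ALLOWED_MODBUS_CLIENTS = {"192.168.3.10"}
MODBUS_PORT = 502

# Constructed conn.log excerpt in Zeek's default TSV format, trimmed to the
# columns this example uses. A real conn.log has more #fields; the parser copes.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1700000000.100000\tCa1\t192.168.3.10\t50123\t192.168.3.50\t502\ttcp\tmodbus\tS1\n"
    "1700000001.200000\tCa2\t192.168.3.99\t40001\t192.168.3.50\t502\ttcp\tmodbus\tS1\n"
    "1700000002.300000\tCa3\t192.168.3.10\t50124\t192.168.3.50\t502\ttcp\t-\tS0\n"
    "1700000003.400000\tCa4\t192.168.3.99\t40002\t192.168.3.50\t22\ttcp\tssh\tSF\n"
    "1700000004.500000\tCa5\t192.168.3.10\t50125\t192.168.3.51\t5020\ttcp\tmodbus\tS1\n"
    "#close\t2023-11-14-22-13-24\n"
)


def parse_zeek_tsv(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record, driven by the log's own header lines."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The separator is written as an escape sequence, e.g. \x09 for tab.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # other headers (#types, #path, #close) and blank lines
        else:
            if fields is None:
                raise ValueError("record encountered before #fields header")
            values = line.split(sep)
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def analyze_conn_log(text: str = SAMPLE_CONN_LOG) -> List[Tuple[str, str]]:
    """Return (uid, reason) for connections that violate the Modbus policy."""
    findings = []
    for rec in parse_zeek_tsv(text):
        orig, resp_h = rec["id.orig_h"], rec["id.resp_h"]
        resp_p, service = int(rec["id.resp_p"]), rec["service"]
        if resp_p == MODBUS_PORT and orig not in ALLOWED_MODBUS_CLIENTS:
            findings.append((rec["uid"], f"{orig} -> {resp_h}:{resp_p} not an allowed Modbus client"))
        elif service == "modbus" and resp_p != MODBUS_PORT:
            findings.append((rec["uid"], f"Modbus identified on non-standard port {resp_p}"))
    return findings


if __name__ == "__main__":
    for uid, reason in analyze_conn_log():
        print(uid, reason)
```

Note that Zeek fills the `service` column only when its protocol analyzer has confirmed the protocol (Ca3 above has `-` because the connection never completed), so the port-based rule is the backstop and the service-based rule catches Modbus that has moved off 502. For ad-hoc checks inside the container, `zeek-cut id.orig_h id.resp_h id.resp_p service < conn.log` does the same column selection from the shell.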