IDS Monitor

IDS Monitor puts a passive Suricata sensor on your network so known attack signatures — exploits, scanners, malware traffic — raise an alert the moment they appear on the wire.

Category: Defense & Hardening
Powered by: suricata
Edition: Pro
Where: Desktop → IDS Monitor tab

What it does

Suricata inspects traffic against a signature ruleset and flags matches. IDS Monitor wraps it in the Nexus UI so you can start a passive sensor, watch alerts stream in, and triage them without touching the command line.

How to use it

1. Pick an interface: choose the network interface to watch. Passive monitoring only reads the traffic and does not interrupt it.
2. Start the sensor: IDS Monitor runs Suricata against the live feed and surfaces each signature match as an alert.
3. Triage the alerts: review matches by severity (in Suricata, severity 1 is the highest); pivot to the source IP and, if it is hostile, block it via the Firewall Advisor. When the alert fired on outbound traffic the source IP is your own host, so block the remote address instead of the source.
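To make the triage step concrete, here is an added example (it is not IDS Monitor's or Suricata's own code) that reads Suricata's EVE JSON output, keeps only alert records, aggregates them by the remote end of each flow, ranks by severity and count, and marks which addresses are worth a Firewall Advisor block. It assumes Suricata was started passively with `suricata -i eth0 -l /var/log/suricata` and writes `eve.json` in its default format; the address plan in INTERNAL_NETS, the sample records, the signature IDs and the signature names are all constructed for the example.

```python
"""Triage Suricata EVE JSON alerts from a passive sensor.

Illustrative example added to this page; not IDS Monitor's or Suricata's code.
Assumes Suricata was started read-only on an interface, e.g.
    suricata -i eth0 -l /var/log/suricata
and is writing alerts to eve.json (its default EVE JSON output).
"""
import ipaddress
import json
from collections import defaultdict

# Ranges treated as "ours" (assumed address plan; adjust to yours). The other
# end of a flow is the only thing worth handing to a firewall block rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def _alert(src, sport, dst, dport, sid, sig, cat, sev):
    """Build one constructed EVE alert record in Suricata's field layout."""
    return {"timestamp": "2024-05-01T10:00:00.000000+0000", "event_type": "alert",
            "src_ip": src, "src_port": sport, "dest_ip": dst, "dest_port": dport,
            "proto": "TCP", "alert": {"signature_id": sid, "signature": sig,
                                      "category": cat, "severity": sev}}


# Constructed sample eve.json content (not captured from a real sensor): five
# alerts, two non-alert records that share the file, and one truncated line.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    _alert("203.0.113.5", 51234, "10.0.0.2", 80, 9000001,
           "CONSTRUCTED EXPLOIT webshell upload attempt", "Web Application Attack", 1),
    {"timestamp": "2024-05-01T10:00:00.100000+0000", "event_type": "flow",
     "src_ip": "10.0.0.2", "dest_ip": "10.0.0.53", "proto": "UDP"},
    _alert("203.0.113.5", 51240, "10.0.0.2", 8080, 9000002,
           "CONSTRUCTED SCAN web scanner user-agent", "Attempted Information Leak", 2),
    _alert("10.0.0.7", 40001, "10.0.0.9", 22, 9000003,
           "CONSTRUCTED SCAN SSH login attempts", "Attempted Administrator Privilege Gain", 2),
    {"timestamp": "2024-05-01T10:00:00.300000+0000", "event_type": "dns",
     "src_ip": "10.0.0.9", "dest_ip": "10.0.0.53", "proto": "UDP"},
    _alert("198.51.100.23", 44321, "10.0.0.2", 443, 9000004,
           "CONSTRUCTED POLICY outdated TLS version offered", "Not Suspicious Traffic", 3),
    _alert("10.0.0.9", 50100, "203.0.113.77", 443, 9000005,
           "CONSTRUCTED MALWARE check-in to known C2 host", "Malware Command and Control", 1),
]) + '\n{"timestamp": "2024-05-01T10:00:00.900000+0000", "event_type": "al'  # cut mid-write


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)


def parse_alerts(eve_text):
    """Keep only well-formed alert records: eve.json mixes event types, and the
    last line may be incomplete while Suricata is still writing it."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def remote_end(alert):
    """The end of the flow that is not ours. Blocking src_ip blindly would
    firewall your own host when an internal machine trips an outbound rule."""
    src, dst = alert["src_ip"], alert["dest_ip"]
    if not is_internal(src):
        return src, "inbound"
    if not is_internal(dst):
        return dst, "outbound"
    return src, "internal"


def triage(alerts):
    """Aggregate per remote IP, rank by severity (1 = highest in Suricata) and
    then by volume, and mark which IPs deserve a block review."""
    agg = defaultdict(lambda: {"count": 0, "min_severity": 4, "signatures": set(), "dirs": set()})
    for a in alerts:
        ip, direction = remote_end(a)
        e = agg[ip]
        e["count"] += 1
        e["min_severity"] = min(e["min_severity"], a["alert"].get("severity", 3))
        e["signatures"].add(a["alert"].get("signature", "?"))
        e["dirs"].add(direction)
    rows = []
    for ip, e in agg.items():
        internal = "internal" in e["dirs"]
        rows.append({"ip": ip, "count": e["count"], "min_severity": e["min_severity"],
                     "direction": "/".join(sorted(e["dirs"])), "internal": internal,
                     "signatures": sorted(e["signatures"]),
                     # Only a remote IP with a high-severity hit is a block candidate;
                     # an internal source gets an investigation, not a firewall rule.
                     "candidate_block": (not internal) and e["min_severity"] == 1})
    rows.sort(key=lambda r: (r["min_severity"], -r["count"], r["ip"]))
    return rows


if __name__ == "__main__":
    for r in triage(parse_alerts(SAMPLE_EVE)):
        flag = "BLOCK?" if r["candidate_block"] else "      "
        print(f"{flag} sev={r['min_severity']} n={r['count']:<2} {r['ip']:<15} {r['direction']:<8} {r['signatures']}")
```

Against a live sensor, feed the real file instead of the sample: `triage(parse_alerts(open("/var/log/suricata/eve.json").read()))`. The two choices worth keeping when you adapt it are aggregating on the remote end rather than `src_ip`, so an outbound detection never points the firewall at your own host, and treating severity 1 from a remote address as a candidate for review rather than an automatic block, which matches the passive role of the sensor.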

What you get

Signature-based alerts for traffic crossing your sensor. This is the signature half of network defense; the SecOps NDR pillar adds the behavioral half — detecting C2 beaconing, port scans and connections to known-bad IOCs that have no signature — see /docs/secops/ndr.

Tips

  • Place the sensor where it can see the traffic you care about (a span/mirror port is ideal).
  • Combine signature IDS here with behavioral NDR in the Fleet for full coverage.
Passive by design. IDS Monitor watches traffic; it does not block it inline. Use it for visibility, and pair it with active response when you want to act on a detection.