🚀 A cutting-edge, real-time security monitoring system designed to revolutionize your network's defense.
- 📚 Table of Contents
- 🎯 Introduction
- 🖼️ Architecture Overview
- 🎯 Motivation & Problem Statement
- ⭐ Key Features (Expanded)
- 🛠️ How It Works
- 🚀 Demo Scenarios
- 🧩 How to Extend
- 🔒 Security & Privacy
- 🚧 Known Limitations & Future Work
- 🛠️ Technologies Used
- 🛡️ INTRUDEX Server
- 📜 Code of Conduct
- ⚖️ License
## 🎯 Introduction

Intrudex is a state-of-the-art, Sigma-based Intrusion Detection and Prevention System (IPS/IDS), specifically designed for Windows environments. It features a hybrid architecture, combining the efficiency of a C++ Windows client for real-time log monitoring with a Python Flask-based server for centralized management and a web dashboard.

Intrudex leverages Sigma rules to detect threats in Windows Event Logs, providing real-time security alerts and automatic threat response mechanisms.
## 🖼️ Architecture Overview

```mermaid
flowchart TB
    %% Client Layer
    subgraph "Client Layer"
        direction TB
        EL["Windows Event Logs"]:::infra
        SM["SysmonManager"]:::client
        SC["SysmonCollector"]:::client
        SE["Sigma Rule Engine"]:::client
        AL["Alert"]:::client
        HC["HttpClient"]:::client
        RE["Response Engine"]:::client
        CFG["Client Config & Rules"]:::doc
        EL -->|collects events| SC
        SC -->|apply rules| SE
        SE -->|generate| AL
        AL -->|send alert| HC
        HC -->|secure REST| API
        SM -->|self-healing| WR
        SM -->|self-healing| TS
    end

    %% External infra for client
    WR["Windows Registry"]:::infra
    TS["Task Scheduler"]:::infra

    %% API Layer inside Docker
    subgraph "Docker Container"
        direction TB
        subgraph "REST API Layer"
            direction TB
            API["Flask REST API"]:::api
            API -->|"POST /auth"| AuthAPI
            API -->|"POST /logs"| LogsAPI
            API -->|"GET /main"| MainAPI
            API -->|"error handlers"| ErrorsAPI
        end

        %% Server Layer
        subgraph "Server Layer"
            direction TB
            SI["App Init"]:::server
            DBS["DB Setup & Migrations"]:::server
            subgraph "Models"
                AUTHM["User Model"]:::server
                LOGM["Log Model"]:::server
            end
            subgraph "Routes"
                AuthAPI["/auth endpoints"]:::server
                LogsAPI["/logs endpoints"]:::server
                MainAPI["/main/dashboard"]:::server
                ErrorsAPI["Error Handlers"]:::server
            end
            subgraph "Views & Assets"
                TPL["Jinja2 Templates"]:::view
                STA["Static Assets (TailwindCSS)"]:::view
            end
            CLI["Admin CLI"]:::server
            SI -->|loads config| DBS
            DBS -->|uses models| AUTHM
            DBS -->|uses models| LOGM
            AuthAPI -->|CRUD| AUTHM
            LogsAPI -->|CRUD| LOGM
            MainAPI -->|render| TPL
            TPL -->|styles| STA
            CLI -->|migrations| DBS
        end

        %% Database
        DB["SQLAlchemy DB"]:::db
        DBS -->|connect| DB
        API -->|DB ops| DB
    end

    %% Styles
    classDef client fill:#AEDFF7,stroke:#0366D6,color:#000
    classDef server fill:#FFDDAA,stroke:#D2691E,color:#000
    classDef infra fill:#E2E2E2,stroke:#999,color:#000
    classDef api fill:#C8E6C9,stroke:#388E3C,color:#000
    classDef db fill:#F3E5F5,stroke:#7B1FA2,color:#000
    classDef view fill:#FFF9C4,stroke:#FBC02D,color:#000
    classDef doc fill:#D7CCC8,stroke:#5D4037,color:#000
```
## 🎯 Motivation & Problem Statement

Modern Windows environments are under constant threat from malware, insider attacks, and misconfigurations. Traditional antivirus solutions often miss advanced threats. Intrudex provides a real-time, Sigma rule-based detection and response system, empowering defenders with instant visibility and automated response.
## ⭐ Key Features (Expanded)

- Real-Time Log Collection: Collects Windows Event Logs and Sysmon logs with minimal performance impact.
- Sigma Rule Engine: Converts human-readable Sigma rules into actionable detections. Add your own rules in YAML format, no code required!
- LOLBins & Suspicious Tool Detection: Instantly detects use of common living-off-the-land binaries (LOLBins) and admin tools, even if attackers try to blend in.
- Native Windows Notifications: Alerts appear instantly on the desktop, showing event details, rule names, and more.
- Centralized Web Dashboard: View all alerts, logs, and rule matches in a modern Flask-based dashboard.
- Self-Healing & Tamper Protection: Uses registry and scheduled tasks to ensure the agent cannot be easily disabled.
- Easy Integration: REST API for log shipping, remote commands, and integration with SIEM/SOAR platforms.
## 🛠️ How It Works

- Log Collection: The C++ client subscribes to Windows Event Logs and Sysmon.
- Rule Matching: Each event is checked against all loaded Sigma rules and a list of suspicious tools (LOLBins).
- Alerting: On a match, the client:
  - Shows a Windows notification
  - Sends the event to the Flask server
  - Optionally takes automated response actions
- Dashboard: The Flask server displays all alerts, allows rule management, and provides analytics.
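The rule-matching step above (every event checked against every loaded Sigma rule, with LOLBin detection expressed as an ordinary rule) is illustrated here by an added Python example written for this page; it is not Intrudex's C++ rule engine or any file from the repository. The three rule dicts, the field names, the sample events and the `WS01$` machine-account filter are all constructed to mirror the Demo Scenarios below (shell, LOLBin and failed-logon detections); a real deployment would obtain the same dicts by `yaml.safe_load()`-ing the YAML rule files described under How to Extend.

```python
import re
# Constructed rules (not from the Intrudex repository). Each dict is what a Sigma YAML
# file parses to; LOLBIN_RULE corresponds to:
#   title: Suspicious Tool Detected
#   detection:
#     selection: {Image|endswith: ['\certutil.exe', '\wmic.exe']}
#     condition: selection
# A real engine would yaml.safe_load() the rule files; dicts keep this runnable offline.
SHELL_RULE = {"title": "Shell Command Detected", "detection": {
    "selection": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe"]},
    "condition": "selection"}}
LOLBIN_RULE = {"title": "Suspicious Tool Detected", "detection": {
    "selection": {"Image|endswith": ["\\certutil.exe", "\\wmic.exe"]},
    "condition": "selection"}}
FAILED_LOGON_RULE = {"title": "Failed Logon", "detection": {   # Security log EventID 4625
    "selection": {"EventID": 4625},
    "filter": {"TargetUserName|endswith": "$"},          # machine accounts end in '$'
    "condition": "selection and not filter"}}
RULES = [SHELL_RULE, LOLBIN_RULE, FAILED_LOGON_RULE]

# Sigma value modifiers; Sigma string comparison is case-insensitive by default.
MODIFIERS = {
    "": lambda v, p: v.lower() == p.lower(),
    "contains": lambda v, p: p.lower() in v.lower(),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
}

def field_matches(event, key, patterns):
    """'Field|modifier': [p1, p2] matches when ANY pattern matches the event field.
    An unsupported modifier raises KeyError from the MODIFIERS lookup."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(MODIFIERS[modifier](str(event[field]), str(p)) for p in patterns)

def selection_matches(event, selection):
    """A mapping ANDs its fields; a list ORs its entries."""
    if isinstance(selection, dict):
        return all(field_matches(event, k, v) for k, v in selection.items())
    return any(selection_matches(event, s) for s in selection)

def evaluate_condition(condition, results):
    """Recursive-descent evaluator for 'a and not b', 'a or (b and c)'; no eval()."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None
    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            value = value or rhs
        return value
    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value
    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok not in results:
            raise ValueError(f"unknown search identifier: {tok!r}")
        return results[tok]
    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return value

def match_rule(rule, event):
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)

def scan_events(rules, events):
    """Check every event against every loaded rule; return (rule title, event) alerts."""
    return [(r["title"], ev) for ev in events for r in rules if match_rule(r, ev)]

# Constructed sample events shaped like Sysmon EventID 1 and Security 4625 records.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe"},
    {"EventID": 4625, "TargetUserName": "alice"},
    {"EventID": 4625, "TargetUserName": "WS01$"},                 # suppressed by filter
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},  # benign, no alert
]
```

Running `scan_events(RULES, SAMPLE_EVENTS)` yields three alerts (shell, suspicious tool, failed logon) and none for the machine-account logon or the benign process. The condition evaluator is a small parser rather than `eval()` on purpose: rule files are operator-editable input, and a detection engine should never hand them to the interpreter.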
## 🚀 Demo Scenarios

- Test 1: PowerShell Detection
  - Open PowerShell and run any command. You'll see a Windows notification: "Shell Command Detected: PowerShell or CMD process detected by Sigma rules."
- Test 2: LOLBin Detection
  - Run `certutil.exe` or `wmic.exe` from CMD. Notification: "Suspicious Tool Detected: certutil.exe"
- Test 3: Sigma Rule Match
  - Trigger an event that matches a Sigma rule (e.g., a failed logon). The notification shows the EventID and RuleName.
- Test 4: Dashboard
  - Open the web dashboard to view all alerts and logs in real time.
## 🧩 How to Extend

- Add New Sigma Rules: Place new YAML files in the rules directory and restart the client.
- Add New Collectors: Implement a new collector class and register it in `main.cpp`.
- Integrate with SIEM: Use the REST API to forward alerts to your SIEM or SOAR platform.
## 🔒 Security & Privacy

- All communication between client and server is authenticated and encrypted.
- No sensitive data is stored unencrypted.
- Only authorized users can access the dashboard and API.
## 🚧 Known Limitations & Future Work

- Currently supports only Windows Event Logs and Sysmon.
- Linux/Mac support planned for future versions.
- More advanced response actions (e.g., network isolation) are in development.
## 🛠️ Technologies Used

| Component | Technology Used |
|---|---|
| Windows Client | C++ (WinAPI, Sigma) |
| Threat Detection | Sigma Rules (YAML) |
| Web Dashboard | Python (Flask, TailwindCSS) |
| Database | SQLite |
| Remote Communication | REST API (Flask) |
| Self-Healing | Windows Registry, Task Scheduler |
| Installer | NSIS / INNO |
## 🛡️ INTRUDEX Server

The INTRUDEX Server is the server-side component of the Intrusion Detection and Prevention System. It provides a Flask-based REST API and centralized dashboard for monitoring threats, managing Sigma rules, and logging events from Windows clients.

Prerequisites:

- Python 3.8+
- Git
- Node.js, npm
- (Optional) PostgreSQL (if not using SQLite)
Clone the repository, create a virtual environment and install the dependencies:

```bash
git clone https://github.com/ToolsHive/Intrudex.git
cd Intrudex/Intrudex-Server
python -m venv .venv
./.venv/Scripts/activate   # On Windows
# or
source .venv/bin/activate  # On Linux/macOS
pip install -r requirements.txt
```
Create a `.env` file in the root of the project:

```env
FLASK_RUN_PORT=80
FLASK_RUN_HOST=127.0.0.1
FLASK_DEBUG=1
SECRET_KEY=your-super-secret-key
DATABASE_URL=sqlite:///intrudex.sqlite3
SQLALCHEMY_TRACK_MODIFICATIONS=False
```

These values are for local development only: `FLASK_DEBUG=1` enables Flask's interactive debugger, and the placeholder `SECRET_KEY` signs every session cookie. Before binding to anything other than `127.0.0.1`, set `FLASK_DEBUG=0` and replace the key with a long random value (for example the output of Python's `secrets.token_hex(32)`).
To switch to PostgreSQL, update `DATABASE_URL`:

```env
DATABASE_URL=postgresql://username:password@localhost/intrudex
```
Build the Tailwind CSS for the project:

```bash
npm run build
```
Use Flask-Migrate to initialize and apply database migrations:

```bash
flask db init                          # Run only once to create the migrations folder
flask db migrate -m "Initial migration"
flask db upgrade                       # Apply the migration to your database
```
Create the first admin account for the dashboard:

```bash
flask create-admin
```

You will be prompted to enter:

- Admin username
- Admin password (hidden input)
- Confirm password
Ensure your `.env` file is ready, then run:

```bash
flask run
```

or

```bash
python run.py
```
- URL: http://localhost (port 80, as set by `FLASK_RUN_PORT`)
- Access: Use the admin credentials created with `flask create-admin`.
## 📜 Code of Conduct

We follow the Contributor Covenant.
## ⚖️ License

Intrudex is released under the MIT LICENSE.
Intrudex – Defend. Detect. Respond.
Empowering your Windows security with real-time intelligence.