Intrusion detection for industrial networks
High-performance IDS purpose-built for OT/ICS and IT networks. Architected for Tbps-scale throughput, 68 protocol parsers, and native YAML rules for industrial security.
- Throughput: Tbps (scale with DPDK)
- Startup: 3.1s (8x faster)
- Protocols: 68 (OT/ICS + IT)
- Community Rules: 49K+ (Suricata-compatible)
The Gbps era is over
Detect threats in Terabits per second of traffic. For free.
Traditional IDS engines were built for Gigabit networks. Intrufend is architected from the ground up for Tbps-scale detection — linear multi-core scaling, zero-contention architecture, and DPDK zero-copy capture. No per-core licensing. No traffic caps. Free Community Edition.
Quick start
Install on Ubuntu/Debian
```
sudo dpkg -i intrufend_2.4.310_amd64.deb
sudo intrufend-update-rules
sudo systemctl start intrufend
```
Capabilities
Built for industrial-grade detection
68 Protocol Parsers
Deep inspection for Modbus, DNP3, IEC 104, S7comm, EtherNet/IP, OPC UA, BACnet, HTTP, DNS, TLS, and 58 more. Purpose-built for OT/ICS visibility.
High-Speed Detection
Advanced multi-pattern matching engine delivering 130K+ packets per second per core. Optimized for large rulesets with minimal latency.
Flexible Rule Format
Native YAML rules with field-level matching for every OT protocol. Also fully compatible with Suricata .rules format and 49K+ community rules.
Unified Pipeline
Single processing path for live capture and replay. Integrated flow tracking, TCP reassembly, protocol parsing, detection, and asset discovery.
Tbps-Scale Capture
Zero-copy DPDK capture with linear multi-core scaling. Architected for Terabit-per-second deployments across clustered nodes. Auto-sized buffers ensure zero packet loss.
File Extraction
Automatic extraction and hashing of files transferred over the network. Forensic-ready filenames with timestamps and source information.
Benchmarks
Performance
Same hardware, same rules, same traffic. Full three-way comparison with Suricata and Snort.
| Metric | Intrufend | Suricata 7.0.3 |
|---|---|---|
| Detection throughput | 130K+ PPS | ~71K PPS |
| Live capture throughput | 1.6 Gbps | ~215 Mbps |
| Startup time | 3.1s | 25.7s |
| Live capture drops | 0% | 52.3% |
| Rule formats | Suricata + YAML | Suricata only |
| Protocol parsers | 68 (Rust plugins) | ~20 built-in |
Editions
Choose your edition
Community
Free
- ✓ 10 protocol parsers (IT + Modbus/DNP3)
- ✓ 49K+ community detection rules
- ✓ Native YAML rule format
- ✓ DPDK + file extraction
- ✓ Internal use license
OEM
Commercial
- ✓ All 68 protocols (S7comm, IEC104, ENIP, OPC UA, ...)
- ✓ 36 OT/ICS + all vendor-specific parsers
- ✓ White-label / appliance / MSSP
- ✓ Redistribution rights + commercial support
- ✓ Custom protocol development
Architecture
Unified packet pipeline
Every packet flows through a single optimized pipeline — the same code path for live capture and forensic replay. No shortcuts, no blind spots.
- Flow Tracking: Bidirectional flow association with stateful session management
- TCP Reassembly: Full stream reconstruction for accurate protocol analysis
- Protocol Parsing: 68 Rust-based parsers with deep field extraction
- Detection Engine: Multi-pattern matching across all protocol fields
- File Extraction: Automatic file carving with cryptographic hashing
- TLS Inspection: Certificate validation, version enforcement, fingerprinting
- Asset Discovery: Passive device identification and inventory tracking
- Alert Output: Real-time JSON, syslog, and PCAP dump of matching traffic