Recent updates introduce ZeroMQ pub/sub support and subscribers for delivery to ElasticSearch, Google BigQuery and Cassandra. See downloads.


The Cyberprobe project is an open-source distributed architecture for real-time monitoring of networks against attack. The software consists of two components:

These components can be used together or separately. For a simple configuration, they can be run on the same host; for more complex environments, a number of probes can feed a single monitor. For more detail, and to see where we are going, read the architecture page.

The probe, cyberprobe, has the following features:

The monitor tool, cybermon, has the following features:

The cybermon software includes some support for STIX (a threat indicator specification) and can raise alerts when indicated threats are observed on the network.

The code is targeted at the Linux platform, although it is generic enough to be applicable to other UN*X-like platforms.

The easiest way to learn about the software is to follow our Quick Start tutorial.


Github download page

Operating System           Architecture                   Download
Fedora 27                  64-bit                         64-bit RPM
                           Source                         Source RPM
RHEL 7 / CentOS 7          64-bit                         64-bit RPM
                           Source                         Source RPM
Debian 8                   64-bit                         Debian package
Ubuntu                     64-bit                         Ubuntu package
Anything else              Source                         Source bundle
Containerised deployment   Docker Compose configuration   Cybermon, ES, Gaffer
                                                          Cyberprobe, snort, ES, Gaffer
                           Kibana configuration           Saved objects JSON