Skip to content

Web UI

Package name: intrudect-web

The Web UI collects alerts from agents and provides search, report, and export capabilities for the gathered data. It supports notification delivery via webhooks and e-mail, mirrors IOC and Tor feed data from the IOC Proxy service, and exports as JSON for Wazuh/Elastic.

Important

IOC and Tor feeds are provided by the separate intrudect-iocfeed service, which the Web UI mirrors via the IOCFEED configuration block below. That service must be installed and running, otherwise there is no IOC or Tor feed for the agents.

Note

Command examples shown on page need to be executed in root shell

Note

If mariadb & rsyslog were installed as dependencies, they need to be enabled and started

systemctl --now enable mariadb
systemctl --now enable rsyslog

MaxMind GeoIP

Install

Setup

  • Create free account in https://www.maxmind.com/
  • Add your AccountID and License key into /etc/GeoIP.conf

    AccountID xxxx
    LicenseKey xxxx
    

  • Add Editions to /etc/GeoIP.conf:

    EditionIDs GeoLite2-Country GeoLite2-City GeoLite2-ASN
    

  • Execute geoipupdate (NB it will take 1-2 minutes for your maxmind AccountID and LicenseKey values to populate inside their infrastructure)
    geoipupdate -v
    
  • Add it to crontab as well
    ( crontab -l ; echo "30 05  *  *  * geoipupdate" ) | crontab -
    

Database setup

  • MariaDB server should be already installed as a depency.

  • Create database and user

    mysql
    
    MariaDB> CREATE DATABASE intrudect CHARACTER SET utf8mb4  COLLATE utf8mb4_unicode_ci;
    MariaDB> GRANT ALL PRIVILEGES ON intrudect.* TO 'intrudect'@'localhost' IDENTIFIED BY 'PASSWORD';
    MariaDB> FLUSH PRIVILEGES;
    

  • Allocate as much memory as possible to database.
    In /etc/mysql/mariadb.conf.d/50-server.cnf or /etc/my.cnf.d/mariadb-server.cnf (RedHat)

    [mysqld]
    max_allowed_packet=200M
    innodb_buffer_pool_size = XXG
    

  • Restart MariaDB server after config change

    systemctl restart mariadb.service
    

  • Ensure start on boot

    systemctl enable mariadb.service
    

  • Load timezone tables into MariaDB

    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql
    
    Verify that output is > 0
    mysql -e 'SELECT COUNT(*) FROM mysql.time_zone;'
    +----------+
    | COUNT(*) |
    +----------+
    |      498 |
    +----------+
    

Configuration

Configuration file is in /opt/intrudect-web/config.json.

  • HOMEURL is used by agents to send alerts and request configuration changes.
  • LISTEN parameter specifies the IP address and port where the web UI listens, and you should forward your reverse proxy traffic to this location. Since the web UI itself does not have support for TLS, you must set up a reverse proxy, like Nginx or Caddy, in front of it in a production environment.

  • DB refers for MariaDB connection URI (refer to setup guide).

  • IOCFEED points the Web UI at the intrudect-iocfeed proxy and mirrors its per-category feeds into the local database so agents always pull from the Web UI. Each field is a full feed URL (leave a URL empty to disable that feed). BEARERTOKEN is optional and, when set, is sent as an Authorization: Bearer header on every fetch. INTERVALMIN is the mirror poll cadence in minutes (default 30). This block is set once in config.json and shown read-only in the UI. See the IOC Proxy component page for the service itself.
  • GEOIP folder of geoip database files (Ubuntu - /var/lib/GeoIP/, RedHat - /usr/share/GeoIP/)
  • HTTPS set to true when the web UI is behind a TLS-terminating reverse proxy. Ensures secure cookie flags and correct protocol handling. Note: with this enabled, session cookies are marked Secure and will only work over HTTPS — accessing the web UI over plain HTTP will prevent login/sessions from working.
  • REALIPHEADER and TRUSTEDPROXIES are two different ways to recover the client's real IP address when the web UI runs behind a reverse proxy (used for the audit log and for recording the source address of agent requests). They are not the same — set the one that matches how your proxy passes the client IP:
    • REALIPHEADER — the name of a single header your proxy sets with the real client IP (e.g. X-Real-IP, or CF-Connecting-IP behind Cloudflare). Its value is trusted verbatim and checked first, so the web UI must be reachable only through that proxy. Leave empty if unused.
    • TRUSTEDPROXIES — the list of proxy addresses/CIDRs whose X-Forwarded-For header may be trusted. Only hops coming from these addresses are believed, so clients cannot spoof their IP. When empty, all proxies are trusted.
  • WEBAUTHN enables passkey/hardware key authentication. RPID is your domain name, RPORIGINS lists the allowed origins, and RPDISPLAYNAME is shown to users during registration.
  • LDAP enables Active Directory / LDAP authentication. When enabled, the login page shows a "Domain Login" tab alongside the local account login. See the AD/LDAP authentication section below for details.
{
  "HOMEURL": "https://example.com",
  "LISTEN": "127.0.0.1:8080",
  "TIMEZONE": "Europe/Tallinn",
  "HTTPS": true,
  "REALIPHEADER": "X-Real-IP",
  "TRUSTEDPROXIES": ["127.0.0.1"],
  "DB": {
    "MYSQL": "mysql://intrudect:PASSWORD@tcp(localhost)/intrudect?charset=utf8mb4&collation=utf8mb4_unicode_ci",
    "TCPLOGMAXDAYS": 90,
    "UDPLOGMAXDAYS": 90,
    "DNSLOGMAXDAYS": 90,
    "DHCPLOGMAXDAYS": 90,
    "HTTPLOGMAXDAYS": 90
  },
  "GEOIP": "/var/lib/GeoIP/",
  "IOCFEED": {
    "IPURL": "http://127.0.0.1:8084/open/ip.txt",
    "DNSURL": "http://127.0.0.1:8084/open/dns.txt",
    "RULESURL": "http://127.0.0.1:8084/open/rules.rules",
    "TORURL": "http://127.0.0.1:8084/open/tor/relays.json",
    "BEARERTOKEN": "",
    "INTERVALMIN": 30
  },
  "WEBAUTHN": {
    "RPID": "yourdomain.com",
    "RPORIGINS": ["https://yourdomain.com"],
    "RPDISPLAYNAME": "Intrudect"
  },
  "LDAP": {
    "Enabled": true,
    "URL": "ldaps://dc.yourdomain.com:636",
    "BindPattern": "%[email protected]",
    "InsecureSkipVerify": false,
    "StartTLS": false,
    "GroupPrefix": "intrudect",
    "AutoProvision": true
  }
}

AD/LDAP authentication

The web UI supports authenticating users against Active Directory or an LDAP server. When enabled, users see a "Domain Login" tab on the login page. Local account login remains available alongside domain login.

LDAP configuration fields

Field Description
Enabled Set to true to enable LDAP authentication.
URL LDAP server URL. Use ldaps:// for TLS (port 636) or ldap:// for plain (port 389).
BindPattern Template for constructing the bind identity. %s is replaced with the username. Use UPN format (%[email protected]) for Active Directory or DN format (uid=%s,ou=people,dc=example,dc=com) for OpenLDAP.
InsecureSkipVerify Skip TLS certificate verification. Set to false (default) to verify certificates, true to skip verification. Only use true for testing with self-signed certificates.
StartTLS Upgrade to TLS after connecting on a plain ldap:// connection. Has no effect when using ldaps://.
GroupPrefix Prefix for AD/LDAP group names that control access. The web UI checks membership in {prefix}-admins and {prefix}-users groups.
AutoProvision Automatically create a user account on first successful LDAP login. If set to false, an administrator must create the user locally before they can log in via LDAP.

Active Directory groups

Create two security groups in Active Directory matching your configured GroupPrefix:

  • {GroupPrefix}-admins — members receive full administrator permissions
  • {GroupPrefix}-users — members receive read-only permissions (except integrations)

For example, with "GroupPrefix": "intrudect", create groups intrudect-admins and intrudect-users. Users not in either group are denied access.

Note

Group membership is checked on every login. If a user's AD group membership changes (e.g. promoted from user to admin), the updated permissions take effect on their next login.

Example: Active Directory with LDAPS

"LDAP": {
    "Enabled": true,
    "URL": "ldaps://dc.corp.local:636",
    "BindPattern": "%[email protected]",
    "InsecureSkipVerify": false,
    "StartTLS": false,
    "GroupPrefix": "intrudect",
    "AutoProvision": true
}

Example: Active Directory with StartTLS

"LDAP": {
    "Enabled": true,
    "URL": "ldap://dc.corp.local:389",
    "BindPattern": "%[email protected]",
    "InsecureSkipVerify": false,
    "StartTLS": true,
    "GroupPrefix": "intrudect",
    "AutoProvision": true
}

Example: OpenLDAP with DN bind

"LDAP": {
    "Enabled": true,
    "URL": "ldaps://ldap.example.com:636",
    "BindPattern": "uid=%s,ou=people,dc=example,dc=com",
    "InsecureSkipVerify": false,
    "StartTLS": false,
    "GroupPrefix": "intrudect",
    "AutoProvision": true
}

Note

LDAP users can also enroll TOTP or WebAuthn as a second factor. When 2FA is configured, the user is prompted for their second factor after a successful domain login.

Start & enable service

systemctl restart intrudect-web
systemctl enable intrudect-web

Logfile

Web server writes additional info to /var/log/intrudect-web.log

Inital user

Before launching the web UI, an initial user and password must be created using the command-line utility.

cd /opt/intrudect-web
./intrudect-cli -cmd add -type admin -username <username> -password <passowrd>

Initial settings

  • Define network names and address ranges in "Site->Networks"
  • Review different module settings underr "Monitoring" menu.
  • Authorized DNS servers "Monitoring->DNS"
  • Authorized DHCP servers "Monitoring->DHCP"
  • Admin workstation addresses/subnets "Monitoring->Admin protocols"

  • Add alerting integrations under "Settings->Integrations"

API keys

Public API keys are created in the web UI under "User->API Keys". API keys act as the current user account and can only use that user's existing permissions. See the API Reference for authentication, permissions, request formats, and endpoint details.

Metadata search and reports

The web UI stores retained metadata in protocol-specific views:

  • TCP log and UDP log provide flow search by time range, agent, source, destination, source port, destination port, destination country, and ASN.
  • TCP and UDP flow views support CSV/XLS export plus reports for top IPs, services, ASN, pairs, map, volume, and interval statistics.
  • UDP metadata appears only when UDP flow collection is enabled in the Network Agent configuration (UDPFlow.Remote for central logging).
  • DNS, DHCP, and HTTP metadata use their own log pages and exports.

Add agents

Point your browser to the web UI hostname and log in. Navigate to "Agents" and select the specific agent configuration from the menu.

After adding an agent, you can use "Download Config" to download its configuration file. This file now includes the agent’s login credentials for the web UI. Save the configuration file on the server where this particular agent is running.

download config

Configuration files are located at /opt/intrudect-<agentname>/etc/config.json

Adding external communication platforms

The web UI supports alert delivery to external channels via webhooks and e-mail. This allows users to receive real-time notifications based on their defined rules.

integrations

Wazuh integration (optional)

  • Install Wazuh agent into the server.
  • Append to /var/ossec/etc/ossec.conf

    <!-- intrudect -->
    <ossec_config>
      <localfile>
        <log_format>json</log_format>
        <location>/var/log/intrudect-wazuh.json</location>
      </localfile>
    </ossec_config>
    

  • Restart Wazuh agent

    systemctl restart wazuh-agent
    

  • On the Wazuh server, create a rule group and rules in the file: /var/ossec/etc/rules/local_rules.xml
    For example, one rule to catch all events:

    <group name="intrudect">
      <rule id="100010" level="12">
        <decoded_as>json</decoded_as>
        <field name="type">useragent</field>
        <description>$(description)</description>
      </rule>
    </group>
    
    Or multiple rules with custom levels:
    Possible TYPE values: honeypot,egress,dhcp,ioc,tor,arp,dns_txt,dns_ptr,dns_a,dns_aaaa,dns_dga,dns,ldap,portscan,smb,useragent,adm_protocol,newdevice,n2n,pwd_brute
    <group name="intrudect">
      <rule id="100010" level="12">
        <decoded_as>json</decoded_as>
        <field name="type">TYPE1</field>
        <description>$(description)</description>
      </rule>
      <rule id="100011" level="12">
        <decoded_as>json</decoded_as>
        <field name="type">TYPE2</field>
        <description>$(description)</description>
      </rule>
      / ... /
    </group>
    

  • Restart Wazuh

    systemctl restart wazuh-manager