Technical Specifications

Under the Hood (details you probably don’t want to know!)

CyberFox currently runs on the Raspberry Pi Model B. We have perfected it and tested it extensively, and we will offer the product initially in a nice custom box enclosure with the Raspberry Pi inside. Our vision is to use the Kickstarter funding to manufacture CyberFox Generation II with our own circuit board, which will allow us to lower the cost significantly (as you know, the Raspberry Pi Model B is quite expensive) and will also allow us to come up with a highly innovative design.

The CyberFox software is based on the open source Suricata Next Generation Intrusion Detection and Prevention Engine from the Open Information Security Foundation (OISF), funded by the Department of Homeland Security and the Department of Defense. It is distributed under the GPLv2 license, which means it is free for everyone to use. The internal architecture enables the unique and automated sharing of cyber threat indicators and malware between the device and cyber sensors with minimal latency.

CyberFox is specifically designed for home and small office network forensics and cyber threat incident response. It supports OpenFPC, a full packet capture capability that gives you a complete transcript of the network traffic, enabling you to see the entire “conversation” surrounding an event.

CyberFox automatically recognizes the most common protocols as soon as the network stream starts. Off-port HTTP command-and-control (CnC) channels, which normally slide right by most cyber protection systems, are fully supported. Furthermore, dedicated keywords enable matching on protocol fields ranging from the HTTP URI to an SSL certificate identifier.

CyberFox can identify thousands of file types as they cross your network. Identified files can also be tagged for extraction, in which case the file is written to disk together with a metadata file describing the capture situation and the flow it was seen in. The file’s MD5 checksum is calculated on the fly, so a custom list of MD5 hashes can be used to decide which files are allowed into or out of the network.
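As an added example (not code from the CyberFox product or from Suricata itself), the following Python reads Suricata’s Eve JSON fileinfo events, the output that carries the on-the-fly MD5, and applies the custom MD5 allow/block list and off-port HTTP check described above. The sample log lines, the two hash lists and the set of expected web ports are constructed assumptions.

```python
import json

# Constructed sample Eve JSON lines (not a real capture); Suricata writes one object per line.
SAMPLE_EVE = """\
{"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":8089,"app_proto":"http","http":{"hostname":"203.0.113.10","url":"/update.exe"},"fileinfo":{"filename":"/update.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","md5":"0123456789abcdef0123456789abcdef","size":51200,"stored":true}}
{"event_type":"fileinfo","src_ip":"10.0.0.7","dest_ip":"198.51.100.2","dest_port":80,"app_proto":"http","http":{"hostname":"cdn.example","url":"/lib.js"},"fileinfo":{"filename":"/lib.js","magic":"ASCII text","md5":"fedcba9876543210fedcba9876543210","size":2048,"stored":false}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature":"constructed test alert"}}
not json at all
"""

BLOCKLIST = {"0123456789abcdef0123456789abcdef"}  # known-bad MD5s (constructed)
ALLOWLIST = {"fedcba9876543210fedcba9876543210"}  # vetted MD5s (constructed)
WEB_PORTS = {80, 443, 8080}  # assumption: ports where HTTP is expected on this LAN

def parse_eve(text):
    """Yield parsed Eve events, skipping blank or malformed lines."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or blank line must not stop the whole run

def classify(event):
    """Return the reasons a fileinfo event deserves attention (empty if none)."""
    if event.get("event_type") != "fileinfo":
        return []
    info = event.get("fileinfo", {})
    reasons = []
    md5 = info.get("md5", "").lower()
    if md5 in BLOCKLIST:
        reasons.append("md5-blocklisted")
    elif md5 not in ALLOWLIST:
        reasons.append("md5-unknown")
    if "executable" in info.get("magic", "").lower():
        reasons.append("executable-magic")
    # Off-port HTTP: the app-layer parser identified HTTP on a non-web port.
    if event.get("app_proto") == "http" and event.get("dest_port") not in WEB_PORTS:
        reasons.append("off-port-http")
    return reasons

def triage(text):
    """Map MD5 -> {reasons, flow} for every flagged file in an Eve log."""
    findings = {}
    for event in parse_eve(text):
        reasons = classify(event)
        if reasons:
            flow = f"{event['src_ip']}->{event['dest_ip']}:{event['dest_port']}"
            findings[event["fileinfo"]["md5"]] = {"reasons": reasons, "flow": flow}
    return findings
```

Point `triage` at a live eve.json and each flagged hash is reported once with the flow that carried it.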

Engine

  • Network Intrusion Detection System (NIDS) engine
  • Network Intrusion Prevention System (NIPS) engine
  • Network Security Monitoring (NSM) engine
  • Off line analysis of PCAP files
  • Traffic recording using pcap logger
  • Unix socket mode for automated PCAP file processing

TCP/IP

  • Scalable flow engine
  • Full IPv6 support
  • Tunnel decoding: Teredo, IP-IP, IP6-IP4, IP4-IP6, GRE
  • TCP stream engine: session tracking, stream reassembly, target based stream reassembly
  • IP Defrag engine – target based reassembly

Protocol Parsers

  • Support for packet decoding of IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, as well as Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ
  • App layer decoding of: HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP, SSH, DNS

HTTP

  • Stateful HTTP parser built on libhtp
  • HTTP request logger
  • File identification, extraction and logging
  • Per server settings — limits, personality, etc
  • Keywords to match on (normalized) buffers: uri and raw uri, headers and raw headers, cookie, user-agent, request body and response body, method, status and status code, host

Detection

  • Protocol keywords
  • PCRE support
  • fast_pattern
  • Rule profiling
  • File matching – file magic, file size, file name and extension, file MD5 checksum (scales up to millions of checksums)
  • Multiple pattern matcher algorithms that can be selected
  • Extensive tuning options
  • Live rule reloads — use new rules w/o restarting Suricata
  • Delayed rules initialization
  • CUDA GPU acceleration for pattern matching
  • Lua scripting

Outputs

  • Eve log, all JSON alert and event output
  • HTTP request logging
  • TLS handshake logging
  • Unified2 output — compatible with Barnyard2
  • Alert fast log
  • Alert debug log — for rule writers
  • Traffic recording using pcap logger
  • Pcap info — for integration into Wireshark via suriwire
  • Prelude support
  • Drop log — netfilter style log of dropped packets in IPS mode
  • Syslog — alert to syslog
  • Stats — engine stats at fixed intervals
  • File logging including MD5 checksum in JSON format
  • Extracted file storing to disk
  • DNS request/reply logger

Alert/Event Filtering

  • Per rule alert filtering and thresholding
  • Global alert filtering and thresholding
  • Per host/subnet thresholding and rate limiting settings

Packet Acquisition

  • High performance capture – AF_PACKET, PF_RING
  • Standard capture – PCAP
  • IPS mode – Netfilter based on Linux
  • Fail open support – ipfw based on FreeBSD and NetBSD, AF_PACKET based on Linux
  • Capture cards and specialized devices – Endace, Napatech, Tilera

IP Reputation

  • Loading of large amounts of host-based reputation data
  • Matching on reputation data in the rule language using the “iprep” keyword
  • Live reload support