Mastodon AEGIS SOC — Universal Threat Intelligence Platform | Centuria Labs

Centuria Labs · Security Operations Center

AEGIS Universal Threat Intelligence Platform

A production-grade SOC that protects any connected device — smartphones, tablets, Android Auto, Apple CarPlay, IoT, servers. One stack. Everything under surveillance.

8 active services · 7 event sources · events / second (live counter) · 0 manual restarts

If it has an IP, AEGIS watches it.

AEGIS is not a mobile-only platform. Mobile is simply where it excels first. The architecture is device-agnostic — anything that routes through the gateway falls under full SOC coverage. That includes the phone in your pocket, the tablet on your desk, and the car in your garage.

Android
Smartphones · Tablets
Full DNS-level ad and tracker blocking. Network traffic inspected by Suricata and Zeek in real time. C2 callbacks sinkholed before they connect.
iOS / iPadOS
iPhone · iPad
iOS traffic is opaque by design — AEGIS works at the network perimeter, not the device. DNS sinkhole and IDS catch what the OS does not expose.
Desktops
Windows · macOS · Linux
Workstations and laptops benefit from the same DNS sinkhole and IDS coverage. Lateral-movement and data-exfiltration attempts surface in the event stream.
IoT
Smart Home · Embedded · Industrial
The devices that can't protect themselves. AEGIS is their only layer of defense — blocking botnet C2, firmware update hijacking, and rogue DNS queries.

Your car is a network endpoint.

Android Auto and Apple CarPlay turn your vehicle into an extension of your phone's network. Every map lookup, music stream, and voice assistant query is a packet on your network — and a potential attack vector.

In-vehicle infotainment systems run Linux, QNX, or Android AOSP variants with minimal patching cycles. OTA update channels are increasingly targeted. AEGIS monitors all of it passively, without touching the vehicle.

Route your car's hotspot or tethered connection through the AEGIS gateway and every byte is subject to the same IDS, DNS sinkhole, and anomaly detection as your phone.

Known threat vectors — in-vehicle (severity · threat · detection layer)
  • HIGH · OTA update channel hijack · DNS + Suricata
  • HIGH · C2 callback via infotainment app · DNS sinkhole
  • MED · Android Auto data exfiltration · Zeek + Suricata
  • MED · Rogue NTP / DNS on vehicle hotspot · DNS intercept
  • MED · CarPlay mirror session interception · Zeek SSL log
  • INFO · Map / telemetry beacon tracking · DNS sinkhole
  • INFO · Voice assistant cloud telemetry · Zeek HTTP log

Every layer covered.

DNS Layer
AEGIS DNS
Sinkholing DNS resolver on port 53. Blocks known malware C2, phishing, and ad domains before any packet leaves the device. Custom blocklists with per-query logging.
IDS / IPS
Suricata
Deep packet inspection in AF-packet passive mode. Signature-based alerts, protocol anomaly detection, file extraction to the filestore, and ClamAV scanning of the extracted files.
Network Security Monitor
Zeek
Passive NSM on enp0s3. Logs HTTP transactions, TLS certificates, DNS queries, file transfers, and connection metadata. Detects protocol-level anomalies across all flows.
Web Application Firewall
ModSecurity
Apache + ModSecurity with OWASP Core Rule Set 4.22. Engine in full enforcement mode. Blocks SQLi, XSS, RFI, LFI, and protocol violations. The parsed JSONL log stream is fed to the orchestrator.
Intrusion Prevention
Fail2Ban
Automated IP banning based on authentication failures, port-scan signatures, and custom AEGIS rules. Integrated with iptables for sub-second response to brute-force campaigns.
System Audit
Auditd
Linux kernel audit subsystem. Tracks file accesses, privilege escalations, process executions, and system calls. Full audit trail for forensic analysis and compliance reporting.

Built for operators.

Unified Event Stream
All sources — DNS, Suricata, Zeek, WAF, Fail2Ban, Auditd, Shadowsocks — feed into one normalized event bus via the Rust orchestrator. Single API, consistent schema.
Auto-Heal & Watchdog
Health checks every 10 seconds. Any failed service is automatically restarted. Zero-downtime recovery without operator intervention.
Anti-DDoS Engine
Dynamic iptables rule injection for offending IPs. Rate-based detection with configurable thresholds. Whitelist-aware to prevent self-ban scenarios.
ClamAV File Scanning
Suricata-extracted files from the network filestore are automatically queued for ClamAV scanning. Malware detections surface immediately in the event stream.
REST + WebSocket API
Full REST API and real-time WebSocket feed. Dashboard-ready. Query events by source, severity, category, IP, or time range.
Shadowsocks Proxy Telemetry
Three-port Shadowsocks instance with per-connection logging integrated into the event bus. Traffic correlation between proxy use and network anomalies.
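The Anti-DDoS Engine above is described as rate-based, threshold-driven and whitelist-aware. The following is an added illustration of that design, not AEGIS's own engine: a sliding-window counter per source IP that emits an iptables DROP rule once a threshold is crossed, never bans a whitelisted address or loopback (the self-ban case the page mentions), and bans each address only once. The threshold, window length, rule text and the burst of sample events are all constructed for the example.

```rust
use std::collections::{HashMap, HashSet, VecDeque};
use std::net::{IpAddr, Ipv4Addr};

/// What the engine decides for one observed event from a source IP.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Whitelisted,
    AlreadyBanned,
    /// A new ban; carries the iptables command the orchestrator would inject.
    Ban(String),
}

/// Sliding-window rate limiter with a whitelist (hypothetical design for this example).
pub struct AntiDdos {
    threshold: usize,                     // events allowed per IP inside one window
    window_secs: u64,                     // window length in seconds
    whitelist: HashSet<IpAddr>,           // never banned: gateway, tunnel peer, loopback
    seen: HashMap<IpAddr, VecDeque<u64>>, // recent event timestamps per IP, oldest first
    banned: HashSet<IpAddr>,              // a rule is emitted only once per address
}

impl AntiDdos {
    pub fn new(threshold: usize, window_secs: u64, whitelist: &[IpAddr]) -> Self {
        let mut wl: HashSet<IpAddr> = whitelist.iter().copied().collect();
        // Loopback is always exempt so the orchestrator's own API on 127.0.0.1 cannot ban itself.
        wl.insert(IpAddr::V4(Ipv4Addr::LOCALHOST));
        AntiDdos { threshold, window_secs, whitelist: wl, seen: HashMap::new(), banned: HashSet::new() }
    }

    /// Record one event from `ip` at Unix time `now` and return the decision.
    pub fn observe(&mut self, ip: IpAddr, now: u64) -> Verdict {
        if self.whitelist.contains(&ip) {
            return Verdict::Whitelisted;
        }
        if self.banned.contains(&ip) {
            return Verdict::AlreadyBanned;
        }
        let hits = self.seen.entry(ip).or_default();
        hits.push_back(now);
        // Drop timestamps that have fallen out of the window before counting.
        while hits.front().map_or(false, |&t| now.saturating_sub(t) >= self.window_secs) {
            hits.pop_front();
        }
        if hits.len() > self.threshold {
            self.seen.remove(&ip);
            self.banned.insert(ip);
            // The rule text is returned, not executed; the caller decides how to apply it.
            return Verdict::Ban(format!("iptables -I INPUT -s {} -j DROP", ip));
        }
        Verdict::Allow
    }

    pub fn banned_count(&self) -> usize {
        self.banned.len()
    }
}

fn main() {
    // Constructed burst: 6 SYN-scan style events from one address inside 3 seconds.
    let gateway: IpAddr = "10.0.0.1".parse().unwrap();
    let mut engine = AntiDdos::new(5, 10, &[gateway]);
    let attacker: IpAddr = "203.0.113.47".parse().unwrap();
    for t in 0..6 {
        println!("t={} {:?}", t, engine.observe(attacker, t));
    }
    println!("banned addresses: {}", engine.banned_count());
}
```

The window is evaluated on each event rather than on a timer, so a source that stays under the threshold for long enough is simply forgotten; a fixed-interval counter would let a burst straddling two intervals go unbanned.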
Event Stream — Live Feed
08:14:02 aegis_dns BLOCK tracking.malware-c2.ru → sinkhole [DENY]
08:14:05 suricata ALERT ET SCAN Nmap SYN 203.0.113.47 :22
08:14:06 fail2ban BAN 203.0.113.47 ssh-bruteforce
08:14:09 zeek SSL cert mismatch 198.51.100.12 CN=*.evil.cc
08:14:11 mod_security BLOCK SQLi 192.0.2.88 [941100]
08:14:14 aegis_dns ALLOW api.centurialabs.pl [PASS]
08:14:18 suricata FILEINFO PDF extracted 10.0.0.8 → ClamAV queue
08:14:20 system HEALTH all services OK [8/8]
08:14:22 zeek HTTP POST 198.51.100.9 /wp-login.php WEIRD
08:14:25 mod_security WARN XSS attempt 192.0.2.99 [score:6]
08:14:28 aegis_dns BLOCK cdn.adtrack.io → sinkhole [DENY]
08:14:31 suricata ANOMALY TCP stream gap 10.0.0.31
08:14:34 system ANTIDDOS threshold check no new bans
08:14:37 zeek NOTICE port scan 203.0.113.12 47 ports/5s
08:14:39 fail2ban BAN 203.0.113.12 portscan

Production components.

Rust
Orchestrator Core
The AEGIS orchestrator is written in Rust for zero-cost abstractions, memory safety, and high-throughput async I/O via Tokio.
Suricata
IDS / File Extraction
AF-packet passive mode on the primary interface. EVE JSON output with filestore enabled for ClamAV scanning pipeline.
Zeek
Network Security Monitor
Full NSM with conn, http, ssl, files, dns, weird, and notice log streams. Custom script support for mobile-specific protocol detection.
ModSec
WAF — OWASP CRS 4.22
Apache2 + ModSecurity with OWASP CRS 4.22 in full enforcement. Parsed JSONL tail piped to orchestrator in real time.
React
SOC Dashboard
Vite + React dashboard consuming the orchestrator REST and WebSocket APIs. Tabs for DNS, Suricata, Zeek, WAF, Files, and Reports.
ClamAV
Antivirus Scanner
Integrated with the Suricata filestore. Files captured from network traffic are queued and scanned asynchronously with results surfaced in the event stream.
Fail2Ban
Intrusion Prevention
Pattern-based IP banning with iptables backend. Custom jails for SSH, HTTP abuse, and AEGIS-specific threat patterns.
iptables
Packet Filtering
Statically configured with persistent rules. Dynamic injection by anti-DDoS engine and Fail2Ban. Minimal attack surface — no NFQUEUE inline mode.

One binary. Everything connected.

The AEGIS Orchestrator is a single Rust binary that aggregates log streams from every security service, normalizes them into a unified event schema, and exposes them via REST and WebSocket.

It also watches over the entire stack — if any service crashes, it restarts it automatically. If traffic anomalies exceed thresholds, it bans the source at the kernel level.

  • Tail-follows all log sources concurrently with async I/O
  • Normalizes to AegisEvent schema (source, level, category, ts)
  • Health check loop every 10 seconds across all 8 services
  • Anti-DDoS engine injects iptables DROP rules dynamically
  • ClamAV scanner watches Suricata filestore asynchronously
  • REST + WebSocket on 127.0.0.1:9096 — tunnel-accessible
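The orchestrator's tail-and-normalize step is the part of this list that benefits most from a worked example: several sources with different line formats arrive concurrently and must end up in one schema and one order. The Rust program below is an added illustration, not the AEGIS orchestrator's code. It uses the field names the page gives for AegisEvent (source, level, category, ts) plus an assumed `msg` field, and the three raw line formats, the level values and the category names are constructed for the example; the real services write different formats (Suricata EVE JSON, Zeek TSV/JSON).

```rust
use std::fmt;

/// Severity values of the unified schema (assumed for this example).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level {
    Info,
    Warn,
    Alert,
}

impl fmt::Display for Level {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(match self {
            Level::Info => "INFO",
            Level::Warn => "WARN",
            Level::Alert => "ALERT",
        })
    }
}

/// One normalized event. Field names follow the page's AegisEvent schema; `msg` is assumed.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AegisEvent {
    pub source: String,
    pub level: Level,
    pub category: String,
    pub ts: u64, // Unix seconds
    pub msg: String,
}

/// A line that cannot be normalized is reported, never silently dropped.
#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    UnknownSource(String),
    Malformed { source: String, line: String },
}

const KNOWN_SOURCES: [&str; 3] = ["aegis_dns", "fail2ban", "zeek"];

fn malformed(source: &str, line: &str) -> ParseError {
    ParseError::Malformed { source: source.to_string(), line: line.to_string() }
}

/// Normalize one raw line from a named source. Constructed raw formats:
///   aegis_dns: "<ts> <BLOCK|ALLOW> <domain>"
///   fail2ban:  "<ts> BAN <ip> <jail>"
///   zeek:      "<ts> NOTICE <ip> <detail...>"
pub fn normalize(source: &str, line: &str) -> Result<AegisEvent, ParseError> {
    if !KNOWN_SOURCES.contains(&source) {
        return Err(ParseError::UnknownSource(source.to_string()));
    }
    let f: Vec<&str> = line.split_whitespace().collect();
    let ts: u64 = f.first().and_then(|t| t.parse().ok()).ok_or_else(|| malformed(source, line))?;
    let (level, category) = match (source, f.get(1).copied(), f.len()) {
        ("aegis_dns", Some("BLOCK"), 3) => (Level::Warn, "dns"),
        ("aegis_dns", Some("ALLOW"), 3) => (Level::Info, "dns"),
        ("fail2ban", Some("BAN"), 4) => (Level::Alert, "ips"),
        ("zeek", Some("NOTICE"), n) if n >= 4 => (Level::Warn, "nsm"),
        _ => return Err(malformed(source, line)),
    };
    Ok(AegisEvent {
        source: source.to_string(),
        level,
        category: category.to_string(),
        ts,
        msg: f[1..].join(" "),
    })
}

/// Normalize a batch of (source, line) pairs and order them by timestamp, since
/// concurrent tails deliver lines from different services out of order.
pub fn normalize_batch(raw: &[(&str, &str)]) -> (Vec<AegisEvent>, Vec<ParseError>) {
    let mut events = Vec::new();
    let mut errors = Vec::new();
    for (source, line) in raw {
        match normalize(source, line) {
            Ok(e) => events.push(e),
            Err(err) => errors.push(err),
        }
    }
    events.sort_by_key(|e| e.ts);
    (events, errors)
}

/// Render one event in the "HH:MM:SS source LEVEL message" style of the live feed (UTC).
pub fn render_feed_line(e: &AegisEvent) -> String {
    let s = e.ts % 86_400;
    format!("{:02}:{:02}:{:02} {} {} {}", s / 3600, (s % 3600) / 60, s % 60, e.source, e.level, e.msg)
}

fn main() {
    // Constructed sample lines, deliberately out of order and with two bad ones.
    let raw = [
        ("fail2ban", "29646 BAN 203.0.113.47 ssh-bruteforce"),
        ("aegis_dns", "29642 BLOCK tracking.malware-c2.ru"),
        ("zeek", "29677 NOTICE 203.0.113.12 port scan 47 ports/5s"),
        ("aegis_dns", "garbage"),
        ("unknown_src", "29650 connect 10.0.0.8"),
    ];
    let (events, errors) = normalize_batch(&raw);
    for e in &events {
        println!("{}", render_feed_line(e));
    }
    eprintln!("{} line(s) could not be normalized: {:?}", errors.len(), errors);
}
```

Keeping `Level` ordered lets a consumer filter the bus with a comparison (`e.level >= Level::Warn`) instead of string matching, and returning parse failures alongside the events gives the health-check loop something to count when a service changes its log format.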

Part of a wider ecosystem.