Suricata, the open source IDS, IPS and network security monitoring engine, with current threat intelligence fetched on first boot rather than frozen into the image.
Suricata is a high performance network threat detection engine developed by the Open Information Security Foundation. It reads frames directly off a network interface, reassembles the traffic into flows, evaluates them against a signature set, and writes both alerts and rich protocol metadata to a structured event log that downstream tooling can consume. It is one of the most widely deployed open source intrusion detection systems in the world, and it runs as an IDS, an inline IPS, or a pure network security monitor depending on how you place it.
This image is deliberate about two things that decide whether an intrusion detection system is actually useful. The first is freshness: no signature set is baked into the image, because rules frozen at build time are stale the moment they ship, and a sensor with stale rules reports perfectly healthy while missing everything published since. The current Emerging Threats Open ruleset is fetched on your own machine at first boot and refreshed daily thereafter, so your rules come from the provider, under the provider's terms, and are current on day one. The second is honesty about scope. Suricata's core mechanism, inspecting the packets it is handed, works exactly as designed on an Azure virtual network. What the platform constrains is visibility: a virtual network interface receives only the frames addressed to it, and Azure Virtual Network TAP never reached general availability. This appliance therefore cannot passively monitor a subnet the way a physical network tap or a SPAN port can, and the guide says so plainly rather than leaving you to discover it. What it does do is documented and real: it inspects this machine's own traffic out of the box with no configuration, it inspects everything you deliberately route through it once you enable IP forwarding and point a user defined route at it, and it reads packet captures taken elsewhere for offline forensics.
cloudimg delivers Suricata installed from the vendor's own package origin, so the engine keeps receiving security updates through the normal unattended upgrade path instead of being pinned at whatever version happened to be current at build time. The configuration is fail closed by design: the address range to protect and the capture interface are facts about your machine, not ours, so the shipped configuration is a template the engine deliberately refuses to start on until first boot has rendered it against this instance's own interface and network. Two independent levers enforce that, and both are tested to fail closed rather than assumed to work. The appliance has no login, no web interface and no network listening management port, so there is no bootstrap credential anywhere in the image to leak and the only port open is SSH, using the key you supplied. Every build ships fully patched with a single current kernel, and no build time traffic, alerts or packet captures survive into your image. Backed by 24/7 expert support.