wolfSentry Embedded IDPS

wolfSentry is a universal, dynamic, embedded IDPS (intrusion detection and prevention system). At its core, it features an embedded firewall engine (both static and fully dynamic), with optimally efficient lookups. wolfSentry is dynamically configurable, and can arbitrarily associate user-defined events with user-defined actions, contextualized by connection attributes, tracking the evolution of the network transaction profile.

wolfSentry will be fully integrated into the wolfSSL library, wolfMQTT, and wolfSSH, with optional in-tree call-ins and callbacks that give application developers turnkey IDPS across all network-facing wolfSSL products, with a viable zero-configuration option. These integrations will be available via simple --enable-wolfsentry configure options in wolfSSL sibling products.

The wolfSentry engine is dynamically configurable programmatically through an API, or from textual inputs supplied to the engine. Callback and client-server implementations are also under development that will deliver advanced capabilities including remote logging through MQTT or syslog, and remote configuration and status queries, all cryptographically secured.

Notably, wolfSentry is designed from the ground up to function well in resource-constrained, bare-metal, and realtime environments, with algorithms to stay within designated maximum memory footprints and maintain deterministic throughput. Opportunities include RTOS IDPS, and IDPS for ARM silicon and other common embedded CPUs and MCUs. wolfSentry with dynamic firewalling can add as little as 64k to the code footprint, and 32k to the volatile state footprint, and can fully leverage the existing logic and state of applications and sibling libraries.

If you have interest in using wolfSentry or any questions or comments, please contact wolfSSL at

Download Now
Get the latest open source GPLv2 version now!

Version:  1.6.2
Release Date: 1/2/2024


  • Universal, dynamic, embeddable IDPS -- 32/64 bit, bare metal and Unix/Linux, x86, PPC, ARM, etc., written in pure C
  • At a low level, a firewall engine (both static and fully dynamic), with fast thread-optimized (multicore) lookup of known hosts/netblocks
  • Fully extensible logic
  • Designed from the ground up to function well in resource-constrained, bare-metal, and realtime environments, with algorithms to stay within designated maximum memory footprints
  • Deterministic dynamics -- compatible with deadline scheduling and time-sensitive networking use cases
  • Fully unified configuration via JSON, with user-defined address families, user-defined arbitrary key-value pairs, base64-encoded binary configuration objects, and user-defined extended validation logic. Additionally, a generic JSON DOM (random access) facility is included, for use as a helper in user plugins and applications.


  • Native C code designed for embedded use.
  • Single IO callback for hardware SPI interface.
  • No external dependencies.
  • Compact code size and minimal memory use.

What is an Intrusion Detection and Prevention System (IDPS)?

An Intrusion Detection System or IDS "is a device or software application that monitors a network or systems for malicious activity or policy violations" (Wikipedia).

  • IDS is centered on monitoring, logging, and pattern matching, and notifications
  • Can be extremely elaborate
  • Large-scale online databases of events to allow exploration and visualization of conditions, trends, and forensic reconstructions 
  • Vast curated rulesets to identify threat “indicators” and trigger live notifications 
  • Machine learning to characterize normal traffic patterns and detect anomalies 
  • Host-resident and infrastructural traffic monitoring agents, and realtime aggregation of event streams

An Intrusion Detection and Prevention System or IDPS is and IDS that that attempts to block or stop abusive activity.

  • IDPS adds preventative orchestration
    • network-based intervention, via dynamic firewall rules 
    • host-based intervention, via host-resident agents 
    • service-based intervention, via gateways to directory services, e.g. Kerberos, LDAP, DNS, cert revocation APIs, redirector config, etc. 
  • wolfSentry is an IDPS.

Platform and Language Support

wolfSentry is built for maximum portability and is generally very easy to compile on new platforms.  If your desired platform is not listed under the supported operating environments, please contact us.

wolfSentry supports the C programming language as a primary interface. If you have interest in using wolfTPM in another programming language that it does not currently supported, please contact us.

Commercial Support

Support packages for wolfSentry are available on an annual basis directly from wolfSSL.  With three different package options, you can compare them side-by-side and choose the package that best fits your specific needs.  Please see our Support Packages page for more details or contact us with any questions.

wolfSSL Training Course

Interested in getting trained by security experts on subjects related to wolfSSL and SSL/TLS?  Learn more.


  • wolfSentry is designed to integrate directly with network-facing applications/libraries to block bad traffic, and it can optionally integrate with host firewall facilities, via plugins.
  • Support for running on bare metal, in which case the firewall functions can be directly integrated into the network stack of the application via patched-in call-ins, or callbacks installed using host environment interfaces.
  • Fully extensible
    • Dynamically configurable logic hub
    • User-defined rules link app-defined events with app-defined actions via plugins
      • Plugins can be filters, decision logic, and/or orchestration logic
    • Hub and plugins are mainly keyed on network attributes, and track current status
    • Plugins can also track and use fully app-defined data for each network association
  • Fully integrated into wolfSSL, wolfMQTT, and wolfSSH
    • Zero-development IDPS across all network-facing wolfSSL products, using bundled COTS plugins
    • Zero-configuration option
    • Simple --enable-wolfsentry configure options in wolfSSL sibling products
  • Dynamically configurable
    • Programmatically through an API
    • Textual human-readable configuration files, loadable/reloadable at any time
  • Bundled plugins for remote logging, commands, and status queries, secured with TLS
    • MQTT
    • Syslog
    • SMTP
    • Embedded web server with RESTful API
  • Supports systems to fulfill UN R155 requirements
    • Detects and recovers from a denial of service attacks
    • Security controls applied to systems that have remote access
    • Access control techniques and designs are applied to protect system data/code.
    • Prevents and detects unauthorized access
    • Measures to detect malicious internal messages or activity are considered
  • LwIP full firewall integration support

Supported Chipmakers

Supported Operating Environments

  • Platform support for Raspberry Pi, STM32 with CubeMX, Atmel ASF and Barebox.
  • Native support for Microsoft Windows, Linux, and FreeRTOS
  • If you would like to test wolfSentry on another environment, let us know and we’ll be happy to support you.

Licensing and Ordering:

wolfSentry is dual licensed under both the GPLv2 and commercial licensing.  For more information, please see the following links.