I am currently redesigning the rule management subsystem in Suri Oculus, a lightweight Suricata management and analysis platform.
At the moment, the Rules interface already supports:
- enable/disable of rules from the web interface;
- search by SID, action, signature and other parameters;
- detailed rule inspection;
- modification of existing rules;
- creation of local custom rules;
- fast runtime apply and Suricata reload.
One of the main goals now is to improve interaction with suricata-update and make rule state handling more predictable.
The planned changes include:
- persistent enable/disable handling through disable.conf and enable.conf;
- separation of upstream rules, IOC-generated rules and local custom rules;
- proper handling of IDS vs IPS operating modes;
- IOC policy management instead of direct editing of generated IOC rules;
- synchronization between runtime rule state and persistent configuration.
I also plan to improve the internal lifecycle handling of rules to avoid conflicts during repeated enable/disable operations and ruleset updates.
The overall goal is to keep the system lightweight and practical, including for low-powered hardware, while still providing a more structured approach to Suricata rule management.
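As an added example (not code from Suri Oculus), the following Python models the two mechanisms described above: persisting enable/disable decisions in suricata-update's enable.conf and disable.conf so they survive the next ruleset update, and checking the live runtime state against those files to spot drift. It assumes suricata-update's documented file format (one numeric SID per line, `re:` and `group:` matcher lines, `#` comments); the file contents and SIDs in `demo()` are constructed samples.

```python
"""Model of persistent rule state via suricata-update's enable.conf and
disable.conf, plus a drift check against runtime state (added example)."""
import re

# Numeric SID entry, e.g. "2019401". Other matcher forms supported by
# suricata-update (re:, group:, filename) are preserved verbatim but not
# interpreted here.
SID_LINE = re.compile(r"^\d+$")


def parse_conf(text):
    """Split a conf file into (set of SIDs, list of non-SID matcher lines).
    Blank lines and '#' comment lines are ignored."""
    sids, others = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SID_LINE.match(line):
            sids.add(int(line))
        else:
            others.append(line)
    return sids, others


def render_conf(sids, others):
    """Serialise back to the file format: matcher lines first, SIDs sorted."""
    body = others + [str(s) for s in sorted(sids)]
    return "\n".join(body) + ("\n" if body else "")


class RuleStateStore:
    """Holds the persistent enable/disable state for numeric SIDs."""

    def __init__(self, enable_text="", disable_text=""):
        self.enabled, self.enable_other = parse_conf(enable_text)
        self.disabled, self.disable_other = parse_conf(disable_text)

    def set_enabled(self, sid, enabled):
        """Record a state change so it survives the next suricata-update run.
        The SID is removed from the opposite file first so it never ends up
        listed in both."""
        if enabled:
            self.disabled.discard(sid)
            self.enabled.add(sid)
        else:
            self.enabled.discard(sid)
            self.disabled.add(sid)

    def conflicts(self):
        """SIDs listed in both files. Such entries make the final state depend
        on suricata-update's processing order, so they are treated as errors."""
        return sorted(self.enabled & self.disabled)

    def drift(self, runtime_state):
        """Compare against runtime state ({sid: is_enabled}) and return SIDs
        whose live state contradicts the persistent files. SIDs in neither
        file follow the upstream default and are not reported."""
        out = []
        for sid, live in runtime_state.items():
            if sid in self.disabled and live:
                out.append(sid)
            elif sid in self.enabled and not live:
                out.append(sid)
        return sorted(out)

    def dump(self):
        """Return (enable.conf text, disable.conf text) ready to be written."""
        return (render_conf(self.enabled, self.enable_other),
                render_conf(self.disabled, self.disable_other))


def demo():
    # Constructed sample files: the same SID appears in both, a real conflict.
    enable_text = "# local overrides\n2019401\nre:heartbleed\n"
    disable_text = "group:emerging-deleted.rules\n2019401\n"
    store = RuleStateStore(enable_text, disable_text)
    before = store.conflicts()                 # conflict detected
    store.set_enabled(2019401, False)          # operator disables it in the UI
    after = store.conflicts()                  # resolved
    # Runtime still has the rule loaded as enabled until Suricata is reloaded,
    # so the drift check flags it (constructed runtime snapshot).
    drift = store.drift({2019401: True, 2100498: False})
    enable_conf, disable_conf = store.dump()
    return before, after, drift, enable_conf, disable_conf


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the drift check after every enable/disable operation and after each ruleset update gives the "synchronization between runtime rule state and persistent configuration" a concrete, testable definition: the set returned by `drift()` must be empty once the reload has completed.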
Screenshots below show:
- Rules list and controls
- Detailed rule information
- Rule modification form