Suri Oculus — Current Project Progress and New Analytics Direction

Colleagues,

We would like to briefly share the current state of Suri Oculus — a system for analyzing and visualizing Suricata data, focused on real-time event processing without requiring heavy infrastructure.


Brief Project Overview

Suri Oculus is being developed as a practical analytics layer on top of Suricata with a focus on:

  • streaming event processing via Redis

  • custom C++ backend

  • web UI without heavy frontend frameworks

  • operation on low-end systems

  • fast access to flow / dns / http / tls events

The main idea is minimal infrastructure complexity with maximum operational value.


Work on the New Version

Development of a new Suri Oculus version is currently in progress.

The primary focus of this stage is a redesign of the network module:

  • improved stream processing stability

  • performance optimization

  • more flexible interface handling (LAN / WAN / VPN)

  • preparing the foundation for advanced analytics

This is an important architectural step before the next generation of platform features.


New Direction: Extended Analytics

At the same time, a new extension is being developed, focused not only on events, but also on host and network behavior.

Core Concept — Host Behavior Fingerprint (HBF)

A compact behavioral profile is built for each host:

  • protocols used

  • connection frequency

  • time-based activity patterns

  • average traffic sizes

  • typical events and alerts

This makes it possible to compare:

  • normal behavior vs current behavior

  • before / after an incident

  • stable hosts vs anomalous hosts

This is a host-centric rather than purely alert-centric approach.


Additional Concepts Under Development

The following capabilities are also being evaluated.

Baseline Diff

Automatic answer to:

What changed in the network over the last 24 hours?

Examples:

  • new alert types

  • new external ASN activity

  • sudden NXDOMAIN growth

  • previously unseen TLS fingerprints


Confidence Score for Alerts

Prioritizing alerts not only by rule severity, but also by context:

  • recurrence

  • correlation with anomalies

  • behavior of the affected host


Explainable Analytics

Showing why an event is considered suspicious:

  • new JA3 fingerprint

  • sudden increase in flow size

  • unusual HTTP method

  • unexpected activity time


Guided Analysis

Operational hints for analysts:

  • anomaly volume is above normal today

  • a new external IP appeared

  • TLS activity should be reviewed
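
The concepts above (the Host Behavior Fingerprint, Baseline Diff, Confidence Score, Explainable Analytics and Guided Analysis hints) can be sketched end to end in a few dozen lines. The following Python is an added illustration written for this post, not code from Suri Oculus or from the Suricata project. It reads constructed eve.json lines (sample data, not a capture; the signature ids 9000001/9000002 and the JA3 strings are placeholders), builds a per-host profile from the fields the post lists, diffs a current window against a baseline into human-readable reasons, and scores an alert by rule severity plus context. The eve.json field names (flow.bytes_toserver, flow.bytes_toclient, tls.ja3.hash, http.http_method, dns.rcode, alert.signature_id, alert.severity) are Suricata's; the internal-range check, the 3x and 50% thresholds and the score weights are assumptions chosen for the sample data.

```python
"""Added example, not Suri Oculus code: a minimal Host Behavior Fingerprint (HBF)
from eve.json lines, a baseline diff that explains what changed, and a context-aware
alert confidence score. Field names follow Suricata's eve output; weights are assumptions."""
import json
from collections import Counter
from datetime import datetime
from statistics import mean

def is_external(ip):
    # Simplified internal-range check (assumption: only these prefixes are internal).
    return not ip.startswith(("10.", "192.168.", "172.16."))

def build_hbf(lines):
    """One compact behavioral profile per source host."""
    hosts = {}
    for line in lines:
        ev = json.loads(line)
        p = hosts.setdefault(ev["src_ip"], {
            "protocols": Counter(), "hours": Counter(), "flow_bytes": [],
            "alerts": Counter(), "severity": {}, "ja3": set(), "http_methods": set(),
            "external_peers": set(), "dns_total": 0, "nxdomain": 0})
        # eve.json timestamps look like 2024-05-01T09:10:00.000000+0000
        p["hours"][datetime.strptime(ev["timestamp"][:19], "%Y-%m-%dT%H:%M:%S").hour] += 1
        if is_external(ev["dest_ip"]):
            p["external_peers"].add(ev["dest_ip"])
        et = ev["event_type"]
        if et == "flow":  # protocols used and average traffic size
            p["protocols"][ev.get("app_proto") or ev["proto"]] += 1
            p["flow_bytes"].append(ev["flow"]["bytes_toserver"] + ev["flow"]["bytes_toclient"])
        elif et == "alert":  # typical events and alerts
            sid = ev["alert"]["signature_id"]
            p["alerts"][sid] += 1
            p["severity"][sid] = ev["alert"]["severity"]
        elif et == "tls":
            p["ja3"].add(ev["tls"]["ja3"]["hash"])
        elif et == "http":
            p["http_methods"].add(ev["http"]["http_method"])
        elif et == "dns":
            p["dns_total"] += 1
            if ev["dns"].get("rcode") == "NXDOMAIN":
                p["nxdomain"] += 1
    return hosts

def baseline_diff(base, cur):
    """Explainable reasons why the current window differs from the baseline.
    The 3x and 50% thresholds are assumptions tuned to the sample data."""
    reasons = [f"new alert type {s}" for s in cur["alerts"].keys() - base["alerts"].keys()]
    reasons += [f"new JA3 fingerprint {h}" for h in cur["ja3"] - base["ja3"]]
    reasons += [f"unusual HTTP method {m}" for m in cur["http_methods"] - base["http_methods"]]
    reasons += [f"new external IP {ip}" for ip in cur["external_peers"] - base["external_peers"]]
    reasons += [f"unexpected activity time {h:02d}:00" for h in sorted(cur["hours"].keys() - base["hours"].keys())]
    if base["flow_bytes"] and cur["flow_bytes"] and mean(cur["flow_bytes"]) > 3 * mean(base["flow_bytes"]):
        reasons.append("sudden increase in flow size")
    base_rate = base["nxdomain"] / base["dns_total"] if base["dns_total"] else 0.0
    cur_rate = cur["nxdomain"] / cur["dns_total"] if cur["dns_total"] else 0.0
    if cur["dns_total"] >= 3 and cur_rate > max(0.5, 3 * base_rate):
        reasons.append(f"sudden NXDOMAIN growth ({cur_rate:.0%} of queries)")
    return reasons

def alert_confidence(sid, base, cur, reasons):
    """0-100 priority: rule severity plus context (weights are assumptions)."""
    score = {1: 60, 2: 40, 3: 20}.get(cur["severity"].get(sid), 10)  # Suricata severity 1 = highest
    score += 5 * min(cur["alerts"][sid], 4)  # recurrence inside the current window
    score += 10 * min(len(reasons), 3)       # correlation with the host's anomalies
    if sid in base["alerts"]:
        score -= 20                          # already part of this host's normal behavior
    return max(0, min(100, score))

def analyze(baseline_lines, current_lines, host):
    base, cur = build_hbf(baseline_lines)[host], build_hbf(current_lines)[host]
    reasons = baseline_diff(base, cur)
    return {"reasons": reasons, "scores": {sid: alert_confidence(sid, base, cur, reasons) for sid in cur["alerts"]}}

def _ev(ts, etype, dest, **body):  # constructed eve.json-style line for host 10.0.0.5 (not a capture)
    return json.dumps({"timestamp": ts, "event_type": etype, "src_ip": "10.0.0.5", "dest_ip": dest, **body})

BASELINE_LINES = [  # ordinary daytime activity; signature ids 9000001/9000002 are placeholders
    _ev("2024-05-01T09:10:00.000000+0000", "flow", "203.0.113.10", proto="TCP", app_proto="tls",
        flow={"bytes_toserver": 1200, "bytes_toclient": 8000}),
    _ev("2024-05-01T09:10:01.000000+0000", "tls", "203.0.113.10", tls={"ja3": {"hash": "ja3-baseline-0001"}}),
    _ev("2024-05-01T09:11:00.000000+0000", "dns", "10.0.0.1", dns={"type": "answer", "rrname": "example.com", "rcode": "NOERROR"}),
    _ev("2024-05-01T14:00:00.000000+0000", "http", "203.0.113.10", http={"hostname": "example.com", "http_method": "GET"}),
    _ev("2024-05-01T14:05:00.000000+0000", "alert", "203.0.113.10", alert={"signature_id": 9000001, "signature": "SAMPLE policy", "severity": 3}),
]
CURRENT_LINES = [  # last 24 hours: night-time burst towards a previously unseen peer
    _ev("2024-05-02T03:00:00.000000+0000", "flow", "198.51.100.77", proto="TCP", app_proto="tls",
        flow={"bytes_toserver": 40000, "bytes_toclient": 5000}),
    _ev("2024-05-02T03:00:01.000000+0000", "tls", "198.51.100.77", tls={"ja3": {"hash": "ja3-unseen-7777"}}),
    _ev("2024-05-02T03:01:00.000000+0000", "dns", "10.0.0.1", dns={"type": "answer", "rrname": "qz7.example", "rcode": "NXDOMAIN"}),
    _ev("2024-05-02T03:01:01.000000+0000", "dns", "10.0.0.1", dns={"type": "answer", "rrname": "k3p.example", "rcode": "NXDOMAIN"}),
    _ev("2024-05-02T03:01:02.000000+0000", "dns", "10.0.0.1", dns={"type": "answer", "rrname": "example.com", "rcode": "NOERROR"}),
    _ev("2024-05-02T03:02:00.000000+0000", "http", "198.51.100.77", http={"hostname": "198.51.100.77", "http_method": "POST"}),
    _ev("2024-05-02T03:02:05.000000+0000", "alert", "198.51.100.77", alert={"signature_id": 9000002, "signature": "SAMPLE new alert", "severity": 2}),
    _ev("2024-05-02T03:02:06.000000+0000", "alert", "198.51.100.77", alert={"signature_id": 9000002, "signature": "SAMPLE new alert", "severity": 2}),
]

if __name__ == "__main__":
    result = analyze(BASELINE_LINES, CURRENT_LINES, "10.0.0.5")
    print("\n".join("- " + r for r in result["reasons"]), result["scores"])
```

Run as a script it prints the reason list followed by the score per signature id. Against the sample data the night-time burst produces seven reasons (new alert type, new JA3 fingerprint, unusual HTTP method, new external IP, unexpected activity time, flow size increase, NXDOMAIN growth) and a score of 80 for the new signature, while the baseline alert scored against the baseline itself drops to 5 because it recurs on a host whose profile did not change. A real deployment would compute the baseline over a sliding window of several days rather than one, keep the profiles in Redis beside the event stream, and add an ASN lookup for the "new external ASN activity" case, which this sketch leaves out.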


Why This Direction Matters

Many systems can show what happened, but it is harder to understand:

  • what changed

  • how important it is

  • what should be reviewed first

This is the problem the new extension is intended to solve.


A Note on Collaboration

If this direction is relevant to professionals working with Suricata in real environments, it would be valuable to discuss:

  • testing in different infrastructures

  • practical use cases

  • architectural ideas

  • joint development of selected modules

An external technical perspective is always useful.


Links


Open to discussion and exchange of practical experience.