Suri Oculus — Suricata Event Analysis System (Redis Pipeline + AI) and HBF Roadmap

Colleagues,

we would like to present the current state of the Suri Oculus project — a system for managing and analyzing Suricata data, focused on real-time processing and operation on constrained hardware.

What it is

Suri Oculus is not a SIEM and not just another UI on top of eve.json.

It is a system where:

  • Suricata events are processed without using files

  • a streaming pipeline based on Redis is used

  • a custom event processor (C++ daemon) is implemented

  • data is immediately available for analytics and visualization

Architecture (simplified)

Suricata → Redis → daemonmove → API / UI / AI

Key points:

  • no eve.json (no disk I/O, no file parsing)
  • event classification by type (flow, dns, http, tls, etc.)
  • full JSON storage without data loss
  • designed to run on low-end systems (Celeron / 4GB RAM is a valid target)
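As an added illustration of the pipeline stage described above (this is not Suri Oculus code): Suricata's own eve-log output can write EVE records to Redis instead of eve.json (`filetype: redis`; in `mode: list` every event is LPUSHed onto one key, `suricata` by default), and a consumer pops them from the other end, routes each one by `event_type` and stores the full JSON unchanged. The in-memory `FakeRedis`, the `events:<type>` key layout and the sample events below are constructed for this example so it runs offline; a real deployment would use `redis.Redis` and BRPOP instead.

```python
"""Added example (not Suri Oculus code): consume Suricata EVE events from a
Redis list, classify by event_type and keep the full JSON per type.
Matching Suricata side (its documented eve-log redis output):
  outputs:
    - eve-log:
        enabled: yes
        filetype: redis
        redis: {server: 127.0.0.1, port: 6379, mode: list, key: suricata}
"""
import json
from collections import defaultdict, deque


class FakeRedis:
    """Tiny in-memory subset of the redis-py list API so the example runs
    without a server. Swap for redis.Redis(host=..., port=...) in practice."""

    def __init__(self):
        self.lists = defaultdict(deque)

    def lpush(self, key, value):
        self.lists[key].appendleft(value)
        return len(self.lists[key])

    def rpop(self, key):
        q = self.lists[key]
        return q.pop() if q else None

    def llen(self, key):
        return len(self.lists[key])


# Event types that get their own stream; anything else lands in "other".
KNOWN_TYPES = {"flow", "dns", "http", "tls", "alert", "fileinfo", "stats"}


def classify(raw):
    """Parse one EVE line; return (bucket name, parsed event or None)."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return "malformed", None          # counted, never stored
    kind = event.get("event_type")
    return (kind if kind in KNOWN_TYPES else "other"), event


def drain(r, inbox="suricata", prefix="events", limit=None):
    """Pop events FIFO (Suricata LPUSHes, we RPOP), fan them out to one list
    per type and return per-type counts. The document is re-serialised as a
    whole, so no field is dropped on the way to analytics."""
    counts = defaultdict(int)
    n = 0
    while limit is None or n < limit:
        raw = r.rpop(inbox)
        if raw is None:
            break
        kind, event = classify(raw)
        if event is not None:
            r.lpush(f"{prefix}:{kind}", json.dumps(event, separators=(",", ":")))
        counts[kind] += 1
        n += 1
    return dict(counts)


def stored(r, kind, prefix="events"):
    """Read back (and drain) everything routed to one type, parsed."""
    out = []
    while (raw := r.rpop(f"{prefix}:{kind}")) is not None:
        out.append(json.loads(raw))
    return out


# Constructed sample lines in EVE shape (timestamps and addresses made up).
SAMPLE_EVENTS = [
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","dest_port":445,'
    '"flow":{"pkts_toserver":12,"bytes_toserver":1800}}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.internal"}}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.20","http":{"hostname":"intranet","url":"/"}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.20","tls":{"sni":"intranet","version":"TLS 1.3"}}',
    '{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"stats","stats":{"uptime":60}}',
    'not json at all',   # a truncated line must not stall the consumer
]


def demo():
    """Simulate Suricata pushing the samples, then drain them."""
    r = FakeRedis()
    for line in SAMPLE_EVENTS:
        r.lpush("suricata", line)
    return r, drain(r)


if __name__ == "__main__":
    redis_stub, counts = demo()
    print(counts)
    print(stored(redis_stub, "flow"))
```

The consumer never touches the disk: the only copy of an event lives in Redis until the per-type list is read by the API, the UI or the model stage, which is what makes the eve.json-free design work.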

What is already implemented

  • REST API (C++ / Pistache + Python / FastAPI for AI)

  • Web UI (plain JavaScript, no heavy frameworks)

  • streaming event processing via Redis

  • basic analytics for:
    flow, dns, http, tls

  • AI-based analysis (Isolation Forest)

  • export and time-based comparison of data

Why this may be relevant

The practical goal of the project:

  • move away from file-based processing (eve.json)

  • build a true streaming pipeline

  • achieve low-latency processing

  • retain full control over the data flow

Roadmap: Host Behavior Fingerprint (HBF)

The next step is the implementation of HBF (Host Behavior Fingerprint).

The idea is to build a behavioral profile of a host based on existing data (flow, tls, http, etc.), without requiring additional sources.


Planned features

  • host profile including:

    • protocols used

    • connection frequency

    • average packet sizes

    • time-based activity patterns

  • baseline (normal behavior)

  • comparison: “baseline vs current”

  • Behavior Delta Score (0–100)

Important detail

HBF will be built only on LAN traffic:

  • interface-aware separation (LAN/WAN/VPN)

  • exclusion of external noise

  • focus on internal host behavior

Current status

The project is actively evolving, and core components are already running in a production-like environment.

Current focus:

  • HBF implementation

  • performance improvements

  • preparation of an extended (commercial) version

Links


Feedback

We would appreciate input from the community:

  • does it make sense to move away from eve.json toward a streaming pipeline?

  • what approaches do you use for real-time processing?

  • is HBF an interesting direction for host-level analytics?


Open to discussion about architecture, implementation details, and practical trade-offs.
