Development of the Suri Oculus project continues — a platform for visualization, management, and analysis of Suricata events.
One of the main areas of development is the Events Viewer — an interface for viewing, filtering, and investigating Suricata events in near real-time.
In the current implementation, the system uses Redis as an intermediate transport and event storage layer instead of relying on the traditional workflow based on large eve.json files.
This approach makes it possible to:
- reduce overhead;
- accelerate event processing;
- simplify event routing;
- provide fast access to different event categories;
- build additional analytical modules on top of the event stream.
Redis-Based Event Pipeline
In the current architecture, Suricata events are delivered to Redis, after which the backend distributes them into separate event-type queues.
For example:
- alert
- flow
- dns
- http
- tls
- dhcp
- fileinfo
- stats
This approach allows independent processing of different event types and reduces frontend workload.
The backend is implemented in C++, while the frontend is built with plain JavaScript without heavy SPA frameworks.
The main architectural goal is low resource consumption and the ability to run on relatively modest systems.
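As an added illustration of the routing step described above (example code, not Suri Oculus's own C++ backend), the sketch below parses EVE JSON lines and groups them by event_type into per-type queue names, rejecting malformed records, and counts events per capture interface for mixed LAN/WAN/VPN streams. The `suri:` key prefix, the in-memory lists standing in for Redis lists, and the sample EVE lines are constructed assumptions.

```python
import json
from collections import Counter, defaultdict
# Per-type queues the article lists; any other EVE type goes to a catch-all queue.
KNOWN_TYPES = {"alert", "flow", "dns", "http", "tls", "dhcp", "fileinfo", "stats"}
QUEUE_PREFIX = "suri"  # hypothetical key prefix, not the project's naming

def queue_key(event_type):
    """Map an EVE event_type to its per-type queue name (hypothetical scheme)."""
    if event_type in KNOWN_TYPES:
        return f"{QUEUE_PREFIX}:{event_type}"
    return f"{QUEUE_PREFIX}:other"

def route_events(raw_lines):
    """Parse EVE JSON lines and group records by target queue; returns (queues, rejected).

    In-memory lists stand in for Redis lists (a live backend would RPUSH to queue_key(...));
    malformed lines and records lacking a string event_type are counted, not silently dropped.
    """
    queues = defaultdict(list)
    rejected = 0
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if not isinstance(ev, dict) or not isinstance(ev.get("event_type"), str):
            rejected += 1
            continue
        queues[queue_key(ev["event_type"])].append(ev)
    return dict(queues), rejected

def by_interface(events):
    """Count events per capture interface (EVE 'in_iface'), for mixed LAN/WAN/VPN streams."""
    return Counter(ev.get("in_iface", "unknown") for ev in events)

# Constructed sample EVE lines; not captured from a real sensor.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","in_iface":"eth0",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"CONSTRUCTED test rule","severity":3}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns","in_iface":"eth1","dns":{"type":"query","rrname":"example.test"}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow","in_iface":"eth0","proto":"TCP"}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"anomaly","in_iface":"eth0"}',
    '{"event_type":"alert","truncated',  # malformed JSON
    '[1, 2, 3]',  # valid JSON but not an EVE record
]
```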
Event viewer interface with event-type selection, filtering, and event list.
Events Viewer
The Events Viewer is designed for fast analysis of Suricata events without the need to constantly work with raw JSON or text logs.
The interface supports:
- switching between event categories;
- search and filtering;
- pagination;
- data refresh;
- detailed event inspection.
When an event is selected, the system displays a structured representation of Suricata data, significantly simplifying network activity analysis.
Current development efforts are focused on improving support for multi-interface environments, where events may simultaneously originate from:
- LAN;
- WAN;
- VPN;
- other network segments.
Additional mechanisms for device behavior analysis and network behavior profiling are also being tested.
Statistical event graph and detailed inspection window for a selected event.
fast.log Viewer
Despite the availability of graphical interfaces, traditional text logs remain an important part of the workflow when investigating IDS/IPS events.
Suri Oculus includes an integrated fast.log viewer that allows quick inspection of text-based alert events directly through the web interface.
This is useful for:
- rapid signature verification;
- diagnostics;
- event correlation;
- remote analysis.
Integrated fast.log viewer.
Current Development
Current development is focused on:
- event processing optimization;
- improved multi-interface support;
- behavioral profiling;
- anomaly detection modules;
- statistical analysis of network activity.
An AI-based analysis subsystem is also being developed for investigating anomalous device behavior and network flows.
The project continues to evolve actively.
Feedback, suggestions, and testing results from Suricata users are welcome.