Suri Oculus: Advancing Network Security with High-Performance Log Management #
Introduction #
In an age where network security is paramount, organizations need robust and efficient tools to monitor, analyze, and respond to potential threats. Enter Suri Oculus, a high-performance Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) log management and analysis solution. Built upon the powerful Suricata technology and leveraging the Pistache (C++) framework, Suri Oculus stands out from its contemporaries by utilizing Redis as its database. This combination ensures exceptional speed and resource efficiency, making it an ideal choice for both high-end servers and resource-constrained devices such as routers and switches.
Key Features #
Suri Oculus offers a comprehensive suite of features designed to enhance network security:
Suricata Event Handling: Access, analyze, and search through Suricata logs effortlessly, with quick retrieval of the fast.log file contents for immediate event display.
Suricata Rule Management: Customize your security setup by adding, editing, deleting, and blocking rules, tailoring Suricata to meet specific network requirements.
Custom Rules: Implement additional rules to block particular sites and connections, including social networks and advertising platforms.
Indicators of Compromise (IoC): Integrate current IoCs to bolster threat detection and automate incident response.
Statistics and Analytics: View and analyze detailed statistical data on network traffic, attacks, and threats to assess and enhance your security posture.
Updates Management: Manage Suricata rule updates automatically or manually, generating new rules based on observed activity and threats.
Suricata Management: Control Suricata operations with commands for restarting, stopping, and switching between IDS and IPS modes.
Technical Properties #
Performance and Efficiency #
At the core of Suri Oculus is its high-performance architecture, primarily developed in C++ and Rust. This choice of programming languages ensures rapid data processing and low resource consumption. By leveraging Redis as the database, Suri Oculus achieves lightning-fast data access, enhancing overall system performance. These characteristics make it suitable for deployment on devices with varying specifications, including low-power routers and switches.
Linux OS Support #
Suri Oculus is optimized for the Linux operating system family, ensuring seamless integration and robust performance in diverse network environments.
Resource Efficiency #
Designed with resource efficiency in mind, Suri Oculus operates with minimal memory consumption, making it an ideal solution for devices with limited hardware capabilities.
Scalability and Flexibility #
The architecture of Suri Oculus allows for easy expansion and customization, enabling it to meet individual network requirements and scale according to the needs of growing organizations.
System Components #
Log Parser #
Suri Oculus employs an innovative log parsing approach to process Suricata logs in two modes: Standard Mode and Redis Mode. The Standard Mode processes logs written to a regular JSON format file, while the Redis Mode (the primary mode for Suri Oculus) sends logs directly to the Redis database. This flexibility ensures efficient log management and rapid data retrieval.
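As an added example that is not code from the Suri Oculus project, here is a std-only Rust parser for the Suricata fast.log records the Key Features section says are retrieved for immediate event display, the plain-file counterpart of Standard Mode. The record layout follows Suricata's fast.log output; the sample records, their sids and addresses are constructed.

```rust
// Added example, not part of Suri Oculus: a std-only parser for Suricata fast.log records.
//   <ts>  [**] [Drop] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <n>] {<proto>} <src> -> <dst>
// "[Drop] " (or "[wDrop] ") appears only for packets dropped (or would-be dropped) in IPS mode.
#[derive(Debug, Clone, PartialEq)]
pub struct FastLogEvent {
    pub timestamp: String,
    pub action: String, // "alert", "Drop" or "wDrop"
    pub gid: u32, pub sid: u32, pub rev: u32,
    pub msg: String, pub classification: String, pub priority: u32,
    pub proto: String, pub src: String, pub dst: String,
}

// Text between `open` and the next `close`, plus whatever follows the close.
fn between<'a>(s: &'a str, open: &str, close: &str) -> Option<(&'a str, &'a str)> {
    let rest = &s[s.find(open)? + open.len()..];
    let end = rest.find(close)?;
    Some((&rest[..end], &rest[end + close.len()..]))
}

/// Parse one line; None for anything that is not a well-formed record (never panics).
pub fn parse_fast_log_line(line: &str) -> Option<FastLogEvent> {
    let (timestamp, rest) = line.split_once(" [**] ")?;
    let (action, rest) = if let Some(r) = rest.strip_prefix("[Drop] ") { ("Drop", r) }
        else if let Some(r) = rest.strip_prefix("[wDrop] ") { ("wDrop", r) } else { ("alert", rest) };
    let (ids, rest) = rest.strip_prefix('[')?.split_once("] ")?;
    let mut id = ids.splitn(3, ':').map(|p| p.parse::<u32>().ok());
    let (gid, sid, rev) = (id.next()??, id.next()??, id.next()??);
    let (msg, rest) = rest.split_once(" [**] ")?;
    let (classification, rest) = between(rest, "[Classification: ", "]")?;
    let (priority, rest) = between(rest, "[Priority: ", "]")?;
    let (proto, rest) = between(rest, "{", "}")?;
    let (src, dst) = rest.trim().split_once(" -> ")?;
    Some(FastLogEvent {
        timestamp: timestamp.trim().to_string(), action: action.to_string(), gid, sid, rev,
        msg: msg.to_string(), classification: classification.to_string(), priority: priority.parse().ok()?,
        proto: proto.to_string(), src: src.to_string(), dst: dst.to_string(),
    })
}

/// Parse a whole buffer: (well-formed events, number of rejected lines).
pub fn parse_fast_log(text: &str) -> (Vec<FastLogEvent>, usize) {
    let lines = text.lines().filter(|l| !l.trim().is_empty());
    let (ok, bad): (Vec<_>, Vec<_>) = lines.map(parse_fast_log_line).partition(Option::is_some);
    (ok.into_iter().flatten().collect(), bad.len())
}

// Constructed sample records, not real Suricata output; sids are in the local 1000000+ range.
pub const SAMPLE_FAST_LOG: &str = "\
05/21/2024-10:32:15.123456  [**] [1:1000001:1] LOCAL TEST outbound request to blocked ad domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.5:443
05/21/2024-10:32:16.000001  [**] [Drop] [1:1000002:1] LOCAL TEST inbound connection to database port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:41822 -> 192.0.2.20:3306
truncated or foreign line that must be rejected rather than crash the parser
";
```

Rejected lines are counted rather than dropped silently, so a display layer can flag a log that Suricata truncated mid-write or that another process appended to.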
Backend #
Developed in C++ using the Pistache framework, the backend handles event processing, rule management, and access to statistical data, ensuring efficient and reliable operation.
Frontend #
The web interface, implemented using HTML, JavaScript, and Rust, provides a user-friendly platform for interacting with Suricata, offering full access to the system’s functionality.
Oculus Tools #
A suite of tools developed in Rust for rule management, new rule generation, and dataset handling, ensuring performance and security.
Log Parsing with Redis #
A standout feature of Suri Oculus is its advanced log parsing method using Redis. In Redis Mode, Suricata logs are sent directly to the Redis database, allowing for real-time processing and analysis. This method enhances the speed and efficiency of log management, setting Suri Oculus apart from traditional systems that rely on standard file-based log processing.
Configuration #
The daemonmove and daemonparser services are configured to handle log processing in Redis Mode and Standard Mode, respectively. The configuration file for daemonmove, located in the /etc/redismove directory, defines the main operating parameters, including event distribution keys and paths to log and temporary files. This ensures the system is correctly set up and optimized for Suri Oculus operations.
Conclusion #
Suri Oculus represents a leap forward in network security, offering a high-performance, resource-efficient solution for IDS/IPS log management and analysis. By leveraging C++, Rust, and Redis, Suri Oculus provides unparalleled speed and efficiency, making it an ideal choice for organizations seeking to enhance their network security, regardless of their hardware capabilities. With its comprehensive feature set and innovative log parsing method, Suri Oculus is poised to become a critical tool in the arsenal of modern network security solutions.