October 25, 2024 By Sergey

Backend and Log Parser of Suri Oculus: Standalone Tools for Suricata Management


Suricata is a powerful Intrusion Detection and Prevention System (IDS/IPS) that is widely used for network security. Managing it effectively and integrating it into existing infrastructure, however, can be a challenge. The Suri Oculus project provides components that simplify both tasks.

Suri Oculus: A Brief Overview

Suri Oculus is a high-performance IDS/IPS log management and analysis system built around Suricata and the Pistache C++ web framework, with Redis as its data store. The key components of the project are:

  • Backend (API): Written in C++ on Pistache; it handles event processing, rule management, and access to statistics.
  • Log Parser (daemonmove service): A daemon that reads Suricata's eve.json output and sorts records by event type so they can be retrieved and analysed conveniently.

Both components can be used independently, providing developers and administrators with flexible tools to create their own systems and extensions for managing Suricata.

Backend (API): Extensible Capabilities

The Suri Oculus backend exposes a RESTful API through which other applications and services can drive Suricata. Key features include:

  • Event Management: Retrieval, search, and deletion of events by event type, event_id, and time frame.
  • Rule Management: Viewing, searching, adding, validating, updating, and deleting Suricata rules, including managing rule status and handling additional rule sets.
  • Suricata Management: Commands to start, stop, and restart Suricata and to switch between IDS and IPS modes. Because these endpoints can stop the sensor or change how it treats traffic, they are a privileged control surface and should be reachable only from trusted management networks.
  • Working with IoCs (Indicators of Compromise): Ingestion of up-to-date IoCs to improve detection and automate incident response.
  • Statistics: Packet, alert, CPU, and memory figures for monitoring the sensor's performance.
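To make the rule-management and IoC items concrete, here is an added example in Python. It is my own illustration, not Suri Oculus code: it turns IP and domain IoCs into Suricata alert rules and applies the kind of structural validation a backend should run before accepting a rule (header shape, balanced quotes, required msg/sid/rev, sid not already in use). The local sid range, the use of $HOME_NET, the feed names and the sample rules are assumptions. This check is a gatekeeper only; the authoritative test remains `suricata -T -c suricata.yaml -S file.rules`, which it does not replace.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Suricata rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>[a-z0-9-]+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_options(body: str) -> list[str]:
    """Split 'k:v; k; ...' on ';' while honouring quoted values and escapes."""
    parts, cur, quoted, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            if ch == '"':
                quoted = not quoted
            cur.append(ch)
    if quoted:
        raise ValueError("unbalanced quote in rule options")
    if "".join(cur).strip():
        raise ValueError("rule options must end with ';'")
    return [p for p in parts if p]


def validate_rule(rule: str, known_sids: set[int]) -> list[str]:
    """Return a list of problems; an empty list means the rule passes."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return ["header is not 'action proto src sport dir dst dport (options)'"]
    try:
        opts = split_options(m.group("opts"))
    except ValueError as exc:
        return [str(exc)]
    kv: dict[str, list[str]] = {}
    for opt in opts:
        name, _, value = opt.partition(":")
        kv.setdefault(name.strip(), []).append(value.strip())
    problems = [f"missing required option '{k}'" for k in ("msg", "sid", "rev") if k not in kv]
    if "sid" in kv:
        sid = kv["sid"][0]
        if not sid.isdigit():
            problems.append("sid must be an integer")
        elif int(sid) in known_sids:
            problems.append(f"sid {sid} already exists")
    if "msg" in kv:
        msg = kv["msg"][0]
        if len(msg) < 2 or not (msg.startswith('"') and msg.endswith('"')):
            problems.append("msg must be a quoted string")
    return problems


def ioc_to_rule(ioc: str, sid: int, ref: str) -> str:
    """Build an alert rule for an IP or domain IoC (assumed: sids >= 1000000 are local)."""
    try:
        ipaddress.ip_address(ioc)
        return (f'alert ip $HOME_NET any -> {ioc} any '
                f'(msg:"IoC hit: traffic to {ioc} ({ref})"; sid:{sid}; rev:1;)')
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(ioc):
        return (f'alert dns $HOME_NET any -> any any '
                f'(msg:"IoC hit: DNS query for {ioc} ({ref})"; '
                f'dns.query; content:"{ioc}"; nocase; sid:{sid}; rev:1;)')
    raise ValueError(f"unsupported IoC value: {ioc!r}")


def import_iocs(iocs: Iterable[tuple[str, str]], existing_rules: Iterable[str],
                first_sid: int = 1000001) -> tuple[list[str], list[tuple[str, str]]]:
    """Generate rules for (ioc, source) pairs, never reusing a sid already in the ruleset."""
    known = {int(m.group(1)) for r in existing_rules if (m := SID_RE.search(r))}
    accepted, rejected, sid = [], [], first_sid
    for ioc, ref in iocs:
        while sid in known:
            sid += 1
        try:
            rule = ioc_to_rule(ioc, sid, ref)
        except ValueError as exc:
            rejected.append((ioc, str(exc)))
            continue
        if problems := validate_rule(rule, known):
            rejected.append((ioc, "; ".join(problems)))
            continue
        known.add(sid)
        accepted.append(rule)
        sid += 1
    return accepted, rejected


if __name__ == "__main__":
    # Constructed feed and existing ruleset, not real data.
    feed = [("203.0.113.7", "feed-A"), ("evil.example", "feed-A"), ("not an ioc!", "feed-B")]
    local = ['alert tcp any any -> any any (msg:"placeholder"; sid:1000001; rev:1;)']
    ok, bad = import_iocs(feed, local)
    print("\n".join(ok))
    print("rejected:", bad)
```

The sid collision check matters in practice: a feed that silently reuses a sid already loaded makes Suricata refuse the whole file, so the API should reject the single rule rather than let the reload fail later.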

Log Parser: Efficient Data Processing

The daemonmove service is designed for real-time processing of Suricata logs. Two operation modes are supported:

  1. Standard Mode: Reading logs from the eve.json file.
  2. Redis Mode: Receiving records straight from Redis (Suricata's eve-log output can write to Redis instead of a file), which avoids tailing eve.json and increases processing speed.

The parser is configured through the conf.cfg file, which defines the keys used to distribute events and the paths to the log files.
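As an added illustration of what the parser does and of the event queries the backend exposes (my own code, not the daemonmove service), the Python below ingests eve.json lines, buckets them by event_type under Redis-style keys, counts rather than crashes on a truncated line (what a tail reader sees when it catches a partial write), and answers lookups by event type, event_id and time frame. The `suricata:<event_type>` key scheme, the way event_id is derived and the sample log lines are all assumptions; the store is an in-memory stand-in for the Redis keys the real parser would populate.

```python
from __future__ import annotations

import hashlib
import json
from collections import defaultdict
from datetime import datetime

# Assumed key scheme; the real prefix would come from conf.cfg.
KEY_PREFIX = "suricata"

# Constructed eve.json excerpt, not output from a real sensor. The last line is
# deliberately cut off, as happens when a reader catches a partial write.
SAMPLE_EVE = """\
{"timestamp":"2024-10-25T10:15:30.123456+0200","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","proto":"TCP","alert":{"signature_id":1000001,"signature":"IoC hit","severity":2}}
{"timestamp":"2024-10-25T10:15:31.000001+0200","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"evil.example","rrtype":"A"}}
{"timestamp":"2024-10-25T10:16:00.000000+0200","event_type":"stats","stats":{"capture":{"kernel_packets":4242}}}
{"timestamp":"2024-10-25T10:16:05.000000+0200","event_type":"alert","src_ip":"10.0.0.9"
"""


def parse_timestamp(ts: str) -> datetime:
    """Suricata writes timestamps like 2024-10-25T10:15:30.123456+0200."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def event_id_for(raw: str) -> str:
    # Assumed scheme: derive the id from the raw record so that re-reading the
    # same file (after a restart, say) stores each event only once.
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


class EventStore:
    """In-memory stand-in for the Redis keys the parser would populate."""

    def __init__(self, prefix: str = KEY_PREFIX) -> None:
        self.prefix = prefix
        self.by_key: dict[str, dict[str, dict]] = defaultdict(dict)  # key -> {event_id: record}
        self.index: dict[str, str] = {}                              # event_id -> key
        self.malformed = 0

    def ingest_line(self, line: str) -> str | None:
        line = line.strip()
        if not line:
            return None
        try:
            rec = json.loads(line)
            etype = rec["event_type"]
            ts = parse_timestamp(rec["timestamp"])
        except (ValueError, KeyError, TypeError):
            self.malformed += 1  # truncated or non-JSON line: count it, keep going
            return None
        eid = event_id_for(line)
        rec["_event_id"], rec["_ts"] = eid, ts
        key = f"{self.prefix}:{etype}"
        self.by_key[key][eid] = rec
        self.index[eid] = key
        return eid

    def ingest(self, text: str) -> int:
        """Feed a chunk of eve.json; returns the number of records stored."""
        return sum(1 for ln in text.splitlines() if self.ingest_line(ln) is not None)

    def search(self, event_type: str | None = None, since: datetime | None = None,
               until: datetime | None = None) -> list[dict]:
        keys = [f"{self.prefix}:{event_type}"] if event_type else list(self.by_key)
        hits = [r for k in keys for r in self.by_key.get(k, {}).values()
                if (since is None or r["_ts"] >= since) and (until is None or r["_ts"] <= until)]
        return sorted(hits, key=lambda r: r["_ts"])

    def get(self, event_id: str) -> dict | None:
        key = self.index.get(event_id)
        return None if key is None else self.by_key[key][event_id]

    def delete(self, event_id: str) -> bool:
        key = self.index.pop(event_id, None)
        if key is None:
            return False
        del self.by_key[key][event_id]
        return True


if __name__ == "__main__":
    store = EventStore()
    print("stored:", store.ingest(SAMPLE_EVE), "malformed:", store.malformed)
    for key, recs in sorted(store.by_key.items()):
        print(key, len(recs))
    for rec in store.search(event_type="alert"):
        print(rec["_event_id"], rec["alert"]["signature"])
```

Two details carry over to a real deployment: every record is parsed with a timezone-aware timestamp so time-frame queries compare correctly across sensors in different zones, and the malformed counter is worth exporting as a metric, since a steadily rising value usually means the reader is racing Suricata's writes or the log was rotated underneath it.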

Advantages of Using Suri Oculus Components

  • Flexibility and Scalability: Ability to integrate individual components into existing systems without the need to deploy the entire platform.
  • High Performance: C++ and Redis give fast data access with low resource consumption.
  • Ease of Integration: The backend’s RESTful API simplifies interaction with other applications and services.
  • Customizability: Ability to adapt functionality to specific network needs and security requirements.

Conclusion

The Suri Oculus backend and log parser are useful tools for developers and security specialists who want to extend Suricata's capabilities or integrate its functions into their own projects. With these components you can build custom solutions for monitoring, analysing, and managing network security that fit the demands of a modern environment.