December 1, 2025 By Sergey

Introducing Oculus Tools: Automated Domain Intelligence for Modern Network Security

Today I want to highlight another important component of the Suri Oculus ecosystem — Oculus Tools, a lightweight but powerful toolkit designed to automate the entire workflow of collecting, filtering, and preparing domain intelligence for security systems.

In modern networks, even a small infrastructure generates a massive flow of DNS queries. Reliable filtering, whether for security, compliance, or content control, requires not only good rules but also fresh, well-structured domain data. Oculus Tools solves this in a clean, predictable, fully automated way.


What Oculus Tools Does

Oculus Tools is a complete pipeline for transforming publicly available domain lists into curated, Base64-encoded datasets suitable for use in IDS/IPS, firewalls, DNS servers, and filtering proxies.

The workflow consists of four core stages:

1. Downloading Source Lists

The tool fetches domain lists from several security-relevant categories:
• Universal (general malicious and unwanted domains)
• Fake news
• Gambling
• Pornography
• Social networks

This stage is implemented in the Python script download_lists.py, which retrieves each list from trusted open sources and saves it locally, for example as universal.lst or social.lst.

2. Prefiltering and Deduplication

Each of the downloaded lists is passed through the prefilter_app (Rust-based), which:

  • removes duplicates,

  • cleans malformed domain entries,

  • extracts meaningful subdomains,

  • filters noise and unnecessary fragments.

This step ensures that the dataset is compact, clean, and ready for further processing.

3. Base64 Encoding

Filtered domain lists are then passed into base64coder_app, which converts them into Base64-encoded .blst files.

This format is:

  • lightweight

  • consistent across systems

  • suitable for embedding into APIs, configs, or binary distributions

  • optimized for reliable transmission

4. Automated Cleanup

Temporary .tmp and raw .lst files are removed — leaving only the final .blst lists.

The entire workflow is orchestrated by the main shell script make_base_opt.sh, which:

  • runs the pipeline step-by-step,

  • checks error conditions,

  • stops processing if any stage fails.
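Stages 2 and 3 above, sketched in Python as an added example; this is not the code of prefilter_app or base64coder_app. The hosts-file input handling, the validation rules (URL-style entries are dropped as malformed) and the one-Base64-value-per-line output, which is the layout Suricata uses for string dataset files, are assumptions, since the post does not specify the .blst format.

```python
import base64
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample input mixing hosts-file and plain-list styles.
SAMPLE = """\
# constructed sample list
0.0.0.0 ads.example.com
Ads.Example.com.
tracker.example.net   # inline comment
127.0.0.1 localhost
not a domain
-bad-.example.org
http://malware.example.org/path
tracker.example.net
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def normalize(line):
    """Return the cleaned domain from one list line, or None if unusable."""
    fields = line.split("#", 1)[0].lower().split()
    if len(fields) == 2 and _is_ip(fields[0]):
        fields = fields[1:]          # hosts-file form: "<ip> <domain>"
    if len(fields) != 1 or _is_ip(fields[0]):
        return None                  # empty, free text, or a bare IP address
    domain = fields[0].rstrip(".")   # drop the trailing root dot
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2:
        return None                  # too long, or a single-label name
    return domain if all(_LABEL.fullmatch(l) for l in labels) else None

def prefilter(text):
    """Clean every line and deduplicate, keeping first-seen order."""
    cleaned = (normalize(line) for line in text.splitlines())
    return list(dict.fromkeys(d for d in cleaned if d))

def encode_lines(domains):
    """Base64-encode each domain separately, one value per output line."""
    return [base64.b64encode(d.encode("ascii")).decode("ascii") for d in domains]

if __name__ == "__main__":
    print("\n".join(encode_lines(prefilter(SAMPLE))))
```

Of the nine sample lines only two distinct domains survive, which is the kind of reduction that keeps the final lists small enough for router-class devices.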


Why It Matters

Modern network environments need:

  • fresh domain intelligence,

  • reliable filtering data,

  • automated updates,

  • consistent machine-readable formats.

Oculus Tools provides all of this out of the box.

The output .blst files integrate seamlessly into:

✔ Suricata-based systems
✔ DNS-level blocking
✔ Firewalls and proxy servers
✔ IoT and router-grade filtering
✔ Custom AI/ML threat-classification pipelines

Even low-powered devices (home routers, micro-servers, compact firewalls) can use these lists effectively — they are small, optimized, and prefiltered.


Practical Use Cases

  • Malicious domain blocking in enterprise or small office networks

  • Content filtering (gambling, porn, fake news categories)

  • SIEM/IDS augmentation — enriching alerts with domain intelligence

  • DNS-level protection on micro-devices

  • Preprocessing for ML/AI models (e.g., feeding domain features into anomaly detectors)


Looking Ahead

Oculus Tools is evolving together with the rest of the Suri Oculus project. Upcoming updates will include:

  • automatic scheduling and incremental updates

  • canary validation of upstream sources

  • integration with Redis for fast deployment

  • optional signing of .blst files

  • extended categories and custom user-defined lists

The goal is simple: provide a flexible, reliable, and production-ready domain intelligence pipeline that can run everywhere — from a home router to a data-center-grade Suricata cluster.


If you want to test it

The toolkit is lightweight, fast, and easy to integrate into any security workflow. If your infrastructure relies on domain-level filtering or Suricata analytics, Oculus Tools can save hours of manual work and bring your filtering quality to a new level.

Feel free to reach out if you want to test or integrate it into your environment.

Learn More

Official Suricata documentation is available at https://docs.suricata.io/en/suricata-8.0.2/