Suricata is a powerful open-source IDS/IPS engine widely used in enterprise networks and security monitoring systems.
Suri Oculus is a high-performance management and visualization platform built on top of Suricata, providing fast log processing, advanced analytics, AI-based anomaly detection, and convenient rule management.
This guide walks you through the full installation and configuration process for Suricata and Suri Oculus, including performance optimization, rule configuration, IoC integration, and service setup.
1. Installing Suricata
1.1 Debian / Ubuntu
sudo apt update
sudo apt install suricata suricata-update jq
sudo systemctl enable suricata
sudo systemctl start suricata
1.2 Fedora / RHEL / CentOS
sudo dnf install suricata
sudo systemctl enable suricata
sudo systemctl start suricata
1.3 Routers and ARM-based Devices
Suricata can run on:
OpenWRT
Debian ARM / Ubuntu ARM
Raspberry Pi, Orange Pi, and similar devices
OpenWRT installation:
opkg update
opkg install suricata
Suri Oculus is optimized for low-power hardware and performs well even on systems with 1–2 GB RAM.
After installing Suricata, you can monitor events through the Suricata dashboard in Suri Oculus.
Learn more: https://suri-oculus.com/suricata-dashboard
Suricata — official site https://suricata.io
Suricata installation documentation https://docs.suricata.io/en/latest/install.html
2. Configuring Suricata
2.1 Configure Suricata to Output Logs to Redis
Suri Oculus reads Suricata events directly from Redis.
Enable Redis output in the outputs section of suricata.yaml. Suricata only has this filetype if it was built with hiredis (check with suricata --build-info | grep -i hiredis). The filename key applies to filetype regular only; a Redis target is described in the redis sub-block:
  - eve-log:
      enabled: yes
      filetype: redis   # regular | syslog | unix_dgram | unix_stream | redis
      redis:
        server: 127.0.0.1
        port: 6379
        mode: list      # list is an alias for lpush; rpush and channel are the alternatives
        key: suricata   # Suricata's default; must match the key the Suri Oculus backend reads
Events then go straight to Redis instead of an ever-growing eve.json, which removes the disk writes and the log rotation a file output needs. Two caveats: with this filetype Suricata writes nothing to eve.json, so keep fast.log (or a second eve-log instance with filetype regular) if you need an on-disk record for forensics; and Redis holds events only until a consumer pops them, so the list is a queue, not an archive, and grows without bound if the backend stops consuming.
3. Starting Required Services
Once Suricata is configured, start the underlying services.
3.1 Redis
sudo systemctl enable redis
sudo systemctl start redis
3.2 Suricata
sudo systemctl enable suricata
sudo systemctl start suricata
3.3 Daemonmove
Daemonmove processes domain lists, generates datasets, and updates IoC structures:
sudo systemctl enable daemonmove
sudo systemctl start daemonmove
4. Network Capture Configuration
Suricata supports several traffic acquisition modes.
4.1 AF_PACKET — recommended mode
  af-packet:
    - interface: eth0
      threads: auto
      cluster-id: 98
      cluster-type: cluster_flow
      defrag: yes
This is the IDS (sniffing) form: one interface, traffic is copied to Suricata and nothing is blocked. AF_PACKET can also run as an IPS, but only as an inline bridge between two interfaces, each configured with copy-mode: ips and copy-iface pointing at the other; a drop rule has no effect in the single-interface configuration above.
4.2 NFQUEUE — IPS mode
Used with iptables/nftables. Suricata must attach to the queue, i.e. run with -q 0 (on Debian/Ubuntu set LISTENMODE=nfqueue in /etc/default/suricata):
  nfq:
    mode: repeat        # accept (default) | repeat | route
    repeat-mark: 1
    repeat-mask: 1
    batchcount: 20
    fail-open: yes      # if the queue overflows, the kernel passes packets uninspected instead of dropping them
Redirect packets. In repeat mode Suricata marks each packet and re-injects it into the chain, so the rule must skip already-marked packets or every packet re-enters the queue endlessly:
  iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE --queue-num 0
This rule only inspects forwarded traffic; add equivalent INPUT and OUTPUT rules if the host's own traffic should be covered. fail-open trades inspection for availability under load: a saturated queue means traffic passes without any rule being evaluated.
4.3 PCAP — passive mode
pcap:
- interface: eth0
5. Performance Optimization
Suricata benefits from proper tuning, especially on constrained hardware.
5.1 Detection engine tuning
The rule-grouping profile trades memory for faster signature lookup; medium is the default and low is the choice for constrained devices. In Suricata 4.0 and later the section is named detect (detect-engine with list syntax is the pre-4.0 form):
  detect:
    profile: medium
5.2 Thread configuration
Pinning worker threads to CPUs avoids cache thrashing; the cpu-affinity lists in suricata.yaml decide which cores management and worker threads use:
  threading:
    set_cpu_affinity: yes
5.3 Memory limits
stream.memcap caps TCP session tracking; stream.reassembly.memcap (a separate key) caps reassembly buffers and is usually the larger consumer, so size both:
  stream:
    memcap: 256mb
5.4 Disable unused protocol parsers
Each app-layer protocol is a mapping with an enabled key; a bare krb5: no does not match this schema and will not turn the parser off:
  app-layer:
    protocols:
      krb5:
        enabled: no
      ntp:
        enabled: no
5.5 Optimization for low-power devices
reduce logged fields
disable TLS fingerprinting if unnecessary
disable noisy rule categories
use Redis instead of writing large eve.json files
6. Suricata Rules Management
Suricata provides a flexible rule system, and Suri Oculus enhances this by offering rule management directly through the web interface.
6.1 Rule file configuration
Recommended configuration (paths are resolved relative to default-rule-path; suricata-update rewrites suricata.rules on every run, so local rules belong in additional.rules or another separate file):
rule-files:
- suricata.rules
- additional.rules
# - ioc_url.rules
# - ioc_ip.rules
# - ioc_domain.rules
6.2 The additional.rules file
This file contains custom Suri Oculus rule sets, for example:
#drop dns $HOME_NET any -> any any (msg:"Oculus Universal DNS Query...";
# dns.query; dataset:isset, universal.blst, type string,
# load /var/lib/suricata/universal.blst; ...)
Categories include:
- social
- adult
- gambling
- fakenews
- universal domain lists
These lists are dynamically updated by Oculus Tools.
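The dataset rule in 6.2 matches dns.query against a file that Daemonmove (3.3) and Oculus Tools generate from domain lists. The following is an added example of how such a file is built and checked; it is not Daemonmove's or Oculus Tools' code. It relies on two Suricata facts: string datasets store each value base64-encoded, one per line, and dataset:isset is an exact match on the buffer. The input list format (one domain per line, # comments), the file path and the sid in the companion rule are assumptions.

```python
"""Turn a plain domain list into a Suricata 'type string' dataset file.

Added example, not Daemonmove / Oculus Tools code. A companion rule in the
style of additional.rules (constructed; sid chosen arbitrarily):
  drop dns $HOME_NET any -> any any (msg:"Oculus Universal DNS Query";
      dns.query; dataset:isset,universal.blst,type string,load /var/lib/suricata/universal.blst;
      sid:9000001; rev:1;)
"""
import base64

# Constructed input list (not a real blocklist): mixed case, a trailing dot,
# a duplicate, a comment, a blank line and one junk entry.
RAW_LIST = """\
# ads and trackers
Ads.Example.NET
tracker.example.org.
ads.example.net

not a domain!
"""

MAX_LABEL = 63
MAX_NAME = 253


def normalize_domain(name):
    """Canonicalise one entry the way names appear in dns.query: lowercase,
    no trailing dot, ASCII only (IDNs must already be punycode, as on the
    wire). Returns None for anything that is not a plausible hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or "." not in name or len(name) > MAX_NAME or not name.isascii():
        return None
    for label in name.split("."):
        if not label or len(label) > MAX_LABEL:
            return None
        if not all(ch.isalnum() or ch in "-_" for ch in label):
            return None
    return name


def build_dataset(text):
    """Return (sorted unique domains, dataset file contents, rejected lines).

    The contents are what Suricata expects to `load`: one base64-encoded
    value per line. Rejected lines are returned rather than silently dropped
    so a corrupted or tampered feed is visible to the operator."""
    domains, rejected = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        domain = normalize_domain(entry)
        if domain is None:
            rejected.append(entry)
        else:
            domains.add(domain)
    ordered = sorted(domains)
    contents = "".join(
        base64.b64encode(d.encode("ascii")).decode("ascii") + "\n" for d in ordered
    )
    return ordered, contents, rejected


def dataset_isset(contents, query):
    """Mimic `dataset:isset` against a dns.query value: decode the file and
    test for an exact match. Subdomains of a listed name do not match, which
    is also how the rule behaves on the wire."""
    values = {base64.b64decode(line).decode("ascii") for line in contents.split()}
    normalized = normalize_domain(query)
    return normalized is not None and normalized in values


if __name__ == "__main__":
    ordered, contents, rejected = build_dataset(RAW_LIST)
    print("dataset entries:", ordered)
    print("rejected:", rejected)
    print(contents, end="")
    for q in ("ADS.example.net.", "www.ads.example.net"):
        print(q, "->", "blocked" if dataset_isset(contents, q) else "allowed")
```

Because the match is exact, a query for a subdomain of a listed name passes; lists meant to cover whole zones need every hostname, or a different rule construction. Case is also significant in the dataset, so the list is lowercased here; newer Suricata releases can additionally apply the to_lowercase transform to dns.query before the dataset keyword to neutralise mixed-case queries.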
6.3 IoC rule integration
Suri Oculus generates:
- ioc_url.rules
- ioc_ip.rules
- ioc_domain.rules
These rules bring current Indicators of Compromise into Suricata detection logic.
7. Configuring Suri Oculus
7.1 Starting the backend service
sudo oculus-server
The backend handles:
communication with Suricata
Redis operations
IoC processing
REST API for the frontend
7.2 Starting the web interface
cd /opt/suri-oculus-front
sudo ./suri-oculus-front
Frontend is available at:
http://IP:9090
7.3 The new config.js file (important)
/opt/suri-oculus-front/config.js
Contents:
export const backendUrl = 'http://backend_ip:8080';
This parameter must point at the backend's REST API, as reached from the browser, not from the frontend host. Note that the page uses plain HTTP for both the backend (8080) and the frontend (9090); since the interface manages rules and drop actions, restrict both ports to the management network and place them behind a TLS-terminating reverse proxy rather than exposing them directly.
7.4 Suricata → Redis → Oculus architecture
Suricata pushes eve-log events into Redis
Daemonmove processes datasets and IoC files
Oculus backend reads logs from Redis
The frontend visualizes traffic and alerts in real time
Advantages:
minimal latency
extremely high log processing speed
very low CPU usage
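The Redis leg of this pipeline (also the subject of 2.1) can be illustrated with a small consumer. The following is an added example, not Suri Oculus backend code: it pops EVE records from the list and aggregates them into the counts the dashboards in section 8.5 display. It assumes the eve-log defaults from 2.1 (key suricata, list mode, which LPUSHes) and uses the redis-py package for the live connection; the sample events are constructed, not captured.

```python
"""Consume Suricata EVE events from the Redis list that eve-log pushes to.

Added example: not Suri Oculus code. Assumes eve-log filetype redis in its
default mode (list = LPUSH onto key "suricata"); the key and mode the real
Oculus backend expects are not stated in the guide.
"""
import json
from collections import Counter

# Constructed EVE records (not captured traffic). Each Redis list entry is one
# JSON document, exactly what eve-log would otherwise write as a line of eve.json.
SAMPLE_EVENTS = [
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","id":4242,"rrname":"ads.example.net","rrtype":"A"}}',
    '{"timestamp":"2024-05-01T10:00:01.000100+0000","flow_id":2,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"Oculus Universal DNS Query","category":"Policy Violation","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:01.000200+0000","flow_id":2,"event_type":"drop",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP",'
    '"drop":{"len":71,"tos":0,"ttl":64,"ipid":1}}',
    '{"event_type":"stats","stats":{"uptime":120}}',
    'not json at all',  # a corrupt entry must not take the consumer down
]


def parse_event(raw):
    """Decode one list entry; return the event dict, or None if it is unusable."""
    try:
        event = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(event, dict) or "event_type" not in event:
        return None
    return event


def summarize(raw_events):
    """Aggregate a batch of raw entries the way a dashboard would.

    Returns counts per event_type, alert counts keyed by (sid, signature),
    the number of alerts whose action was 'blocked' (i.e. drop rules that
    fired in IPS mode), and the number of entries that could not be parsed.
    """
    summary = {"by_type": Counter(), "alerts": Counter(), "blocked": 0, "malformed": 0}
    for raw in raw_events:
        event = parse_event(raw)
        if event is None:
            summary["malformed"] += 1
            continue
        summary["by_type"][event["event_type"]] += 1
        if event["event_type"] == "alert":
            alert = event.get("alert", {})
            summary["alerts"][(alert.get("signature_id"), alert.get("signature"))] += 1
            if alert.get("action") == "blocked":
                summary["blocked"] += 1
    return summary


def drain_redis(key="suricata", host="127.0.0.1", port=6379, limit=1000, timeout=1):
    """Pop up to `limit` entries in arrival order and return them as strings.

    Suricata's list mode LPUSHes new events onto the head of the list, so a
    FIFO consumer must pop from the tail with BRPOP; LPOP would read the
    newest event first. redis-py is imported lazily so the parsing above has
    no external dependency.
    """
    import redis
    client = redis.Redis(host=host, port=port)
    entries = []
    while len(entries) < limit:
        item = client.brpop(key, timeout=timeout)
        if item is None:  # list drained
            break
        entries.append(item[1].decode("utf-8", "replace"))
    return entries


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print("events by type:", dict(result["by_type"]))
    for (sid, signature), count in result["alerts"].most_common():
        print(f"  sid {sid}: {signature} x{count}")
    print("blocked alerts:", result["blocked"], "| malformed entries:", result["malformed"])
```

Replacing SAMPLE_EVENTS with drain_redis() turns this into a quick end-to-end check that events actually reach Redis, which is useful during the verification in section 8 since nothing is written to eve.json in this setup. Note that popping is destructive: whatever this script consumes never reaches the Oculus backend, so run it against a test key or a replica, not the production list.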
8. Verification and Diagnostics
8.1 Validate Suricata configuration
  sudo suricata -T -c /etc/suricata/suricata.yaml -v
-T parses the configuration and every rule file without starting capture; with -v the log ends with the number of rule files processed and rules loaded, plus an error line for each rule that failed to parse.
8.2 List loaded rules
Suricata has no --list-rules option. The loaded-rule count comes from the -T -v run above; for a per-rule breakdown (fast pattern chosen, warnings) run:
  sudo suricata --engine-analysis
which writes rules_analysis.txt into the log directory.
8.3 Test IDS mode
  curl http://testmynids.org/uid/index.html
The response body mimics the output of id reporting uid=0(root) and fires the classic GPL "ATTACK_RESPONSE id check returned root" signature (sid 2100498) in any ruleset that includes the ET Open attack-response rules. Because eve-log goes to Redis in this setup, look for the alert in the Suri Oculus alert view (or confirm the list is growing with redis-cli LLEN <key>) rather than in eve.json; fast.log still shows it if that output is enabled. The request must traverse the interface Suricata captures on.
8.4 Test IPS mode (NFQUEUE)
Change the action of the test signature above from alert to drop (a local copy in additional.rules, or suricata-update's modify.conf), reload the ruleset with suricatasc -c reload-rules, and repeat the curl. Expected outcome: the request hangs and times out, an alert with action blocked is logged, and a drop event appears if drop logging is enabled in eve-log. If the request still succeeds, check that the packet actually traverses the queue (the packet counters of the NFQUEUE rule in iptables -L FORWARD -v -n) and that Suricata is running with -q 0; remember that with fail-open: yes a saturated queue also lets traffic through uninspected.
8.5 Check Suri Oculus dashboards
The interface should display:
- alert events
- anomalies
- DNS/Flow/TLS logs
- drop events
- rule actions
Conclusion
The Suricata + Suri Oculus stack provides a powerful, fast, and flexible security monitoring system suitable for both enterprise environments and low-power devices.
Suricata ensures accurate detection and prevention of threats, while Suri Oculus delivers advanced visualization, rule control, IoC integration, and AI-driven analytics.
With proper configuration and optimization, this platform becomes a comprehensive IDS/IPS management solution tailored to your infrastructure.