Proper Suricata Configuration for Suri Oculus

3. Verifying Rule Loading

After startup, the log should show something like:

48709 rules successfully loaded

48714 signatures processed

If suricata -T does not display this in the console, check:

/var/log/suricata/suricata.log

4. Critical Section: rule-files

Your Suricata configuration must contain a properly structured rule-files section:

default-rule-path: /var/lib/suricata/rules

rule-files:
– suricata.rules
– additional.rules
# – ioc_url.rules
# – ioc_ip.rules
# – ioc_domain.rules

This is essential.

Explanation:

suricata.rules

The main aggregated ruleset (e.g., ET Open).

additional.rules

Custom rules managed by Suri Oculus.

ioc_*.rules

Automatically generated by Suri Oculus based on IOC intelligence feeds.

5. The additional.rules File

This file contains custom DNS filtering rules using Suricata datasets.

Example:

drop dns $HOME_NET any -> any any (msg:”Oculus Social DNS Query”;
dns.query;
dataset:isset, social.blst, type string, load /var/lib/suricata/social.blst, memcap 10mb, hashsize 1024;
classtype:trojan-activity;
sid:2000003; rev:1;)

Purpose

Block social media domains
Block adult content
Block gambling domains
Block fake news sources
Apply custom DNS blacklists

Why use datasets?

High performance
Efficient memory handling
Dynamic updates without rule recompilation

Dataset files (*.blst) are updated via Oculus tools.

6. IOC Integration

The following files:

ioc_url.rules
ioc_ip.rules
ioc_domain.rules

Are generated automatically by Suri Oculus from its IOC database.

This ensures:

Threat intelligence integration
Automatic signature updates
Centralized policy control

If these lines are commented out, IOC rules will not be loaded.

7. HOME_NET — A Critical Parameter

If scan detection or FTP alerts seem weak, the most common cause is an incorrect HOME_NET.

Example:

vars:
address-groups:
HOME_NET: “[10.10.10.0/24]”
EXTERNAL_NET: “!$HOME_NET”

For lab testing only:

HOME_NET: “any”

8. Verifying Detection in Real Time

Check runtime counters:

suricatasc -c dump-counters

Monitor events:

tail -f /var/log/suricata/eve.json

9. Organizing Test Attacks

Recommended structured testing sequence:

Ping
nmap -sS
nmap -p-
siege or ab
hydra (FTP test)
Short hping3 burst
nikto

This validates:

ET SCAN signatures
FTP detection
HTTP parsing
Flow logging
Threshold rules
HOME_NET correctness

10. Verify Traffic Visibility

Suricata must actually see the traffic.

Check with:

tcpdump -ni enp2s0

If tcpdump does not see traffic, Suricata will not see it either.

11. Why This Matters for Suri Oculus

Suri Oculus is more than a simple IDS interface. It provides:

Traffic visualization
Rule management
IOC integration
Behavioral analytics
Host Behavior Fingerprint
Baseline comparison

If Suricata is misconfigured:

AI receives distorted data
Flow statistics become unreliable
WAN → LAN correlation breaks

Conclusion

Proper Suricata configuration for Suri Oculus requires:

AF_PACKET with tpacket-v3
snaplen 65535
Correct HOME_NET
suricata.rules enabled
additional.rules enabled
Optional IOC rules
Active eve-log output
Confirmed traffic visibility

Only with this foundation does Suricata become a reliable IDS/IPS engine — and Suri Oculus a powerful analytical and management platform.

Before production deployment, thoroughly test your configuration.
The integrity of your entire detection system depends on it.