LIMEN says MALICIOUS — cosine match to a known Cobalt Strike beacon, confidence 1.0, nine neighbor votes from the pattern store. PCAPR finds the TLS JA3 hash matches the CobaltStrike-default fingerprint and the inter-message gap CV is 0.03, meaning the beaconing interval is absurdly regular. The weighted score hits 4 points. The correlator has seen three flows to the same destination IP within two minutes. An investigation opens, PCAPR runs deep analysis on the pcap slice, and the full report drops into the SIEM alongside every other Suricata alert.
minidet is a network threat detection sidecar for Suricata. It runs alongside an existing IDS, scores every TCP/UDP flow through four signal layers, and emits enriched EVE JSON into the same stream Suricata already produces. No pipeline rewrite, no new console to watch, no separate data format.
Running all four signals on every flow is the obvious design. It’s also wrong.
The four layers are designed around cost, not just capability. LIMEN runs inline on every flow — 200 microseconds, supervised cosine similarity, three possible verdicts. The BPB scorer runs async on a token-bucket sample — unsupervised, flags structural novelty in flows LIMEN hasn’t seen before, complements rather than duplicates LIMEN’s signal. GRIMOIRE runs async only on flows where PE, ELF, or ZIP magic bytes appear in the payload — 7b inference takes 10–30 seconds per binary, so it only fires when there is a binary to analyze. PCAPR runs only when the correlator opens a formal investigation — deep protocol analysis is expensive, and it should only happen when something is already suspicious enough to justify it.
The queue topology keeps LIMEN inline while the slower tools run asynchronously. Each tool reports back via a shared flow_id. The EnvelopeStore collects enrichments from all four layers and emits a unified EVE event when everything has arrived — or after a 60-second TTL if a slow tool is still running.
The correlator watches the score stream and groups events by destination IP using configurable strategies: exact IP match, /24 subnet, /16 subnet, or ASN. When the weighted score sum for a destination crosses a threshold within a sliding window, an InvestigationWorker runs PCAPR on a sliced pcap of the relevant flows. The investigation report lands in the same EVE stream as everything else.
The scoring weights reflect what the signals actually mean. GRIMOIRE calling a binary malicious is worth 3 points — it’s the most specific signal, and it rarely fires. LIMEN match and PCAPR beacon detection are worth 2 each. BPB anomaly and LIMEN UNKNOWN are 1 each — real signals but lower specificity. The alert threshold is 4 points accumulated within 15 minutes of event time.
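The grouping strategies and the weighted sliding window described above, as an added example that is not minidet's own code: it uses the page's weights and threshold, implements the exact-IP, /24 and /16 strategies (ASN is skipped because it needs an external lookup), and assumes that a bucket is cleared once it opens an investigation so the same events cannot reopen one. Signal names, the Correlator class and the sample events are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Weights from the page: GRIMOIRE malicious 3, LIMEN match 2, PCAPR beacon 2,
# BPB anomaly 1, LIMEN UNKNOWN 1. Alert at 4 points within 15 minutes.
WEIGHTS = {"grimoire_malicious": 3, "limen_match": 2, "pcapr_beacon": 2,
           "bpb_anomaly": 1, "limen_unknown": 1}
THRESHOLD = 4
WINDOW_SECONDS = 15 * 60

def group_key(dest_ip, strategy="ip"):
    """Map a destination IP to a correlation bucket (ASN strategy omitted)."""
    if strategy == "ip":
        return dest_ip
    if strategy in ("/24", "/16"):
        return str(ipaddress.ip_network(dest_ip + strategy, strict=False))
    raise ValueError(f"unknown strategy {strategy}")

class Correlator:
    def __init__(self, strategy="ip"):
        self.strategy = strategy
        self.events = defaultdict(list)  # key -> [(event_ts, weight, flow_id)]
        self.investigations = []

    def ingest(self, ts, dest_ip, signal, flow_id):
        """Add one scored event; return the score if it opens an investigation."""
        key = group_key(dest_ip, self.strategy)
        bucket = self.events[key]
        bucket.append((ts, WEIGHTS[signal], flow_id))
        # Sliding window is measured on event time, not on wall clock.
        bucket[:] = [e for e in bucket if ts - e[0] <= WINDOW_SECONDS]
        score = sum(w for _, w, _ in bucket)
        if score < THRESHOLD:
            return None
        flows = sorted({f for _, _, f in bucket})  # pcap slice covers these flows
        self.investigations.append({"key": key, "score": score, "flows": flows})
        bucket.clear()  # assumption: do not reopen on the same evidence
        return score

def demo(strategy="/24"):
    # Constructed stream: three flows to 203.0.113.0/24 (TEST-NET-3) in two minutes,
    # then one flow whose evidence expires before the next one arrives.
    stream = [(1000, "203.0.113.10", "limen_match", "f1"),
              (1060, "203.0.113.10", "bpb_anomaly", "f2"),
              (1110, "203.0.113.44", "limen_unknown", "f3"),
              (2000, "203.0.113.10", "limen_match", "f4"),
              (2000 + WINDOW_SECONDS + 1, "203.0.113.10", "limen_match", "f5")]
    c = Correlator(strategy)
    return [c.ingest(*e) for e in stream], c.investigations
```

With the /24 strategy the third event pushes the bucket to 4 and opens an investigation over f1..f3; with exact-IP grouping the same three events never cross the threshold because 203.0.113.44 lands in its own bucket.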
The stack is operational for offline analysis against saved pcaps. Live capture runs via Scapy. The FAISS upgrade for LIMEN’s PatternStore — which unlocks real 1Gbps throughput — is the next piece before calling this production-ready.