A grounded second opinion on every Suricata alert.
Verdix is an open source AI co-pilot for SOC analysts running Suricata. It tails your eve.json, correlates the surrounding flow, enriches the indicators, and produces a verdict backed by evidence. It runs as additional Docker Compose services on the same host.
The problem
A tuned Suricata deployment can still put hundreds of EVE alerts a day in front of a Tier 1 analyst who can't read Suricata rule syntax fast enough to triage them. Volume isn't even the hard part. Each alert means the same dozen manual steps: correlate the flow_id, read the signature, enrich the indicators, work out the real source and target. Verdix does those steps and shows its work.
How it works
- Verdix tails eve.json and indexes the surrounding flow / HTTP / DNS / TLS / file events by flow_id.
- Verdix enriches indicators with DB-IP Community Edition for ASN and country, reverse DNS for IP-to-hostname mapping, live RDAP for domain registration age and registrar, and VirusTotal for reputation (your VirusTotal API key).
- Verdix assigns initiator and target roles based on how the rule defines traffic direction.
- Verdix produces a verdict (likely false positive, suspicious, or likely true positive) with confidence, reasoning, and a full evidence chain.
- Verdix shows an enrichment-source ledger on every alert: what contributed, what's failing, what's not configured.
- One click to accept or override. docker-compose up and you have a first verdict in under 30 minutes.
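To make the flow_id correlation, the initiator/target assignment and the evidence chain from the list above concrete, here is an added Python example; it is not Verdix's code and says nothing about how Verdix weighs evidence internally. It assumes the EVE alert record carries a direction field and a flow sub-object holding the flow initiator's src_ip/dest_ip, as recent Suricata versions emit, and it uses a deliberately simple score as a stand-in for the verdict step. The eve.json lines are constructed, including a truncated last line of the kind a tailer sees while Suricata is mid-write.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real traffic): one HTTP download that
# trips an alert, with the http, fileinfo and flow records logged for the same
# flow_id, followed by a truncated tls line (a file still being written).
SAMPLE_EVE = r"""
{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":1002,"event_type":"http","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"updates.example.test","url":"/update.bin","http_method":"GET","status":200}}
{"timestamp":"2024-05-01T10:00:01.500000+0000","flow_id":1002,"event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51001,"proto":"TCP","direction":"to_client","alert":{"signature_id":9000001,"signature":"CONSTRUCTED Executable download over HTTP","category":"Potentially Bad Traffic","severity":2},"flow":{"src_ip":"10.0.0.5","src_port":51001,"dest_ip":"203.0.113.10","dest_port":80}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","flow_id":1002,"event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","fileinfo":{"filename":"/update.bin","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":4096}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","flow_id":1002,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","flow":{"pkts_toserver":5,"pkts_toclient":7,"bytes_toserver":600,"bytes_toclient":5000,"state":"closed"}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","flow_id":1003,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","tls":{"sni":"oth
"""

# Event types worth indexing as context for an alert on the same flow.
CONTEXT_TYPES = ("flow", "http", "dns", "tls", "fileinfo")


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank and truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial last line; a tailer will see it complete later
    return events


def index_by_flow(events):
    """Split events into alerts and a flow_id -> [context events] index."""
    alerts, context = [], defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "alert":
            alerts.append(ev)
        elif ev.get("event_type") in CONTEXT_TYPES and "flow_id" in ev:
            context[ev["flow_id"]].append(ev)
    return alerts, context


def assign_roles(alert):
    """Return (initiator, target). The alert's top-level src/dest describe the
    packet that matched, so for a to_client match they are the reverse of who
    opened the connection. Prefer the flow sub-object (flow initiator), then
    the direction field, then fall back to the packet addresses."""
    flow = alert.get("flow", {})
    if "src_ip" in flow and "dest_ip" in flow:
        return flow["src_ip"], flow["dest_ip"]
    if alert.get("direction") == "to_client":
        return alert["dest_ip"], alert["src_ip"]
    return alert["src_ip"], alert["dest_ip"]


def triage(alert, context):
    """Build an evidence chain from the correlated events and derive a verdict
    from a small, transparent score (illustrative scoring only)."""
    initiator, target = assign_roles(alert)
    sig = alert["alert"]
    evidence = [f"alert sid={sig['signature_id']} {sig['signature']!r} severity={sig.get('severity')}"]
    score = 1 if sig.get("severity", 3) <= 2 else 0
    related = sorted(context.get(alert["flow_id"], []), key=lambda e: e["timestamp"])
    for ev in related:
        kind = ev["event_type"]
        if kind == "http":
            h = ev["http"]
            evidence.append(f"http {h.get('http_method')} {h.get('hostname')}{h.get('url')} status={h.get('status')}")
        elif kind == "fileinfo":
            f = ev["fileinfo"]
            magic = f.get("magic") or ""
            evidence.append(f"file {f.get('filename')} magic={magic!r} size={f.get('size')}")
            if "executable" in magic.lower():
                score += 2  # an executable was actually transferred, not just a matching URL
        elif kind == "flow":
            fl = ev["flow"]
            evidence.append(f"flow bytes_toserver={fl.get('bytes_toserver')} bytes_toclient={fl.get('bytes_toclient')} state={fl.get('state')}")
        else:  # dns / tls: keep the record verbatim in the chain
            evidence.append(f"{kind} {json.dumps(ev.get(kind, {}), sort_keys=True)}")
    if not related:
        evidence.append("no context events indexed for this flow_id yet")
    verdict = "likely true positive" if score >= 4 else "suspicious" if score >= 2 else "likely false positive"
    return {
        "flow_id": alert["flow_id"],
        "signature_id": sig["signature_id"],
        "initiator": initiator,
        "target": target,
        "verdict": verdict,
        "confidence": round(min(0.9, 0.4 + 0.15 * score), 2),
        "evidence": evidence,
    }


if __name__ == "__main__":
    alerts, ctx = index_by_flow(parse_eve(SAMPLE_EVE))
    for a in alerts:
        print(json.dumps(triage(a, ctx), indent=2))
```

Run as-is it prints one verdict: the initiator is 10.0.0.5 even though the alert's packet-level src_ip is the server, and the chain lists the HTTP request, the PE file that came back and the closed flow's byte counts. Swap the sample for `open('/var/log/suricata/eve.json')` to try it on a real log; a verdict with no context events means the index is still catching up, not that the alert is clean.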
Why it's built this way
- A co-pilot, never an autopilot. Every verdict is a recommendation: no auto-close, no auto-escalate, no auto-suppress.
- Runs alongside your existing stack. Stop the containers and your environment is exactly as it was.
- No payload data leaves the host.
- Open source under AGPL-3.0.
- Runs on hardware you already own. No GPU required: 16 vCPUs, 32 GB RAM, and 40 GB disk is the recommended spec. Each verdict takes under three minutes on CPU only.
Verdix is in early access. It does triage well; everything else is on the roadmap, shaped by the people running it.