Introducing Suricatavel: Governance platform for Suricata

Hi everyone!

Today I would like to introduce Suricatavel, a tool to manage a distributed fleet of Suricata sensors without “fumbling with cables”, but in a clear, measurable and repeatable operation, which should ease managing it at scale by reinforcing consistency and reducing configuration drift.

This solution is based on 3 pillars:

  • Automated lifecycle
    • Leveraging Ansible, we intend to reduce time to detection for new nodes, from initial provisioning to atomic ruleset management, all from the same web interface.
    • Rule management is conveyed from feeds to automatic deployment on each node through configurable policies.
  • High-performance ingestion
    • Prepared for high throughput of events, we offer an in-house-built logging agent, which guarantees correct behaviour even during saturation peaks.
    • For enterprise-level loads, we baked in Apache Kafka integration (“at-least-once” delivery), for deployments that need even more delivery performance.
    • Our ingestion pipeline relies on Laravel Octane to handle massive eve.json event streams with low latency.
  • Actionable intelligence and response
    • Enrichment providers bring automatic metadata decoration via known services such as AbuseIPDB, MaxMind’s GeoIP, URLHaus, Shodan, VirusTotal and WHOIS.
    • A dedicated query engine delivers results in nearly instantaneous time (sub-second), helping analysts’ investigations and correlations.
    • Firewall integrations with popular products like OPNsense, pfSense or even OpenWRT allow the user to rapidly block an attacker from within the web interface.

This project is under active development, so stay tuned for news to come!

Poke around the demo and explore what else Suricatavel has to offer: https://demo.suricatavel.org

Get your nose into the docs: https://docs.suricatavel.org
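The “atomic ruleset management” pillar above is worth seeing in concrete form. The following is an added example, not Suricatavel’s own code: it stages a candidate rules file beside the live one, validates it before it can touch the running sensor, swaps it in with an atomic rename, and only then asks the engine to reload. The `suricata -T ... -S <file>` self-test and the `suricatasc -c ruleset-reload-rules` socket command are real stock Suricata commands, but the config path and the decision to inject them as callables are assumptions made here so the rollout logic can be exercised without a sensor present.

```python
"""Atomic ruleset rollout for one Suricata node.

Added example (not Suricatavel code).  A bad rules file must never be
visible to the engine: validate the candidate first, then os.replace()
it over the live file (atomic on POSIX), then reload.  The validator and
reloader are injectable so the logic can be tested without Suricata.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Callable

# Assumed location of the engine config on a stock install.
SURICATA_YAML = "/etc/suricata/suricata.yaml"


def suricata_test(candidate: Path) -> bool:
    """Run Suricata's self-test (-T) loading only the candidate file (-S)."""
    proc = subprocess.run(
        ["suricata", "-T", "-c", SURICATA_YAML, "-S", str(candidate)],
        capture_output=True, text=True,
    )
    return proc.returncode == 0


def suricata_reload() -> bool:
    """Ask the running engine to reload its ruleset over the unix socket."""
    proc = subprocess.run(
        ["suricatasc", "-c", "ruleset-reload-rules"],
        capture_output=True, text=True,
    )
    return proc.returncode == 0


def deploy_ruleset(
    rules_text: str,
    live_path: Path,
    validate: Callable[[Path], bool] = suricata_test,
    reload: Callable[[], bool] = suricata_reload,
) -> str:
    """Stage, validate, atomically swap, reload.

    Returns 'unchanged', 'rejected', 'deployed' or 'deployed-reload-failed'.
    On 'rejected' the live file is untouched and the candidate is removed.
    """
    live_path = Path(live_path)
    if live_path.exists() and live_path.read_text() == rules_text:
        return "unchanged"  # idempotent: same content, no reload churn

    # Candidate lives in the same directory so the final rename stays on
    # one filesystem (os.replace is only atomic in that case).
    fd, tmp_name = tempfile.mkstemp(
        dir=live_path.parent, prefix=".candidate-", suffix=".rules"
    )
    tmp = Path(tmp_name)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(rules_text)
            fh.flush()
            os.fsync(fh.fileno())  # durable before it can become "live"
        if live_path.exists():
            # keep the permissions the engine already expects
            os.chmod(tmp, live_path.stat().st_mode & 0o777)
        if not validate(tmp):
            return "rejected"
        os.replace(tmp, live_path)  # atomic swap; readers see old or new, never half
    finally:
        if tmp.exists():  # still present only on rejection or error
            tmp.unlink()
    return "deployed" if reload() else "deployed-reload-failed"


if __name__ == "__main__":
    # Dry run with injected stand-ins so this runs on a box without Suricata.
    target = Path(tempfile.mkdtemp()) / "suricatavel.rules"
    fake_validate = lambda p: "bad" not in p.read_text()
    print(deploy_ruleset('alert tcp any any -> any any (sid:1000001;)\n',
                         target, fake_validate, lambda: True))
    print(deploy_ruleset("this is a bad rule\n", target, fake_validate, lambda: True))
    print(target.read_text().strip())
```

The split between validate and reload matters operationally: a rejected candidate leaves the node exactly as it was, and a reload failure after a successful swap is reported distinctly so a fleet controller can retry the reload without re-deploying the file.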

Is this a commercial offering?
Is there an open source project?

Having built a similar system around Ansible I was curious to explore your art and look for opportunities to make a meaningful contribution but alas I seem to be blocked by Cloudflare regardless of browser, JS support, tracking cookie acceptance, or geo (tried North and South America).

It’s not a commercial offering at this stage, but it’s also not open source.

Suricatavel is source-available: the code can be downloaded and used freely for personal, research, and evaluation purposes. Commercial use would currently require a separate license.

Right now I’m keeping development centralized while the project evolves, but I’m very interested in feedback from the community, and will consider open-sourcing it in the future.

Now, I’ve checked Cloudflare to relax security a bit, please try again and feel free to reach me directly to get this access issue sorted out 🙂

Interesting direction.

We already operate Aegis in our environment, and we have also implemented DNS control through Cloudflare Zero Trust using DoH/Gateway-based enforcement. In practice, that gives us centralized DNS policy control, category-based filtering, and a cleaner way to standardize protection across distributed users and sites.

So I’m looking at Suricatavel from the standpoint of an existing production environment where core security controls and operational workflows are already in place, rather than from a greenfield deployment.

The three pillars you highlight — lifecycle automation, high-throughput ingestion, and integrated response — are absolutely the right areas to focus on for distributed Suricata operations. The main question for teams like ours is how Suricatavel differentiates itself operationally from a stack that already combines Aegis, centralized policy enforcement, and established automation.

What would be especially valuable to see is:

  • how policy-based rule deployment is governed across larger sensor fleets,

  • how the ingestion layer behaves under sustained load and degraded conditions,

  • how much operational visibility and auditability exist around automated changes,

  • and how the response model integrates with existing DNS/security enforcement layers already in production.

Promising concept overall. For mature environments, adoption will likely depend on whether the platform can demonstrate measurable gains in consistency, scalability, and response efficiency beyond what is already achievable with a well-integrated internal stack.
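The announcement promises “at-least-once” Kafka delivery of eve.json, and the reply above asks how the ingestion layer behaves under degraded conditions. Those two points meet in the consumer: at-least-once transport means a redelivered alert must not become two alerts, and a line truncated during a saturation peak must not take the pipeline down. The following is an added example, not Suricatavel’s agent or pipeline, showing the idempotent consumer side with a bounded fingerprint window; the eve.json lines are constructed for the example.

```python
"""Idempotent eve.json consumer for an at-least-once transport.

Added example (not Suricatavel code).  Each record is fingerprinted on
the fields that identify one event (timestamp, flow_id, event_type and,
for alerts, signature_id); redeliveries are dropped, malformed lines are
counted instead of raising, and the seen-set is a bounded LRU so memory
stays flat under sustained load.
"""
import hashlib
import json
from collections import OrderedDict
from typing import Optional


class EveDeduper:
    def __init__(self, window: int = 100_000):
        self.window = window
        self._seen: "OrderedDict[str, bool]" = OrderedDict()  # LRU of fingerprints
        self.stats = {"accepted": 0, "duplicate": 0, "malformed": 0}

    @staticmethod
    def fingerprint(ev: dict) -> str:
        """Stable identity of one eve record across redeliveries."""
        parts = [str(ev.get(k, "")) for k in ("timestamp", "flow_id", "event_type")]
        parts.append(str(ev.get("alert", {}).get("signature_id", "")))
        return hashlib.sha256("|".join(parts).encode()).hexdigest()

    def feed(self, raw_line: str) -> Optional[dict]:
        """Return the parsed event if it is new, else None (and count why)."""
        try:
            ev = json.loads(raw_line)
            if not isinstance(ev, dict) or "event_type" not in ev:
                raise ValueError("not an eve record")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            self.stats["malformed"] += 1
            return None
        fp = self.fingerprint(ev)
        if fp in self._seen:
            self._seen.move_to_end(fp)          # refresh LRU position
            self.stats["duplicate"] += 1
            return None
        self._seen[fp] = True
        if len(self._seen) > self.window:
            self._seen.popitem(last=False)      # evict oldest fingerprint
        self.stats["accepted"] += 1
        return ev


# Constructed sample stream: an alert, its at-least-once redelivery, a flow
# record truncated mid-write during a saturation peak, then the intact flow.
SAMPLE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","flow_id":1,'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED test alert"}}',
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","flow_id":1,'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED test alert"}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","flow_id":2,'
    '"event_type":"flow","src_ip":"10.0.0.5"',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","flow_id":2,'
    '"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
]


def process(lines, window: int = 100_000):
    """Run a stream through the deduper; return (accepted events, stats)."""
    dd = EveDeduper(window)
    events = [ev for ev in (dd.feed(line) for line in lines) if ev is not None]
    return events, dd.stats


if __name__ == "__main__":
    evs, stats = process(SAMPLE_LINES)
    for ev in evs:
        print(ev["event_type"], ev["flow_id"])
    print(stats)
```

The window size is the operational knob: it bounds memory but also bounds how long after first delivery a redelivery is still recognised, so it should exceed the transport’s maximum redelivery delay expressed in events per second.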