Introducing Suricatavel: Governance platform for Suricata

Hi everyone!

Today I would like to introduce Suricatavel, a tool for managing a distributed fleet of Suricata sensors without “fumbling with cables”, replacing that with clear, measurable and repeatable operations. The aim is to make the fleet easier to manage at scale by enforcing consistency and reducing configuration drift.

This solution is based on 3 pillars:

  • Automated lifecycle
    • Leveraging Ansible, we aim to reduce time to detection for new nodes, from initial provisioning to atomic ruleset management, all from the same web interface.
    • Rule management runs from feeds through to automatic deployment on each node, driven by configurable policies.
  • High-performance ingestion
    • Built for a high throughput of events, we offer an in-house logging agent designed to keep behaving correctly even during saturation peaks.
    • For enterprise-level loads, we baked in Apache Kafka integration (“at-least-once” delivery) for deployments that need even more delivery performance.
    • Our ingestion pipeline relies on Laravel Octane to handle large eve.json event streams with low latency.
  • Actionable intelligence and response
    • Enrichment providers decorate events with metadata automatically via well-known services such as AbuseIPDB, MaxMind’s GeoIP, URLhaus, Shodan, VirusTotal and WHOIS.
    • A dedicated query engine returns results in near-real time (sub-second), supporting analysts’ investigations and correlations.
    • Firewall integrations with popular products such as OPNsense, pfSense and even OpenWrt let the user quickly block an attacker from within the web interface.

This project is under active development, so stay tuned for news to come!

Poke around the demo and explore what else Suricatavel has to offer: https://demo.suricatavel.org

Get your nose into the docs: https://docs.suricatavel.org