Suricata & Meer

Hello all!!

Some time ago I started a project named “Meer”. Meer is basically a “spooler” for Suricata EVE (JSON) files and data.

What does that mean? It means that Meer will “follow” (think “tail -f”) an EVE file and stick the data into a location that you find useful. Meer can store data to MySQL/MariaDB, PostgreSQL, Redis, and Elasticsearch. It can execute an “external” script or write alert JSON to a named pipe. It can store the data based on the Suricata data “types” (alert, flow, dns, etc.).

Meer can also augment or enhance your EVE data. For example, as Meer reads in a spool file, it can perform DNS & GeoIP lookups and add that data to the alert JSON.

For those familiar with the old Barnyard2/Unified2 concept, Meer is a more modern version of that type of system.

Meer is very light on system resources and fast.

I am going to be speaking at Suricon 2021 in Boston about Meer and I’m hoping to push for a 1.0.0 release. With this in mind, I would love for people to test Meer! Right now I’m most interested in stress testing the new Elasticsearch and Redis support.

I would love any feedback.

I am still in the process of “catching up” on the documentation (https://meer.readthedocs.io), but the Meer YAML file should guide you in the right direction. The project's GitHub page is at:

I hope this lightweight spooler is useful to people. Please let me know if you have any questions or comments! Thank you.

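As an added illustration of the spooler idea the post describes (this is example code written for this page, not Meer's own code or its API), the following Python script follows an EVE JSON file the way `tail -f` does: it remembers its read offset, carries a partially written last line over to the next poll, restarts when the file is rotated or truncated, routes each record by its `event_type`, and attaches GeoIP-style data to alerts. The sample EVE records and the lookup table are constructed for the example; nothing here contacts a real DNS or GeoIP service.

```python
import ipaddress
import json
import os
import tempfile
from collections import defaultdict

# Constructed stand-in for a GeoIP database (assumption, not real data):
# CIDR network -> country code to attach to matching addresses.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "YY",
}


def geoip_lookup(ip):
    """Return the country code for ip from GEOIP_TABLE, or None if unknown/invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None


def enrich_alert(record):
    """Attach src/dest GeoIP data to alert records; other event types pass through."""
    if record.get("event_type") != "alert":
        return record
    geo = {}
    for side in ("src_ip", "dest_ip"):
        country = geoip_lookup(record.get(side, ""))
        if country is not None:
            geo[side] = {"country_code": country}
    if geo:
        record["geoip"] = geo
    return record


class EveSpooler:
    """Follows an EVE JSON file and routes complete records by event_type."""

    def __init__(self, path, enrich=enrich_alert):
        self.path = path
        self.enrich = enrich
        self.offset = 0        # bytes already consumed
        self.inode = None      # detects rotation (a new file under the same path)
        self.partial = b""     # incomplete trailing line kept between polls
        self.routed = defaultdict(list)
        self.bad_lines = 0

    def _reset_if_rotated(self):
        st = os.stat(self.path)
        if self.inode != st.st_ino or st.st_size < self.offset:
            # Rotated or truncated: read the new file from the beginning.
            self.inode, self.offset, self.partial = st.st_ino, 0, b""

    def poll(self):
        """Read bytes written since the last poll; return the number of records routed."""
        self._reset_if_rotated()
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
        self.offset += len(chunk)
        lines = (self.partial + chunk).split(b"\n")
        self.partial = lines.pop()   # b"" when the data ended on a newline
        count = 0
        for raw in lines:
            if not raw.strip():
                continue
            try:
                record = json.loads(raw)
            except ValueError:
                self.bad_lines += 1  # one corrupt line must not stop the tail
                continue
            record = self.enrich(record)
            self.routed[record.get("event_type", "unknown")].append(record)
            count += 1
        return count


# Constructed EVE-style records (not real Suricata output) for a stand-alone run.
SAMPLE_EVE = (
    b'{"timestamp":"2021-10-01T12:00:00.000000+0000","event_type":"alert",'
    b'"src_ip":"203.0.113.7","dest_ip":"10.0.0.5","alert":{"signature_id":1,"signature":"test"}}\n'
    b'{"timestamp":"2021-10-01T12:00:01.000000+0000","event_type":"dns",'
    b'"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"rrname":"example.com"}}\n'
    b'{"timestamp":"2021-10-01T12:00:02.000000+0000","event_type":"flow",'
    b'"src_ip":"10.0.0.5","dest_ip":"198.51.100.9"}\n'
)


def demo(path=None):
    """Write SAMPLE_EVE in two pieces (cut mid-record, like a write in progress) and spool it."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "eve.json")
    split = len(SAMPLE_EVE) // 2
    with open(path, "wb") as fh:
        fh.write(SAMPLE_EVE[:split])
    spooler = EveSpooler(path)
    first = spooler.poll()            # only the first record is complete so far
    with open(path, "ab") as fh:
        fh.write(SAMPLE_EVE[split:])
    second = spooler.poll()           # the carried-over partial line completes here
    return {
        "first": first,
        "second": second,
        "by_type": {k: len(v) for k, v in spooler.routed.items()},
        "alert_geo": spooler.routed["alert"][0].get("geoip"),
    }


if __name__ == "__main__":
    print(demo())
```

The partial-line buffer and the inode/size check are the two details that matter for anything that tails a live EVE file: Suricata may have written only half of a record when you read, and a logrotate-style rotation gives you a new file under the same name.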

This is a very great tool that makes Suricata better to use.
