Quadrant Information Security (https://quadrantsec.com), Copyright (C) 2018-2023
Meer "Read The Docs": https://meer.readthedocs.io
"Meer" is a dedicated data broker for the Suricata (https://suricata-ids.org) IDS/IPS system and the Sagan (https://sagan.io/) log analysis engine.
Meer takes EVE data (JSON) from Suricata or Sagan (via an input-plugin), augments it by enriching it with DNS, GeoIP, and other information (via the meer-core), and then pushes the data to a database (via an output-plugin) of your choice.
Meer is written in C, which makes it fast and very lightweight. This makes it suitable for processing data on systems with limited resources.
Meer input-plugins that are currently supported are Suricata/Sagan EVE ("spool") files and Redis.
Meer output-plugins that are currently supported are Elasticsearch, Opensearch, Zincsearch (https://github.com/zinclabs/zinc), Redis, named pipes, files, and "external" programs. Meer release 1.0.0 supports SQL (MariaDB, MySQL and PostgreSQL) that is compatible with older "Barnyard2" systems. Meer versions after 1.0.0 do not support SQL.
- file - Meer can read ("follow") data files generated by Suricata or Sagan.
- Redis - Meer can connect to and read data via a Redis PUB/SUB.
- Redis - Meer can write data to a Redis database similar to Suricata (list/lpush, rpush, channel/publish or set).
- "elasticsearch" support - This allows Meer to write Sagan & Suricata EVE (JSON) data to Elasticsearch.
- "external" support - This allows you to call your own program. When an event happens and the signature specifies the option, Meer will 'call' your program. The EVE/JSON is handed to your program via stdin. This can be useful to build custom firewall routines, custom reactions to events, custom ways to store data, etc.
- "pipe" support - This allows Meer to write EVE/JSON data to a Unix "named pipe" or FIFO. Meer acts as a pipe "writer" and you can have a consumer (reader) on the other side of the "pipe". For example, you might use a program like "Sagan" (https://sagan.io) to analyze the data received via a named pipe.
- Meer can "enrich" EVE/JSON data! For example, Meer can add DNS records, do OUI (hardware manufacturer) lookups on MAC addresses, add GeoIP data and more!
- Meer is written in C and has a very small memory footprint (only several megabytes of RAM). It is also CPU efficient.
- Fast startup times (under one second).
- Simple command line and configuration syntax. Meer uses a YAML configuration similar to Suricata and Sagan.
- Out of the box IPv6 support.
- Meer can do reverse DNS/PTR record lookups. Meer has an internal DNS cache system so as not to overburden DNS servers with repeated queries.
- Supports "fingerprint" rule sets. These are special Suricata & Sagan signatures that allow you to collect data about devices in your network and store them in a Redis database. See https://github.com/quadrantsec/fingerprint-rules for more information.
- Supports "client stats" for Meer when ingesting Sagan EVE/JSON data. This gives you statistics about who and what is sending Sagan data within an environment.
- Meer can generate "non-repetitive" data which can be useful for fast Indicator of Compromise (IoC) searches. This is known as "Network Data Points" or NDP.
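The "external" output above hands each EVE/JSON record to your program on stdin. The following is an added example of such a handler written for this README (it is not part of Meer); the Suricata-style EVE field names and the SAMPLE_ALERT record are assumed/constructed, and the handler validates each record before emitting a compact summary line so that a malformed event cannot crash the consumer.

```python
"""Example Meer "external" handler: read EVE/JSON on stdin, validate, print a summary."""
import json
import sys
# Constructed sample EVE alert with Suricata-style field names (not a real event).
SAMPLE_ALERT = json.dumps({
    "timestamp": "2023-01-01T00:00:00.000000+0000", "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51515,
    "dest_ip": "192.0.2.10", "dest_port": 443, "proto": "TCP",
    "alert": {"signature_id": 1000001, "rev": 1,
              "signature": "EXAMPLE policy test", "severity": 2},
})

def parse_eve(raw: str) -> dict:
    """Parse one EVE record; reject anything that is not a JSON object with event_type."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    if not isinstance(event, dict) or "event_type" not in event:
        raise ValueError("EVE record must be a JSON object carrying event_type")
    return event

def summarize(event: dict) -> str:
    """Build a one-line key=value summary; alerts also get sid, severity and signature."""
    fields = [f"type={event['event_type']}",
              f"src={event.get('src_ip', '-')}:{event.get('src_port', '-')}",
              f"dst={event.get('dest_ip', '-')}:{event.get('dest_port', '-')}"]
    alert = event.get("alert")
    if isinstance(alert, dict):
        fields.append(f"sid={alert.get('signature_id', '-')}")
        fields.append(f"sev={alert.get('severity', '-')}")
        # json.dumps quotes and escapes the rule text so it cannot masquerade as extra fields.
        fields.append("sig=" + json.dumps(alert.get("signature", "")))
    return " ".join(fields)

def handle(stream) -> int:
    """Process every line Meer hands over; malformed lines are reported, not fatal."""
    count = 0
    for line in stream:
        line = line.strip()
        if not line:
            continue
        try:
            print(summarize(parse_eve(line)))
            count += 1
        except ValueError as exc:
            print(f"skipped malformed event: {exc}", file=sys.stderr)
    return count

if __name__ == "__main__":
    handle(sys.stdin)
```

When Meer invokes the script, stdin carries the event; `handle` also accepts any iterable of lines, which makes it easy to exercise offline with `SAMPLE_ALERT`.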
Meer is under development. This is our brief "road-map" of what we would like to see Meer do. If you have any ideas or requests, please let us know via our "issues" page (https://github.com/quadrantsec/meer/issues).
- Syslog support (JSON, decoded, etc).
- Need help getting started or looking for documentation? Go to https://meer.readthedocs.org !
- Have a question or comment about Meer? Please post to the Meer mailing list at https://groups.google.com/forum/#!forum/meer-users. You can also visit the Sagan/Meer Discord channel by going to https://discord.gg/VS6jTjH4gW
- If you need to report a bug, please post that in our Github "issues" page. That is at https://github.com/quadrantsec/meer/issues