Awesome

Join the Meer Discord channel

Meer Documentation

Meer "Read The Docs! https://meer.readthedocs.io

What is “Meer”.

"Meer" is a dedicated data broker for the Suricata <https://suricata-ids.org>_ IDS/IPS systems and the Sagan <https://sagan.io/> log analysis engine.

Meer takes EVE data (JSON) from Suricata or Sagan (via an input-plugin), augments it by enriching it with DNS, GeoIP, and other information (via the meer-core), and then pushes the data to a database (via a output-plugin) of your choice.

Meer is written in C which makes it fast and very light weight. This makes is suitable for processing data on systems with limited resource.

Meer input-plugins that are currently supported are Suricata/Sagan EVE ("spool") files and Redis.

Meer output-plugins that are currently supported are Elasticsearch, Opensearch, Zincsearch (https://github.com/zinclabs/zinc), Redis, named pipes, files, and "external" programs. Meer release 1.0.0 supports SQL (MariaDB, MySQL and PostgreSQL) that is compatible with older "Barnyard2" systems. Meer versions after 1.0.0 do not support SQL.

Input Plugins

• file - Meer can read ("follow") data files generated by Suricata or Sagan

• Redis - Meer can connect to and read data via a Redis PUB/SUB.

Output Plugins:

• Redis - Meer can write store data to a Redis database similar to Suricata (list/lpush, rpush, channel/publish or set).

• "elasticsearch" support - This allows Meer to write Sagan & Suricata EVE (JSON) data to Elasticsearch search.

• "external" support - This allows you to call your own program. When an event happens and if the signature specifies the option, Meer will 'call' your program. The EVE/JSON is handed to your program via stdin. This can be useful to build custom firewall routines, customer reactions to events, custom ways to store data, etc.

• "pipe" support - This allows Meer to write EVE/JSON data to a Unix "named pipe" or FIFO. Meer acts as a pipe "writer" and you can have a consumer (reader) on the other side of the "pipe". For example, you might use a program like "Sagan" (https://sagan.io) to analyze the data received via a named pipe.

Current Features:

• Meer can "enrich" EVE/JSON data! For example, Meer can add DNS records, do OUI (hardware manufacturer) on MAC addresses, add GeoIP data and more!
• Meer is written in C and has a very small memory footprint (only several meg of RAM). It also CPU efficient.
• Fast startup times (under one second).
• Simple command line and configuration syntax. Meer uses a YAML configurations similar to Suricata and Sagan.
• Out of the box IPv6 support.
• Meer can do reverse DNS/PTR record lookups. Meer has an internal DNS cache system so to not overburden DNS servers with repeated queries.
• Supports "fingerprint" rule set. These are special Suricata & Sagan signatures that allow you to collect data about devices in your network and store them in a Redis database. See https://github.com/quadrantsec/fingerprint-rules for more information.
• Supports "client stats" for Meer when injecting Sagan EVE/JSON data. This allows give you statistics about who and what is sending Sagan data within an environment.
• Meer can generated "non-repetitive" data which can be useful for fast Indicator of Compromise (IoC) searches. This is known as "Network Data Points" or NDP.

Future "output" support:

Meer is under development. This is our brief "road-map" of what we would like to see Meer do. If you have any ideas or requests, please let us know via our "issues" page (https://github.com/quadrantsec/meer/issues).

• Syslog support (JSON, decoded, etc).

Support:

• Need help getting started or looking for documentation? Go to https://meer.readthedocs.org !

• Have a question or comment about Meer? Please post to the Meer mailing at https://groups.google.com/forum/#!forum/meer-users. You can also visit the Sagan/Meer Discord channel by going to https://discord.gg/VS6jTjH4gW

• If you need to report a bug, please post that in our Github "issues" page. That is at https://github.com/quadrantsec/meer/issues