Sagan is a high-performance, real-time log analysis and correlation engine. It uses a multi-threaded architecture to deliver fast log and event analysis. Its structure and rule language are similar to those of the Sourcefire "Snort" IDS/IPS engine. This provides compatibility with rule management software (Oinkmaster, PulledPork, etc.) and allows Sagan to correlate log events with alerts from your Snort IDS/IPS. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2, and it is compatible with all Snort "consoles", including Snorby, Sguil, BASE, and the Prelude IDS framework. It supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall blocking via "Snortsam", GeoIP detection/alerting, multi-line log support, time-sensitive alerting, and much more.
| Tags | Syslog, Windows events, SNMP trap |
|---|---|
| Licenses | GPLv2 |
| Operating Systems | Linux, FreeBSD, OpenBSD |
| Implementation | C |


Release Notes: Code is now formatted in the GNU "artistic" style. Multiple bugs were fixed. Sagan is much more efficient with memory. New "meta_content" and "meta_nocase" options were provided for multi-searching in a single rule. The "track_clients" processor was fixed and improved. Flowbit tracking 'by_src', 'by_dst', 'both', and 'none' were added for multiple line log support.


Release Notes: This release is capable of utilizing all CPUs/cores, which means it can digest, parse, and analyze an even higher number of events per second. Introduction of "processors". Removal of the direct SQL output plugin; to write to a SQL database, use Unified2 output and Barnyard2. Introduction of port variables in rules. More normalization and parsing options. Sagan currently ships over five thousand signatures/rules.


Release Notes: This release supports Snortsam, a firewall blocking agent for Snort. Sagan can leverage Snortsam to block attackers based on log analysis and normalization. Snortsam currently supports Checkpoint Firewall-1, Cisco PIX/ASA, Cisco routers, Juniper/Netscreen, ipf/ipfw2 (FreeBSD), pf (OpenBSD), ipchains/iptables/ebtables (Linux), Watchguard, 8signs (Windows), and MS ISA Server (Windows). This release also adds a new "after" rule option, a new DNS cache system (which should not be used unless absolutely necessary), direct SQL write fixes, and various small bug fixes.
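The release notes above name two correlation mechanisms without showing how they behave: the "after" rule option (alert only once N matching events from the same tracked key have arrived within T seconds) and flowbits tracked "by_src"/"by_dst"/"both"/"none" so that one rule can set a bit and a later rule on a different log line can test it. The following is an added example, not Sagan's code and not Sagan's rule syntax: a small Python correlator that models those options over a handful of constructed sshd syslog lines. The rule dictionary layout, the `Correlator` class, the regexes used for source-IP and program extraction, and the choice of the syslog host as the "destination" for by_dst tracking are all assumptions made for this illustration.

```python
"""Sagan-style 'after' thresholds and by_src flowbits over syslog lines.

Added example, not Sagan's code. Rule fields mimic the Snort-like options
the release notes mention (program, content, after, flowbits), but the dict
layout and the helper functions are assumptions made for this illustration.
"""
import re
from collections import defaultdict, deque

# "<Mon> <day> <hh:mm:ss> <host> <program>[pid]: <message>" (classic BSD syslog layout)
HDR_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+([A-Za-z0-9_.-]+)(?:\[\d+\])?:\s")
# Source address as sshd writes it; stands in for Sagan's parse_src_ip
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(line):
    """Return (host, program, src_ip) for one syslog line; None for fields not found."""
    m = HDR_RE.match(line)
    host, prog = (m.group(1), m.group(2)) if m else (None, None)
    ip = IP_RE.search(line)
    return host, prog, ip.group(1) if ip else None


def track_key(track, src, dst):
    """Tracking granularity named on the page: by_src, by_dst, both or none."""
    return {"by_src": (src,), "by_dst": (dst,), "both": (src, dst), "none": ()}[track]


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        self.seen = defaultdict(deque)  # (sid, key) -> event timestamps inside the 'after' window
        self.flowbits = {}              # (bit name, key) -> expiry timestamp

    def feed(self, ts, line):
        """Process one line at epoch `ts`; return the list of (sid, msg, src) that fired."""
        host, prog, src = parse(line)
        fired = []
        for r in self.rules:
            if r.get("program") and prog != r["program"]:
                continue
            if r["content"] not in line:
                continue
            isset = r.get("flowbits_isset")  # bit must have been set earlier for the same key
            if isset:
                k = (isset["name"], track_key(isset["track"], src, host))
                if self.flowbits.get(k, 0) < ts:
                    continue
            after = r.get("after")  # alert only once `count` events landed within `seconds`
            if after:
                q = self.seen[(r["sid"], track_key(after["track"], src, host))]
                q.append(ts)
                while q and q[0] <= ts - after["seconds"]:
                    q.popleft()
                if len(q) < after["count"]:
                    continue
            fired.append((r["sid"], r["msg"], src))
            fb = r.get("flowbits_set")  # remember this for later lines, expiring after `expire` s
            if fb:
                self.flowbits[(fb["name"], track_key(fb["track"], src, host))] = ts + fb["expire"]
        return fired


# Hypothetical rules; sids and messages are invented for the example.
RULES = [
    {"sid": 5000001, "msg": "SSH brute force: 3 failed logins from one source in 60s",
     "program": "sshd", "content": "Failed password",
     "after": {"track": "by_src", "count": 3, "seconds": 60},
     "flowbits_set": {"name": "ssh_bruteforce", "track": "by_src", "expire": 3600}},
    {"sid": 5000002, "msg": "SSH login accepted from a source that was brute forcing",
     "program": "sshd", "content": "Accepted password",
     "flowbits_isset": {"name": "ssh_bruteforce", "track": "by_src"}},
]

# Constructed sample input (epoch seconds, line); not taken from any real system.
SAMPLE_LOGS = [
    (1000, "Jun 17 14:20:01 bastion sshd[4211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2"),
    (1001, "Jun 17 14:20:02 bastion sshd[4212]: Failed password for invalid user test from 203.0.113.7 port 51523 ssh2"),
    (1002, "Jun 17 14:20:03 bastion sshd[4213]: Failed password for root from 203.0.113.7 port 51524 ssh2"),
    (1003, "Jun 17 14:20:04 bastion sshd[4214]: Failed password for invalid user oracle from 198.51.100.9 port 40001 ssh2"),
    (1005, "Jun 17 14:20:06 bastion sshd[4215]: Accepted password for deploy from 203.0.113.7 port 51600 ssh2"),
    (1006, "Jun 17 14:20:07 bastion sshd[4216]: Accepted password for deploy from 198.51.100.9 port 40002 ssh2"),
    (2000, "Jun 17 14:36:41 bastion sshd[4290]: Failed password for root from 203.0.113.7 port 51700 ssh2"),
]


def run(logs=SAMPLE_LOGS, rules=RULES):
    """Feed the lines in order and return [(ts, sid, src)] for every alert raised."""
    c = Correlator(rules)
    return [(ts, sid, src) for ts, line in logs for sid, _msg, src in c.feed(ts, line)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only two alerts come out: the third failure from 203.0.113.7 at t=1002 satisfies the `after` threshold and sets the by_src flowbit, and the later accepted login from that same source at t=1005 matches the second rule because the bit is still set. The single failure from 198.51.100.9 and its later accepted login raise nothing, since both the threshold and the flowbit are tracked per source, and the failure at t=2000 falls outside the 60-second window.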
17 Jun 2014 14:20
Sagan version 1.0.0RC3 has been released! This version has a number of important improvements.
The full ChangeLog can be found at
https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganChangeLog
* Code is now formatted in the GNU "artistic" style.
* Multiple bug fixes. Sagan is much more efficient with memory.
* New "meta_content" and "meta_nocase" options for multi-searching in a single rule.
* Processor "track_clients" fix/improvement.
* Flowbit tracking 'by_src', 'by_dst', 'both' and 'none' added for multiple line log support.
* Much more!
12 Apr 2012 23:59
Sagan version 0.2.1 has been released, now with active firewalling support (Cisco/iptables/etc.) via Snortsam, better direct SQL logging, and a new "after:" rule option. For more information please see: http://groups.google.com/group/sagan-users/browse_thread/thread/f1f66000cc893634
17 Mar 2011 13:24
Sagan version 0.1.8 has been released along with new rule sets. This release includes syslog 'sniffing', Unified2 output, and liblognorm log normalization. Please see http://sagan.softwink.com for more information.
23 Aug 2010 10:10
Sagan version 0.1.5 released along with new rule sets. ChangeLog can be found at https://wiki.softwink.com/bin/view/Main/SaganChangeLog . To download this, and rule sets, please see http://sagan.softwink.com.