Projects / Sagan

Sagan

Sagan is a high performance, real-time log analysis and correlation engine. It uses a multi-threaded architecture to deliver high performance log and event analysis. Its structure and rules are similar to those of the Sourcefire "Snort" IDS/IPS engine. This provides compatibility with rule management software (Oinkmaster, PulledPork, etc.) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort "consoles" including Snorby, Sguil, BASE, and the Prelude IDS framework. It supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support, time sensitive alerting, and much more.

Tags
Licenses
Operating Systems
Implementation

Recent releases

  •  17 Jun 2014 14:37

    Release Notes: Code is now formatted in the GNU "artistic" style. Multiple bugs were fixed. Sagan is much more efficient with memory. New "meta_content" and "meta_nocase" options were provided for multi-searching in a single rule. The "track_clients" processor was fixed and improved. Flowbit tracking 'by_src', 'by_dst', 'both', and 'none' were added for multiple line log support.

    •  30 Apr 2013 17:39

      Release Notes: This release is capable of utilizing all CPUs/cores. This means it can digest, parse, and analyze even higher number of events per/second. Introduction of "processors". Removal of the direct SQL output plugin; to write to a SQL database, use unified2 and Barnyard2. Introduction of port variables in rules. More normalization and parsing options. Sagan currently has over five thousand signatures/rules.

      •  13 Apr 2012 00:16

        Release Notes: This release support Snortsam, a firewall blocking agent for Snort. It can leverage Snortsam to block attacks based on log analysis and normalization. Snortsam currently supports Checkpoint Firewall-1, Cisco PIX/ASA, Cisco routers, Juniper/Netscreen, ipf/ipfw2 (FreeBSD), pf (OpenBSD), ipchains/iptables/ebtables (Linux), Watchguard, 8signs (Windows), and MS ISA Server (Windows). This release adds a new "after" rule option, a new DNS cache system (which shouldn't be used unless 100% necessary), Direct SQL write fixes, and various small bugfixes.

        Recent comments

        17 Jun 2014 14:20 champclark

        Sagan version 1.0.0RC3 has been released!

        This version has a number
        of important improvements.

        The full ChangeLog can be found at
        https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganChangeLog

        * Code is now formatted in the GNU "artistic" style.
        * Multiple bug fixes. Sagan is much more efficient with memory.
        * new "meta_content" and "meta_nocase" for multi-searching in a single rule.
        * Processor "track_clients" fix/improvement.
        * Flowbit tracking 'by_src', 'by_dst', 'both' and 'none' added for
        multiple line log support.
        * Much more!

        12 Apr 2012 23:59 Beave

        Sagan version 0.2.1 has been released. Now with active firewalling support (Cisco/iptables/etc) via Snortsam. Better direct SQL logging. New "after:" rule option introduced. For more information please see: http://groups.google.com/group/sagan-users/browse_thread/thread/f1f66000cc893634

        17 Mar 2011 13:24 Beave

        Sagan version 0.1.8 has been released along with new rule sets. This release includes syslog 'sniffing', Unified2 output and liblognorm (log normalization). Please see http://sagan.softwink.com for more information.

        23 Aug 2010 10:10 Beave

        Sagan version 0.1.5 released along with new rule sets. ChangeLog can be found at https://wiki.softwink.com/bin/view/Main/SaganChangeLog . To download this, and rule sets, please see http://sagan.softwink.com.

        Screenshot

        Project Spotlight

        OpenStack4j

        A Fluent OpenStack client API for Java.

        Screenshot

        Project Spotlight

        TurnKey TWiki Appliance

        A TWiki appliance that is easy to use and lightweight.