Sagan is a high performance, real-time log analysis and correlation engine. It uses a multi-threaded architecture to deliver high performance log and event analysis. Its structure and rules are similar to those of the Sourcefire "Snort" IDS/IPS engine. This provides compatibility with rule management software (Oinkmaster, PulledPork, etc.) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort "consoles" including Snorby, Sguil, BASE, and the Prelude IDS framework. It supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support, time sensitive alerting, and much more.
|Tags||Syslog windows events snmp-trap|
|Operating Systems||Linux FreeBSD OpenBSD|
Release Notes: Code is now formatted in the GNU "artistic" style. Multiple bugs were fixed. Sagan is much more efficient with memory. New "meta_content" and "meta_nocase" options were provided for multi-searching in a single rule. The "track_clients" processor was fixed and improved. Flowbit tracking 'by_src', 'by_dst', 'both', and 'none' were added for multiple line log support.
Release Notes: This release is capable of utilizing all CPUs/cores. This means it can digest, parse, and analyze even higher number of events per/second. Introduction of "processors". Removal of the direct SQL output plugin; to write to a SQL database, use unified2 and Barnyard2. Introduction of port variables in rules. More normalization and parsing options. Sagan currently has over five thousand signatures/rules.
Release Notes: This release support Snortsam, a firewall blocking agent for Snort. It can leverage Snortsam to block attacks based on log analysis and normalization. Snortsam currently supports Checkpoint Firewall-1, Cisco PIX/ASA, Cisco routers, Juniper/Netscreen, ipf/ipfw2 (FreeBSD), pf (OpenBSD), ipchains/iptables/ebtables (Linux), Watchguard, 8signs (Windows), and MS ISA Server (Windows). This release adds a new "after" rule option, a new DNS cache system (which shouldn't be used unless 100% necessary), Direct SQL write fixes, and various small bugfixes.