Full Disclosure mailing list archives
Sagan 0.2.1 [Security Event/Log Analyzer] Released.
From: Champ Clark III <cclark () quadrantsec com>
Date: Thu, 05 Apr 2012 10:39:20 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sagan version 0.2.1 has been released [http://sagan.quadrantsec.com]
====================================================================
Champ Clark III [cclark () quadrantsec com]
http://www.quadrantsec.com

What is Sagan?
- --------------

Sagan Main Site: http://sagan.quadrantsec.com

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis.

The Sagan structure and Sagan rules work similarly to the Sourcefire "Snort" IDS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS databases via unified2/barnyard2 or direct SQL access, it is compatible with all Snort "consoles". For example, Sagan is compatible with Snorby [http://www.snorby.org], Sguil [http://sguil.sourceforge.net] and the Prelude IDS framework!

For more information, please visit the Sagan web site: http://sagan.quadrantsec.com.

What's new in Sagan?
- --------------------

- - Native Snortsam [http://www.snortsam.net] support. Snortsam is a firewall blocking agent for Snort. Sagan can now leverage Snortsam to block attacks based on log analysis and normalization. Snortsam currently supports Checkpoint Firewall-1, Cisco PIX/ASA, Cisco routers, Juniper/Netscreen, ipf/ipfw2 (FreeBSD), pf (OpenBSD), ipchains/iptables/ebtables (Linux), Watchguard, 8signs (Windows), and MS ISA Server (Windows).

- - New "after" rule option - For example, "alert me after X number of events". This works great with thresholding. For example, "Alert me after X number of events, but threshold by the source address when 10 events are reached".

- - New DNS cache system - Ideally, you will never need this feature but in some environments it can't be avoided.

- - Several bug fixes/code clean up (SQL direct write improved, core thread handling changed, etc)

What's in the future for Sagan?
- -------------------------------

- - New pre-processors for log analysis for better anomaly detection.
- - Better documentation.
- - New output plug-ins.

Where is an online demo?
- -----------------------

For an online demo of Sagan and Snorby in action, please go to:

http://demo.snorby.org
Username: demo () snorby org
Password: snorby

You'll notice the "Sagan" sensor online and reporting log data.

Questions/Comments:
- ------------------

General questions about Sagan should be directed to the Sagan mailing list. This can be found at http://groups.google.com/group/sagan-users. You can also ask questions on the Sagan IRC channel (irc.freenode.net #sagan). Author specific questions should be directed to Champ Clark III (cclark () quadrantsec com).

Thank you!

- --
- - Champ Clark III (cclark () quadrantsec com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPfa6YAAoJENnmXt7Lmc3KavUH/0HyLQLMNKf7aqpgsn3L3yB7
Yh3tqG7yRBLeSrD9B4M0PNSonnKYQNO8Xr/gyoDYlFHqKn6IPL9sM4880ZK+10TE
K5EXppdG9Hpvm7B7Xnmr2wn4cNGfC3XmGV7mDXb2QcSB9ZYKMiG/vtxNLtBd+7EI
4ji59n8FEtQzGlqcCTCnJ4/h3hbth2AiPuMXgOjLzTwH86hvisWVWu48INKQGdJ8
41duUfVhdZ3nYe+uGxBCKVjKd2wLSvYakzOcQ0SttYExPptsC5OrPBJiEfGPJC93
h9uyNhGb3Ap7aEl7UfnyJezilpapxp27V5nc9hJNokVDhqU5l1WBpDcWNYPHHrc=
=Mk0r
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
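The announcement's "after" rule option combined with thresholding ("alert me after X events, then threshold by source address") is the kind of per-source event counting a log correlation engine does. The Python below is an added illustration of that counting logic, not Sagan's code and not Sagan's rule syntax; the exact semantics (an alert fires once a source reaches `after` matching events inside the window, and after that only once per `threshold` further events) are assumed here, modeled on Snort-style rule options. The log lines, rule name and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (format "<epoch-seconds> <host> <message>").
SAMPLE_LOG = """\
1 gw sshd[101]: Failed password for root from 10.0.0.5 port 40001
2 gw sshd[101]: Failed password for root from 10.0.0.5 port 40002
3 gw sshd[101]: Failed password for admin from 10.0.0.9 port 50001
4 gw sshd[101]: Failed password for root from 10.0.0.5 port 40003
5 gw sshd[101]: Accepted password for alice from 10.0.0.7 port 40010
6 gw sshd[101]: Failed password for root from 10.0.0.5 port 40004
7 gw sshd[101]: Failed password for root from 10.0.0.5 port 40005
8 gw sshd[101]: Failed password for root from 10.0.0.5 port 40006
400 gw sshd[101]: Failed password for root from 10.0.0.5 port 40007
"""

EVENT_RE = re.compile(r"^(?P<ts>\d+) \S+ (?P<msg>.*)$")
SRC_RE = re.compile(r" from (?P<src>\d+\.\d+\.\d+\.\d+)")


@dataclass
class Rule:
    name: str       # hypothetical rule name used in the alert text
    pattern: str    # substring the log message must contain to match
    after: int      # suppress alerts until this many matches from one source
    threshold: int  # then alert once per this many further matches
    window: int     # seconds; a source's counter restarts after this much silence


@dataclass
class _SourceState:
    count: int = 0
    first_ts: int = 0


class Correlator:
    """Counts matching events per source address and applies after/threshold."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.state = defaultdict(_SourceState)

    def feed(self, line: str):
        """Return an alert string if this line triggers an alert, else None."""
        m = EVENT_RE.match(line)
        if not m or self.rule.pattern not in m["msg"]:
            return None
        s = SRC_RE.search(m["msg"])
        if not s:
            return None  # matched but no source address to track by
        src, ts = s["src"], int(m["ts"])
        st = self.state[src]
        # Start a fresh counting window if this is the first event from the
        # source or the previous window has expired.
        if st.count == 0 or ts - st.first_ts > self.rule.window:
            st.count, st.first_ts = 0, ts
        st.count += 1
        n = st.count
        if n < self.rule.after:
            return None  # "after": not enough events from this source yet
        # First alert exactly at 'after'; afterwards one per 'threshold' events.
        if n == self.rule.after or (n - self.rule.after) % self.rule.threshold == 0:
            return f"{self.rule.name} src={src} count={n}"
        return None


def run(log_text: str, rule: Rule):
    """Feed every line through one Correlator and collect the alerts."""
    c = Correlator(rule)
    return [a for a in (c.feed(line) for line in log_text.splitlines()) if a]


if __name__ == "__main__":
    rule = Rule("ssh-bruteforce", "Failed password", after=3, threshold=2, window=60)
    for alert in run(SAMPLE_LOG, rule):
        print(alert)
```

With `after=3, threshold=2`, the sample produces two alerts for 10.0.0.5 (at its 3rd and 5th failures inside the window), nothing for the single failure from 10.0.0.9, and nothing for the late failure at second 400, because the window has expired and counting restarts. Setting both options to 1 degrades to "alert on every match", which shows how much noise the "after" option removes.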