PaulDotCom mailing list archives
Sagan 0.3.0 log analysis engine released!
From: Champ Clark III <cclark () quadrantsec com>
Date: Tue, 30 Apr 2013 13:18:10 -0400
What is Sagan?
~~~~~~~~~~~~~~

Sagan main site: http://sagan.quadrantsec.com

Sagan is an open source (GNU/GPLv2) high-performance, real-time log analysis & correlation engine that runs under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). Sagan is written in C and uses a multi-threaded architecture to deliver high-performance log & event analysis.

Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. Designing Sagan to function similarly to Snort provides numerous benefits, including compatibility with rule management software (oinkmaster/pulledpork/etc), output to Snort databases via Unified2/Barnyard2, and advanced correlation capabilities between log events and existing Snort IDS/IPS data. Additionally, Sagan is compatible with ALL Snort consoles: Snorby (http://www.snorby.org), Sguil (http://sguil.sourceforge.net), BASE, the Prelude IDS framework, and even proprietary consoles!

Sagan supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall support via "Snortsam" (see http://www.snortsam.net), and much more.

What is new with Sagan 0.3.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The biggest change is that Sagan is now capable of utilizing all CPUs/cores. While Sagan has always been multi-threaded to prevent I/O blocking, previous versions could only utilize one core for event analysis. This is no longer the case. Sagan will now use any and all CPUs available, which means that Sagan can digest, parse and analyze an even higher number of events per second.

- Introduction of "processors." Processors provide Sagan the ability to analyze logs using methods other than traditional signature-based technology. Current processors are:

  * Blacklist - Search log messages for blacklisted IP addresses.
  * Search - Search logs for keyword terms (i.e. domain names, etc.)
  * Track Clients - Informs you when systems aren't logging properly.
  * Websense Threatseeker - Queries the Websense Threatseeker network for reputation data (not included with the GPLv2 release).

  More processors are currently in development.

- The direct SQL output plugin has been removed, in order to maintain full compatibility with Snort. To write to a SQL database, use Unified2 output and Barnyard2 (https://github.com/firnsy/barnyard2).

- Introduction of port variables ($SSH_PORT, $DNS_PORT) in rules.

- More normalization and parsing options (parse_src_ip, parse_proto, etc).

- Sagan currently has over five thousand signatures/rules (https://github.com/beave/sagan-rules).

******************************************************************************
* Sagan is used as part of Quadrant Information Security services. For more  *
* information about those services, please see https://quadrantsec.com       *
******************************************************************************

--
Quadrant Information Security
Champ Clark III
o: 800.538.9357 x 101