PaulDotCom mailing list archives

Sagan 0.3.0 log analysis engine released!


From: Champ Clark III <cclark () quadrantsec com>
Date: Tue, 30 Apr 2013 13:18:10 -0400



What is Sagan?
~~~~~~~~~~~~~~

Sagan main site: http://sagan.quadrantsec.com

Sagan is an open source (GNU/GPLv2) high-performance, real-time log
analysis & correlation engine that runs under *nix operating systems
(Linux/FreeBSD/OpenBSD/etc).  Sagan is written in C and uses a
multi-threaded architecture to deliver high performance log & event
analysis.  Sagan's structure and rules work similarly to the Sourcefire
"Snort" IDS/IPS engine.  Designing Sagan to function similarly to Snort
provides numerous benefits, including compatibility with rule management
software (oinkmaster/pulledpork/etc), output to Snort databases via
Unified2/Barnyard2, and advanced correlation capabilities between log
events and existing Snort IDS/IPS data.  Additionally, Sagan is
compatible with ALL Snort consoles: Snorby (http://www.snorby.org),
Sguil (http://sguil.sourceforge.net), BASE, the Prelude IDS framework,
and even proprietary consoles!

Sagan supports many different output formats, log normalization (via
liblognorm), script execution on event detection, automatic firewall
support via "Snortsam" (see http://www.snortsam.net), and much more.

What is new with Sagan 0.3.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The biggest change is that Sagan is now capable of utilizing all
CPUs/cores.  While Sagan has always been multi-threaded to prevent I/O
blocking, previous versions could only utilize one core for event
analysis.  This is no longer the case.  Sagan will now use any and all
CPUs available, which means that Sagan can digest, parse and analyze an
even higher number of events per second.

- Introduction of "processors."  Processors provide Sagan the ability
to analyze logs using methods other than traditional signature-based
technology.

  Current processors are:

  * Blacklist - Search log messages for blacklisted IP addresses.
  * Search - Search logs for keyword terms (i.e. domain names, etc.).
  * Track Clients - Informs you when systems aren't logging properly.
  * Websense Threatseeker - Queries the Websense Threatseeker network
    for reputation data (not included with the GPLv2 release).

  More processors are currently in development.
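The Blacklist and Track Clients processors are described above only in outline. As an added illustration that is not Sagan's code, the following Python script does both jobs in miniature over a few constructed syslog lines: it extracts IPv4 addresses from each message and matches them against a blacklist of single addresses and CIDR ranges, and it reports expected hosts whose most recent log line is older than a silence threshold (or that have never logged). The log lines, hostnames, blacklist entries and the year 2013 assumed for the year-less syslog timestamps are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines for the demo (not real traffic).
SAMPLE_LOGS = [
    "Apr 30 13:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2",
    "Apr 30 13:01:10 web01 sshd[2203]: Accepted publickey for deploy from 192.0.2.17 port 40010 ssh2",
    "Apr 30 13:02:30 db01 postgres[811]: connection received: host=198.51.100.9 port=55321",
    'Apr 30 13:03:05 web01 nginx: 203.0.113.200 - - "GET /index.html HTTP/1.1" 200',
]

# Constructed blacklist: bare addresses and CIDR ranges, one per entry.
BLACKLIST = ["203.0.113.45", "198.51.100.0/24"]

# Syslog timestamps carry no year; this value is assumed for the demo.
LOG_YEAR = 2013

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ts(text):
    """Parse a 'Mon DD HH:MM:SS' syslog timestamp using the assumed year."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_syslog(line):
    """Split a syslog line into timestamp, reporting host and message; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m.group("ts")), "host": m.group("host"), "msg": m.group("msg")}


def load_blacklist(entries):
    """Turn blacklist entries into network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def blacklist_hits(lines, blacklist):
    """Return (reporting host, matched IP) for every IPv4 address that falls in a blacklisted network."""
    nets = load_blacklist(blacklist)
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        for ip_str in IPV4_RE.findall(rec["msg"]):
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:
                continue  # e.g. "999.1.1.1" matches the regex but is not an address
            if any(ip in net for net in nets):
                hits.append((rec["host"], ip_str))
    return hits


def silent_clients(lines, expected_hosts, now, max_silence=timedelta(minutes=5)):
    """Return expected hosts whose newest log line is older than max_silence at 'now', or that never logged.

    'now' is given in the same 'Mon DD HH:MM:SS' form as the log timestamps.
    """
    now_ts = parse_ts(now)
    last_seen = {}
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        prev = last_seen.get(rec["host"])
        if prev is None or rec["ts"] > prev:
            last_seen[rec["host"]] = rec["ts"]
    silent = [h for h in expected_hosts
              if h not in last_seen or now_ts - last_seen[h] > max_silence]
    return sorted(silent)


if __name__ == "__main__":
    for host, ip in blacklist_hits(SAMPLE_LOGS, BLACKLIST):
        print(f"blacklist hit: {ip} seen in log from {host}")
    for host in silent_clients(SAMPLE_LOGS, ["web01", "db01", "fw01"], "Apr 30 13:08:00"):
        print(f"track clients: no recent logs from {host}")
```

The blacklist check deliberately matches against network objects rather than string equality, so a single `/24` entry covers a whole range; the Track Clients check keys on the syslog host field, so a host whose clock or hostname is misconfigured will show up as silent, which is usually what you want to hear about.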

- The direct SQL output plugin has been removed, in order to maintain
full compatibility with Snort.  To write to a SQL database, use
Unified2 output and Barnyard2 (https://github.com/firnsy/barnyard2).

- Introduction of port variables ($SSH_PORT, $DNS_PORT) in rules.

- More normalization and parsing options (parse_src_ip, parse_proto, etc).

- Sagan currently has over five thousand signatures/rules
(https://github.com/beave/sagan-rules).

Sagan is used as part of Quadrant Information Security services.  For
more information about those services, please see https://quadrantsec.com

-- 
Quadrant Information Security
Champ Clark III
o: 800.538.9357 x 101
