Mailing List Archive: Full Disclosure: Full-Disclosure

Sagan 0.2.1 [Security Event/Log Analyzer] Released.

cclark at quadrantsec

Apr 5, 2012, 7:39 AM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sagan version 0.2.1 has been released [http://sagan.quadrantsec.com]
====================================================================
Champ Clark III [cclark [at] quadrantsec]
http://www.quadrantsec.com

What is Sagan?
- --------------

Sagan Main Site: http://sagan.quadrantsec.com

Sagan is an open source (GNU/GPLv2) high performance, real-time log
analysis & correlation engine. It is written in C and uses a
multi-threaded architecture to deliver high performance log & event
analysis. The Sagan structure and Sagan rules work similarly to the
Sourcefire "Snort" IDS engine. This was intentionally done to maintain
compatibility with rule management software
(oinkmaster/pulledpork/etc) and allows Sagan to correlate log events
with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS
databases via unified2/barnyard2 or direct SQL access, it is
compatible with all Snort "consoles". For example, Sagan is compatible
with Snorby [http://www.snorby.org], Sguil
[http://sguil.sourceforge.net] and the Prelude IDS framework! For
more information, please visit the Sagan web site:
http://sagan.quadrantsec.com.

What's new in Sagan?
- --------------------

- - Native Snortsam [http://www.snortsam.net] support. Snortsam is a
firewall blocking agent for Snort. Sagan can now leverage Snortsam to
block attacks based on log analysis and normalization. Snortsam
currently supports Checkpoint Firewall-1, Cisco PIX/ASA, Cisco
routers, Juniper/Netscreen, ipf/ipfw2 (FreeBSD), pf (OpenBSD),
ipchains/iptables/ebtables (Linux), Watchguard, 8signs (Windows), and
MS ISA Server (Windows).

- - New "after" rule option. For example, "alert me after X number of
events". This works great with thresholding. For example, "Alert me
after X number events, but threshold by the source address when 10
events are reached".

- - New DNS cache system. Ideally, you will never need this feature but
in some environments it can't be avoided.

- - Several bug fixes/code clean up (SQL direct write improved, core
thread handling changed, etc)

What's in the future for Sagan?
- -------------------------------

- - New pre-processors for log analysis for better anomaly detection.
- - Better documentation.
- - New output plug-ins.

Where is an online demo?
- -----------------------

For an online demo of Sagan and Snorby in action, please go to:

http://demo.snorby.org
Username: demo [at] snorby
Password: snorby

You'll notice the "Sagan" sensor online and reporting log data.

Questions/Comments:
- ------------------

General questions about Sagan should be directed to the Sagan mailing
list. This can be found at
http://groups.google.com/group/sagan-users. You can also ask questions
on the Sagan IRC channel (irc.freenode.net #sagan). Author specific
questions should be directed to Champ Clark III (cclark [at] quadrantsec).

Thank you!

- --
- - Champ Clark III (cclark [at] quadrantsec)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPfa6YAAoJENnmXt7Lmc3KavUH/0HyLQLMNKf7aqpgsn3L3yB7
Yh3tqG7yRBLeSrD9B4M0PNSonnKYQNO8Xr/gyoDYlFHqKn6IPL9sM4880ZK+10TE
K5EXppdG9Hpvm7B7Xnmr2wn4cNGfC3XmGV7mDXb2QcSB9ZYKMiG/vtxNLtBd+7EI
4ji59n8FEtQzGlqcCTCnJ4/h3hbth2AiPuMXgOjLzTwH86hvisWVWu48INKQGdJ8
41duUfVhdZ3nYe+uGxBCKVjKd2wLSvYakzOcQ0SttYExPptsC5OrPBJiEfGPJC93
h9uyNhGb3Ap7aEl7UfnyJezilpapxp27V5nc9hJNokVDhqU5l1WBpDcWNYPHHrc=
=Mk0r
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
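The announcement describes combining an "after" rule option (alert only once X events from a source have been seen) with thresholding (then limit how often that source alerts). The following is an added illustration of that counting logic, written for this archive page; it is not Sagan's code and does not use Sagan's rule syntax. The sliding-window semantics, the class and function names, and the sshd-style sample log lines are all assumptions constructed here so the example runs offline.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (epoch timestamp, host, sshd-style message):
# 12 failed logins from one source, 3 from another, plus an unrelated line.
BASE_TS = 1333612800
SAMPLE_LOG = (
    [f"{BASE_TS + i} host1 sshd[4242]: Failed password for root "
     f"from 203.0.113.5 port 5{i:04d} ssh2" for i in range(12)]
    + [f"{BASE_TS + 20 + i} host1 sshd[4243]: Failed password for invalid "
       f"user admin from 198.51.100.7 port 6000 ssh2" for i in range(3)]
    + [f"{BASE_TS + 30} host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)"]
)

# Rule "content": a failed SSH password attempt; capture the source address.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)


class AfterThresholdRule:
    """Hypothetical re-implementation of 'after' + 'threshold (limit)' tracked by source.

    after:     fire only once `after_count` matching events from the same source
               have been seen within `after_seconds` (sliding window).
    threshold: emit at most `limit_count` alerts per source within `limit_seconds`.
    """

    def __init__(self, after_count, after_seconds, limit_count, limit_seconds):
        self.after_count = after_count
        self.after_seconds = after_seconds
        self.limit_count = limit_count
        self.limit_seconds = limit_seconds
        self._hits = defaultdict(deque)    # src -> timestamps of matching events
        self._sent = defaultdict(deque)    # src -> timestamps of emitted alerts

    @staticmethod
    def _prune(dq, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > window:
            dq.popleft()

    def on_event(self, src, ts):
        """Return True if an alert should be emitted for this matching event."""
        hits = self._hits[src]
        self._prune(hits, ts, self.after_seconds)
        hits.append(ts)
        if len(hits) < self.after_count:
            return False            # 'after' count not reached yet
        sent = self._sent[src]
        self._prune(sent, ts, self.limit_seconds)
        if len(sent) >= self.limit_count:
            return False            # thresholded: already alerted for this source
        sent.append(ts)
        return True


def parse_line(line):
    """Return (ts, src) when the line matches the rule content, else None."""
    ts_str, _, msg = line.partition(" ")
    m = FAILED_LOGIN.search(msg)
    if not m:
        return None
    return int(ts_str), m.group(1)


def run_rule(lines, rule):
    """Feed log lines through the rule; return the list of (ts, src) alerts."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        if rule.on_event(src, ts):
            alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    # "Alert after 10 failures from a source within 5 minutes, then at most
    # one alert per source per 5 minutes."
    rule = AfterThresholdRule(after_count=10, after_seconds=300,
                              limit_count=1, limit_seconds=300)
    for ts, src in run_rule(SAMPLE_LOG, rule):
        print(f"ALERT ts={ts} src={src}: 10+ failed SSH logins in window")
```

With the sample input only 203.0.113.5 reaches ten failures, so exactly one alert fires (on its tenth event) and the remaining two failures are absorbed by the threshold; the source with three failures never alerts. Both windows slide, so a source that goes quiet for longer than the window and then resumes must accumulate the full count again before alerting.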
