Sagan version 0.2.1 has been released [http://sagan.quadrantsec.com]
====================================================================
Champ Clark III [ccl...@quadrantsec.com]
http://www.quadrantsec.com
What is Sagan?
--------------
Sagan Main Site: http://sagan.quadrantsec.com
Sagan is an open source (GNU/GPLv2) high performance, real-time log
analysis & correlation engine. It is written in C and uses a
multi-threaded architecture to deliver high performance log & event
analysis. The Sagan structure and Sagan rules work similarly to the
Sourcefire "Snort" IDS engine. This was intentionally done to maintain
compatibility with rule management software
(oinkmaster/pulledpork/etc) and allows Sagan to correlate log events
with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS
databases via unified2/barnyard2 or direct SQL access, it is
compatible with all Snort "consoles". For example, Sagan is compatible
with Snorby [http://www.snorby.org], Sguil
[http://sguil.sourceforge.net] and the Prelude IDS framework! For
more information, please visit the Sagan web site:
http://sagan.quadrantsec.com.
What's new in Sagan?
--------------------
- Native Snortsam [http://www.snortsam.net] support. Snortsam is a
firewall blocking agent for Snort. Sagan can now leverage Snortsam to
block attacks based on log analysis and normalization. Snortsam
currently supports Checkpoint Firewall-1, Cisco PIX/ASA, Cisco
routers, Juniper/Netscreen, ipf/ipfw2 (FreeBSD), pf (OpenBSD),
ipchains/iptables/ebtables (Linux), Watchguard, 8signs (Windows), and
MS ISA Server (Windows).
- New "after" rule option. For example, "alert me after X number of
events". This works great with thresholding. For example, "Alert me
after X number events, but threshold by the source address when 10
events are reached".
- New DNS cache system. Ideally, you will never need this feature but
in some environments it can't be avoided.
- Several bug fixes/code clean up (SQL direct write improved, core
thread handling changed, etc.)
What's in the future for Sagan?
-------------------------------
- New pre-processors for log analysis for better anomaly detection.
- Better documentation.
- New output plug-ins.
Where is an online demo?
-----------------------
For an online demo of Sagan and Snorby in action, please go to:
http://demo.snorby.org
Username: de...@snorby.org
Password: snorby
You'll notice the "Sagan" sensor online and reporting log data.
Questions/Comments:
------------------
General questions about Sagan should be directed to the Sagan mailing
list. This can be found at
http://groups.google.com/group/sagan-users. You can also ask questions
on the Sagan IRC channel (irc.freenode.net #sagan). Author specific
questions should be directed to Champ Clark III (ccl...@quadrantsec.com).
Thank you!
--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
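The "after" plus threshold behaviour described in the announcement (fire once a source has produced N events, then rate-limit further alerts from that source) can be modelled with a small stateful detector. The following is an added example, not Sagan's code and not its rule syntax: it assumes syslog-style sshd failure lines, tracks events per source address in a sliding window, and uses hypothetical parameter names (after_count, after_seconds, threshold_seconds). The sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not real data): one noisy source, one quiet one,
# an unrelated cron line, and a second burst from the noisy source six
# minutes later, after the threshold window has expired.
SAMPLE_LOG = """\
Apr  5 10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  5 10:00:02 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Apr  5 10:00:03 host1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Apr  5 10:00:04 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr  5 10:00:05 host1 sshd[2209]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr  5 10:00:06 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51027 ssh2
Apr  5 10:00:07 host1 sshd[2213]: Failed password for root from 203.0.113.7 port 51028 ssh2
Apr  5 10:00:08 host1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)
Apr  5 10:00:10 host1 sshd[2215]: Failed password for root from 198.51.100.9 port 40001 ssh2
Apr  5 10:00:11 host1 sshd[2217]: Failed password for root from 198.51.100.9 port 40002 ssh2
Apr  5 10:06:00 host1 sshd[2301]: Failed password for root from 203.0.113.7 port 51100 ssh2
Apr  5 10:06:01 host1 sshd[2303]: Failed password for root from 203.0.113.7 port 51101 ssh2
Apr  5 10:06:02 host1 sshd[2305]: Failed password for root from 203.0.113.7 port 51102 ssh2
Apr  5 10:06:03 host1 sshd[2307]: Failed password for root from 203.0.113.7 port 51103 ssh2
Apr  5 10:06:04 host1 sshd[2309]: Failed password for root from 203.0.113.7 port 51104 ssh2
"""

# Matches the syslog timestamp and the source address of an sshd failure.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>[\d.]+)"
)


def parse(line):
    """Return (timestamp, src) for an sshd failure line, or None otherwise."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src")


class AfterThresholdRule:
    """Hypothetical model of 'after' + 'threshold' tracked by source:
    after: alert only once a source has produced after_count events within
    after_seconds; threshold: then at most one alert per source per
    threshold_seconds, further matches being counted as suppressed."""

    def __init__(self, after_count, after_seconds, threshold_seconds):
        self.after_count = after_count
        self.after_window = timedelta(seconds=after_seconds)
        self.threshold_window = timedelta(seconds=threshold_seconds)
        self.events = defaultdict(deque)  # src -> timestamps inside the window
        self.last_alert = {}              # src -> time of the last alert
        self.suppressed = 0

    def feed(self, ts, src):
        """Record one event; return (src, ts, count) if an alert should fire."""
        q = self.events[src]
        q.append(ts)
        while q and ts - q[0] > self.after_window:  # drop expired events
            q.popleft()
        if len(q) < self.after_count:                # "after" not yet reached
            return None
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.threshold_window:
            self.suppressed += 1                     # thresholded by source
            return None
        self.last_alert[src] = ts
        return (src, ts, len(q))


def run(log_text, rule):
    """Feed every parseable line to the rule and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        alert = rule.feed(*parsed)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    rule = AfterThresholdRule(after_count=5, after_seconds=60, threshold_seconds=300)
    for src, ts, count in run(SAMPLE_LOG, rule):
        print(f"ALERT {ts:%H:%M:%S} {src}: {count} failures in window")
    print(f"suppressed by threshold: {rule.suppressed}")
```

With these parameters the noisy source fires once at its fifth failure, its sixth and seventh matches are suppressed, the quiet source never reaches the "after" count, and the second burst fires again because the 300-second threshold window has passed.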
Hi,
The tarball for the 0.2.1 release contains unwanted files like the .git
directory and stuff generated by the configure script. It may be a
good idea not to generate a new (clean) tarball ;)
Cheers,
Pierre
Thank you Pierre,
I need to sit down and make a "check off" list of what needs to be done
when a new release comes out. I obviously forgot to do that! I'll
make a new release/tarball today that'll have that stuff removed.
Thank you for noticing and letting me know!
--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-Gary
Just saw that myself, that's great to see. Let me know how it works
out for you!
--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
Thanks again Pierre,
I've cleaned it up and re-packaged it as "sagan-0.2.1-r1.tar.gz"
(linked to sagan-current.tar.gz). Cleared out the .git and autoconf
mess.
Let me know if you see any other issues.
--
Quadrant Information Security [http://quadrantsec.com]
Champ Clark III [ccl...@quadrantsec.com]
o: 904.253.7856
c: 850.443.2440