-----------------------
Had a situation where a syslog forwarder was sending both source IP
information _and_ hostname information. I wrote into Sagan a new flag:
syslog_src_lookup (in the sagan.conf file)
This flag tells Sagan to:
1) Verify the inbound syslog message has a valid "IP address".
2) If the source IP address is not valid, it's likely a hostname. Check the current Sagan DNS cache to see if a lookup has been performed before.
3) If found in the Sagan cache, use the cached value.
4) If the value is not found in the Sagan cache, perform a DNS lookup. Stick the DNS lookup value into the Sagan cache.
5) If the DNS lookup fails, replace the syslog host IP with config->sagan_host (Sagan's host IP address).
Note: README README README. In a properly set up environment you
won't need this option. DO NOT USE IT, unless you have no other
choice! For example, you don't have control of a syslog forwarder or
the syslog forwarder is broken.
Also, keep in mind, this has nothing to do with syslog normalization
via liblognorm. Liblognorm will override these options when
possible. Liblognorm is usually more accurate when determining true
IP addresses.
-----------------------
If syslog_src_lookup is _not_ set, we trust that the syslog server is
sending us valid values. In older code, Sagan only checked that the
syslog source IP was not NULL. We now test to make sure that it's not
NULL and is a valid IP address. If it is not a valid IP address, we
replace the value with config->sagan_host.
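The decision path described in both parts of the note (the five syslog_src_lookup steps, and the stricter "valid IP or config->sagan_host" check when the flag is off), written out as an added C example. This is not Sagan's code: the function names, the fixed-size cache, the `resolver_fn` callback and the `sagan_host` value are assumptions made here so the logic can be exercised offline; `dns_resolve` shows what a real resolver would look like with getaddrinfo(3), while `fake_resolver` is a constructed stand-in used so the example runs without network access.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>

/* Added example (not Sagan's own code). Names and cache layout are assumptions. */

#define CACHE_SIZE 64
#define HOST_LEN   256
#define ADDR_LEN   INET6_ADDRSTRLEN

/* Constructed stand-in for config->sagan_host. */
static const char *sagan_host = "10.0.0.1";

/* Resolver callback: returns 1 and fills `out` on success, 0 on failure.
 * Injected so the example (and its test) can run offline. */
typedef int (*resolver_fn)(const char *host, char *out, size_t outlen);

struct cache_entry { char host[HOST_LEN]; char addr[ADDR_LEN]; };
static struct cache_entry dns_cache[CACHE_SIZE];
static int dns_cache_count = 0;

/* Step 1: is the string a well-formed IPv4 or IPv6 address (and not NULL/empty)? */
int is_valid_ip(const char *s) {
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL || *s == '\0') return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Steps 2/3: linear scan of a small bounded cache keyed by hostname. */
static const char *cache_lookup(const char *host) {
    for (int i = 0; i < dns_cache_count; i++)
        if (strcmp(dns_cache[i].host, host) == 0) return dns_cache[i].addr;
    return NULL;
}

/* Step 4: remember a successful lookup; when full, new entries are simply not cached. */
static void cache_insert(const char *host, const char *addr) {
    if (dns_cache_count >= CACHE_SIZE) return;
    snprintf(dns_cache[dns_cache_count].host, HOST_LEN, "%s", host);
    snprintf(dns_cache[dns_cache_count].addr, ADDR_LEN, "%s", addr);
    dns_cache_count++;
}

/* Real resolver for deployment: first A/AAAA answer from getaddrinfo(3). */
int dns_resolve(const char *host, char *out, size_t outlen) {
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL) return 0;
    void *addr = (res->ai_family == AF_INET)
        ? (void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr
        : (void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
    int ok = inet_ntop(res->ai_family, addr, out, outlen) != NULL;
    freeaddrinfo(res);
    return ok;
}

/* Constructed offline resolver standing in for DNS: one known host, all else fails. */
int fake_resolver(const char *host, char *out, size_t outlen) {
    if (strcmp(host, "fw01.example") == 0) { snprintf(out, outlen, "%s", "192.0.2.10"); return 1; }
    return 0;
}

/* Which branch produced the address; handy for counters or a "bad forwarder" alert. */
enum src_result { SRC_VALID_IP, SRC_CACHE_HIT, SRC_DNS_RESOLVED, SRC_FALLBACK };

/* Normalise the syslog source field. With syslog_src_lookup off, anything that is
 * not a valid IP becomes sagan_host (step 5) without touching cache or DNS. */
enum src_result syslog_source(const char *src, int syslog_src_lookup,
                              resolver_fn resolver, char *out, size_t outlen) {
    if (is_valid_ip(src)) { snprintf(out, outlen, "%s", src); return SRC_VALID_IP; }
    if (syslog_src_lookup && src != NULL && *src != '\0') {
        const char *hit = cache_lookup(src);
        if (hit) { snprintf(out, outlen, "%s", hit); return SRC_CACHE_HIT; }
        char resolved[ADDR_LEN];
        if (resolver(src, resolved, sizeof resolved)) {
            cache_insert(src, resolved);
            snprintf(out, outlen, "%s", resolved);
            return SRC_DNS_RESOLVED;
        }
    }
    snprintf(out, outlen, "%s", sagan_host);
    return SRC_FALLBACK;
}

int main(void) {
    char out[ADDR_LEN];
    /* Constructed inputs: a real IP, a hostname twice (miss then hit), an unresolvable name. */
    const char *inputs[] = { "192.0.2.5", "fw01.example", "fw01.example", "nope.invalid", NULL };
    for (int i = 0; inputs[i]; i++) {
        int r = syslog_source(inputs[i], 1, fake_resolver, out, sizeof out);
        printf("%-14s -> %-16s (branch %d)\n", inputs[i], out, r);
    }
    return 0;
}
```

Pass `dns_resolve` instead of `fake_resolver` to exercise the real lookup. Returning the branch as an enum rather than only the address is a small addition over the note, but it is what lets you count how often a forwarder is shipping hostnames or unresolvable names, which is the signal that the forwarder itself needs fixing.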
-- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJPWrzUAAoJENnmXt7Lmc3KisQH/iiSba3gunpcJ/+j0UwxintS
DDQuSKSE9LRW8imiEvbu8UdcQzNvuFX3e7um2aBwRwnlw7n5nQ1Zr8AoALNP9sVS
1mcIIC8no3/HArENl/+uRKaOmyGPB5m8+bkrMRe/UR5fy9IDS9qhfrAd6VZ1ZcoQ
9j4C/nFP5iNQ/tBMsJnO5ekp5GbLM0QwkhpxqaFd0WdKGy9eQHgrqTNDk4ySDwZK
U0qV6Bctzou1JGPeDzAuIlctCqjQbuhDakZ/882HUJneWiW5DS1ZgtGNtu2xh4dN
14usxRU63xYO4sjEr8AvDB5xBH2SvXixnWB7YDF/sQQhTn5s6e4Dm1wa4NPA/MU=
=44aP
-----END PGP SIGNATURE-----