Hello,
I just pushed the Sagan/Snortsam code to the git repository. If you're not familiar with what "Snortsam" is, I'll briefly explain.
Snortsam is a client/server firewall communication system. The "client", which is now built into Sagan, can communicate with Snortsam "servers". Snortsam servers
can communicate with various firewalls. For example: Checkpoint, Cisco PIX/ASA/routers, Netscreen/Juniper firewalls, FreeBSD's ipfw2, OpenBSD's
pf, Linux iptables/ipchains/ebtables, Watchguard, 8signs (Windows firewall), MS ISA Server (Windows firewall/proxy) and CHX packet filter.
Picture this scenario. Sagan detects something via log analysis that is considered a credible threat. Sagan can not only "alert" you of the information, but can now
take proactive steps. Sagan can send, via Snortsam, a block message (firewall) to your network perimeter equipment.
This is a pretty interesting add-on to Sagan, as we can now block based on log analysis on the local machine or network wide! I'm not aware of any SIEM that's capable of this.
At the moment, the output-plugin (sagan-snortsam) is pretty new and needs much more testing. Right now, there are no rules enabled with the fwsam (snortsam) flag. If you'd
like to try it out, you'll need to add the fwsam: flag to your rules. For example:
fwsam: src, 1 week;
This tells Sagan, if the rule is triggered, to send a block based on the source address for a duration of 1 week. Over the next few weeks I plan on working on more documentation about this
and other Sagan features.
If you have any questions, please let me know. For more information on how to play with the latest source, please see:
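As an added example (not part of the announcement, and not Sagan's or Snortsam's own code), here is a small Python parser for the "fwsam: src, 1 week;" rule option described above. It extracts the option from a Sagan rule line, converts the duration to seconds, and computes the block expiry so a defender can reason about how long a given rule will keep an address blocked. The sample rule is constructed for this example; the "dst" target and the unit names other than "week" are assumptions, since the mail only shows "src" and "1 week".

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample rule for this example (not from the announcement). The
# header/body shape follows Sagan's Snort-like rule syntax; the fwsam option is
# the exact form shown in the mail.
SAMPLE_RULE = (
    'alert syslog $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"EXAMPLE SSH brute force"; content:"Failed password"; '
    'fwsam: src, 1 week; sid:9000001; rev:1;)'
)

# Seconds per unit. Only "week" appears in the mail; the other unit names are
# assumed for illustration.
UNIT_SECONDS = {
    "second": 1,
    "minute": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
}


@dataclass(frozen=True)
class FwsamAction:
    target: str   # "src" (from the mail); "dst" is an assumed alternative
    seconds: int  # block duration in seconds


def parse_duration(text: str) -> int:
    """Turn '1 week' or '15 minutes' into seconds; raise ValueError on bad input."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not m:
        raise ValueError(f"unparseable duration: {text!r}")
    count = int(m.group(1))
    unit = m.group(2).lower().rstrip("s")  # accept plural forms like "weeks"
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown duration unit: {unit!r}")
    return count * UNIT_SECONDS[unit]


def parse_fwsam(rule: str) -> Optional[FwsamAction]:
    """Extract the fwsam option from a rule line; None if the rule has none."""
    m = re.search(r"fwsam\s*:\s*(src|dst)\s*,\s*([^;]+);", rule)
    if not m:
        return None
    return FwsamAction(m.group(1), parse_duration(m.group(2)))


def block_entry(action: FwsamAction, src_ip: str, dst_ip: str, now: int) -> Tuple[str, int]:
    """Choose the address to block and compute the expiry time (epoch seconds)."""
    ip = src_ip if action.target == "src" else dst_ip
    return ip, now + action.seconds


def is_active(entry: Tuple[str, int], now: int) -> bool:
    """True while a block entry has not yet expired."""
    return now < entry[1]


if __name__ == "__main__":
    action = parse_fwsam(SAMPLE_RULE)
    print("parsed option:", action)
    # Constructed addresses (documentation ranges) and a fixed "now" for the demo.
    entry = block_entry(action, "203.0.113.5", "198.51.100.9", now=1_000_000)
    print("block entry (ip, expires_at):", entry)
```

A rule with no fwsam option yields None, so a caller can distinguish "alert only" rules from rules that will trigger a firewall block; checking the computed expiry against the current time is how a local block table would age entries out.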