Published on September 1st, 2012 | by NJ Ouchn0
Sagan v0.2.2 r2 released
Sagan is a multi-threaded, real time system and event log monitoring system, but with a twist. Sagan uses a “Snort” like rule set for detecting bad things happening on your network and/or computer systems. If Sagan detects a “bad thing” happening, that event can be stored to a Snort database (MySQL/PostgreSQL) and Sagan will attempt to correlate the event with your Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system. Sagan is basically a SIEM (Security Information & Log Management) system.
- Sagan is fast – Sagan is written in C and is a multi-threaded application. Sagan is threaded to prevent blocking Input/Output (I/O). For example, data processing doesn’t stop when an SQL query is needed.
- Sagan uses a “Snort” like rule set – If you’re a user of “Snort” and understand Snort rule sets, then you already understand Sagan rule sets. Essentially, Sagan is compatible with Snort rule management utilities. For example, “oinkmaster” and “pulledpork”.
- Sagan can log to Snort databases – Sagan will operate as a separate “sensor” ID to a Snort database. This means, your IDS/IPS events from Snort will remain separate from your Sagan (syslog/event log). Since Sagan can utilize Snort databases, using Snort front-ends like BASE and Snorbywill not only work with your IDS/IPS event, but also with your syslog/events as well!
- Sagan output formats – You don’t have to be a Snort user to use Sagan. Sagan supports multiple output formats, such as a standard output file log format (similar to Snort), e-mailing of alerts (via libesmtp), Unified2 output support and external based programs that you can develop using the language you prefer (Perl/Python/C/etc).
- Sagan log normalization – Sagan uses various methods to “normalize” logs. This allows Sagan to extract useful information for log messages for better correlation. For example, Sagan uses liblognormand other techniques for log normalization.
- Sagan is actively developed – Quadrant Information Security actively develops and maintains the Sagan source code and rule sets. Quadrant Information Security uses Sagan to monitor security related log events on a 24/7 basis.