Sagan v0.3.0 Released

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/ OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis.

Sagan’s structure and rules work similarly to the Sourcefire “Snort” IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork /etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort “consoles”. For example, Sagan is will work with Snorby (, Sguil (, BASE, the Prelude IDS framework ( and proprietary consoles! (to name a few).

Changelog v0.3.0

  • The biggest change is that Sagan is now capable of utilizing all CPUs/cores. While Sagan has always been multi-threaded to prevent I/O blocking, previous versions could only utilize one core for event analysis. This is no longer the case–Sagan will now use any and all CPUs available, which means that Sagan can digest, parse and analyze even higher number of events per/second.
  • Introduction of “processors.” Processors provide Sagan the ability to analyze logs using methods other than traditional signature based technology.

Current Processors are:

  • Blacklist – Search log messages for blacklisted IP addresses.
  • Search – Search logs for keyword terms (ie – domain names, etc)
  • Track Clients – Informs you when systems aren’t logging properly.
  • Websense Threatseeker – Queries the Websense Threatseeker network for reputation data (Not include with the GPLv2 release).

More processors are currently in development.

  • The direct SQL output plugin has been removed, in order to maintain full compatibility with Snort. To write to a SQL database, use Unified2 output and Barnyard2.
  • Introduction of port variables ($SSH_PORT, $DNS_PORT) in rules.
  • More normalization and parsing options (parse_src_ip, parse_proto, etc).
  • Sagan currently has over five thousand signatures/rules.

More Information: here

Download Sagan v0.3.0

Thank you Champ Clark III, for sharing this tool with us. 😉

MaxiSoler @maxisoler