Sagan v1.2: analyze logs (syslog/event log/snmptrap/netflow/etc)
What is Sagan?
Sagan is an open source (GNU/GPLv2), high-performance, real-time log analysis and correlation engine. It is written in C and uses a multi-threaded architecture to deliver high-performance log and event analysis. The Sagan structure and Sagan rules work similarly to the Sourcefire “Snort” IDS engine. This was done intentionally to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and to allow Sagan to correlate log events with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS databases via unified2/barnyard2, it is compatible with all Snort “consoles”, for example Snorby [http://www.snorby.org], Sguil [http://sguil.sourceforge.net], BASE and the Prelude IDS framework, to name a few.
Sagan supports many different output formats, log normalization (via liblognorm), GeoIP detection, script execution on the event and automatic firewall support via “Snortsam” (see http://www.snortsam.net).
Features
- Sagan’s multi-threaded architecture allows it to use all CPUs / cores for real-time log processing.
- Sagan’s CPU and memory resources are lightweight.
- It uses a similar rule syntax to Cisco’s “Snort” which allows for easy rule management and correlation with Snort or Suricata IDS / IPS systems.
- It can store alert data in Cisco’s “Snort” native “unified2” binary data format or Suricata’s JSON format for easier log-to-packet correlation.
- It is compatible with popular graphical-base security consoles like Snorby, BASE, Sguil, and EveBox.
- It can easily export data from other SIEMs via syslog.
- It can track events based on geographic locations via IP address source or destination data (e.g., identifying logins from strange geographic locations).
- It can monitor usage based on time of day (e.g., writing a rule to trigger when an administrator logs in at 3:00 AM).
- It has multiple means of parsing and extracting data through liblognorm or built-in parsing rule options like parse_src_ip, parse_dst_ip, parse_port, parse_string, parse_hash (MD5, SHA1, SHA256).
- It can query custom blacklists, Bro Intel subscriptions like Critical Stack and “Bluedot”, Quadrant Information Security threat intelligence feeds by IP address, hashes (MD5, SHA1, SHA256), URLs, emails, usernames, and much more.
- Sagan’s “client tracking” can inform you when machines start or stop logging. This helps you verify that you are getting the data you need.
- It uses “xbits” to correlate data between log events which allows Sagan to “remember” and flag events across multiple log lines and sources.
- It uses Intra-Process communications between Sagan processes to share data. Sagan can also use Redis (beta) to share data between Sagan instances within a network.
- To help reduce “alert fatigue”, Sagan can “threshold” or only alert “after” certain criteria have been met.
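The "threshold" and "xbits" features above are easiest to understand as two small pieces of state kept per source: a sliding-window counter that fires once when enough matching events arrive within a time span, and a named, expiring flag that a later rule can test. The following Python is an added example that re-implements those two ideas over constructed sshd lines; it is not Sagan's code, the log lines are made up, and the exact semantics (alert once per window, flags tracked by source IP, expiry in seconds) are assumptions modelled on how Sagan's rule options are described, not a statement of how Sagan implements them.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines as (seconds, message) pairs; not from the original page.
# One host fails five times and then succeeds; a second host fails once and then succeeds.
SAMPLE_LOGS = [
    (0,  "sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2"),
    (10, "sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2"),
    (20, "sshd[1203]: Failed password for admin from 203.0.113.7 port 51124 ssh2"),
    (25, "sshd[1204]: Failed password for root from 198.51.100.9 port 40001 ssh2"),
    (30, "sshd[1205]: Failed password for root from 203.0.113.7 port 51125 ssh2"),
    (40, "sshd[1206]: Failed password for root from 203.0.113.7 port 51126 ssh2"),
    (45, "sshd[1207]: Accepted password for root from 203.0.113.7 port 51127 ssh2"),
    (50, "sshd[1208]: Accepted password for alice from 198.51.100.9 port 40002 ssh2"),
]

FAILED = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


class Threshold:
    """Sliding-window counter: fire once per source when `count` hits land within `seconds`.
    Assumed semantics, modelled on a 'limit'-style threshold tracked by source."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.hits = defaultdict(deque)  # src -> timestamps inside the current window

    def hit(self, src, ts):
        window = self.hits[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()            # drop events that fell out of the window
        if len(window) >= self.count:
            window.clear()              # alert once, then start counting afresh
            return True
        return False


class XBits:
    """Named flags with expiry, keyed by source IP: the 'remember across log lines' idea."""

    def __init__(self):
        self.bits = {}                  # (name, src) -> expiry timestamp

    def set(self, name, src, ts, expire):
        self.bits[(name, src)] = ts + expire

    def isset(self, name, src, ts):
        expiry = self.bits.get((name, src))
        return expiry is not None and ts <= expiry


def correlate(logs, threshold_count=5, threshold_seconds=300, xbit_expire=3600):
    """Return (alert, subject, ts) tuples: a brute-force threshold alert sets an xbit,
    and a later successful login from the same source while the xbit is live is flagged."""
    th = Threshold(threshold_count, threshold_seconds)
    xb = XBits()
    alerts = []
    for ts, line in logs:
        m = FAILED.search(line)
        if m:
            src = m.group(2)
            if th.hit(src, ts):
                alerts.append(("SSH brute force", src, ts))
                xb.set("brute_force", src, ts, xbit_expire)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if xb.isset("brute_force", src, ts):
                alerts.append(("SSH success after brute force", f"{user}@{src}", ts))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run as a script it prints the brute-force alert for 203.0.113.7 at second 40 and the success-after-brute-force alert at second 45; the single failure from 198.51.100.9 never reaches the threshold, so its later login is not flagged. The point of the second alert is the one the feature list makes: without the xbit, the successful login is just another "Accepted password" line.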
Changelog v1.2
- “meta_content” size limitation/truncation issue fixed.
- Added new “parse-ip” option to the sagan.yaml. These help control how “parse_src_ip” and “parse_dst_ip” function. New options are “ipv6” (enabled by default) and “ipv4-mapped-ipv6” (disabled by default). This converts IPv4 mapping in IPv6 (for example ffff::192.168.2.1 becomes 192.168.2.1).
- New Bluedot TTL/Host option to prevent overloading DNS servers.
- Better “stripping” of hashes when using the “parse_hash” rule option.
- Fixed issue with “flow.c” when dealing with many flows. Thanks to Michael Riggs!
- A lot of processors/bluedot.c fixes that would result in a segfault under extreme loads.
- Fixed unsigned char[MAXIPBIT] data alignment issues in various places that could cause IP comparisons to fail.
- Removed some left behind “debug” code.
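The parse_src_ip / parse_dst_ip / parse_hash rule options in the feature list and the new “parse-ip” switches in the changelog both come down to pulling addresses and digests out of free-form text and normalizing them. The following Python is an added example of that extraction, not Sagan's code: the log lines are constructed, the `ipv6` and `ipv4_mapped_ipv6` parameters only mimic the names of the sagan.yaml options (treating a converted mapped address as IPv4 even when `ipv6` is off is my assumption, not documented Sagan behaviour), and it does not decide which address is source and which is destination as Sagan's positional parsing does. It generalizes the changelog's single example to any IPv4-mapped IPv6 address and to MD5/SHA1/SHA256 digests surrounded by quotes, `=` or `:`.

```python
import ipaddress
import re

# Constructed sample log lines; not from the original page.
SAMPLE_LINES = [
    "sshd[2201]: Accepted publickey for bob from ::ffff:192.168.2.1 port 41000 ssh2",
    'clamd: file /tmp/x.bin FOUND md5=d41d8cd98f00b204e9800998ecf8427e '
    'sha256:"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"',
    "named[88]: client 2001:db8::5#53: query refused",
]

# Anything that could be a dotted or colon-separated address; validated by ipaddress below,
# so hex digests and other false positives are rejected without a hand-written IPv6 grammar.
CANDIDATE = re.compile(r"[0-9A-Fa-f:.]{7,}")

# Longest alternative first so a SHA256 is never cut down to an MD5-length match.
HASH_RE = re.compile(r"\b([0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})\b")
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_ips(line, ipv6=True, ipv4_mapped_ipv6=False):
    """Return normalized address strings found in `line`.

    ipv6=False drops native IPv6 addresses; ipv4_mapped_ipv6=True rewrites
    ::ffff:a.b.c.d to a.b.c.d (assumed reading of the changelog's parse-ip switches)."""
    found = []
    for token in CANDIDATE.findall(line):
        token = token.rstrip(".:")      # trailing sentence punctuation, e.g. "from 10.0.0.1."
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue                    # hashes, PIDs, version numbers, etc.
        if addr.version == 6:
            mapped = addr.ipv4_mapped   # IPv4Address or None
            if mapped is not None and ipv4_mapped_ipv6:
                addr = mapped
            elif not ipv6:
                continue
        found.append(str(addr))
    return found


def parse_hashes(line):
    """Return (algorithm, lowercase digest) pairs; the \\b anchors strip the quotes,
    '=' and ':' that often wrap a digest in application logs."""
    return [(HASH_NAMES[len(h)], h.lower()) for h in HASH_RE.findall(line)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_ips(line, ipv4_mapped_ipv6=True), parse_hashes(line))
```

Validating candidates with the ipaddress module instead of a large IPv6 regex is the deliberate choice here: the 32- and 64-character hex strings in the second line look address-like to a loose pattern but are rejected by the parser, which is the same false-positive class a log parser has to handle when hashes and addresses share a line.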
Install
git clone https://github.com/beave/sagan
cd sagan
./configure
sudo make
sudo make install
Usage
Author: Champ Clark III (champ@quadrantsec.com)
Source: https://github.com/beave/