
(Sagan version 0.1.7-svn startup screen)
(Sagan version 0.1.7-svn interactive statistics)
(Screenshots of Snorby, BASE and 'Prewikka' (Prelude) with Sagan data can be found here.)
Sagan News:
[04/05/2012] Sagan 0.2.1 released! Release notes are at http://groups.google.com/group/sagan-users/browse_thread/thread/f1f66000cc893634.
[10/11/2011] It appears that Sagan made it in the Gentoo Portage tree! You should be able to "emerge -p sagan sagan-rules". It also appears that you'll be able to get Sagan in Ubuntu 11.10 (i.e. "apt-get install sagan"). At least that's what it looks like!
[08/22/2011] Sagan 0.2.0 released! Release notes are at:
http://quadrantsec.com/about/blog/sagan_version_0_2_0_released/
[04/18/2011] Sagan 0.1.9 released. This fixes some minor compatibility problems with liblognorm & other minor bug fixes.
[04/16/2011] The Sagan mailing lists have migrated to Google Groups. You can find the Sagan user mailing list at http://groups.google.com/group/sagan-users. The Sagan developers mailing list is located at http://groups.google.com/group/sagan-dev. We've also moved the official Sagan IRC channel to irc.freenode.net #sagan. Come join us!
[03/17/2011] Sagan 0.1.8 is released! Now with Unified2 output, Syslog 'sniffing' and liblognorm goodness :) Also, new rules for Sagan have been released! See the Sagan download page and Sagan rules page.
[02/18/2011] I've committed to SVN the source for Sagan to write Snort's Unified2 output format. This opens a lot of doors for Sagan. Sagan can now support natively and via Unified2 MySQL, PostgreSQL, MS-SQL, Oracle, ODBC, Sguil, Prelude, alert_cef, log_ascii, log_tcpdump, and alert_fast. This new functionality is still being tested, and is only available via SVN.
[01/18/2011] We now have the Sagan rules available via SVN. For more information, please see SaganSVN Wiki.
[11/30/2010] Small article on running Sagan on your workstation/laptop/netbook
[11/11/2010] Sagan-0.7.1 released! This release includes many bug fixes and the new Prelude framework output format!
[11/11/2010] Champ Clark's (Da Beave) article, "Building wireless IDS systems using opensource", released!
[10/21/2010] New rule set released. This includes tweaks done to the kismet.rules, the new hostapd.rules and new rsync.rules.
[10/21/2010] I just noticed the Sagan 'online chat' function has been
broken. Sorry about that. It's since been fixed. I typically idle in
the irc.2600.net #sagan channel, which is where the 'Sagan IRC/Chat'
menu option will connect you to. You can also point your favorite IRC
client to irc.2600.net #sagan. Hope to see you there!
[10/07/2010] Sagan can now utilize Syslog-NG or Rsyslog! For more information, please see the Sagan HOWTO. More specifically, the Sagan HOWTO 'Rsyslog Configuration'.
[10/05/2010] Sagan 0.1.6 released. Minor bug fixes. Support added for external program 'drop' and 'alert' rules. For more information, please see our Sagan ChangeLog.
[09/23/2010] Champ Clark (Da Beave) did a presentation for the Northeast Florida ISSA. The video of that presentation is above. I've also made a directory with links to the presentation material. That can be found at:
https://www.quadrantsec.com/papers/Sagan-NFISSA.
[08/22/2010] Sagan rule set update! This is directly related to the Sagan-0.1.5 release! See the ChangeLog for more information!
[08/22/2010] Sagan version 0.1.5 released! Bug fixes and enhancements. Also a change in the way rule sets handle TCP/IP addresses and ports. For more information, please check out the ChangeLog.
[08/22/2010] Good Sagan HOWTO (in Spanish) written by "Muchikon" for Debian "Squeeze". Check it out here!
[07/29/2010] Sagan version 0.1.4 released. This fixed many bugs! Thanks to muchikon in #sagan on irc.2600.net for lots of testing. This release fixed the Snort DB NULL timestamp issues and message alignment problems. For more information see the ChangeLog. This also means the Sagan SVN will move to 0.1.5.
[07/28/2010] Put our SVN (Subversion) server online. This is the repo
where code is actively being developed. For more information, see the
Sagan SVN wiki.
[07/22/2010] New Sagan rule set released. FortiOS [Fortigate, etc] support and more Snort support.
[07/21/2010] Sagan 0.1.3 released. Lots of changes and bugs have been fixed. For more information, see the ChangeLog.
[07/07/2010] Rule set update. Added support for bro-IDS and more Juniper networks gear (thanks Brad Doctor). Added a few additional rules for detecting logins from 'disabled' accounts.
[06/01/2010] Sagan-0.1.2 released. Minor compile fixes. See the ChangeLog for more detailed information.
[06/28/2010] Sagan-0.1.1 released. Fixed minor compile bug.
[06/28/2010] Rule set update released. Added much support for Cisco PIX/ASA gear.