Difference: SaganInstall (13 vs. 14)

Revision 14, 2014-06-25 - ChampClark

Line: 1 to 1
 

Line: 14 to 14
 
  • Writing alerts to a SQL database with Barnyard2.
Sagan is capable of much, much more. However, this document will only cover the above. If you are interested in other Sagan capabilities, see the SaganPrerequisites.
Changed:
<
<

2. Sagan Prerequisites (library requirements, etc).

>
>

2. "Compiling and installing Sagan" - Youtube video.

Much of this document is covered in the "Compiling and installing Sagan video".

3. Sagan Prerequisites (library requirements, etc).

  For this document, we'll need to install three Sagan prerequisites. They are:

  • PCRE - libpcre is used for rules that have regular expressions
  • LibLogNorm - Used to extract useful information from logs.
  • libdnet - This is used for Unified2 output, which is used with Barnyard2 & writing to SQL databases.
Changed:
<
<

2.1 Installing PCRE.

>
>

3.1 Installing PCRE.

  That is PCRE (http://www.pcre.org) (libpcre). With only the PCRE library dependency meant, this will get the Sagan engine up and running with the most basic fuctionality.
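Review bot: the new section 2 refers readers to a YouTube video ("Compiling and installing Sagan") but gives no URL, so the reference cannot be followed; add the link to the heading or to the sentence "Much of this document is covered in the ..." right below it. The unchanged context line that closes this hunk also has "dependency meant" for "dependency met" and "fuctionality" for "functionality".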
Line: 30 to 36
 
Ubuntu apt-get install libpcre3-dev libpcre3
FreeBSD/OpenBSD cd /usr/ports/devel/pcre && make && make install
CentOS / Redhat yum install pcre-devel
Changed:
<
<

2.2 Installing LibLogNorm.

>
>

3.2 Installing LibLogNorm.

  LibLogNorm helps Sagan extract useful information for log messages. Sagan will operate without this library, but it may not always extract important information you may want. I the majority of cases, you probably want LibLogNorm installed.
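Review bot: the 2.2 to 3.2 renumbering is consistent with the inserted section 2, but the trailing context line reads "extract useful information for log messages" and "I the majority of cases"; suggest "from log messages" and "In the majority of cases". The distribution table above the hunk lists package names only; since the next hunk insists on liblognorm 1.0.0 or higher, a note on which distribution versions actually ship that release (or a pointer to the source build) would save readers a failed install.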
Line: 43 to 49
 Note: liblognorm version 1.0.0 is required for Sagan! Make sure your distribution is version 1.0.0 or higher! If it is not, consider building liblognorm from source!

If you distribution doesn't have LibLogNorm, consider building from source. See the LibLogNorm for more information about building from source.

Changed:
<
<

2.3 Installing libdnet.

>
>

3.3 Installing libdnet.

  An optional, but typically desired dependency is the ability to write alerts to a SQL database. This is also required if you want to view Sagan events in consoles link Snorby, Squil, etc. This also lets Sagan correlate log events with your Snort or Suricata. In order to do this, you'll want Sagan to have the ability to write alerts in a Unified2 output format. In order to do this, Sagan requires libdnet (http://libdnet.sf.net).
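Review bot: the 3.3 context paragraph has "consoles link Snorby, Squil" for "consoles like Snorby, Sguil", and "correlate log events with your Snort or Suricata" is missing its object (alerts). More importantly, libdnet is described as "optional, but typically desired", yet this guide's stated goal (unified2 output read by Barnyard2 into SQL) does not work without it; say plainly that for this document the dependency is required so readers do not skip it.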
Line: 56 to 62
  If you require Sagan to other action on alerting (e-mailing, etc), check out the SaganPrerequisites page.

Changed:
<
<

3. Compiling and installing Sagan.

>
>

4. Compiling and installing Sagan.

  We will need to download the Sagan source code. There are two locations of the Sagan source code. The development tree that is located on Github and the stable branch that is located on the main Sagan site (http://sagan.quardrantsec.com). For this document, we'll be building the development branch.
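Review bot: the stable-branch URL in the context line reads sagan.quardrantsec.com, which does not match sagan.quadrantsec.com used in section 7.1 of this same page; fix the spelling so readers fetch the release from the project's actual site rather than a mistyped domain. The paragraph also says the development tree on Github will be built without naming a branch or tag; state which one, or recommend the stable tarball for anything other than a test install.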
Line: 90 to 96
  We are now ready to move on to the Sagan configuration file!

Changed:
<
<

4. The Sagan configuration file (sagan.conf).

>
>

5. The Sagan configuration file (sagan.conf).

  The Sagan configuration file, which by default is located in the /usr/local/etc/sagan.conf, has quite a few options in it. Rather than going over all possible configuration options, we'll be going over the nessesary to accomplish our goal. That is to have Sagan up and running with signatures, writing a unified2 output file for alerts and having Barnyard2 store those alerts into a SQL database. After you have Sagan up and running, you may then want to go back and read about more advanced configuration option. Sagan can do some pretty interesting and nifty things with logs, let's get the basics up and running first.
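Review bot: the two context paragraphs around this renumbering have "the nessesary to accomplish" (the necessary options to accomplish), "configuration option" (options), "There likely other options" (There are likely) and "benifit" (benefit). Since the sentence promises only the options needed for the stated goal, it would help to list that minimum set by name (rule files, FIFO input, unified2 output) so readers can check their /usr/local/etc/sagan.conf against it.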
Line: 127 to 133
  Well, this will get the basic setup running. Once you have Sagan up and running, go back and review the other options in the Sagan configuration. There likely other options that you can benifit from. However, for the basic setup, this should get you up and running.
Changed:
<
<

5. Downloading and using Sagan rules.

>
>

6. Downloading and using Sagan rules.

  You'll not need rules to tell Sagan "what" to trigger on. There are two branches of rules. The stable branch and the development branch. For this document, we'll be using the development branch.
cd /usr/local/etc
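Review bot: "You'll not need rules" in the context line inverts the meaning; it should read "You'll now need rules". The hunk also ends with a bare "cd /usr/local/etc" separated from the git/wget step that follows in the next hunk; keep the command sequence together in one block so the directory the rules land in is unambiguous.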
Line: 138 to 144
 
Note: if you don't have "git" installed, you can download the source with wget. Type "wget https://github.com/beave/sagan-rules/archive/master.zip"
Changed:
<
<

6. Configuring the syslog-ng/rsyslog daemon.

6.1 Basic Syslog-ng configuration.

>
>

7. Configuring the syslog-ng/rsyslog daemon.

7.1 Basic Syslog-ng configuration.

  http://sagan.quadrantsec.com/syslog-ng.conf.txt
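Review bot: section 7.1 consists of nothing but the link http://sagan.quadrantsec.com/syslog-ng.conf.txt; inline the relevant source/destination/log stanzas, or at least describe what the file configures, so the page stays usable if the link breaks. In the note above it, the wget fallback fetches sagan-rules master.zip; since these rules decide what Sagan alerts on, suggest pointing readers at a tagged release or checksum if the project publishes one, rather than an unversioned master archive.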
Line: 155 to 161
 
Changed:
<
<

6.2 Basic "rsyslog" configuration.

>
>

7.2 Basic "rsyslog" configuration.

 

Line: 167 to 173
 . |/var/run/sagan.fifo;sagan
Changed:
<
<

6.3 FIFO and testing

>
>

7.3 FIFO and testing

 

Once your syslog daemon has been configured, you'll need to create a FIFO for it to write to. To do this, issue the following commands as "root":
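Review bot: the rsyslog context line ". |/var/run/sagan.fifo;sagan" is truncated at the selector; show the full selector (for example "*.*") and the $template definition that the ";sagan" suffix refers to, otherwise the rsyslog configuration cannot be reproduced from this page. The FIFO paragraph says "issue the following commands as root" but the commands themselves are not in this diff; when they are added, give /var/run/sagan.fifo an explicit owner and mode (writable by the syslog daemon, readable by the Sagan user, nothing for others), because any local account that can write to the FIFO can feed fabricated log lines into Sagan, and any account that can read it can drain events before Sagan sees them.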

Line: 176 to 182
  Now restart your syslog daemon. Once it has been restarted, you can test it by type "cat /var/run/sagan.fifo". If you see events coming in, then your syslog daemon is correctly setup and you're ready to move on to the next step! If you don't receive any logs via the FIFO, then you'll need to correct this before moving on to the next step. The FIFO is used for Sagan to receive logs in real time. Without it, Sagan will not be able to receive logs!
Changed:
<
<

7. Unified2 for database output.

>
>

8. Unified2 for database output.

  If you want to log Sagan information to a SQL database, you'll need Barnyard2. Barnyard2 is a "dedicated spooler" unified2 binary output format. Sagan writes alerts to the unified2 file, just like Snort does. In order for these alerts to make there way into the SQL database, you'll need to use Barnyard2 to read in this file and write them to the database. The first step is to install Barnyard2:
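Review bot: the "cat /var/run/sagan.fifo" test needs a caveat: reading the FIFO with cat consumes the events, so it should only be run while Sagan is not also reading it, otherwise the two readers split the stream and both see gaps. In the Barnyard2 paragraph, "Barnyard2 is a "dedicated spooler" unified2 binary output format" should read "a dedicated spooler for the unified2 binary output format", and "make there way" should be "make their way".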
Line: 208 to 214
  To run "barnyard2" in the background, simply append the "-D" switch.
Changed:
<
<
-- ChampClark - 2014-01-27
>
>
-- ChampClark - 2014-06-25
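Review bot: the -D hint tells readers to daemonize barnyard2 but not which account it should run under; since it reads the unified2 spool and writes into the SQL database, suggest documenting that it run as a dedicated unprivileged user rather than root, and that its configuration file, which carries the database connection settings, is not world-readable. The signature date update itself is fine.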
 