Difference: SaganTODO (8 vs. 9)

Revision 92012-03-23 - ChampClark

Line: 1 to 1

META TOPICPARENT	name="WebHome"

Sagan "TODO" list....

Changed:

<
<

Snortsam support - Support Snortsam

. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information.

>
>

Perfmon support - Which could be good for generating pretty pictures smile

Report non-reporting devices - Processors that sends an "alert" when it "sees" a device stop reporting for X amount of time.

More than average - Processor that alerts when an abnormal amount of alerts are being reported.

Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information. In version 0.2.1

$EXTERNAL_NET/$HOME_NET support - Maybe (?). Not sure if it'd be useful.

Line: 12 to 19

Support Snort's Unified2 output - Support for Snort's 'Unified2' output format. This would allow programs like Barnyard2 to read/queue events which could then be fed to a database, other output formats, Sguil, etc. [Completed as of version 0.1.8]

Changed:

<
<

Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Completed as of Sagan version 0.1.1 (?) ]

>
>

Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Completed as of version 0.1.7] (Has 'limit', but no 'threshold')

View topic | History: r10 < r9 < r8 < r7 | More topic actions...