Difference: SaganTODO (1 vs. 10)

Revision 10 2012-12-27 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....

Perfmon support - Which could be good for generating pretty pictures smile

Changed:
< Report non-reporting devices - Processors that sends an "alert" when it "sees" a device stop reporting for X amount of time.
> Report non-reporting devices - Processors that sends an "alert" when it "sees" a device stop reporting for X amount of time . Done with "processor" support.
  More than average - Processor that alerts when an abnormal amount of alerts are being reported.
Line: 17 to 16
  Statistical analysis of events - Many interesting things can be detected by statistical analysis.
Changed:
< Support Snort's Unified2 output - Support for Snort's 'Unified2' output format. This would allow programs like Barnyard2 to read/queue events which could then be fed to a database, other output formats, Sguil, etc. [Completed as of version 0.1.8]
> Support Snort's Unified2 output - Support for Snort's 'Unified2' output format. This would allow programs like Barnyard2 to read/queue events which could then be fed to a database, other output formats, Sguil, etc. [Completed as of version 0.1.8]
 
Changed:
< Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Completed as of Sagan version 0.1.1 (?) ] - Update: Support Dropped in version 0.1.9.
> Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Completed as of Sagan version 0.1.1 (?) ] - Update: Support Dropped in version 0.1.9.
 
Changed:
< Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Completed as of version 0.1.7] (Has 'limit', but no 'threshold')
> Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Completed as of version 0.1.7] (Has 'limit', but no 'threshold')
 
Changed:
< Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments. [Completed as of version 0.1.8]
> Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments. [Completed as of version 0.1.8]
 
Changed:
< Mulitple configuration files - For example, a command line --config flag [Completed as of version 0.1.5(?)] Thread search - thread the pcre/content stuff to better use multiple CPUs
> Mulitple configuration files - For example, a command line --config flag [Completed as of version 0.1.5(?)] Thread search - thread the pcre/content stuff to better use multiple CPUs
 
Changed:
< PIX/ASA parser - to extract PIX/ASA IP/Port information [Not needed. Covered by liblognorm support as of version 0.1.8]
> PIX/ASA parser - to extract PIX/ASA IP/Port information [Not needed. Covered by liblognorm support as of version 0.1.8]
 
Changed:
< *Sguil agent - [Probably not needed. Covered by Unified2 output format as of version 0.1.8]
> Sguil agent - *[Probably not needed. Covered by Unified2 output format as of version 0.1.8]
 
Changed:
< *Prelude Framework support [Competed as of version 0.1.7]
> Prelude Framework support *[Competed as of version 0.1.7]
  -- ChampClark - 2010-06-23
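Two of the items in the list above lend themselves to a worked example: thresholding, where the note "Has 'limit', but no 'threshold'" points at the two different suppression semantics, and reporting devices that stop sending. The code below is added illustration, not Sagan's own code. It assumes Snort-style threshold semantics keyed by (sid, reporting host) over a fixed window that starts at the first matching event, covers the 'limit' and 'threshold' types the list names and, going one step further, Snort's 'both' type, and runs over a constructed event stream rather than real syslog traffic.

```python
from collections import defaultdict


class Threshold:
    """Fixed-window event counter keyed by (sid, host), with Snort's three
    threshold semantics (assumed here; the TODO list only names two):
      limit     - alert on the first `count` events per window, suppress the rest
      threshold - alert on every `count`-th event within the window
      both      - alert once per window, when the count reaches `count`
    The window starts at the first event for a key and is reset once
    `seconds` have elapsed.
    """

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %r" % kind)
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # key -> (window_start, events_in_window)

    def should_alert(self, key, now):
        start, n = self.state.get(key, (now, 0))
        if now - start >= self.seconds:  # window expired: start a fresh one
            start, n = now, 0
        n += 1
        self.state[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n == self.count


class HeartbeatMonitor:
    """Tracks when each device last reported; anything silent for
    `max_silence` seconds or more is reported as a non-reporting device."""

    def __init__(self, max_silence):
        self.max_silence = max_silence
        self.last_seen = {}

    def observe(self, host, now):
        self.last_seen[host] = now

    def silent_hosts(self, now):
        return sorted(h for h, t in self.last_seen.items()
                      if now - t >= self.max_silence)


# Constructed sample stream: (epoch seconds, reporting host, rule sid).
# fw1 bursts six identical events in six seconds, sends one more a minute
# later and then goes quiet; fw2 and fw3 report only a few times.
EVENTS = [
    (0, "fw1", 5000001), (1, "fw1", 5000001), (2, "fw1", 5000001),
    (3, "fw1", 5000001), (4, "fw1", 5000001), (5, "fw1", 5000001),
    (70, "fw1", 5000001),
    (75, "fw2", 5000001), (80, "fw2", 5000001),
    (150, "fw3", 5000002),
]


def run_demo(events=EVENTS, check_at=200):
    """Feed the stream through one tracker per threshold type plus the
    heartbeat monitor; return how many alerts each type produced and which
    devices are silent at `check_at`."""
    trackers = {
        "limit": Threshold("limit", 2, 60),          # at most 2 alerts per 60 s
        "threshold": Threshold("threshold", 3, 60),  # every 3rd event per 60 s
        "both": Threshold("both", 3, 60),            # once per 60 s, after 3 events
    }
    fired = defaultdict(int)
    heartbeat = HeartbeatMonitor(max_silence=120)
    for ts, host, sid in events:
        heartbeat.observe(host, ts)
        for kind, tracker in trackers.items():
            if tracker.should_alert((sid, host), ts):
                fired[kind] += 1
    return {
        "limit": fired["limit"],
        "threshold": fired["threshold"],
        "both": fired["both"],
        "silent": heartbeat.silent_hosts(check_at),
    }


if __name__ == "__main__":
    print(run_demo())
```

On the constructed stream, 'limit' lets the first two events of the fw1 burst through and suppresses the other four, 'threshold' fires on the third and sixth, and 'both' fires exactly once; the heartbeat check at t=200 flags fw1 and fw2, which have been silent for two minutes or more, and not fw3. One caveat of the fixed-window approach: a burst straddling the boundary between two windows can produce up to twice `count` alerts in well under `seconds`, so a sliding window is the usual refinement when that matters.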

Revision 9 2012-03-23 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....
Changed:
< Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information.
> Perfmon support - Which could be good for generating pretty pictures smile
>
> Report non-reporting devices - Processors that sends an "alert" when it "sees" a device stop reporting for X amount of time.
>
> More than average - Processor that alerts when an abnormal amount of alerts are being reported.
>
> Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information. In version 0.2.1

  $EXTERNAL_NET/$HOME_NET support - Maybe (?). Not sure if it'd be useful.
Line: 12 to 19
  Support Snort's Unified2 output - Support for Snort's 'Unified2' output format. This would allow programs like Barnyard2 to read/queue events which could then be fed to a database, other output formats, Sguil, etc. [Completed as of version 0.1.8]
Changed:
< Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Completed as of Sagan version 0.1.1 (?) ]
> Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Completed as of Sagan version 0.1.1 (?) ] - Update: Support Dropped in version 0.1.9.
  Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Completed as of version 0.1.7] (Has 'limit', but no 'threshold')

Revision 8 2011-02-24 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....
Changed:
< Support Snort's Unified2 output - I don't see much point in supporting Unified (v1) output. Doing this will make Sagan compatible with Barnyard2 and the likes.
> Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information.
 
Changed:
< Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Added April 23rd, 2010]
> $EXTERNAL_NET/$HOME_NET support - Maybe (?). Not sure if it'd be useful.
 
Changed:
< Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information.
> More statistics via sagan-stats.c - For example, top IP addresses reporting, etc.
 
Changed:
< Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Added April 20th, 2010] (Has 'limit', but no 'threshold')
> Statistical analysis of events - Many interesting things can be detected by statistical analysis.
 
Changed:
< $EXTERNAL_NET/$HOME_NET support - Possibly other variables to further identify where the traffic is coming from and what to do with it.
> Support Snort's Unified2 output - Support for Snort's 'Unified2' output format. This would allow programs like Barnyard2 to read/queue events which could then be fed to a database, other output formats, Sguil, etc. [Completed as of version 0.1.8]
 
Changed:
< Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink). - Added to Sagan 0.1.8
> Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Completed as of Sagan version 0.1.1 (?) ]
 
Changed:
< Need snmptrapd rules - "snmptrapd" write out to syslog. Need rules.
> Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Completed as of version 0.1.7] (Has 'limit', but no 'threshold')
 
Changed:
< --config to use multiple configuration files - Brought up by Brad Doctor on #sagan. Or, make the engine spawn new processing theads per-event?
> Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments. [Completed as of version 0.1.8]
 
Added:
> Mulitple configuration files - For example, a command line --config flag [Completed as of version 0.1.5(?)]
 Thread search - thread the pcre/content stuff to better use multiple CPUs
Changed:
< Stats - Periodic stats dumped to the /var/log/sagan/sagan.log. Top IP's, SIDs, etc.
> PIX/ASA parser - to extract PIX/ASA IP/Port information [Not needed. Covered by liblognorm support as of version 0.1.8]
 
Changed:
< PIX/ASA parser - to extract PIX/ASA IP/Port information - Being done in 0.1.8 via liblognorm.
> *Sguil agent - [Probably not needed. Covered by Unified2 output format as of version 0.1.8]
 
Changed:
< Sguid agent ... Could be cool?
> *Prelude Framework support [Competed as of version 0.1.7]
  -- ChampClark - 2010-06-23

Revision 7 2011-02-11 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....
Line: 12 to 12
  $EXTERNAL_NET/$HOME_NET support - Possibly other variables to further identify where the traffic is coming from and what to do with it.
Changed:
< Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink).
> Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink). - Added to Sagan 0.1.8
  Need snmptrapd rules - "snmptrapd" write out to syslog. Need rules.
Line: 22 to 22
  Stats - Periodic stats dumped to the /var/log/sagan/sagan.log. Top IP's, SIDs, etc.
Changed:
< PIX/ASA parser - to extract PIX/ASA IP/Port information
> PIX/ASA parser - to extract PIX/ASA IP/Port information - Being done in 0.1.8 via liblognorm.
  Sguid agent ... Could be cool?

Revision 6 2010-08-23 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....
Line: 18 to 18
  --config to use multiple configuration files - Brought up by Brad Doctor on #sagan. Or, make the engine spawn new processing theads per-event?
Deleted:
< BUG: Nulling out of syslog_msg. Hit's really bad on high message env.
 Thread search - thread the pcre/content stuff to better use multiple CPUs

Stats - Periodic stats dumped to the /var/log/sagan/sagan.log. Top IP's, SIDs, etc.

PIX/ASA parser - to extract PIX/ASA IP/Port information

Added:
> Sguid agent ... Could be cool?
 -- ChampClark - 2010-06-23

Revision 5 2010-07-02 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....
Line: 12 to 12
  $EXTERNAL_NET/$HOME_NET support - Possibly other variables to further identify where the traffic is coming from and what to do with it.
Changed:
< Syslog/UDP reply add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink).
> Syslog/UDP replay add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink).
  Need snmptrapd rules - "snmptrapd" write out to syslog. Need rules.
Line: 20 to 20
  BUG: Nulling out of syslog_msg. Hit's really bad on high message env.
Changed:
< Thread search - thread the pcre/content stuff to better use multiple CPUs
> Thread search - thread the pcre/content stuff to better use multiple CPUs
>
> Stats - Periodic stats dumped to the /var/log/sagan/sagan.log. Top IP's, SIDs, etc.
>
> PIX/ASA parser - to extract PIX/ASA IP/Port information

  -- ChampClark - 2010-06-23

Revision 4 2010-07-02 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....
Line: 18 to 18
  --config to use multiple configuration files - Brought up by Brad Doctor on #sagan. Or, make the engine spawn new processing theads per-event?
Added:
> BUG: Nulling out of syslog_msg. Hit's really bad on high message env.
>
> Thread search - thread the pcre/content stuff to better use multiple CPUs

 -- ChampClark - 2010-06-23

Revision 3 2010-07-01 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Sagan "TODO" list....
Line: 16 to 16
  Need snmptrapd rules - "snmptrapd" write out to syslog. Need rules.
Added:
> --config to use multiple configuration files - Brought up by Brad Doctor on #sagan. Or, make the engine spawn new processing theads per-event?
 -- ChampClark - 2010-06-23

Revision 2 2010-06-24 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Changed:
< Sagan "TODO" list as of May, 11th 2010
> Sagan "TODO" list....
  Support Snort's Unified2 output - I don't see much point in supporting Unified (v1) output. Doing this will make Sagan compatible with Barnyard2 and the likes.
Line: 14 to 14
  Syslog/UDP reply add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink).
Added:
> Need snmptrapd rules - "snmptrapd" write out to syslog. Need rules.
 -- ChampClark - 2010-06-23

Revision 1 2010-06-23 - ChampClark

Line: 1 to 1
Added:
> META TOPICPARENT name="WebHome"
> Sagan "TODO" list as of May, 11th 2010
>
> Support Snort's Unified2 output - I don't see much point in supporting Unified (v1) output. Doing this will make Sagan compatible with Barnyard2 and the likes.
>
> Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Added April 23rd, 2010]
>
> Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off. Of course, this would only to be used with rule sets you know will give you valid source information.
>
> Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooding with the same information over and over again! [Added April 20th, 2010] (Has 'limit', but no 'threshold')
>
> $EXTERNAL_NET/$HOME_NET support - Possibly other variables to further identify where the traffic is coming from and what to do with it.
>
> Syslog/UDP reply add on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and reply it to another Syslog server. Such a program is useful in pre-setup syslog environments.(Idea credited to Bruce Wink).
>
> -- ChampClark - 2010-06-23
