- [New rule option] - "alert_time"
- Allows a rule to alert only during specified days and hours. Example rule syntax is:
alert_time: days 0123456, hours 0800-1400;
"days" is a list of digits 0-6 (0 = Sunday, 1 = Monday, and so on); "hours" is a start-end range in 24-hour clock format (HHMM). For more information on the usage of "alert_time", see: https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#alert_time_days_days_hours_hours
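The following is an added example, not code from Sagan itself (which is written in C): a small Python model of the "alert_time" option that parses the syntax above and decides whether a given timestamp falls inside the window. It assumes the event is matched against the time Sagan sees it, that both ends of the hours range are inclusive, and that a range such as 2200-0600 wraps past midnight; none of these details are stated on the page. Note the day-numbering mismatch with Python (Sagan: 0 = Sunday; Python's weekday(): 0 = Monday), which is an easy source of off-by-one bugs when reimplementing the check.

```python
"""Added example: parse a Sagan "alert_time" rule option and evaluate it.

Assumptions (not stated on the page): the rule is matched against the time
Sagan sees the event, both ends of the hours range are inclusive, and a range
such as 2200-0600 wraps past midnight.  Illustrative Python only; Sagan's own
implementation is in C.
"""
import re
from datetime import datetime
from typing import Set, Tuple

# Sagan numbers days with 0 = Sunday; Python's weekday() uses 0 = Monday.
def sagan_day(ts: datetime) -> int:
    """Convert a datetime to Sagan's day-of-week numbering (0 = Sunday)."""
    return (ts.weekday() + 1) % 7

_OPT_RE = re.compile(
    r"^\s*alert_time\s*:\s*days\s+([0-6]+)\s*,\s*hours\s+(\d{4})-(\d{4})\s*;\s*$"
)

def _hhmm_to_minutes(hhmm: str) -> int:
    """'0800' -> 480; rejects values that are not valid 24-hour times."""
    hh, mm = int(hhmm[:2]), int(hhmm[2:])
    if hh > 23 or mm > 59:
        raise ValueError("invalid 24-hour time: %s" % hhmm)
    return hh * 60 + mm

def parse_alert_time(option: str) -> Tuple[Set[int], int, int]:
    """Parse 'alert_time: days 0123456, hours 0800-1400;' into
    (allowed days, start as minutes past midnight, end as minutes)."""
    m = _OPT_RE.match(option)
    if not m:
        raise ValueError("malformed alert_time option: %r" % option)
    days = {int(d) for d in m.group(1)}
    return days, _hhmm_to_minutes(m.group(2)), _hhmm_to_minutes(m.group(3))

def in_alert_window(option: str, ts: datetime) -> bool:
    """True when ts falls on an allowed day and inside the hours range."""
    days, start, end = parse_alert_time(option)
    if sagan_day(ts) not in days:
        return False
    now = ts.hour * 60 + ts.minute
    if start <= end:
        return start <= now <= end
    # Assumption: a range whose end is before its start wraps past midnight.
    return now >= start or now <= end

if __name__ == "__main__":
    rule = "alert_time: days 12345, hours 0800-1400;"
    print(rule, "Mon 10:00 ->", in_alert_window(rule, datetime(2024, 1, 8, 10, 0)))
    print(rule, "Sun 10:00 ->", in_alert_window(rule, datetime(2024, 1, 7, 10, 0)))
```

The regex deliberately rejects digits outside 0-6 in "days" and anything but a four-digit HHMM pair in "hours", so a mistyped option fails at load time rather than silently never (or always) matching.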
- [New sagan.conf option] - "email_subject"
- Allows a user-defined Subject line to be prepended to alert e-mails. Set the "email_subject" option in your sagan.conf.
- [New sagan.conf variable] "WINDOWS_DOMAINS"
- Allows you to define the Microsoft Windows domains in use within your network. The variable is then available to rules as $WINDOWS_DOMAINS. An example of $WINDOWS_DOMAINS in use is the "Pass-the-hash" detection rule; see rule https://wiki.quadrantsec.com/twiki/bin/view/Main/5002017 for example usage.
- [Processor Improvement - processor/sagan-track-clients.c] "client tracker"
- The Sagan "client tracker" keeps track of the systems that report to Sagan. Sagan can then alert when a system stops sending logs, and alert again when a system that had previously stopped sending logs resumes. Prior versions only tracked clients in memory at run time, so this knowledge was lost on restart. The client tracker now keeps a "cache" of known clients that is saved at Sagan termination and reloaded at startup. The configuration format of the client tracker has also changed. An example of the new format is:
processor sagan-track-clients: client_timeout=360 host_cache=/var/run/sagan/sagan.cache
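The following is an added example, not Sagan's own code: a minimal Python model of the client tracker behaviour described above. It records the last time each reporting host was seen, alerts once when a host has been silent longer than client_timeout, alerts again when that host resumes, and saves/reloads its state through a cache file so that a host that went quiet before a restart is still recognised as "returning" afterwards. The log events, host names and JSON cache layout are constructed for this example (Sagan's real cache format is not shown on the page), and client_timeout is assumed to be in seconds.

```python
"""Added example: a model of Sagan's "client tracker" with a reloadable cache.

Constructed for illustration; not Sagan's code.  Assumptions: client_timeout
is in seconds, and the cache is a JSON file (Sagan's real format is not
described on the page).
"""
import json
import os
import tempfile
from typing import Dict, List, Tuple

class ClientTracker:
    def __init__(self, client_timeout: int, host_cache: str) -> None:
        self.client_timeout = client_timeout      # seconds (assumption)
        self.host_cache = host_cache
        self.last_seen: Dict[str, float] = {}     # host -> epoch of last log
        self.silent: Dict[str, bool] = {}         # host -> currently quiet?
        self._load()                              # reload state from a prior run

    def _load(self) -> None:
        """Reload the cache written by a previous Sagan run, if present."""
        if os.path.exists(self.host_cache):
            with open(self.host_cache) as fh:
                state = json.load(fh)
            self.last_seen = state.get("last_seen", {})
            self.silent = state.get("silent", {})

    def save(self) -> None:
        """Persist state at shutdown so known clients survive a restart."""
        with open(self.host_cache, "w") as fh:
            json.dump({"last_seen": self.last_seen, "silent": self.silent}, fh)

    def observe(self, host: str, now: float) -> List[str]:
        """Called per log line; returns an alert if a quiet host came back."""
        alerts = []
        if self.silent.get(host):
            gap = int(now - self.last_seen[host])
            alerts.append("%s resumed sending logs after %ds of silence" % (host, gap))
            self.silent[host] = False
        self.last_seen[host] = now
        return alerts

    def check(self, now: float) -> List[str]:
        """Periodic sweep; alerts once per host when it exceeds the timeout."""
        alerts = []
        for host, seen in self.last_seen.items():
            if not self.silent.get(host) and now - seen > self.client_timeout:
                self.silent[host] = True
                alerts.append("%s stopped sending logs (%ds since last log)"
                              % (host, int(now - seen)))
        return alerts

# Constructed sample stream: (epoch seconds, reporting host).  In Sagan the
# host would come from the syslog header of each received line.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (0, "web01"), (0, "db01"), (100, "web01"), (200, "web01"),
    (800, "db01"),   # db01 returns after being quiet for more than 360 s
]

def run_demo(client_timeout: int = 360) -> List[str]:
    """Exercise timeout, shutdown/reload and resume; returns alerts in order."""
    cache = os.path.join(tempfile.mkdtemp(), "sagan.cache")
    alerts: List[str] = []
    tracker = ClientTracker(client_timeout, cache)
    for ts, host in SAMPLE_EVENTS[:4]:
        alerts += tracker.observe(host, ts)
    alerts += tracker.check(now=500)       # db01 last seen at 0 -> quiet
    tracker.save()                         # Sagan shuts down here
    tracker = ClientTracker(client_timeout, cache)   # restart reloads cache
    ts, host = SAMPLE_EVENTS[4]
    alerts += tracker.observe(host, ts)    # db01 resumes -> second alert
    alerts += tracker.check(now=800)       # web01 last seen at 200 -> quiet
    return alerts

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Without the cache file the restarted tracker would start empty, see db01 as a brand-new client and never raise the "resumed" alert; that lost context is exactly what the host_cache option in the new configuration format preserves.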
- [Bug fix - output-plugins/sagan-snortsam.c] - Due to code changes, Snortsam no longer functioned properly, because rulestruct[Event->found].fwsam_src_or_dst was not being set in sagan-output.c. Snortsam now functions as it should.
- GeoIP lookup
- Allows Sagan to perform analysis based on the geographic location of the source or destination address of a log.
- Various bug fixes.