Welcome To The Sagan Wiki:
What is Sagan:
"Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that runs under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2."
Sagan Wiki Pages:
Sagan: How to install
- Step by step instructions on how to install and configure Sagan.
Sagan Rule Reference
- Reference to Sagan rule options.
Sagan with Netflow Data
- Using Sagan with Netflow data.
http://en.wikipedia.org/wiki/Sagan_(software) - Sagan Wikipedia page.
Sagan Related Blog/Links/Postings:
- Sagan flowbits.
- Using Sagan with Bro Intelligence feeds.
- Sagan output to other SIEMs.
- Detecting the adversary with Sagan and GeoIP.
- What the Sagan log analysis engine is... and what it is not.
- Log, Log, Log Everything Remotely.
- Analyzing Bro Logs with Sagan.
- Syslog monitoring (for PowerShell shells) using Sagan/Bro.
- Detecting, and the problems detecting, MS Windows "Pass The Hash" attacks.
- How Sagan uses the Websense Threatseeker network to detect network anomalies through log analysis.
- "Sagan as a Log Normalizer" (Nov 16th, 2013)
- Sagan with the ELSA console (Jan, 2013)
- Champ Clark's guest posting on Rainer's (the author of rsyslog) blog about Sagan and log analysis.
- Installing Sagan on CentOS 5/6 (Linux) for log monitoring.
- Article written by Champ Clark about using Kismet, Snort and Sagan to build a wireless IDS monitoring device.
- Linux Pro Magazine article that discusses using Sagan for log monitoring.
- Sagan was one of the "top security tools" & won a "Bossie Award" from Infoworld.com.
- HOWTO build Sagan on FreeBSD
Sagan related videos from conferences, user group meetings, etc.
- Champ Clark talks about Sagan on "Pauldotcom Security weekly" - December, 12th, 2013.
- "Taking a bite out of logs with Sagan"
- HOPE (Hackers on Planet Earth) #9, July 2012.
- "The Sagan Log Analysis Engine"
- At the Jacksonville Linux user group meeting. November, 17th 2012.
- "Sagan (Log Correlation In Snort Like Way)"
- North Florida ISSA meeting. Sept. 18th, 2010 (information covered in this video is a bit outdated).
External (Non-Wiki) Pages:
Sagan main web site
- The main Sagan website.
Sagan source code download directory
- Sagan "stable" source code.
Sagan "development" source code
- Sagan development branch.
Sagan rule sets directory
- "Stable" Sagan rules.
Sagan "development" rules
- Sagan rules under development.
Sagan bugs & issues tracker
- Submit & track bugs.
- "Securing your Mikrotik Network" by Andrew Thrift (Presentation)
- "Defending the Homeland: Logging and Monitoring at home" by @nullthreat
- IPSS.ca "Course objectives"
- "Centralized and structured log file analysis with Open Source and Free Software tools" Bachelor Thesis by Jens Kühnel.
Older/Outdated Sagan Pages:
Sagan Rule Tips
- First ISC/SANS post on Sagan [OLD]