Welcome To The Sagan Wiki:
What is Sagan:
"Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that runs under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2."
Sagan Wiki Pages:
Sagan; How to install - Step by step instructions on "howto" install and configure Sagan.
Sagan Rule Reference - Reference to Sagan rule options.
Sagan with Netflow Data - Using Sagan with Netflow data.
http://en.wikipedia.org/wiki/Sagan_(software)
- Sagan Wikipedia page.
Sagan Related Blog/Links/Postings:
https://quadrantsec.com/about/blog/sagan_flowbit/
- Sagan flowbits.
https://quadrantsec.com/about/blog/using_sagan_with_bro_intelligence_feeds/
- Using Sagan with Bro Intelligence feeds.
https://quadrantsec.com/about/blog/sagan_output_to_other_siems/
- Sagan output to other SIEMs.
https://quadrantsec.com/about/blog/detecting_adversary_with_sagan_geoip/
- Detecting the adversary with Sagan and GeoIP.
https://quadrantsec.com/about/blog/what_the_sagan_log_analysis_engine_is...and_what_it_is_not/
- What the Sagan log analysis engine is... and what it is not.
http://handlers.sans.org/gbruneau/papers/Guy_Bruneau_BSides_Ottawa_2014.pdf
- Log, Log, Log Everything Remotely.
http://blog.bro.org/2015/09/analyzing-bro-logs-with-sagan.html
- Analyzing Bro Logs with Sagan.
https://www.fox-it.com/nl/vacancies/protact-syslog-monitoring-powershell-shells-using-saganbro/
- ProtACT: Syslog monitoring (for PowerShell shells) using Sagan/Bro.
https://quadrantsec.com/about/blog/detecting_pass_the_hash_attacks_with_sagan_in_real_time/
- Detecting MS Windows "Pass The Hash" attacks, and the problems with detecting them.
https://quadrantsec.com/about/blog/sagan_log_analysis_with_websense_threatseeker_integration/
- How Sagan uses the Websense Threatseeker network to detect network anomalies through log analysis.
https://isc.sans.edu/forums/diary/Sagan+as+a+Log+Normalizer/17039
- "Sagan as a Log Normalizer" (Nov 16th, 2013)
http://infosecmatters.blogspot.com/2013/01/elsa-with-sagan.html
- Sagan with the ELSA console (Jan, 2013)
http://blog.gerhards.net/2010/10/sagan-and-rsyslog-guest-posting.html
- Champ Clark's guest posting on Rainer's (author of rsyslog) blog about Sagan and log analysis.
http://linuxdrops.com/installing-sagan-ids-on-centos-5-or-6-monitor-your-logs/
- Installing Sagan on CentOS 5/6 (Linux) for log monitoring.
http://sagan.quadrantsec.com/papers/wireless-ids/
- Article written by Champ Clark about using Kismet, Snort and Sagan to build a wireless IDS monitoring device.
http://www.linux-magazine.com/w3/issue/129/072-073_kurt.pdf
- Linux Pro Magazine article that discusses using Sagan for log monitoring.
http://www.infoworld.com/slideshow/65285/bossie-awards-2012-the-best-open-source-networking-and-security-software-202548#slide17
- Sagan was one of the "top security tools" & won a "Bossie Award" from Infoworld.com.
https://github.com/shadowbq/sagan-extras/blob/master/sagan_freebsd.howto.md
- HOWTO build Sagan on FreeBSD.
Sagan related videos from conferences, user group meetings, etc.
http://traffic.libsyn.com/pauldotcom/PaulDotCom-356-Part1.mp3
- Champ Clark talks about Sagan on "Pauldotcom Security Weekly" - December 12th, 2013.
http://www.youtube.com/watch?v=pMlAmteCjQo
- "Taking a bite out of logs with Sagan". HOPE (Hackers on Planet Earth) #9, July 2012.
http://www.youtube.com/watch?v=rySjNnEpjbI
- "The Sagan Log Analysis Engine" - At the Jacksonville Linux user group meeting. November 17th, 2012.
http://www.securitytube.net/video/1206
- "Sagan (Log Correlation In Snort Like Way)" - North Florida ISSA meeting. Sept. 18th, 2010 (the information covered in this video is a bit outdated).
External (Non-Wiki) Pages:
Sagan main web site
- The main Sagan website.
Sagan source code download directory
- Sagan "stable" source code.
Sagan "development" source code
- Sagan development branch.
Sagan rule sets directory
- "Stable" Sagan rules.
Sagan "development" rules
- Sagan rules under development.
Sagan bugs & issues tracker
- Submit & track bugs.
Presentations/PDFs
http://sagan.io/pdf/2_andrew.pdf
- "Securing your Mikrotik Network" by Andrew Thrift (Presentation)
http://sagan.io/pdf/BlackLodgeNSMOverview-Nullthreat.pdf
- "Defending the Homeland: Logging and Monitoring at home" by @nullthreat. (Presentation)
http://sagan.io/pdf/Network-Intrusion-Analyst-Hands-On-2014-DOCUMENT-full.pdf
- IPSS.ca "Course objectives"
http://sagan.io/pdf/bachelor.pdf
- "Centralized and structured log file analysis with Open Source and Free Software tools" Bachelor Thesis by Jens Kühnel.
Older/Outdated Sagan Pages:
Sagan Rule Tips
Sagan HOWTO
https://isc.sans.edu/forums/diary/SAGAN+An+open-source+event+correlation+system+-+Part+1+Installation/9184
- First ISC/SANS post on Sagan [OLD]