Welcome To The Sagan Wiki:

What is Sagan:

"Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2."

Sagan Wiki Pages:

Sagan; How to install - Step by step instructions on "howto" install and configure Sagan.

Sagan Rule Reference - Reference to Sagan rule options.

Sagan with Netflow Data - Using Sagan with Netflow data.

http://en.wikipedia.org/wiki/Sagan_(software) - Sagan Wikipedia page.

Sagan Related Blog/Links/Postings:

https://quadrantsec.com/about/blog/sagan_flowbit/ - Sagan flowbits.

https://quadrantsec.com/about/blog/using_sagan_with_bro_intelligence_feeds/ - Using Sagan with Bro Intelligence feeds.

https://quadrantsec.com/about/blog/sagan_output_to_other_siems/ - Sagan output to other SIEMs.

https://quadrantsec.com/about/blog/detecting_adversary_with_sagan_geoip/ - Detecting the advesary with Sagan and GeoIP.

https://quadrantsec.com/about/blog/what_the_sagan_log_analysis_engine_is...and_what_it_is_not/ - What the Sagan log analysis engine is.. and what it is not.

http://handlers.sans.org/gbruneau/papers/Guy_Bruneau_BSides_Ottawa_2014.pdf - Log, Log, Log Everything Remotely.

http://blog.bro.org/2015/09/analyzing-bro-logs-with-sagan.html - Analyzing Bro Logs with Sagan.

https://www.fox-it.com/nl/vacancies/protact-syslog-monitoring-powershell-shells-using-saganbro/ - ProtACT: Syslog monitoring (for powershell shells) using Sagan/Bro.

https://quadrantsec.com/about/blog/detecting_pass_the_hash_attacks_with_sagan_in_real_time/ - Detecting, and the problems detecting, MS Windows "Pass The Hash" attacks.

https://quadrantsec.com/about/blog/sagan_log_analysis_with_websense_threatseeker_integration/ - How Sagan uses the Websense Threatseeker network to detect network anomalies through log analysis.

https://isc.sans.edu/forums/diary/Sagan+as+a+Log+Normalizer/17039 - "Sagan as a Log Normalizer" (Nov 16th, 2013)

http://infosecmatters.blogspot.com/2013/01/elsa-with-sagan.html - Sagan with the ELSA console (Jan, 2013)

http://blog.gerhards.net/2010/10/sagan-and-rsyslog-guest-posting.html - Champ Clark's guest posting on Rainer's (author of rsyslog) blog about Sagan and log anaylsis.

http://linuxdrops.com/installing-sagan-ids-on-centos-5-or-6-monitor-your-logs/ - Installing Sagan onCentOS 5/6 (Linux) for log monitoring.

http://sagan.quadrantsec.com/papers/wireless-ids/ - Article written by Champ Clark about using Kismet, Snort and Sagan to build wireless IDS monitoring device.

http://www.linux-magazine.com/w3/issue/129/072-073_kurt.pdf - Linux Pro Magazine article that discusses using Sagan for log monitoring.

http://www.infoworld.com/slideshow/65285/bossie-awards-2012-the-best-open-source-networking-and-security-software-202548#slide17 - Sagan was one of the "top security tools" & won a "Bossie Award" from Infoworld.com.

https://github.com/shadowbq/sagan-extras/blob/master/sagan_freebsd.howto.md - HOWTO build Sagan on FreeBSD

Sagan related videos from conferences, user group meetings, etc.

http://traffic.libsyn.com/pauldotcom/PaulDotCom-356-Part1.mp3 - Champ Clark talks about Sagan on "Pauldotcom Security weekly" - December, 12th, 2013.

http://www.youtube.com/watch?v=pMlAmteCjQo - "Taking a bite out of logs with Sagan". HOPE (Hackers on Planet Earth) # 9, July 2012.

http://www.youtube.com/watch?v=rySjNnEpjbI - "The Sagan Log Analysis Engine" - At the Jacksonville Linux user group meeting. November, 17th 2012.

http://www.securitytube.net/video/1206 - "Sagan (Log Correlation In Snort Like Way)" - North Florida ISSA meeting. Sept. 18th, 2010 (information covered in this video is a bit out dated).

External (Non-Wiki) Pages:

Sagan main web site - The main Sagan website.

Sagan source code download directory - Sagan "stable" source code.

Sagan "development" source code - Sagan development branch.

Sagan rule sets directory - "Stable" Sagan rules.

Sagan "development" rules - Sagan rule under development.

Sagan bugs & issues tracker - Submit & track bugs.


http://sagan.io/pdf/2_andrew.pdf - "Securing your Mikrotik Network" by Andrew Thrift (Presentation)

http://sagan.io/pdf/BlackLodgeNSMOverview-Nullthreat.pdf- "Defending the Homeland: Logging and Monitoring at home" by @nullthreat. (Presentation)

http://sagan.io/pdf/Network-Intrusion-Analyst-Hands-On-2014-DOCUMENT-full.pdf - IPSS.ca "Course objectives"

http://sagan.io/pdf/bachelor.pdf - "Centralized and structured log file analysis with Open Source and Free Software tools" Bachelor Thesis by Jens Kühnel.

Older/Outdate Sagan Pages:

Sagan Rule Tips


https://isc.sans.edu/forums/diary/SAGAN+An+open-source+event+correlation+system+-+Part+1+Installation/9184 - First ISC/SANS post on Sagan [OLD]

Edit | Attach | Watch | Print version | History: r14 < r13 < r12 < r11 < r10 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r14 - 2016-11-15 - RobertNunley
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback