GeoIP support.

This allows Sagan to use the Maxmind GeoIP country lookup database, so that Sagan can track log events by the geographic location of the source or destination address. GeoIP rules in Sagan carry "-geoip.rules" in their file name, for example "cisco-geoip.rules". To use these rules, Sagan has to be compiled with GeoIP support. Maxmind allows use of the C API and the country database at no cost. To install the Maxmind API, you'll need to compile libGeoIP. The Maxmind GeoIP source is located at: https://github.com/maxmind/geoip-api-c

You can also download a zip archive from: https://github.com/maxmind/geoip-api-c/archive/master.zip

To install, do the following:

wget https://github.com/maxmind/geoip-api-c/archive/master.zip

or

git clone https://github.com/maxmind/geoip-api-c

Once the files are downloaded and/or unarchived, enter the "geoip-api-c" source directory and type:

./bootstrap && ./configure
make && make install

Once this completes, download the Maxmind country database and install it:

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gzip -d GeoIP.dat.gz
mkdir -p /usr/local/share/GeoIP
cp GeoIP.dat /usr/local/share/GeoIP
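The steps above, collected into one POSIX shell script as an added example (this is not a script from the Sagan project or the original page). It uses the page's own download URLs and database path unchanged; the build directory /usr/local/src, the git-or-zip fallback, the ldconfig refresh and the two verify functions are assumptions added here so that the install can be checked before Sagan's configure step is run.

```shell
#!/bin/sh
# Added example: builds libGeoIP, installs the GeoLite country database and
# verifies both, following the steps from the page. Assumed (not from the
# page): build dir $GEOIP_BUILD_DIR, ldconfig refresh, verify functions.
set -eu

GEOIP_SRC_URL="https://github.com/maxmind/geoip-api-c"
GEOIP_DB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
GEOIP_BUILD_DIR="${GEOIP_BUILD_DIR:-/usr/local/src}"
GEOIP_DB_DIR="${GEOIP_DB_DIR:-/usr/local/share/GeoIP}"

# Fetch the libGeoIP source: git clone when git is present, otherwise the
# master.zip archive named on the page.
fetch_libgeoip() {
    mkdir -p "$GEOIP_BUILD_DIR"
    cd "$GEOIP_BUILD_DIR"
    if command -v git >/dev/null 2>&1; then
        [ -d geoip-api-c ] || git clone "$GEOIP_SRC_URL"
    else
        wget -O master.zip "$GEOIP_SRC_URL/archive/master.zip"
        unzip -q master.zip && mv geoip-api-c-master geoip-api-c
    fi
}

# Build and install the library exactly as the page describes.
build_libgeoip() {
    cd "$GEOIP_BUILD_DIR/geoip-api-c"
    ./bootstrap && ./configure
    make && make install
    # Refresh the dynamic linker cache so Sagan's configure finds libGeoIP
    # (assumed step; harmless where ldconfig is absent).
    if command -v ldconfig >/dev/null 2>&1; then ldconfig; fi
}

# Download and unpack the country database into the directory Sagan expects.
install_geoip_db() {
    mkdir -p "$GEOIP_DB_DIR"
    cd "$GEOIP_DB_DIR"
    wget -O GeoIP.dat.gz "$GEOIP_DB_URL"
    gzip -df GeoIP.dat.gz
}

# Return 0 when a non-empty GeoIP.dat exists in the given directory
# (defaults to $GEOIP_DB_DIR). An empty file means a failed download.
verify_geoip_db() {
    dir="${1:-$GEOIP_DB_DIR}"
    [ -s "$dir/GeoIP.dat" ]
}

# Return 0 when the dynamic linker can resolve libGeoIP.so, or the default
# "make install" location holds it.
verify_libgeoip() {
    ldconfig -p 2>/dev/null | grep -q 'libGeoIP\.so' ||
        [ -e /usr/local/lib/libGeoIP.so ]
}

# Only run the install when invoked as: sh geoip-install.sh install
case "${1:-}" in
    install)
        fetch_libgeoip
        build_libgeoip
        install_geoip_db
        verify_libgeoip && verify_geoip_db && echo "GeoIP support ready"
        ;;
esac
```

Run it with the `install` argument as root (or under sudo); without an argument it only defines the functions, so it can be sourced and `verify_libgeoip`/`verify_geoip_db` reused from another script before running Sagan's configure.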

SMTP support.

This allows Sagan to e-mail events/alerts when they happen. You can either specify a level at which you'd like Sagan to e-mail an event, or embed the e-mail address within a rule (see https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#email_email_address). For Sagan to support this, you will need libesmtp installed on your system. This library is included in many distributions:

Operating System    Commands used to install
Gentoo              emerge -av libesmtp
Ubuntu              apt-get install libesmtp-dev
FreeBSD             cd /usr/ports/mail/libesmtp && make && make install

Source code for libesmtp can be found at: http://www.stafford.uklinux.net/libesmtp/

Pcap / libpcap support.

This allows Sagan to "sniff the wire" for logs. Logs that are "sniffed" are then injected back into the Sagan engine. For Sagan to do this, it needs to be compiled with libpcap support. Most distributions have packages for libpcap, as it is a popular library.

Operating System    Commands used to install
Gentoo              emerge -av libpcap
Ubuntu              apt-get install libpcap-dev
CentOS              yum install libpcap

-- Main.ChampClark - 2013-03-13

Topic revision: r3 - 2014-06-25 - ChampClark