Sagan "TODO" list....
Support Snort's Unified2 output - I don't see much point in supporting Unified (v1) output. Doing this will make Sagan compatible with Barnyard2 and the like.
Logzilla / php-syslog-ng output - Log Sagan events to the Logzilla/php-syslog-ng format. Should be easy to do, and give another type of console for viewing events. [Added April 23rd, 2010]
Snortsam support - Support Snortsam. Add the communications with Snortsam and the "fwsam:" flag, so triggered events can dynamically firewall off the source. Of course, this would only be used with rule sets you know will give you valid source information.
Thresholding! - This is probably going to be a badly needed item. There's no sense in being flooded with the same information over and over again! [Added April 20th, 2010] (Has 'limit', but no 'threshold')
$EXTERNAL_NET/$HOME_NET support - Possibly other variables to further identify where the traffic is coming from and what to do with it.
Syslog/UDP replay add-on - A program, separate and external to Sagan, that'll 'sniff' the network interface for UDP/514 Syslog traffic. If traffic is seen, capture the packet and replay it to another Syslog server. Such a program is useful in pre-existing syslog environments. (Idea credited to Bruce Wink).
Need snmptrapd rules - "snmptrapd" writes out to syslog. Rules are needed for it.
--config to use multiple configuration files - Brought up by Brad Doctor on #sagan. Or, make the engine spawn new processing threads per-event?
Thread search - thread the pcre/content matching to better use multiple CPUs.
Stats - Periodic stats dumped to /var/log/sagan/sagan.log. Top IPs, SIDs, etc.
PIX/ASA parser - to extract PIX/ASA IP/port information.
Sguil agent ... Could be cool?
--
ChampClark - 2010-06-23