

Sagan rule update!

Posted by Champ Clark on November 07, 2018

This is a large rule update which is long overdue. This rule update improves the detection, accuracy and performance of Sagan. For more information about Sagan see:

https://quadrantsec.com/sagan_log_analysis_engine/

* Sagan Rule ChangeLog - 2018/11/08

* New watchguard.rules!
https://github.com/beave/sagan-rules/commit/590fb11851d7138cf2fcbff7ec1d815090ad625b

* New dynamic.rules for AS/400, Zscaler, Oracle, Office 365, Watchguard.
https://github.com/beave/sagan-rules/commit/01a962742c867a279c75d4712476934bd6265ca0

* Various minor rule updates:
https://github.com/beave/sagan-rules/commit/9a67d6227610fea69cf0d829b74f6af23c72e4e7
https://github.com/beave/sagan-rules/commit/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e
https://github.com/beave/sagan-rules/commit/46d7484e1c66b8ec7362768cad09b65d79c41fa7
https://github.com/beave/sagan-rules/commit/8c8bab01cc4a237d9af44b90067f59e439721f7f

* Better windows-owa-correlated.rules descriptions added.
https://github.com/beave/sagan-rules/commit/53e313525fc98f451a4a25f4e2664e656216f877

* New and improved su.rules
https://github.com/beave/sagan-rules/commit/712260c64a7a5d3fc078d268d825ef17655ad9c4

* Minor sendmail.rules changes, new local administrator signature added.
https://github.com/beave/sagan-rules/commit/289188972e8cb202ab0e072872e8c7e8ff46f68f

* Disabled "RPD detected an integrity violation" on sid 5003412 due to lack of documentation about the threat from Microsoft.
https://github.com/beave/sagan-rules/commit/75787d96b4dc167831d63b73e829bf30d586af97

* New cisco-amp.rules (Cisco Advanced Malware Protection)
https://github.com/beave/sagan-rules/commit/79dee293db6f0653429a69370ce19ff132b7f5ab

* Disabled a lot of older malware (zeroaccess, etc) and other fixes.
https://github.com/beave/sagan-rules/commit/b25b43334d2b14f4360b9a16ef9408f204325a1b

* New office365.rules (Microsoft Office 365!)
https://github.com/beave/sagan-rules/commits/master?before=6f463ef64ea94b680d5335ff8e3373375c5e455d+70
https://github.com/beave/sagan-rules/commit/7249c194ef1508667166c13069bc8a394187441b
https://github.com/beave/sagan-rules/commit/19189443fdd306769c4afd7ab837da316f2690b5

* Updates to sonicwall.rules
https://github.com/beave/sagan-rules/commit/f590bf474bc4baa2876957a49a42d3c074a316ff

* New mcaffee-web-gateway.rules!
https://github.com/beave/sagan-rules/commit/f1f62f1563531ada58f35661530fe4b2aeef3c92

* New rules to detect "password spraying" attempts.
https://github.com/beave/sagan-rules/commit/b460f86416a3dba8fc0f21e590015da76f35351f
https://github.com/beave/sagan-rules/commit/5d327f43f54d78bde0b12daec44073a77ca57b8f
https://github.com/beave/sagan-rules/commit/7d5b72e58d52168489454f29b3ff23d06bb1281f
https://github.com/beave/sagan-rules/commit/eecd22b5d072f87edcc324169d56fadf302d7357

* New trendmicro.rules!  Other minor modifications.
https://github.com/beave/sagan-rules/commit/16a4a394a07423c5d1891a275f0907631c761d8e

* Modification: Removed many pcre in favor of meta_content. This should give a performance increase to the Sagan engine!
https://github.com/beave/sagan-rules/commit/49177c25e993059435a4523b7f86f347aa338c2f

* New "json-input.map" added. This is for Sagan to decode JSON coming in from a FIFO. Minor fix for apache.rules (removed $HTTP_SERVERS variable).
https://github.com/beave/sagan-rules/commit/e19e9cf62005592f9bd87e88c11d314ac4844c4f
https://github.com/beave/sagan-rules/commit/e82034a21261c74f5df1fbb6a7c98994a4e3814d

* New dynamic.rules for Cisco ISE, new Windows/LDAP rules.
https://github.com/beave/sagan-rules/commit/a5916e4f43b3ac377a762e6ea38302f889bf7aba

* "xbit: noeve" added to some rules.
https://github.com/beave/sagan-rules/commit/f2d8fc53613118203a3d6d5e888b477dff979be4

* New AS/400 rules! (as400.rules)
https://github.com/beave/sagan-rules/commit/ab06ac4aa5d03d3ddabeda1e2c4f13db5c45cfe5

* New "windows-security.rules". These rules are based on Microsoft's "events to monitor" guidance, located at:
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md

https://github.com/beave/sagan-rules/commit/57315a3fcff9a3f1e360ff43934ab4110276a25f
(Thanks, Steve Rawls!)

* Typo fixes in Watchguard rules
https://github.com/beave/sagan-rules/commit/cd9ede3c5a3a87bd8d558f13f491456b72b3e858
(Thanks, Lillypad@github!)

* New rules based on Jack Crook's work. See https://quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/
https://github.com/beave/sagan-rules/commit/87080d02714d0cb73b379bfbf4458daae3f6d012

* Minor modification: program is now *Sysmon* in windows-sysmon.rules
https://github.com/beave/sagan-rules/commit/93b186e9c7ee1a4339c90317718ba6e383cc8058

* New PasswordState rules!
https://github.com/beave/sagan-rules/commit/a84b30bd279808b5730b687ae3b16e9f7b85c677

* Rewrite of many -correlated rules to use standalone xbits.
https://github.com/beave/sagan-rules/commit/0c8af0541024a0effdd924cf0f42840d060f47d9

* Rule modification: Ignore "anonymous" requests in Citrix rules.
https://github.com/beave/sagan-rules/commit/97102417281a36f042cf3eba841e67a29cd9451d

* "Bad Rabbit" rules and HP Procurve normalization.
https://github.com/beave/sagan-rules/commit/2d5c717d99b105f5d23311c7afd20df98498466d

* Minor fixes for vsftpd-correlated.rules
https://github.com/beave/sagan-rules/commit/df9281a5ab10a3239412981460c4b44c4744f695

* New "Bad Rabbit" rules
https://github.com/beave/sagan-rules/commit/8557a59bc4ab1323e39d5ab83ea180750b32c001

* Minor updates to openssh.rules & rsync.rules
https://github.com/beave/sagan-rules/commit/618d8016f5a1430931a1b4d44e466e14ec146527

* New malware & authentication rules.
https://github.com/beave/sagan-rules/commit/618d8016f5a1430931a1b4d44e466e14ec146527

* Added content negation to nessus user agent rule to prevent firing
https://github.com/beave/sagan-rules/commit/9cfac7b8ab9f665baf624c813449ce6a67659991
https://github.com/beave/sagan-rules/commit/c04839825088f1fe7a8c117127249737ac65273b
(Thanks, Cyber Tao Flow@github!)

Posted in Announcements