Sagan rule update!

Posted by Champ Clark on November 07, 2018

This is a large rule update which is long overdue. It improves the detection accuracy and performance of Sagan. For more information about Sagan see:

* Sagan Rule ChangeLog - 2018/11/08

* New watchguard.rules!

* New dynamic.rules for AS/400, Zscaler, Oracle, Office 365, Watchguard.

* Various minor rule updates:

* Better windows-owa-correlated.rules descriptions added.

* New and improved su.rules

* Minor sendmail.rules changes, new local administrator signature added.

* Disabled "RPD detected an integrity violation" on sid 5003412 due to lack of documentation about the threat from Microsoft.

* New cisco-amp.rules (Cisco Advanced Malware Protection)

* Disabled a lot of older malware rules (zeroaccess, etc.) and other fixes.

* New office365.rules (Microsoft Office 365!)

* Updates to sonicwall.rules

* New mcaffee-web-gateway.rules!

* New rules to detect "password spraying" attempts.

* New trendmicro.rules!  Other minor modifications.

* Modification: Removed many pcre in favor of meta_content. This should give a performance increase to the Sagan engine!

* New "" added.  This is for Sagan to decode JSON coming in from a FIFO. Minor fix for apache.rules (removed $HTTP_SERVERS variable).

* New dynamic.rules for Cisco ISE,  New Windows/LDAP rules.

* "xbit: noeve" added to some rules.

* New AS/400 rules! (as400.rules)

* New "windows-security.rules". These rules are based off Microsoft's "what events to monitor" text. That's located at:
   (Thanks Steve Rawls!)

* Typo fixes in Watchguard rules
   (Thanks Lillypad@github!)

* New rules based off Jack Crook's work.  See

* Minor modification: program is now *Sysmon* in windows-sysmon.rules

* New PasswordState rules!

* Rewrite of many -correlated rules to use standalone xbits.

* Rule modification: Ignore "anonymous" request in Citrix rules.

* "Bad Rabbit" rules and HP Procurve normalization.

* Minor fixes for vsftpd-correlated.rules

* New "Bad Rabbit" rules

* Minor updates to openssh.rules & rsync.rules

* New malware & authentication rules.

* Added content negation to nessus user agent rule to prevent firing
   (thanks Cyber Tao Flow@github!)
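The update above mentions new rules for "password spraying" attempts. As an added illustration (not part of this post or of the Sagan rule set), the script below shows the detection idea in plain Python: one source failing logins against many distinct accounts within a short window, as opposed to one account hammered repeatedly. The sshd log lines, the 60-second window and the five-user threshold are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines (not real data): one spraying source, one brute-forcing source.
SAMPLE_LOGS = """\
Nov  7 10:00:01 host1 sshd[2001]: Failed password for invalid user alice from 203.0.113.5 port 5001 ssh2
Nov  7 10:00:05 host1 sshd[2002]: Failed password for invalid user bob from 203.0.113.5 port 5002 ssh2
Nov  7 10:00:09 host1 sshd[2003]: Failed password for carol from 203.0.113.5 port 5003 ssh2
Nov  7 10:00:14 host1 sshd[2004]: Failed password for invalid user dave from 203.0.113.5 port 5004 ssh2
Nov  7 10:00:20 host1 sshd[2005]: Failed password for erin from 203.0.113.5 port 5005 ssh2
Nov  7 10:00:30 host1 sshd[2006]: Failed password for frank from 198.51.100.9 port 6001 ssh2
Nov  7 10:00:40 host1 sshd[2007]: Failed password for frank from 198.51.100.9 port 6002 ssh2
Nov  7 10:00:50 host1 sshd[2008]: Failed password for frank from 198.51.100.9 port 6003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse(line, year=2018):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m["user"], m["src"]

def detect_password_spray(lines, window_s=60, min_users=5):
    """Map source IP -> sorted distinct users for sources that failed against
    at least min_users different accounts within any window_s-second sliding window."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) still inside the window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, user, src = ev
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:   # expire old events
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and src not in alerts:  # many accounts, one source
            alerts[src] = sorted(users)
    return alerts

if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOGS.splitlines()))
```

Only 203.0.113.5 is reported; 198.51.100.9 fails repeatedly against a single account, which is a brute-force pattern rather than a spray and is left to a per-user threshold.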

Posted in Announcements