There are three primary vectors that an attacker can use to compromise a network — the hardware, the software, and the user. But whatever vector the attacker is using, the key is identifying and stopping the attack quickly and effectively.
Jack Crook uses Splunk and, more recently, the ELK stack for threat “hunting”. At Quadrant, we also use Elasticsearch in ways similar to those Jack describes in his blog, but I wanted to take this opportunity to see if I could mimic his work with Sagan!
To address these two issues, we made Sagan use “memory-mapped” files, which allow Sagan to “remember” data across system reboots and process restarts. This also allowed for “Inter-Process Communications” (IPC) between Sagan processes.
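The two properties described above, state that survives a process restart and state that a second process can see, both fall out of mapping an ordinary file with MAP_SHARED. The following is an added illustration written for this post, not Sagan's own code: the record layout, the marker value and the path `/tmp/sagan_state_example.bin` are constructed for the example. A counter lives in the mapped file, so a later run picks up where the previous one left off, and a forked child that maps the same file adds to the counter while the parent watches its own mapping change.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical state record; this layout is constructed for the example
 * and is not Sagan's own. */
typedef struct {
    unsigned int  magic;        /* marks a file this program initialised */
    unsigned long events_seen;  /* running counter shared across processes */
} shared_state_t;

#define STATE_MAGIC 0x5341474Eu /* constructed marker value */

/* Map the state file, creating and zero-filling it on first use. */
shared_state_t *state_open(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return NULL;

    struct stat st;
    if (fstat(fd, &st) < 0 ||
        (st.st_size < (off_t)sizeof(shared_state_t) &&
         ftruncate(fd, sizeof(shared_state_t)) < 0)) {
        close(fd);
        return NULL;
    }

    shared_state_t *s = mmap(NULL, sizeof(shared_state_t),
                             PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd); /* the mapping outlives the descriptor */
    if (s == MAP_FAILED)
        return NULL;

    if (s->magic != STATE_MAGIC) { /* new or foreign file: start clean */
        memset(s, 0, sizeof *s);
        s->magic = STATE_MAGIC;
    }
    return s;
}

/* Flush to the backing file (so it survives a reboot) and unmap. */
int state_close(shared_state_t *s)
{
    if (msync(s, sizeof *s, MS_SYNC) < 0)
        return -1;
    return munmap(s, sizeof *s);
}

/* Remove the state file; a missing file counts as success. */
int state_reset(const char *path)
{
    return (unlink(path) == 0 || errno == ENOENT) ? 0 : -1;
}

/* One "process lifetime": attach, count n events, detach. The total it
 * returns is cumulative across calls because it lives in the file. */
unsigned long simulate_run(const char *path, unsigned long n)
{
    shared_state_t *s = state_open(path);
    if (!s)
        return 0;
    s->events_seen += n;
    unsigned long total = s->events_seen;
    state_close(s);
    return total;
}

/* IPC through the shared mapping: a forked child attaches to the same file
 * and adds n events; the parent observes the change in its own mapping.
 * Returns the parent's view of events_seen after the child exits. */
unsigned long ipc_demo(const char *path, unsigned long n)
{
    shared_state_t *s = state_open(path);
    if (!s)
        return 0;

    pid_t pid = fork();
    if (pid == 0) {                       /* child */
        shared_state_t *c = state_open(path);
        if (c) {
            c->events_seen += n;
            state_close(c);
        }
        _exit(0);
    }
    if (pid > 0)
        waitpid(pid, NULL, 0);

    unsigned long seen = s->events_seen;  /* reflects the child's write */
    state_close(s);
    return seen;
}

int main(void)
{
    const char *path = "/tmp/sagan_state_example.bin";
    printf("run 1 total: %lu\n", simulate_run(path, 5));
    printf("run 2 total: %lu\n", simulate_run(path, 7));
    printf("after child IPC: %lu\n", ipc_demo(path, 100));
    state_reset(path);
    return 0;
}
```

Run the program twice without the final `state_reset` and the second run starts from the first run's total, which is the restart-survival behaviour the post is after. The `magic` check matters operationally: a mapped file that another program created, or one whose layout changed between versions, should be reinitialised rather than trusted, since whatever bytes are in it become the engine's state.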