
Sagan Rule Update!

This is a large rule update which is long overdue. This rule update improves the detection, accuracy and performance of Sagan. For more information about Sagan see:

* Sagan Rule ChangeLog – 2018/11/08

* New watchguard.rules!

* New dynamic.rules for AS/400, Zscaler, Oracle, Office 365, Watchguard.

* Various minor rule updates:

* Better windows-owa-correlated.rules descriptions added.

* New and improved su.rules

* Minor sendmail.rules changes, new local administrator signature added.

* Disabled “RPD detected an integrity violation” on sid 5003412 due to lack of documentation about the threat from Microsoft.

* New cisco-amp.rules (Cisco Advanced Malware Protection)

* Disabled a lot of older malware (zeroaccess, etc) and other fixes.

* New office365.rules (Microsoft Office 365!)

* Updates to sonicwall.rules

* New mcaffee-web-gateway.rules!

* New rules to detect “password spraying” attempts.

* New trendmicro.rules!  Other minor modifications.

* Modification: Removed many pcre in favor of meta_content. This should give a performance increase to the Sagan engine!

* New “” added. This is for Sagan to decode JSON coming in from a FIFO. Minor fix for apache.rules (removed $HTTP_SERVERS variable).

* New dynamic.rules for Cisco ISE,  New Windows/LDAP rules.

* “xbit: noeve” added to some rules.

* New AS/400 rules! (as400.rules)

* New “windows-security.rules”. These rules are based on Microsoft’s “what events to monitor” text. That’s located at:
(Thanks, Steve Rawls!)

* Typo fixes in Watchguard rules
(Thanks Lillypad@github!)

* New rules based on Jack Crook’s work. See

* Minor modification: program is now *Sysmon* in windows-sysmon.rules

* New PasswordState rules!

* Rewrite of many -correlated rules to use standalone xbits.

* Rule modification: Ignore “anonymous” requests in Citrix rules.

* “Bad Rabbit” rules and HP Procurve normalization.

* Minor fixes for vsftpd-correlated.rules

* New “Bad Rabbit” rules

* Minor updates to openssh.rules & rsync.rules

* New malware & authentication rules.

* Added content negation to nessus user agent rule to prevent firing
(thanks Cyber Tao Flow@github!)
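As an added illustration (not code from the Sagan rule set or this changelog), the stateful logic behind the new password-spraying rules, sketched in Python over constructed sshd log lines: a source that fails logins against several different accounts inside a short window is flagged once, with the per-source state playing the role of the standalone xbits the rewritten correlated rules use. The threshold, window and sample data are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real data): one source fails against many
# different accounts (spraying); a second source only hammers a single account.
SAMPLE_LOGS = """\
Nov  8 10:00:01 host1 sshd[1001]: Failed password for invalid user alice from 203.0.113.9 port 40001 ssh2
Nov  8 10:00:03 host1 sshd[1002]: Failed password for bob from 203.0.113.9 port 40002 ssh2
Nov  8 10:00:05 host1 sshd[1003]: Failed password for invalid user carol from 203.0.113.9 port 40003 ssh2
Nov  8 10:00:07 host1 sshd[1004]: Failed password for dave from 203.0.113.9 port 40004 ssh2
Nov  8 10:00:09 host1 sshd[1005]: Accepted password for erin from 198.51.100.7 port 40005 ssh2
Nov  8 10:00:11 host1 sshd[1006]: Failed password for bob from 198.51.100.7 port 40006 ssh2
Nov  8 10:00:13 host1 sshd[1007]: Failed password for bob from 198.51.100.7 port 40007 ssh2
"""

FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def detect_password_spraying(log_text, distinct_users=3, window=60):
    """One alert per source IP that fails logins for `distinct_users` or more
    different accounts within `window` seconds (thresholds are assumed)."""
    recent = defaultdict(list)   # src -> [(t, user), ...] still inside the window
    alerted = set()              # sources already flagged (the "xbit is set")
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue             # accepted logins and other programs are ignored
        t, src, user = _seconds(m["hms"]), m["src"], m["user"]
        # Expire old failures, then record this one (same idea as an xbit expire)
        recent[src] = [(ts, u) for ts, u in recent[src] if t - ts <= window]
        recent[src].append((t, user))
        users = sorted({u for _, u in recent[src]})
        if len(users) >= distinct_users and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "users": users, "at": m["hms"]})
    return alerts

if __name__ == "__main__":
    for a in detect_password_spraying(SAMPLE_LOGS):
        print(f"password spraying from {a['src']} at {a['at']}: {', '.join(a['users'])}")
```

Repeated failures for one account from one source (the second host above) are a brute-force pattern, not spraying, and stay below the distinct-user threshold.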
