Quadrant Information Security is proud to release Sagan version 0.2.0!
What is Sagan?
Sagan is multi-threaded, real-time system and event-log monitoring software,
but with a twist. Sagan uses a Snort-like rule set for detecting nefarious
events happening on your network and/or computer systems. If Sagan detects a
“bad thing” happening, it can do a number of things with that information. For
example, Sagan can store the information to a Snort MySQL database for viewing
with utilities like Snorby [http://www.snorby.org], it can send e-mail(s)
about the event to the appropriate personnel, it can store to a Prelude back
end, it can spawn external utilities, and it can do numerous other things.
Sagan can also correlate the events with your Intrusion Detection/Intrusion
Prevention (IDS/IPS) system and basically acts like an SIEM (Security
Information & Log Management) system.
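To make the "Snort-like rules over log data" idea concrete, here is an added example (not code from the Sagan project) of a minimal rule engine in Python: it parses a few Snort-style rules, parses constructed syslog lines, and reports which rule fired on which line. The rule option syntax (msg, content, nocase, pcre, classtype, sid, rev) only approximates Sagan's real rule language, the sample log lines and the sids in the 1000000 range are constructed for this example, and extracting the first IPv4 address in the message as the reported source is an assumption of this example rather than Sagan's actual parsing logic.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample syslog lines (RFC 3164 style); not real data from any host.
SAMPLE_LOG = [
    "Jan 10 12:00:01 host1 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2",
    "Jan 10 12:00:05 host1 sshd[2231]: Accepted password for alice from 192.0.2.10 port 51240 ssh2",
    "Jan 10 12:00:09 host2 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
]

# Hypothetical Snort-style rules written for this example; the option syntax
# approximates Sagan's rule format and is not copied from its rule set.
RULES = r"""
# header: action proto src sport -> dst dport (options)
alert syslog any any -> any any (msg:"SSH failed password"; content:"Failed password"; pcre:"/for (invalid user )?\S+ from/"; classtype:attempted-admin; sid:1000001; rev:1;)
alert syslog any any -> any any (msg:"sudo command run as root"; content:"USER=root"; content:"COMMAND="; classtype:successful-admin; sid:1000002; rev:1;)
alert syslog any any -> any any (msg:"SSH accepted password"; content:"accepted password"; nocase; classtype:successful-user; sid:1000003; rev:1;)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<program>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<message>.*)$"
)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)
# key, optionally followed by ":value" (quoted values may contain ';'), terminated by ';'
OPTION_RE = re.compile(r'(?P<key>\w+)(?:\s*:\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Rule:
    sid: int = 0
    msg: str = ""
    classtype: str = ""
    contents: list = field(default_factory=list)  # every content: must be present
    nocase: bool = False                          # case-insensitive content matching
    pcre: Optional[re.Pattern] = None             # optional regular expression


def parse_rules(rule_text: str) -> list:
    """Parse Snort-style rule lines into Rule objects; blank lines and # comments are skipped."""
    rules = []
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hm = HEADER_RE.match(line)
        if not hm:
            raise ValueError(f"unparseable rule header: {line}")
        rule = Rule()
        for om in OPTION_RE.finditer(hm.group("options")):
            key, val = om.group("key"), (om.group("val") or "").strip()
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            if key == "msg":
                rule.msg = val
            elif key == "sid":
                rule.sid = int(val)
            elif key == "classtype":
                rule.classtype = val
            elif key == "content":
                rule.contents.append(val)
            elif key == "nocase":
                rule.nocase = True
            elif key == "pcre":
                pm = re.fullmatch(r"/(.*)/(\w*)", val)
                if not pm:
                    raise ValueError(f"bad pcre option in sid {rule.sid}: {val}")
                rule.pcre = re.compile(pm.group(1), re.IGNORECASE if "i" in pm.group(2) else 0)
            # rev and any other options are accepted but ignored by this toy engine
        if not rule.sid:
            raise ValueError(f"rule without sid: {line}")
        rules.append(rule)
    return rules


def parse_syslog(line: str) -> Optional[dict]:
    """Split a syslog line into timestamp, host, program, pid and message; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rule_matches(rule: Rule, message: str) -> bool:
    """All content: strings must appear (honouring nocase) and the pcre, if any, must match."""
    hay = message.lower() if rule.nocase else message
    for needle in rule.contents:
        if (needle.lower() if rule.nocase else needle) not in hay:
            return False
    return rule.pcre is None or rule.pcre.search(message) is not None


def run_rules(rule_text: str, lines: list) -> list:
    """Run every rule over every line and return one alert dict per (line, rule) hit."""
    rules, alerts = parse_rules(rule_text), []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            continue  # not syslog-shaped; a real engine would log and skip it
        for rule in rules:
            if rule_matches(rule, event["message"]):
                ip = IPV4_RE.search(event["message"])  # assumption: first IPv4 is the source
                alerts.append({"sid": rule.sid, "msg": rule.msg, "classtype": rule.classtype,
                               "host": event["host"], "program": event["program"],
                               "src_ip": ip.group(0) if ip else None, "line": line})
    return alerts


if __name__ == "__main__":
    for a in run_rules(RULES, SAMPLE_LOG):
        print(f"[sid {a['sid']}] {a['msg']} host={a['host']} program={a['program']} src={a['src_ip']}")
```

Running the block prints one alert per matched line; the sudo event has no IP in its message, so its source is reported as None, which is the kind of gap an engine must tolerate rather than treat as a parse failure.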
Release/ChangeLog:
– Removed Logzilla support from the base code. It was decided that Logzilla is outside the scope of the Sagan SIEM system.
– Removed the --program functionality. It only worked with syslog-ng and wasn't terribly efficient.
– Restructured the way some data is handled, namely _SaganConfig, _SaganSigArgs, _SaganDebug, etc.
– Resolved some bugs with direct Snort database writes missing IP information.
– Moved the Sagan source code from SVN to GitHub. See https://github.com/beave/sagan & https://github.com/beave/sagan-rules
– Fixed --chroot handling. It wasn't working correctly and was confusing.
– Many, many small bug fixes.
Development Road Map:
– Sagan 0.2.1 future development goals: Sagan with Snortsam support!
Big special thanks to Merlyn Cousins (AKA DrForbin) for bug stomping, patches and
development. He's contributed a lot of patches and time to Sagan.
To download Sagan, please see: http://sagan.quadrantsec.com