Sagan (software)
Sagan is an open source (GNU/GPLv2) multi-threaded, high performance, real-time log analysis & correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine. This allows Sagan to be compatible with Snort or Suricata rule management software and gives Sagan the ability to correlate with Snort IDS/IPS data. Sagan supports different output formats for reporting and analysis, log normalization, script execution on event detection, GeoIP detection/alerting and time-sensitive alerting.
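As an added illustration (not code from the Sagan project, and not Sagan's actual rule grammar), the following Python sketch shows the idea behind a Snort-style log engine as described above: signatures written in a Snort-like option block are parsed, matched against syslog lines by program name and message content, and a threshold option correlates repeated matches per host inside a time window before an alert fires. The simplified rule grammar, the two sample rules and the syslog lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Simplified, Snort-style signature grammar (an assumption for this example,
# NOT Sagan's own syntax):
#   alert <program|any> (msg:"..."; content:"..."; threshold:<count>,<seconds>; sid:<n>;)
RULE_RE = re.compile(r'^alert\s+(?P<program>\S+)\s+\((?P<options>.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')

# Classic BSD syslog shape: "MMM dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r'^\w{3}\s+\d+\s+(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+'
    r'(?P<host>\S+)\s+(?P<program>[\w./-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$'
)

# Constructed sample rules: a brute-force correlation rule and a single-hit rule
RULES = [
    'alert sshd (msg:"SSH brute force"; content:"Failed password"; threshold:3,60; sid:5000001;)',
    'alert sudo (msg:"sudo authentication failure"; content:"authentication failure"; sid:5000002;)',
]

# Constructed sample log lines (hosts and addresses are documentation values)
LOGS = [
    "Mar  4 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4410 ssh2",
    "Mar  4 10:00:05 web01 sshd[1202]: Failed password for root from 203.0.113.5 port 4412 ssh2",
    "Mar  4 10:00:20 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000",
    "Mar  4 10:00:30 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 4415 ssh2",
    "Mar  4 10:05:00 db01 sshd[777]: Failed password for root from 198.51.100.9 port 5000 ssh2",
    "Mar  4 10:05:10 db01 sshd[778]: Accepted publickey for deploy from 198.51.100.9 port 5002 ssh2",
]


def parse_rule(text):
    """Parse one Snort-style rule line into a dict of its fields."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    opts = {}
    for om in OPTION_RE.finditer(m.group("options")):
        key, quoted, bare = om.group(1), om.group(2), om.group(3)
        opts[key] = quoted if quoted is not None else bare.strip()
    count, seconds = 1, 0  # default: alert on every single match
    if "threshold" in opts:
        count, seconds = (int(x) for x in opts["threshold"].split(","))
    return {
        "program": m.group("program"),
        "msg": opts.get("msg", ""),
        "content": opts.get("content", ""),
        "sid": int(opts.get("sid", 0)),
        "count": count,
        "seconds": seconds,
    }


def parse_syslog(line):
    """Normalize a syslog line into time-of-day seconds, host, program and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    secs = int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s"))
    return {"time": secs, "host": m.group("host"),
            "program": m.group("program"), "msg": m.group("msg")}


def run_engine(rule_texts, lines):
    """Feed log lines through all rules in order and return the alerts raised."""
    rules = [parse_rule(r) for r in rule_texts]
    windows = defaultdict(list)  # (sid, host) -> timestamps of recent matches
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue  # lines that do not normalize are skipped, not alerted on
        for r in rules:
            if r["program"] != "any" and r["program"] != ev["program"]:
                continue
            if r["content"] not in ev["msg"]:
                continue
            key = (r["sid"], ev["host"])
            win = windows[key] + [ev["time"]]
            # keep only matches inside the rule's time window (0 s = this event only)
            win = [t for t in win if ev["time"] - t <= r["seconds"]]
            if len(win) >= r["count"]:
                alerts.append({"sid": r["sid"], "msg": r["msg"],
                               "host": ev["host"], "time": ev["time"]})
                win = []  # reset so one burst fires a single alert
            windows[key] = win
    return alerts


if __name__ == "__main__":
    for a in run_engine(RULES, LOGS):
        print("[%d] %s on %s at t=%d" % (a["sid"], a["msg"], a["host"], a["time"]))
```

Running the block raises the sudo alert on its first hit and the SSH brute-force alert only after the third failed password on web01 within 60 seconds; the single failure on db01 never reaches the threshold. A real engine would additionally key its correlation on the source address parsed out of the message and persist its state across a log stream, but the shape of the work, normalize, match, correlate, alert, is the same.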


See also

* Host-based intrusion detection system comparison




External links


* About Sagan
* Official Sagan Wiki
* Sagan flowbits
* Using Sagan with Bro Intelligence feeds
* Sagan output to other SIEMs