Sagan 1.0.0RC4
- [Feature] - 'offset', 'depth', 'distance', and 'within' support. These options function identically to the Snort options of the same names and allow you to parse log message content in different ways. For more information on how they work, see:
http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
When you read Joel Esler's great article, please keep in mind to:
s/Snort/Sagan/g
Sagan's functionality with 'offset', 'depth', 'distance' and 'within' is identical to Snort's.
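The following is an added worked example (not Sagan's or Snort's code) showing how the four modifiers narrow the window a 'content' is searched in. The window semantics written in the comments are this example's own assumptions about the keywords, the Content/match_contents names are invented, and the sshd log line is constructed sample input.

```python
"""Content matching with offset/depth/distance/within.

Added example for the changelog entry above; not Sagan's or Snort's code.
The window semantics below are this example's assumptions:
  offset N   - start searching N bytes into the message
  depth N    - search only the N bytes starting at that offset
  distance N - start N bytes after the end of the previous content match
  within N   - search only the N bytes starting at that point
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    """One 'content:' keyword with its optional modifiers."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None
    distance: int = 0
    within: Optional[int] = None
    nocase: bool = False

    @property
    def relative(self) -> bool:
        # distance/within anchor this content to the end of the previous match
        return self.distance != 0 or self.within is not None


def match_contents(message: bytes, contents: List[Content]) -> bool:
    """True if every content matches, each inside its own search window."""
    doe = 0  # "detect offset end": end of the last successful match
    for c in contents:
        if c.relative:
            start = doe + c.distance
            end = start + c.within if c.within is not None else len(message)
        else:
            start = c.offset
            end = start + c.depth if c.depth is not None else len(message)
        if start < 0:
            return False  # a negative distance that runs before the message start
        haystack, needle = message[start:end], c.pattern
        if c.nocase:
            haystack, needle = haystack.lower(), needle.lower()
        idx = haystack.find(needle)
        if idx < 0:
            return False
        doe = start + idx + len(needle)
    return True


# Constructed sample log line (not a real capture). "Failed" starts at byte 12,
# "invalid user" occupies bytes 32-43 and "admin" bytes 45-49.
SAMPLE = b"sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 22 ssh2"


def demo() -> Dict[str, bool]:
    """Run the same line through contents that differ only in their modifiers."""
    failed = Content(b"Failed")
    return {
        # depth 10 searches only "sshd[1234]", so "Failed" (at byte 12) is missed
        "depth_too_short": match_contents(SAMPLE, [Content(b"Failed", depth=10)]),
        "depth_ok": match_contents(SAMPLE, [Content(b"Failed", depth=18)]),
        # offset 12 + depth 6 is exactly the six bytes "Failed"
        "offset_plus_depth": match_contents(SAMPLE, [Content(b"Failed", offset=12, depth=6)]),
        # "invalid user" ends 26 bytes after "Failed"; within 20 is too tight
        "within_too_tight": match_contents(SAMPLE, [failed, Content(b"invalid user", within=20)]),
        "within_ok": match_contents(SAMPLE, [failed, Content(b"invalid user", within=30)]),
        # distance skips bytes after "Failed" before the search for "admin" begins
        "distance_ok": match_contents(SAMPLE, [failed, Content(b"admin", distance=20)]),
        "distance_past_it": match_contents(SAMPLE, [failed, Content(b"admin", distance=30)]),
        # nocase combined with a relative window
        "nocase": match_contents(SAMPLE, [failed, Content(b"ADMIN", within=40, nocase=True)]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18s} {'match' if hit else 'no match'}")
```

The point to take from the `within_too_tight`/`distance_past_it` cases is that these modifiers are as much about excluding matches as finding them: a rule tuned with them fails closed on a line where the expected fields have shifted, which is exactly the false-positive control the Snort article describes.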
- [Feature] - "Flowbits" allow Sagan to "track" events across multiple log lines. For example, let's say that you would like Sagan to generate an alert when a Microsoft Windows server's anti-virus process is stopped. However, you would not like an alert to be generated if the anti-virus is "stopped" due to a reboot. To accomplish this, you would create two rules. The first would be used to detect when a Microsoft Windows system is being rebooted.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [FLOWBIT SET]"; content: " 1074|3a| "; program: USER32; flowbits: set, reboot.windows, 60; flowbits: noalert; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:6;)
If a Microsoft Windows system "reboot" is detected, Sagan will "set" a flowbit named "reboot.windows" for that source, with an expire time of 60 (the third argument to "flowbits: set"). Because of "flowbits: noalert", no alert will be generated for this rule; it only records state.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; pcre: "/ 7034: | 7035: | 7046: | 7040: | 4689: | 593: /" ; pcre: "/Defender|Anti-Virus|antivirus/i"; content: "stop control"; flowbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002011; sid: 5002011; rev:6;)
This rule monitors for anti-virus products being stopped. If Sagan detects that anti-virus is being stopped and the "reboot.windows" flowbit is not set for the same source ("isnotset,by_src"), an alert is generated: the anti-virus might be being stopped by a malicious user and/or process. The flowbit code for 1.0.0RC4 was rewritten to add more flexibility. The new code now supports multiple flowbits within a rule and the "&" and "|" operators. For more information see:
https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#flowbits_set_flowbit_name_expire
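The following is an added worked example (not Sagan's code) that reproduces, in plain Python, the correlation the two rules above perform: rule one sets "reboot.windows" per source with an expire time, rule two alerts only when that bit is not set for the same source. The Event and FlowbitStore types, the treatment of the expire value as seconds, and the sample events are this example's own constructions; the program and content/pcre checks are copied from the rules.

```python
"""Flowbits: stateful correlation across log lines.

Added example for the two rules above; not Sagan's code. It implements
only what those rules need: 'set' with an expire time (assumed to be in
seconds here), 'noalert', and 'isnotset' keyed 'by_src'. Event,
FlowbitStore and the sample events are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: float        # event time in seconds
    src: str         # source host, the key used for by_src
    program: str     # syslog program name
    message: str


class FlowbitStore:
    """Maps (flowbit name, source) to an absolute expiry time."""

    def __init__(self) -> None:
        self._bits: Dict[Tuple[str, str], float] = {}

    def set(self, name: str, src: str, now: float, expire: float) -> None:
        self._bits[(name, src)] = now + expire

    def is_set(self, name: str, src: str, now: float) -> bool:
        expiry = self._bits.get((name, src))
        if expiry is None:
            return False
        if now >= expiry:            # expired: behave as if it was never set
            del self._bits[(name, src)]
            return False
        return True


def rule_reboot(ev: Event, bits: FlowbitStore) -> bool:
    """sid 5002014: program USER32, content " 1074|3a| " (|3a| is a ':').
    flowbits: set, reboot.windows, 60; flowbits: noalert"""
    if ev.program == "USER32" and " 1074: " in ev.message:
        bits.set("reboot.windows", ev.src, ev.ts, 60)
    return False  # noalert: this rule never alerts, it only records state


AV_EVENT_IDS = re.compile(r" 7034: | 7035: | 7046: | 7040: | 4689: | 593: ")
AV_NAMES = re.compile(r"Defender|Anti-Virus|antivirus", re.IGNORECASE)


def rule_av_stopped(ev: Event, bits: FlowbitStore) -> bool:
    """sid 5002011: alert only if reboot.windows is not set for this source."""
    if ev.program != "Service_Control_Manager":
        return False
    if not (AV_EVENT_IDS.search(ev.message) and AV_NAMES.search(ev.message)):
        return False
    if "stop control" not in ev.message:
        return False
    return not bits.is_set("reboot.windows", ev.src, ev.ts)   # isnotset,by_src


def run(events: List[Event]) -> List[Tuple[str, float]]:
    """Feed events through both rules in time order; return (src, ts) per alert."""
    bits = FlowbitStore()
    alerts: List[Tuple[str, float]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        rule_reboot(ev, bits)
        if rule_av_stopped(ev, bits):
            alerts.append((ev.src, ev.ts))
    return alerts


# Constructed sample messages and events (not real logs)
REBOOT = "Event 1074: The process winlogon.exe has initiated the restart of computer on behalf of user"
AV_STOP = "Event 7035: The Windows Defender Antivirus Service service was successfully sent a stop control."

SAMPLE_EVENTS = [
    Event(100.0, "10.0.0.1", "USER32", REBOOT),                    # host 1 reboots: bit set until t=160
    Event(105.0, "10.0.0.1", "Service_Control_Manager", AV_STOP),  # inside the window: suppressed
    Event(110.0, "10.0.0.2", "Service_Control_Manager", AV_STOP),  # other host, no reboot: alert
    Event(150.0, "10.0.0.1", "Service_Control_Manager", AV_STOP),  # still inside the window: suppressed
    Event(200.0, "10.0.0.1", "Service_Control_Manager", AV_STOP),  # bit expired at t=160: alert
]

if __name__ == "__main__":
    for src, ts in run(SAMPLE_EVENTS):
        print(f"t={ts:.0f} {src}: [WINDOWS-MALWARE] System protection disabled")
```

Two details worth noticing: the bit is keyed by source, so host 10.0.0.1 rebooting does not excuse an anti-virus stop on 10.0.0.2 at t=110, and the expire time bounds the suppression, so a stop long after the reboot (t=200) alerts again. Without both, a single benign reboot record could mask a later tampering event indefinitely or on the wrong host.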
- [Feature] - New "output/sagan-perfmon.c" (Perfmon) output tool. This records Sagan statistics in CSV format. Useful for performance tuning, graphing, etc.
- [Bugfix] - "content", "pcre" and "meta_content" handling changed in sagan.c to increase performance.
- [Bugfix] - With Rainer's (Rsyslog) help, fixed a long outstanding issue when compiling Sagan with liblognorm that resulted in a "json.h not found" error. Added pkg-config options for json-c, liblognorm and libestr. This should help Sagan build a lot more cleanly.
- [Bugfix] - Removed the hardcoded UDP port 514 in the sagan-plog.c check.
- [Bugfix] - meta_content is now treated like content/pcre (it was previously a "special" case).