Sagan is a multi-threaded, real-time system and event log monitoring application with a twist: it uses a "Snort"-like rule set to detect bad things happening on your network and/or computer systems. When Sagan detects a "bad thing", the event can be stored in a Snort database (MySQL/PostgreSQL), and Sagan will attempt to correlate it with events from your Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system.
- Sagan is fast - Sagan is written in C and is a multi-threaded application. It is threaded to prevent blocking on input/output (I/O); for example, log processing does not stop while an SQL query is in flight.
- Sagan uses a "Snort"-like rule set - If you use Snort and understand Snort rule sets, you already understand Sagan rule sets. Essentially, Sagan is compatible with Snort rule management utilities such as "oinkmaster" and "pulledpork".
- Sagan can log to Snort databases - Sagan operates as a separate "sensor" ID in a Snort database, so your IDS/IPS events from Snort remain separate from your Sagan (syslog/event log) events. Because Sagan can use Snort databases, Snort front-ends such as BASE and Snorby work not only with your IDS/IPS events but with your syslog/log events as well.
- Sagan output formats - You don't have to be a Snort user to use Sagan. Sagan supports multiple output formats: a standard file log format (similar to Snort's), e-mailing of alerts (via libesmtp), Logzilla support, and external programs that you can develop in the language you prefer (Perl/Python/C/etc.).
- Sagan is actively developed - Softwink, Inc. actively develops and maintains the Sagan source code and rule sets, and uses Sagan to monitor security-related log events on a 24/7 basis.
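To make the "Snort-like rule set applied to logs" idea concrete, here is an added example (not Sagan's code, and not its exact rule grammar) that parses a simplified subset of Snort rule-option syntax (`msg`, `content`, `nocase`, `pcre`, `sid`) plus an assumed `program` option for the syslog program name, and runs those rules over a few constructed syslog lines. The rule strings, log lines and SIDs are all made up for the illustration.

```python
"""Minimal Snort-style rule matcher for syslog lines (added illustration).

Assumptions: the rule grammar is a simplified subset of Snort option syntax,
and the 'program' option (match the syslog program name) is a hypothetical
addition; neither is taken from Sagan's own implementation.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log lines, in classic BSD syslog layout.
SAMPLE_LOG = [
    "Mar 10 12:00:01 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2",
    "Mar 10 12:00:03 web1 sshd[2215]: Failed password for root from 10.0.0.5 port 41822 ssh2",
    "Mar 10 12:00:04 web1 sshd[2215]: Failed password for root from 10.0.0.5 port 41823 ssh2",
    # Same words, different program: must NOT fire a rule bound to sshd.
    "Mar 10 12:00:09 web1 cron[880]: (root) CMD (/usr/lib/failed password cleanup)",
]

# Constructed rules; SIDs are placeholders, not real Sagan/Snort rule ids.
SAMPLE_RULES = [
    r'alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH password failure"; program:"sshd"; '
    r'content:"failed password"; nocase; pcre:"/from (\d+\.\d+\.\d+\.\d+)/"; sid:5000001; rev:1;)',
    r'alert syslog any any -> any any (msg:"SSH login attempt as root"; program:"sshd"; '
    r'content:"for root "; sid:5000002; rev:1;)',
]


@dataclass
class Rule:
    msg: str
    sid: int
    program: Optional[str] = None
    contents: list = field(default_factory=list)  # [text, nocase] pairs, in rule order
    pcre: Optional[re.Pattern] = None


# One rule option: key, optional ':' value (quoted or bare), terminated by ';'.
_OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# BSD syslog: "Mon DD HH:MM:SS host program[pid]: message".
_SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+([^\[:\s]+)(?:\[\d+\])?:\s*(.*)$")


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (options)' into a Rule."""
    header, sep, body = text.strip().partition("(")
    if not sep or not body.endswith(")"):
        raise ValueError("rule must end with a parenthesised option list")
    rule = Rule(msg="", sid=0)
    for m in _OPTION_RE.finditer(body[:-1]):
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "program":
            rule.program = val
        elif key == "content":
            rule.contents.append([val, False])
        elif key == "nocase":
            if not rule.contents:
                raise ValueError("nocase must follow a content option")
            rule.contents[-1][1] = True
        elif key == "pcre":
            pm = re.fullmatch(r"/(.*)/([a-z]*)", val, re.S)
            if pm is None:
                raise ValueError("pcre value must look like /pattern/flags")
            flags = re.IGNORECASE if "i" in pm.group(2) else 0
            rule.pcre = re.compile(pm.group(1), flags)
        # rev, classtype, etc. are accepted and ignored in this subset
    if not rule.sid:
        raise ValueError("rule needs a sid")
    return rule


def parse_syslog(line: str):
    """Return (program, message); program is None if the line is not syslog-shaped."""
    m = _SYSLOG_RE.match(line)
    return (m.group(1), m.group(2)) if m else (None, line)


def rule_matches(rule: Rule, line: str) -> bool:
    """All content options, the pcre, and the program binding must hold."""
    program, message = parse_syslog(line)
    if rule.program is not None and program != rule.program:
        return False
    for text, nocase in rule.contents:
        hay, needle = (message.lower(), text.lower()) if nocase else (message, text)
        if needle not in hay:
            return False
    if rule.pcre is not None and not rule.pcre.search(message):
        return False
    return True


def scan(rules, lines):
    """Return (sid, msg, line) for every rule that fires on every line."""
    return [(r.sid, r.msg, line) for line in lines for r in rules if rule_matches(r, line)]


if __name__ == "__main__":
    for sid, msg, line in scan([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_LOG):
        print(f"[{sid}] {msg}: {line}")
```

Two points worth noticing: `nocase` binds to the preceding `content` only, as in Snort, so rule 5000002's `"for root "` stays case-sensitive; and the `program` binding is what keeps the cron line, which contains the same words as the sshd failures, from raising a false alert.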