-[Feature] - 'offset', 'depth', 'distance', and 'within' support. These options function identical to the Snort options with the same names. These options allow you too parse log message content in different ways. For more information on how they work, see:
When you read Joel Esler great artcle, please keep in mind to:
Sagan's functionality with 'offset
' and 'within
' is identifical to Snorts.
- [Feature] - "Flowbit" allow Sagan to "track" events across multiple log lines. For example, let's say that you would like Sagan to generate an alert when a Microsoft Window's server anti-virus process is stopped. However, you would not like an alert to be generate if the anti-virus is "stopped" due to a reboot. To accomplish this, you would create two rules. The first would be used to detect when a Microsoft Window system is being rebooted.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [FLOWBIT SET]"; content: " 1074|3a| "; program: USER32; flowbits: set, reboot.windows, 60; flowbits: noalert; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:6;)
If a Microsoft Windows system "reboot" is detected, Sagan will "set" a flowbit named "reboot.windows". No alert will be generated for this rule.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; pcre: "/ 7034: | 7035: | 7046: | 7040: | 4689: | 593: /" ; pcre: "/Defender/Anti-Virus/antivirus/i"; content: "stop control"; flowbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002011; sid: 5002011; rev:6;)
This rule monitors for anti-virus products being stopped. If Sagan detects that anti-virus is being stopped and the "reboot.windows" flowbit "issnot", and alert is generated. The anti-virus might be being stopped by a malicious user and/or process. The flowbit code for 1.0.0RC4 was rewritten to add more flexability. The new code now support multiple flowbits within a rule, "&" and "|" operators. For more information see:
- [Feature] - New "output/sagan-perfmon.c" (Perfmon) output tool. This will record Sagan statistics in a CSV format. Useful for preformance tuning, graphing, etc.
- [Bugfix] -
" and "meta_content
" handling changed in sagan.c to increase preformance.
- With Rainers (Rsyslog) help, fixed long outstanding issue of compiling Sagan with liblognorm that resulted in a "json.h not found" error. Added pkg-config options for json-c, liblognorm and libetr. This should help Sagan build a lot more cleanly.
- [Bugfix] - Remove hardcoded UDP 514 in sagan-plog.c check.
- [Bugfix] - Now treating meta_content like content/pcre (was "special")
- [Bugfix] -
"content", "pcre" and "meta_content" handling changed in sagan.c to increase preformance.
- Code is now in "artistic" style of GNU.
- [Bug fix - multiple files]
- Daniel Koopmans & remydb (on github) reported a "output external:" bug that would sometimes corrupt alerts. Upon further investigation, the bug not only affected the external output plugin, but other plugin's as well (unified2, alert log, etc). This was due to "_Sagan_Processor_Info" (in processors/sagan-engine.c, and other files) being called as a global when it did not need to be. Moved the struct local to the function appears to have resolved the issue. This also resolve a memory allocation/leak issue.
Sagan is now much more efficent with memory.
In certain situation Sagan would segmentation fault when reloading it's configuration via a SIGHUP. The processor/sagan-engine.c would try to access memory that was being cleared during the configuration and rule set reload.
- [Bug fix - processors/sagan-track-clients.c & sagan-processors.c]
- In certain situations, sagan-track-client.c would incorrectly report systems as "down" when they where not. Fixed by wrapping the Sagan_Track_Clients() function in a pthread mutex.
- [Minor feature added - sagan-stats.c]
- Added "minutes" to the "client tracking" status screen.
- [New feature - "meta_content" and "meta_nocase"]
allows Sagan to search through multiple dynamic options, rather than have to create multiple content
within a rule. For example, if you wanted to search for "Username: bob", "Username: frank" or "Username: mary" you would typically have multiple rules like thus:
content: "Username|3a| bob";
content: "Username|3a| frank";
content: "Username|3a| mary";
With "meta_content", you can define a variable in the "sagan.conf" with all the user names you wish to search for. For example:
var USERNAMES [bob, frank, mary]
Within your rule, you could then use the USERNAME variable with meta_content like thus:
meta_content: "Username|3a| ", $USERNAMES; meta_nocase;
This allows the rule with meta_content
to do the work of three normal content
rules. Like content
, the meta_nocase
options tells Sagan to ignore the casing of the meta_content.
- [New feature - Flowbit "tracking" added] -
is used to tie multiple logs together to generate an alert. Flowbit "tracking" has been added to track the "where" the alert came from. Upon the set
of a flowbit, Sagan records the source and destination the log message was received from. If the rule uses the isset
options, the source and/or destination can be verified. For more information, see: https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#flowbits_set_unset_isset_isnotset
Flowbit code has also been moved to sagan-flowbit.c / sagan-flowbit.h
- [Deperciated "windows-domains"]
- In Sagan-1.0.0RC2 for the more generic "meta_content".
- [New rule option] - "alert_time"
- This allows alerts to be time sensitve. Example rule syntax is:
alert_time: days 0123456, hours 0800-1400;
"days" is an option of 0-6 (0 = Sunday, 1 = Monday, etc). "hours" is expressed in a 24 hour clock format. For more information on the usage of "alert_time", see: https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#alert_time_days_days_hours_hours
- [New sagan.conf option] - "email_subject"
- Allows you to set a user defined Subject to prepend to a e-mail. Use the "email_subject" option in your sagan.conf
- [New sagan.conf variable] "WINDOWS_DOMAINS"
- Allows you to define Microsoft Windows Domains that are being used within your network. This variable is then passed to rules. An example of a $WINDOWS_DOMAIN variable in use is the "Pass-the-hash" detection rule. See rule https://wiki.quadrantsec.com/twiki/bin/view/Main/5002017
for example usage.
- [Processor Improvement - processor/sagan-track-clients.c] "client tracker"
- The Sagan "client tracker" keep track of systems that are reporting to Sagan. Sagan can then alert when a system stops sending logs. It will also alert when a system that has previously stopped sending logs starts sending logs again. Prior version only tracked client in memory during run time. The client tracker now keep a "cache" of known that can be saved and reloaded and Sagan termination/startup. The format of the Sagan client tracker has also been changed. An example of the new format is:
processor sagan-track-clients: client_timeout=360 host_cache=/var/run/sagan/sagan.cache
- [Bug fix - output-plugins/sagan-snortsam.c] -
Due to code changes, Snortsam no longer functioned properly. This was due to rulestruct[Event->found].fwsam_src_or_dst
not being properly set in sagan-output.c. Snortsam now functions as it should.
- GeoIP look up
- Allows Sagan to do analysis based on geographic location of the source/destination address of the log.
- Various bug fixes.