- Massive code cleanup. Moved function definitions/declarations to separate related header files.
- With Rainer's (Rsyslog) help, fixed the long outstanding issue of compiling Sagan with liblognorm that resulted in a "json.h not found" error. Added pkg-config options for json-c, liblognorm and libestr. This should help Sagan build a lot more cleanly.
- Code is now formatted in the GNU "artistic" style.
- [Bug fix - multiple files]
- Daniel Koopmans & remydb (on github) reported an "output external:" bug that would sometimes corrupt alerts. Upon further investigation, the bug not only affected the external output plugin but other plugins as well (unified2, alert log, etc.). This was due to "_Sagan_Processor_Info" (in processors/sagan-engine.c and other files) being used as a global when it did not need to be. Making the struct local to the function appears to have resolved the issue. This also resolved a memory allocation/leak issue.
Sagan is now much more efficient with memory.
In certain situations Sagan would segmentation fault when reloading its configuration via a SIGHUP. processors/sagan-engine.c would try to access memory that was being cleared during the configuration and rule set reload.
- [Bug fix - processors/sagan-track-clients.c & sagan-processors.c]
- In certain situations, sagan-track-clients.c would incorrectly report systems as "down" when they were not. Fixed by wrapping the Sagan_Track_Clients() function in a pthread mutex.
- [Minor feature added - sagan-stats.c]
- Added "minutes" to the "client tracking" status screen.
- [New feature - "meta_content" and "meta_nocase"]
- "meta_content" allows Sagan to search through multiple dynamic options, rather than having to create multiple content
matches within a rule. For example, if you wanted to search for "Username: bob", "Username: frank" or "Username: mary" you would typically need multiple rules like this:
content: "Username|3a| bob";
content: "Username|3a| frank";
content: "Username|3a| mary";
With "meta_content", you can define a variable in "sagan.conf" with all the user names you wish to search for. For example:
var USERNAMES [bob, frank, mary]
Within your rule, you could then use the $USERNAMES variable with meta_content like this:
meta_content: "Username|3a| ", $USERNAMES; meta_nocase;
This allows the single rule with meta_content to do the work of three normal content rules. Like nocase for content, the meta_nocase option tells Sagan to ignore the case of the meta_content match.
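As an added example (not Sagan's own code), the following Python sketch shows what a meta_content expands to and how meta_nocase changes the match, run over a few constructed log lines. The |xx| hex-escape decoding, the "var" line parsing and the plain substring matching are written here to mirror the rule semantics described above; the function names, the sample logs and the assumption that meta_content is a substring match (as content is) are mine.

```python
import re

def parse_var(line):
    """Parse a sagan.conf 'var NAME [a, b, c]' line into (name, [values])."""
    m = re.match(r"\s*var\s+(\w+)\s+\[(.*)\]\s*$", line)
    if not m:
        raise ValueError("not a var line: " + line)
    values = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return m.group(1), values

def decode_hex_escapes(s):
    """Expand Snort/Sagan-style |xx| byte escapes, e.g. 'Username|3a| ' -> 'Username: '."""
    return re.sub(
        r"\|([0-9A-Fa-f ]+)\|",
        lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"),
        s,
    )

def expand_meta_content(prefix, var_name, variables):
    """Return the list of plain content strings that one meta_content stands for."""
    base = decode_hex_escapes(prefix)
    return [base + value for value in variables[var_name]]

def meta_content_match(log, prefix, var_name, variables, nocase=False):
    """Return the first expanded content found in the log line, or None.
    Assumption: meta_content is a substring match, like content."""
    haystack = log.lower() if nocase else log
    for needle in expand_meta_content(prefix, var_name, variables):
        if (needle.lower() if nocase else needle) in haystack:
            return needle
    return None

# Constructed sagan.conf variable and log lines (not real data).
VARIABLES = dict([parse_var("var USERNAMES [bob, frank, mary]")])
LOGS = [
    "Jan 01 12:00:00 host sshd[100]: Accepted password for Username: Bob",
    "Jan 01 12:00:01 host sshd[101]: Accepted password for Username: alice",
    "Jan 01 12:00:02 host sshd[102]: Accepted password for username: FRANK",
]

def run_rule(logs, nocase):
    """Apply 'meta_content: "Username|3a| ", $USERNAMES;' with or without meta_nocase."""
    return [meta_content_match(l, "Username|3a| ", "USERNAMES", VARIABLES, nocase)
            for l in logs]

if __name__ == "__main__":
    print(expand_meta_content("Username|3a| ", "USERNAMES", VARIABLES))
    print(run_rule(LOGS, nocase=True))   # bob and frank match regardless of case
    print(run_rule(LOGS, nocase=False))  # nothing matches: the logs differ in case
```

The case-sensitive run is the one to keep in mind when writing rules against Windows or application logs that are inconsistent about capitalization: without meta_nocase, "username: FRANK" is simply not seen.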
- [New feature - Flowbit "tracking" added]
- Flowbits are used to tie multiple logs together to generate an alert. Flowbit "tracking" has been added to record where the alert came from. Upon the set of a flowbit, Sagan records the source and destination the log message was received from. If the rule uses the isset option, the source and/or destination can then be verified against those recorded values. For more information, see: https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#flowbits_set_unset_isset_isnotset
Flowbit code has also been moved to sagan-flowbit.c / sagan-flowbit.h
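To show why tracking the source and destination matters, here is an added Python example (not Sagan's flowbit code) that correlates constructed failed/accepted login events with a set/isset pair. The tracker records the endpoints at set time and, when asked, requires isset to match the same source. The rule logic, the timeout value and the event data are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class FlowbitState:
    """One set flowbit plus where the log that set it came from."""
    src: str
    dst: str
    expires: float

class FlowbitTracker:
    """Flowbit set/isset with source/destination tracking."""

    def __init__(self):
        self.bits = {}  # flowbit name -> list of FlowbitState

    def set(self, name, src, dst, now, ttl):
        self.bits.setdefault(name, []).append(FlowbitState(src, dst, now + ttl))

    def isset(self, name, now, src=None, dst=None):
        """True if a live flowbit 'name' exists. If src and/or dst are given, the
        endpoints recorded when the bit was set must match them."""
        live = [b for b in self.bits.get(name, []) if b.expires > now]
        self.bits[name] = live  # drop expired bits
        for bit in live:
            if src is not None and bit.src != src:
                continue
            if dst is not None and bit.dst != dst:
                continue
            return True
        return False

# Constructed events: (seconds, source, destination, message). Not real logs.
EVENTS = [
    (0,   "10.1.1.5", "192.0.2.10", "Failed password for root"),
    (60,  "10.1.1.5", "192.0.2.10", "Accepted password for root"),
    (70,  "10.1.1.6", "192.0.2.10", "Accepted password for admin"),
    (400, "10.1.1.5", "192.0.2.10", "Accepted password for root"),
]

def correlate(events, ttl=300, verify_src=True):
    """Rule 1: 'Failed password' sets flowbit brute_force for ttl seconds.
    Rule 2: 'Accepted password' alerts if brute_force isset, optionally only
    when it was set by the same source. Returns (time, source) per alert."""
    tracker = FlowbitTracker()
    alerts = []
    for t, src, dst, msg in events:
        if "Failed password" in msg:
            tracker.set("brute_force", src, dst, t, ttl)
        elif "Accepted password" in msg:
            if tracker.isset("brute_force", t, src=src if verify_src else None):
                alerts.append((t, src))
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS, verify_src=True))   # only 10.1.1.5 at t=60
    print(correlate(EVENTS, verify_src=False))  # also the unrelated 10.1.1.6 login
```

Without the source check, the unrelated login from 10.1.1.6 at t=70 fires the same alert because the brute_force bit is simply "set"; with it, only the host that caused the failures triggers the correlation, and the late login at t=400 is ignored because the bit has expired.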
- [Deprecated "windows-domains"]
- Deprecated in Sagan-1.0.0RC2 in favor of the more generic "meta_content".
- [New rule option] - "alert_time"
- This allows alerts to be time sensitive. Example rule syntax is:
alert_time: days 0123456, hours 0800-1400;
"days" is an option of 0-6 (0 = Sunday, 1 = Monday, etc). "hours" is expressed in a 24 hour clock format. For more information on the usage of "alert_time", see: https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference#alert_time_days_days_hours_hours
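An added Python example (not Sagan's own parser) of reading the alert_time option and deciding whether a given timestamp falls inside the window, using the day numbering (0 = Sunday) and 24-hour HHMM format described above. Two details the page does not state are assumptions marked in the code: the end time is treated as inclusive, and a window whose start is later than its end (e.g. 2200-0600) is treated as wrapping past midnight.

```python
import datetime

def parse_alert_time(option):
    """Parse 'alert_time: days 0123456, hours 0800-1400;' (keyword optional) into
    (set of Sagan weekdays, (start_hhmm, end_hhmm)). 0 = Sunday ... 6 = Saturday."""
    body = option.strip()
    if body.startswith("alert_time:"):
        body = body[len("alert_time:"):]
    days = hours = None
    for part in body.strip().rstrip(";").split(","):
        key, _, value = part.strip().partition(" ")
        value = value.strip()
        if key == "days":
            days = {int(c) for c in value}
            if not days <= set(range(7)):
                raise ValueError("days must be digits 0-6: " + value)
        elif key == "hours":
            start, end = value.split("-")
            hours = (int(start), int(end))
            for hhmm in hours:
                if not (0 <= hhmm // 100 <= 23 and 0 <= hhmm % 100 <= 59):
                    raise ValueError("bad HHMM in hours: " + value)
        else:
            raise ValueError("unknown alert_time key: " + key)
    if days is None or hours is None:
        raise ValueError("alert_time needs both days and hours")
    return days, hours

def alert_time_allows(spec, when):
    """True if datetime 'when' is inside the alert_time window.
    Assumptions (not from the page): end time inclusive; start > end wraps midnight."""
    days, (start, end) = spec
    sagan_day = (when.weekday() + 1) % 7   # Python: Monday=0; Sagan: Sunday=0
    hhmm = when.hour * 100 + when.minute
    if start <= end:
        in_hours = start <= hhmm <= end
    else:
        in_hours = hhmm >= start or hhmm <= end
    return sagan_day in days and in_hours

def allowed_at(option, year, month, day, hour, minute):
    """Convenience: parse the option and test one wall-clock time."""
    return alert_time_allows(parse_alert_time(option),
                             datetime.datetime(year, month, day, hour, minute))

if __name__ == "__main__":
    rule = "alert_time: days 12345, hours 0800-1400;"
    print(allowed_at(rule, 2024, 1, 1, 9, 0))    # Monday 09:00 -> True
    print(allowed_at(rule, 2024, 1, 1, 15, 0))   # Monday 15:00 -> False
    print(allowed_at(rule, 2024, 1, 6, 9, 0))    # Saturday 09:00 -> False
```

The weekday translation is the part most easily got wrong when porting such a check: Python and most Unix libraries number Monday as 0, while alert_time numbers Sunday as 0.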
- [New sagan.conf option] - "email_subject"
- Allows you to set a user-defined Subject to prepend to alert e-mails. Use the "email_subject" option in your sagan.conf
- [New sagan.conf variable] "WINDOWS_DOMAINS"
- Allows you to define the Microsoft Windows domains that are in use within your network. This variable is then passed to rules. An example of the $WINDOWS_DOMAINS variable in use is the "Pass-the-hash" detection rule. See rule https://wiki.quadrantsec.com/twiki/bin/view/Main/5002017 for example usage.
- [Processor Improvement - processor/sagan-track-clients.c] "client tracker"
- The Sagan "client tracker" keeps track of systems that are reporting to Sagan. Sagan can then alert when a system stops sending logs. It will also alert when a system that had previously stopped sending logs starts sending logs again. Prior versions only tracked clients in memory at run time. The client tracker now keeps a "cache" of known clients that is saved on Sagan termination and reloaded at startup. The configuration format of the client tracker has also changed. An example of the new format is:
processor sagan-track-clients: client_timeout=360 host_cache=/var/run/sagan/sagan.cache
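As an added illustration of the behaviour described above (my Python, not Sagan's processor), the tracker below records when each host was last heard from, raises a "down" alert once a host has been silent longer than client_timeout, raises an "up again" alert when it resumes, and persists its state so that a restart does not lose the list of known hosts or forget which ones were already flagged. The 360-second timeout mirrors the sample configuration; the JSON cache layout, the atomic-rename write and the constructed timeline are assumptions.

```python
import json
import os
import tempfile

class ClientTracker:
    """Track reporting hosts; alert on silence past client_timeout and on recovery."""

    def __init__(self, client_timeout, host_cache):
        self.timeout = client_timeout
        self.cache = host_cache
        self.last_seen = {}   # host -> time of last log
        self.down = set()     # hosts currently flagged as down
        self.load()

    def load(self):
        """Reload the cache written by a previous run, if there is one."""
        if not os.path.exists(self.cache):
            return
        with open(self.cache) as f:
            state = json.load(f)
        self.last_seen = state.get("last_seen", {})
        self.down = set(state.get("down", []))

    def save(self):
        # Write to a temp file and rename it into place, so a crash mid-write
        # never leaves a truncated cache to be loaded on the next start.
        tmp = self.cache + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"last_seen": self.last_seen, "down": sorted(self.down)}, f)
        os.replace(tmp, self.cache)

    def seen(self, host, now):
        """Record a log from host; return an alert if the host had been marked down."""
        self.last_seen[host] = now
        if host in self.down:
            self.down.discard(host)
            return f"{host} is sending logs again"
        return None

    def check(self, now):
        """Return one alert per host that has just exceeded client_timeout."""
        alerts = []
        for host, last in self.last_seen.items():
            if host not in self.down and now - last > self.timeout:
                self.down.add(host)
                alerts.append(f"{host} stopped sending logs ({int(now - last)}s ago)")
        return alerts

def simulate(cache_path=None):
    """Constructed timeline: two hosts, one goes quiet, Sagan restarts, it returns."""
    if cache_path is None:
        cache_path = os.path.join(tempfile.mkdtemp(), "sagan.cache")
    events = []
    t1 = ClientTracker(client_timeout=360, host_cache=cache_path)
    t1.seen("web01", 0)
    t1.seen("db01", 0)
    events += t1.check(100)          # both within timeout: nothing
    t1.seen("web01", 200)
    events += t1.check(400)          # db01 silent for 400s > 360s: down
    t1.save()                        # shutdown: persist last_seen and the down set
    t2 = ClientTracker(client_timeout=360, host_cache=cache_path)  # restart, reload cache
    alert = t2.seen("db01", 500)     # db01 is back: alert only because 'down' survived
    if alert:
        events.append(alert)
    events += t2.check(700)          # web01 silent since 200: down; db01 is fine
    return events

if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The point of the persisted cache is visible in the restart step: without it the second tracker would start empty, never learn that db01 had been down, and would neither report its recovery nor notice that web01 had gone silent until it happened to send a log again.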
- [Bug fix - output-plugins/sagan-snortsam.c]
- Due to code changes, Snortsam no longer functioned properly. This was due to rulestruct[Event->found].fwsam_src_or_dst not being properly set in sagan-output.c. Snortsam now functions as it should.
- [New feature - GeoIP lookup]
- Allows Sagan to do analysis based on the geographic location of the source/destination address of the log.
- Various bug fixes.