Date: Thu, 24 Jun 2010 16:22:12 -0400
From: "Champ Clark III [Softwink]" <champ@...twink.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [TOOL] The 'Snort like' Sagan way of deal with
	system logs.


Sagan release version 0.1.0
http://sagan.softwink.com
Written by Champ Clark (AKA 'Da Beave') and the Softwink, Inc team
Date: 06/24/2010

Softwink announces the release of Sagan, the ultimate in Syslog monitoring.

Sagan can alert you when events are occurring in your syslogs that need your
attention right away, in real time!
 
Sagan is a multi-threaded, real time system- and event-log monitoring system,
but with a twist. Sagan uses a "Snort" like rule set for detecting "bad 
things" happening on your network and/or computer systems. If Sagan detects 
a "bad thing" happening, that event can be stored to a Snort database
(MySQL/PostgreSQL) and Sagan will correlate the event with your
Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system.  Sagan 
is meant to be used in a 'centralized' logging environment,  but will 
work fine as part of a standalone Host IDS system for workstations.

Sagan is fast:  Sagan is written in C and is a multi-threaded application. 
Sagan is threaded to prevent blocking Input/Output (I/O). For example, 
data processing doesn't stop when an SQL query is needed.  It is also meant
to be as efficient as possible in terms of memory and CPU usage. 

Sagan uses a "Snort" like rule set: If you're a user of "Snort" and
understand Snort rule sets, then you already understand Sagan rule sets.
Essentially, Sagan is compatible with Snort rule management utilities, like 
"oinkmaster" for example.

Sagan can log to Snort databases: Sagan will operate as a separate "sensor"
ID to a Snort database. This means that your IDS/IPS events from Snort will
remain separate from your Sagan (syslog/event log) events. Since Sagan can utilize
Snort databases, using Snort front-ends like BASE and Snorby will not only
work with your IDS/IPS event, but also with your syslog events as well!

Sagan output formats:  You don't have to be a Snort user to use Sagan. Sagan
supports multiple output formats, such as a standard output file log format
(similar to Snort), e-mailing of alerts (via libesmtp), Logzilla support and
externally based programs that you can develop using the language you prefer
(Perl/Python/C/etc).

Sagan is actively developed: Softwink, Inc. actively develops and maintains
the Sagan source code and rule sets. Softwink, Inc. uses Sagan to monitor
security related log events on a 24/7 basis. 

Other Features: 

-	Sagan is meant to be easy to install.   The traditional, 
	"./configure && make && make install" works for many installations,
	depending on the functionality needed and configuration.
-	Thresholding of alerts.  Uses the same format as Snort in the 
	Sagan rule set. 
-	Attempts to pull TCP/IP addresses,  port information, and protocol 
	of rule set that was triggered.   This leads to better correlation.
-	Can be used to monitor just about any type of device or system
	(Routers,  firewalls,  managed switches,  IDS/IPS systems, 
	Unix/Linux systems,  Windows event logs,  wireless access points, 
	much more).
-	Works 'out of the box' with Snort front ends like BASE,  Snorby, 
	proprietary consoles,  various Snort based reporting systems. 
-	Sagan is 'open source' and released under the GNU/GPL version 2
	license. 

For more information about Sagan,  please see: 

Sagan web site: http://sagan.softwink.com


-- 
        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
                     http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists