Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc)
C M4 Perl Assembly Shell Makefile Other
Latest commit a67fa9a Mar 23, 2017 Champ Clark III Credits update for @3vilJohn

README

Welcome to the README file
--------------------------

What is Sagan? 

Sagan is an open source (GNU/GPLv2) high performance, real-time log 
analysis & correlation engine.  It is written in C and uses a 
multi-threaded architecture to deliver high performance log & event 
analysis. The Sagan structure and Sagan rules work similarly to the 
Sourcefire "Snort" IDS engine. This was intentionally done to maintain 
compatibility with rule management software (oinkmaster/pulledpork/etc)
and allows Sagan to correlate log events with your Snort IDS/IPS 
system. Since Sagan can write to Snort IDS/IPS databases via 
unified2/barnyard2, it is compatible with all Snort "consoles". 
For example, Sagan is compatible with Snorby [http://www.snorby.org],
Sguil [http://sguil.sourceforge.net], BASE, and the Prelude IDS 
framework! (to name a few).

Sagan supports many different output formats,  log normalization 
(via liblognorm),  GeoIP detection, script execution on event and
automatic firewall support via "Snortsam" 
(see http://www.snortsam.net).  

Sagan uses the GNU "artisic style". 

For more information, please visit the Sagan web site: 
http://sagan.quadrantsec.com. 

If you're looking for Sagan rules on Github,  they are located at:

https://github.com/beave/sagan-rules