Rule sets for Sagan
.last_used_sid
ChangeLog
README
adtran.rules
apache.rules
apc-emu.rules
arp.rules
artillery.rules
as400.rules
asterisk.rules
attack.rules
barracuda.rules
bash.rules
bind.rules
blacklist.rules
bluedot-categories.conf
bluedot.rules
bonding.rules
bro-bluedot.rules
bro-ids.rules
bro-intel.rules
cacti-thold.rules
carbonblack.rules
cisco-aetas.rules
cisco-amp.rules
cisco-blacklist.rules
cisco-bluedot.rules
cisco-brointel.rules
cisco-correlated.rules
cisco-cucm.rules
cisco-geoip.rules
cisco-ios.rules
cisco-ise-blacklist.rules
cisco-ise-bluedot.rules
cisco-ise-brointel.rules
cisco-ise-geoip.rules
cisco-ise.rules
cisco-malware.rules
cisco-meraki.rules
cisco-pixasa.rules
cisco-prime.rules
cisco-sdee.rules
cisco-wlc.rules
citrix-blacklist.rules
citrix-bluedot.rules
citrix-brointel.rules
citrix-correlated.rules
citrix-geoip.rules
citrix.rules
classification.config
courier-bluedot.rules
courier-correlated.rules
courier-geoip.rules
courier.rules
cylance.rules
deleted.rules
digitalpersona.rules
dovecot.rules
dynamic.rules
f5-big-ip-bluedot.rules
f5-big-ip-geoip.rules
f5-big-ip.rules
fatpipe-aetas.rules
fatpipe-bluedot.rules
fatpipe-correlated.rules
fatpipe-geoip.rules
fatpipe.rules
fipaypin.rules
fortinet-aetas.rules
fortinet-bluedot.rules
fortinet-correlated.rules
fortinet-geoip.rules
fortinet-malware.rules
fortinet.rules
ftpd.rules
gen-msg.map
grsec.rules
honeyd.rules
hordeimp.rules
hostapd.rules
huawei.rules
imapd-bluedot.rules
imapd-correlated.rules
imapd-geoip.rules
imapd.rules
incapsula.rules
ipop3d.rules
json-input.map
juniper-aetas.rules
juniper-bluedot.rules
juniper-geoip.rules
juniper.rules
kismet.rules
knockd.rules
linux-kernel.rules
mcafee-web-gateway.rules
milter.rules
mongodb.rules
mysql.rules
nexpose.rules
nfcapd-malware.rules
nfcapd.rules
nginx.rules
normalization.rulebase
ntp.rules
nxlog.rules
office365.rules
openssh-aetas.rules
openssh-bluedot.rules
openssh-correlated.rules
openssh-geoip.rules
openssh.rules
openvpn.rules
oracle.rules
ossec-mi.rules
ossec.rules
palo-alto-geoip.rules
palo-alto.rules
passwordstate.rules
php.rules
postfix.rules
postgresql.rules
pptp.rules
procurve.rules
proftpd-aetas.rules
proftpd-bluedot.rules
proftpd-geoip.rules
proftpd.rules
protocol.map
proxy-malware.rules
pure-ftpd.rules
racoon.rules
reference.config
riverbed-aetas.rules
riverbed-bluedot.rules
riverbed-geoip.rules
riverbed.rules
roundcube.rules
rsa-dpm.rules
rsync.rules
sagan-sid-msg.map
samba.rules
sendmail.rules
snort-bluedot.rules
snort-geoip.rules
snort.rules
solaris.rules
sonicwall.rules
squid.rules
ssh-tectia-server-aetas.rules
ssh-tectia-server-bluedot.rules
ssh-tectia-server-correlated.rules
ssh-tectia-server-geoip.rules
ssh-tectia-server.rules
su.rules
symantec-ems.rules
syslog.rules
tcp.rules
telnet.rules
trendmicro.rules
tripwire.rules
vmpop3d.rules
vmware-bluedot.rules
vmware-correlated.rules
vmware-geoip.rules
vmware.rules
vpopmail.rules
vsftpd-bluedot.rules
vsftpd-correlated.rules
vsftpd-geoip.rules
vsftpd.rules
watchguard-geoip.rules
watchguard.rules
web-attack.rules
weblabrinth.rules
windows-aetas.rules
windows-applocker.rules
windows-auth.rules
windows-blacklist.rules
windows-bluedot.rules
windows-brointel.rules
windows-correlated.rules
windows-emet.rules
windows-geoip.rules
windows-malware.rules
windows-misc.rules
windows-mssql.rules
windows-owa-blacklist.rules
windows-owa-bluedot.rules
windows-owa-brointel.rules
windows-owa-correlated.rules
windows-owa-geoip.rules
windows-owa.rules
windows-security.rules
windows-sysmon.rules
windows.rules
wordpress.rules
xinetd.rules
yubikey.rules
zeus.rules
zimbra-geoip.rules
zimbra.rules
zscaler-bluedot.rules
zscaler.rules

README

Welcome to the "Sagan Rules" README file
----------------------------------------

This is the Git repository for the Sagan engine rule sets. You
probably won't find these useful unless you're actually using Sagan!
For more information, check out the Sagan main web site at:

http://sagan.quadrantsec.com

Github related site:

http://github.com/beave/sagan

What is Sagan?
--------------

Sagan is an open source (GNU/GPLv2) high performance, real-time log
analysis & correlation engine. It is written in C and uses a
multi-threaded architecture to deliver high performance log & event
analysis. The Sagan structure and Sagan rules work similarly to the
Sourcefire "Snort" IDS engine. This was done intentionally to maintain
compatibility with rule management software (oinkmaster/pulledpork/etc)
and to allow Sagan to correlate log events with your Snort IDS/IPS
system. Since Sagan can write to Snort IDS/IPS databases via
unified2/barnyard2, it is compatible with all Snort "consoles". For
example, Sagan is compatible with Snorby [http://www.snorby.org],
Sguil [http://sguil.sourceforge.net], BASE, and the Prelude IDS
framework, to name a few.

Sagan supports many different output formats, log normalization
(via liblognorm), script execution on events, and automatic firewall
support via "Snortsam" (see http://www.snortsam.net).

For more information, please visit the Sagan web site:
http://sagan.quadrantsec.com.