Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: adba2452e8
Fetching contributors…

Cannot retrieve contributors at this time

355 lines (288 sloc) 13.999 kb
# ,-._,-. Sagan configuration file [http://sagan.quadrantsec.com]
# \/)"(\/ Champ Clark III & The Quadrant InfoSec Team: http://quadrantsec.com
# (_o_) Copyright (C) 2009-2012 Quadrant Information Security., et al.
# / \/)
# (|| ||)
# oo-oo
##############################################################################
# Standard _required_ Sagan options!
##############################################################################
# Sagan reads log entries via a FIFO (First in/First Out). This variable
# lets Sagan know where that FIFO is located.
#
# [Required]
var FIFO /var/run/sagan.fifo
# This variable contains the path of the Sagan rule sets. It is required.
#
# [Required]
var RULE_PATH /usr/local/etc/sagan-rules
# Where Sagan should store it's lock file.
#
# [Optional]
var LOCKFILE /var/run/sagan/sagan.pid
# Where Sagan should store alerts, in a text/alert format.
#
# [Optional]
var ALERTLOG /var/log/sagan/alert
# This is the path where Sagan related files are stored. For example,
# Unified2 output files would be stored under this path.
#
# [Optional]
var SAGANLOGPATH /var/log/sagan
# This is the IP address _of_ the Sagan system. These options are used
# if Sagan is unable to determine a TCP/IP network address and/or port.
#
# [Required]
sagan_host 192.168.0.1
sagan_port 514
# If logging to a Snort/Prelude database and a rule specifies the
# protocol a "any", this is the protocol we default to. This is only
# needed if you are # logging to a Snort/Prelude database.
#
# Defaults to 17 [UDP], which is what normal 'syslog' traffic is. If you
# want TCP to be the desired effect, change this option to "6".
#
# [Optional]
; sagan_proto 17
# Disable DNS warnings. Sagan will warn every time it has to do a DNS lookup
# when attempting to normalize a log entry. You typically don't want to
# do DNS lookups with log analysis. More information can be found at:
# https://wiki.quadrantsec.com/bin/view/Main/SaganDNS. If it's not possible
# to gather the true TCP/IP address information, you can supress these
# warnings here.
; disable_dns_warnings
# README FIRST! - It is very LIKELY you do NOT want to enable this feature.
# If the syslog system is feeding you "hostnames" rather than source IP
# addresses, Sagan can do a DNS lookup of the source host. Sagan will cache
# this information, but there will be a preformance hit. Make _sure_
# your DNS system settings are correct!
; syslog_src_lookup
##############################################################################
# Maximum output threads.
##############################################################################
# Maximum threads that can be used for output plugins. This does _not_ apply
# to unified2 or ASCII alert formats! If this limit is reached, the event
# is dropped. Default = 50
#
# [optional]
; max_output_threads 50
##############################################################################
# Maximum processor threads.
##############################################################################
# Maximum number of processor threads. Process threads do extra analysis
# of log lines that might be CPU intensive and are not related to output
# plug ins
# [optional]
; max_processor_threads 50
##############################################################################
# Snort database specific configurations [Direct SQL access]
##############################################################################
# Sagan "sensor" configuration. If you plan on running Sagan and storing data
# into a Snort database, these options are required. This information gets
# logged to the Snort database's "sensor" table to differentiate between Snort
# IDS/IPS data and log data. We don't really have an "interface", so we create
# one known as "syslog", or what ever you'd like to call it.
#
# [Required if logging directly to a Snort database. Not to be confused with
# Unified2 output]]
; sagan_hostname sagan
; sagan_interface syslog
; sagan_filter none
; sagan_detail 1
# If you plan on logging to a Snort database, this is where you tell Sagan
# where to log to. The options should be pretty clear. Currently Sagan
# supports MySQL and PostgreSQL.
#
# [Required if logging directly to a Snort database]
; output database: log, mysql, user=sagan password=secret dbname=snort_db host=192.168.0.1
; output database: log, postgresql, user=sagan password=secret dbname=snort_db host=192.168.0.1
##############################################################################
# External program/system calls configurations specifics
##############################################################################
# This option calls an external program when an event is triggered by a rule.
# Sagan basically makes a thread and calls the execl() system call.
# Data is supplied to the program being called via standard in (stdin).
# Data can be sent in a "parsable" or "alert" format. "parsable" will be
# probably easier for your external program to parse.
#
; output external: /home/sagan/myprogram parsable
##############################################################################
# libesmtp (SMTP/E-mail) specific configuration options
##############################################################################
# If you'd like Sagan to e-mail triggered events to you, then you'll want
# to configure the below.
# If min_email_priority is set, then Sagan will _only_ e-mail events equal to
# or less than this priority event. If left commented our or set to 0,
# Sagan will e-mail _all_ events. This option does _not_ over ride rules
# with the "email:" option set!
; min_email_priority 5
# This is where alerts will be sent if a rule _does not_ have a "email:"
# option. If a rule does have "email:" option, then the rules e-mail address
# will over ride this option. If this option is not set, then only
# rules with the "email:" option will be sent.
; send-to sagan-alerts@example.com
# Server information. This tells Sagan "who" to send e-mail as and where
# the SMTP server to relay is. This must be set if the "send-to" option
# set, or you have rules with the "email:" option!
#
; output email: smtpserver=192.168.0.1:25 from=sagan-alert@example.com
##############################################################################
# Prelude (IDMEF) output plug in
##############################################################################
# This lets Sagan send alert to the Prelude security framework. They can
# then be viewed in the "Prewikka" console. The Prelude framework is useful
# in correlating events from multiple sources. Prelude uses fhe Intrusion
# Detection Message Exchange Format (IDMEF) format, which also might be
# useful.
#
# more information, please see: http://www.prelude-technologies.com
; output prelude: profile=sagan
##############################################################################
# Unified2 output plug in
##############################################################################
# This lets Sagan log the Snort's 'Unified2' output format. This allows
# events generated by Sagan to be read and queued for external programs
# like Barnyard2 (http://www.securixlive.com/barnyard2/). Barnyard2 can
# the record events in various formats (Prelude, alert_fast, log_ascii,
# log_tcpdump, Sguil, MySQL, PostgreSQL, ODBC, MS-SQL and Oracle).
; output unified2: filename sagan.u2, limit 128, nostamp
; output unified2: filename sagan.u2, limit 128
##############################################################################
# Sagan syslog "Sniffier" mode. (PLOG). Promiscuous syslog injector
##############################################################################
# This lets Sagan "listen" on a network interface via pcap/bpf and "suck"
# up UDP syslog messages. When it "finds" a syslog message within a packet,
# it injects it into /dev/log. Basically, it 'sniffs' syslog messages and
# injects them to your syslog daemon (for archival purposes) and Sagan
# (for analysis). Good for environments you can't reconfigure syslog
# services. For more information, see src/sagan-plog.c.
# Network interface to "sniff" traffic on.
; plog_interface eth0
# Syslog "port" to listen on...
; plog_port 514
# Where to inject "found" messages to.
; plog_logdev /dev/log
#############################################################################
# Sagan "Snortsam" configuration.
#############################################################################
#
# This allows Sagan to send block information Snortsam agents. If a rule
# has the fwsam: option in it, the offending IP address can be
# firewall/blocked. For example, if a rule is triggered with the fwsam:
# option, Sagan can instruct a firewall (iptables/ebtable/pf/iwpf/Cisco/
# Checkpoint/etc) to firewall off the source or destination.
#
# In order for Sagan to send a blocking request to the SnortSam agent,
# that agent has to be listed, including the port it listens on,
# and the encryption key it is using. The statement for that is:
#
# output alert_fwsam: {SnortSam Station}:{port}/{password}
#
# {SnortSam Station}: IP address or host name of the host where SnortSam is running.
# {port}: The port the remote SnortSam agent listens on.
# {password}: The password, or key, used for encryption of the
# communication to the remote agent.
#
# At the very least, the IP address or host name of the host running SnortSam
# needs to be specified. If the port is omitted, it defaults to TCP port 898.
# If the password is omitted, it defaults to a preset password.
# (In which case it needs to be omitted on the SnortSam agent as well)
#
# More than one host can be specified, but has to be done on the same line.
# Just separate them with one or more spaces.
#
# Examples:
#
# output alert_fwsam: firewall/idspassword
# output alert_fwsam: fw1.domain.tld:898/mykey
# output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
; output alert_fwsam: 127.0.0.1/mypassword
##############################################################################
# Sagan rule sets! Arrgh Villains! Sagan neither takes nor gives mercy!
##############################################################################
# This should be enabled! "classifications.config" allows correlation between
# a short name (for example, "attempted-admin") and a priority level
# (for example, "1"). "reference.config" gives your various places to learn
# more information pertaining to an alert.
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
#############################################################################
# Sagan normalization 'rule base'. (liblognorm)
#############################################################################
# These "rules" are for the liblognorm library. These are use to further
# "normalize" (extract useful information out of) log messages. These rules
# are loaded in a dynamic method. That is, rather than load all these
# at run time, they are loaded 'as needed' by the Sagan rule sets. These
# get triggered by the 'normalize:' flag within a Sagan rule.
normalize: cisco, $RULE_PATH/cisco-normalize.rulebase
normalize: openssh, $RULE_PATH/openssh-normalize.rulebase
normalize: smtp, $RULE_PATH/smtp-normalize.rulebase
normalize: dns, $RULE_PATH/dns-normalize.rulebase
normalize: imap, $RULE_PATH/imap-normalize.rulebase
normalize: su, $RULE_PATH/su-normalize.rulebase
normalize: vmware, $RULE_PATH/vmware-normalize.rulebase
normalize: linux-kernel, $RULE_PATH/linux-kernel-normalize.rulebase
normalize: windows, $RULE_PATH/windows-normalize.rulebase
# These are the specific rule sets of events which are of interest and require
# notification. Tailor these to your specific needs and check from time to
# time for new rule sets that might be of benefit.
include $RULE_PATH/apache.rules
include $RULE_PATH/apc-emu.rules
include $RULE_PATH/arp.rules
include $RULE_PATH/asterisk.rules
include $RULE_PATH/attack.rules
include $RULE_PATH/bash.rules
include $RULE_PATH/bind.rules
include $RULE_PATH/bonding.rules
include $RULE_PATH/bro-ids.rules
include $RULE_PATH/cacti-thold.rules
include $RULE_PATH/cisco-ios.rules
include $RULE_PATH/cisco-pixasa.rules
include $RULE_PATH/courier.rules
include $RULE_PATH/dovecot.rules
include $RULE_PATH/fortinet.rules
include $RULE_PATH/ftpd.rules
include $RULE_PATH/grsec.rules
include $RULE_PATH/hordeimp.rules
include $RULE_PATH/hostapd.rules
include $RULE_PATH/imapd.rules
include $RULE_PATH/ipop3d.rules
include $RULE_PATH/juniper.rules
include $RULE_PATH/kismet.rules
include $RULE_PATH/knockd.rules
include $RULE_PATH/milter.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/nginx.rules
include $RULE_PATH/ntp.rules
include $RULE_PATH/openssh.rules
include $RULE_PATH/ossec-mi.rules
include $RULE_PATH/ossec.rules
include $RULE_PATH/php.rules
include $RULE_PATH/postfix.rules
include $RULE_PATH/postgresql.rules
include $RULE_PATH/pptp.rules
include $RULE_PATH/proftpd.rules
include $RULE_PATH/pure-ftpd.rules
include $RULE_PATH/racoon.rules
include $RULE_PATH/roundcube.rules
include $RULE_PATH/rsync.rules
include $RULE_PATH/samba.rules
include $RULE_PATH/sendmail.rules
include $RULE_PATH/snort.rules
include $RULE_PATH/solaris.rules
include $RULE_PATH/sonicwall.rules
include $RULE_PATH/squid.rules
include $RULE_PATH/su.rules
include $RULE_PATH/syslog.rules
include $RULE_PATH/tcp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tripwire.rules
include $RULE_PATH/vmpop3d.rules
include $RULE_PATH/vmware.rules
include $RULE_PATH/vpopmail.rules
include $RULE_PATH/vsftpd.rules
include $RULE_PATH/windows.rules
include $RULE_PATH/wordpress.rules
include $RULE_PATH/xinetd.rules
include $RULE_PATH/zeus.rules
include $RULE_PATH/linux-kernel.rules
Jump to Line
Something went wrong with that request. Please try again.