
Releases: quadrantsec/sagan

Sagan version 2.0.2

29 Dec 20:56

Sagan 2.0.2 released.

            * Fixes that allow Sagan to compile using GCC 10.

              https://github.com/quadrantsec/sagan/commit/21f753d2ad0f1c4fe5488ad5e325b9ddb3b8f2c7

            * When Sagan finds a "correlated event" (via an "xbit" or "flexbit"), Sagan will store
              the correlated data within the fired alert EVE.  This means you don't have to search
              for the data!

              https://github.com/quadrantsec/sagan/commit/efed225c0e90b8ea9d975fed1efd390d9c6d2345

            * Patch from Stef Roskam changing the engine order and improving JSON parsing. Thanks Stef!!

              https://github.com/quadrantsec/sagan/pull/14

            * Various minor JSON fixes.

              https://github.com/quadrantsec/sagan/commit/ac447fb1b75f5d260e761d161167fa82c8bbe53f
              https://github.com/quadrantsec/sagan/commit/7060725730a1311de7cfc8912f4fcc5b495fa1b4
              https://github.com/quadrantsec/sagan/commit/e2e70565fe8f159ae4c249e585ca0129377ac053

            * Major code cleanup in processors/engine.c.  Over time, this code had become
              harder to maintain.  This cleanup makes the code more maintainable and
              more efficient, resulting in improved performance and a smaller
              memory footprint.  Various other code cleanups as well to improve performance and
              memory footprint!

              https://github.com/quadrantsec/sagan/commit/ac6dcf754d1476ed7e4ceebff317a40f9f19eaf9
              https://github.com/quadrantsec/sagan/commit/90f479b28ef14e55f7fd0652c0a6fd3c90d0485e
              https://github.com/quadrantsec/sagan/commit/54ab349c5f0c07b1c251e874cd55bd7228f27ab4
              https://github.com/quadrantsec/sagan/commit/21f753d2ad0f1c4fe5488ad5e325b9ddb3b8f2c7

            * Allow message "mapping" to take place in the signature. For example:

              json_map: "src_ip", ".ClientIP"

              This will map the JSON data value of ".ClientIP" to the Sagan internal engine field
              "src_ip".  That is, ".ClientIP" will become what Sagan knows as "src_ip",
              which can then be used with other keywords (threshold, after, etc).  Removed the
              code for "json-message.map", as this is a much more efficient way to map
              JSON data.

              https://github.com/quadrantsec/sagan/commit/2382f87c187bccadb453b5aa8287952290906896
              https://github.com/quadrantsec/sagan/commit/977668e9f2e9f0b042ca59518d949263a68e3a1a

            * Fix issue when a value is "null" in JSON.

              https://github.com/quadrantsec/sagan/commit/475cbf97518a6b3b8b0c95cf7192daf66f105e8f
              https://github.com/quadrantsec/sagan/commit/ce9a6d791b8ef6a7232a5d66d462cba0299f590f
              https://github.com/quadrantsec/sagan/commit/54ab349c5f0c07b1c251e874cd55bd7228f27ab4
              https://github.com/quadrantsec/sagan/commit/350edda012b6588b81d1b165b8e7e495e92168b3
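The json_map behaviour described above (a JSON path such as ".ClientIP" feeding the engine's "src_ip" field, which threshold-style keywords then use) and the "null" value fix, as an added illustration in Python that is not Sagan's own code. It assumes a dotted ".Outer.Inner" path walks nested objects, and treats JSON null, a missing key and a non-JSON line alike as "field not set"; the log lines are constructed.

```python
import json
from typing import Dict, List, Optional

# Constructed sample log lines: one normal event, one with a JSON null,
# one missing the key entirely, and one that is not JSON at all.
SAMPLE_LOGS: List[str] = [
    '{"ClientIP": "203.0.113.7", "action": "deny", "user": "alice"}',
    '{"ClientIP": null, "action": "deny", "user": "bob"}',
    '{"action": "allow", "user": "carol"}',
    'Dec 29 20:56:01 host1 app: plain syslog line, not JSON',
    '{"ClientIP": "203.0.113.7", "action": "deny", "user": "dave"}',
    '{"http": {"hostname": "example.test"}, "ClientIP": "198.51.100.9"}',
]

# Mapping in the same spirit as:  json_map: "src_ip", ".ClientIP"
JSON_MAP: Dict[str, str] = {"src_ip": ".ClientIP", "hostname": ".http.hostname"}


def resolve_json_path(doc: object, path: str) -> Optional[object]:
    """Walk a leading-dot path (".ClientIP", ".http.hostname"; nesting is an assumption)."""
    if not path.startswith("."):
        raise ValueError("json_map paths start with '.'")
    cur = doc
    for key in path[1:].split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None        # missing key: field stays unset
        cur = cur[key]
    return cur


def apply_json_map(log_line: str, json_map: Dict[str, str]) -> Dict[str, str]:
    """Return the engine fields populated from one log line. Null / missing / non-JSON -> absent."""
    try:
        doc = json.loads(log_line)
    except json.JSONDecodeError:
        return {}
    fields: Dict[str, str] = {}
    for internal, path in json_map.items():
        value = resolve_json_path(doc, path)
        if value is None:      # JSON null must not become the literal string "null"
            continue
        fields[internal] = str(value)
    return fields


def src_ips_over_threshold(log_lines: List[str], json_map: Dict[str, str], count: int) -> List[str]:
    """Threshold-style check: mapped src_ip values seen at least `count` times."""
    seen: Dict[str, int] = {}
    for line in log_lines:
        src = apply_json_map(line, json_map).get("src_ip")
        if src is not None:
            seen[src] = seen.get(src, 0) + 1
    return sorted(ip for ip, n in seen.items() if n >= count)
```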
    

Sagan version 2.0.1

08 Feb 17:29

2021/02/08 - Sagan 2.0.1 released.

            * Multiple bug fixes that address compile time issues with GCC 10. 

            * Can now compile with Google's TCMalloc (--enable-tcmalloc).  This 
              might result in less memory usage and a minor increase in performance.

            * Bug fix for "event_id" not working in certain situations.  Thanks to
              Ivan Kuncl (iku899) at Github for reporting this issue. 

              https://github.com/quadrantsec/sagan/issues/8

            * Bug fix for segfault when running with --daemon flag.  Thanks to 
              Stef Roskam (smr1983) for reporting and patching this.

              https://github.com/quadrantsec/sagan/issues/2

            * A lot of "cleanup" work provided by Jonas Smedegaad (jonassmedegaard).
              This involved proper git "tagging", typos, dirty source trees, etc.

            * Removed unneeded pthread_mutex_lock() calls in bluedot.c.  This should
              cause a minor performance increase.  Also some other minor Bluedot
              performance enhancements.

            * Removed the "perfmon" function.  Use "stats-json" instead!

            * Added a "Max threads used" statistics.  This assists with properly
              tuning the number of threads in your sagan.yaml.  It displays the 
              max number of threads during the lifetime of Sagan.

            * Bypass content/pcre when syslog "message" is null. 

              https://github.com/quadrantsec/sagan/commit/261adc243a4a43dd5c87483d31c1aacce73b95d2

            * Simplified the "client-stats" functions.  Now writes out one JSON
              object for each log source detected.  This change is also reflected in
              Meer.

            * Sagan now records its PID on startup & minor typos fixed.

Sagan version 2.0.0

27 Jan 01:59

Quadrant Information Security (https://quadrantsec.com) is proud to release version 2.0.0 of the Sagan log analysis engine! Some of the major updates to this release are:

  • The Sagan repos have moved! They can now be found at:

https://github.com/quadrantsec/sagan
https://github.com/quadrantsec/sagan-rules

  • New JSON parsing options (json_content, json_pcre, etc). These make decoding JSON-based logs and writing rules for them easier. See https://sagan.readthedocs.io/en/latest/sagan-json.html#sagan-json for more details.

  • Sagan EVE now stores more GeoIP information (if available). With the use of the Maxmind “city” GeoIP2 databases, Sagan will record “city”, “postal codes”, “latitude”, “longitude”, etc.

  • Statistics are now written in a JSON format similar to Suricata JSON stats. This will replace the legacy “perfmon” stats output in 2.0.1.

  • Introduction of the “event_id” rule option to automagically parse Windows event IDs from logs.

  • New “metadata” rule option for rules. This works the same as Suricata’s “metadata” rule options.

  • Added “normalization” data to EVE output.

  • New “append_program” rule option. This option appends the “program” field to the end of the syslog message. This can be useful when program fields are erratic and cannot be depended on.

  • Removed “Snortsam” and “Unified2” support.

  • Rewrote the way EVE files are written to better handle file rotation and automatic EVE file recreation.

  • Statistics now record “bytes_total” and “bytes_ignored”. This can be useful to determine how much data Sagan has processed.

  • New “client-stats” configuration option. This option will take a single log message every few minutes (user specified) and record it in a separate file. This can be useful for providing an “example” of the types of data a host is sending.

  • Better validation of signatures upon start up.

  • A lot of stability, memory and CPU enhancements that make sure Sagan is as stable as possible.

More ChangeLog information is at: https://github.com/quadrantsec/sagan/blob/main/ChangeLog