
Sagan version 2.0.2

@quadrantsec quadrantsec released this 29 Dec 20:56

Sagan 2.0.2 released.

  * Fixes that allow Sagan to compile using GCC 10.

    https://github.com/quadrantsec/sagan/commit/21f753d2ad0f1c4fe5488ad5e325b9ddb3b8f2c7

  * When Sagan finds a "correlated event" (via an "xbit" or "flexbit"), Sagan stores
    the correlated data within the fired alert EVE. This means you don't have to search
    for the data!

    https://github.com/quadrantsec/sagan/commit/efed225c0e90b8ea9d975fed1efd390d9c6d2345

  * Patch from Stef Roskam changing the engine order and improving JSON parsing. Thanks Stef!!

    https://github.com/quadrantsec/sagan/pull/14

  * Various minor JSON fixes.

    https://github.com/quadrantsec/sagan/commit/ac447fb1b75f5d260e761d161167fa82c8bbe53f
    https://github.com/quadrantsec/sagan/commit/7060725730a1311de7cfc8912f4fcc5b495fa1b4
    https://github.com/quadrantsec/sagan/commit/e2e70565fe8f159ae4c249e585ca0129377ac053

  * Major code cleanup in processors/engine.c. Over time, this code had become
    harder to maintain. This cleanup makes the code more maintainable and more
    efficient, resulting in improved performance and a smaller memory footprint.
    Various other code cleanups also improve performance and memory footprint!

    https://github.com/quadrantsec/sagan/commit/ac6dcf754d1476ed7e4ceebff317a40f9f19eaf9
    https://github.com/quadrantsec/sagan/commit/90f479b28ef14e55f7fd0652c0a6fd3c90d0485e
    https://github.com/quadrantsec/sagan/commit/54ab349c5f0c07b1c251e874cd55bd7228f27ab4
    https://github.com/quadrantsec/sagan/commit/21f753d2ad0f1c4fe5488ad5e325b9ddb3b8f2c7

  * Allow message "mapping" to take place in the signature. For example:

        json_map: "src_ip", ".ClientIP"

    This maps the JSON value at ".ClientIP" to Sagan's internal "src_ip" field. That is,
    ".ClientIP" becomes what Sagan knows as "src_ip", which can then be used with other
    keywords (threshold, after, etc.). The code for "json-message.map" has been removed,
    as this is a much more efficient way to map JSON data.

    https://github.com/quadrantsec/sagan/commit/2382f87c187bccadb453b5aa8287952290906896
    https://github.com/quadrantsec/sagan/commit/977668e9f2e9f0b042ca59518d949263a68e3a1a

  * Fix issue when a value is "null" in JSON.

    https://github.com/quadrantsec/sagan/commit/475cbf97518a6b3b8b0c95cf7192daf66f105e8f
    https://github.com/quadrantsec/sagan/commit/ce9a6d791b8ef6a7232a5d66d462cba0299f590f
    https://github.com/quadrantsec/sagan/commit/54ab349c5f0c07b1c251e874cd55bd7228f27ab4
    https://github.com/quadrantsec/sagan/commit/350edda012b6588b81d1b165b8e7e495e92168b3
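The json_map keyword and the JSON "null" fix above, modelled in Python as an added example (this is not Sagan's own code and does not use Sagan's rule syntax). It shows why mapping ".ClientIP" onto "src_ip" matters: once the value lives in the engine's src_ip field, a per-source threshold can track it, and an event whose ClientIP is null or absent is skipped rather than thresholded under a bogus "null" source. The sample log lines are constructed; the dotted-path handling for nested keys and the one-alert-per-source-per-window threshold semantics are assumptions, since the release notes only show the flat ".ClientIP" case and name the threshold keyword without detailing it.

```python
import json

# Constructed sample log: one JSON document per line, as a web proxy or
# application might emit.  ".ClientIP" is the field the signature maps to
# Sagan's internal "src_ip".  One line carries a JSON null ClientIP and one
# omits the key entirely, to exercise the "null" handling.
SAMPLE_LOG = """\
{"ClientIP": "198.51.100.7", "status": 401, "ts": 100}
{"ClientIP": "198.51.100.7", "status": 401, "ts": 101}
{"ClientIP": "198.51.100.7", "status": 401, "ts": 102}
{"ClientIP": null, "status": 401, "ts": 103}
{"status": 401, "ts": 104}
{"ClientIP": "203.0.113.9", "status": 401, "ts": 105}
{"ClientIP": "198.51.100.7", "status": 401, "ts": 160}
"""

# Modelled after the signature keyword:  json_map: "src_ip", ".ClientIP"
# Assumption: the path is a dotted key path from the document root, so
# ".a.b" reaches a nested object; the release notes only show ".ClientIP".
JSON_MAP = {"src_ip": ".ClientIP"}


def lookup(doc, path):
    """Resolve a dotted path such as ".a.b" against a parsed JSON document.
    Returns None both when a key is missing and when the value is JSON null,
    so callers treat the two the same way."""
    cur = doc
    for key in path.lstrip(".").split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def map_event(line, json_map=JSON_MAP):
    """Parse one JSON log line and return the engine fields produced by the
    mapping.  A mapped field whose value is absent or null is left out rather
    than stored as the string "null".  Returns None for lines that are not
    valid JSON."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        return None
    fields = {"_raw": doc}
    for engine_field, path in json_map.items():
        value = lookup(doc, path)
        if value is not None:
            fields[engine_field] = str(value)
    return fields


class Threshold:
    """Per-source threshold (assumed semantics, modelled on Snort-style
    'threshold: type both, track by_src, count N, seconds S'): fire once per
    source per S-second window after N events, then stay quiet until the
    window expires."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src_ip -> (window_start, events_in_window, alerted)

    def check(self, src_ip, ts):
        start, n, alerted = self.state.get(src_ip, (ts, 0, False))
        if ts - start >= self.seconds:        # window expired: start a new one
            start, n, alerted = ts, 0, False
        n += 1
        fire = n >= self.count and not alerted
        self.state[src_ip] = (start, n, alerted or fire)
        return fire


def run(log_text, json_map=JSON_MAP, count=3, seconds=60):
    """Feed every line through the mapping and the threshold.  Returns the
    fired alerts as (src_ip, ts) pairs and the number of events that had no
    usable src_ip after mapping (null or missing ClientIP)."""
    th = Threshold(count, seconds)
    alerts, unmapped = [], 0
    for line in log_text.splitlines():
        ev = map_event(line, json_map)
        if ev is None or "src_ip" not in ev:
            unmapped += 1                     # nothing to track by_src
            continue
        ts = ev["_raw"]["ts"]                 # constructed event time, seconds
        if th.check(ev["src_ip"], ts):
            alerts.append((ev["src_ip"], ts))
    return alerts, unmapped


if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

With the constructed log, 198.51.100.7 fires once at ts 102 (three events inside the 60-second window), the two null/missing ClientIP lines are counted as unmapped instead of being thresholded under a "null" source, and the event at ts 160 starts a fresh window for that source without firing. The point to carry over to real Sagan signatures is the same: the threshold keyword only tracks by_src if the source address actually reaches src_ip, which is what json_map arranges.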