Sagan (software)

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Sagan" software – news · newspapers · books · scholar · JSTOR (October 2014) (Learn how and when to remove this message)

This article includes a list of references, related reading, or external links, but its sources remain unclear because it lacks inline citations. Please help improve this article by introducing more precise citations. (July 2024) (Learn how and when to remove this message)

Sagan^[1] is an open source (GNU/GPLv2) multi-threaded, high performance, real-time log analysis & correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine. This allows Sagan to be compatible with Snort or Suricata rule management software and gives Sagan the ability to correlate with Snort IDS/IPS data.

Sagan supports different output formats for reporting and analysis, log normalization, script execution on event detection, GeoIP detection/alerting and time sensitive alerting.

• Host-based intrusion detection system comparison

• HOWTO build Sagan on FreeBSD
• Champ Clark talks about Sagan on "Pauldotcom Security weekly" - December, 12th, 2013.
• Log, Log, Log Everything Remotely.

• About Sagan
• Official Sagan Wiki
• Sagan flowbits
• Using Sagan with Bro Intelligence feeds
• Sagan output to other SIEMs.