quadrantsec / sagan

Sagan is a multi-threads, high performance log analysis engine. At it's core, Sagan similar to Suricata/Snort but with logs rather than network packets.
GNU General Public License v2.0
156 stars 27 forks source link
,-._,-.    Sagan, the advanced Suricata/Snort like log analysis engine!
\/)"(\/ 
 (_o_)     Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]
 /   \/)   Copyright (C) 2009-2023 Quadrant Information Security, et al.
(|| ||) 
 oo-oo  

Join the Sagan Discord channel

Discord

Sagan Documentation

Sagan "Read The Docs! https://sagan.readthedocs.io

What is Sagan?

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. The Sagan structure and Sagan rules work similarly to the Suricata & Snort IDS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your IDS/IPS system.

Sagan can write out to databases via Suricata EVE formats and/or Unified2, it is compatible with all Snort & Suricata consoles. Sagan can write also write out JSON which can be ingested by Elasticsearch and viewed with console like Kibana, EVEbox, etc.

Sagan supports many different output formats, log normalization (via liblognorm), GeoIP detection, script execution on event and automatic firewall support via "Snortsam" (see http://www.snortsam.net).

Sagan uses the GNU "artisic style".

Sagan Features:

Where can I get help with Sagan?

For more general Sagan information, please visit the offical Sagan web site: https://sagan.quadrantsec.com.

For Sagan documentation to assist with installation, rule writing, etc. Check out: https://sagan.readthedocs.io/en/latest/

For help & assistence, check out the Sagan mailing list. If it located at: https://groups.google.com/forum/#!forum/sagan-users. You can also ask questions on the Sagan Discord channel at https://discord.gg/VS6jTjH4gW

If you're looking for Sagan rule sets on Github, they are located at: https://github.com/quadrantsec/sagan-rules

Credits

A lot of people have invested time in Sagan. We list people who have contributed in our source code tree. See the https://github.com/quadrantsec/sagan/blob/main/src/credits.c source file.