2018/06/14 - Sagan 1.2.0 released.
* "meta_content" size limitation/truncation issue fixed.
https://github.com/beave/sagan/commit/6640d7384b19712b32603ecde9cc9472e10a5573
* Added new "parse-ip" options to sagan.yaml. These control how
"parse_src_ip" and "parse_dst_ip" function. The new options are
"ipv6" (enabled by default) and "ipv4-mapped-ipv6" (disabled by
default). The latter converts IPv4-mapped IPv6 addresses to plain
IPv4 (for example ffff::192.168.2.1 becomes 192.168.2.1).
* New Bluedot TTL/Host option to prevent overloading DNS servers.
https://github.com/beave/sagan/commit/319f63ef5dab9b9fccab85707cf44701363a78dc
* Better "stripping" of hashes when using the "parse_hash" rule
option.
https://github.com/beave/sagan/commit/d3b0578dbd872544b12a7afca7ef617f9a4b739e
* Fixed issue with "flow.c" when dealing with many flows. Thanks to
Michael Riggs!
https://github.com/beave/sagan/issues/113
https://github.com/beave/sagan/commit/cb5d6e6aaab6a2c2b7dbbc534e6c9fa6cf5197eb
* A lot of processors/bluedot.c fixes that would result in a segfault
under extreme loads.
* Fixed unsigned char[MAXIPBIT] data alignment issues in various places
that could cause IP comparisons to fail.
* Removed some left behind "debug" code.
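The "parse-ip" options above matter for any rule that compares an extracted address against an IPv4 prefix such as $HOME_NET: a host logged as an IPv4-mapped IPv6 address (standard form ::ffff:a.b.c.d) will not match a v4 network unless it is reduced to plain IPv4 first. The following added example, which is not Sagan's parsers/ip.c but an illustration of the described behaviour, pulls the Nth address out of a constructed log line (the positional parse_src_ip/parse_dst_ip style is assumed) and shows how the "ipv6" and "ipv4-mapped-ipv6" settings change the $HOME_NET outcome.

```python
import ipaddress
import re

# Constructed sample lines (not taken from the Sagan page or its test data).
SSH_LOG = ("Jun 14 10:22:01 gw sshd[2231]: Accepted password for bob "
           "from ::ffff:192.168.2.1 port 51022 ssh2")
FW_LOG = "kernel: IN=eth0 SRC=10.0.0.5 DST=2001:db8::1 PROTO=TCP"

# Stand-in for $HOME_NET: an IPv4-only prefix (assumed for this example).
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]

# Crude token scan; anything ipaddress refuses is dropped.  This mirrors the
# parse-ip behaviour the changelog describes, it is not Sagan's own parser.
_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]+")


def normalize_ip(token, ipv6=True, ipv4_mapped_ipv6=False):
    """Return an IPv4Address/IPv6Address for token, or None.

    ipv6=False            -> IPv6 addresses are ignored (parse-ip: ipv6 off)
    ipv4_mapped_ipv6=True -> ::ffff:a.b.c.d is reduced to a.b.c.d
    """
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    if addr.version == 4:
        return addr
    if not ipv6:
        return None
    if ipv4_mapped_ipv6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def find_ips(line, **opts):
    """All addresses in the line, in order of appearance."""
    ips = []
    for tok in _CANDIDATE.findall(line):
        addr = normalize_ip(tok, **opts)
        if addr is not None:
            ips.append(addr)
    return ips


def nth_ip(line, n, **opts):
    """parse_src_ip: N / parse_dst_ip: N style lookup (1-based position)."""
    ips = find_ips(line, **opts)
    return ips[n - 1] if 0 < n <= len(ips) else None


def in_home_net(addr, home_net=HOME_NET):
    """$HOME_NET style test.  ipaddress never matches a v6 address against a
    v4 prefix, so an un-mapped ::ffff:192.168.2.1 fails this check."""
    return addr is not None and any(addr in net for net in home_net)


if __name__ == "__main__":
    for mapped in (False, True):
        src = nth_ip(SSH_LOG, 1, ipv4_mapped_ipv6=mapped)
        print(f"ipv4-mapped-ipv6={mapped}: {src} in HOME_NET -> "
              f"{in_home_net(src)}")
```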
2018/05/29 - Sagan 1.1.9 released.
* Added IPv6 support. Thanks to Kenneth Shelton @ Netwatcher
(https://netwatcher.com).
* Added multi-tenancy through the use of a "selector". Thanks
to Kenneth Shelton @ Netwatcher (https://netwatcher.com).
* "xbits", "after" and "threshold" now store the log
information, signature name and ID used during triggering.
This data can be displayed using the "saganpeek" utility when
the data is kept in mmap storage.
* Can now use pipes with "meta_content". For example "|3a 3a|".
https://github.com/beave/sagan/commit/50ef014739d0e745e95769b32821d3372b81c430
* Moved liblognorm/normalization structure to thread local.
This should improve normalization performance.
https://github.com/beave/sagan/commit/2862ecad742f2e32e6fda3af54e03f3ab03bdcf0
* Some getaddrinfo() calls had to be converted back to
inet_pton() due to performance/errors.
https://github.com/beave/sagan/commit/366cc257ab7f03f37b8e5a06520e5b14b5178095
* New "parse_hash" enhancements. These allow extraction of
MD5, SHA1, SHA256 automatically from logs. Useful for Sysmon
support.
https://github.com/beave/sagan/commit/2e6cedafdc9febc1886664734fdff8b33507dce1
* Removed legacy code for isset/isnotset/set for support for &
and |. This added unneeded complexity to the code.
https://github.com/beave/sagan/commit/4e9ddc431b0d2ca733ea75a36a3bf8f336e0df7b
* Fix for issue https://github.com/beave/sagan/issues/107.
Rules should respond to "pri" as well as "priority" rule
options.
https://github.com/beave/sagan/commit/8eb159872c6c0ff99e4435fa2f5f1596dd1dbed7
* Added "force-ipv4" Sagan configuration option. Unified2 output can
be somewhat strange with IPv6 addresses. This option keeps the IP
version type "4" even if an IPv6 address is encountered.
https://github.com/beave/sagan/commit/2dd9b66520c4d8be8c659834669e11e7358d9593
* Sagan will now pass liblognorm JSON output to "external" (rule option)
programs. This allows third party "external" programs to access already
normalized data.
https://github.com/beave/sagan/commit/84970a9bb8f8c3720dbda22914aaa16359687d58
* Fixed Bro-Intel address loading issue. https://github.com/beave/sagan/issues/104
Thanks to Psipher Diaz for reporting this.
https://github.com/beave/sagan/commit/8ee6c6ed1cf5ed27b14fc2ccaccb64674f058886
* Fixed Blacklist segfault:
https://github.com/beave/sagan/issues/111
* Flow checks were broken; these have been fixed.
* Added "xff" EVE/JSON output support.
* Fixed i386 compile time error (Thanks Pierre Chifflier).
* New "xbit: noeve" option to prevent EVE output while xbit is being set.
* A lot of minor bug fixes. For full lists, please see the
Sagan issues page:
https://github.com/beave/sagan/commits/master
* Fix for rules with lots of flows:
https://github.com/beave/sagan/issues/113
* Major re-write of parsers/ip.c. This is used by "parse_src_ip" and
"parse_dst_ip". Now does everything in one pass and "caches" results for
the next rule.
2017/07/25 - Sagan 1.1.8 released.
* Big stability fixes in this release, mostly involving protecting data within
global structures (xbit, threshold, after, client tracking, etc). If upgrading,
you'll want to remove all old/legacy IPC data from /var/sagan/ipc, or wherever
your "ipc-directory" configuration option points.
https://github.com/beave/sagan/commit/d10a92c9d0a6ec39f26c149179ce0494a4ceba96
https://github.com/beave/sagan/commit/d2802f9d6cbe26836195e5400e92a707d0cf0062
* Speed-ups.
https://github.com/beave/sagan/commit/466a5ea722209ec63cec544c52622f261659dbae
https://github.com/beave/sagan/commit/295221aa6836b017c578663b0185ac63535bfa84
* Sagan threads are now "named". This allows for easier debugging. Thread names
are SaganMain, SaganWorker, SaganKey, SaganPlog, SaganSignal, etc.
https://github.com/beave/sagan/commit/6767ec707044de62166d00fb7f35d7d3050921c5
* Fixes for "parse_hash" rule option. This allows Sagan to automatically extract
MD5, SHA1, SHA256 hashes for lookups.
https://github.com/beave/sagan/commit/58f00606f7912b4c122a4c20eb4321c081842882
* Beta Redis "xbit" sharing code added. This is a work in progress. This allows
Sagan to "share" xbits between devices on the network.
https://github.com/beave/sagan/commit/d25b8e92e00f136623f08f2aee5da442073e5978
https://github.com/beave/sagan/commit/77e33538a054c09ed615a01c6be0e0fc7b373c83
https://github.com/beave/sagan/commit/6a1d6c04c652d4f598e2951949d812578ad53085
https://github.com/beave/sagan/commit/1f288bb6d178ed15859d7fb3cf8ae1ea0ea1e445
https://github.com/beave/sagan/commit/8c2031e21f86a4ec84c62a6d7e0b46d386c3da68
https://github.com/beave/sagan/commit/6828a0ac9cab651046739cd371db8f14cbe0029e
https://github.com/beave/sagan/commit/823163aa8dfe1a205d03d6c975ac0f5a8673c0f8
https://github.com/beave/sagan/commit/d1656a1ba8eb6ffa68fc8224d09d88d97d89e1ec
https://github.com/beave/sagan/commit/c61c0908177129503e839a81007ec2e8139698cb
https://github.com/beave/sagan/commit/8e42d3450afc3c66b5b013b1924df2aed6b13226
* Split after.c and threshold.c from processors/engine.c
https://github.com/beave/sagan/commit/b445cd3aba2c1c6c6128bf819337206f6f253653
https://github.com/beave/sagan/commit/7385473512c6b3aa9ed01a34f9dbc4519a471d3f
* Typo fix issue #95 reported by "CyberTaoFlow".
https://github.com/beave/sagan/commit/b490cf2a9cc3b9d702b1f0c12468a248d2e3e283
* Removed the confusing "email by priority" option. If you want Sagan to e-mail
you event(s), the rule must contain the 'email' rule option.
https://github.com/beave/sagan/commit/8149e923bb37d7a5ff0ec88ff5c5be57c2388ab1
2017/05/31 - Sagan 1.1.7 released.
* The largest and most fundamental change relates to how Sagan rules are written. As of this release, Sagan
rules mimic Snort/Suricata rules. In the past, the first part of a Sagan rule (for example, "alert tcp
$EXTERNAL_NET -> $HOME_NET 22") would be applied to the log message: Sagan would categorize the log as
being from a "tcp" source and using port "22". This is no longer the case. If Sagan can determine from
the log data the protocol, source port, destination port, source address and destination address, traditional
Snort-like logic can then be applied. For example, a Sagan rule can now apply logic only to those logs that match
the criteria; the rule writer may only want the rule logic applied to logs that are determined to be
from a TCP source on port 22. The idea is to more closely match Snort and Suricata rule functionality.
In certain situations, you may want to apply a "default" protocol, source port or destination port. For example,
OpenSSH logs do not contain protocol information, but we know OpenSSH uses TCP. In those cases, Sagan can apply
defaults by using the new "default_proto" (tcp/udp/icmp), "default_dst_port" and "default_src_port" rule
options. These can use hard-coded numeric values or $VARIABLE options (for example, "default_dst_port: $SSH_PORT").
More information about these changes can be found with the pull request & commits at:
https://github.com/beave/sagan/pull/92
https://github.com/beave/sagan/commit/7eb5caa4ac40f12471f63a3fc9f4759164cd40f9
https://github.com/beave/sagan/commit/709a58f86fd66fb881a4aca2253628d69f4005de
Special thanks to "YoichSec" (Yoichi Sagawa) for the pull request/code to make this happen!
* Large cleanup effort involving Snortsam code. This mainly cleaned up many compile time warning messages.
https://github.com/beave/sagan/commit/3a63cb483784ead9a646c66edead9d1610cab98d
* Fixed issue of "external" output not being called correctly.
https://github.com/beave/sagan/issues/93
* Bro-intel support was broken in 1.1.6. This bug has been fixed.
https://github.com/beave/sagan/issues/90
* A large effort and code clean up to standardize the way threads handle data between functions. This greatly increases
the code's readability and brings stability to data handling. More information can be found at:
https://github.com/beave/sagan/issues/89
https://github.com/beave/sagan/commit/9621976e98dec9ffd3ef2d82b844d61ff1efe8ee
https://github.com/beave/sagan/commit/bcb7c0f40d7afc2ee76c93db73d3e2dc7e3d1e2d
https://github.com/beave/sagan/commit/29231c0b7bb094c4c43b4984a966e41835584636
https://github.com/beave/sagan/commit/678a6019443a438ee44917e1d7e2b4b4e45a05c2
https://github.com/beave/sagan/commit/e7cb805e62bb5b41f6f85d1453050e5fc0fe3748
https://github.com/beave/sagan/commit/033fe56b6d67ed1a894dfe3ebd6637d9e16e405b
https://github.com/beave/sagan/commit/a8ad0bd3f7172750982967b1fac5c12dbb2dedfc
https://github.com/beave/sagan/commit/f797e3620105e825deef744f0a413ec8890a62d0
* Error in SMTP output. Bug caused Sagan to always send e-mails regardless of priority.
https://github.com/beave/sagan/issues/88
* Many minor bug fixes and cleanups.
2017/03/20 - Sagan 1.1.6-r1 released.
* Resolved minor compile time issues.
2017/03/16 - Sagan 1.1.6 released.
* New Suricata EVE "Alert" compatible JSON output! (still beta!). See the "eve-log" in the sagan.yaml. Test with EveBox!
* Microsecond resolution added in logging for fast, alert.log & unified2.
https://github.com/beave/sagan/commit/5bf1a65270e50a8e1882e4c3a870589dd22b54ad
* Rules will now be distributed with Sagan releases (see the "rules" directory).
* Fixed issue #83 - SMTP YAML configuration versus rule option bug.
https://github.com/beave/sagan/issues/83
https://github.com/beave/sagan/commit/b2f7e91d6906e87ac436eba91e002bd5729a9940
* Merged YoichSec's (https://github.com/YoichSec) new xbit feature to track by source & destination ports.
https://github.com/beave/sagan/pull/85
https://github.com/beave/sagan/commit/546867a4ab7c861168acb861abfc9104c1811da6
* Removed "static __thread" from Sagan_u32_Time_To_Human() function.
https://github.com/beave/sagan/commit/b6a6d01b8119f7576378e4ed1129193043ae9f8e
* Fix for Between_Quotes function related to content:! & meta_content:! rule options.
https://github.com/beave/sagan/commit/2541f2a9e37b56e1ef3bd4a2d5e9c036a9f50e79
* Removed "static __thread" from Between_Quotes() function.
* Removed "static __thread" from DNS_Lookup() function.
* Removed Hex Validate() function (no longer needed)
https://github.com/beave/sagan/commit/188322de08c0ef2ba1b2f11b68e5a5f33bf09c66
* Move strlcpy/strlcat prototypes.
https://github.com/beave/sagan/commit/7e038dc4098c71a4ce7106d91617227166ce21c7
* Complete re-organization of source tree. Dropped all "sagan-?.c" prefixes.
2017/02/15 - Sagan 1.1.5 released.
* Travis-CI (travis.yml) support added to test build Sagan automatically.
* Fixed a Sagan_Log issue that caused a segfault in certain situations with "xbits".
https://github.com/beave/sagan/commit/ce76ebe41f51b21d38a3ece60adf2ad69a5a795d
* Large effort to clean up autoconf/automake files.
https://github.com/beave/sagan/commit/57a457951670ddb3803fe3bd20a1e4b637d3ddc3
https://github.com/beave/sagan/commit/911e895d2d246c5605bd6fd42da20cb2a3e5f75b
* --daemon bug fix by Ray Ruvinskiy. This fix moves the --daemon logic earlier in the Sagan code (pre-rule loading, etc). This allows for Sagan to load with less memory being used. See commit for more details.
https://github.com/beave/sagan/commit/0a286f06e42a7d509ac662a19bdcc72b777a426f
https://github.com/beave/sagan/commit/f86694adafa76092bdcc1378333227d7945de104
* Remove "force-fifo-ownership" YAML option from configuration/code.
https://github.com/beave/sagan/commit/3d828ca5c91357231e71842c0ac85c2a58cbb9c0
* "include" in YAML configuration would fail to load in certain situations. This has been corrected.
https://github.com/beave/sagan/commit/b27a578082e93eb4f407cdaaa281d57ed4ab88d2
* Bluedot initialization was being called at the wrong time.
https://github.com/beave/sagan/commit/172759a1b6e73eae584b1e6a738a2bf2d3303626
2016/12/30 - Sagan 1.1.4 released.
* Sagan has adopted YAML for future configuration file formats. For more information on YAML see https://en.wikipedia.org/wiki/YAML. The new YAML format allows for a more streamlined & easier to understand configuration. The new 'sagan.yaml' is modeled after the Suricata YAML file.
* With the adoption of YAML, Sagan now requires libyaml to be installed.
* configure.in libyaml checks added.
* Sagan "flowbits" are now known as "xbits". "xbits" represents what Sagan is doing with data rather than "flowbits".
* Added new "fast" output format. Works the same as "fast" output format for Suricata/Snort.
* Test for OpenBSD RWX mem segments. If not available, then disable PCRE JIT. Brought up by Victor Julien.
https://github.com/beave/sagan/commit/65aa4dd4d8880d2c54ddbb67a39089d5e6001b69
* Released from Hamburg, Germany after 33c3! :)
2016/11/07 - Sagan 1.1.3 released.
* New "dynamic_load" processor. This allows rules to be created that can load other rules. For example, it is now possible to "detect" new logs coming in and have Sagan automatically load rules for them.
* PCRE JIT support added. This allows faster PCRE processing if your library supports it.
* Modifications to the configure.ac to detect different PCRE library versions and functions. This was taken from the Suricata project.
https://github.com/beave/sagan/commit/04c74d56ac1eff7679636c16fdf853ae4e70c23a
* Fixed bug that caused a segfault on reload (SIGHUP).
https://github.com/beave/sagan/commit/87cd03dc1887e4fa1cef385974180cac77ca1c2d
* Code clean up/redefinition of _Sagan_Event and _Sagan_Proc_Syslog arrays.
https://github.com/beave/sagan/commit/db70eed853719521675e11e95b556edf94565542
2016/09/23 - Sagan 1.1.2 released.
* Added "srcport" for "threshold" and "after".
* Fixes around "dstport" for "threshold" and "after".
* Fixed display of source/destination IP addresses in tools/sagan-peek.c
* Change "artistic" style from "GNU" to "Linux". This allows better formatting of source code on smaller screens.
* New pthread mutex to address corruptions of mmap / files.
* tools/sagan-peek.c now has command line option to specify mmap file location. Various other improvements.
* Better error checking in src/processors/sagan-track-clients.c
* New MD5, SHA1 and SHA256 in src/parsers/parse-hash.c
* Minor Bluedot lookup fixes.
* Fixes for "after" and "threshold" when dealing with "usernames". (Username tracking).
* Added "file" option for sagan.conf to reference a file to load. For example, "var MYVAR file:/path/to/my/values.txt".
For more information, see https://github.com/beave/sagan/issues/75
2016/08/17 - Sagan 1.1.1 released.
* Added meta_offset, meta_depth, meta_within and meta_distance - Champ Clark (cclark@quadrantsec.com)
* Major changes/restructuring to sagan-meta-content.c - Adam Hall (ahall@quadrantsec.com)
* Fix major memory issue when loading large sets of rules. Related to meta_content! (Champ Clark)
* Minor build fix when liblognorm is disabled - Champ Clark
* Minor stdbool.h issue & added PKG_PROG_PKG_CONFIG to configure.ac
* Remove old unneeded liblognorm headers. Champ Clark
* memset replacement of strlcpy, minor clean up, minor bug fixes. (Adam & Champ)
2016/07/06 - Sagan 1.1.0 released.
The Basics:
-----------
* Sagan now "remembers" where it left off between restarts/reboots/etc.
* You can now create rules that focus on certain IP address or IP address ranges (ie - $EXTERNAL_NET/$HOME_NET).
* Sagan can treat "old" Bluedot IP reputation threat Intel differently than "new" threat intel.
* We added "qdee.pl", a SDEE poll routine to the "extra" directory.
* A lot of bugs were fixed
The Details:
------------
* Moved all "threshold", "after", "flowbits", and "client tracking" to mmap files. This means that Sagan "remembers" between restarts where it "left off"!
* Introduced "tools/sagan-peek.c" which allows you to examine Sagan mmap files. Useful in debugging or just "seeing" what Sagan is "tracking".
* $EXTERNAL_NET and $HOME_NET now function as expected. Previous versions of Sagan did not have any concept of $EXTERNAL_NET/$HOME_NET, so they were ignored. Adam Hall @ Quadrant made Sagan "aware" of "traffic flow". Values in a rule for source/destination are tested _after_ normalization.
* Added "mdate" (modification date) and "cdate" (creation date) to Bluedot. This allows Sagan to not trigger on "aged" Bluedot Threat Intel. For example, do _not_ alert if an IP address is seen and the Intel is over X hours/days/months/years old.
* Thresholding based on 'dstport' merged, thanks to Bruno Coudoin. See: https://github.com/beave/sagan/commit/44d6752acf27d61bcd57e35f930b0f6e11dadbc7
* Added parsing for IPTables "SPT" and "DPT" ports, thanks to Bruno Coudoin. https://github.com/beave/sagan/commit/9de9cffd224a44f93c80eca62e6ead617a4b97a6
* Added "qdee" to the "extra" directory. This allows Sagan to parse older style Cisco IDS output. This polls using the SDEE protocol. See https://github.com/beave/sagan/commit/61c4a7dd611161697785c889630dd3c8333ec8b5
* Removed support for libjsonc (json-c) and moved to libfastjson.
The Bugs Fixed:
---------------
* Correct issue for when Sagan cannot open a file (-F/--file) due to permissions.
* Removed unused "SigArgs" array.
* Clean exit when Sagan cannot load Maxmind GeoIP2 data file.
* Change "normalize: {type}" to "normalize;". All normalization rules now come from one file. This keeps Sagan in line with liblognorm development.
* Sagan now "warns" the user if old style "normalize" is encountered. See: https://github.com/beave/sagan/commit/ba3de9e43bc8623b361e34ce06a2e7808e045f88 and https://github.com/rsyslog/liblognorm/issues/206
* Fix json_object_object_get_ex() compile time warnings. See: https://github.com/beave/sagan/commit/e9bdea5b7fa5b25c1d7e740a4c856c70a1046d1d
* Minor ARM CPU fixes.
* Various "meta_content" fixes. Using "meta_content" with large amounts of search data would sometimes cause failures.
* Major bug fixes involving "client tracking". Thanks to Adam Hall @ Quadrant Information Security!
* Sagan now attempts to create the FIFO if it is not detected. Thanks to Cabrol Perales.
* A lot of smaller bug fixes. See: https://github.com/beave/sagan/commits/master
2015/11/19 - Sagan 1.0.1 released.
* Add unified2 "extra data" field to store the original syslog
source.
* Added threshold by "username".
* Minor code clean up.
2015/10/23 - Sagan 1.0.0 released.