Releases: quadrantsec/sagan
Sagan version 2.0.2
Sagan 2.0.2 released.
* Fixes that allow Sagan to compile using GCC 10.
https://github.com/quadrantsec/sagan/commit/21f753d2ad0f1c4fe5488ad5e325b9ddb3b8f2c7
* When Sagan finds a "correlated event" (via an "xbit" or "flexbit"), Sagan will store the correlated data within the fired alert EVE. This means you don't have to search for the data!
https://github.com/quadrantsec/sagan/commit/efed225c0e90b8ea9d975fed1efd390d9c6d2345
* Patch from Stef Roskam changing the engine order and improving JSON parsing. Thanks Stef!!
https://github.com/quadrantsec/sagan/pull/14
* Various minor JSON fixes.
https://github.com/quadrantsec/sagan/commit/ac447fb1b75f5d260e761d161167fa82c8bbe53f
https://github.com/quadrantsec/sagan/commit/7060725730a1311de7cfc8912f4fcc5b495fa1b4
https://github.com/quadrantsec/sagan/commit/e2e70565fe8f159ae4c249e585ca0129377ac053
* Major code cleanup in processors/engine.c. Over time, this code had become harder to maintain. This cleanup makes the code more maintainable and more efficient, and resulted in improved performance and a smaller memory footprint. Various other code cleanups as well to improve performance and memory footprint!
https://github.com/quadrantsec/sagan/commit/ac6dcf754d1476ed7e4ceebff317a40f9f19eaf9
https://github.com/quadrantsec/sagan/commit/90f479b28ef14e55f7fd0652c0a6fd3c90d0485e
https://github.com/quadrantsec/sagan/commit/54ab349c5f0c07b1c251e874cd55bd7228f27ab4
https://github.com/quadrantsec/sagan/commit/21f753d2ad0f1c4fe5488ad5e325b9ddb3b8f2c7
* Allow message "mapping" to take place in the signature. For example:
json_map: "src_ip", ".ClientIP"
This will map the JSON data value of ".ClientIP" to the Sagan internal engine field "src_ip". That is, ".ClientIP" will become what Sagan knows as "src_ip", which can then be used with other keywords (threshold, after, etc.). Removed the code for "json-message.map", as this is a much more efficient way to map JSON data.
https://github.com/quadrantsec/sagan/commit/2382f87c187bccadb453b5aa8287952290906896
https://github.com/quadrantsec/sagan/commit/977668e9f2e9f0b042ca59518d949263a68e3a1a
* Fix issue when a value is "null" in JSON.
https://github.com/quadrantsec/sagan/commit/475cbf97518a6b3b8b0c95cf7192daf66f105e8f
https://github.com/quadrantsec/sagan/commit/ce9a6d791b8ef6a7232a5d66d462cba0299f590f
https://github.com/quadrantsec/sagan/commit/54ab349c5f0c07b1c251e874cd55bd7228f27ab4
https://github.com/quadrantsec/sagan/commit/350edda012b6588b81d1b165b8e7e495e92168b3
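The 2.0.2 notes describe two related behaviours: a rule-level json_map that promotes a JSON value (".ClientIP") to an engine field ("src_ip") so that keywords such as threshold can key on it, and a fix for JSON values that are null. The following is an added Python illustration of that mapping logic written for this page; it is not Sagan's code. The leading-dot path syntax, the handling of null (the engine field is simply left unset rather than becoming a string), the sample log lines and the per-source-IP threshold are all constructed assumptions for the example.

```python
"""Illustration of json_map-style field promotion (added example, not Sagan code).

Models how a mapping such as   json_map: "src_ip", ".ClientIP"   can lift a
JSON log value into an engine-level field that later rule logic keys on.
"""
import json
from collections import defaultdict

# Constructed sample logs: three events from one client, one event whose
# ClientIP is JSON null, and one line that is not JSON at all.
SAMPLE_LOGS = [
    '{"ClientIP": "192.0.2.10", "event": "login_failed", "user": "alice"}',
    '{"ClientIP": "192.0.2.10", "event": "login_failed", "user": "alice"}',
    '{"ClientIP": null, "event": "login_failed", "user": "bob"}',
    '{"ClientIP": "192.0.2.10", "event": "login_failed", "user": "alice"}',
    'not json at all',
]

# Rule-style mappings (assumed format): engine field -> JSON path.
JSON_MAPS = {
    "src_ip": ".ClientIP",
    "username": ".user",
}


def lookup(obj, path):
    """Resolve a leading-dot path like ".a.b" against a parsed JSON object.

    Returns None when a key is missing, when an intermediate value is not an
    object, or when the JSON value itself is null.
    """
    cur = obj
    for key in path.lstrip(".").split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def map_event(raw, maps=JSON_MAPS):
    """Parse one log line and apply the json_map-style mappings.

    Returns a dict of engine fields, or None when the line is not a JSON object.
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    fields = {}
    for engine_field, path in maps.items():
        value = lookup(obj, path)
        # A JSON null must not be stringified into "None"; leave the field unset
        # so downstream keywords do not aggregate on a bogus value.
        if value is not None:
            fields[engine_field] = str(value)
    return fields


def threshold_by_src_ip(raw_logs, limit=3, maps=JSON_MAPS):
    """Count mapped events per src_ip and return (IPs reaching limit, skipped).

    Events with no usable src_ip (null, missing, or unparseable line) are
    skipped and counted separately so the operator can see dropped input.
    """
    counts = defaultdict(int)
    skipped = 0
    for raw in raw_logs:
        fields = map_event(raw, maps)
        if not fields or "src_ip" not in fields:
            skipped += 1
            continue
        counts[fields["src_ip"]] += 1
    fired = sorted(ip for ip, n in counts.items() if n >= limit)
    return fired, skipped


if __name__ == "__main__":
    fired, skipped = threshold_by_src_ip(SAMPLE_LOGS)
    print("threshold fired for:", fired, "| events skipped:", skipped)
```

Run as-is, the threshold fires once for 192.0.2.10 and reports two skipped events (the null ClientIP and the non-JSON line). The point of keeping null distinct from a real value is the same one the 2.0.2 fix addresses: a null that leaks through as a string would be counted as its own "source" and could both hide a real burst and produce a false correlation.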
Sagan version 2.0.1
2021/02/08 - Sagan 2.0.1 released.
* Multiple bug fixes that address compile time issues with GCC 10.
* Can now compile with Google's TCMalloc (--enable-tcmalloc). This
might result in less memory usage and a minor increase in performance.
* Bug fix for "event_id" not working in certain situations. Thanks to
Ivan Kuncl (iku899) at Github for reporting this issue.
https://github.com/quadrantsec/sagan/issues/8
* Bug fix for segfault when running with --daemon flag. Thanks to
Stef Roskam (smr1983) for reporting and patching this.
https://github.com/quadrantsec/sagan/issues/2
* A lot of "cleanup" work provided by Jonas Smedegaard (jonassmedegaard).
This involved proper git "tagging", typos, dirty source trees, etc.
* Removed unneeded pthread_mutex_lock() calls in bluedot.c. This should
cause a minor performance increase. Also some other minor Bluedot
performance enhancements.
* Removed the "perfmon" function. Use "stats-json" instead!
* Added a "Max threads used" statistic. This assists with properly
tuning the number of threads in your sagan.yaml. It displays the
max number of threads during the lifetime of Sagan.
* Bypass content/pcre when syslog "message" is null.
https://github.com/quadrantsec/sagan/commit/261adc243a4a43dd5c87483d31c1aacce73b95d2
* Simplified the "client-stats" functions. Now writes out one JSON
object for each log source detected. This change is also reflected in
Meer.
* Sagan now records its PID on startup & minor typos fixed.
Sagan version 2.0.0
Quadrant Information Security (https://quadrantsec.com) is proud to release version 2.0.0 of the Sagan log analysis engine! Some of the major updates to this release are:
- The Sagan repos have moved! They can now be found at:
https://github.com/quadrantsec/sagan
https://github.com/quadrantsec/sagan-rules
- New JSON parsing options (json_content, json_pcre, etc). This allows for decoding and writing rules for JSON based logs more easily. See https://sagan.readthedocs.io/en/latest/sagan-json.html#sagan-json for more details.
- Sagan EVE now stores more GeoIP information (if available). With the use of the Maxmind “city” GeoIP2 databases, Sagan will record “city”, “postal codes”, “latitude”, “longitude”, etc.
- Statistics are now written in a JSON format similar to Suricata JSON stats. This will replace the legacy “perfmon” stats output in 2.0.1.
- Introduction of the “event_id” rule option to automagically parse Windows event IDs from logs.
- New “metadata” rule option for rules. This works the same as Suricata’s “metadata” rule options.
- Added “normalization” data to EVE output.
- New “append_program” rule option. This option appends the “program” field to the end of the syslog message. This can be useful when program fields are erratic and cannot be depended on.
- Removed “Snortsam” and “Unified2” support.
- Rewrote the way EVE files are written to better handle file rotation and automatic EVE file recreation.
- Statistics now record “bytes_total” and “bytes_ignored”. This can be useful to determine how much data Sagan has processed.
- New “client-stats” configuration option. This option will take a single log message every few minutes (user specified) and record it in a separate file. This can be useful for providing an “example” of the types of data a host is sending.
- Better validation of signatures upon start up.
- A lot of stability, memory and CPU enhancements that make sure Sagan is as stable as possible.
More ChangeLog information is at: https://github.com/quadrantsec/sagan/blob/main/ChangeLog