Index
Symbols
Symbols
"date"
command line option
"facility"
command line option
"level"
command line option
"message"
command line option
"priority"
command line option
"software": "{software type}"
command line option
"time"
command line option
$EXTERNAL_NET
command line option
$HOME_NETWORK
command line option
--disable-libfastjson
command line option
--disable-lognorm
command line option
--disable-snortsam
command line option
--disable-syslog
command line option
--enable-bluedot
command line option
--enable-esmtp
command line option
--enable-geoip
command line option
--enable-libpcap
command line option
--enable-redis
command line option
--enable-system-strstr
command line option
--prefix=/usr/
command line option
--sysconfdir=/etc
command line option
--with-esmtp-includes=DIR
command line option
--with-esmtp-libraries=DIR
command line option
--with-geoip-includes=DIR
command line option
--with-geoip-libraries=DIR
command line option
--with-libfastjson-includes=DIR
command line option
--with-libfastjson-libraries=DIR
command line option
--with-libpcap-includes=DIR
command line option
--with-libpcap-libraries=DIR
command line option
--with-libpcre-includes=DIR
command line option
--with-libpcre-libraries=DIR
command line option
--with-libpthread-includes=DIR
command line option
--with-libpthread-libraries=DIR
command line option
--with-libyaml-includes
command line option
--with-libyaml-includes=DIR
command line option
--with-libyaml-libraries=DIR
command line option
--with-libyaml_libraries
command line option
--with-lognorm-includes=DIR
command line option
--with-lognorm-libraries=DIR
command line option
->
command line option
{dynamic_load: /path/to/rules/to/load}
command line option
A
after: track {by_src|by_dst|by_username|by_string}, count {number of event}, seconds {number of seconds};
command line option
alert
command line option
alert_time: days {days}, hours {hours};
command line option
any
command line option
,
[1]
,
[2]
append_program;
command line option
apt-get install libesmtp-dev
command line option
apt-get install libfastjson-dev libfastjson4
command line option
apt-get install libhiredis-dev
command line option
apt-get install liblognorm-dev liblognorm5
command line option
apt-get install libmaxminddb0 libmaxminddb-dev geoip-database-contrib geoipupdate
command line option
apt-get install libpcap-dev
command line option
apt-get install libyaml-dev
command line option
B
blacklist {by_src|by_dst|both|all};
command line option
bluedot: type {file_hash|url|filename},{category};
command line option
bluedot: type {ip_reputation},track {src|dst|both|all},{none|mdate_effective_period|cdate_effective_period},{category};
command line option
C
cd /usr/ports/devel/pcre && make && sudo make install
command line option
cd /usr/ports/mail/libesmtp && make && sudo make install
command line option
cd /usr/ports/textproc/libyaml/ && sudo make install
command line option
classtype: {classification}
command line option
command line option
"date"
"facility"
"level"
"message"
"priority"
"software": "{software type}"
"time"
$EXTERNAL_NET
$HOME_NETWORK
--disable-libfastjson
--disable-lognorm
--disable-snortsam
--disable-syslog
--enable-bluedot
--enable-esmtp
--enable-geoip
--enable-libpcap
--enable-redis
--enable-system-strstr
--prefix=/usr/
--sysconfdir=/etc
--with-esmtp-includes=DIR
--with-esmtp-libraries=DIR
--with-geoip-includes=DIR
--with-geoip-libraries=DIR
--with-libfastjson-includes=DIR
--with-libfastjson-libraries=DIR
--with-libpcap-includes=DIR
--with-libpcap-libraries=DIR
--with-libpcre-includes=DIR
--with-libpcre-libraries=DIR
--with-libpthread-includes=DIR
--with-libpthread-libraries=DIR
--with-libyaml-includes
--with-libyaml-includes=DIR
--with-libyaml-libraries=DIR
--with-libyaml_libraries
--with-lognorm-includes=DIR
--with-lognorm-libraries=DIR
->
LOOK THIS UP
,
[1]
,
[2]
after: track {by_src|by_dst|by_username|by_string}, count {number of event}, seconds {number of seconds};
alert
alert_time: days {days}, hours {hours};
any
,
[1]
,
[2]
append_program;
apt-get install libesmtp-dev
apt-get install libfastjson-dev libfastjson4
apt-get install libhiredis-dev
apt-get install liblognorm-dev liblognorm5
apt-get install libmaxminddb0 libmaxminddb-dev geoip-database-contrib geoipupdate
apt-get install libpcap-dev
apt-get install libyaml-dev
blacklist {by_src|by_dst|both|all};
bluedot: type {file_hash|url|filename},{category};
bluedot: type {ip_reputation},track {src|dst|both|all},{none|mdate_effective_period|cdate_effective_period},{category};
cd /usr/ports/devel/pcre && make && sudo make install
cd /usr/ports/mail/libesmtp && make && sudo make install
cd /usr/ports/textproc/libyaml/ && sudo make install
classtype: {classification}
country_code: track {by_src|by_dst}, {is|isnot} {ISO3166 Country Codes}
date
default_dst_port: {port number}
default_proto: {tcp/udp/icmp}
default_src_port: {port number}
depth: {depth value}
distance: {distance value}
dst_ip
dst_port
email: {email address}
emerge -av libesmtp
emerge -av libpcap
emerge -av libpcre
emerge -av libyaml
event_id
event_id: {id},{id},{id}...;
event_type
external: {path/and/program};
facility
flexbits: set, {flexbit name}, {expire time};
flexbits_pause: {seconds};
flexbits_upause: {microseconds};
json_contains;
json_content: ".{key}", "{search}";
json_map: "internal_value", "key";
json_meta_contains;
json_meta_content: ".key", value1,value2,value3... ;
json_meta_nocase;
json_nocase;
json_pcre: ".key", "/regularexpression/";
level
message
meta_content: "string %sagan% string",$VAR;
meta_depth: {depth value}
meta_distance: {distance value}
meta_offset: {offset value};
meta_within: {within value};
msg: "human readable message";
nocase
normalize;
offset: {offset value};
parse_dst_ip: {destination position}
parse_hash: {md5|sha1|sha256};
parse_port;
parse_proto;
parse_src_ip: {source position};
pcre: "{regular expression}"
program
program: {program name|another program name}
proto
reference: {reference name}, {reference url}
rev: {revision number};
sid: {signature id};
src_ip
src_port
sudo apt-get install libpcre3-dev libpcre3
sudo yum install pcre-devel
sudo yum install redis
syslog-source-ip
syslog_facility: {syslog facility}
syslog_level: {syslog level};
syslog_tag: {syslog tag};
tag.
threshold: type {limit|suppress}, track {by_src|by_dst|by_username|by_string}, count {number of event}, seconds {number of seconds}
time
within: {within value};
xbits:{set|unset|isset},{name},track {ip_src|ip_dst|ip_pair} [,expire <seconds>];
xbits_pause: {seconds};
xbits_upause: {microseconds};
yum install GeoIP GeoIP-devel GeoIP-data
yum install liblognorm
yum install libpcap
yum install libyaml-devel
zeek-intel: {src_ipaddr},{dst_ipaddr},{both_ipaddr},{all_ipaddr},{file_hash},{url},{software},{email},{user_name},{file_name},{cert_hash};
{dynamic_load: /path/to/rules/to/load}
“syslog-source-ip”
country_code: track {by_src|by_dst}, {is|isnot} {ISO3166 Country Codes}
command line option
D
date
command line option
default_dst_port: {port number}
command line option
default_proto: {tcp/udp/icmp}
command line option
default_src_port: {port number}
command line option
depth: {depth value}
command line option
distance: {distance value}
command line option
dst_ip
command line option
dst_port
command line option
E
email: {email address}
command line option
emerge -av libesmtp
command line option
emerge -av libpcap
command line option
emerge -av libpcre
command line option
emerge -av libyaml
command line option
event_id
command line option
event_id: {id},{id},{id}...;
command line option
event_type
command line option
external: {path/and/program};
command line option
F
facility
command line option
flexbits: set, {flexbit name}, {expire time};
command line option
flexbits_pause: {seconds};
command line option
flexbits_upause: {microseconds};
command line option
J
json_contains;
command line option
json_content: ".{key}", "{search}";
command line option
json_map: "internal_value", "key";
command line option
json_meta_contains;
command line option
json_meta_content: ".key", value1,value2,value3... ;
command line option
json_meta_nocase;
command line option
json_nocase;
command line option
json_pcre: ".key", "/regularexpression/";
command line option
L
level
command line option
LOOK THIS UP
command line option
,
[1]
,
[2]
M
message
command line option
meta_content: "string %sagan% string",$VAR;
command line option
meta_depth: {depth value}
command line option
meta_distance: {distance value}
command line option
meta_offset: {offset value};
command line option
meta_within: {within value};
command line option
msg: "human readable message";
command line option
N
nocase
command line option
normalize;
command line option
O
offset: {offset value};
command line option
P
parse_dst_ip: {destination position}
command line option
parse_hash: {md5|sha1|sha256};
command line option
parse_port;
command line option
parse_proto;
command line option
parse_src_ip: {source position};
command line option
pcre: "{regular expression}"
command line option
program
command line option
program: {program name|another program name}
command line option
proto
command line option
R
reference: {reference name}, {reference url}
command line option
rev: {revision number};
command line option
S
sid: {signature id};
command line option
src_ip
command line option
src_port
command line option
sudo apt-get install libpcre3-dev libpcre3
command line option
sudo yum install pcre-devel
command line option
sudo yum install redis
command line option
syslog-source-ip
command line option
syslog_facility: {syslog facility}
command line option
syslog_level: {syslog level};
command line option
syslog_tag: {syslog tag};
command line option
T
tag.
command line option
threshold: type {limit|suppress}, track {by_src|by_dst|by_username|by_string}, count {number of event}, seconds {number of seconds}
command line option
time
command line option
W
within: {within value};
command line option
X
xbits:{set|unset|isset},{name},track {ip_src|ip_dst|ip_pair} [,expire <seconds>];
command line option
xbits_pause: {seconds};
command line option
xbits_upause: {microseconds};
command line option
Y
yum install GeoIP GeoIP-devel GeoIP-data
command line option
yum install liblognorm
command line option
yum install libpcap
command line option
yum install libyaml-devel
command line option
Z
zeek-intel: {src_ipaddr},{dst_ipaddr},{both_ipaddr},{all_ipaddr},{file_hash},{url},{software},{email},{user_name},{file_name},{cert_hash};
command line option
Symbols
“syslog-source-ip”
command line option