├── .gitignore ├── .travis.yml ├── AUTHORS ├── COPYING ├── ChangeLog ├── FAQ ├── INSTALL ├── LICENSE ├── Makefile.am ├── NEWS ├── README ├── README.md ├── TODO ├── autogen.sh ├── config.h.in ├── configure.ac ├── doc ├── Makefile ├── Makefile.am ├── sagan_freebsd.howto.md └── source │ ├── articles.rst │ ├── blogs │ ├── dynamic-rules-with-sagan.rst │ ├── index.rst │ ├── sagan-1-0-0.rst │ ├── sagan-flowbits.rst │ ├── sagan-output-to-other-siems.rst │ └── what-sagan-is-and-is-not.rst │ ├── command-line-options.rst │ ├── conf.py │ ├── configuration.rst │ ├── contributing-coding-style.rst │ ├── docutils.conf │ ├── getting-help.rst │ ├── high-performance.rst │ ├── index.rst │ ├── install.rst │ ├── journald.rst │ ├── rule-keywords.rst │ ├── rule-syntax.rst │ ├── sagan-json.rst │ ├── saganpeek.rst │ ├── todo.rst │ └── what-is-sagan.rst ├── etc ├── sagan.8 └── sagan.yaml ├── extra ├── README ├── RPM │ ├── README │ ├── sagan-sagan.conf.patch │ ├── sagan-setup.libexec │ ├── sagan.logrotate │ ├── sagan.service │ ├── sagan.spec │ └── sagan.tmpfiles ├── barnyard2 │ ├── barnyard2.cli.conf │ └── barnyard2.snorby.conf ├── bluedot │ ├── code │ │ └── intel.php │ ├── etc │ │ └── bluedot-config.php │ └── sql │ │ └── bluedot.sql ├── build-test │ └── build-test.sh ├── conversion │ └── ossec-sagan.pl ├── external-test │ └── external-program ├── nxfifo │ └── nxfifo.c ├── pulledpork │ ├── fetchcarl.sh │ └── pulledpork.sagan.conf ├── qdee │ ├── README.md │ └── qdee.pl ├── rc.d-freebsd │ └── sagan ├── rsyslog │ └── sagan.conf ├── sagan-gtk │ ├── Makefile │ └── sagan-gtk.c ├── sagan-notify │ ├── Makefile │ └── sagan-notify.c └── simple-offload-program │ ├── go.sum │ └── main.go ├── m4 ├── ax_check_compile_flag.m4 ├── ax_ext.m4 ├── ax_gcc_x86_avx_xgetbv.m4 └── ax_gcc_x86_cpuid.m4 ├── screenshots └── discord.png ├── src ├── Makefile.am ├── aetas.c ├── aetas.h ├── after.c ├── after.h ├── classifications.c ├── classifications.h ├── config-yaml.c ├── config-yaml.h ├── content.c ├── content.h ├── 
credits.c ├── credits.h ├── debug.c ├── debug.h ├── event-id.c ├── event-id.h ├── flexbit-mmap.c ├── flexbit-mmap.h ├── flexbit.c ├── flexbit.h ├── flow.c ├── flow.h ├── geoip.c ├── geoip.h ├── ignore-list.c ├── ignore-list.h ├── ignore.c ├── ignore.h ├── input-json-map.c ├── input-json-map.h ├── input-json.c ├── input-json.h ├── input-pipe.c ├── input-pipe.h ├── input-plugins │ ├── fifo.c │ ├── fifo.h │ ├── file.c │ ├── file.h │ ├── gzip.c │ └── gzip.h ├── ipc.c ├── ipc.h ├── json-content.c ├── json-content.h ├── json-handler.c ├── json-handler.h ├── json-meta-content.c ├── json-meta-content.h ├── json-pcre.c ├── json-pcre.h ├── key.c ├── key.h ├── liblognormalize.c ├── liblognormalize.h ├── lockfile.c ├── lockfile.h ├── meta-content.c ├── meta-content.h ├── offload.c ├── offload.h ├── output-plugins │ ├── alert.c │ ├── alert.h │ ├── esmtp.c │ ├── esmtp.h │ ├── eve.c │ ├── eve.h │ ├── external.c │ ├── external.h │ ├── fast.c │ ├── fast.h │ ├── syslog-handler.c │ └── syslog-handler.h ├── output.c ├── output.h ├── parsers │ ├── hash.c │ ├── ip.c │ ├── json.c │ ├── json.h │ ├── parsers.h │ ├── proto.c │ └── strstr-asm │ │ ├── .dirstamp │ │ ├── strstr-hook.c │ │ ├── strstr-hook.h │ │ ├── strstr_sse2.S │ │ └── strstr_sse4_2.S ├── pcre-s.c ├── pcre-s.h ├── plog.c ├── plog.h ├── processor-memory.c ├── processor-memory.h ├── processor.c ├── processor.h ├── processors │ ├── blacklist.c │ ├── blacklist.h │ ├── bluedot.c │ ├── bluedot.h │ ├── client-stats.c │ ├── client-stats.h │ ├── dynamic-rules.c │ ├── dynamic-rules.h │ ├── engine.c │ ├── engine.h │ ├── stats-json.c │ ├── stats-json.h │ ├── track-clients.c │ ├── track-clients.h │ ├── zeek-intel.c │ └── zeek-intel.h ├── protocol-map.c ├── protocol-map.h ├── redis.c ├── redis.h ├── references.c ├── references.h ├── routing.c ├── routing.h ├── rules.c ├── rules.h ├── sagan-config.h ├── sagan-defs.h ├── sagan.c ├── sagan.h ├── search-type.c ├── search-type.h ├── send-alert.c ├── send-alert.h ├── signal-handler.c ├── 
signal-handler.h ├── stats.c ├── stats.h ├── threshold.c ├── threshold.h ├── tracking-syslog.c ├── tracking-syslog.h ├── usage.c ├── usage.h ├── util-base64.c ├── util-base64.h ├── util-strlcat.c ├── util-strlcpy.c ├── util-time.c ├── util-time.h ├── util.c ├── version.h ├── xbit-mmap.c ├── xbit-mmap.h ├── xbit-redis.c ├── xbit-redis.h ├── xbit.c └── xbit.h ├── stamp-h1 └── tools ├── Makefile.am └── saganpeek.c /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | # Default parameters, even this default build is excluded in the build 2 | # matrix below. We define so Travis doesn't think this is a Ruby 3 | # project. 4 | os: linux 5 | dist: focal 6 | language: c 7 | compiler: gcc 8 | 9 | # Define the default CFLAGS used by all builds as a YAML anchor. 10 | default-cflags: &default-cflags 11 | CFLAGS="-Wall -Wno-unused-parameter -Wno-unused-function" 12 | #CFLAGS="-Wall -Wextra -Werror -Wno-unused-parameter -Wno-unused-function" 13 | 14 | # The default build is Linux with gcc. Add additional builds to the 15 | # matrix here. 
16 | matrix: 17 | # Exclude the default build so any the builds in the matrix will be done. 18 | exclude: 19 | - os: linux 20 | compiler: gcc 21 | include: 22 | # Linux, gcc, tests enabled. 23 | - os: linux 24 | compiler: gcc 25 | env: 26 | - NAME="linux,gcc" 27 | - *default-cflags 28 | # Linux, clang. For this build we'll also enable -Wshadow. 29 | - os: linux 30 | compiler: clang 31 | env: 32 | - NAME="linux,clang" 33 | - *default-cflags 34 | - EXTRA_CFLAGS="-Wshadow" 35 | 36 | # Change this to your needs 37 | script: 38 | - ./autogen.sh 39 | - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then 40 | ./configure || { echo "!!!! ERROR !!!!"; cat config.log && false; } 41 | fi 42 | - make 43 | - cd tools 44 | - make 45 | 46 | before_install: 47 | - | 48 | if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then 49 | 50 | sudo apt-get update -qq 51 | sudo apt-get install -y libpcre3-dev liblognorm-dev \ 52 | build-essential autoconf automake libyaml-dev \ 53 | pkg-config libhiredis-dev libfastjson-dev 54 | 55 | fi 56 | 57 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | Primary code development was done by Champ Clark III (champ@quadrantsec.com). 2 | 3 | For more contributors, please see: 4 | 5 | src/sagan-credits.c 6 | 7 | -------------------------------------------------------------------------------- /FAQ: -------------------------------------------------------------------------------- 1 | See http://sagan.quadrantsec.com 2 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPIONS=foreign no-dependencies subdir-objects 2 | ACLOCAL_AMFLAGS = -I m4 3 | SUBDIRS = src 4 | 5 | #INCLUDES = @INCLUDES@ 6 | 7 | # Install BFD include file, and others that it needs. 
8 | #install-data-local: 9 | # @$(NORMAL_INSTALL) 10 | # $(mkinstalldirs) $(sysconfdir) 11 | # $(INSTALL_DATA)sagan.conf $(sysconfdir)/sagan.yaml 12 | 13 | install-data-local: 14 | test -z "$(DESTDIR)$(sysconfdir)" || /bin/mkdir -p "$(DESTDIR)$(sysconfdir)" 15 | test -f "$(DESTDIR)$(sysconfdir)/sagan.yaml" || $(INSTALL_DATA) etc/sagan.yaml "$(DESTDIR)$(sysconfdir)/sagan.yaml" 16 | test -z "$(DESTDIR)$(bindir)" || /bin/mkdir -p "$(DESTDIR)$(bindir)" 17 | $(INSTALL) -d "$(DESTDIR)$(mandir)/man8" 18 | $(INSTALL) -m 644 etc/sagan.8 "$(DESTDIR)$(mandir)/man8" 19 | $(INSTALL) -m 755 src/sagan "$(DESTDIR)$(bindir)/sagan" 20 | $(INSTALL) -d "$(DESTDIR)/var/log/sagan" 21 | $(INSTALL) -d "$(DESTDIR)/var/run/sagan" 22 | @echo "" 23 | @echo "------------------------------------------------------------------------------" 24 | @echo "Sagan has been installed! You still need to do a few more things before your" 25 | @echo "up and running. For more information, see https://sagan.readthedocs.io" 26 | @echo "------------------------------------------------------------------------------" 27 | @echo "" 28 | 29 | 30 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- 1 | See http://sagan.quadrantsec.com 2 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | Please see the README.md 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 |
 3 | ,-._,-.    Sagan, the advanced Suricata/Snort like log analysis engine!
 4 | \/)"(\/ 
 5 |  (_o_)     Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]
 6 |  /   \/)   Copyright (C) 2009-2023 Quadrant Information Security, et al.
 7 | (|| ||) 
 8 |  oo-oo  
 9 | 
10 | 11 | 12 | Join the Sagan Discord channel 13 | ------------------------------ 14 | 15 | [![Discord](./screenshots/discord.png)](https://discord.gg/VS6jTjH4gW) 16 | 17 | Sagan Documentation 18 | ------------------- 19 | 20 | Sagan "Read The Docs!" https://sagan.readthedocs.io 21 | 22 | What is Sagan? 23 | -------------- 24 | 25 | Sagan is an open source (GNU/GPLv2) high performance, real-time log 26 | analysis & correlation engine. It is written in C and uses a 27 | multi-threaded architecture to deliver high performance log & event 28 | analysis. The Sagan structure and Sagan rules work similarly to the 29 | Suricata & Snort IDS engine. This was intentionally done to maintain 30 | compatibility with rule management software (oinkmaster/pulledpork/etc) 31 | and allows Sagan to correlate log events with your IDS/IPS system. 32 | 33 | Sagan can write out to databases via Suricata EVE formats and/or 34 | Unified2; it is compatible with all Snort & Suricata consoles. Sagan 35 | can also write out JSON which can be ingested by Elasticsearch 36 | and viewed with consoles like Kibana, EVEbox, etc. 37 | 38 | Sagan supports many different output formats, log normalization 39 | (via liblognorm), GeoIP detection, script execution on event and 40 | automatic firewall support via "Snortsam" (see http://www.snortsam.net). 41 | 42 | Sagan uses the GNU "artistic style". 43 | 44 | Sagan Features: 45 | --------------- 46 | 47 | * Sagan’s multi-threaded architecture allows it to use all CPUs / cores for real-time log processing. 48 | * Sagan's CPU and memory resources are light weight. 49 | * Sagan uses a similar rule syntax to Cisco’s “Snort” & Suricata which allows for easy rule management and correlation with Snort or Suricata IDS / IPS systems. 50 | * Sagan can store alert data in Cisco’s “Snort” native “unified2” binary data format or Suricata's JSON format for easier log-to-packet correlation. 
51 | * Sagan is compatible with popular graphical-based security consoles like Snorby, BASE, Sguil, and EveBox. 52 | * Sagan can easily export data to other SIEMs via syslog. 53 | * Sagan can track events based on geographic locations via IP address source or destination data (e.g., identifying logins from strange geographic locations). 54 | * Sagan can monitor usage based on time of day (e.g., writing a rule to trigger when an administrator logs in at 3:00 AM). 55 | * Sagan has multiple means of parsing and extracting data through liblognorm or built-in parsing rule options like parse_src_ip, parse_dst_ip, parse_port, parse_string, parse_hash (MD5, SHA1, SHA256). 56 | * Sagan can query custom blacklists, Bro Intel subscriptions like Critical Stack and “Bluedot”, Quadrant Information Security threat intelligence feeds by IP address, hashes (MD5, SHA1, SHA256), URLs, emails, usernames, and much more. 57 | * Sagan’s “client tracking” can inform you when machines start or stop logging. This helps you verify that you are getting the data you need. 58 | * Sagan uses “xbits” to correlate data between log events which allows Sagan to “remember” and flag events across multiple log lines and sources. 59 | * Sagan uses inter-process communication between Sagan processes to share data. Sagan can also use Redis (beta) to share data between Sagan instances within a network. 60 | * To help reduce “alert fatigue”, Sagan can “threshold” or only alert “after” certain criteria have been met. 61 | 62 | Where can I get help with Sagan? 63 | -------------------------------- 64 | 65 | For more general Sagan information, please visit the official Sagan web site: 66 | https://sagan.quadrantsec.com. 67 | 68 | For Sagan documentation to assist with installation, rule writing, etc., check out: 69 | https://sagan.readthedocs.io/en/latest/ 70 | 71 | For help & assistance, check out the Sagan mailing list. It is located at: 72 | https://groups.google.com/forum/#!forum/sagan-users. 
You can also ask questions on the 73 | Sagan Discord channel at https://discord.gg/VS6jTjH4gW 74 | 75 | If you're looking for Sagan rule sets on Github, they are located at: 76 | https://github.com/quadrantsec/sagan-rules 77 | 78 | Credits 79 | ------- 80 | 81 | A lot of people have invested time in Sagan. We list people who have contributed in our source code tree. 82 | See the https://github.com/quadrantsec/sagan/blob/main/src/credits.c source file. 83 | 84 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | 2 | For the latest TODO list, see: 3 | 4 | https://wiki.quadrantsec.com/bin/view/Main/SaganTODO 5 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This generates Makefiles, ./configure, etc. 4 | 5 | autoreconf -vfi -I m4 6 | -------------------------------------------------------------------------------- /doc/Makefile: -------------------------------------------------------------------------------- 1 | # Minimal makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line. 5 | SPHINXOPTS = 6 | SPHINXBUILD = sphinx-build 7 | SOURCEDIR = source 8 | BUILDDIR = build 9 | 10 | # Put it first so that "make" without argument is like "make help". 11 | help: 12 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 13 | 14 | .PHONY: help Makefile 15 | 16 | # Catch-all target: route all unknown targets to Sphinx using the new 17 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 
18 | %: Makefile 19 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) -------------------------------------------------------------------------------- /doc/Makefile.am: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quadrantsec/sagan/a1805c54024774b9f4494bd5a8535f16a36fa924/doc/Makefile.am -------------------------------------------------------------------------------- /doc/source/articles.rst: -------------------------------------------------------------------------------- 1 | Articles about Sagan 2 | ==================== 3 | 4 | Reading 5 | ------- 6 | 7 | "Logging and processing logs from Windows 7. Timber!" - Linux Magazine - http://www.linux-magazine.com/content/download/61671/482426/version/1/file/072-073_kurt.pdf 8 | 9 | "Analyzing Bro Logs with Sagan" (2015/09/10) - https://blog.zeek.org//2015/09/analyzing-bro-logs-with-sagan.html 10 | 11 | "Sagan as a Log Normalizer" (2013/11/16) - https://isc.sans.edu/forums/diary/Sagan+as+a+Log+Normalizer/17039 12 | 13 | "ELSA with Sagan" (2013/01/31) - http://blog.infosecmatters.net/2013/01/elsa-with-sagan.html 14 | 15 | "Infoworld Sagan BOSSIE award" (2012/09/18) - https://www.infoworld.com/article/2606792/open-source-software/bossie-awards-2012--the-best-open-source-networking-and-security-software.html#slide17 16 | 17 | Audio/Video 18 | ----------- 19 | 20 | Champ discusses Sagan "Pauldotcom Security Weekly" (2013/12/12) - http://traffic.libsyn.com/pauldotcom/PaulDotCom-356-Part1.mp3 21 | 22 | "Taking a bite out of logs with Sagan" at "Hackers On Planet Earth" (HOPE9) (2012/07) - https://www.youtube.com/watch?v=pMlAmteCjQo 23 | 24 | Champ talks with the Jacksonville Linux User group about Sagan - https://www.youtube.com/watch?v=rySjNnEpjbI 25 | 26 | 27 | Presentations/Papers 28 | -------------------- 29 | 30 | "Securing your Mikrotik Network" by Andrew Thrift (Presentation) - http://sagan.io/pdf/2_andrew.pdf 31 | 32 | "Building 
wireless IDS systems using open source" - 2013? - http://sagan.quadrantsec.com/papers/wireless-ids/ 33 | 34 | "Defending the Homeland: Logging and Monitoring at home" by @nullthreat - http://sagan.io/pdf/BlackLodgeNSMOverview-Nullthreat.pdf 35 | 36 | "Centralized and structured log file analysis with Open Source and Free Software tools" Bachelor Thesis by Jens Kühnel. - http://sagan.io/pdf/bachelor.pdf 37 | 38 | 39 | -------------------------------------------------------------------------------- /doc/source/blogs/index.rst: -------------------------------------------------------------------------------- 1 | Sagan Blogs 2 | =========== 3 | 4 | .. toctree:: 5 | :numbered: 6 | :maxdepth: 2 7 | 8 | dynamic-rules-with-sagan 9 | what-sagan-is-and-is-not 10 | sagan-1-0-0 11 | sagan-output-to-other-siems 12 | sagan-flowbits 13 | 14 | -------------------------------------------------------------------------------- /doc/source/command-line-options.rst: -------------------------------------------------------------------------------- 1 | Command Line Option 2 | =================== 3 | 4 | This document needs to be completed! 5 | 6 | 7 | -------------------------------------------------------------------------------- /doc/source/docutils.conf: -------------------------------------------------------------------------------- 1 | [parsers] 2 | smart_quotes: false 3 | -------------------------------------------------------------------------------- /doc/source/getting-help.rst: -------------------------------------------------------------------------------- 1 | Getting help 2 | ============ 3 | 4 | The primary Sagan site is located at: 5 | 6 | https://sagan.io 7 | 8 | Sagan Github page is located at: 9 | 10 | `https://github.com/beave/sagan `_ 11 | 12 | If you are having issues getting Sagan to work, consider posting in the Sagan mailing list. This list 13 | is good for general configuration, install and usage questions. 
14 | 15 | `https://groups.google.com/forum/#!forum/sagan-users <https://groups.google.com/forum/#!forum/sagan-users>`_ 16 | 17 | If you need to report a compile or programming issue, please use our Github.com issues page. That is located at: 18 | 19 | `https://github.com/beave/sagan/issues <https://github.com/beave/sagan/issues>`_ 20 | 21 | If you want to chat about Sagan you can hit up our Discord channel! 22 | 23 | `https://discord.gg/VS6jTjH4gW <https://discord.gg/VS6jTjH4gW>`_ 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /doc/source/high-performance.rst: -------------------------------------------------------------------------------- 1 | High Performance Considerations 2 | =============================== 3 | 4 | Depending on your hardware, Sagan can operate comfortably up to about 5k "events per second" (EPS) 5 | using default configurations. When you hit this level and higher, there are a few configuration 6 | options to take into consideration. 7 | 8 | batch-size 9 | ~~~~~~~~~~ 10 | 11 | The most important thing is the ``batch-size`` sagan.yaml configuration option. By default, 12 | when Sagan receives a log line, the data is sent to any available thread. Due to memory protections 13 | (pthread mutex lock/unlock), this isn't efficient. The system starts to spend more time protecting the 14 | memory location of the single line of log data than processing the log line. 15 | 16 | The ``batch-size`` allows Sagan to send more data to worker threads and use fewer "locks". For example, 17 | with a ``batch-size`` of 10, Sagan can send 10 times more data with only one "lock" being applied. At 18 | even higher rates, you may want to consider setting the ``batch-size`` to 100. 19 | 20 | The default batch sizes are 1 to 100. On very high performance systems (100k+ EPS or more), you may 21 | want to consider rebuilding to handle even larger batches. To do this, you would edit 22 | `sagan-defs.h` and change the following: 
23 | 24 | :: 25 | 26 | #define MAX_SYSLOG_BATCH 100 27 | 28 | 29 | To 30 | 31 | :: 32 | 33 | #define MAX_SYSLOG_BATCH 1000 34 | 35 | 36 | Then rebuild Sagan and set your ``batch-size`` to 1000. While you will save CPU, Sagan will 37 | use more memory. If you set `MAX_SYSLOG_BATCH` to 1000 and only set the ``batch-size`` to 38 | 100, Sagan will still allocate memory for 1000 log lines. In fact, it will do this per thread! 39 | Think of it this way: 40 | 41 | :: 42 | ( MAX_SYSLOG_BATCH * 10240 bytes ) * Threads = Total memory usage. 43 | 44 | The default allocation per log line is 10240 bytes. 45 | 46 | 47 | Rule sets 48 | ~~~~~~~~~ 49 | 50 | At high rates, consideration should be given to the rules that you are loading. Unneeded and 51 | unused rules waste CPU. 52 | 53 | If you are writing rules, make sure you use simple rule keywords first (``content``, ``meta_content``, 54 | ``program``, etc.) before moving to more complex rule options like ``pcre``. The simpler rule 55 | keywords can be used to "short circuit" a rule before it has to do more complex operations. 56 | 57 | Software like ``Snort`` attempts to arrange the rule set in memory to be more efficient. For example, 58 | when ``Snort`` detects multiple ``content`` modifiers, it shifts the shortest-length ``content`` to 59 | the front (first searched), regardless of the ``content`` keyword's placement within the rule. 60 | 61 | Because logs are inherently different than packets, ``Sagan`` does not do this! If you have multiple 62 | ``content`` keywords, ``Sagan`` will use them in the order they are placed in the rule. You will 63 | want to use the least matched keywords as the first ``content``. For example: 64 | 65 | :: 66 | 67 | # This will use more CPU because "login" is common. 68 | 69 | content: "login"; content: "mary"; 70 | 71 | # This will use less CPU because "mary" is likely less common. 
72 | 73 | content: "mary"; content: "login"; 74 | 75 | The same logic applies to ``pcre`` and ``meta_content``. 76 | 77 | 78 | Rule order of execution 79 | ~~~~~~~~~~~~~~~~~~~~~~~~~ 80 | 81 | Sagan attempts to use the least CPU intensive rule options first. This means that if a ``Sagan`` rule 82 | has multiple ``content`` keywords and multiple ``pcre`` keywords, the ``content`` rule keywords are 83 | processed first. If the ``content`` keywords do not match, then there is no need to process the ``pcre`` 84 | keywords. The order of execution within a rule is as follows: 85 | 86 | The ``program`` field is the very first thing to be evaluated. 87 | 88 | The ``content`` is the next option Sagan takes into consideration. 89 | 90 | The ``meta_content`` is next. 91 | 92 | Finally the ``pcre`` option, which is considered the heaviest, is the last. 93 | 94 | 95 | -------------------------------------------------------------------------------- /doc/source/index.rst: -------------------------------------------------------------------------------- 1 | Sagan User Guide 2 | ================ 3 | 4 | .. toctree:: 5 | :numbered: 6 | :maxdepth: 2 7 | 8 | what-is-sagan 9 | install.rst 10 | command-line-options 11 | configuration 12 | 13 | rule-syntax 14 | rule-keywords 15 | 16 | saganpeek 17 | liblognorm 18 | 19 | sagan-json 20 | journald 21 | high-performance 22 | contributing-coding-style 23 | blogs/index 24 | articles 25 | getting-help 26 | todo 27 | 28 | -------------------------------------------------------------------------------- /doc/source/journald.rst: -------------------------------------------------------------------------------- 1 | Journald 2 | ======== 3 | 4 | What is "journald"? 5 | ~~~~~~~~~~~~~~~~~~~ 6 | 7 | Journald is a system for collecting logs and data from devices running "systemd". Many distributions 8 | have moved away from standard syslog services in favor of "journald". 
The concept is to replace standard 9 | "text"-based logging with a more "database"-like binary logging approach. 10 | 11 | While this method has advantages, there are several limitations. Software like "Sagan" doesn't natively 12 | read "journald" files. Journald also lacks the ability to send logs to a remote host. Journald relies on 13 | services like ``syslog-ng`` and ``rsyslog`` to send logs to a remote host. While there are some methods 14 | to send logs to a remote host via Journald, most are not mature and more of a "proof of concept" 15 | than a solution. This makes using a service like ``syslog-ng`` or ``rsyslog`` the best method to send 16 | logs generated by Journald. 17 | 18 | 19 | Analyzing journald logs locally 20 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 21 | 22 | Using the "Journald" command ``journalctl``, it is possible to create a JSON stream representing Journald 23 | data. Using Sagan's built-in JSON processing, it is possible to analyze this data. As Journald writes 24 | log data, ``journalctl`` converts it to JSON and sends it to ``stdout``. This can be redirected to 25 | a named pipe (FIFO). For example, ``journalctl -f -o json > /var/sagan/fifo/journald.fifo`` will direct 26 | log data to a named pipe which Sagan can read. Within the Sagan configuration file, you would want to 27 | set the following options:: 28 | 29 | input-type: json # pipe or json 30 | json-map: "$RULE_PATH/json-input.map" # mapping file if input-type: json 31 | json-software: journald # by "software" type. 32 | 33 | Analyzing journald logs remotely 34 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 35 | 36 | In situations where ``syslog-ng`` or ``rsyslog`` is not an option, you can use ``journalctl`` to send 37 | logs to a remote host in raw JSON. For example, ``journalctl -f -o json | nc 192.168.1.1 1514``. This 38 | would use ``netcat`` to send logs to 192.168.1.1 on port 1514. 
Your receiver would need to be configured 39 | to accept incoming connections and data in a __raw__ format (non-syslog). Note that ``netcat`` sends the log stream unencrypted and unauthenticated, so this approach is only suitable on a trusted network path. Sagan could then be used 40 | on the receiving side to analyze data from various devices. You would likely want to wrap ``journalctl`` 41 | in a script and infinite loop so ``journalctl`` will automatically restart if the TCP log connection is broken. 42 | 43 | -------------------------------------------------------------------------------- /doc/source/rule-syntax.rst: -------------------------------------------------------------------------------- 1 | Rule syntax 2 | =========== 3 | 4 | Sagan rule syntax is very similar to that of `Suricata <https://suricata-ids.org>`_ or `Snort <https://snort.org>`_ . This was intentionally done to maintain compatibility with rule management software like ``oinkmaster`` 5 | and ``pulledpork`` and allows Sagan to correlate log events with your Snort/Suricata IDS/IPS system. 6 | 7 | This also means that if you are already familiar with signature writing in Suricata and Snort, you already 8 | understand the Sagan syntax! 9 | 10 | To understand the basic Sagan rule syntax, we will be using the following simple rule. This section of the 11 | Sagan user guide only covers up to the first `rule option`. That is, this section will cover up to the 12 | ``msg`` portion of this rule only. The rest of the rule is considered ``rule options``. 13 | 14 | Basic Sagan rule:: 15 | 16 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of disk space"; pcre: "/file system full|No space left on device/i"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000116; sid:5000116; rev:2;) 17 | 18 | .. option:: alert 19 | 20 | This informs Sagan how to flag the event. Valid options are ``alert``, ``drop`` or ``pass``. When using the ``pass`` option and the signature's conditions are met, no other signatures are processed. 21 | 22 | .. 
option:: any 23 | 24 | Valid options for this field are ``any``, ``tcp``, ``udp`` or ``icmp``. In most cases, you will 25 | likely want to specify ``any``. The protocol is determined by the ``parse_proto``, ``parse_proto_program`` or liblognorm rule keywords. 26 | 27 | .. option:: $EXTERNAL_NET 28 | 29 | This informs Sagan where the source IP address or addresses must be coming from in order to trigger. By 30 | default the variable ``$EXTERNAL_NET`` is used. This is set in the ``sagan.yaml`` configuration file and 31 | defaults to ``any``. In most cases, "any" (any source) is what you want. In other cases, 32 | you might want the signature to trigger when it is from a particular host. For example: 33 | 34 | **192.168.1.1** 35 | 36 | Makes Sagan only trigger if the source of the event is from the address 192.168.1.1 (/32 is automatically 37 | assumed). You can also apply multiple networks. For example: 38 | 39 | **[192.168.1.0/24, 10.0.0.0/24]** 40 | 41 | Is valid and will only trigger if the network address is within 192.168.1.0/24 or 10.0.0.0/24. You can 42 | also apply *not* logic to the addresses. For example: 43 | 44 | **!192.168.1.1/32** 45 | 46 | This will only trigger when the IP address is *not* 192.168.1.1. 47 | 48 | This field is populated by whatever the source IP address within the log might be. For example, if the 49 | signature lacks ``parse_src_ip`` or ``normalize`` (see rule options), then the syslog source is adopted. 50 | If the ``parse_src_ip`` or ``normalize`` rule option is used, then data (if any) that is extracted from the 51 | log is used. 52 | 53 | .. option:: any 54 | 55 | The next ``any`` is the source port. If the ``normalize`` or ``default_src_port`` rule option is used, it will be applied here. This can be useful in filtering out certain subnets or syslog clients. 56 | 57 | .. option:: -> 58 | 59 | This would be the direction. From the $EXTERNAL_NET ``->`` $HOME_NET. 60 | 61 | .. 
option:: $HOME_NET 62 | 63 | This works similarly to how $EXTERNAL_NET functions. Rather than being the source of the traffic, this is 64 | the destination of the traffic. Like $EXTERNAL_NET, this is set in the ``sagan.yaml`` configuration file 65 | and defaults to ``any``. Also like $EXTERNAL_NET, network CIDR notation can be used (e.g., 192.168.1.0/24). 66 | Data for this is populated by the ``parse_dst_ip`` and ``normalize`` rule options. 67 | 68 | .. option:: any 69 | 70 | The final rule option is the destination port. If the ``normalize`` or ``default_dst_port`` rule option is used, it will be applied here. This can be useful in filtering out events from certain subnets. 71 | 72 | -------------------------------------------------------------------------------- /doc/source/saganpeek.rst: -------------------------------------------------------------------------------- 1 | Sagan Peek 2 | ========== 3 | 4 | What is "saganpeek" 5 | ------------------- 6 | 7 | ``saganpeek`` is a utility that allows you to "peek" into Sagan memory. The utility reads 8 | the Sagan ``mmap()`` files. It displays the data Sagan is currently using for ``after``, 9 | ``threshold``, ``flexbits`` and ``xbits``. This information can be useful in debugging Sagan 10 | or simply to view what values are currently in memory. Running ``saganpeek`` from the command 11 | line without any flags will show all "active" data in memory. 12 | 13 | **Note: ``saganpeek`` will not display data in Redis. For example, if you are using 14 | Redis for ``xbits`` or ``flexbits``, this data will not be displayed.** 15 | 16 | 17 | ``saganpeek`` --help flags:: 18 | 19 | --[ saganpeek help ]--------------------------------------------------------- 20 | 21 | -t, --type threshold, after, xbit, track, all (default: all) 22 | -h, --help This screen. 23 | -i, --ipc IPC source directory. 
(default: /var/sagan/ipc) 24 | 25 | Building "saganpeek" 26 | -------------------- 27 | 28 | After building Sagan, simply change into the ``tools/`` directory and run ``make`` and then 29 | ``make install``. 30 | 31 | -------------------------------------------------------------------------------- /doc/source/todo.rst: -------------------------------------------------------------------------------- 1 | TODO 2 | ==== 3 | 4 | - Documentation on new JSON decoders. (did json-input) 5 | - Better documentation on syslog-ng, rsyslog and nxlog setup (pipe and JSON) 6 | - external now powered by json 7 | 8 | -------------------------------------------------------------------------------- /doc/source/what-is-sagan.rst: -------------------------------------------------------------------------------- 1 | What is Sagan? 2 | ============== 3 | 4 | Sagan is a log analysis engine. It was designed with a Security Operations Center (SOC) in mind. 5 | This makes Sagan’s operations different from most log analysis tools. Sagan is designed and meant to analyze 6 | logs across many different platforms in many different locations. A driving principle behind Sagan is for 7 | it to do the “heavy lifting” analysis before putting the event in front of a human. Another driving principle 8 | is to do all analysis of logs in “real time”. This is also a differentiating factor of Sagan. In a SOC 9 | environment, waiting for hours for analysis simply isn’t an option. Delaying analysis gives an attacker an advantage in that they will have been in your network undetected during that lag time. If you are a security professional reading this, you likely understand the real-time aspects of packet analysis. For example, security professionals would never accept prolonged delays in our Intrusion Detection and Intrusion Prevention engines. Nor would reasonable security professionals find it acceptable to analyze packet data the next day for security related events. 
With this in mind, we demand our packet analysis engines to work in real time or close to it. This premise is how projects like Snort (https://snort.org) and Suricata (https://suricata-ids.org) function. 10 | 11 | Sagan treats log data similar to how IDS or IPS treats packet data. In fact, Sagan treats the data so similarly, that Sagan rules can confuse even the most seasoned security professionals. 12 | 13 | 14 | 15 | License 16 | ------- 17 | 18 | Sagan is licensed under the GNU/GPL version 2. 19 | -------------------------------------------------------------------------------- /etc/sagan.8: -------------------------------------------------------------------------------- 1 | .\" Hey, EMACS: -*- nroff -*- 2 | .\" First parameter, NAME, should be all caps 3 | .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection 4 | .\" other parameters are allowed: see man(7), man(1) 5 | .TH SAGAN 8 "April 15, 2012" 6 | .\" Please adjust this date whenever revising the manpage. 7 | .\" 8 | .\" Some roff macros, for reference: 9 | .\" .nh disable hyphenation 10 | .\" .hy enable hyphenation 11 | .\" .ad l left justify 12 | .\" .ad b justify to both left and right margins 13 | .\" .nf disable filling 14 | .\" .fi enable filling 15 | .\" .br insert line break 16 | .\" .sp insert n+1 empty lines 17 | .\" for manpage-specific macros, see man(7) 18 | .SH NAME 19 | sagan \- Real-time System & Event Log Monitoring System 20 | .SH SYNOPSIS 21 | .B sagan 22 | .RI [ options ] 23 | .br 24 | .SH DESCRIPTION 25 | This manual page documents briefly the 26 | .B sagan 27 | command. 28 | .PP 29 | .\" TeX users may be more comfortable with the \fB\fP and 30 | .\" \fI\fP escape sequences to invode bold face and italics, 31 | .\" respectively. 32 | \fBsagan\fP is a multi-threaded, real time system- and event-log monitoring 33 | system, but with a twist. Sagan uses a "Snort" like rule set for 34 | detecting malicious events happening on your network and/or computer 35 | systems. 
36 | .br 37 | If Sagan detects a potentially bad event, that event can be stored to a 38 | Snort database (MySQL/PostgreSQL), sent to a SIEM tool like Prelude, 39 | or sent via email. 40 | .br 41 | Sagan is meant to be used in a "centralized" logging environment, but 42 | will work fine as part of a standalone Host IDS system for workstations. 43 | .SH OPTIONS 44 | These programs follow the usual GNU command line syntax, with long 45 | options starting with two dashes (`\-\-'). 46 | A summary of options is included below. 47 | .TP 48 | .B \-h, \-\-help 49 | Show summary of options. 50 | .TP 51 | .B \-d, \-\-debug [option] 52 | Enable debugging. Options are engine, syslog, load, fwsam, external, threads, ipc, limits, malformed, xbit, flexbit, brointel, parse_ip, client-stats. 53 | Also if compiled in: smtp, normalize, plog, bluedot, geoip, redis, json 54 | .TP 55 | .B \-D, \-\-daemon 56 | Make process a daemon (fork to the background) 57 | .TP 58 | .B \-u, \-\-user [username] 59 | Run as user (defaults to 'sagan') 60 | .TP 61 | .B \-c, \-\-chroot [directory] 62 | Chroots the Sagan process to the specified directory 63 | .TP 64 | .B \-f, \-\-config [file] 65 | Sagan configuration file to load 66 | .TP 67 | .B \-F, \-\-file [file] 68 | Sagan FIFO override. This forces Sagan to read from a FILE rather than a FIFO. The FILE needs to be in the Sagan format! 69 | .TP 70 | .B \-l, \-\-log [file] 71 | Set log file location and name. 72 | .SH AUTHOR 73 | Sagan was written by Champ Clark III 74 | .PP 75 | This manual page was written by Pierre Chifflier , 76 | for the Debian project (and may be used by others). 77 | 78 | 79 | -------------------------------------------------------------------------------- /extra/README: -------------------------------------------------------------------------------- 1 | These are "extra" resources that can be used with Sagan. 2 | 3 | sagan-gtk - Displays a GTK/X11 "popup" window of a Sagan alert.
[External 4 | plugin for Sagan] 5 | 6 | sagan-notify - Uses the libnotify X11/GTK function to create a temporary 7 | "popup" message. [External Plugin for Sagan] 8 | 9 | ossec-sagan.pl - This utility takes a series of OSSEC rules, and generates 10 | a series of compatible SAGAN rules. This was written 11 | by Michael Iverson. [OSSEC to Sagan conversion utility] 12 | 13 | RPM - Example RPM spec and system files to build Sagan RPM package 14 | for CentOS 7 15 | 16 | rsyslog - Configuration to send rsyslog data to Sagan. Place this 17 | file in /etc/rsyslog.d 18 | 19 | nxfifo - Program that allows NXlog (http://nxlog.co) to read named 20 | pipes/FIFO's properly. 21 | 22 | -------------------------------------------------------------------------------- /extra/RPM/README: -------------------------------------------------------------------------------- 1 | Example RPM spec and system files for CentOS 7. 2 | 3 | To prepare source tarballs from the Git repository execute the following commands: 4 | 5 | 1. For the Sagan 6 | cd ~/rpmbuild/SOURCES 7 | git clone https://github.com/beave/sagan.git sagan-1.0.0RC5 8 | tar --exclude='.git*' -czf sagan-1.0.0RC5.tar.gz sagan-1.0.0RC5 9 | 10 | 2. For the Sagan Rules 11 | cd ~/rpmbuild/SOURCES 12 | git clone https://github.com/beave/sagan-rules.git 13 | tar --exclude='.git*' -czf "sagan-rules-`git -C sagan-rules rev-parse --short HEAD`.tar.gz" sagan-rules 14 | -------------------------------------------------------------------------------- /extra/RPM/sagan-setup.libexec: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | config="$1" 4 | 5 | if [ ! -f "$config" ]; then 6 | echo "config file '$config' does not exist" 7 | exit 1 8 | fi 9 | 10 | while read a b c; do 11 | if [ "$a" = "var" -a "$b" = "FIFO" ]; then 12 | fifo="$c" 13 | fi 14 | done < "$config" 15 | 16 | if [ -z "$fifo" ]; then 17 | echo "var FIFO is not defined" 18 | exit 1 19 | fi 20 | 21 | if [ ! 
-p "$fifo" ]; then 22 | if ! mkfifo "$fifo" 2>/dev/null; then 23 | echo "can't create fifo '$fifo'" 24 | exit 1 25 | fi 26 | fi 27 | 28 | chmod 0750 "$fifo" 29 | -------------------------------------------------------------------------------- /extra/RPM/sagan.logrotate: -------------------------------------------------------------------------------- 1 | /var/log/sagan/alert 2 | /var/log/sagan/sagan.log 3 | /var/log/sagan/sagan.stats 4 | { 5 | compress 6 | delaycompress 7 | missingok 8 | notifempty 9 | sharedscripts 10 | postrotate 11 | /sbin/service sagan reload 2>/dev/null || true 12 | endscript 13 | } 14 | -------------------------------------------------------------------------------- /extra/RPM/sagan.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Sagan daemon 3 | Documentation=man:sagan(8) 4 | Before=rsyslog.service syslog-ng.service 5 | 6 | [Service] 7 | Environment=CONFIG=/etc/sagan/sagan.conf 8 | ExecStartPre=/usr/libexec/sagan/sagan-setup $CONFIG 9 | ExecStart=/usr/sbin/sagan -f $CONFIG 10 | ExecReload=/bin/kill -HUP $MAINPID 11 | Restart=on-failure 12 | StandardOutput=null 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /extra/RPM/sagan.spec: -------------------------------------------------------------------------------- 1 | %define sagan_user sagan 2 | %define sagan_group sagan 3 | %define sagan_rules 4146f4f 4 | 5 | Name: sagan 6 | Version: 1.0.0RC5 7 | Release: 1%{?dist} 8 | Summary: High performance, real-time log analysis & correlation engine 9 | 10 | Group: Applications/System 11 | License: GPLv2 12 | URL: http://sagan.quadrantsec.com/ 13 | Source0: http://sagan.quadrantsec.com/download/%{name}-%{version}.tar.gz 14 | Source1: %{name}-rules-%{sagan_rules}.tar.gz 15 | Source2: %{name}.logrotate 16 | Source3: %{name}.service 17 | Source4: %{name}.tmpfiles 18 | Source5: %{name}-setup.libexec 19 | 
Patch0: %{name}-sagan.conf.patch 20 | 21 | BuildRequires: GeoIP-devel 22 | BuildRequires: json-c-devel 23 | BuildRequires: libdnet-devel 24 | BuildRequires: libesmtp-devel 25 | BuildRequires: liblognorm1-devel >= 1.0.0 26 | BuildRequires: pcre-devel 27 | 28 | Requires: %{name}-rules 29 | 30 | %systemd_requires 31 | 32 | 33 | %description 34 | Sagan is an open source (GNU/GPLv2) multi-threaded, high performance, real-time 35 | log analysis & correlation engine developed by Quadrant Information Security 36 | that runs on Unix operating systems. It is written in C and uses a 37 | multi-threaded architecture to deliver high performance log & event analysis. 38 | Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS 39 | engine. This allows Sagan to be compatible with Snort rule management software 40 | and give Sagan the ability to correlate with Snort IDS/IPS data. Sagan can 41 | record events to the Snort unified2 output format which makes Sagan compatible 42 | with user interfaces such as Snorby, Sguil, BASE and proprietary consoles. 43 | 44 | Sagan supports different output formats for reporting and analysis, log 45 | normalization, script execution on event detection, automatic firewall support 46 | via Snortsam, GeoIP detection/alerting, multi-line log support, and time 47 | sensitive alerting. 48 | 49 | 50 | %package rules 51 | Release: 1.git%{sagan_rules}%{?dist} 52 | Summary: Sagan engine rule sets 53 | 54 | Group: Applications/System 55 | 56 | BuildArch: noarch 57 | 58 | 59 | %description rules 60 | This package contains the Sagan engine rule sets. You probably won't find these 61 | useful unless you're actually using Sagan. 
62 | 63 | 64 | %prep 65 | %setup -q 66 | %patch -P0 -p1 67 | 68 | 69 | %build 70 | %configure \ 71 | --sysconfdir=%{_sysconfdir}/%{name} \ 72 | --enable-esmtp \ 73 | --enable-geoip \ 74 | --enable-libdnet \ 75 | --enable-lognorm \ 76 | --enable-snortsam 77 | make %{?_smp_mflags} 78 | 79 | 80 | %install 81 | make install DESTDIR=%{buildroot} 82 | rm -rf %{buildroot}%{_bindir} 83 | tar -xzf %{S:1} -C %{buildroot}%{_sysconfdir}/%{name} 84 | install -D -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} 85 | install -D -m 0644 %{S:3} %{buildroot}%{_unitdir}/%{name}.service 86 | install -D -m 0644 %{S:4} %{buildroot}%{_tmpfilesdir}/%{name}.conf 87 | install -D -m 0755 %{S:5} %{buildroot}%{_libexecdir}/%{name}/%{name}-setup 88 | 89 | 90 | %pre 91 | getent group %{sagan_group} >/dev/null || \ 92 | groupadd -r %{sagan_group} 93 | 94 | getent passwd %{sagan_user} >/dev/null || \ 95 | useradd -c "Sagan daemon" -d %{_localstatedir}/run/%{name} \ 96 | -g %{sagan_group} -M -r -s /sbin/nologin %{sagan_user} 97 | 98 | 99 | %post 100 | %tmpfiles_create %{name}.conf 101 | %systemd_post %{name}.service 102 | 103 | 104 | %preun 105 | %systemd_preun %{name}.service 106 | 107 | 108 | %postun 109 | %systemd_postun_with_restart %{name}.service 110 | 111 | 112 | %files 113 | %defattr(0644, root, root, 0755) 114 | %doc AUTHORS ChangeLog COPYING FAQ INSTALL NEWS README TODO 115 | %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} 116 | %attr(0640, root, %{sagan_group}) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf 117 | %attr(0750, root, %{sagan_group}) %dir %{_sysconfdir}/%{name} 118 | %attr(0750, %{sagan_user}, %{sagan_group}) %dir %{_localstatedir}/log/%{name} 119 | %attr(0750, %{sagan_user}, %{sagan_group}) %dir %{_localstatedir}/run/%{name} 120 | %dir %{_libexecdir}/%{name} 121 | %attr(0755, root, root) %{_libexecdir}/%{name}/%{name}-setup 122 | %attr(0755, root, root) %{_sbindir}/%{name} 123 | %{_mandir}/man8/sagan.8.gz 124 | %{_tmpfilesdir}/%{name}.conf 125 | 
%{_unitdir}/%{name}.service 126 | 127 | 128 | %files rules 129 | %defattr(0644, root, root, 0755) 130 | %config(noreplace) %{_sysconfdir}/%{name}/%{name}-rules 131 | 132 | 133 | %changelog 134 | * Fri May 8 2015 Aleksey Chudov - 1.0.0RC5 135 | - Build sagan-rules subpackage 136 | * Fri Apr 17 2015 Aleksey Chudov - 1.0.0RC5 137 | - Initial spec 138 | -------------------------------------------------------------------------------- /extra/RPM/sagan.tmpfiles: -------------------------------------------------------------------------------- 1 | d /var/run/sagan 0750 sagan sagan - 2 | -------------------------------------------------------------------------------- /extra/barnyard2/barnyard2.cli.conf: -------------------------------------------------------------------------------- 1 | # this is not hard, only unified2 is supported ;) 2 | input unified2 3 | 4 | # Step 3: setup the output plugins 5 | 6 | output alert_fast: stdout 7 | -------------------------------------------------------------------------------- /extra/barnyard2/barnyard2.snorby.conf: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------- 2 | # Barnyard2 configuration file 3 | #------------------------------------------------------------- 4 | 5 | # Use flag settings "-D -f sagan.u2 -d /var/log/sagan -c /usr/local/etc/barnyard2.snorby.conf" # NOTE: the database password in the "output database:" line below is an example placeholder. Replace it, and because the credential is stored in clear text, keep this file readable only by the user barnyard2 runs as (e.g. mode 0600). 6 | 7 | config reference_file: /usr/local/etc/sagan-rules/reference.config 8 | config classification_file: /usr/local/etc/sagan-rules/classification.config 9 | config sid_file: /usr/local/etc/sagan-rules/sagan-sid-msg.map 10 | config hostname: sagan 11 | config interface: misc 12 | config waldo_file: /var/log/sagan/barnyard2.waldo 13 | 14 | input unified2 15 | output database: log, mysql, user=snorby password=s3cr3tsauce dbname=snorby host=snorby 16 | -------------------------------------------------------------------------------- /extra/bluedot/etc/bluedot-config.php:
-------------------------------------------------------------------------------- 1 | 16 | -------------------------------------------------------------------------------- /extra/bluedot/sql/bluedot.sql: -------------------------------------------------------------------------------- 1 | -- 2 | -- Table structure for table `q_filename_rep` 3 | -- 4 | 5 | DROP TABLE IF EXISTS `q_filename_rep`; 6 | /*!40101 SET @saved_cs_client = @@character_set_client */; 7 | /*!40101 SET character_set_client = utf8 */; 8 | CREATE TABLE `q_filename_rep` ( 9 | `filename` varchar(255) DEFAULT NULL, 10 | `reputation` int(11) DEFAULT NULL, 11 | `s_id` mediumint(8) unsigned DEFAULT NULL, 12 | `fingerprint` varchar(100) DEFAULT NULL, 13 | `comments` varchar(1024) DEFAULT NULL, 14 | `rep_source` varchar(128) DEFAULT NULL, 15 | `rep_published` datetime DEFAULT NULL, 16 | `rep_last_status` datetime DEFAULT NULL, 17 | KEY `filename` (`filename`) 18 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 19 | /*!40101 SET character_set_client = @saved_cs_client */; 20 | 21 | -- 22 | -- Table structure for table `q_hash_rep` 23 | -- 24 | 25 | DROP TABLE IF EXISTS `q_hash_rep`; 26 | /*!40101 SET @saved_cs_client = @@character_set_client */; 27 | /*!40101 SET character_set_client = utf8 */; 28 | CREATE TABLE `q_hash_rep` ( 29 | `hash` varchar(256) DEFAULT NULL, 30 | `reputation` int(11) DEFAULT NULL, 31 | `s_id` mediumint(8) unsigned DEFAULT NULL, 32 | `fingerprint` varchar(200) DEFAULT NULL, 33 | `comments` varchar(1024) DEFAULT NULL, 34 | `rep_source` varchar(128) DEFAULT NULL, 35 | `rep_published` datetime DEFAULT NULL, 36 | `rep_last_status` datetime DEFAULT NULL, 37 | KEY `hash` (`hash`) 38 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 39 | /*!40101 SET character_set_client = @saved_cs_client */; 40 | 41 | -- 42 | -- Table structure for table `q_ip_rep` 43 | -- 44 | 45 | DROP TABLE IF EXISTS `q_ip_rep`; 46 | /*!40101 SET @saved_cs_client = @@character_set_client */; 47 | /*!40101 SET character_set_client = utf8 
*/; 48 | CREATE TABLE `q_ip_rep` ( 49 | `ip_address` varchar(46) DEFAULT NULL, 50 | `reputation` int(11) DEFAULT NULL, 51 | `s_id` mediumint(8) unsigned DEFAULT NULL, 52 | `fingerprint` varchar(100) DEFAULT NULL, 53 | `comments` varchar(1024) DEFAULT NULL, 54 | `rep_source` varchar(128) DEFAULT NULL, 55 | `rep_published` datetime DEFAULT NULL, 56 | `rep_last_status` datetime DEFAULT NULL, 57 | KEY `ip_address` (`ip_address`) 58 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 59 | /*!40101 SET character_set_client = @saved_cs_client */; 60 | 61 | -- 62 | -- Table structure for table `q_ja3_rep` 63 | -- 64 | 65 | DROP TABLE IF EXISTS `q_ja3_rep`; 66 | /*!40101 SET @saved_cs_client = @@character_set_client */; 67 | /*!40101 SET character_set_client = utf8 */; 68 | CREATE TABLE `q_ja3_rep` ( 69 | `ja3` varchar(32) DEFAULT NULL, 70 | `reputation` int(11) DEFAULT NULL, 71 | `s_id` mediumint(8) unsigned DEFAULT NULL, 72 | `fingerprint` varchar(100) DEFAULT NULL, 73 | `comments` varchar(1024) DEFAULT NULL, 74 | `rep_source` varchar(128) DEFAULT NULL, 75 | `rep_published` datetime DEFAULT NULL, 76 | `rep_last_status` datetime DEFAULT NULL, 77 | KEY `ja3` (`ja3`) 78 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 79 | /*!40101 SET character_set_client = @saved_cs_client */; 80 | 81 | -- 82 | -- Table structure for table `q_url_rep` 83 | -- 84 | 85 | DROP TABLE IF EXISTS `q_url_rep`; 86 | /*!40101 SET @saved_cs_client = @@character_set_client */; 87 | /*!40101 SET character_set_client = utf8 */; 88 | CREATE TABLE `q_url_rep` ( 89 | `url` varchar(10000) DEFAULT NULL, 90 | `reputation` int(11) DEFAULT NULL, 91 | `s_id` mediumint(8) unsigned DEFAULT NULL, 92 | `fingerprint` varchar(200) DEFAULT NULL, 93 | `comments` varchar(1024) DEFAULT NULL, 94 | `rep_source` varchar(128) DEFAULT NULL, 95 | `rep_published` datetime DEFAULT NULL, 96 | `rep_last_status` datetime DEFAULT NULL, 97 | KEY `url` (`url`) 98 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 99 | /*!40101 SET character_set_client = 
@saved_cs_client */; 100 | 101 | -------------------------------------------------------------------------------- /extra/external-test/external-program: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | ############################################################################## 4 | # This is a simple program that will take data from Sagan's "external" rule 5 | # option and decode the JSON. The "external" program is called when a Sagan 6 | # rule is triggered. This can be useful for having Sagan perform an 7 | # operation when a specific log event or events occurs. 8 | # 9 | # NOTE: this is a test/example program only. It appends to a predictable path 10 | # under the shared /tmp directory (/tmp/myprogram.<pid>) and follows symlinks, 11 | # so a real handler should write to a directory only its own user can write 12 | # to (or use File::Temp). decode_json() dies on malformed input, so a real 13 | # handler should also wrap it in eval {} rather than let one bad line end 14 | # the process. 15 | # 16 | # Champ Clark III 17 | # 18 | # 2015/08/05 - (original non-JSON format) 19 | # 2019/03/22 - (New JSON format support) 20 | ############################################################################## 21 | 22 | use JSON; 23 | use warnings; 24 | 25 | my $filename = "/tmp/myprogram.$$"; 26 | my $json_d; 27 | 28 | $SIG{'INT'} = \&signal_handler; 29 | $SIG{'TERM'} = \&signal_handler; 30 | $SIG{'HUP'} = \&signal_handler; 31 | 32 | open(MYFILE, ">> $filename") || die "Cannot open $filename!\n"; 33 | 34 | # Wait on stdin and collect the incoming json. 35 | 36 | while (<>) { 37 | 38 | $json_d = decode_json($_); 39 | 40 | print MYFILE "Signature: " . $json_d->{alert}->{signature} . "\n"; 41 | print MYFILE "Signature ID: " . $json_d->{alert}->{signature_id} . "\n"; 42 | print MYFILE "Rev: " . $json_d->{alert}->{rev} . "\n"; 43 | print MYFILE "Severity: " . $json_d->{alert}->{severity} . "\n"; 44 | print MYFILE "Category: " . $json_d->{alert}->{category} . "\n"; 45 | print MYFILE "Timestamp: " . $json_d->{timestamp} . "\n"; 46 | print MYFILE "Event Type: " . $json_d->{event_type} . "\n"; 47 | print MYFILE "Flow ID: " . $json_d->{flow_id} . "\n"; 48 | print MYFILE "Interface: " . $json_d->{in_iface} . "\n"; 49 | print MYFILE "Source IP: " . $json_d->{src_ip} . "\n"; 50 | print MYFILE "Source Port: " . $json_d->{src_port} .
"\n"; 44 | print MYFILE "Destination IP: " . $json_d->{dest_ip} . "\n"; 45 | print MYFILE "Destination Port: " . $json_d->{dest_port} . "\n"; 46 | print MYFILE "Protocol: " . $json_d->{proto} . "\n"; 47 | print MYFILE "Facility: " . $json_d->{facility} . "\n"; 48 | print MYFILE "Level: " . $json_d->{level} . "\n"; 49 | print MYFILE "Priority: " . $json_d->{priority} . "\n"; 50 | print MYFILE "Program: " . $json_d->{program} . "\n"; 51 | print MYFILE "Host: " . $json_d->{host} . "\n"; 52 | 53 | # Normalized data is nested in the external JSON. With that in mind, 54 | # you will need to specify the keys you want. For example, if Sagan 55 | # is normalizing the "username" from the log, you would pull the 56 | # $json_d->{normalize}->{username}. 57 | 58 | } 59 | 60 | close(MYFILE); 61 | exit(0); 62 | 63 | sub signal_handler { 64 | close(MYFILE); 65 | exit(0); 66 | } 67 | 68 | -------------------------------------------------------------------------------- /extra/nxfifo/nxfifo.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2023 Quadrant Information Security 3 | ** Copyright (C) 2009-2023 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 
15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* Unlike rsyslog & syslog-ng, NXLog (http://nxlog.co) does not 22 | ** natively handle named pipes/FIFOs. Attempts at using the om_file 23 | ** didn't work very well. This small program uses NXLog's "om_exec" to 24 | ** properly deal with FIFO input/output. It sets the FIFO size to the 25 | ** max (MAX_FIFO_SIZE) and writes data as it is received to the FIFO 26 | ** in a non-blocking format. In your nxlog.conf, add an output module 27 | ** like this: 28 | 29 | 30 | Module om_exec 31 | Command /usr/local/bin/nxfifo 32 | Arg /var/sagan/fifo/sagan-network.fifo 33 | 34 | 35 | ** Replace "/var/sagan/fifo/sagan-network.fifo" with your FIFO location 36 | ** 37 | ** To build this program, simply type "make nxfifo". 38 | ** 39 | ** Caveats: the FIFO is switched to O_NONBLOCK and the write() in the 40 | ** main loop does not check its return value, so when the FIFO is full 41 | ** (Sagan not running or not keeping up) write() fails with EAGAIN or 42 | ** returns a short count and the log line is silently dropped. The 43 | ** result of fcntl(F_SETPIPE_SZ) is likewise not checked; on Linux it 44 | ** fails for an unprivileged process if MAX_FIFO_SIZE exceeds 45 | ** /proc/sys/fs/pipe-max-size. SIGSTOP cannot be caught, so that 46 | ** signal() call has no effect, and the handler itself calls fprintf() 47 | ** and exit(), which are not async-signal-safe. 48 | ** 49 | **/ 50 | 51 | #define _GNU_SOURCE 52 | 53 | #include 54 | #include 55 | #include 56 | #include 57 | #include 58 | #include 59 | #include 60 | #include 61 | 62 | #define MAX_FIFO_SIZE 1048576 63 | #define BUFFER_SIZE 10240 64 | 65 | /* Globals */ 66 | 67 | int fd; 68 | 69 | /* Prototypes */ 70 | 71 | void sig_handler(int sig); 72 | 73 | int main(int argc, char **argv) 74 | { 75 | 76 | int current_fifo_size; 77 | int fd_results; 78 | 79 | char input[BUFFER_SIZE+1] = { 0 }; 80 | 81 | signal(SIGINT, sig_handler); 82 | signal(SIGHUP, sig_handler); 83 | signal(SIGTERM, sig_handler); 84 | signal(SIGBUS, sig_handler); 85 | signal(SIGALRM, sig_handler); 86 | signal(SIGSTOP, sig_handler); 87 | signal(SIGSEGV, sig_handler); 88 | signal(SIGUSR1, sig_handler); 89 | signal(SIGUSR2, sig_handler); 90 | 91 | if ( argc != 2 ) 92 | { 93 | fprintf(stderr, "Error: No FIFO specified!\n"); 94 | exit(-1); 95 | } 96 | 97 | fd = open(argv[1], O_RDWR); 98 | 99 | if ( fd < 0 ) 100 | { 101 | fprintf(stderr, "Cannot open %s.
Abort\n", argv[1]); 92 | exit(-1); 93 | } 94 | 95 | 96 | current_fifo_size = fcntl(fd, F_GETPIPE_SZ); 97 | fd_results = fcntl(fd, F_SETPIPE_SZ, MAX_FIFO_SIZE); 98 | fcntl(fd, F_SETFL, O_NONBLOCK); 99 | 100 | printf("The %s fifo was %d, not set to %d\n", argv[1], current_fifo_size, MAX_FIFO_SIZE); 101 | 102 | while(1) 103 | { 104 | 105 | 106 | if ( !fgets(input, BUFFER_SIZE, stdin)) 107 | { 108 | fprintf(stderr, "Error getting input\n"); 109 | exit(-1); 110 | }; 111 | 112 | write(fd, input, strlen(input)); 113 | 114 | } 115 | 116 | } 117 | 118 | void sig_handler(int sig) 119 | { 120 | fprintf(stderr, "\nCaught signal %d\n", sig); 121 | close(fd); 122 | exit(0); 123 | } 124 | 125 | 126 | -------------------------------------------------------------------------------- /extra/pulledpork/pulledpork.sagan.conf: -------------------------------------------------------------------------------- 1 | # Pulled Pork Configuration for Sagan 2 | # pulledpork.pl -d -T -vv -c pulledpork.conf 3 | # NOTE: rule_url below fetches the rule tarball over plain HTTP with no signature or checksum check. A tampered rule set can silence detections or, through the "external" rule option, run programs of the attacker's choosing, so prefer an https:// URL or a mirror you control, and review sid_changelog after each update. 4 | 5 | rule_url=http://sagan.softwink.com/rules/|sagan-rules-current.tar.gz|open 6 | ignore=deleted.rules,experimental.rules,local.rules 7 | 8 | temp_path=/tmp 9 | rule_path=/usr/local/etc/sagan-rules/sagan.rules 10 | local_rules=/usr/local/etc/sagan-rules/local.rules 11 | 12 | sid_msg=/usr/local/etc/sagan-rules/sagan-sid-msg.map 13 | sid_changelog=/var/log/sid_changes.log 14 | 15 | snort_path=/usr/local/sbin/sagan 16 | config_path=/usr/local/etc/sagan.conf 17 | disablesid=/usr/local/etc/pulledpork/disablesid.conf 18 | 19 | distro=FreeBSD-8.1 20 | version=0.6.0 -------------------------------------------------------------------------------- /extra/qdee/README.md: -------------------------------------------------------------------------------- 1 | qdee - (Pronounced - "Q Dee"). This program collects IDS/IPS (and syslog!) 2 | events from a Cisco device using the SDEE protocol. Events pulled from the 3 | Cisco device are then sent to a syslog.
Sagan can then use its rules to 4 | detect the events. 5 | 6 | Written By Champ Clark III (cclark@quadrantsec.com) 7 | Largely based off of "ids_sdee" (unknown author) 8 | 9 | -------------------------------------------------------------------------------- /extra/rc.d-freebsd/sagan: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # PROVIDE: sagan 4 | # REQUIRE: DAEMON 5 | # BEFORE: LOGIN 6 | # KEYWORD: shutdown 7 | 8 | # Add the following lines to /etc/rc.conf to enable sagan: 9 | # sagan_enable (bool): Set to YES to enable sagan 10 | # Default: NO 11 | # sagan_flags (str): Extra flags passed to sagan 12 | # Default: -D -u $sagan_user 13 | # Note: setting sagan_flags replaces this default entirely, so add 14 | # -u $sagan_user yourself if you need a non-default user. 15 | # sagan_user (str): Run Sagan as this user (only applied via the default sagan_flags) 16 | # Default: sagan 17 | # sagan_conf (str): sagan configuration file 18 | # Default: /usr/local/etc/sagan.conf 19 | 20 | . /etc/rc.subr 21 | 22 | name="sagan" 23 | rcvar=sagan_enable 24 | extra_commands=reload 25 | 26 | command="/usr/local/sbin/sagan" 27 | 28 | load_rc_config $name 29 | 30 | [ -z "$sagan_enable" ] && sagan_enable="NO" 31 | [ -z "$sagan_conf" ] && sagan_conf="/usr/local/etc/sagan.conf" 32 | [ -z "$sagan_user" ] && sagan_user="sagan" 33 | [ -z "$sagan_flags" ] && sagan_flags="-D -u $sagan_user" 34 | 35 | [ -n "$sagan_conf" ] && sagan_flags="$sagan_flags -f $sagan_conf" 36 | 37 | pidfile="/var/run/sagan/sagan.pid" 38 | 39 | run_rc_command "$1" 40 | 41 | 42 | -------------------------------------------------------------------------------- /extra/rsyslog/sagan.conf: -------------------------------------------------------------------------------- 1 | # Template and fifo for sending rsyslog data to sagan 2 | # This file can go in /etc/rsyslog.d/ 3 | 4 | $template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n" 5 | 6 | *.* |/var/run/sagan.fifo;sagan 7 |
-------------------------------------------------------------------------------- /extra/sagan-gtk/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | PROGRAM = sagan-gtk 3 | PROGRAM_FILES = sagan-gtk.c 4 | 5 | CFLAGS += -g 6 | LDFLAGS += -g 7 | LIBS += 8 | GTKFLAGS := $(shell pkg-config --cflags --libs gtk+-2.0 gthread-2.0) 9 | 10 | all: $(PROGRAM) 11 | 12 | %: %.c 13 | $(CC) $(PROGRAM_FILES) $(CFLAGS) $(LDFLAGS) $(GTKFLAGS) -o $(PROGRAM) $(LIBS) 14 | 15 | clean: 16 | @rm -rf $(PROGRAM) 17 | 18 | -------------------------------------------------------------------------------- /extra/sagan-gtk/sagan-gtk.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2023 Quadrant Information Security 3 | ** Copyright (C) 2009-2023 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* sagan-gtk.c 22 | * This program is called via the Sagan configuration option 'output external:'. 23 | * Using GTK, this creates a "popup" window when a Sagan event 24 | * is triggered. * NOTE: the alert text read from stdin is handed to gtk_label_set_markup(), which parses it as Pango markup. Log-derived text containing '<', '>' or '&' is therefore interpreted as markup (or fails to render) instead of being shown literally; use gtk_label_set_text(), or escape the text with g_markup_escape_text() first, if the alert content is not trusted.
25 | */ 26 | 27 | #include 28 | #include 29 | #include 30 | 31 | #define MAX_BUF 10240 32 | 33 | static void destroy( GtkWidget *, gpointer ); 34 | 35 | int main() 36 | { 37 | 38 | GtkWidget *window; 39 | GtkWidget *label; 40 | 41 | char input[MAX_BUF]="\0"; 42 | char messageit[MAX_BUF]="\0"; 43 | 44 | while (fgets(input, MAX_BUF-1, stdin)) 45 | { 46 | strncat(messageit, input, MAX_BUF-1-strlen(messageit)); 47 | } 48 | 49 | messageit[MAX_BUF-1] = '\0'; /* Avoid overflow and null terminates */ 50 | 51 | gtk_init(NULL,NULL); 52 | window = gtk_window_new(GTK_WINDOW_TOPLEVEL); 53 | label = gtk_label_new(NULL); 54 | 55 | g_signal_connect (window, "destroy", G_CALLBACK (destroy), NULL); 56 | 57 | gtk_window_set_title(GTK_WINDOW(window), "Sagan Alert Message"); 58 | gtk_label_set_markup(GTK_LABEL(label), messageit ); 59 | gtk_label_set_justify(GTK_LABEL(label), GTK_JUSTIFY_LEFT); 60 | gtk_container_add(GTK_CONTAINER(window), label); 61 | gtk_widget_show(label); 62 | 63 | gtk_window_set_default_size(GTK_WINDOW(window), 300, 100); 64 | gtk_widget_show_all(window); 65 | gtk_main(); 66 | return 0; 67 | } 68 | 69 | static void destroy( GtkWidget *widget, gpointer data ) 70 | { 71 | gtk_main_quit (); 72 | } 73 | 74 | -------------------------------------------------------------------------------- /extra/sagan-notify/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | PROGRAM = sagan-notify 3 | PROGRAM_FILES = sagan-notify.c 4 | 5 | CFLAGS += -g 6 | LDFLAGS += -g 7 | LIBS += -lnotify 8 | GTKFLAGS := $(shell pkg-config --cflags gtk+-2.0 glib-2.0) 9 | 10 | all: $(PROGRAM) 11 | 12 | %: %.c 13 | $(CC) $(PROGRAM_FILES) $(CFLAGS) $(LDFLAGS) $(GTKFLAGS) -o $(PROGRAM) $(LIBS) 14 | 15 | clean: 16 | @rm -rf $(PROGRAM) 17 | 18 | -------------------------------------------------------------------------------- /extra/sagan-notify/sagan-notify.c: -------------------------------------------------------------------------------- 1 | /* 2 | 
** Copyright (C) 2009-2023 Quadrant Information Security 3 | ** Copyright (C) 2009-2023 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* sagan-notify.c 22 | * This program is called via the Sagan configuration option 'output external:' 23 | * option. Using libnotify, this creates a "popup" window when a Sagan event 24 | * is triggered. 
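*/

#include
#include
#include

#define MAX_BUF 10240

/*
 * Reads the alert text Sagan pipes in on stdin (it is invoked through the
 * 'output external:' option) and raises it as a desktop notification via
 * libnotify.  Returns 0 when the notification was handed to the
 * notification daemon, 1 on any failure.
 */

int main(void)
{

    char input[MAX_BUF]="\0";
    char messageit[MAX_BUF]="\0";

    const char *title="Sagan Alert";

    /* Accumulate stdin into messageit; the strncat bound is the room left
       in the buffer, so the total never exceeds MAX_BUF-1. */

    while (fgets(input, MAX_BUF-1, stdin))
        {
            strncat(messageit, input, MAX_BUF-1-strlen(messageit));
        }

    messageit[MAX_BUF-1] = '\0'; /* Avoid overflow and null terminates */

    NotifyNotification *n;

    if (!notify_init("Sagan"))
        {
            g_printerr("Failed to initialize libnotify.\n");
            return 1;
        }

    /* NOTE(review): some notification daemons interpret a subset of markup
       in the body, and the raw log text is passed through unchanged here,
       so a message containing '<' or '&' may render oddly.  Confirm against
       the daemon in use before relying on exact rendering. */

    n = notify_notification_new (title,messageit, NULL, NULL);
    notify_notification_set_timeout(n, 1000);

    /* g_error() is fatal (it aborts the process), so the "return 1" that
       followed it could never run and the notification object was never
       released.  Report the failure, clean up and return normally. */

    if (!notify_notification_show (n, NULL))
        {
            g_printerr("Failed to send notification.\n");
            g_object_unref(G_OBJECT(n));
            notify_uninit();
            return 1;
        }

    g_object_unref(G_OBJECT(n));
    notify_uninit();

    return 0;
}




--------------------------------------------------------------------------------
/extra/simple-offload-program/main.go:
--------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2023 Quadrant Information Security
** Copyright (C) 2009-2023 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.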
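*/

/* This is an example program of how "offload" works.  The "offload"
   keyword allows customer written programs to do analysis and report back
   to Sagan what it found.  Your program simply needs to accept inbound
   web connections (POST) and return "true" (fire an event) or "false"
   (don't fire).

   To build this program, type:

   $ go mod init simple-offload-program
   $ go mod tidy
   $ go build
   $ ./simple-offload-program

   By default, it listens on TCP/4444.  You can then write a signature that calls your
   program as part of the detection process.  For example:

   alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Test OFFLOAD signature"; content: "testing"; offload: "http://127.0.0.1:4444"; classtype:misc-attack; sid:10000; rev:1;)

*/

package main

import (
	"log"
	"net/http"
	"sync/atomic"

	"github.com/gin-gonic/gin"
)

// C holds the per-process request counter.  Counter is an int64 so it can be
// updated with sync/atomic: gin serves requests on concurrent goroutines, and
// a plain "Counter++" from several handlers at once is a data race.
type C struct {
	Counter int64
}

var CM = C{}

/********************************************************/
/* Main - Setup a webserver to listen for POST requests */
/********************************************************/

// main starts the HTTP listener and blocks until it exits.  The example
// serves plain HTTP on every interface with no authentication; bind it to
// loopback or put TLS and authentication in front of it before exposing it
// beyond the host that runs Sagan.
func main() {

	var err error

	HTTP_Listen := ":4444"	/* Port to listen on */
	gin.SetMode("debug")	/* 'debug', 'release' or 'test' */

	router := gin.Default()

	router.POST("/testme", Process_Data)	/* URI to accept POST requests */

	log.Printf("Listening for unencrypted traffic on %s.", HTTP_Listen)
	err = router.Run(HTTP_Listen)

	if err != nil {
		log.Fatalf("Cannot bind to %s\n", HTTP_Listen)
	}
}

/*****************************************************/
/* Process_Data - This is where your logic would sit */
/*****************************************************/

// Process_Data handles one POST from Sagan: it counts the request, logs the
// raw body, and answers "true" (fire the event) or "false" (don't fire).
func Process_Data(c *gin.Context) {

	count := atomic.AddInt64(&CM.Counter, 1)

	log.Printf("** Logs Received: %v\n", count)

	jsondata, err := c.GetRawData()

	if err != nil {
		/* The body could not be read, so no verdict can be formed; log the
		   error and answer "false" rather than firing on nothing. */
		log.Printf("Cannot read request body from Sagan: %v\n", err)
		c.Data(http.StatusOK, "text/html", []byte("false"))
		return
	}

	log.Printf("Got this data from Sagan: %s\n", string(jsondata))

	/* You would do your processing and magic here! */

	c.Data(http.StatusOK, "text/html", []byte("true"))	/* return "true" or "false" */

}
--------------------------------------------------------------------------------
/m4/ax_check_compile_flag.m4:
--------------------------------------------------------------------------------
# ===========================================================================
#    http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
# ===========================================================================
#
# SYNOPSIS
#
#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
#
# DESCRIPTION
#
#   Check whether the given FLAG works with the current language's compiler
#   or gives an error. (Warnings, however, are ignored)
#
#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
#   success/failure.
#
#   If EXTRA-FLAGS is defined, it is added to the current language's default
#   flags (e.g. CFLAGS) when the check is done. The check is thus made with
#   the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
#   force the compiler to issue an error when a bad flag is given.
#
#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
#
# LICENSE
#
#   Copyright (c) 2008 Guido U. Draheim
#   Copyright (c) 2011 Maarten Bosmans
#
#   This program is free software: you can redistribute it and/or modify it
#   under the terms of the GNU General Public License as published by the
#   Free Software Foundation, either version 3 of the License, or (at your
#   option) any later version.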
34 | # 35 | # This program is distributed in the hope that it will be useful, but 36 | # WITHOUT ANY WARRANTY; without even the implied warranty of 37 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General 38 | # Public License for more details. 39 | # 40 | # You should have received a copy of the GNU General Public License along 41 | # with this program. If not, see . 42 | # 43 | # As a special exception, the respective Autoconf Macro's copyright owner 44 | # gives unlimited permission to copy, distribute and modify the configure 45 | # scripts that are the output of Autoconf when processing the Macro. You 46 | # need not follow the terms of the GNU General Public License when using 47 | # or distributing such scripts, even though portions of the text of the 48 | # Macro appear in them. The GNU General Public License (GPL) does govern 49 | # all other use of the material that constitutes the Autoconf Macro. 50 | # 51 | # This special exception to the GPL applies to versions of the Autoconf 52 | # Macro released by the Autoconf Archive. When you make and distribute a 53 | # modified version of the Autoconf Macro, you may extend this special 54 | # exception to the GPL to apply to your modified version as well. 
55 | 56 | #serial 2 57 | 58 | AC_DEFUN([AX_CHECK_COMPILE_FLAG], 59 | [AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX 60 | AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl 61 | AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ 62 | ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS 63 | _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" 64 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM()], 65 | [AS_VAR_SET(CACHEVAR,[yes])], 66 | [AS_VAR_SET(CACHEVAR,[no])]) 67 | _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) 68 | AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes], 69 | [m4_default([$2], :)], 70 | [m4_default([$3], :)]) 71 | AS_VAR_POPDEF([CACHEVAR])dnl 72 | ])dnl AX_CHECK_COMPILE_FLAGS 73 | -------------------------------------------------------------------------------- /m4/ax_gcc_x86_avx_xgetbv.m4: -------------------------------------------------------------------------------- 1 | # =========================================================================== 2 | # http://www.gnu.org/software/autoconf-archive/ax_gcc_x86_avx_xgetbv.html 3 | # =========================================================================== 4 | # 5 | # SYNOPSIS 6 | # 7 | # AX_GCC_X86_AVX_XGETBV 8 | # 9 | # DESCRIPTION 10 | # 11 | # On later x86 processors with AVX SIMD support, with gcc or a compiler 12 | # that has a compatible syntax for inline assembly instructions, run a 13 | # small program that executes the xgetbv instruction with input OP. This 14 | # can be used to detect if the OS supports AVX instruction usage. 15 | # 16 | # On output, the values of the eax and edx registers are stored as 17 | # hexadecimal strings as "eax:edx" in the cache variable 18 | # ax_cv_gcc_x86_avx_xgetbv. 19 | # 20 | # If the xgetbv instruction fails (because you are running a 21 | # cross-compiler, or because you are not using gcc, or because you are on 22 | # a processor that doesn't have this instruction), 23 | # ax_cv_gcc_x86_avx_xgetbv_OP is set to the string "unknown". 
24 | # 25 | # This macro mainly exists to be used in AX_EXT. 26 | # 27 | # LICENSE 28 | # 29 | # Copyright (c) 2013 Michael Petch 30 | # 31 | # This program is free software: you can redistribute it and/or modify it 32 | # under the terms of the GNU General Public License as published by the 33 | # Free Software Foundation, either version 3 of the License, or (at your 34 | # option) any later version. 35 | # 36 | # This program is distributed in the hope that it will be useful, but 37 | # WITHOUT ANY WARRANTY; without even the implied warranty of 38 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General 39 | # Public License for more details. 40 | # 41 | # You should have received a copy of the GNU General Public License along 42 | # with this program. If not, see . 43 | # 44 | # As a special exception, the respective Autoconf Macro's copyright owner 45 | # gives unlimited permission to copy, distribute and modify the configure 46 | # scripts that are the output of Autoconf when processing the Macro. You 47 | # need not follow the terms of the GNU General Public License when using 48 | # or distributing such scripts, even though portions of the text of the 49 | # Macro appear in them. The GNU General Public License (GPL) does govern 50 | # all other use of the material that constitutes the Autoconf Macro. 51 | # 52 | # This special exception to the GPL applies to versions of the Autoconf 53 | # Macro released by the Autoconf Archive. When you make and distribute a 54 | # modified version of the Autoconf Macro, you may extend this special 55 | # exception to the GPL to apply to your modified version as well. 
56 | 57 | #serial 1 58 | 59 | AC_DEFUN([AX_GCC_X86_AVX_XGETBV], 60 | [AC_REQUIRE([AC_PROG_CC]) 61 | AC_LANG_PUSH([C]) 62 | AC_CACHE_CHECK(for x86-AVX xgetbv $1 output, ax_cv_gcc_x86_avx_xgetbv_$1, 63 | [AC_RUN_IFELSE([AC_LANG_PROGRAM([#include ], [ 64 | int op = $1, eax, edx; 65 | FILE *f; 66 | /* Opcodes for xgetbv */ 67 | __asm__(".byte 0x0f, 0x01, 0xd0" 68 | : "=a" (eax), "=d" (edx) 69 | : "c" (op)); 70 | f = fopen("conftest_xgetbv", "w"); if (!f) return 1; 71 | fprintf(f, "%x:%x\n", eax, edx); 72 | fclose(f); 73 | return 0; 74 | ])], 75 | [ax_cv_gcc_x86_avx_xgetbv_$1=`cat conftest_xgetbv`; rm -f conftest_xgetbv], 76 | [ax_cv_gcc_x86_avx_xgetbv_$1=unknown; rm -f conftest_xgetbv], 77 | [ax_cv_gcc_x86_avx_xgetbv_$1=unknown])]) 78 | AC_LANG_POP([C]) 79 | ]) 80 | -------------------------------------------------------------------------------- /m4/ax_gcc_x86_cpuid.m4: -------------------------------------------------------------------------------- 1 | # =========================================================================== 2 | # http://autoconf-archive.cryp.to/ax_gcc_x86_cpuid.html 3 | # =========================================================================== 4 | # 5 | # SYNOPSIS 6 | # 7 | # AX_GCC_X86_CPUID(OP) 8 | # 9 | # DESCRIPTION 10 | # 11 | # On Pentium and later x86 processors, with gcc or a compiler that has a 12 | # compatible syntax for inline assembly instructions, run a small program 13 | # that executes the cpuid instruction with input OP. This can be used to 14 | # detect the CPU type. 15 | # 16 | # On output, the values of the eax, ebx, ecx, and edx registers are stored 17 | # as hexadecimal strings as "eax:ebx:ecx:edx" in the cache variable 18 | # ax_cv_gcc_x86_cpuid_OP. 19 | # 20 | # If the cpuid instruction fails (because you are running a 21 | # cross-compiler, or because you are not using gcc, or because you are on 22 | # a processor that doesn't have this instruction), ax_cv_gcc_x86_cpuid_OP 23 | # is set to the string "unknown". 
24 | # 25 | # This macro mainly exists to be used in AX_GCC_ARCHFLAG. 26 | # 27 | # LICENSE 28 | # 29 | # Copyright (c) 2008 Steven G. Johnson 30 | # Copyright (c) 2008 Matteo Frigo 31 | # 32 | # This program is free software: you can redistribute it and/or modify it 33 | # under the terms of the GNU General Public License as published by the 34 | # Free Software Foundation, either version 3 of the License, or (at your 35 | # option) any later version. 36 | # 37 | # This program is distributed in the hope that it will be useful, but 38 | # WITHOUT ANY WARRANTY; without even the implied warranty of 39 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General 40 | # Public License for more details. 41 | # 42 | # You should have received a copy of the GNU General Public License along 43 | # with this program. If not, see . 44 | # 45 | # As a special exception, the respective Autoconf Macro's copyright owner 46 | # gives unlimited permission to copy, distribute and modify the configure 47 | # scripts that are the output of Autoconf when processing the Macro. You 48 | # need not follow the terms of the GNU General Public License when using 49 | # or distributing such scripts, even though portions of the text of the 50 | # Macro appear in them. The GNU General Public License (GPL) does govern 51 | # all other use of the material that constitutes the Autoconf Macro. 52 | # 53 | # This special exception to the GPL applies to versions of the Autoconf 54 | # Macro released by the Autoconf Archive. When you make and distribute a 55 | # modified version of the Autoconf Macro, you may extend this special 56 | # exception to the GPL to apply to your modified version as well. 
57 | 58 | AC_DEFUN([AX_GCC_X86_CPUID], 59 | [AC_REQUIRE([AC_PROG_CC]) 60 | AC_LANG_PUSH([C]) 61 | AC_CACHE_CHECK(for x86 cpuid $1 output, ax_cv_gcc_x86_cpuid_$1, 62 | [AC_RUN_IFELSE([AC_LANG_PROGRAM([#include ], [ 63 | int op = $1, eax, ebx, ecx, edx; 64 | FILE *f; 65 | __asm__("cpuid" 66 | : "=a" (eax), "=b" (ebx), "=c" (ecx), "=d" (edx) 67 | : "a" (op)); 68 | f = fopen("conftest_cpuid", "w"); if (!f) return 1; 69 | fprintf(f, "%x:%x:%x:%x\n", eax, ebx, ecx, edx); 70 | fclose(f); 71 | return 0; 72 | ])], 73 | [ax_cv_gcc_x86_cpuid_$1=`cat conftest_cpuid`; rm -f conftest_cpuid], 74 | [ax_cv_gcc_x86_cpuid_$1=unknown; rm -f conftest_cpuid], 75 | [ax_cv_gcc_x86_cpuid_$1=unknown])]) 76 | AC_LANG_POP([C]) 77 | ]) 78 | -------------------------------------------------------------------------------- /screenshots/discord.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quadrantsec/sagan/a1805c54024774b9f4494bd5a8535f16a36fa924/screenshots/discord.png -------------------------------------------------------------------------------- /src/aetas.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 
15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool Check_Time(uint32_t rule_number); 22 | bool Check_Day(unsigned char day, uint8_t day_current); 23 | 24 | -------------------------------------------------------------------------------- /src/after.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | bool After2 ( uint32_t rule_position, const char *ip_src, uint16_t src_port, const char *ip_dst, uint16_t dst_port, const char *username, const char *syslog_message ); 22 | 23 | -------------------------------------------------------------------------------- /src/classifications.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/

/* Classification structure: one entry per classtype, holding its short
   name, a description and a priority.  The 512-byte fields are fixed-size
   buffers filled by Load_Classifications(). */

typedef struct _Class_Struct _Class_Struct;
struct _Class_Struct
{
    char s_shortname[512];
    char s_desc[512];
    uint_fast8_t s_priority;
};


/* Load_Classifications - loads the classification table from the given
   path (presumably the classification file named in the Sagan config;
   confirm in classifications.c). */
void Load_Classifications( const char * );

/* Classtype_Lookup - looks up classtype and writes the result into str,
   which holds at most size bytes.  NOTE(review): the meaning of the int
   return value is not visible here; check classifications.c before
   relying on it. */
int Classtype_Lookup( const char *classtype, char *str, size_t size );


--------------------------------------------------------------------------------
/src/config-yaml.h:
--------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 | */ 20 | 21 | #ifdef HAVE_LIBYAML 22 | 23 | /************************/ 24 | /* Minimum YAML version */ 25 | /************************/ 26 | 27 | #define YAML_VERSION_MAJOR 1 28 | #define YAML_VERSION_MINOR 1 29 | 30 | /*****************/ 31 | /* Primary types */ 32 | /*****************/ 33 | 34 | #define YAML_TYPE_VAR 1 35 | #define YAML_TYPE_SAGAN_CORE 2 36 | #define YAML_TYPE_PROCESSORS 3 37 | #define YAML_TYPE_OUTPUT 4 38 | #define YAML_TYPE_RULES 5 39 | #define YAML_TYPE_INCLUDES 6 40 | 41 | /*******************/ 42 | /* Secondary types */ 43 | /*******************/ 44 | 45 | /* Sagan core */ 46 | 47 | #define YAML_SAGAN_CORE_CORE 101 48 | #define YAML_SAGAN_CORE_MMAP_IPC 102 49 | #define YAML_SAGAN_CORE_IGNORE_LIST 103 50 | #define YAML_SAGAN_CORE_GEOIP 104 51 | #define YAML_SAGAN_CORE_LIBLOGNORM 105 52 | #define YAML_SAGAN_CORE_PLOG 106 53 | #define YAML_SAGAN_CORE_REDIS 107 54 | #define YAML_SAGAN_CORE_RULESET_TRACKING 108 55 | 56 | 57 | /* Processors */ 58 | 59 | #define YAML_PROCESSORS_TRACK_CLIENTS 200 60 | #define YAML_PROCESSORS_PERFMON 201 61 | #define YAML_PROCESSORS_BLACKLIST 202 62 | #define YAML_PROCESSORS_BLUEDOT 203 63 | #define YAML_PROCESSORS_BROINTEL 204 64 | #define YAML_PROCESSORS_DYNAMIC_LOAD 205 65 | #define YAML_PROCESSORS_CLIENT_STATS 206 66 | #define YAML_PROCESSORS_STATS_JSON 207 67 | 68 | /* Outputs */ 69 | 70 | #define YAML_OUTPUT_UNIFIED2 300 71 | #define YAML_OUTPUT_EXTERNAL 301 72 | #define YAML_OUTPUT_SMTP 302 73 | #define YAML_OUTPUT_SNORTSAM 303 74 | #define YAML_OUTPUT_SYSLOG 304 75 | #define YAML_OUTPUT_FAST 305 76 | #define YAML_OUTPUT_ALERT 306 77 | #define YAML_OUTPUT_EVE 307 78 | 79 | void Load_YAML_Config( char *, bool ); 80 | 81 | #endif 82 | -------------------------------------------------------------------------------- /src/content.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 
Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool Content ( uint_fast32_t rule_position, const char *syslog_message ); 22 | 23 | -------------------------------------------------------------------------------- /src/credits.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 
15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Credits( void ); 22 | 23 | -------------------------------------------------------------------------------- /src/debug.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/

/* General debugging functions */


#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "version.h"
#include "debug.h"


/*
 * Debug_Sagan_Proc_Syslog - Writes every field of the supplied
 * _Sagan_Proc_Syslog (the syslog header fields, the parsed address/port/
 * protocol tuple and the values pulled out of JSON) to the log at DEBUG
 * level, one line per field.  The structure is only read, never modified.
 */

void Debug_Sagan_Proc_Syslog ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL )
{

    /* One DEBUG line per member.  The format string carries the label so
       the output is exactly what the individual Sagan_Log calls produce. */

#define DEBUG_FIELD(fmt, member) \
    Sagan_Log(DEBUG, fmt, SaganProcSyslog_LOCAL->member)

    Sagan_Log(DEBUG, "Data in _Sagan_Proc_Syslog (including extracted JSON)");
    Sagan_Log(DEBUG, "-----------------------------------------------------------------------------");

    /* Syslog header fields */

    DEBUG_FIELD(" * message: \"%s\"", syslog_message);
    DEBUG_FIELD(" * program: \"%s\"", syslog_program);
    DEBUG_FIELD(" * host: \"%s\"", syslog_host);
    DEBUG_FIELD(" * level: \"%s\"", syslog_level);
    DEBUG_FIELD(" * facility: \"%s\"", syslog_facility);
    DEBUG_FIELD(" * priority: \"%s\"", syslog_priority);
    DEBUG_FIELD(" * tag: \"%s\"", syslog_tag);
    DEBUG_FIELD(" * time: \"%s\"", syslog_time);
    DEBUG_FIELD(" * date: \"%s\"", syslog_date);

    /* Network tuple (ports and protocol are printed as integers) */

    DEBUG_FIELD(" * src_ip : \"%s\"", src_ip);
    DEBUG_FIELD(" * dst_ip : \"%s\"", dst_ip);
    DEBUG_FIELD(" * src_port : \"%d\"", src_port);
    DEBUG_FIELD(" * dst_port : \"%d\"", dst_port);
    DEBUG_FIELD(" * proto : \"%d\"", proto);

    /* Values extracted from the event / JSON */

    DEBUG_FIELD(" * ja3: \"%s\"", ja3);
    DEBUG_FIELD(" * event_id: \"%s\"", event_id);
    DEBUG_FIELD(" * md5: \"%s\"", md5);
    DEBUG_FIELD(" * sha1: \"%s\"", sha1);
    DEBUG_FIELD(" * sha256: \"%s\"", sha256);
    DEBUG_FIELD(" * filename: \"%s\"", filename);
    DEBUG_FIELD(" * hostname: \"%s\"", hostname);
    DEBUG_FIELD(" * url: \"%s\"", url);
    DEBUG_FIELD(" * username: \"%s\"", username);

#undef DEBUG_FIELD

}
--------------------------------------------------------------------------------
/src/debug.h:
--------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 | */ 20 | 21 | void Debug_Sagan_Proc_Syslog ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 22 | 23 | -------------------------------------------------------------------------------- /src/event-id.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* event-id.h */ 22 | 23 | bool Event_ID ( int position, _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 24 | -------------------------------------------------------------------------------- /src/flexbit-mmap.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool Flexbit_Condition_MMAP(uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 22 | 23 | void Flexbit_Cleanup_MMAP( void ); 24 | void Flexbit_Set_MMAP(uint_fast32_t rule_position, const char *ip_src, const char *ip_dst, int src_port, int dst_port, const char *username, const char *syslog_message ); 25 | bool Flexbit_Count_MMAP( uint_fast32_t rule_position, const char *ip_src, const char *ip_dst ); 26 | 27 | typedef struct _Sagan_Flexbit_Track _Sagan_Flexbit_Track; 28 | struct _Sagan_Flexbit_Track 29 | { 30 | char flexbit_name[64]; 31 | uint_fast32_t flexbit_timeout; 32 | uint_fast16_t flexbit_srcport; 33 | uint_fast16_t flexbit_dstport; 34 | }; 35 | 36 | typedef struct _Sagan_IPC_Flexbit _Sagan_IPC_Flexbit; 37 | struct _Sagan_IPC_Flexbit 38 | { 39 | char flexbit_name[64]; 40 | bool flexbit_state; 41 | unsigned char ip_src[MAXIPBIT]; 42 | unsigned char ip_dst[MAXIPBIT]; 43 | int src_port; 44 | int dst_port; 45 | char username[64]; 46 | uint_fast64_t flexbit_date; 47 | uint_fast64_t flexbit_expire; 48 | uint_fast32_t expire; 49 | char syslog_message[MAX_SYSLOGMSG]; 50 | uint_fast64_t sid; 51 | char signature_msg[MAX_SAGAN_MSG]; 52 | 53 | }; 54 | 55 | 56 | -------------------------------------------------------------------------------- /src/flexbit.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 
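/*
 * Flexbit_Condition - Evaluate a rule's flexbit condition for the current
 * event.  Only rule_position and SaganProcSyslog_LOCAL are forwarded to the
 * MMAP backend; the address/port/username parameters are kept for interface
 * compatibility with existing callers and are not used here.
 *
 * Returns: whatever Flexbit_Condition_MMAP() returns (true on a match).
 */
bool Flexbit_Condition(int rule_position, const char *ip_src_char, const char *ip_dst_char, int src_port, int dst_port, const char *username, _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL )
{
    (void)ip_src_char;
    (void)ip_dst_char;
    (void)src_port;
    (void)dst_port;
    (void)username;

    return Flexbit_Condition_MMAP(rule_position, SaganProcSyslog_LOCAL);
}


/*
 * Flexbit_Count - Thin wrapper around the MMAP backend's flexbit counter
 * check for the given rule and source/destination address pair.
 *
 * Returns: the result of Flexbit_Count_MMAP().
 */
bool Flexbit_Count( int rule_position, const char *ip_src_char, const char *ip_dst_char )
{
    return Flexbit_Count_MMAP(rule_position, ip_src_char, ip_dst_char);
}


/*
 * Flexbit_Set - Thin wrapper that records a flexbit in the MMAP backend for
 * the given rule, addresses, ports, username and the triggering message.
 */
void Flexbit_Set(int rule_position, const char *ip_src_char, const char *ip_dst_char, int src_port, int dst_port, const char *username, const char *syslog_message )
{
    Flexbit_Set_MMAP(rule_position, ip_src_char, ip_dst_char, src_port, dst_port, username, syslog_message);
}


/*
 * Flexbit_Type - Map the textual flexbit "type" keyword from a rule to its
 * numeric code.  The table index IS the code, so the order below must not be
 * changed without updating every consumer of these values.
 *
 *   type      - keyword as written in the rule (may be NULL; treated as unknown)
 *   linecount - rule file line number, used only for the error message
 *   ruleset   - rule file name, used only for the error message
 *
 * Returns: 0..13 for a known keyword.  An unknown keyword is logged through
 * Sagan_Log(ERROR, ...) and 0 ("none") is returned in case that call returns.
 */
uint_fast8_t Flexbit_Type ( const char *type, uint_fast32_t linecount, const char *ruleset )
{
    static const char *const flexbit_types[] =
    {
        "none",          /* 0 */
        "both",          /* 1 */
        "by_src",        /* 2 */
        "by_dst",        /* 3 */
        "reverse",       /* 4 */
        "src_xbitdst",   /* 5 */
        "dst_xbitsrc",   /* 6 */
        "both_p",        /* 7 */
        "by_src_p",      /* 8 */
        "by_dst_p",      /* 9 */
        "reverse_p",     /* 10 */
        "src_xbitdst_p", /* 11 */
        "dst_xbitsrc_p", /* 12 */
        "username"       /* 13 */
    };

    const size_t type_count = sizeof(flexbit_types) / sizeof(flexbit_types[0]);
    size_t idx;

    if ( type != NULL )
    {
        for ( idx = 0; idx < type_count; idx++ )
        {
            if ( strcmp(type, flexbit_types[idx]) == 0 )
            {
                return (uint_fast8_t)idx;
            }
        }
    }

    /* The previous message had unbalanced quotes, printed the uint_fast32_t
       line number with %d, and passed 'ruleset' with no matching conversion
       (so the rule file name was never shown). */
    Sagan_Log(ERROR, "[%s, line %d] Expected 'none', 'both', 'by_src', 'by_dst', 'reverse', 'src_xbitdst', 'dst_xbitsrc', 'both_p', 'by_src_p', 'by_dst_p', 'reverse_p', 'src_xbitdst_p', 'dst_xbitsrc_p' or 'username'. Got '%s' at line %lu in %s.", __FILE__, __LINE__, type != NULL ? type : "(null)", (unsigned long)linecount, ruleset != NULL ? ruleset : "(null)");

    return 0; /* Should never make it here if Sagan_Log(ERROR) aborts */
}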
19 | */ 20 | 21 | uint_fast8_t Flexbit_Type ( const char *type, uint_fast32_t linecount, const char *ruleset ); 22 | 23 | bool Flexbit_Count( int rule_position, const char *ip_src_char, const char *ip_dst_char ); 24 | bool Flexbit_Condition(int rule_position, const char *ip_src_char, const char *ip_dst_char, int src_port, int dst_port, const char *username, _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 25 | void Flexbit_Set(int rule_position, const char *ip_src_char, const char *ip_dst_char, int src_port, int dst_port, const char *username, const char *syslog_message ); 26 | 27 | -------------------------------------------------------------------------------- /src/flow.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | bool Check_Flow( uint_fast32_t b, uint_fast8_t ip_proto, unsigned char *ip_src_bits, uint_fast16_t normalize_src_port, unsigned char *ip_dst_bits, uint_fast16_t normalize_dst_port); 22 | -------------------------------------------------------------------------------- /src/geoip.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | /* geoip.h 22 | * 23 | * Sagan GeoIP prototypes 24 | */ 25 | 26 | #define GEOIP_MISS 0 27 | #define GEOIP_HIT 1 28 | #define GEOIP_SKIP 2 29 | 30 | typedef struct _GeoIP _GeoIP; 31 | struct _GeoIP 32 | { 33 | 34 | uint_fast8_t results; 35 | 36 | char city[32]; 37 | char country[32]; 38 | char subdivision[3]; 39 | // char postal[16]; 40 | // char timezone[32]; 41 | // char latitude[16]; 42 | // char longitude[16]; 43 | 44 | }; 45 | 46 | 47 | typedef struct _Sagan_GeoIP_Skip _Sagan_GeoIP_Skip; 48 | struct _Sagan_GeoIP_Skip 49 | { 50 | 51 | struct 52 | { 53 | unsigned char ipbits[MAXIPBIT]; 54 | unsigned char maskbits[MAXIPBIT]; 55 | } range; 56 | 57 | }; 58 | 59 | void Open_GeoIP2_Database( void ); 60 | int GeoIP2_Lookup_Country( char *ipaddr, uint_fast32_t rule_position, struct _GeoIP *GeoIP ); 61 | 62 | -------------------------------------------------------------------------------- /src/ignore-list.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
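/****************************************************************************
 * Load_Ignore_List - Read config->sagan_droplistfile one line at a time and
 * append every non-comment, non-blank line to the global SaganIgnorelist
 * array, bumping counters->droplist_count for each entry.
 *
 * Lines starting with '#', ';', a space or a newline are skipped.  On any
 * failure the error is reported through Sagan_Log(ERROR, ...); in case that
 * call returns, the function now also returns instead of continuing with a
 * NULL FILE* or a NULL list pointer.
 ****************************************************************************/

void Load_Ignore_List ( void )
{

    FILE *droplist = NULL;
    _Sagan_Ignorelist *grown_list = NULL;

    char droplistbuf[IGNORE_SIZE] = { 0 };

    droplist = fopen(config->sagan_droplistfile, "r");

    if ( droplist == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] No drop list/ignore list to load (%s)", __FILE__, __LINE__, config->sagan_droplistfile);
        config->sagan_droplist_flag=0;

        /* Previously execution fell through to fgets() on a NULL stream. */
        return;
    }

    /* NOTE(review): a line longer than IGNORE_SIZE-1 bytes is split by fgets()
       into several entries, and the remainder becomes its own (shorter) ignore
       pattern that may match more than intended - confirm this is acceptable. */

    while ( fgets(droplistbuf, IGNORE_SIZE, droplist) != NULL )
    {

        /* Skip comments and blank lines */

        if ( droplistbuf[0] == '#' || droplistbuf[0] == '\n' || droplistbuf[0] == ';' || droplistbuf[0] == ' ' )
        {
            continue;
        }

        /* Grow the list by one entry.  Assign through a temporary so the old
           block is not lost if realloc() fails. */

        grown_list = (_Sagan_Ignorelist *) realloc(SaganIgnorelist, (counters->droplist_count+1) * sizeof(_Sagan_Ignorelist));

        if ( grown_list == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganIgnorelist. Abort!", __FILE__, __LINE__);
            fclose(droplist);
            return;
        }

        SaganIgnorelist = grown_list;

        Remove_Return(droplistbuf);

        strlcpy(SaganIgnorelist[counters->droplist_count].ignore_string, droplistbuf, sizeof(SaganIgnorelist[counters->droplist_count].ignore_string));

        __atomic_add_fetch(&counters->droplist_count, 1, __ATOMIC_SEQ_CST);

    }

    /* The stream was never closed before. */
    fclose(droplist);
}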
/*
 * Ignore - Return true when syslogstring contains any entry of the global
 * SaganIgnorelist (a plain substring test via Sagan_strstr).  On a hit the
 * message length is added to counters->bytes_ignored and counters->ignore_count
 * is incremented before returning; on a miss the counters are untouched.
 */
bool Ignore( const char *syslogstring )
{

    uint32_t idx = 0;

    while ( idx < counters->droplist_count )
    {
        const char *needle = SaganIgnorelist[idx].ignore_string;

        if ( Sagan_strstr(syslogstring, needle) )
        {
            /* Matched an ignore keyword - account for it and stop searching */

            counters->bytes_ignored += strlen(syslogstring);
            counters->ignore_count++;

            return true;
        }

        idx++;
    }

    /* No ignore keyword present */

    return false;
}
19 | */ 20 | 21 | void Load_Input_JSON_Map ( const char *json_map ); 22 | 23 | -------------------------------------------------------------------------------- /src/input-json.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void SyslogInput_JSON( char *syslog_string, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, struct _Sagan_JSON *JSON_LOCAL ); 22 | 23 | 24 | -------------------------------------------------------------------------------- /src/input-pipe.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void SyslogInput_Pipe( char *syslog, struct _Sagan_Proc_Syslog * ); 22 | 23 | 24 | -------------------------------------------------------------------------------- /src/input-plugins/fifo.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security ** Copyright (C) 2009-2025 Champ Clark III 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 9 | ** 10 | ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | ** GNU General Public License for more details. 13 | ** 14 | ** You should have received a copy of the GNU General Public License 15 | ** along with this program; if not, write to the Free Software 16 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
17 | */ 18 | 19 | void FIFO_Input ( void ); 20 | 21 | -------------------------------------------------------------------------------- /src/input-plugins/file.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security ** Copyright (C) 2009-2025 Champ Clark III 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 9 | ** 10 | ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | ** GNU General Public License for more details. 13 | ** 14 | ** You should have received a copy of the GNU General Public License 15 | ** along with this program; if not, write to the Free Software 16 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 17 | */ 18 | 19 | void File_Input( const char *input_file ); 20 | 21 | -------------------------------------------------------------------------------- /src/input-plugins/gzip.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security ** Copyright (C) 2009-2025 Champ Clark III 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 
9 | ** 10 | ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | ** GNU General Public License for more details. 13 | ** 14 | ** You should have received a copy of the GNU General Public License 15 | ** along with this program; if not, write to the Free Software 16 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 17 | */ 18 | 19 | void GZIP_Input( const char *input_file ); 20 | -------------------------------------------------------------------------------- /src/ipc.h: -------------------------------------------------------------------------------- 1 | 2 | /* $Id$ */ 3 | /* 4 | ** Copyright (C) 2009-2025 Quadrant Information Security 5 | ** Copyright (C) 2009-2025 Champ Clark III 6 | ** 7 | ** This program is free software; you can redistribute it and/or modify 8 | ** it under the terms of the GNU General Public License Version 2 as 9 | ** published by the Free Software Foundation. You may not use, modify or 10 | ** distribute this program under any other version of the GNU General 11 | ** Public License. 12 | ** 13 | ** This program is distributed in the hope that it will be useful, 14 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | ** GNU General Public License for more details. 17 | ** 18 | ** You should have received a copy of the GNU General Public License 19 | ** along with this program; if not, write to the Free Software 20 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 21 | */ 22 | 23 | /* ipc.h 24 | * 25 | * This allows Sagan to share data with other Sagan processes. This is for 26 | * Inter-process communications (IPC). 
27 | * 28 | */ 29 | 30 | void IPC_Init(void); 31 | bool Clean_IPC_Object( uint_fast8_t type ); 32 | void IPC_Check_Object(char *tmp_object_check, bool new_counters, char *object_name); 33 | void IPC_Close( void ); 34 | 35 | 36 | -------------------------------------------------------------------------------- /src/json-content.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool JSON_Content(uint_fast32_t rule_position, _Sagan_JSON *JSON_LOCAL); 22 | 23 | -------------------------------------------------------------------------------- /src/json-handler.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. 
You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* sagan-json.h 22 | * 23 | * Functions that handle JSON output 24 | * 25 | */ 26 | 27 | void Format_JSON_Alert_EVE( _Sagan_Event *, char *, size_t); 28 | void Format_JSON_Log_EVE( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, struct timeval tp, char *, size_t ); 29 | 30 | 31 | -------------------------------------------------------------------------------- /src/json-meta-content.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 
15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool JSON_Meta_Content(uint_fast32_t rule_position, _Sagan_JSON *JSON_LOCAL); 22 | bool JSON_Meta_Content_Search(uint_fast32_t rule_position, const char *json_string, uint_fast16_t i ); 23 | 24 | 25 | -------------------------------------------------------------------------------- /src/json-pcre.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* json-pcre.c controls how 'json_pcre: "{key}", "/{pcre}/";' rule options 22 | works. 
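/*
 * JSON_Pcre - Evaluate every 'json_pcre' option of the rule at rule_position
 * against the parsed key/value pairs in JSON_LOCAL.
 *
 * For each rule key that is present in the event, the value (base64-decoded
 * first when json_decode_base64_pcre[i] is set) is copied into a scratch
 * buffer of config->message_buffer_size bytes and run through pcre_exec().
 * The first value that fails to match makes the whole function return false.
 *
 * NOTE(review): a rule key that does not appear in the event is never tested
 * and therefore does not cause a miss - confirm this is the intended
 * semantics, since it means such an option cannot fail.
 *
 * Returns: true when no tested value failed, false on a PCRE miss or when the
 * scratch buffer could not be allocated.
 */
bool JSON_Pcre(int rule_position, _Sagan_JSON *JSON_LOCAL)
{

    int i = 0;
    int a = 0;
    int rc = 0;

    int ovector[PCRE_OVECCOUNT];

    const size_t buf_size = config->message_buffer_size;
    char *tmp_string = malloc( buf_size );

    if ( tmp_string == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] Error allocating memory.", __FILE__, __LINE__);
        return false; /* never dereference the NULL buffer if Sagan_Log() returns */
    }

    tmp_string[0] = '\0';

    for (i = 0; i < rulestruct[rule_position].json_pcre_count; i++)
    {

        for (a = 0; a < JSON_LOCAL->json_count; a++)
        {

            if ( strcmp(JSON_LOCAL->json_key[a], rulestruct[rule_position].json_pcre_key[i]) != 0 )
            {
                continue;
            }

            if ( rulestruct[rule_position].json_decode_base64_pcre[i] == true )
            {
                /* NOTE(review): assumes Base64Decode() NUL-terminates within
                   buf_size - confirm, since strlen() is taken on tmp_string below. */
                Base64Decode( (const unsigned char*)JSON_LOCAL->json_value[a], strlen(JSON_LOCAL->json_value[a]), tmp_string, buf_size);
            }
            else
            {
                /* Copy only the value's own length.  The previous code copied
                   buf_size bytes unconditionally, which reads past the end of
                   json_value[a] when its storage is smaller than the message
                   buffer and did not guarantee a terminator in tmp_string. */
                size_t value_len = strlen(JSON_LOCAL->json_value[a]);

                if ( value_len >= buf_size )
                {
                    value_len = buf_size - 1;
                }

                memcpy( tmp_string, JSON_LOCAL->json_value[a], value_len );
                tmp_string[value_len] = '\0';
            }

            rc = pcre_exec( rulestruct[rule_position].json_re_pcre[i], rulestruct[rule_position].json_pcre_extra[i], tmp_string, (int)strlen(tmp_string), 0, 0, ovector, PCRE_OVECCOUNT);

            /* If it's _not_ a match, no need to test other conditions */

            if ( rc < 0 )
            {
                free(tmp_string);
                return false;
            }
        }
    }

    /* All conditions matched, so return true */

    free(tmp_string);
    return true;
}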
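**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* key.c
 *
 * This runs as a thread for stdin. This allows users, when running
 * in the foreground, to hit "enter" to see statistics of sagan.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h" /* From autoconf */
#endif

#include
#include
#include
#include
#include
#include

#ifdef HAVE_SYS_PRCTL_H
#include
#endif

#include "version.h"

#include "sagan.h"
#include "sagan-defs.h"
#include "key.h"
#include "stats.h"

extern struct _SaganConfig *config;

/* Key_Handler - body of the stdin-watching thread.
 *
 * Blocks on getchar(); any byte read (a bare "enter" included) triggers
 * Statistics().  The loop ends only when stdin reports EOF: the earlier
 * `key != 0` test on its own treated EOF (-1) as a keypress, so a Sagan whose
 * stdin was closed or redirected from an empty source spun here calling
 * Statistics() without pause.
 */
void Key_Handler( void )
{

#ifdef HAVE_SYS_PRCTL_H
    (void)SetThreadName("SaganKeyhandler");
#endif

    for (;;)
    {

        int key = getchar();

        if ( key == EOF )
        {
            return;   /* nothing more will arrive on stdin; let the thread end instead of spinning */
        }

        if ( key != 0 )
        {
            Statistics();
        }

    }
}
-------------------------------------------------------------------------------- /src/key.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.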
You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Key_Handler( void ); 22 | -------------------------------------------------------------------------------- /src/liblognormalize.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | 22 | #include 23 | 24 | #include "sagan-defs.h" 25 | 26 | /* liblognorm struct */ 27 | 28 | typedef struct liblognorm_struct liblognorm_struct; 29 | struct liblognorm_struct 30 | { 31 | char type[50]; 32 | char filepath[MAXPATH]; 33 | }; 34 | 35 | typedef struct liblognorm_toload_struct liblognorm_toload_struct; 36 | struct liblognorm_toload_struct 37 | { 38 | char type[50]; 39 | char filepath[MAXPATH]; 40 | }; 41 | 42 | void Liblognorm_Load( const char *infile ); 43 | void Normalize_Liblognorm( struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 44 | void Liblognorm_Close(void); 45 | 46 | 47 | -------------------------------------------------------------------------------- /src/lockfile.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | void Remove_Lock_File ( void ); 22 | void CheckLockFile ( void ); 23 | 24 | -------------------------------------------------------------------------------- /src/meta-content.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool Meta_Content(uint_fast32_t rule_position, const char *syslog_message); 22 | bool Meta_Content_Search(char *syslog_msg, uint_fast32_t rule_position, uint_fast32_t meta_content_count); 23 | 24 | 25 | -------------------------------------------------------------------------------- /src/offload.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. 
You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool Offload( uint_fast32_t rule_position, const char *syslog_host, const char *syslog_facility, const char *syslog_priority, const char *syslog_level, const char *syslog_tag, const char *syslog_date, const char *syslog_time, const char *syslog_program, const char *syslog_message ); 22 | 23 | size_t static write_callback_func(void *buffer, size_t size, size_t nmemb, void *userp); 24 | -------------------------------------------------------------------------------- /src/output-plugins/alert.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 
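**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* alert.c
 *
 * Provides logging functionality in a 'snort like' format. Usually in
 * the /var/log/sagan directory named 'alert'
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h" /* From autoconf */
#endif

#include
#include
#include
#include
#include

#include "sagan.h"

#include "alert.h"
#include "util-time.h"
#include "rules.h"
#include "references.h"
#include "sagan-config.h"

extern struct _Rule_Struct *rulestruct;
extern struct _SaganConfig *config;
extern struct _SaganCounters *counters;

/* Alert_File - append one alert to config->sagan_alert_filepath in the
 * multi-line, Snort-style 'alert' format.
 *
 * Event: the alert to write.  Fields are printed verbatim (no escaping);
 *        the file is meant for humans and log shippers, not for Sagan to
 *        parse back.
 *
 * The stream's descriptor is held under File_Lock() for the whole record so
 * that concurrent writers do not interleave lines.
 */
void Alert_File( _Sagan_Event *Event )
{

    char tmpref[256];
    char timebuf[64];

    FILE *sagan_alert_stream;
    int sagan_alert_stream_int = 0;

    CreateTimeString(&Event->event_time, timebuf, sizeof(timebuf), 1);

    if (( sagan_alert_stream = fopen( config->sagan_alert_filepath, "a" )) == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] Cannot open %s (%s). Abort", __FILE__, __LINE__, config->sagan_alert_filepath, strerror(errno));
        return;   /* Sagan_Log(ERROR) is expected to abort; if it ever returns, do not hand a NULL stream to fileno() */
    }

    sagan_alert_stream_int = fileno( sagan_alert_stream );

    File_Lock( sagan_alert_stream_int );

    /* Header: sid/rev/msg, then classification, priority and the reporting host. */
    fprintf(sagan_alert_stream, "\n[**] [1:%" PRIu64 ":%" PRIuFAST16 "] %s [**]\n", Event->sid, Event->rev, Event->f_msg);
    fprintf(sagan_alert_stream, "[Classification: %s] [Priority: %d] [%s]\n", Event->class, Event->pri, Event->host );
    fprintf(sagan_alert_stream, "[Alert Time: %s]\n", timebuf);

    /* Original syslog date/time, source -> destination, then facility, priority and program
       (one write; the spacing is byte-identical to the previous sequence of fprintf() calls). */
    fprintf(sagan_alert_stream, "%s %s %s:%" PRIuFAST16 "  -> %s:%" PRIuFAST16 " %s %s %s\n",
            Event->date, Event->time,
            Event->ip_src, Event->src_port,
            Event->ip_dst, Event->dst_port,
            Event->facility, Event->priority, Event->program);

    fprintf(sagan_alert_stream, "Message: %s\n", Event->message);

    /* Rule position 0 carries no rule (and so no references) to look up. */
    if ( Event->rule_position != 0 )
    {

        Reference_Lookup( Event->rule_position, 0, tmpref, sizeof(tmpref) );

        if ( tmpref[0] != '\0' )
        {
            fprintf(sagan_alert_stream, "%s\n", tmpref);
        }
    }

    File_Unlock( sagan_alert_stream_int );
    fclose(sagan_alert_stream);

}
-------------------------------------------------------------------------------- /src/output-plugins/alert.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General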
Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Alert_File( _Sagan_Event *); 22 | 23 | -------------------------------------------------------------------------------- /src/output-plugins/esmtp.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | /* sagan-esmtp.h */ 22 | 23 | #ifdef HAVE_LIBESMTP 24 | 25 | 26 | #define ESMTPTO 32 /* 'To' buffer size max */ 27 | #define ESMTPFROM 32 /* 'From' buffer size max */ 28 | #define ESMTPSERVER 32 /* SMTP server size max */ 29 | #define MAX_EMAILSIZE 15360 /* Largest e-mail that can be sent */ 30 | 31 | const char *esmtp_cb ( void **, int *, void * ); 32 | int ESMTP_Thread( _Sagan_Event * ); 33 | int FixLF(_SaganConfig *, char *, char *); 34 | 35 | #endif 36 | 37 | -------------------------------------------------------------------------------- /src/output-plugins/eve.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
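*/

/* eve.c
 *
 * Write alerts in a JSON/Suricata like format
 *
 */


#ifdef HAVE_CONFIG_H
#include "config.h" /* From autoconf */
#endif

#ifdef HAVE_LIBFASTJSON

#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "json-handler.h"
#include "output-plugins/eve.h"

#include "sagan-config.h"

extern struct _SaganConfig *config;

/* Alert_JSON - append one already-formatted alert record to config->eve_filename.
 *
 * alert_data: the complete EVE/JSON line to write (a newline is appended here).
 *
 * The descriptor is held under File_Lock() for the write so concurrent
 * writers do not interleave records.
 */
void Alert_JSON( const char *alert_data )
{

    FILE *eve_stream;
    int eve_stream_int = 0;

    if (( eve_stream = fopen( config->eve_filename, "a" )) == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] Cannot open %s (%s). Abort", __FILE__, __LINE__, config->eve_filename, strerror(errno));
        return;   /* Sagan_Log(ERROR) is expected to abort; if it ever returns, do not hand a NULL stream to fileno() */
    }

    eve_stream_int = fileno( eve_stream );

    File_Lock( eve_stream_int );
    fprintf(eve_stream, "%s\n", alert_data);
    File_Unlock( eve_stream_int );

    fclose(eve_stream);

}

/* Log_JSON - format one processed syslog message as an EVE "log" record and
 * append it to config->eve_filename.
 *
 * SaganProcSyslog_LOCAL: the parsed message to log.
 * tp:                    timestamp recorded for the record.
 */
void Log_JSON ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, struct timeval tp )
{

    FILE *eve_stream;
    int eve_stream_int = 0;

    char *log_data = malloc( config->message_buffer_size );

    if ( log_data == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] Error allocating memory.", __FILE__, __LINE__);
        return;   /* Sagan_Log(ERROR) is expected to abort; never write through a NULL buffer if it does not */
    }

    log_data[0] = '\0';

    /* Build the record before taking the file lock so the lock covers only the
       write.  The length passed is the allocation size: the previous call passed
       sizeof(log_data), i.e. the size of the pointer (8 on LP64), not of the
       buffer.  How Format_JSON_Log_EVE() honours the length is outside this
       file, but every EVE log record was being formatted against an 8-byte
       limit. */
    Format_JSON_Log_EVE( SaganProcSyslog_LOCAL, tp, log_data, config->message_buffer_size );

    if (( eve_stream = fopen( config->eve_filename, "a" )) == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] Cannot open %s (%s). Abort", __FILE__, __LINE__, config->eve_filename, strerror(errno));
        free( log_data );
        return;
    }

    eve_stream_int = fileno( eve_stream );

    File_Lock( eve_stream_int );
    fprintf(eve_stream, "%s\n", log_data);
    File_Unlock( eve_stream_int );

    fclose(eve_stream);

    free( log_data );

}

#endif
-------------------------------------------------------------------------------- /src/output-plugins/eve.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.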
19 | */ 20 | 21 | /* sagan-alert-json.h 22 | * 23 | * Write alerts in a JSON/Suricata like format 24 | * 25 | */ 26 | 27 | void Log_JSON ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, struct timeval tp ); 28 | void Alert_JSON( const char *alert_data ); 29 | 30 | -------------------------------------------------------------------------------- /src/output-plugins/external.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | void External_Thread( char *alert_data, char *execute_script); 22 | -------------------------------------------------------------------------------- /src/output-plugins/fast.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* fast.c 22 | * 23 | * Provides logging functionality in a 'snort like' fast format. 
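*
*/

#ifdef HAVE_CONFIG_H
#include "config.h" /* From autoconf */
#endif

#include
#include
#include
#include
#include

#include "sagan.h"
#include "references.h"
#include "sagan-config.h"
#include "util-time.h"

#include "output-plugins/alert.h"

extern struct _Rule_Struct *rulestruct;
extern struct _SaganConfig *config;

/* Fast_File - append one alert to config->fast_filename as a single
 * Snort-style "fast" line.
 *
 * Event: the alert to write.  Fields are printed verbatim (no escaping).
 *
 * The descriptor is held under File_Lock() for the whole line so concurrent
 * writers do not interleave records.
 *
 * NOTE(review): sid/rev are printed here with PRIuFAST64/PRIuFAST32 but in
 * alert.c with PRIu64/PRIuFAST16; at most one pair matches the fields'
 * declared types.  Identical on glibc LP64, but worth aligning to the
 * _Sagan_Event declaration.
 */
void Fast_File( _Sagan_Event *Event )
{

    char timebuf[64];
    const char *proto_name = "{UNKNOWN}";
    FILE *sagan_fast_stream;
    int sagan_fast_stream_int = 0;

    CreateTimeString(&Event->event_time, timebuf, sizeof(timebuf), 0);

    if (( sagan_fast_stream = fopen( config->fast_filename, "a" )) == NULL )
    {
        /* Name the file actually being opened; the previous message reported sagan_alert_filepath. */
        Sagan_Log(ERROR, "[%s, line %d] Cannot open %s (%s). Abort", __FILE__, __LINE__, config->fast_filename, strerror(errno));
        return;   /* Sagan_Log(ERROR) is expected to abort; if it ever returns, do not hand a NULL stream to fileno() */
    }

    sagan_fast_stream_int = fileno( sagan_fast_stream );

    File_Lock( sagan_fast_stream_int );

    fprintf( sagan_fast_stream, "%s [**] [1:%" PRIuFAST64 ":%" PRIuFAST32 "] %s [**] [Classification: %s] [Priority: %d] [Program: %s] ", timebuf,
             Event->sid, Event->rev, Event->f_msg, Event->class, Event->pri, Event->program);

    /* IP protocol number -> Snort's bracketed name; anything else stays {UNKNOWN}. */
    switch ( Event->ip_proto )
    {
    case 1:
        proto_name = "{ICMP}";
        break;
    case 6:
        proto_name = "{TCP}";
        break;
    case 17:
        proto_name = "{UDP}";
        break;
    default:
        break;
    }

    fprintf(sagan_fast_stream, "%s", proto_name);

    fprintf(sagan_fast_stream," %s:%" PRIuFAST16 " -> %s:%" PRIuFAST16 "\n", Event->ip_src, Event->src_port, Event->ip_dst, Event->dst_port);

    File_Unlock( sagan_fast_stream_int );

    fclose(sagan_fast_stream);

}
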
-------------------------------------------------------------------------------- /src/output-plugins/fast.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Fast_File( _Sagan_Event *); 22 | 23 | -------------------------------------------------------------------------------- /src/output-plugins/syslog-handler.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 
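**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* syslog-handler.c
 *
 * Send Sagan alerts to a remote syslog server using the same format that
 * Snort uses.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h" /* From autoconf */
#endif

#ifdef WITH_SYSLOG

#include
#include
#include
#include
#include

#include "sagan.h"
#include "classifications.h"
#include "sagan-config.h"

#include "output-plugins/syslog-handler.h"

extern struct _Rule_Struct *rulestruct;
extern struct _SaganConfig *config;

/* Alert_Syslog - emit one alert through syslog(3) in Snort's one-line format.
 *
 * Event: the alert to send.  The whole record, including the raw
 *        Event->message, is truncated by snprintf() to fit the 1024-byte
 *        local buffer.
 *
 * NOTE(review): Event->rev is printed with %d here but with PRIuFAST16 in
 * alert.c; confirm the field's type and align the specifier.
 */
void Alert_Syslog( _Sagan_Event *Event )
{

    char syslog_message_output[1024] = { 0 };
    const char *tmp_proto = "{UNKNOWN}";

    char classbuf[64];

    /* IP protocol number -> Snort's bracketed name; anything else stays {UNKNOWN}.
       (The previous test joined the three '!=' comparisons with '||', which is
       always true; it only produced the right string because the specific
       cases were assigned afterwards.) */
    switch ( Event->ip_proto )
    {
    case 1:
        tmp_proto = "{ICMP}";
        break;
    case 6:
        tmp_proto = "{TCP}";
        break;
    case 17:
        tmp_proto = "{UDP}";
        break;
    default:
        break;
    }

    Classtype_Lookup( Event->class, classbuf, sizeof(classbuf) );

    /* Template mimics Snort's syslog output.  It is a literal in the call so
       the compiler checks the argument types against it; the ports use the
       same PRIuFAST16 specifier as alert.c / fast.c rather than %d. */
    snprintf(syslog_message_output, sizeof(syslog_message_output),
             "[1:%" PRIu64 ":%d] %s [Classification: %s] [Priority: %d] [Program: %s] %s %s:%" PRIuFAST16 " -> %s:%" PRIuFAST16 " - %s",
             Event->sid, Event->rev, Event->f_msg, classbuf, Event->pri, Event->program, tmp_proto,
             Event->ip_src, Event->src_port, Event->ip_dst, Event->dst_port, Event->message);

    /* Send syslog message */

    openlog("sagan", config->sagan_syslog_options, config->sagan_syslog_facility);
    syslog(config->sagan_syslog_priority, "%s", syslog_message_output);
    closelog();

}

#endif
-------------------------------------------------------------------------------- /src/output-plugins/syslog-handler.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* sagan-syslog.c
 *
 * Send Sagan alerts to a remote syslog server using the same format that
 * Snort uses.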
25 | * 26 | */ 27 | 28 | void Alert_Syslog( _Sagan_Event * ); 29 | 30 | -------------------------------------------------------------------------------- /src/output.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Output( struct _Sagan_Event * ); 22 | 23 | 24 | -------------------------------------------------------------------------------- /src/parsers/json.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Parse_JSON ( char *syslog_string, struct _Sagan_JSON *JSON_LOCAL ); 22 | void Get_Key_Value( struct _Sagan_JSON *JSON_LOCAL, const char *key, char *value, size_t size); 23 | 24 | -------------------------------------------------------------------------------- /src/parsers/parsers.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | #include "parsers/strstr-asm/strstr-hook.h" 22 | 23 | /* IP Lookup cache */ 24 | 25 | uint_fast32_t Parse_IP( const char *syslog_message, struct _Sagan_Lookup_Cache_Entry *lookup_cache ); 26 | 27 | uint_fast8_t Parse_Proto_Program( const char *program ); 28 | uint_fast8_t Parse_Proto( const char *syslog_message ); 29 | 30 | void Parse_Hash(char *syslog_message, uint_fast8_t type, char *str, size_t size); 31 | void Parse_Hash_Cleanup(char *, char *str, size_t size ); 32 | 33 | -------------------------------------------------------------------------------- /src/parsers/proto.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* This routine search the syslog message and/or program for clues about 22 | * what protocol generated an event. For more information, see the 23 | * protocol-map.c and protocol.map files. 
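/****************************************************************************
 * Protocol_Map_Match - Shared matcher for protocol.map entries.  Returns
 * true when `pattern` occurs somewhere in `text`.  With `nocase` set the
 * comparison is case-insensitive (Sagan_stristr, needle folded to lower
 * case); otherwise it is a plain substring search (Sagan_strstr).
 * Both lookups below used to inline this same if/else pair.
 ****************************************************************************/

static bool Protocol_Map_Match( const char *text, const char *pattern, bool nocase )
{
    /* Neither Sagan_strstr() nor Sagan_stristr() accepts a NULL string;
     * treat "nothing to search" as "no match" rather than crashing. */
    if ( text == NULL || pattern == NULL )
        {
            return false;
        }

    if ( nocase )
        {
            return ( Sagan_stristr(text, pattern, true) != NULL );
        }

    return ( Sagan_strstr(text, pattern) != NULL );
}

/****************************************************************************
 * Parse_Proto_Program - Attempts to determine the protocol that generated
 * the event from the program that generated it.  Walks the protocol.map
 * "program" entries in load order and returns the `proto` of the first
 * entry whose `program` string matches, or 0 when nothing matches.
 *
 * program : syslog program name (may be NULL -> returns 0)
 ****************************************************************************/

uint_fast8_t Parse_Proto_Program( const char *program )
{
    /* Wide enough for any plausible map; the counter's own type lives in
     * _SaganCounters (not visible here).  Both lookups use the same index
     * type now -- the message lookup previously used a signed int. */
    uint_fast32_t i;

    for (i = 0; i < counters->mapcount_program; i++)
        {
            if ( Protocol_Map_Match(program, map_program[i].program, map_program[i].nocase) )
                {
                    return(map_program[i].proto);
                }
        }

    return(0);
}


/****************************************************************************
 * Parse_Proto - Searches for simple clues in the message about what
 * protocol might have generated this event.  Walks the protocol.map
 * "message" entries in load order and returns the `proto` of the first
 * entry whose `search` string occurs in the message, or 0 when none does.
 *
 * syslog_message : message text to scan (may be NULL -> returns 0)
 ****************************************************************************/

uint_fast8_t Parse_Proto( const char *syslog_message )
{
    uint_fast32_t i;

    for (i = 0; i < counters->mapcount_message; i++)
        {
            if ( Protocol_Map_Match(syslog_message, map_message[i].search, map_message[i].nocase) )
                {
                    return(map_message[i].proto);
                }
        }

    return(0);
}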
/*
 * Non-SSE2 CPUs get to use the pure C function. This code is based
 * off Dale Moore mine3a. Information can be found at:
 *
 * http://computer-programming-forum.com/47-c-language/69de641587bbb919.htm
 *
 * Sagan_strstr - Locate the first occurrence of the needle `_y` inside the
 * haystack `_x`.  Returns a pointer into `_x` at the match, `_x` itself
 * when the needle is empty, and NULL when the needle does not occur.
 * Like strstr(), neither argument may be NULL.
 */

char *Sagan_strstr(const char *_x, const char *_y)
{
    const char first = *_y;
    const size_t needle_len = strlen(_y);
    const char *cursor = _x;

    /* An empty needle matches at the very start of the haystack. */
    if ( first == '\0' )
        {
            return (char *) _x;
        }

    /* Hop between candidate positions that share the needle's first
     * character; strchr() yields NULL once the haystack runs out.  strncmp
     * (not memcmp) keeps the comparison inside the haystack's terminator. */
    while ( (cursor = strchr(cursor, first)) != NULL )
        {
            if ( strncmp(cursor, _y, needle_len) == 0 )
                {
                    return (char *) cursor;
                }

            cursor++;
        }

    return NULL;
}
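/* This works similar to "strcasestr". The "needle" (_y) is assumed to
 * already be converted to lowercase if "needle_lower" is FALSE.
 *
 * 0/FALSE == Don't convert needle
 * 1/TRUE  == Convert needle
 *
 * Returns a pointer into the CALLER's haystack `_x` at the first match,
 * or NULL when there is no match or the scratch buffer cannot be
 * allocated.  The needle is truncated to sizeof(needle_string) - 1 bytes
 * and the haystack to config->message_buffer_size - 1 bytes before the
 * comparison, so a match can only ever be reported inside those limits.
 */

char *Sagan_stristr(const char *_x, const char *_y, bool needle_lower )
{
    char *p = NULL;
    char needle_string[512] = { 0 };

    /* Case-fold a private copy of the haystack so the caller's data is
     * never modified; sized like every other message buffer. */
    char *haystack_string = malloc( config->message_buffer_size );

    if ( haystack_string == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] Error allocating memory.", __FILE__, __LINE__);
            return NULL;    /* never dereference NULL should Sagan_Log() return */
        }

    haystack_string[0] = '\0';

    strlcpy(haystack_string, _x, config->message_buffer_size);
    To_LowerC(haystack_string);

    strlcpy(needle_string, _y, sizeof(needle_string));

    if ( needle_lower )
        {
            To_LowerC(needle_string);
        }

    p = Sagan_strstr( (const char*)haystack_string, needle_string);

    if ( p != NULL )
        {
            /* Map the hit back into the caller's buffer.  Returning `p`
             * as-is handed out a pointer into memory freed just below
             * (a use-after-free for any caller that dereferences it).
             * Assumes To_LowerC() folds in place byte-for-byte (ASCII), so
             * an offset in the copy is the same offset in `_x` -- confirm. */
            p = (char *) _x + ( p - haystack_string );
        }

    free( haystack_string );

    return p;
}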
You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* sagan-strstr-hook.c 22 | * 23 | * This "hooks" in the "Sagan_strstr" function for CPUs supporting SSE2. 24 | * This code is based on work by Ondra Bílk and the glibc projects. 25 | * 26 | * His code/original post can be found at: 27 | * 28 | * http://comments.gmane.org/gmane.comp.lib.glibc.alpha/34531 29 | * 30 | */ 31 | 32 | #ifdef HAVE_CONFIG_H 33 | #include "config.h" /* From autoconf */ 34 | #endif 35 | 36 | #ifdef HAVE_SSE2 37 | #ifndef WITH_SYSSTRSTR 38 | 39 | int __strstr_sse2_unaligned(); 40 | int __strstr_sse42(); 41 | 42 | #endif 43 | #endif 44 | 45 | char *Sagan_strstr(const char *, const char *); 46 | char *Sagan_stristr(const char *, const char *, bool); 47 | 48 | -------------------------------------------------------------------------------- /src/pcre-s.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License.
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* This controls the "pcre" rule options */ 22 | 23 | #ifdef HAVE_CONFIG_H 24 | #include "config.h" /* From autoconf */ 25 | #endif 26 | 27 | #include 28 | #include 29 | #include 30 | #include 31 | 32 | #include "sagan.h" 33 | #include "sagan-defs.h" 34 | #include "rules.h" 35 | 36 | extern struct _Rule_Struct *rulestruct; 37 | 38 | 39 | bool PcreS ( uint_fast32_t rule_position, const char *syslog_message ) 40 | { 41 | 42 | 43 | uint_fast8_t z = 0; 44 | uint_fast8_t match = 0; 45 | int rc = 0; 46 | int ovector[PCRE_OVECCOUNT]; 47 | 48 | 49 | for(z=0; z 0 ) 55 | { 56 | match++; 57 | } 58 | 59 | } 60 | 61 | if ( match == rulestruct[rule_position].pcre_count ) 62 | { 63 | return(true); 64 | } 65 | 66 | return(false); 67 | 68 | } 69 | -------------------------------------------------------------------------------- /src/pcre-s.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool PcreS ( uint_fast32_t rule_position, const char *syslog_message ); 22 | 23 | -------------------------------------------------------------------------------- /src/plog.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | #ifdef HAVE_LIBPCAP 22 | 23 | void Plog_Handler( void ); 24 | 25 | #endif 26 | 27 | -------------------------------------------------------------------------------- /src/processor-memory.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | void Processor_Memory( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 4 | -------------------------------------------------------------------------------- /src/processor.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | void Processor ( void ); 22 | -------------------------------------------------------------------------------- /src/processors/blacklist.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
/* One blacklist entry as loaded by Sagan_Blacklist_Load().  Only a
 * `range` pair is stored: address bits and mask bits, each MAXIPBIT bytes
 * wide (MAXIPBIT is defined in sagan-defs.h; its value is not visible
 * here).  Presumably the mask is applied to a looked-up address before it
 * is compared with ipbits -- see Sagan_Blacklist_IPADDR() in blacklist.c. */

typedef struct _Sagan_Blacklist _Sagan_Blacklist;
struct _Sagan_Blacklist
{

    struct
    {
        unsigned char ipbits[MAXIPBIT];     /* network address, raw bits */
        unsigned char maskbits[MAXIPBIT];   /* network mask, raw bits */
    } range;

};
/* Client Stats structure: one record per reporting syslog client, kept
 * and updated by Client_Stats_Add_Update_IP() (client-stats.c, not
 * visible here).  Every string member is a fixed-width inline buffer, so
 * the updater must bound its copies to these sizes. */

typedef struct _Client_Stats_Struct _Client_Stats_Struct;
struct _Client_Stats_Struct
{
    uint_fast32_t hash;                 /* lookup key for this record; how it is derived lives in client-stats.c */
    char ip[64];                        /* client address as text */
    char tag[MAX_SYSLOG_TAG];           /* tag passed to Client_Stats_Add_Update_IP() */
    uint_fast64_t epoch;                /* NOTE(review): epoch vs old_epoch semantics are set in client-stats.c -- confirm */
    uint_fast64_t old_epoch;
    uint_fast64_t number_of_events;     /* running event counter */
    uint_fast64_t bytes;                /* running byte counter (the `bytes` argument of the updater) */
    char program[MAX_SYSLOG_PROGRAM];   /* presumably the most recent program seen from this client */
    char message[MAX_SYSLOGMSG];        /* presumably the most recent message seen from this client */
};
19 | */ 20 | 21 | void Dynamic_Rules ( struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, uint_fast32_t rule_position, const char *ip_src, const char *ip_dst ); 22 | 23 | -------------------------------------------------------------------------------- /src/processors/engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | 22 | void Sagan_Engine ( struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, struct _Sagan_JSON *JSON_LOCAL, bool dynamic_rule_flag ); 23 | 24 | void Sagan_Engine_Init ( void ); 25 | -------------------------------------------------------------------------------- /src/processors/stats-json.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Stats_JSON_Init( void ); 22 | void Stats_JSON_Close( void ); 23 | void Stats_JSON_Handler( void ); 24 | 25 | -------------------------------------------------------------------------------- /src/processors/track-clients.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Adam Hall 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. 
/* Per-client tracking record.  The _IPC suffix suggests this lives in
 * shared memory alongside the other IPC tables -- confirm in
 * track-clients.c / ipc.c, neither of which is visible here. */

typedef struct _Sagan_Track_Clients_IPC _Sagan_Track_Clients_IPC;
struct _Sagan_Track_Clients_IPC
{
    unsigned char hostbits[MAXIPBIT];   /* reporting client's address, raw bits (MAXIPBIT from sagan-defs.h) */
    long utime;                         /* need to be long for ctime() */
    uint_fast32_t expire;               /* NOTE(review): units and meaning are set in track-clients.c -- confirm */
    bool status;                        /* presumably "still reporting" vs "gone quiet"; verify in Track_Clients() */
};

/* One network the tracker is limited to: address bits plus mask bits,
 * same layout as the blacklist and zeek-intel range records. */

typedef struct _Track_Clients_Networks _Track_Clients_Networks;
struct _Track_Clients_Networks
{

    struct
    {
        unsigned char ipbits[MAXIPBIT];     /* network address, raw bits */
        unsigned char maskbits[MAXIPBIT];   /* network mask, raw bits */
    } range;

};
/* Storage records for the Zeek/Bro Intel indicator types.  Each indicator
 * kind is kept in its own fixed-width record; the array sizes below are
 * the hard upper bound on a single indicator, so whatever fills them
 * (presumably ZeekIntel_Load_File(), in zeek-intel.c) must bound its
 * copies to these sizes.  Matching is done by the ZeekIntel_* lookups
 * declared at the end of this header. */

typedef struct _ZeekIntel_Intel_Addr _ZeekIntel_Intel_Addr;
struct _ZeekIntel_Intel_Addr
{
    unsigned char bits_ip[MAXIPBIT];    /* address as raw bits (MAXIPBIT from sagan-defs.h) */
};

typedef struct _ZeekIntel_Intel_Domain _ZeekIntel_Intel_Domain;
struct _ZeekIntel_Intel_Domain
{
    char domain[255];                   /* domain name indicator */
};

typedef struct _ZeekIntel_Intel_File_Hash _ZeekIntel_Intel_File_Hash;
struct _ZeekIntel_Intel_File_Hash
{
    char hash[64];                      /* file hash as text; 63 chars max, so no room for a SHA-512 hex digest */
};

typedef struct _ZeekIntel_Intel_URL _ZeekIntel_Intel_URL;
struct _ZeekIntel_Intel_URL
{
    char url[10240];                    /* URL indicator; by far the largest record */
};

typedef struct _ZeekIntel_Intel_Software _ZeekIntel_Intel_Software;
struct _ZeekIntel_Intel_Software
{
    char software[128];                 /* software name/version indicator */
};

typedef struct _ZeekIntel_Intel_Email _ZeekIntel_Intel_Email;
struct _ZeekIntel_Intel_Email
{
    char email[128];                    /* e-mail address indicator */
};

typedef struct _ZeekIntel_Intel_User_Name _ZeekIntel_Intel_User_Name;
struct _ZeekIntel_Intel_User_Name
{
    char username[64];                  /* user name indicator */
};

typedef struct _ZeekIntel_Intel_File_Name _ZeekIntel_Intel_File_Name;
struct _ZeekIntel_Intel_File_Name
{
    char file_name[128];                /* file name indicator */
};

typedef struct _ZeekIntel_Intel_Cert_Hash _ZeekIntel_Intel_Cert_Hash;
struct _ZeekIntel_Intel_Cert_Hash
{
    char cert_hash[64];                 /* certificate hash as text, same width limit as file hashes */
};
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* Storage for protocol.map (program search) */ 22 | 23 | typedef struct _Sagan_Protocol_Map_Program _Sagan_Protocol_Map_Program; 24 | struct _Sagan_Protocol_Map_Program 25 | { 26 | // int type; 27 | uint_fast8_t proto; 28 | bool nocase; 29 | char program[64]; 30 | }; 31 | 32 | /* Storage for protocol.map (message search) */ 33 | 34 | typedef struct _Sagan_Protocol_Map_Message _Sagan_Protocol_Map_Message; 35 | struct _Sagan_Protocol_Map_Message 36 | { 37 | // int type; 38 | uint_fast8_t proto; 39 | bool nocase; 40 | char search[512]; 41 | }; 42 | 43 | void Load_Protocol_Map( const char * ); 44 | 45 | -------------------------------------------------------------------------------- /src/redis.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | #ifdef HAVE_LIBHIREDIS 22 | 23 | #include 24 | 25 | #define MAX_REDIS_KEY_SIZE 128 26 | 27 | 28 | void Redis_Reader_Connect ( void ); 29 | void Redis_Writer (void); 30 | void Redis_Writer_Init (void); 31 | void Redis_Reader ( const char *redis_command, char *str, size_t size ); 32 | 33 | typedef struct _Sagan_Redis_Write _Sagan_Redis_Write; 34 | struct _Sagan_Redis_Write 35 | { 36 | char command[16]; 37 | char *key; 38 | char *value; 39 | uint_fast32_t expire; 40 | }; 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /src/references.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | /* Reference structure */ 22 | 23 | typedef struct _Ref_Struct _Ref_Struct; 24 | struct _Ref_Struct 25 | { 26 | char s_refid[512]; 27 | char s_refurl[2048]; 28 | }; 29 | 30 | 31 | void Load_Reference ( const char * ); 32 | void Reference_Lookup( uint_fast32_t rulemem, bool type, char *str, size_t size ); 33 | -------------------------------------------------------------------------------- /src/routing.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | typedef struct _Sagan_Routing _Sagan_Routing; 22 | struct _Sagan_Routing 23 | { 24 | uint_fast32_t position; 25 | bool check_flow_return; 26 | bool flexbit_count_return; 27 | bool flexbit_return; 28 | bool xbit_return; 29 | bool event_id_return; 30 | bool alert_time_trigger; 31 | bool geoip2_isset; 32 | bool blacklist_results; 33 | bool zeekintel_results; 34 | 35 | #ifdef WITH_BLUEDOT 36 | 37 | bool bluedot_hash_flag; 38 | bool bluedot_filename_flag; 39 | bool bluedot_url_flag; 40 | bool bluedot_ip_flag; 41 | bool bluedot_ja3_flag; 42 | 43 | #endif 44 | 45 | }; 46 | 47 | bool Sagan_Check_Routing( _Sagan_Routing *SaganRouting ); 48 | 49 | -------------------------------------------------------------------------------- /src/search-type.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* search-type.c is used by json-content.c & json-meta-content.c to determine 22 | if a search will be done via strcmp/strcasecmp or Sagan_strstr/Sagan_stristr. 
   This works with the "json_strstr", "json_meta_strstr" or lack of (strcmp). */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include <stdbool.h>            /* reconstructed: header names were lost in page extraction (bool) */
#include <string.h>             /* strcmp */
#include <strings.h>            /* strcasecmp */

#include "sagan.h"
#include "sagan-defs.h"
#include "search-type.h"

#include "parsers/parsers.h"

/* Search_Case - case-sensitive match of needle against haystack.
 *
 * type == true  : substring search via Sagan_strstr()
 * type == false : exact, whole-string comparison via strcmp()
 *
 * Returns true on a match, false otherwise. */

bool Search_Case ( const char *haystack, const char *needle, bool type)
{

    if ( type == true )
    {
        return ( Sagan_strstr( haystack, needle ) ? true : false );
    }

    return ( strcmp( haystack, needle ) == 0 );

}

/* Search_Nocase - case-insensitive match of needle against haystack.
 *
 * type == true  : substring search via Sagan_stristr()
 * type == false : exact, whole-string comparison via strcasecmp()
 *
 * NOTE(review): needle_lower is never used. The third argument handed to
 * Sagan_stristr() is `type`, which is always true on that path. If that
 * parameter tells Sagan_stristr() whether the needle is already lower-cased
 * (its declaration lives in parsers/parsers.h, not visible here), a mixed-case
 * needle would be compared incorrectly and a json_strstr / json_meta_strstr
 * rule could silently miss matches. Confirm against the callers before
 * changing it to `needle_lower`.
 *
 * Returns true on a match, false otherwise. */

bool Search_Nocase ( const char *haystack, const char *needle, bool needle_lower, bool type)
{

    if ( type == true )
    {
        return ( Sagan_stristr( haystack, needle, type ) ? true : false );
    }

    return ( strcasecmp( haystack, needle ) == 0 );

}

-------------------------------------------------------------------------------- /src/search-type.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool Search_Case ( const char *haystack, const char *needle, bool type); 22 | bool Search_Nocase ( const char *haystack, const char *needle, bool needle_lower, bool type); 23 | 24 | -------------------------------------------------------------------------------- /src/send-alert.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | 22 | //void Send_Alert ( struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, uint32_t rule_position, struct timeval tp, char *bluedot_json, unsigned char bluedot_results, struct _GeoIP *GeoIP_SRC, struct _GeoIP *GeoIP_DEST ); 23 | 24 | void Send_Alert ( struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, uint32_t rule_position, struct timeval tp, char *bluedot_json, unsigned char bluedot_results, uint_fast16_t json_count ); 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /src/signal-handler.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | void Sig_Handler( void ); 22 | 23 | -------------------------------------------------------------------------------- /src/stats.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Statistics( void ); 22 | -------------------------------------------------------------------------------- /src/threshold.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | bool Threshold2 ( uint_fast32_t rule_position, const char *ip_src, uint16_t src_port, const char *ip_dst, uint16_t dst_port, const char *username, const char *syslog_message ); 22 | 23 | 24 | -------------------------------------------------------------------------------- /src/tracking-syslog.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | void RuleTracking_Syslog( void ); 22 | 23 | -------------------------------------------------------------------------------- /src/usage.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | void Usage( void ); 22 | -------------------------------------------------------------------------------- /src/util-base64.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2009-2025 Quadrant Information Security 3 | ** Copyright (C) 2009-2025 Champ Clark III 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | int Base64Encode(const unsigned char *, unsigned long, unsigned char *, unsigned long *); 22 | int Base64Decode(const unsigned char *src, size_t len, char *str, size_t size); 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /src/util-strlcat.c: -------------------------------------------------------------------------------- 1 | /* strlcat 2 | * 3 | * Provided by the OpenBSD team. This is here for systems that do not 4 | * support the strlcat call. 5 | * 6 | */ 7 | 8 | 9 | /* $OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */ 10 | /* 11 | * Copyright (c) 1998 Todd C. Miller 12 | * 13 | * Permission to use, copy, modify, and distribute this software for any 14 | * purpose with or without fee is hereby granted, provided that the above 15 | * copyright notice and this permission notice appear in all copies. 16 | * 17 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 18 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 19 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 20 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 21 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 22 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 23 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifndef HAVE_STRLCAT

#include                        /* header name lost in page extraction; the OpenBSD original pulls in <sys/types.h> */
#include                        /* header name lost in page extraction; the OpenBSD original pulls in <string.h> for strlen() */

/*
 * Appends src to string dst of size siz (unlike strncat, siz is the
 * full size of dst, not space left).  At most siz-1 characters
 * will be copied.  Always NUL terminates (unless siz <= strlen(dst)).
 * Returns strlen(src) + MIN(siz, strlen(initial dst)).
 * If retval >= siz, truncation occurred.
 *
 * Truncation is reported only through the return value: a caller that
 * must not lose data has to compare the result with siz itself.
 */
size_t
strlcat(char *dst, const char *src, size_t siz)
{
    char *d = dst;
    const char *s = src;
    size_t n = siz;
    size_t dlen;

    /* Find the end of dst and adjust bytes left but don't go past end */
    /* The n-- bound means an unterminated dst is scanned for at most siz
     * bytes; in that case dlen == siz and n becomes 0 below. */
    while (n-- != 0 && *d != '\0')
        d++;
    dlen = d - dst;
    n = siz - dlen;             /* dlen <= siz here, so this cannot wrap */

    if (n == 0)
        return(dlen + strlen(s));   /* no room, not even for a NUL: dst is left untouched */
    while (*s != '\0')
    {
        if (n != 1)             /* keep the last byte for the terminator */
        {
            *d++ = *s;
            n--;
        }
        s++;                    /* keep walking src so the return value is its full length */
    }
    *d = '\0';

    return(dlen + (s - src));   /* count does not include NUL */
}

#endif
-------------------------------------------------------------------------------- /src/util-strlcpy.c: --------------------------------------------------------------------------------
/* strlcpy
 *
 * Provided by the OpenBSD team.  This file is here for systems that
 * do not support the strlcpy call.
 *
 */

/* $OpenBSD: strlcpy.c,v 1.11 2006/05/05 15:27:38 millert Exp $ */

/*
 * Copyright (c) 1998 Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.
   IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifndef HAVE_STRLCPY

#include <sys/types.h>          /* reconstructed: header names were lost in page extraction (OpenBSD strlcpy.c) */
#include <string.h>

/*
 * Copy src to string dst of size siz.  At most siz-1 characters
 * will be copied.  Always NUL terminates (unless siz == 0).
 * Returns strlen(src); if retval >= siz, truncation occurred.
 *
 * dst is always terminated when siz > 0, so it is safe to use even after
 * a truncated copy; only the return value (retval >= siz) tells the
 * caller that data was dropped.
 */
size_t
strlcpy(char *dst, const char *src, size_t siz)
{
    const char *s = src;
    size_t copied = 0;

    /* Copy while a byte of room is left for the terminator */
    if (siz != 0)
    {
        char *d = dst;

        while (copied + 1 < siz && *s != '\0')
        {
            *d++ = *s++;
            copied++;
        }
        *d = '\0';              /* NUL-terminate dst, even when nothing was copied */
    }

    /* Walk whatever remains of src so the return value is its full length */
    while (*s != '\0')
        s++;

    return((size_t)(s - src));  /* count does not include NUL */
}

#endif
-------------------------------------------------------------------------------- /src/util-time.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | struct tm *Sagan_LocalTime(time_t, struct tm *); 22 | void CreateTimeString (const struct timeval *, char *, size_t, bool ); 23 | void CreateIsoTimeString (const struct timeval *, char *, size_t ); 24 | void Return_Date( uint32_t, char *str, size_t size ); 25 | void Return_Time( uint32_t, char *str, size_t size ); 26 | void u32_Time_To_Human ( uint_fast64_t utime, char *str, size_t size ); 27 | uint64_t Return_Epoch( void ); 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /src/version.h: -------------------------------------------------------------------------------- 1 | #define VERSION "2.1.0" 2 | -------------------------------------------------------------------------------- /src/xbit-mmap.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /* 3 | ** Copyright (C) 2009-2025 Quadrant Information Security 4 | ** Copyright (C) 2009-2025 Champ Clark III 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* mmap()-backed xbit store: set/unset an xbit for a rule, evaluate an xbit
 * condition for a rule, and expire stale entries. */

void Xbit_Set_MMAP(uint_fast32_t rule_position, const char *ip_src_char, const char *ip_dst_char, const char *syslog_message );
bool Xbit_Condition_MMAP( uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL );
void Clean_Xbit_MMAP(void);

/* One xbit record as kept in the (presumably mmap-backed, given the file name)
 * xbit store. */

typedef struct _Sagan_IPC_Xbit _Sagan_IPC_Xbit;
struct _Sagan_IPC_Xbit
{
    char xbit_name[64];
    uint_fast32_t xbit_hash;
    uint_fast32_t xbit_name_hash;
    uint_fast64_t xbit_expire;
    uint_fast32_t expire;
    /* NOTE(review): a zero-length array is a GNU extension that occupies no
     * storage, and it is not the last member, so it is not a flexible array
     * member either. Any byte written through syslog_message lands on sid /
     * signature_msg. Confirm nothing writes to it; if it is a leftover, removing
     * it removes the hazard. */
    char syslog_message[0];
    uint_fast64_t sid;
    char signature_msg[MAX_SAGAN_MSG];

};
-------------------------------------------------------------------------------- /src/xbit-redis.h: --------------------------------------------------------------------------------
/* $Id$ */
/*
** Copyright (C) 2009-2025 Quadrant Information Security
** Copyright (C) 2009-2025 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | void Xbit_Set_Redis( uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 23 | bool Xbit_Condition_Redis(uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); 24 | void Xbit_Return_Tracking_IP ( uint_fast32_t rule_position, uint_fast8_t xbit_position, const char *ip_src_char, const char *ip_dst_char, char *str, size_t size ); 25 | -------------------------------------------------------------------------------- /src/xbit.c: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /* 3 | ** Copyright (C) 2009-2025 Quadrant Information Security 4 | ** Copyright (C) 2009-2025 Champ Clark III 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* xbit.c - Handles and routes requests for xbits via mmap() or redis */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include <stdio.h>              /* reconstructed: header names were lost in page extraction */
#include <stdbool.h>            /* bool */
#include <inttypes.h>           /* PRIu64, uint_fast32_t */

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "rules.h"

#include "xbit.h"
#include "xbit-mmap.h"

#ifdef HAVE_LIBHIREDIS

#include "redis.h"
#include "xbit-redis.h"

#endif

extern struct _Rule_Struct *rulestruct;
extern struct _SaganConfig *config;

/***************************************************/
/* Xbit_Set - "set", "unset" and "toggle" an xbit  */
/***************************************************/

void Xbit_Set(uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL )
{

    /* Backend selection: Redis is used only when it was compiled in, enabled in
     * the configuration and chosen as the xbit store. Every other case goes to
     * the mmap()-backed store. */

#ifdef HAVE_LIBHIREDIS

    const bool redis_backend = ( config->redis_flag && config->xbit_storage == XBIT_STORAGE_REDIS );

    if ( redis_backend )
    {
        Xbit_Set_Redis( rule_position, SaganProcSyslog_LOCAL );
        return;
    }

#endif

    Xbit_Set_MMAP( rule_position, SaganProcSyslog_LOCAL->src_ip, SaganProcSyslog_LOCAL->dst_ip, SaganProcSyslog_LOCAL->syslog_message );

}

/*********************************************************************************/
/* Xbit_Return_Tracking_Hash - Used by mmap() xbit tracking.
   This is used to */
/* determine the direction of an xbit and returns a hash for association       */
/*********************************************************************************/

uint_fast32_t Xbit_Return_Tracking_Hash ( uint_fast32_t rule_position, uint_fast8_t xbit_position, const char *ip_src_char, const char *ip_dst_char )
{

    /* The key that is hashed follows the rule's xbit_direction for this xbit:
     *   1 - source address only
     *   2 - destination address only
     *   3 - the "src:dst" pair
     * Any other value is a configuration error: it is logged and 0 is returned. */

    char hash_pair[MAXIP*2] = { 0 };

    switch ( rulestruct[rule_position].xbit_direction[xbit_position] )
    {

    case 1:
        return( Djb2_Hash(ip_src_char) );

    case 2:
        return( Djb2_Hash(ip_dst_char) );

    case 3:
        /* Assumes each address string is shorter than MAXIP, so "src:dst" plus
         * the NUL fits in MAXIP*2. A longer input is silently truncated by
         * snprintf() and the hash would then cover the truncated pair. */
        snprintf(hash_pair, sizeof(hash_pair), "%s:%s", ip_src_char, ip_dst_char);
        return( Djb2_Hash(hash_pair) );

    default:
        break;
    }

    /* Should never get here */

    Sagan_Log(WARN, "[%s, line %d] Bad xbit_direction for sid %" PRIu64 "", __FILE__, __LINE__, rulestruct[rule_position].s_sid);
    return(0);

}

/****************************************************************************/
/* Xbit_Condition - This handles xbit conditions like "isset", "isnotset".
*/ 107 | /****************************************************************************/ 108 | 109 | bool Xbit_Condition(uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ) 110 | { 111 | 112 | #ifdef HAVE_LIBHIREDIS 113 | 114 | if ( config->redis_flag && config->xbit_storage == XBIT_STORAGE_REDIS ) 115 | { 116 | return( Xbit_Condition_Redis(rule_position, SaganProcSyslog_LOCAL) ); 117 | } 118 | 119 | #endif 120 | 121 | return( Xbit_Condition_MMAP(rule_position, SaganProcSyslog_LOCAL) ); 122 | 123 | } 124 | 125 | -------------------------------------------------------------------------------- /src/xbit.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /* 3 | ** Copyright (C) 2009-2025 Quadrant Information Security 4 | ** Copyright (C) 2009-2025 Champ Clark III 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/

/* xbit operation codes.  Presumably carried in the rule's xbit type field
 * and matched by the backends - confirm against rules.h. */
#define XBIT_SET 1
#define XBIT_UNSET 2
#define XBIT_ISSET 3
#define XBIT_ISNOTSET 4

/* Evaluate the rule's xbit test against the Redis or mmap() backend and
 * return the backend's verdict (see xbit.c). */
bool Xbit_Condition(uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL );

/* Djb2 hash of the IP material selected by the rule's xbit_direction for
 * xbit_position (1 = src, 2 = dst, 3 = "src:dst").  Returns 0, after a WARN
 * log line, for any other direction value; 0 is also a valid hash, so the
 * caller cannot distinguish the error case by return value alone. */
uint_fast32_t Xbit_Return_Tracking_Hash ( uint_fast32_t rule_position, uint_fast8_t xbit_position, const char *ip_src_char, const char *ip_dst_char );

/* Apply the xbit change for rule_position to the active backend. */
void Xbit_Set(uint_fast32_t rule_position, struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL );

--------------------------------------------------------------------------------
/stamp-h1:
--------------------------------------------------------------------------------
timestamp for config.h
--------------------------------------------------------------------------------
/tools/Makefile.am:
--------------------------------------------------------------------------------
ACLOCAL_AMFLAGS = -I m4

# NOTE(review): automake only honours AUTOMAKE_OPTIONS; the misspelt name on
# the next line is passed through as an ordinary make variable, so "foreign
# no-dependencies subdir-objects" only take effect if they are also given to
# AM_INIT_AUTOMAKE in configure.ac - confirm before relying on them.
AUTOMAKE_OPIONS=foreign no-dependencies subdir-objects

# saganpeek is built from its own source plus utility files shared with the
# main daemon in ../src, including the assembly strstr implementations.
bin_PROGRAMS = saganpeek
saganpeek_CPPFLAGS = -I../src $(LIBFASTJSON_CFLAGS) $(LIBESTR_CFLAGS)
saganpeek_LDADD = $(LIBFASTJSON_LIBS) $(LIBLOGNORM_LIBS) $(LIBESTR_LIBS)

saganpeek_SOURCES = saganpeek.c \
	../src/util-strlcpy.c \
	../src/util-strlcat.c \
	../src/util.c \
	../src/util-time.c \
	../src/lockfile.c \
	../src/parsers/strstr-asm/strstr-hook.c \
	../src/parsers/strstr-asm/strstr_sse2.S \
	../src/parsers/strstr-asm/strstr_sse4_2.S

# Empty hook: no recipe, so nothing beyond bin_PROGRAMS is installed here.
install-data-local:

--------------------------------------------------------------------------------
