Multi-threaded real-time log analysis and correlation engine with Snort and Suricata-style rules
- Stars197
- Forks35
- Open Issues45
GPL-2.0
- C
- M4
- Perl
About Sagan
Sagan is a real-time log analysis and correlation engine for security events. Written in C with a multi-threaded architecture, it inspects log data rather than network packets, and mirrors Suricata and Snort so existing rule management and IDS/IPS workflows carry straight over.
It writes alerts in Snort unified2 or Suricata JSON, ships events to databases and SIEMs over syslog, and feeds Elasticsearch consoles such as Kibana and EveBox. Parsing uses liblognorm, with GeoIP detection, on-event script execution, thresholding, xbits correlation, and blacklist and threat-intel lookups.
It can share state between instances through Redis, letting distributed sensors correlate events together. Rules and detection logic stay open under GPLv2, so analysts can tune or author their own signatures for local log sources.
Key features
- Multi-threaded real-time log processing
- Snort and Suricata-style rule syntax
- Unified2 and Suricata JSON output
- liblognorm parsing and GeoIP detection
- Threat-intel lookups and xbits correlation
Details
- On GitHub since
- 2021
- License
- GNU GPLv2
- Language
- C
- Rule model
- Snort and Suricata-like
- Output
- Unified2, JSON, syslog
- Correlation
- xbits, thresholding