来自Sagan官网:https://quadrantsec.com/services_technology/product_technology/
Sagan是一个多线程的,实时的安全信息事件管理分析软件,它跟Snort很像,并且它能够使用Snort的规则,包含7500多个攻击特征,用来检测攻击。
Furthermore, the Sagan console also has these unique features:
QSearch - Allows the customer to be able to search through their logs, and provides faster results than searching logs themselves or waiting on results from analysts. All of the data is indexed allowing for expedited searches. Tested results thus far have shown that the new search algorithms are even capable of processing more data in less time. This functionality was built in-house allowing for constant growth and future add-ons.
Reporting - The new report tool is a web application that provides customizable report generation using modular tools. Customers will be able to identify the sets of data that they are most interested in, quickly create various data visualizations, and save their favorite templates to their report dashboard. You can access our reporting tools from the Sagan console.
Reputation Database - Quadrant has accumulated, and continues to pursue, information regarding numerous malicious IP addresses. Threats validated by security analysts, and the associated sources of those threats, are "injected" into a reputation database. Addresses placed into the reputation database will be immediately accessible to a Sagan API, enabling Sagan to more quickly identify threats from the known malicious sources.
Threat Intelligence (Bluedot) - Threat intelligence is one of the big buzzwords in InfoSec today. Where many organizations fall short, however, is in understanding what intelligence is and how it should be leveraged. Intelligence is a product resulting from the collection, exploitation, and analyses of information which is used to support decision making by reducing uncertainty. Intelligence must be actionable, relevant, and timely. Blacklists do not provide context with respect to industries, attacker TTP's, or the ability to identify trends or forecast threats, whereas intelligence does. Intelligence helps determine "Why", "So what", and "What next,” among other things. Quadrant understands what threat intelligence is, and is currently engaged in developing a robust intelligence platform designed to support the tactical, operational, and strategic goals of your organization.
What does Quadrant use Sagan for?
Quadrant utilizes the product in-house to manage our 24/7 Managed IDS / IPS services for customers. We also provide the Sagan software (command line version / Open Source) to the security community. Sagan has the capability to manage events from the following assets:
- -Routers (Cisco, etc)
- -Managed network switches
- -Firewalls (Sonicwall, Fortigate, etc)
- -IDS/IPS systems (Cisco, Fortigate, etc)
- -Linux and Unix systems (services, kernel messages, etc)
- -Windows based networks (Event logs, etc)
- -Wireless access points (Cisco, D-Link, etc)
- -Host based IDS systems (HIDS) ( AIDE, OSSEC, etc)
- -Detection of rogue devices on networks (via Arpalert, etc)
- -Much, much more…..Sagan gives us a broad range of devices, services, applications that we can monitor. For example, if your organization is a "Cisco shop" and you don't want to deploy Snort based IDS/IPS sensors, it really doesn't matter to our staff. We can monitor the Cisco devices just as we would a Snort based IDS/IPS solution.
Snort