==> debian/examples/rsyslog.d/sagan.conf <==

# The standard "input" template Sagan uses.  Basically the message 'format'
# Sagan understands.  The template is _one_ line.
$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"

# The FIFO/named pipe location.  This is what Sagan will read.
*.* |/var/run/sagan/sagan.fifo;sagan

==> debian/README.Debian <==

sagan for Debian
----------------

When Sagan starts, it will create a FIFO: /var/run/sagan/sagan.fifo

You have to configure the syslog daemon to send events to this FIFO.

For rsyslog, see
https://wiki.softwink.com/bin/view/Main/SaganHOWTO#Rsyslog_configuration

An example template for rsyslog is provided in the examples directory.
To install it, copy the file ::

    cp /usr/share/doc/sagan/examples/rsyslog.d/sagan.conf /etc/rsyslog.d/

and restart rsyslog.

For syslog-ng, see
https://wiki.softwink.com/bin/view/Main/SaganHOWTO#Syslog_ng_configuration

 -- Pierre Chifflier, Sat May 14 07:04:34 UTC 2011

==> debian/rules <==

#!/usr/bin/make -f
# -*- makefile -*-
#
# rules file for Sagan
# Written by Pierre Chifflier
#
# This file was originally written by Joey Hess and Craig Small.
# As a special exception, when this file is copied by dh-make into a
# dh-make output file, you may use that output file without restriction.
# This special exception was added by Craig Small in version 0.37 of dh-make.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

override_dh_auto_configure:
	dh_testdir
	dh_auto_configure -- --with-postgresql-includes=/usr/include/postgresql --disable-libdnet LIBS="-lm -lestr -lee"

override_dh_auto_install:
	dh_auto_install
	rm -rf debian/sagan/var/run/sagan
	sed -i \
	  -e 's|/usr/local/etc|/etc|' \
	  -e 's|/var/run/sagan.fifo|/var/run/sagan/sagan.fifo|' \
	  -e 's|^\(.*\)apc-emu.rules|#\1apc-emu.rules|' \
	  -e 's|^\(.*\)bonding.rules|#\1bonding.rules|' \
	  -e 's|^\(.*\)cacti-thold.rules|#\1cacti-thold.rules|' \
	  -e 's|^\(.*\)ossec-mi.rules|#\1ossec-mi.rules|' \
	  -e 's|^\(.*\)sonicwall.rules|#\1sonicwall.rules|' \
	  debian/sagan/etc/sagan.conf

%:
	dh $@

==> debian/watch <==

# watch control file for uscan
# Run the "uscan" command to check for upstream updates and more.
# See uscan(1) for format

# Compulsory line, this is a version 3 file
version=3

http://sagan.softwink.com/download/ sagan-([0-9.]*)\.tar\.gz

==> debian/patches/series <==

01-do-not-include-lognorm-private-header.patch

==> debian/patches/01-do-not-include-lognorm-private-header.patch <==

Index: sagan/src/sagan-config.c
===================================================================
--- sagan.orig/src/sagan-config.c	2012-04-16 22:06:28.942723611 +0200
+++ sagan/src/sagan-config.c	2012-04-16 22:07:56.226723930 +0200
@@ -48,7 +48,6 @@
 #ifdef HAVE_LIBLOGNORM
 #include
 #include
-#include
 #endif
 #include "version.h"
Index: sagan/src/sagan-signal.c
===================================================================
--- sagan.orig/src/sagan-signal.c	2012-04-16 22:06:28.942723611 +0200
+++ sagan/src/sagan-signal.c	2012-04-16 22:07:56.230723926 +0200
@@ -41,7 +41,6 @@
 #ifdef HAVE_LIBLOGNORM
 #include
 #include
-#include
 static ln_ctx ctx;
 int liblognorm_count;
 #endif
Index: sagan/src/sagan.c
===================================================================
--- sagan.orig/src/sagan.c	2012-04-16 22:06:28.942723611 +0200
+++ sagan/src/sagan.c	2012-04-16 22:07:56.230723926 +0200
@@ -58,7 +58,6 @@
 #ifdef HAVE_LIBLOGNORM
 #include
 #include
-#include
 #endif
 #ifdef HAVE_LIBDNET

==> debian/sagan.examples <==

debian/examples/rsyslog.d

==> debian/changelog <==

sagan (0.2.1.r1-1) unstable; urgency=low

  * Imported Upstream version 0.2.1-r1
  * Refreshed quilt patches
  * Prepend -lm to LIBS in configure script, to fix a build failure
  * Bump Standards Version to 3.9.3
  * Switch to debhelper 9, and use hardening flags instead of
    hardening-wrapper

 -- Pierre Chifflier  Mon, 16 Apr 2012 22:33:24 +0200

sagan (0.2.0-1) unstable; urgency=low

  * Imported Upstream version 0.2.0
    - Fifo handling on start should not block now (Closes: #639254)
  * Add patch to fix build (Closes: #652166)
    - Do not include lognorm.h directly, this is a private header
  * Convert to DH version 8
  * Add .gitignore file

 -- Pierre Chifflier  Sat, 17 Dec 2011 16:04:27 +0000

sagan (0.1.9-1) unstable; urgency=low

  * Imported Upstream version 0.1.9
  * Enable hardening wrapper
  * Use LIBS rather than LDFLAGS for additional libs, fix ftbfs with
    --as-needed (Closes: #632101)
  * Bump Standards Version to 3.9.2

 -- Pierre Chifflier  Fri, 15 Jul 2011 21:01:17 +0200

sagan (0.1.9~svn129-1) unstable; urgency=low

  * Initial release (Closes: #609893)

 -- Pierre Chifflier  Thu, 17 Mar 2011 15:18:58 +0100

==> debian/control <==

Source: sagan
Section: admin
Priority: extra
Maintainer: Pierre Chifflier
Build-Depends: debhelper (>= 9), autotools-dev, pkg-config, libpcre3-dev,
 libesmtp-dev, libpcap-dev, libmysqlclient-dev, libpq-dev, libprelude-dev,
 liblognorm-dev
Standards-Version: 3.9.3
Homepage: http://sagan.softwink.com/
#Vcs-Git: git://git.debian.org/collab-maint/sagan.git
#Vcs-Browser: http://git.debian.org/?p=collab-maint/sagan.git;a=summary

Package: sagan
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, sagan-rules
Description: Real-time System & Event Log Monitoring System
 Sagan is a multi-threaded, real time system- and event-log monitoring
 system, but with a twist. Sagan uses a “Snort” like rule set for
 detecting malicious events happening on your network and/or computer
 systems.
 If Sagan detects a potentially bad event, that event can be stored in a
 Snort database (MySQL/PostgreSQL), sent to a SIEM tool like Prelude, or
 sent by email.
 Sagan is meant to be used in a ‘centralized’ logging environment, but
 will work fine as part of a standalone Host IDS system for workstations.

==> debian/sagan.init <==

#!/bin/sh
### BEGIN INIT INFO
# Provides:          sagan
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Real-time System & Event Log Monitoring System
# Description:       Sagan is a multi-threaded, real time system- and
#                    event-log monitoring system. Sagan uses a “Snort” like
#                    rule set for detecting malicious events happening on
#                    your network and/or computer systems.
### END INIT INFO

# Author: Pierre Chifflier

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC=sagan               # Introduce a short description here
NAME=sagan               # Introduce the short server's name here
DAEMON=/usr/sbin/sagan   # Introduce the server's location here
DAEMON_ARGS="-D"         # Arguments to run the daemon with
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
VARRUN=/var/run/$NAME

# Exit if the package is not installed
[ -x $DAEMON ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# /etc/default/sagan sets DAEMON_OPTS; append it to the built-in arguments,
# otherwise options placed in that file never reach the daemon.
DAEMON_ARGS="$DAEMON_ARGS${DAEMON_OPTS:+ $DAEMON_OPTS}"

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
	# The FIFO is owned by sagan:adm with mode 0770, so only the daemon's
	# user and the adm group (rsyslog's side) can write events into it.
	[ -d "$VARRUN" ] || mkdir "$VARRUN"
	chown sagan:adm "$VARRUN"
	[ -e "$VARRUN/sagan.fifo" ] || mkfifo -m 0770 "$VARRUN/sagan.fifo"
	chown sagan:adm "$VARRUN/sagan.fifo"
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
		|| return 1
	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
		$DAEMON_ARGS \
		|| return 2
	# Add code here, if necessary, that waits for the process to be ready
	# to handle requests from services started subsequently which depend
	# on this one.  As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
	RETVAL="$?"
	[ "$RETVAL" = 2 ] && return 2
	# Wait for children to finish too if this is a daemon that forks
	# and if the daemon is only ever run from this initscript.
	# If the above conditions are not satisfied then add some other code
	# that waits for the process to drop all resources that could be
	# needed by services started subsequently.  A last resort is to
	# sleep for some time.
	start-stop-daemon --stop --quiet --oknodo --retry=0/10/KILL/5 --exec $DAEMON
	[ "$?" = 2 ] && return 2
	# Many daemons don't delete their pidfiles when they exit.
	rm -f $PIDFILE
	return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
	#
	# If the daemon can reload its configuration without
	# restarting (for example, when it is sent a SIGHUP),
	# then implement that here.
	#
	# start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
	return 0
}

case "$1" in
  start)
	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
	do_start
	case "$?" in
		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
	esac
	;;
  stop)
	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
	do_stop
	case "$?" in
		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
	esac
	;;
  status)
	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
	;;
  #reload|force-reload)
	#
	# If do_reload() is not implemented then leave this commented out
	# and leave 'force-reload' as an alias for 'restart'.
	#
	#log_daemon_msg "Reloading $DESC" "$NAME"
	#do_reload
	#log_end_msg $?
	#;;
  restart|force-reload)
	#
	# If the "reload" option is implemented then remove the
	# 'force-reload' alias
	#
	log_daemon_msg "Restarting $DESC" "$NAME"
	do_stop
	case "$?" in
	  0|1)
		do_start
		case "$?" in
			0) log_end_msg 0 ;;
			1) log_end_msg 1 ;; # Old process is still running
			*) log_end_msg 1 ;; # Failed to start
		esac
		;;
	  *)
		# Failed to stop
		log_end_msg 1
		;;
	esac
	;;
  *)
	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
	exit 3
	;;
esac

:

==> debian/sagan.manpages <==

debian/sagan.8

==> debian/docs <==

FAQ
NEWS
README
TODO

==> debian/source/format <==

3.0 (quilt)

==> debian/sagan.8 <==

.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH SAGAN 8 "February 15, 2011"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh        disable hyphenation
.\" .hy        enable hyphenation
.\" .ad l      left justify
.\" .ad b      justify to both left and right margins
.\" .nf        disable filling
.\" .fi        enable filling
.\" .br        insert line break
.\" .sp        insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
sagan \- Real-time System & Event Log Monitoring System
.SH SYNOPSIS
.B sagan
.RI [ options ]
.br
.SH DESCRIPTION
This manual page documents briefly the
.B sagan
command.
.PP
.\" TeX users may be more comfortable with the \fB\fP and
.\" \fI\fP escape sequences to invoke bold face and italics,
.\" respectively.
\fBsagan\fP is a multi-threaded, real time system- and event-log monitoring
system, but with a twist. Sagan uses a “Snort” like rule set for
detecting malicious events happening on your network and/or computer
systems.
.br
If Sagan detects a potentially bad event, that event can be stored in a
Snort database (MySQL/PostgreSQL), sent to a SIEM tool like Prelude, or
sent by email.
.br
Sagan is meant to be used in a ‘centralized’ logging environment, but will
work fine as part of a standalone Host IDS system for workstations.
.SH OPTIONS
This program follows the usual GNU command line syntax, with long
options starting with two dashes (`-').
A summary of options is included below.
.TP
.B \-h, \-\-help
Show summary of options.
.TP
.B \-d, \-\-debug
Enable debugging.
.TP
.B \-D, \-\-daemon
Make the process a daemon (fork to the background).
.TP
.B \-U, \-\-user
Run as user (defaults to 'sagan').
.TP
.B \-c, \-\-chroot
Chroot to username 'sagan's home.
.TP
.B \-f, \-\-config
Sagan configuration file to load.
.TP
.B \-p, \-\-program
Run Sagan in syslog-ng's 'program' mode.
.SH AUTHOR
sagan was written by Champ Clark III.
.PP
This manual page was written by Pierre Chifflier,
for the Debian project (and may be used by others).
==> debian/compat <==

9

==> debian/copyright <==

Format: http://dep.debian.net/deps/dep5
Upstream-Name: sagan
Source: http://sagan.softwink.com/

Files: *
Copyright: 2009-2010 Softwink, Inc.
           2009-2010 Champ Clark III
License: GPL-2
 This package is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 On Debian systems, the complete text of the GNU General Public
 License version 2 can be found in "/usr/share/common-licenses/GPL-2".

Files: debian/*
Copyright: 2011 Pierre Chifflier
License: GPL-2+
 This package is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 On Debian systems, the complete text of the GNU General Public
 License version 2 can be found in "/usr/share/common-licenses/GPL-2".

# The following files have a different license or copyright :

Files: src/sagan-strlcat.c src/sagan-strlcpy.c
Copyright: 1998 Todd C. Miller
License: ISC
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 .
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

==> debian/postinst <==

#!/bin/sh
set -e

# Create the unprivileged system account the daemon runs as.  It is placed
# in group adm so that it can open the FIFO that rsyslog writes into.
add_sysuser() {
	if ! getent passwd sagan >/dev/null; then
		# stdout is silenced; adduser's error messages still reach the
		# install log, and set -e aborts the script if it fails.
		adduser --system --disabled-login --no-create-home \
			--ingroup adm sagan >/dev/null
	fi
}

add_sysuser
chown sagan:adm /var/log/sagan

#DEBHELPER#

exit 0

==> debian/postrm <==

#!/bin/sh -e

if [ "$1" = "purge" ]
then
	deluser sagan || true
fi

#DEBHELPER#

exit 0

==> debian/sagan.default <==

# Defaults for sagan initscript
# sourced by /etc/init.d/sagan
# installed at /etc/default/sagan by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Additional options that are passed to the Daemon.
DAEMON_OPTS=""
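The following Python script is an added example, not code from the Sagan project or from this Debian package. It parses lines in the format that the rsyslog template in debian/examples/rsyslog.d/sagan.conf writes into Sagan's FIFO, checks the fields that rsyslog itself generates, and compares a FIFO's mode and ownership against what the init script creates (mkfifo -m 0770, chown sagan:adm). The function names, the facility and severity name tables and the sample lines are assumptions made here; the sample lines are constructed and not real log data.

```python
# Added example, not part of Sagan or of this Debian package: parse the
# '|'-delimited lines that the rsyslog template in sagan.conf writes into
# Sagan's FIFO, check the fields rsyslog itself generates, and compare a
# FIFO's mode/ownership with what the init script creates (sagan:adm, 0770).
import datetime
import grp
import ipaddress
import os
import pwd
import stat

# Field order, left to right, as in the $template line of sagan.conf.
FIELDS = ("fromhost_ip", "facility", "priority", "severity", "tag",
          "date", "time", "program", "msg")

# Names rsyslog emits for %syslogfacility-text% and %syslogseverity-text%
# (%syslogpriority-text% is an alias of the severity name).  Assumed here.
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron"} | {"local%d" % i for i in range(8)}
SEVERITIES = {"emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"}


def parse_sagan_line(line):
    # Only the first eight '|' are delimiters: %msg% is the last field and
    # may itself contain '|', so an unbounded split() would shift fields.
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def validate(rec):
    # Facility, severity and both timestamp pieces are produced by rsyslog;
    # tag, program and msg come from the sender and are untrusted text.
    problems = []
    try:
        ipaddress.ip_address(rec["fromhost_ip"])
    except ValueError:
        problems.append("fromhost_ip is not an IP address")
    if rec["facility"] not in FACILITIES:
        problems.append("unknown facility %r" % rec["facility"])
    for key in ("priority", "severity"):
        if rec[key] not in SEVERITIES:
            problems.append("unknown %s %r" % (key, rec[key]))
    # %timegenerated:1:10:date-rfc3339% is YYYY-MM-DD, :12:19: is HH:MM:SS
    try:
        datetime.datetime.strptime(rec["date"] + "T" + rec["time"],
                                   "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        problems.append("bad timestamp %r %r" % (rec["date"], rec["time"]))
    return problems


def fifo_issues(st_mode, owner, group, want_owner="sagan", want_group="adm"):
    # Whoever can open the FIFO for writing can feed Sagan arbitrary events
    # (fromhost_ip included); whoever can read it can drain events before
    # Sagan sees them.  So 'other' must have neither bit.
    issues = []
    if not stat.S_ISFIFO(st_mode):
        issues.append("not a FIFO")
    if st_mode & stat.S_IWOTH:
        issues.append("world-writable: any local user can inject events")
    if st_mode & stat.S_IROTH:
        issues.append("world-readable: any local user can drain events")
    if owner != want_owner:
        issues.append("owner is %s, expected %s" % (owner, want_owner))
    if group != want_group:
        issues.append("group is %s, expected %s" % (group, want_group))
    return issues


def check_fifo(path="/var/run/sagan/sagan.fifo"):
    # Stat the live FIFO (needs the package installed) and report issues.
    st = os.stat(path)
    return fifo_issues(st.st_mode, pwd.getpwuid(st.st_uid).pw_name,
                       grp.getgrgid(st.st_gid).gr_name)


# Constructed sample lines in the template format; not real log data.
SAMPLE_LINES = [
    "127.0.0.1|authpriv|info|info|sshd[1234]:|2011-05-14|07:04:34|sshd|"
    " Accepted publickey for alice from 192.0.2.10 port 5000 ssh2",
    # a '|' inside %msg% must survive intact
    "192.0.2.7|daemon|notice|notice|app:|2011-05-14|07:05:00|app|"
    " user=bob|action=login|result=ok",
    # truncated line with too few fields
    "127.0.0.1|auth|err",
    # bogus source address and an impossible month
    "not-an-ip|auth|err|err|su:|2011-13-01|07:05:01|su| failed",
]


def triage(lines=SAMPLE_LINES):
    # Return (accepted records, [(line, problems), ...] for rejected lines).
    good, bad = [], []
    for line in lines:
        rec = parse_sagan_line(line)
        problems = validate(rec) if rec else ["expected %d fields" % len(FIELDS)]
        if problems:
            bad.append((line, problems))
        else:
            good.append(rec)
    return good, bad
```

Feed real lines to triage(), or call check_fifo() on a host where the package is installed. The msg field is recovered with a bounded split because the delimiter can legitimately occur inside a log message; a consumer that splits on every '|' misattributes fields, which is a cheap way for a noisy or hostile log source to end up with wrong host, program or severity values in whatever matches the rules.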