Sagan User Guide
- 1. What is Sagan?
- 2. Installation
- 3. Compiling Sagan
- 4. Command Line Option
- 5. Syslog Configuration
- 6. Sagan Configuration
- 7. vars
- 8. sagan-core
- 9. processors
- 10. outputs
- 11. rule-files
- 12. Rule syntax
- 13. Rule Keywords
- 13.1. after
- 13.2. alert_time
- 13.3. append_program
- 13.4. blacklist
- 13.5. bluedot
- 13.6. classtype
- 13.7. content
- 13.8. country_code
- 13.9. default_proto
- 13.10. default_dst_port
- 13.11. default_src_port
- 13.12. depth
- 13.13. distance
- 13.14. dynamic_load
- 13.15. email
- 13.16. event_id
- 13.17. external
- 13.18. syslog_facility
- 13.19. flexbits
- 13.20. flexbits_pause
- 13.21. json_content
- 13.22. json_contains
- 13.23. json_decode_base64
- 13.24. json_decode_base64_pcre
- 13.25. json_decode_base64_meta
- 13.26. json_nocase
- 13.27. json_pcre
- 13.28. json_meta_content
- 13.29. json_meta_nocase
- 13.30. json_meta_contains
- 13.31. syslog_level
- 13.32. meta_content
- 13.33. meta_depth
- 13.34. meta_distance
- 13.35. meta_offset
- 13.36. meta_nocase
- 13.37. meta_within
- 13.38. msg
- 13.39. nocase
- 13.40. normalize
- 13.41. offset
- 13.42. parse_dst_ip
- 13.43. parse_port
- 13.44. parse_proto
- 13.45. parse_proto_program
- 13.46. parse_hash
- 13.47. parse_src_ip
- 13.48. pcre
- 13.49. priority
- 13.50. program
- 13.51. reference
- 13.52. rev
- 13.53. sid
- 13.54. syslog_tag
- 13.55. threshold
- 13.56. within
- 13.57. xbits
- 13.58. xbits_pause
- 13.59. xbits_upause
- 13.60. zeek-intel
- 14. Sagan Peek
- 15. Sagan & JSON
- 16. Journald
- 17. High Performance Considerations
- 18. Contributing & Coding Style
- 19. Sagan Blogs
- 20. Articles about Sagan
- 21. Getting help
- 22. TODO