11. Rule syntax¶
Sagan rule syntax is very similar to that of Suricata <https://suricata-ids.org>_ or Snort . This is was intentionally done to maintain compatibility with rule management software like
pulledpork and allows Sagan to correlate log events with your Snort/Suricata IDS/IPS system.
This also means that if you are already familiar with signature writing in Suricata and Snort, you already understand the Sagan syntax!
To understand the basic Sagan rule syntax, we will be using the following simple rule. This section of the
Sagan user guide only covers up to the first rule option. That is, this section will cover up to the
msg portion of this rule only. The rest of the rule is considered
Basic Sagan rule:
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of disk space"; pcre: "/file system full|No space left on device/i"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000116; sid:5000116; rev:2;)
This informs Sagan how to flag the event. Valid options are
Valid options for this field are
icmp. In most cases, you will
likely want to specify
any. The protocal is determined by the
This informs Sagan where the source IP address or addresses must be coming from in order to trigger. By
default the variable
$EXTERAL_NET is used. This is set in the
sagan.yaml configurations file and
any. most cases, “any” (any source) is what you want. In other cases,
you might want the signature to trigger when it is from a particular host. For example:
Makes Sagan only trigger if the source of the event is from the address 192.168.1.1 (/32 is automatically assumed). You can also apply multiple networks. For example:
Is valid and will only trigger if the network address is within 192.168.1.0/24 or 10.0.0.0/24. You can also apply not logic to the addresses. For example.
This will only trigger when the IP address is not 192.168.1.1.
This filed is populated by whatever the source IP address within the log might be. For example, if the
normalize (see rule options), then the syslog source is adopted.
normalize rule option is used, then data (if any) that is extracted from the
log is used.
any is the source port. If the
default_src_port rule option is used, it will be applied here. This can be useful in filtering out certain subnets or syslog clients.
This would be the direction. From the $EXTERNAL_NET
This works similarly to how $EXTERNAL_NET functions. Rather than being the source of the traffic, this is
the destination of the traffic. Like $EXTERNAL_NET, this is set in the
sagan.yaml configuration file
and defaults to
any. Also like the $EXTERNAL_NET, network CIDR notation can be used ( ie - 192.168.1.0).
Data from this is populated by the
normalize rule options.
The final rule option is the destination port. If the
default_dst_port rule option is used, it will be applied here. This can be useful in filtering out events from certain subnets.