Sguil
From Wikipedia, the free encyclopedia
Stable release
0.9.0[1]
/ April 4, 2014
| Sguil | |
|---|---|
| Original author | Bamm Visscher, Steve Halligan |
| Stable release | 0.9.0[1]
/ April 4, 2014 |
| Written in | Tcl/Tk |
| Operating system | Cross-platform |
| Type | Network Security Monitoring |
| License | GPLv3 |
| Website | sguil |
Sguil (pronounced sgweel or squeal) is a collection of free software components for Network Security Monitoring (NSM) and event driven analysis of IDS alerts.[2] The sguil client is written in Tcl/Tk[3][2] and can be run on any operating system that supports these. Sguil integrates alert data from Snort, session data from SANCP, and full content data from a second instance of Snort running in packet logger mode.
Sguil is an implementation of a Network Security Monitoring system. NSM is defined as "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
Sguil is released under the GPL 3.0.[4]
| Tool | Purpose |
|---|---|
| MySQL 4.x or 5.x | Data storage and retrieval |
| Snort 2.x / Suricata | Intrusion detection alerts, scan detection, packet logging |
| Barnyard / Barnyard2 | Decodes IDS alerts and sends them to sguil |
| SANCP | TCP/IP session records |
| Tcpflow | Extract an ASCII dump of a given TCP session |
| p0f | Operating system fingerprinting |
| tcpdump | Extracts individual sessions from packet logs |
| Wireshark | Packet analysis tool (used to be called Ethereal) |
