Sguil (pronounced sgweel or squeal) is a collection of free software components for Network Security Monitoring (NSM) and event-driven analysis of IDS alerts. The Sguil client is written in Tcl/Tk and can be run on any operating system that supports them. Sguil integrates alert data from Snort, session data from SANCP, and full content data from a second instance of Snort running in packet logger mode, so that an analyst can pivot from an alert to the session record and the raw packets behind it.
Original author(s): Bamm Visscher, Steve Halligan
Release: 0.9.0 / March 28, 2014
Type: Network Security Monitoring
Sguil is an implementation of a Network Security Monitoring system. NSM is defined by Richard Bejtlich as the "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
Sguil is released under the GPL 3.0.
Tools that make up Sguil
- MySQL 4.x or 5.x: data storage and retrieval
- Snort 2.x / Suricata: intrusion detection alerts, scan detection, packet logging
- Barnyard / Barnyard2: decodes IDS alerts and sends them to Sguil
- SANCP: TCP/IP session records
- Tcpflow: extracts an ASCII dump of a given TCP session
- p0f: operating system fingerprinting
- tcpdump: extracts individual sessions from packet logs
- Wireshark: packet analysis tool (formerly called Ethereal)
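The pivot described above, from a session record to the raw packets and then to a reassembled stream, is the core of the NSM workflow that SANCP, tcpdump and tcpflow provide to Sguil. The following is an added example, not code from the Sguil project: it builds a small constructed pcap in memory, aggregates it into SANCP-style bidirectional session records, and then carves one session out of the packet log and reassembles each direction by sequence number (dropping a retransmitted segment), which is what Sguil's pcap_agent plus tcpflow do on a real sensor. The addresses, ports, timestamps and HTTP payloads are made up for the example; the parser handles only little-endian pcap with Ethernet/IPv4/TCP and does not pad sequence gaps.

```python
"""Session records and full-content carving from a packet log (added example)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def build_tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    eth = bytes(12) + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames, base_ts=1400000000):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):  # one packet per second, for readable timestamps
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample packet log: one HTTP session (with a retransmission) plus noise.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, 40001, SERVER, 80, 1000, 0, 0x02),                         # SYN
    build_tcp_frame(SERVER, 80, CLIENT, 40001, 5000, 1001, 0x12),                      # SYN/ACK
    build_tcp_frame(CLIENT, 40001, SERVER, 80, 1001, 5001, 0x18, b"GET / HTTP/1.0\r\n"),
    build_tcp_frame("203.0.113.7", 5555, SERVER, 80, 1, 0, 0x02),                      # unrelated
    build_tcp_frame(CLIENT, 40001, SERVER, 80, 1017, 5001, 0x18, b"Host: example\r\n\r\n"),
    build_tcp_frame(CLIENT, 40001, SERVER, 80, 1001, 5001, 0x18, b"GET / HTTP/1.0\r\n"),  # retransmit
    build_tcp_frame(SERVER, 80, CLIENT, 40001, 5001, 1034, 0x18, b"HTTP/1.0 200 OK\r\n"),
    build_tcp_frame(CLIENT, 40001, SERVER, 80, 1034, 5018, 0x11),                      # FIN/ACK
])


def iter_records(pcap):
    """Yield (timestamp, frame) from a little-endian libpcap byte string."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian pcap is handled in this example")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP fields; return None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl
    sport, dport, seq, ack = struct.unpack("!HHII", frame[t:t + 12])
    data_off = (frame[t + 12] >> 4) * 4
    return dict(src=socket.inet_ntoa(frame[26:30]), sport=sport,
                dst=socket.inet_ntoa(frame[30:34]), dport=dport, seq=seq, ack=ack,
                flags=frame[t + 13], payload=frame[t + data_off:14 + total_len])


def session_records(pcap):
    """Aggregate packets into bidirectional flow records in the spirit of SANCP:
    the first packet seen defines the source side; counts, bytes and OR-ed flags follow."""
    flows = {}
    for ts, frame in iter_records(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        rec = flows.setdefault(key, dict(src=p["src"], sport=p["sport"], dst=p["dst"],
                                         dport=p["dport"], start=ts, end=ts, flags=0,
                                         src_pkts=0, src_bytes=0, dst_pkts=0, dst_bytes=0))
        side = "src" if (p["src"], p["sport"]) == (rec["src"], rec["sport"]) else "dst"
        rec[side + "_pkts"] += 1
        rec[side + "_bytes"] += len(p["payload"])
        rec["end"], rec["flags"] = ts, rec["flags"] | p["flags"]
    return list(flows.values())


def carve_session(pcap, src, sport, dst, dport):
    """Select one session's packets in both directions (the BPF-style filter a
    pcap_agent would apply) and reassemble each direction by sequence number,
    keeping only new bytes from overlapping or retransmitted segments (tcpflow-like)."""
    ends = {(src, sport), (dst, dport)}
    segments = defaultdict(dict)  # direction -> {seq: payload}; first copy of a seq wins
    for _, frame in iter_records(pcap):
        p = parse_tcp(frame)
        if p and p["payload"] and {(p["src"], p["sport"]), (p["dst"], p["dport"])} == ends:
            segments[(p["src"], p["sport"])].setdefault(p["seq"], p["payload"])
    streams = {}
    for direction, segs in segments.items():
        buf, expected = b"", min(segs)
        for seq in sorted(segs):
            buf += segs[seq][max(0, expected - seq):]  # skip bytes already reassembled
            expected = max(expected, seq + len(segs[seq]))
        streams[direction] = buf
    return streams


if __name__ == "__main__":
    for rec in session_records(SAMPLE_PCAP):
        print(rec)
    for direction, data in carve_session(SAMPLE_PCAP, CLIENT, 40001, SERVER, 80).items():
        print(direction, data)
```

On a real sensor the pcap would come from the Snort packet-logger instance and the filter from the session record an analyst selected in the Sguil client; the carving logic is the same, only the input differs.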
- Sguil downloads
- Lockhart, Andrew (9 November 2006). "11: Network Intrusion Detection". Network Security Hacks (2nd ed.). O'Reilly Media. ISBN 978-0596527631. Hack 108 - Monitor Your IDS in Real Time - Use Sguil's advanced GUI to monitor and analyze IDS events in a timely manner.
- Bejtlich, Richard (5 August 2013). "8.2 Using sguil". The Practice of Network Security Monitoring: Understanding Incident Detection and Response (1st ed.). No Starch Press. ISBN 978-1593275099.
- README file in the tarball
- Cox, Kerry; Gerg, Christopher (February 2009). "13: Strategies for High-Bandwidth Implementations of Snort". Managing Security with Snort & IDS Tools - Intrusion Detection with Open Source Tools. O'Reilly Media. p. 223. ISBN 978-0596006617. Sguil: An alternative Management Console.