Comments on: Sguil - Intuitive GUI for Network Security Monitoring with Snort

By: Torvaun

Torvaun — Tue, 05 Jun 2007 07:54:13 +0000

Ooh, new toy to play with, on company time no less. Will review and report back later.

By: Darknet

Darknet — Sun, 03 Jun 2007 09:43:57 +0000

mubix: I’d echo what Hanashi said, you are better off configuring your sensors properly so they don’t generate the alert rather than filtering it out in the results. It’s pretty easy to setup and I do like it, I tend to use the web-based systems more though as I find them more portable (I can access from anywhere).

Hanashi: Will add the source link in when your FAQ is back up. I don’t tend to link source for tool/software posts at it can be assumed the text is from the site being linked to. Cheers!

By: Hanashi

Hanashi — Fri, 01 Jun 2007 17:46:10 +0000

mubix, NSMWiki, the official Sguil wiki, has a section for Installation and HOWTO guides. You’ll find some pretty detailed instructions, which should take some of the pain out of it. If you’re on RHEL, you can even use InstantNSM to automate most of the install.

And yes, you can configure sguil to ignore alerts like that, but it’s probably better to tune Snort itself so that they are never generated in the first place.

BTW, most of the text in this article was cribbed from the Sguil FAQ. Thanks to the Darknet folks for promoting sguil, just please remember to cite your source next time.

By: mubix

mubix — Fri, 01 Jun 2007 15:31:58 +0000

The people from SQUIL gave a talk at ShmooCon 06 and I was quite impressed with it then, but I never had the time to dedicate to get it working. Dark, have you gotten it working and, if so, do you like it? Does it have Snort configuration options? Can I tell it to ignore the very annoying “DOUBLE DECODING ATTACK” alert?