Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis.
- Developed by Bamm Visscher:
  - tcl/tk (not web-based)
  - Single central MySQL database
For login information, please see the Passwords section.
For information on ways to connect to Sguil/sguild, please see the ConnectingtoSguil section.
- NIDS alerts from Snort/Suricata (if snort_agent is enabled)
- HIDS alerts from OSSEC (if ossec_agent is enabled)
- Pivot to transcript/Wireshark/NetworkMiner by right-clicking the Alert ID.
- Automatically pivot to ASCII transcript by middle-clicking the Alert ID.
- Pivot to Kibana by right-clicking an IP address and choosing Kibana IP Lookup.
Sguil can only utilize 1024 sockets for receiving communication from the various sensor agents (such as ossec_agent, pcap_agent, and snort_agent). Because each agent connection consumes a socket, keep this limit in mind when deciding how many sensors and sniffing interfaces you connect to the master server and access through Sguil.
For more information, please see https://groups.google.com/d/msg/security-onion/DJ5NTLEu5MY/-tDQi_1eDQAJ.
- You can resize columns by right-clicking on the column heading in the Sguil client.
- You can change fonts by clicking Change Font from within the Sguil client.
Sguil client settings are stored in
- You can enable “Show Rule”, “Show Packet Data”, and “Display Detail” (respectively) by setting the following (also see https://groups.google.com/d/topic/security-onion/MJaAlxgpMvU/discussion):
  set SHOWRULE 1
  set PACKETINFO 1
  set DISPLAY_GENERIC 1
You can separate realtime alerts into separate panes, based on severity level, by editing
  #Number of RealTime Event Panes
  #set RTPANES 1
  set RTPANES 3
  # Specify which priority events go into what pane
  # According to the latest classification.config from snort,
  # there are only 4 priorities. The sguil spp_portscan mod
  # uses a priority of 5.
  #set RTPANE_PRIORITY(0) "1 2 3 4 5"
  set RTPANE_PRIORITY(0) "1"
  set RTPANE_PRIORITY(1) "2 3"
  set RTPANE_PRIORITY(2) "4 5"
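As an added example (not part of the Security Onion documentation or of Sguil itself), the following Python reads the RTPANES stanza above and reports which real-time pane a given Snort priority lands in, flagging any priority that would be displayed in no pane or in two panes. SAMPLE_CONF is a constructed copy of that stanza, and the fallback of treating a missing RTPANES as 1 pane is an assumption of this example.

```python
import re

# Constructed sample: the RTPANES stanza from the page, in sguil.conf's Tcl 'set' syntax.
SAMPLE_CONF = """\
#Number of RealTime Event Panes
#set RTPANES 1
set RTPANES 3
# Specify which priority events go into what pane
#set RTPANE_PRIORITY(0) "1 2 3 4 5"
set RTPANE_PRIORITY(0) "1"
set RTPANE_PRIORITY(1) "2 3"
set RTPANE_PRIORITY(2) "4 5"
"""

# Matches lines such as:  set RTPANES 3   /   set RTPANE_PRIORITY(1) "2 3"
_SET_RE = re.compile(r'^\s*set\s+(\w+)(?:\((\d+)\))?\s+"?([^"#]*?)"?\s*$')


def parse_rtpanes(conf_text):
    """Return (pane_count, {pane_index: set(priorities)}); '#' lines are comments."""
    panes, priorities = 1, {}  # 1 pane if RTPANES is absent (assumed default)
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out defaults such as '#set RTPANES 1' are inert
        m = _SET_RE.match(line)
        if not m:
            continue
        name, idx, value = m.groups()
        if name == "RTPANES":
            panes = int(value)
        elif name == "RTPANE_PRIORITY" and idx is not None:
            priorities[int(idx)] = {int(p) for p in value.split()}
    return panes, priorities


def pane_for_priority(priority, conf_text=SAMPLE_CONF):
    """Index of the pane that shows alerts of this priority, or None if unmapped."""
    panes, priorities = parse_rtpanes(conf_text)
    for idx in range(panes):
        if priority in priorities.get(idx, set()):
            return idx
    return None


def check_rtpanes(conf_text=SAMPLE_CONF, known=(1, 2, 3, 4, 5)):
    """List problems: a pane defined past RTPANES, or a priority shown in != 1 pane."""
    panes, priorities = parse_rtpanes(conf_text)
    problems = [f"pane {i} is defined but RTPANES is {panes}" for i in priorities if i >= panes]
    for p in known:
        hits = [i for i in range(panes) if p in priorities.get(i, set())]
        if len(hits) != 1:
            problems.append(f"priority {p} appears in {len(hits)} panes")
    return problems
```

Run check_rtpanes() against your own sguil.conf before restarting the client; an alert whose priority maps to no pane is silently absent from the realtime view.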
Previously, when pivoting to transcript, the Sguil server would perform DNS lookups on the source and destination IP addresses. That default has since been changed to increase performance and avoid unnecessary information leakage. If you would like to re-enable DNS lookups, you can set the following in
set TRANSCRIPT_DNS_LOOKUP 1