Sguil
Sguil (pronounced sgweel or squeal) is a collection of free software components for Network Security Monitoring (NSM) and event-driven analysis of IDS alerts.<ref name="NHS"/> The Sguil client is written in Tcl/Tk<ref name="RJ1"/><ref name="NHS"/> and can be run on any operating system that supports them. Sguil integrates alert data from Snort, session data from SANCP, and full content data from a second instance of Snort running in packet logger mode.
Sguil is an implementation of a Network Security Monitoring system. NSM is defined as "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."
Sguil is released under the GPL 3.0.<ref>README file in the tarball</ref>
Tools that make up Sguil

| Tool | Purpose |
|---|---|
| MySQL 4.x or 5.x | Data storage and retrieval |
| Snort 2.x / Suricata | Intrusion detection alerts, scan detection, packet logging |
| Barnyard / Barnyard2 | Decodes IDS alerts and sends them to Sguil |
| SANCP | TCP/IP session records |
| Tcpflow | Extracts an ASCII dump of a given TCP session |
| p0f | Operating system fingerprinting |
| tcpdump | Extracts individual sessions from packet logs |
| Wireshark | Packet analysis tool (formerly called Ethereal) |

<ref name="CoxGerg"/>
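The three data layers described above (alert, session, full content) are useful only because an analyst can pivot from one to the next. The following Python script, added here as an illustration and not taken from Sguil or any of the tools in the table, shows that pivot in miniature: a Snort-style alert line is matched to a SANCP-style session record, the session is mapped onto the packet-logger files that cover its time window, and a BPF filter is produced that tcpdump or tcpflow could apply to those files to extract just that session. All alert text, session records, log file paths and the `snort.log.<epoch>` naming convention are constructed for this example.

```python
"""Alert -> session -> full-content pivot, in the style of an NSM console.

Constructed, self-contained example; not Sguil's code. Timestamps are UTC.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Session:
    """SANCP-style flow record: one 5-tuple with a time window and byte counts."""
    start: datetime
    end: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_bytes: int
    dst_bytes: int


@dataclass(frozen=True)
class PacketLog:
    """One packet-logger file covering [start, end); end is None for the newest file."""
    path: str
    start: datetime
    end: Optional[datetime]


# Simplified regex for a Snort "fast"-style alert line (constructed for this example).
# That layout carries no year, so the caller supplies it.
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line: str, year: int) -> Alert:
    m = FAST_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ts = datetime.strptime(f"{year}/{m['date']}-{m['time']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(ts.replace(tzinfo=UTC), int(m["sid"]), m["msg"], m["proto"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_session(alert: Alert, sessions: List[Session]) -> Optional[Session]:
    """Session whose 5-tuple (in either direction) and time window contain the alert."""
    fwd = (alert.src_ip, alert.src_port, alert.dst_ip, alert.dst_port)
    rev = (alert.dst_ip, alert.dst_port, alert.src_ip, alert.src_port)
    for s in sessions:
        tup = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        if s.proto == alert.proto and tup in (fwd, rev) and s.start <= alert.ts <= s.end:
            return s
    return None


def index_packet_logs(paths: List[str]) -> List[PacketLog]:
    """Time index for files named snort.log.<epoch>; each covers until the next one starts."""
    starts = sorted((int(p.rsplit(".", 1)[1]), p) for p in paths)
    logs = []
    for i, (epoch, p) in enumerate(starts):
        end = datetime.fromtimestamp(starts[i + 1][0], UTC) if i + 1 < len(starts) else None
        logs.append(PacketLog(p, datetime.fromtimestamp(epoch, UTC), end))
    return logs


def logs_for_session(session: Session, logs: List[PacketLog]) -> List[str]:
    """All files whose coverage overlaps the session (a session can straddle a file boundary)."""
    return [l.path for l in logs
            if l.start <= session.end and (l.end is None or l.end > session.start)]


def session_filter(session: Session) -> str:
    """BPF expression selecting only this session, for tcpdump -r <file> or tcpflow -r <file>."""
    return (f"{session.proto.lower()} and host {session.src_ip} and host {session.dst_ip}"
            f" and port {session.src_port} and port {session.dst_port}")


def pivot(alert_line: str, year: int, sessions: List[Session], log_paths: List[str]) -> dict:
    alert = parse_fast_alert(alert_line, year)
    session = find_session(alert, sessions)
    if session is None:
        return {"alert": alert, "session": None, "logs": [], "filter": None}
    logs = logs_for_session(session, index_packet_logs(log_paths))
    return {"alert": alert, "session": session, "logs": logs, "filter": session_filter(session)}


# Constructed sample data: a local-rule alert (sid in the local range), three session
# records and three hypothetical log files starting 10:00, 10:30 and 11:00 UTC.
ALERT_LINE = ("03/14-10:22:31.123456  [**] [1:1000001:1] LOCAL constructed test alert [**] "
              "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
              "192.0.2.10:80 -> 10.0.0.5:44321")


def _t(hms: str) -> datetime:
    return datetime(2024, 3, 14, *map(int, hms.split(":")), tzinfo=UTC)


SESSIONS = [
    Session(_t("10:22:30"), _t("10:22:33"), "TCP", "10.0.0.5", 44321, "192.0.2.10", 80, 412, 1873),
    Session(_t("10:29:58"), _t("10:30:04"), "TCP", "10.0.0.5", 44322, "192.0.2.10", 80, 380, 2200),
    Session(_t("10:22:31"), _t("10:22:31"), "UDP", "10.0.0.5", 53001, "192.0.2.53", 53, 60, 120),
]
LOG_PATHS = [
    "/nsm/sensor1/dailylogs/2024-03-14/snort.log.1710412200",
    "/nsm/sensor1/dailylogs/2024-03-14/snort.log.1710410400",
    "/nsm/sensor1/dailylogs/2024-03-14/snort.log.1710414000",
]

if __name__ == "__main__":
    result = pivot(ALERT_LINE, 2024, SESSIONS, LOG_PATHS)
    print(result["session"])
    print(result["logs"])
    print(result["filter"])
```

Two details matter in practice and are reflected above: the alert's source and destination are the server's view (the IDS fired on the response), so matching must accept the reversed 5-tuple, and a session that crosses a log rotation boundary needs both files, which is why the lookup returns every overlapping file rather than the first.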
See also
- Sagan
- Intrusion detection system (IDS)
- Intrusion prevention system (IPS)
- Network intrusion detection system (NIDS)
- Metasploit Project
- nmap
- Host-based intrusion detection system comparison