[Snort-users] Tcl/tk Analysis Interface for Snort

Bamm Visscher bamm at ...539...
Mon Jan 13 13:52:05 EST 2003

I posted this to snort-devel about a month ago. A good four people have
now successfully installed the sguil client on different platforms
(Linux, OpenBSD, and Win2k), so it must be ready for prime time
</sarcasm>. Beware, sguil is still considered "beta" and the
installation requires the addition/modification of plugins/code not
included with the standard snort and barnyard releases.  If you have
comments, suggestions, or need help with the installation, I can be
contacted via email or in #snort-gui on irc.freenode.net.

Quick description:
Sguil consists of three main components, a plugin to barnyard (op_sguil),
a GUI server (sguild), and a GUI client (sguil.tk). Once installed, these
components allow the analyst to view snort events in near real time.
Events can be validated by placing them into one of seven incident
categories or marking the event as having no further action required
(NA). These actions remove the events from the RealTime tab of all the
connected clients, but the events are not deleted from the database. Archived events
can easily be retrieved from the database through preformatted queries,
or the analyst can create a custom query using SQL. Also included in the
sguil package is a modified portscan preprocessor (spp_portscan) and a
tcl script (portscan_loader.tcl) for loading the modified spp_portscan
output into the database. These two components give the analyst
immediate access to portscan data. The final components are for
analyzing the raw data associated with a given session. Xscriptd is a
daemon that listens for requests from sguil.tk and, once queried, it
parses raw tcpdump files for packets matching the requested session and
either feeds the stream through tcpflow creating a transcript or sends
the binary data back to the client to be loaded into ethereal.

Currently, sguil does not have any sensor or rule management
capabilities. I hope to work on those features once the event management
interface is a little more mature.

More info and downloads are available at the link below. Be gentle.
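The session-extraction step that xscriptd performs on raw tcpdump files, as an added illustration that is not part of sguil or of this post: it walks a pcap, keeps only the TCP packets of one session (both directions) and returns the payloads in capture order, the raw material a tcpflow-style transcript is built from. The capture is constructed in the block itself (zero MACs and checksums, linktype 1 only); the function names and the sample addresses are assumptions.

```python
import struct
from ipaddress import ip_address

def frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (only parsing is exercised)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800

def pcap(frames, t0=1042000000):
    """Constructed pcap file: little-endian magic, version 2.4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out

def session_transcript(data, client, cport, server, sport):
    """Walk a pcap, keep only TCP packets of one session (both directions) and
    return (timestamp, direction, payload) tuples, the raw material of a transcript."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    want = {(client, cport, server, sport), (server, sport, client, cport)}
    out, off = [], 24
    while off + 16 <= len(data):
        sec, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        total = struct.unpack("!H", pkt[16:18])[0]
        src, dst = str(ip_address(pkt[26:30])), str(ip_address(pkt[30:34]))
        tcp = pkt[14 + ihl:14 + total]
        sp, dp = struct.unpack("!HH", tcp[:4])
        if (src, sp, dst, dp) not in want:
            continue  # packet belongs to another session
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:  # pure ACKs and handshake packets carry nothing to transcribe
            out.append((sec, "CLIENT" if (src, sp) == (client, cport) else "SERVER", payload))
    return out

if __name__ == "__main__":
    cap = pcap([frame("10.0.0.5", 40000, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
                frame("192.0.2.10", 80, "10.0.0.5", 40000, b"HTTP/1.0 200 OK\r\n")])
    for sec, who, payload in session_transcript(cap, "10.0.0.5", 40000, "192.0.2.10", 80):
        print(sec, who, payload.decode(errors="replace").rstrip())
```

Feeding the returned payloads, grouped by direction, to tcpflow or writing the matching frames back out as a pcap for ethereal is the remaining step xscriptd performs.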
