[Snort-users] Base vs. Acid

Richard Bejtlich taosecurity at ...11827...
Fri Nov 26 20:35:13 EST 2004

Stef wrote:

> Could someone explain to me the exact needs being addressed by either,
> from an Intrusion Analyst point of view, when having at one's disposal Sguil?
> http://www.informit.com/articles/article.asp?p=350390
> Stef

Hi Stef,

I am the author of the book from which that Informit.com story was
derived. [0]  I did not invent the title "Why Sguil Is the Best Option
for Network Security Monitoring Data."  I guess the original title of
chapter 10, "Alert Data: NSM Using Sguil" wasn't cool enough for
Informit.com.  :)

Here are five reasons why Sguil is different from ACID, BASE, and
similar products:

1.  Sguil is a real-time interface to Snort alerts (and more).  Sguil
is not used with a Web browser.  As Snort generates alerts, they
appear in near-real-time (generally within a second or two) within a
Tcl/Tk interface.  Contrary to the reporting in O'Reilly's "Managing
Snort and IDS Tools," which says "the only way to get a remote client
to connect to a central server is by using an exported X-session" --
Sguil is natively client-server and does NOT need to export X
sessions. [1]

2.  Sguil is a Snort alert management system with integrated analyst
accountability features.  Users are not expected to passively let
Snort pump alerts into the Sguil display for days and days.  Analysts
investigating security incidents using Sguil have the option to
classify Snort events with a range of categories (I through VII,
derived from the incident categories we used in the USAF).  [2]  When
an analyst categorizes a Snort alert, it is marked in our database
with the category, the analyst's login, a timestamp, and an optional
comment.  This accountability feature allows higher tier analysts to
quality-review the work of lower tier analysts.  For post-event
investigations, analysts can query by category (say Cat VI --
reconnaissance) to see all activity of a certain type.  They don't
need to string together a possible set of Snort alert messages and
query by those parameters.

3.  Sguil offers growing alert handling capabilities.  If an alert
arrives that meets a type of your choosing, Sguil can email you
selected alert details.  If you want Snort to alert on certain types
of activity, you can let Sguil auto-categorize the Snort alerts.  For
example, you could tell Sguil to always mark SQL Slammer events as Cat
IIIs (attempted compromise).  If a lower tier analyst doesn't know how
to categorize an alert upon first review, she can escalate that alert
to a new Sguil section reserved for higher tier review.  (This is
Sguil's "Escalated" tab.)  This feature facilitates a multi-tiered
analysis process where lower tier analysts deal with front-line alerts
and more senior analysts deal with the more interesting alerts.

4. Sguil is built to minimize "window management," "form management,"
and other non-analytical tasks.  Anyone who's used the interface from
a large IDS company in Atlanta knows what I mean.  The more time an
analyst spends clicking through drill-down menus or moving around
windows, the less time she spends investigating incidents.  Querying
the Sguil database can be done with pre-built queries, a query
builder, or via raw, hand-built SQL statements.  Sguil can be as
flexible as the analyst using it.

5.  Most importantly, Sguil is not limited to investigating events
using Snort alert data alone.  Sguil is the analyst console for
Network Security Monitoring (NSM).  NSM is the collection, analysis,
and escalation of indications and warning to detect and respond to
intrusions.  Snort alerts are one form of NSM data; the others are
session data, full content data, and statistical data.  Sguil collects
session data by integrating with SANCP, allowing analysts to collect
summaries of conversations (or flows) between hosts, COMPLETELY
INDEPENDENT of whether or not Snort generated an alert.  [3]  Sguil
also collects full content data (libpcap traffic) COMPLETELY
INDEPENDENT of whether or not Snort generated an alert.

Sounds great, right?  Here's what Sguil is not:

1.  Sguil is not easy to install.  Sguil 0.5.3 will arrive soon, but
we have lots of work to do to ease installation prior to 1.0.  Since
Sguil is mostly written in Tcl/Tk, your host OS needs a variety of
libraries that sometimes aren't installed by default.  My install
guide (tested on FreeBSD) addresses all of these issues.  [4]  Newbies
worried about installation but looking to start using IDSs should
start by sending their Snort alerts to a text file.  (That would
reduce the "no alerts in ACID database" messages to snort-users!)

2.  Sguil is not a SIM or SEM product.  We don't take in syslog, NT
event logs, other host-based data, firewall logs, whatever.  Sguil
collects the NSM data we've found to be most useful for detecting and
responding to incidents.  Sguil has been deployed to investigate
intrusions in some very interesting locations, and has been used to
identify and resolve issues using the alert, session, and full content
data Sguil collects -- independent of router logs, etc.

3.  Sguil is not an IPS (aka a layer-7 firewall).  If we said Sguil
was an IPS, we might get more attention.  The Sguil devs believe
detection and prevention are separate security layers that should be
provided by separate devices and processes.  [5]  Still, we are
working with Frank Knobbe to integrate SnortSam.  In the future
analysts could right-click on an IP and shun it.  We
haven't experimented with the new snort-inline functions of Snort 2.3
but they should work by default, as they are part of Snort itself.

If you have any questions about Sguil or need help with installation,
visit us in IRC at irc.freenode.net, #snort-gui.  I also recommend
reading the aforementioned book chapter or checking out the Sguil
Flash demo.  [6]

[0] The Tao of Network Security Monitoring: Beyond Intrusion Detection
(Addison-Wesley, 2005) http://www.taosecurity.com/books.html
[1] http://www.mcabee.org/lists/snort-users/Sep-04/msg00588.html
[2] http://sguil.sourceforge.net/index.php?page=incident_categories
[3] http://www.metre.net/sancp.html
[4] http://sguil.sourceforge.net/sguil_guide_latest.txt
[5] Considering Convergence?  http://www.taosecurity.com/publications.html
[6] http://sguil.sourceforge.net/index.php?page=flashdemo
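Points 2, 3 and 5 of the message above describe an analyst workflow rather than code: alerts are categorized with the analyst's login, a timestamp and a comment; some categories are applied automatically by signature; unclear alerts are escalated; and session data is queried by host independently of whether any alert fired. The following is an added, self-contained illustration of that workflow, written for this page and not code from Sguil or from the post's author. The Snort "fast" alert lines and the pipe-delimited flow records are constructed samples (the flow format is a simplification, not SANCP's real output), the category table lists only the two categories the post names, and the SID-to-category rule and the `Console` class are hypothetical.

```python
"""Toy NSM console: Snort alerts + flow records with analyst accountability."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Only the categories named in the post; the full Cat I-VII list is in [2].
CATEGORIES = {"III": "Attempted compromise", "VI": "Reconnaissance"}

# Hypothetical auto-categorization rule keyed by Snort SID
# (assumption: sid 2003 is the Slammer signature in the sample alerts).
AUTO_RULES = {2003: "III"}

# Snort "fast" alert format; ports are optional because ICMP alerts lack them.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    "11/26-20:35:13.100000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.1.10:1434",
    "11/26-20:35:14.200000  [**] [1:469:3] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.7 -> 192.168.1.10",
    "11/26-20:36:01.300000  [**] [1:1000001:1] LOCAL suspicious HTTP request [**] "
    "[Classification: Unknown] [Priority: 3] {TCP} 10.1.1.9:51234 -> 192.168.1.20:80",
]

# Constructed flow records: start|proto|src|sport|dst|dport|src_bytes|dst_bytes.
# The third flow has no matching alert at all, which is the point of session data.
SAMPLE_FLOWS = [
    "2004-11-26 20:35:13|UDP|10.1.1.5|1434|192.168.1.10|1434|404|0",
    "2004-11-26 20:35:14|ICMP|10.1.1.7|0|192.168.1.10|0|64|64",
    "2004-11-26 20:33:40|TCP|192.168.1.10|3922|10.1.1.99|6667|2200|9100",
    "2004-11-26 20:36:01|TCP|10.1.1.9|51234|192.168.1.20|80|512|15000",
]


@dataclass
class Alert:
    aid: int
    ts: str
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    category: Optional[str] = None      # Roman numeral from CATEGORIES, or None
    analyst: Optional[str] = None       # login of whoever classified/escalated it
    classified_at: Optional[str] = None
    comment: str = ""
    escalated: bool = False


@dataclass
class Flow:
    start: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    src_bytes: int
    dst_bytes: int


def parse_alert(aid: int, line: str) -> Alert:
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    return Alert(aid, m["ts"], int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"])


def parse_flow(line: str) -> Flow:
    start, proto, src, sport, dst, dport, sb, db = line.split("|")
    return Flow(start, proto, src, int(sport), dst, int(dport), int(sb), int(db))


class Console:
    """Holds alerts and flows; every classification records who did it and when."""

    def __init__(self) -> None:
        self.alerts: List[Alert] = []
        self.flows: List[Flow] = []

    def ingest_alert(self, line: str, now: Optional[datetime] = None) -> Alert:
        a = parse_alert(len(self.alerts) + 1, line)
        self.alerts.append(a)
        auto = AUTO_RULES.get(a.sid)           # auto-categorize by SID, if a rule exists
        if auto:
            self.categorize(a.aid, auto, "autocat", "auto-categorized by SID rule", now)
        return a

    def categorize(self, aid: int, category: str, analyst: str,
                   comment: str = "", now: Optional[datetime] = None) -> Alert:
        if category not in CATEGORIES:
            raise ValueError("unknown category %r" % category)
        a = self.alerts[aid - 1]
        a.category, a.analyst, a.comment = category, analyst, comment
        a.classified_at = (now or datetime.now(timezone.utc)).isoformat()
        a.escalated = False                    # classifying resolves an escalation
        return a

    def escalate(self, aid: int, analyst: str) -> Alert:
        a = self.alerts[aid - 1]
        a.escalated, a.analyst = True, analyst
        return a

    def by_category(self, category: str) -> List[Alert]:
        return [a for a in self.alerts if a.category == category]

    def escalated(self) -> List[Alert]:
        return [a for a in self.alerts if a.escalated]

    def sessions_for_host(self, ip: str) -> List[Flow]:
        """All flows touching ip, whether or not Snort alerted on them."""
        return [f for f in self.flows if ip in (f.src, f.dst)]

    def sessions_without_alerts(self) -> List[Flow]:
        """Flows between host pairs that never produced an alert."""
        alerted = {frozenset((a.src, a.dst)) for a in self.alerts}
        return [f for f in self.flows if frozenset((f.src, f.dst)) not in alerted]


def demo() -> Console:
    """Build a console from the samples and walk one tier-1 / tier-2 hand-off."""
    when = datetime(2004, 11, 26, 20, 40, 0, tzinfo=timezone.utc)
    c = Console()
    c.flows = [parse_flow(l) for l in SAMPLE_FLOWS]
    for line in SAMPLE_ALERTS:
        c.ingest_alert(line, when)
    c.categorize(2, "VI", "tier1_alice", "nmap ping sweep", when)   # analyst decides
    c.escalate(3, "tier1_alice")                                      # unsure: escalate
    return c


if __name__ == "__main__":
    c = demo()
    for a in c.alerts:
        print(a.aid, a.sid, a.category, a.analyst, a.classified_at, "ESC" if a.escalated else "")
    for f in c.sessions_without_alerts():
        print("no alert but session:", f.src, "->", f.dst, f.dport, f.dst_bytes)
```

Querying `by_category("VI")` is the post's "query by category" step: the analyst never has to guess which Snort messages make up a scan. The `sessions_without_alerts` result is the point of item 5: the IRC-port session from 192.168.1.10 is visible in flow data even though no signature fired on it.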
