[Snort-users] Question about Sguil

Matt Martin MMartin at ...16693...
Fri Jun 20 13:27:15 EDT 2014

Hey Doug, thanks for the reply!

Is security Onion required for Sguil, or just recommended? Because I have Snort already installed on a Dell Poweredge Server (*2950 I think is the model...), with 6 HDDs in a RAID5 Array and 8 Intel Xeon cores, . This server was previously used for other purposes, but since most of our Servers have gone virtual we had a few servers lying around for me to choose from to install Snort on.

From what I read Security Onion it is a OS/Linux Distro in it of itself, based on RedHat. And it comes with Snort, Barnyard2, etc already pre-installed... Is that correct?

While I was writing this I was speaking with my manager and we ARE going to give it a try. We are going to use one of old email servers (*Dell something...) and we're going to install Security  Onion and give it a go... Sounds promising!

Thanks again for the suggestion!

Thanks Again,

-----Original Message-----
From: Doug Burks [mailto:doug.burks at ...11827...] 
Sent: Friday, June 20, 2014 12:36 PM
To: Matt Martin
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Question about Sguil

Hi Matt,

I'd recommend that you download Security Onion and install it in a VM to get a feel for the Sguil architecture.  In just a few minutes you'll have the Sguil client, server, and sensor up and running, along with barnyard2, mysql, pulledpork, and lots of other goodies.


On Fri, Jun 20, 2014 at 12:21 PM, Matt Martin <MMartin at ...16693...> wrote:
> Hello All,
> I am currently using BASE as my frontend for Snort. But I get errors 
> when clicking into lots of stuff on the GUI, so I’m looking into other 
> GUI frontends for Snort. Not to mention mostly every time I click on 
> an “Alert”, when the page loads in the browser it just says in red 
> that “Alert Deleted”… Don’t know why would it be deleting alerts…
> But anyway, I came across Sguil which seems to be a pretty popular 
> choice amongst GUI frontends for Snort. But I am a bit confused by the 
> installation process, so I was hoping someone could explain this question below for me…?
> I downloaded the most recent version of Sguil (*Sguil Version 0.9.0). 
> And reading about the installation process on a number of different 
> sites I am still confused by the Client/Server/Sensor architecture of 
> it. I currently have my Snort installation, along with Barnyard2, 
> MySQL, BASE and Oinkmaster all on the same server (*I downloaded 
> PulledPork because I heard good things, but still need to install it 
> and replace Oinkmaster…). I have had Snort running now on this server 
> for a few weeks and it seems to be going well, except for the frontend...
> So since I have Snort all contained on a single server am I supposed 
> to install Sguil Client, Server, and Sensor on that server as well? If 
> I want to use it simply as a frontend to Snort, do I need all 3 of 
> those? I couldn’t find any installation docs for Sguil for when Snort 
> and it’s MySQL Database are on the same server. All the docs seemed to 
> be for “split” Snort installations, i.e. across multiple servers…
> Could anyone explain to me those 3 different parts to Sguil? And 
> whether or not I need all 3 of them installed?
> Any thoughts or suggestions would be much appreciated!
> Thanks in Advance,
> Matt
> ----------------------------------------------------------------------
> -------- HPCC Systems Open Source Big Data Platform from LexisNexis 
> Risk Solutions Find What Matters Most in Your Big Data with HPCC 
> Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration 
> http://p.sf.net/sfu/hpccsystems 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

Doug Burks

More information about the Snort-users mailing list