[Snort-users] Question about Sguil

Jeremy Hoel jthoel at ...11827...
Fri Jun 20 13:49:31 EDT 2014


Nothing too special.. it's Ruby on Rails.. its creator is also working on a
commercial cloud-based product based off Snorby itself.  If you need help
with the SELinux parts or want to secure it, just drop a line on the user
mailing list for it.

Doug's SO is also a great tool to see how they all work.  You should install
it in a VM to get an idea of the different options and choices. I know
redoing the IDS isn't always an option and it is possible to install all
the bits separately (not via SO, but from the individual packages), but it's
a great way to test drive and play and even use full time if you are
starting from scratch or a clean server.




On Fri, Jun 20, 2014 at 5:33 PM, Matt Martin <MMartin at ...16693...> wrote:

>  Hey Jeremy, thanks for the reply!
>
>
>
> Yea, I was actually just reading about Snorby. Looks pretty cool, reminds
> me of our Packetshaper’s web frontends…
>
> I think I’m going to install that first before I really dive into Sguil.
> Anything I need to be aware of with Snorby?
>
>
>
> Thanks again for the reply, much appreciated!
>
>
>
> Thanks,
>
> Matt
>
>
>
>
>
>
>
> *From:* Jeremy Hoel [mailto:jthoel at ...11827...]
> *Sent:* Friday, June 20, 2014 12:38 PM
>
> *To:* Matt Martin
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Question about Sguil
>
>
>
> Base relies on Barnyard2 to send alerts to a database.  Snorby works the
> same way and has a more modern front end; you might try that first before
> jumping into Sguil.
>
>
> Sguil doesn't use Barnyard; it has Tcl agents that look at Snort (and can
> also look at pcap, session, OSSEC and other data) and send it all to a
> server running the Sguil server, and that goes into its own database in a
> completely different format.
>
> Base and Snorby are web based, not client based; for Sguil you need to run a
> client (Tcl based, but I have seen an exe around for Windows machines).
>
> Depending on your sensor OS, there are guides for rolling out Sguil,
> but if you have everything else working right now, you might just want to
> check out Snorby first.
>
>
>
>
>
> On Fri, Jun 20, 2014 at 4:21 PM, Matt Martin <MMartin at ...16693...> wrote:
>
> Hello All,
>
>
>
> I am currently using BASE as my frontend for Snort. But I get errors when
> clicking into lots of stuff on the GUI, so I’m looking into other GUI
> frontends for Snort. Not to mention almost every time I click on an
> “Alert”, when the page loads in the browser it just says in red “Alert
> Deleted”… Don’t know why it would be deleting alerts…
>
>
>
> But anyway, I came across Sguil which seems to be a pretty popular choice
> amongst GUI frontends for Snort. But I am a bit confused by the
> installation process, so I was hoping someone could explain this question
> below for me…?
>
>
>
> I downloaded the most recent version of Sguil (Sguil Version 0.9.0).
> And reading about the installation process on a number of different sites I
> am still confused by the Client/Server/Sensor architecture of it. I
> currently have my Snort installation, along with Barnyard2, MySQL, BASE and
> Oinkmaster all on the same server (I downloaded PulledPork because I
> heard good things, but still need to install it and replace Oinkmaster…).
> I have had Snort running now on this server for a few weeks and it seems to
> be going well, except for the frontend...
>
>
>
> So since I have Snort all contained on a single server am I supposed to
> install Sguil Client, Server, and Sensor on that server as well? If I want
> to use it simply as a frontend to Snort, do I need all 3 of those? I
> couldn’t find any installation docs for Sguil for when Snort and its MySQL
> database are on the same server. All the docs seemed to be for “split”
> Snort installations, i.e. across multiple servers…
>
>
>
> Could anyone explain to me those 3 different parts to Sguil? And whether
> or not I need all 3 of them installed?
>
> Any thoughts or suggestions would be much appreciated!
>
>
>
> Thanks in Advance,
>
> Matt
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
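The replies above describe the pipeline that BASE and Snorby share: Snort writes alerts to its binary unified2 spool, and Barnyard2 reads that spool and inserts rows into the MySQL database the web frontend queries. The Python below is an added example, not part of the original thread and not Snort's or Barnyard2's code: it decodes the two record types every Snort sensor emits (the IDS event, type 7, and the packet record, type 2) and pairs packets with the event they reference, which is the same pairing Barnyard2 performs before writing its event and payload rows. The sample spool, its sensor/event IDs, addresses and the placeholder packet bytes are constructed for the example; unknown record types are skipped by the length in their header, and a truncated spool is rejected rather than silently yielding a partial event.

```python
"""Reader for Snort's unified2 spool format (added example, not Snort/Barnyard2 code)."""
import socket
import struct
from dataclasses import dataclass, field

# Every unified2 record starts with a big-endian header: uint32 type, uint32 length.
RECORD_HDR = struct.Struct(">II")
UNIFIED2_PACKET = 2        # Unified2Packet: event reference + raw packet bytes
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent (legacy IPv4 event, 52 bytes)

# Unified2IDSEvent (type 7): sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination (11 x uint32); sport_itype, dport_icode (2 x uint16);
# protocol, impact_flag, impact, blocked (4 x uint8).
IDS_EVENT = struct.Struct(">11I2H4B")
# Unified2Packet (type 2): sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length (7 x uint32), then packet_length bytes.
PACKET_HDR = struct.Struct(">7I")


@dataclass
class Event:
    sensor_id: int
    event_id: int
    timestamp: int
    gid: int
    sid: int
    rev: int
    priority: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: list = field(default_factory=list)


def _ipv4(n: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_unified2(data: bytes) -> dict:
    """Walk a unified2 byte string; return {(sensor_id, event_id): Event}.

    Packet records are attached to the event they reference, which is how
    Barnyard2 pairs the event and payload rows it writes to MySQL. Record
    types this reader does not understand (e.g. extra-data records) are
    skipped using the length in their header.
    """
    events = {}
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        start = off + RECORD_HDR.size
        body = data[start:start + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record at offset {off}")
        if rtype == UNIFIED2_IDS_EVENT:
            if rlen != IDS_EVENT.size:
                raise ValueError(f"bad IDS event length {rlen} at offset {off}")
            (sensor_id, event_id, ev_sec, _ev_usec, sig_id, gen_id, sig_rev,
             _class_id, prio, ip_src, ip_dst, sport, dport,
             proto, _impact_flag, _impact, _blocked) = IDS_EVENT.unpack(body)
            events[(sensor_id, event_id)] = Event(
                sensor_id, event_id, ev_sec, gen_id, sig_id, sig_rev, prio,
                _ipv4(ip_src), _ipv4(ip_dst), sport, dport, proto)
        elif rtype == UNIFIED2_PACKET:
            (sensor_id, event_id, _ev_sec, _pkt_sec, _pkt_usec,
             _linktype, pkt_len) = PACKET_HDR.unpack_from(body, 0)
            pkt = body[PACKET_HDR.size:PACKET_HDR.size + pkt_len]
            if len(pkt) != pkt_len:
                raise ValueError(f"truncated packet at offset {off}")
            ev = events.get((sensor_id, event_id))
            if ev is None:
                raise ValueError(f"packet for unknown event {(sensor_id, event_id)}")
            ev.packets.append(pkt)
        off = start + rlen
    return events


def summarize(events: dict) -> list:
    """One line per event in the [gid:sid:rev] style Snort's own alert output uses."""
    lines = []
    for ev in events.values():
        n = len(ev.packets)
        lines.append(f"[{ev.gid}:{ev.sid}:{ev.rev}] {ev.src}:{ev.sport} -> "
                     f"{ev.dst}:{ev.dport} proto {ev.proto} ({n} packet{'s' if n != 1 else ''})")
    return lines


def build_sample_spool() -> bytes:
    """Constructed sample spool: one TCP event (sensor 1, event 17) plus its packet.

    The packet bytes are a placeholder payload, not a real link-layer frame.
    """
    ev = IDS_EVENT.pack(
        1, 17, 1403287080, 0,           # sensor_id, event_id, event_second, event_microsecond
        2100498, 1, 7,                  # signature_id, generator_id, signature_revision
        3, 2,                           # classification_id, priority_id
        int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
        int.from_bytes(socket.inet_aton("198.51.100.7"), "big"),
        44321, 80,                      # sport_itype, dport_icode
        6, 0, 0, 0)                     # protocol (TCP), impact_flag, impact, blocked
    payload = b"GET / HTTP/1.0\r\n\r\n"
    pkt = PACKET_HDR.pack(1, 17, 1403287080, 1403287080, 123456, 1, len(payload)) + payload
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)


if __name__ == "__main__":
    for line in summarize(parse_unified2(build_sample_spool())):
        print(line)
```

Run it against a real spool by replacing build_sample_spool() with the bytes of a snort.u2.NNNN file from the Snort log directory; if Barnyard2 is pointed at the same directory, the events this prints are the ones that should appear as rows in the database behind BASE or Snorby, which makes it a quick way to tell a sensor-side problem from a database or frontend problem.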

