[Snort-users] Question about Sguil

Jaime Nebrera jnebrera at ...16842...
Fri Jun 20 16:21:30 EDT 2014


> I was just watching the youtube video, very nice...

:D

> It was hard for me to read any of the text in the GUI on the video,

In essence it is just 3 different views:

One is a dashboard you can build to match your needs

Then you have top-k views for each "Metadata variable" (you can see the
operator choosing the variables when going to the top right corner)

And then you have a raw view where you see aggregated events as they arrive,
again defining the variables you want to group by (this view has a very
nice flow visualization built dynamically based on chosen variables)

> but was that a building schematic that I was seeing in the video? If so,
> that's pretty awesome!

Yes we use geolocation. The building you are seeing is a bit different, it is
a heat map of users connected to a wireless network. To define its
position, we use MSE data from Cisco specific equipment. From there we can
estimate the number of distinct users per minute using Hyperloglog
approximation. That part is more specific to Flow but actually would work
the same way for IPS if you could nail that well the position of the
attacker (we do cross info from both products, but again, using MSE)
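To make the "distinct users per minute using Hyperloglog approximation" point concrete, here is an added example (not code from the thread or from the product being discussed): a small HyperLogLog sketch that counts distinct client identifiers per one-minute bucket from a constructed list of (timestamp, client id) records. The record format, the hash (SHA-1 truncated to 64 bits) and the precision p=12 are assumptions for the example.

```python
import hashlib
import math
from collections import defaultdict


class HyperLogLog:
    """Cardinality estimator: 2**p one-byte registers (p=12 -> 4096, ~1.6% std error)."""

    def __init__(self, p=12):
        self.p = p
        self.m = 1 << p
        self.registers = [0] * self.m
        self.alpha = 0.7213 / (1 + 1.079 / self.m)  # bias constant for m >= 128

    def add(self, item):
        # 64-bit hash: top p bits select a register, remaining bits give the leading-zero run.
        h = int.from_bytes(hashlib.sha1(item.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)
        w = h & ((1 << (64 - self.p)) - 1)
        rho = (64 - self.p) - w.bit_length() + 1  # position of first 1-bit, 1-based
        if rho > self.registers[idx]:
            self.registers[idx] = rho

    def count(self):
        raw = self.alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:
            return self.m * math.log(self.m / zeros)  # linear counting for small cardinalities
        return raw


def distinct_users_per_minute(records, p=12):
    """records: iterable of (epoch_seconds, user_id). Returns {minute_start: estimated distinct users}."""
    sketches = defaultdict(lambda: HyperLogLog(p))
    for ts, user in records:
        sketches[ts - ts % 60].add(user)
    return {minute: round(sketch.count()) for minute, sketch in sketches.items()}


# Constructed sample (not real data): 5000 clients in minute 0; the same 5000 clients
# seen twice in minute 1 plus 500 new ones. Duplicate sightings must not inflate the count.
MINUTE_0 = 1403295600  # constructed epoch timestamp for the first bucket
SAMPLE = []
for i in range(5000):
    SAMPLE.append((MINUTE_0 + i % 60, f"client-{i}"))
    SAMPLE.append((MINUTE_0 + 60 + i % 60, f"client-{i}"))
    SAMPLE.append((MINUTE_0 + 60 + i % 60, f"client-{i}"))  # repeated flow, same user
for i in range(500):
    SAMPLE.append((MINUTE_0 + 60 + i % 60, f"guest-{i}"))

ESTIMATES = distinct_users_per_minute(SAMPLE)
```

Each minute bucket costs 4 KiB regardless of how many users pass through it, which is why this fits a per-minute dashboard where an exact set of users would not.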