[Snort-users] Question about Sguil

Matt Martin MMartin at ...16693...
Fri Jun 20 16:27:40 EDT 2014

Very cool Jaime… I’ll be looking forward to your finished product once completed…
Hopefully you can post something to the list once you guys put the new project out there!

Personally, I’m a very visual person, so that “Geolocation” stuff seems pretty awesome. Well thanks for the info, and good luck with the project!

Thanks Again,

From: Jaime Nebrera [mailto:jnebrera at ...16842...]
Sent: Friday, June 20, 2014 4:22 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Question about Sguil

> I was just watching the youtube video, very nice...

> It was hard for me to read any of the text in the GUI on the video,

In essence it's just 3 different views:

One is a dashboard you can build to match your needs

Then you have top-k views for each "Metadata variable" (you can see the operator choosing the variables when going to the top right corner)

And then you have a raw view where you see aggregated events as they arrive, again defining the variables you want to group by (this view has a very nice flow visualization built dynamically based on chosen variables)

> but was that a building schematic that I was seeing in the video? If so, that’s pretty awesome!

Yes we use geolocation. The building you are seeing is a bit different, it is a heat map of users connected to a wireless network. To define its position, we use MSE data from Cisco specific equipment. From there we can estimate the number of distinct users per minute using HyperLogLog approximation. That part is more specific from Flow but actually would work the same way for IPS if you could nail that well the position of the attacker (we do crossing info from both products, but again, using MSE)
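The per-minute distinct-user estimate Jaime mentions relies on HyperLogLog. As an added illustration that is not code from this thread or from the product discussed, here is a minimal HyperLogLog sketch fed with constructed MAC-like identifiers; the (minute, user_id) record shape, the precision p and the hash choice are assumptions.

```python
import hashlib
import math


class HyperLogLog:
    """Minimal HyperLogLog sketch (2**p registers) with the small-range
    linear-counting correction from the original paper."""

    def __init__(self, p=12):
        self.p = p
        self.m = 1 << p
        self.registers = [0] * self.m
        self.alpha = 0.7213 / (1 + 1.079 / self.m)  # bias constant, valid for m >= 128

    def add(self, item):
        # 64-bit hash of the identifier (blake2b is an assumption, any good hash works);
        # the top p bits pick a register, the rest give the "leading zeros + 1" rank.
        h = int.from_bytes(hashlib.blake2b(item.encode(), digest_size=8).digest(), "big")
        idx = h >> (64 - self.p)
        rest = h & ((1 << (64 - self.p)) - 1)
        rank = (64 - self.p) - rest.bit_length() + 1
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def count(self):
        raw = self.alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:
            return int(round(self.m * math.log(self.m / zeros)))  # linear counting
        return int(round(raw))


def distinct_users_per_minute(records, p=12):
    """records: iterable of (minute, user_id). One sketch per minute, so memory per
    minute stays fixed at 2**p registers no matter how many events arrive."""
    sketches = {}
    for minute, user in records:
        sketches.setdefault(minute, HyperLogLog(p)).add(user)
    return {minute: s.count() for minute, s in sketches.items()}


def demo():
    """Constructed sample: MAC-like ids, each seen three times within a minute.
    Returns (estimated, exact) so the two can be compared."""
    truth = {"12:00": 500, "12:01": 2000, "12:02": 40}
    records = [(minute, "aa:bb:cc:%06x" % i)
               for minute, n in truth.items() for i in range(n) for _ in range(3)]
    return distinct_users_per_minute(records), truth


if __name__ == "__main__":
    est, truth = demo()
    for minute in truth:
        print(minute, "estimate", est[minute], "exact", truth[minute])
```

Repeated sightings of the same id do not inflate the estimate, which is what makes the sketch usable for "distinct users per minute" on a busy wireless network.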
