[Snort-users] Question about Sguil

Matt Martin MMartin at ...16693...
Fri Jun 20 16:59:47 EDT 2014


Thanks for the reply Doug,

Ohh ok... Gotcha, thanks for the clarification.

Thanks Again,
Matt


-----Original Message-----
From: Doug Burks [mailto:doug.burks at ...11827...] 
Sent: Friday, June 20, 2014 4:42 PM
To: Matt Martin
Cc: Y M; snort-users
Subject: Re: [Snort-users] Question about Sguil

More like this:

Sensor - sniffs traffic, sends IDS alerts to server
Server - receives IDS alerts from sensors, writes alerts to database, and interacts with sensors and clients
Client - can be on your laptop, interacts with the server

Take a look at these diagrams:

http://nsmwiki.org/File:Sguil-0.7.network.png

http://nsmwiki.org/File:Sguil-0.7.dfd.png

On Fri, Jun 20, 2014 at 4:33 PM, Matt Martin <MMartin at ...16693...> wrote:
> Y M, thanks for the reply…
>
>
>
> Ok, that’s the explanation I was looking for. I was a bit confused 
> before about that, but I think I got it now…
>
>
>
> Basically like this:
>
>             Sensor ---> Goes with the Database
>
>             Server ---> Goes with Snort
>
>             Client ---> Can go anywhere, i.e. my laptop and the like?
>
>
>
> Does that sound right?
>
>
>
> Thanks again for the explanation!
>
>
>
> Thanks,
>
> Matt
>
>
>
>
>
> From: Y M [mailto:snort at ...15979...]
> Sent: Friday, June 20, 2014 1:20 PM
>
>
> To: Matt Martin
> Cc: snort-users
> Subject: RE: [Snort-users] Question about Sguil
>
>
>
> If your database is on the same box as Snort, then you would have to 
> run both the Sguil Sensor and Server on the same box as Snort. If 
> your database is on a different server, then the Sguil Sensor would run on 
> the same box as Snort while the Server runs on the database server.
>
>
>
> Sguil Client, as it is sometimes referred to, is the "analyst console" 
> where you get to view your alerts. This can be run on the analyst 
> machine. In fact it can be run on either Linux or Windows. The client 
> would connect to the database/Server to authenticate and view the alert data.
>
>
>
> A third option for the web GUI side is the Squert Project at:
> http://www.squertproject.org/. I have been leaning towards using it in 
> the future. Unfortunately, the demo site is currently offline but you 
> get an idea by viewing the screenshots.
>
>
>
> YM
>
> ________________________________
>
> From: MMartin at ...16693...
> To: snort-users at lists.sourceforge.net
> Date: Fri, 20 Jun 2014 16:21:11 +0000
> Subject: [Snort-users] Question about Sguil
>
> Hello All,
>
>
>
> I am currently using BASE as my frontend for Snort. But I get errors 
> when clicking into lots of stuff on the GUI, so I’m looking into other 
> GUI frontends for Snort. Not to mention almost every time I click on 
> an “Alert”, when the page loads in the browser it just says in red 
> that “Alert Deleted”… Don’t know why it would be deleting alerts…
>
>
>
> But anyway, I came across Sguil which seems to be a pretty popular 
> choice amongst GUI frontends for Snort. But I am a bit confused by the 
> installation process, so I was hoping someone could answer this question below for me…?
>
>
>
> I downloaded the most recent version of Sguil (*Sguil Version 0.9.0). 
> And reading about the installation process on a number of different 
> sites I am still confused by the Client/Server/Sensor architecture of 
> it. I currently have my Snort installation, along with Barnyard2, 
> MySQL, BASE and Oinkmaster all on the same server (*I downloaded 
> PulledPork because I heard good things, but still need to install it 
> and replace Oinkmaster…). I have had Snort running now on this server 
> for a few weeks and it seems to be going well, except for the frontend...
>
>
>
> So since I have Snort all contained on a single server, am I supposed 
> to install Sguil Client, Server, and Sensor on that server as well? If 
> I want to use it simply as a frontend to Snort, do I need all 3 of 
> those? I couldn’t find any installation docs for Sguil for when Snort 
> and its MySQL database are on the same server. All the docs seemed to 
> be for “split” Snort installations, i.e. across multiple servers…
>
>
>
> Could anyone explain to me those 3 different parts to Sguil? And 
> whether or not I need all 3 of them installed?
>
> Any thoughts or suggestions would be much appreciated!
>
>
>
> Thanks in Advance,
>
> Matt
>
>



--
Doug Burks
