SGUIL - The Analyst Console for Network Security Monitoring
Sguil consists of three main components: a plugin to barnyard (op_sguil), a GUI server (sguild), and a GUI client (sguil.tk). Once installed, these components allow the analyst to view Snort events in near real time. Events can be validated by placing them into one of seven incident categories or by marking them as requiring no further action (NA). These actions remove the events from the RealTime tab of all connected clients, but the events are not deleted from the database.
Archived events can easily be retrieved from the database through preformatted queries, or the analyst can create a custom query using SQL. Also included in the sguil package are a patch for the portscan preprocessor (logs to a pipe-delimited file), a patch for the stream4 preprocessor (keepstats type 'db' for logging pipe-delimited stats to a file), and a tcl script (sensor_agent.tcl) for loading the modified outputs into the database.
These components give the analyst immediate access to portscan and session data. The final component, xscriptd, is for analyzing the raw data associated with a given session. It is a daemon that listens for requests from sguil.tk and, once queried, parses raw tcpdump files for packets matching the requested session and either feeds the stream through tcpflow to create a transcript or sends the binary data back to the client to be loaded into Ethereal.
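A minimal stand-in for the xscriptd step described above, added here as an example (not Sguil's own code): it reads a raw tcpdump (pcap) file, keeps only the packets belonging to one TCP session in either direction, and labels each side's payload to form a transcript. The capture bytes are constructed inline; checksums and sequence numbers are zeroed because the example does not reorder segments.

```python
import struct

def _frame(src, sport, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _pcap(frames):
    """Wrap frames in a little-endian pcap file (24-byte global header, 16-byte record headers)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

# Constructed capture: two HTTP sessions interleaved, only one of which the analyst asked for.
SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", 40000, "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n"),
    _frame("10.0.0.7", 40001, "10.0.0.9", 80, b"GET /other HTTP/1.0\r\n\r\n"),
    _frame("10.0.0.9", 80, "10.0.0.5", 40000, b"HTTP/1.0 200 OK\r\n"),
])

def read_pcap(data):
    """Yield each captured frame; only the little-endian pcap magic is accepted here."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]  # incl_len field
        off += 16
        yield data[off:off + incl]
        off += incl

def tcp_tuple(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + ip_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    ip = lambda b: ".".join(map(str, b))
    return ip(frame[26:30]), sport, ip(frame[30:34]), dport, tcp[(tcp[12] >> 4) * 4:]

def transcript(pcap, src, sport, dst, dport):
    """Keep only packets of the requested session (either direction) and label each side's data."""
    fwd, rev, out = (src, sport, dst, dport), (dst, dport, src, sport), []
    for frame in read_pcap(pcap):
        p = tcp_tuple(frame)
        if p and p[4] and p[:4] in (fwd, rev):
            out.append(("SRC: " if p[:4] == fwd else "DST: ") + p[4].decode("latin-1"))
    return "".join(out)
```

Unlike tcpflow, this concatenates payload in capture order rather than by TCP sequence number, so retransmitted or out-of-order segments would appear as captured.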