Thursday, June 14, 2007
Network Security Monitoring with Sguil - An Intuitive GUI
Sguil (pronounced "sgweel") is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis. The Sguil client is written in Tcl/Tk and can be run on any operating system that supports Tcl/Tk (including Linux, *BSD, Solaris, MacOS, and Win32).
It ties your IDS alerts into a database of TCP/IP sessions, full-content packet logs and other information. When you've identified an alert that needs more investigation, the Sguil client provides you with seamless access to the data you need to decide how to handle the situation. In other words, Sguil simply ties together the outputs of various security monitoring tools into a single interface, providing you with the most information in the shortest amount of time. Sguil uses a database backend for most of its data, which allows you to perform SQL queries against several different types of security events.
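As an added illustration (not from the original post) of the kind of pivot the database backend makes possible, the queries below correlate an IDS alert with the session records around it. The table names (`event`, `sancp`, `sensor`), column names, and the convention of storing IP addresses as unsigned integers via `INET_ATON()` are assumptions about a typical MySQL-backed Sguil schema; check them against your own installation before use. The alert signature and addresses are constructed sample values.

```sql
-- Assumed schema (not from the page): event = IDS alerts, sancp = session records,
-- sensor = the monitoring sensors; IPs stored as INT UNSIGNED (INET_ATON/INET_NTOA).

-- 1. Which sensors raised a given signature in the last day, and how often?
SELECT s.hostname,
       e.signature,
       COUNT(*)                  AS hits,
       MIN(e.timestamp)          AS first_seen,
       MAX(e.timestamp)          AS last_seen
FROM   event  e
JOIN   sensor s ON s.sid = e.sid
WHERE  e.signature LIKE '%SQL injection%'          -- constructed example signature
  AND  e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP  BY s.hostname, e.signature
ORDER  BY hits DESC;

-- 2. Pivot from one alert's endpoints to the sessions between the same pair of hosts
--    within a five-minute window, so the analyst can see what else the client did.
SELECT INET_NTOA(c.src_ip) AS src,
       c.src_port,
       INET_NTOA(c.dst_ip) AS dst,
       c.dst_port,
       c.start_time,
       c.end_time,
       c.src_bytes,
       c.dst_bytes
FROM   event e
JOIN   sancp c
  ON   c.sid    = e.sid
 AND   c.src_ip = e.src_ip
 AND   c.dst_ip = e.dst_ip
 AND   c.start_time BETWEEN e.timestamp - INTERVAL 5 MINUTE
                        AND e.timestamp + INTERVAL 5 MINUTE
WHERE  e.src_ip = INET_ATON('192.0.2.10')      -- constructed sample client address
  AND  e.dst_ip = INET_ATON('198.51.100.20')   -- constructed sample server address
ORDER  BY c.start_time;

-- 3. Talkers the IDS never flagged: hosts with large outbound byte counts today
--    that have no alert at all, a useful complement to signature-driven review.
SELECT INET_NTOA(c.src_ip) AS src,
       SUM(c.src_bytes)    AS bytes_out,
       COUNT(*)            AS sessions
FROM   sancp c
WHERE  c.start_time >= CURDATE()
  AND  NOT EXISTS (SELECT 1 FROM event e WHERE e.src_ip = c.src_ip)
GROUP  BY c.src_ip
HAVING bytes_out > 100000000                     -- 100 MB threshold, adjust to taste
ORDER  BY bytes_out DESC
LIMIT  20;
```

The second query is the same pivot the Sguil client performs when you right-click an alert and ask for related sessions; writing it by hand is useful when you want to script the check or widen the window beyond what the GUI offers.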
Sguil’s design centers on providing convenient, quick access to a host of supporting information, which both saves you time and helps you make better decisions. Incidentally, because sguil uses a dedicated client instead of running through a web browser, you get a richer, more responsive user interface as well.
Installing the Sguil client on Microsoft Windows
Getting the Sguil client up and running on Microsoft Windows is a fairly easy process. First, download and unpack the most recent version of Sguil from here. Next, download and install the free ActiveTcl libraries. Finally, associate the sguil.tk application with the Tcl interpreter.
You can read more and download Sguil here.