Snort mailing list archives
Re: Question about Sguil
From: Matt Martin <MMartin () jwpepper com>
Date: Fri, 20 Jun 2014 20:59:47 +0000
Thanks for the reply Doug, Ohh ok... Gotcha, thanks for the clarification.
Thanks Again,
Matt
-----Original Message-----
From: Doug Burks [mailto:doug.burks () gmail com]
Sent: Friday, June 20, 2014 4:42 PM
To: Matt Martin
Cc: Y M; snort-users
Subject: Re: [Snort-users] Question about Sguil
More like this:
Sensor - sniffs traffic, sends IDS alerts to server
Server - Receives IDS alerts from sensors, writes alerts to database, and interacts with sensors and clients
Client - can be on your laptop, interacts with the server
Take a look at these diagrams:
http://nsmwiki.org/File:Sguil-0.7.network.png
http://nsmwiki.org/File:Sguil-0.7.dfd.png
On Fri, Jun 20, 2014 at 4:33 PM, Matt Martin <MMartin () jwpepper com> wrote:
Y M, thanks for the reply…
Ok, that’s the explanation I was looking for. I was a bit confused
before about that, but I think I got it now…
Basically like this:
Sensor ---> Goes with the Database
Server ---> Goes with Snort
Client ---> Can go anywhere, i.e. my laptop and the like?
Does that sound right?
Thanks again for the explanation!
Thanks,
Matt
From: Y M [mailto:snort () outlook com]
Sent: Friday, June 20, 2014 1:20 PM
To: Matt Martin
Cc: snort-users
Subject: RE: [Snort-users] Question about Sguil
If your database is on the same box as Snort, then you would have to
run both, the Sguil Sensor and Server on the same box as Snort. If
your database is on a different server, then Sguil sensor would run on
the same box as Snort while the Server runs on the database Server.
The Sguil Client, sometimes referred to as the "analyst console", is
where you get to view your alerts. This can be run on the analyst
machine. In fact it can be run on either Linux or Windows. The client
would connect to the database/Server to authenticate and view the alert data.
A third option for the web GUI side is the Squert Project at:
http://www.squertproject.org/. I have been leaning towards using it in
the future. Unfortunately, the demo site is currently offline but you
get an idea by viewing the screenshots.
YM
________________________________
From: MMartin () jwpepper com
To: snort-users () lists sourceforge net
Date: Fri, 20 Jun 2014 16:21:11 +0000
Subject: [Snort-users] Question about Sguil
Hello All,
I am currently using BASE as my frontend for Snort. But I get errors
when clicking into lots of stuff on the GUI, so I’m looking into other
GUI frontends for Snort. Not to mention mostly every time I click on
an “Alert”, when the page loads in the browser it just says in red
that “Alert Deleted”… Don’t know why it would be deleting alerts…
But anyway, I came across Sguil which seems to be a pretty popular
choice amongst GUI frontends for Snort. But I am a bit confused by the
installation process, so I was hoping someone could explain this question below for me…?
I downloaded the most recent version of Sguil (*Sguil Version 0.9.0).
And reading about the installation process on a number of different
sites I am still confused by the Client/Server/Sensor architecture of
it. I currently have my Snort installation, along with Barnyard2,
MySQL, BASE and Oinkmaster all on the same server (*I downloaded
PulledPork because I heard good things, but still need to install it
and replace Oinkmaster…). I have had Snort running now on this server
for a few weeks and it seems to be going well, except for the frontend...
So since I have Snort all contained on a single server am I supposed
to install Sguil Client, Server, and Sensor on that server as well? If
I want to use it simply as a frontend to Snort, do I need all 3 of
those? I couldn’t find any installation docs for Sguil for when Snort
and its MySQL Database are on the same server. All the docs seemed to
be for “split” Snort installations, i.e. across multiple servers…
Could anyone explain to me those 3 different parts to Sguil? And
whether or not I need all 3 of them installed?
Any thoughts or suggestions would be much appreciated!
Thanks in Advance,
Matt
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems Open Source.
Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Doug Burks
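The sensor/server/client split that Doug and Y M describe above, modelled as an added example (this is illustrative code written for this archive page, not Sguil's own code). It assumes a single-box layout like Matt's: a "sensor" that only parses Snort fast-format alert lines and hands them to the server, a "server" that is the sole holder of the database handle and the only place credentials are checked, and a "client" that never sees the database and only talks to the server. The alert lines, the user name and the password are constructed sample data, and the class and function names are invented for the example.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed Snort "fast" alert lines (sample data, not taken from the thread).
SAMPLE_FAST_ALERTS = [
    "06/20-16:21:11.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234",
    "06/20-16:22:30.500000  [**] [1:1000001:1] LOCAL test rule [**] "
    "[Priority: 1] {ICMP} 192.168.1.77 -> 192.168.1.10",
    "06/20-16:23:02.000100  [**] [1:1000002:1] LOCAL noisy rule [**] "
    "[Priority: 3] {UDP} 192.168.1.10:53412 -> 8.8.8.8:53",
    "garbage line that the sensor must skip rather than forward",
]

# Fast-format layout: timestamp [**] [gid:sid:rev] msg [**] [... Priority: N] {proto} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int  # Snort convention: 1 is the most severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for lines that do not match."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    port = lambda v: int(v) if v else None  # ICMP lines carry no ports
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 int(m["prio"]), m["proto"], m["src"], port(m["sport"]), m["dst"], port(m["dport"]))


class SguilLikeServer:
    """The only tier that owns a database handle; sensors push to it, clients query it."""

    def __init__(self, users: dict):
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE event (sensor TEXT, ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER,"
                         " msg TEXT, priority INTEGER, proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)")
        # Store salted PBKDF2 hashes rather than the passwords themselves.
        self._users = {u: (salt := secrets.token_bytes(16), self._hash(pw, salt)) for u, pw in users.items()}
        self._sessions: dict = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def receive(self, sensor_name: str, a: Alert) -> None:
        """Called by sensors only: persist one alert."""
        self._db.execute("INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                         (sensor_name, a.ts, a.gid, a.sid, a.rev, a.msg, a.priority, a.proto,
                          a.src, a.sport, a.dst, a.dport))
        self._db.commit()

    def alert_count(self) -> int:
        return self._db.execute("SELECT COUNT(*) FROM event").fetchone()[0]

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Return a session token on success, None otherwise (constant-time compare)."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(self._hash(password, rec[0]), rec[1]):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def query_alerts(self, token: str, max_priority: int) -> list:
        """Called by clients only: alerts at or above a severity, newest-first within a priority."""
        if token not in self._sessions:
            raise PermissionError("client is not authenticated")
        return self._db.execute("SELECT sensor, ts, msg, priority FROM event WHERE priority <= ?"
                                " ORDER BY priority, ts", (max_priority,)).fetchall()


class SguilLikeSensor:
    """Sits next to Snort; parses alerts and forwards them, never touches the database."""

    def __init__(self, name: str, server: SguilLikeServer):
        self.name, self._server = name, server

    def forward_fast_alerts(self, lines) -> int:
        sent = 0
        for line in lines:
            alert = parse_fast_alert(line)
            if alert is not None:
                self._server.receive(self.name, alert)
                sent += 1
        return sent


class SguilLikeClient:
    """The analyst console: holds a server reference only, no database credentials."""

    def __init__(self, server: SguilLikeServer):
        self._server = server

    def login(self, user: str, password: str) -> Optional[str]:
        return self._server.authenticate(user, password)

    def alerts(self, token: str, max_priority: int = 5) -> list:
        return self._server.query_alerts(token, max_priority)


def run_demo() -> dict:
    """All three tiers on one box, as in Matt's setup; returns what each tier observed."""
    server = SguilLikeServer(users={"analyst": "constructed-password"})  # constructed credentials
    sensor = SguilLikeSensor("sensor-1", server)
    sent = sensor.forward_fast_alerts(SAMPLE_FAST_ALERTS)
    client = SguilLikeClient(server)
    token = client.login("analyst", "constructed-password")
    return {"sent": sent, "stored": server.alert_count(), "high": client.alerts(token, max_priority=1)}


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes is the one in Doug's three lines: the sensor and the client each hold a reference to the server and nothing else, so moving the database to another host (Y M's second layout) only changes where `SguilLikeServer` runs, not the sensor or the console.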