Snort mailing list archives

Re: Question about Sguil


From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 20 Jun 2014 17:49:31 +0000

Nothing too special. It's Ruby on Rails. Its creator is also working on a
commercial cloud-based product based off Snorby itself. If you need help
with the SELinux parts or want to secure it, just drop a line on the user
mailing list for it.

Doug's SO is also a great tool to see how they all work. You should install
it in a VM to get an idea of the different options and choices. I know
redoing the IDS isn't always an option, and it is possible to install all
the bits separately (not via SO, but from the individual packages), but it's
a great way to test drive and play, and even use full time if you are
starting from scratch or a clean server.




On Fri, Jun 20, 2014 at 5:33 PM, Matt Martin <MMartin () jwpepper com> wrote:

Hey Jeremy, thanks for the reply!



Yea, I was actually just reading about Snorby. Looks pretty cool, reminds
me of our Packetshaper’s web frontends…

I think I’m going to install that first before I really dive into Sguil.
Anything I need to be aware of with Snorby?



Thanks again for the reply, much appreciated!



Thanks,

Matt







*From:* Jeremy Hoel [mailto:jthoel () gmail com]
*Sent:* Friday, June 20, 2014 12:38 PM

*To:* Matt Martin
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Question about Sguil



Base relies on Barnyard2 to send alerts to a database. Snorby works the
same way and has a more modern front end; you might try that first before
jumping into sguil.


sguil doesn't use barnyard; it has tcl agents that look at snort (and can
also look at pcap, session, ossec and other data) and send it all to a
server running the sguil server, and that goes into its own database in a
completely different format.

Base and snorby are web based, not client based; with sguil you need to run a
client (tcl based, but I have seen an exe around for windows machines).

Depending on your sensor OS, there are guides for rolling out sguil,
but if you have everything else working right now, you might just want to
check out snorby first.





On Fri, Jun 20, 2014 at 4:21 PM, Matt Martin <MMartin () jwpepper com> wrote:

Hello All,



I am currently using BASE as my frontend for Snort. But I get errors when
clicking into lots of stuff in the GUI, so I’m looking into other GUI
frontends for Snort. Not to mention almost every time I click on an
“Alert”, when the page loads in the browser it just says in red “Alert
Deleted”… Don’t know why it would be deleting alerts…



But anyway, I came across Sguil which seems to be a pretty popular choice
amongst GUI frontends for Snort. But I am a bit confused by the
installation process, so I was hoping someone could explain this question
below for me…?



I downloaded the most recent version of Sguil (Sguil Version 0.9.0).
And reading about the installation process on a number of different sites I
am still confused by the Client/Server/Sensor architecture of it. I
currently have my Snort installation, along with Barnyard2, MySQL, BASE and
Oinkmaster, all on the same server (I downloaded PulledPork because I
heard good things, but still need to install it and replace Oinkmaster…).
I have had Snort running now on this server for a few weeks and it seems to
be going well, except for the frontend...



So since I have Snort all contained on a single server, am I supposed to
install the Sguil Client, Server, and Sensor on that server as well? If I want
to use it simply as a frontend to Snort, do I need all 3 of those? I
couldn’t find any installation docs for Sguil for when Snort and its MySQL
database are on the same server. All the docs seemed to be for “split”
Snort installations, i.e. across multiple servers…



Could anyone explain to me those 3 different parts to Sguil? And whether
or not I need all 3 of them installed?

Any thoughts or suggestions would be much appreciated!



Thanks in Advance,

Matt



------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
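The reply above contrasts two pipelines: BASE and Snorby read whatever Barnyard2 has written into a database, while Sguil's agents push data to sguild and its own schema. The script below is an added example, not code from this thread or from Sguil, BASE, Snorby or Barnyard2. It illustrates the first model end to end (alerts in, rows in a database, a "top signatures" query out) using Snort's text alert_fast output instead of the unified2 spool that Barnyard2 actually consumes, because alert_fast can be parsed in a few lines. The sample alert lines, the table name `event` and its columns are my own constructions, not the BASE or Snorby schema.

```python
"""Load Snort alert_fast lines into SQLite and query them the way a web frontend would.

Added example for illustration only; it is not Sguil, BASE, Snorby or Barnyard2
code. Real deployments feed the database from unified2 via Barnyard2, not from
the text log used here.
"""
import re
import sqlite3

# Constructed sample in Snort's alert_fast format (made-up rules and addresses,
# not captured traffic). The last line is deliberately malformed so the parser's
# rejection path is exercised.
SAMPLE_ALERTS = """\
06/20-17:49:31.123456  [**] [1:1000001:2] LOCAL suspicious id check response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:51234
06/20-17:49:32.000100  [**] [1:1000002:1] LOCAL ICMP sweep from internal host [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 10.0.0.1
06/20-17:49:33.500000  [**] [1:1000001:2] LOCAL suspicious id check response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.9:40001
this line is not an alert and must be skipped
"""

# alert_fast layout: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
#   [Classification: text] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is optional (rules without a classtype omit it); ports are
# absent for ICMP. IPv4 only: the src/dst groups stop at the first colon.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Hypothetical schema for this example; BASE and Snorby each use their own.
SCHEMA = """CREATE TABLE IF NOT EXISTS event (
    cid INTEGER PRIMARY KEY AUTOINCREMENT,
    ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT,
    classification TEXT, priority INTEGER, proto TEXT,
    src_ip TEXT, src_port INTEGER, dst_ip TEXT, dst_port INTEGER)"""

INSERT = """INSERT INTO event (ts, gid, sid, rev, msg, classification, priority,
    proto, src_ip, src_port, dst_ip, dst_port)
    VALUES (:ts, :gid, :sid, :rev, :msg, :classification, :priority,
    :proto, :src_ip, :src_port, :dst_ip, :dst_port)"""


def parse_alert(line):
    """Return a dict of typed fields for one alert_fast line, or None if it is not one."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"], "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"], "classification": g["cls"], "priority": int(g["prio"]),
        "proto": g["proto"],
        "src_ip": g["src"], "src_port": int(g["sport"]) if g["sport"] else None,
        "dst_ip": g["dst"], "dst_port": int(g["dport"]) if g["dport"] else None,
    }


def build_database(alert_text, path=":memory:"):
    """Load every parseable line into the event table; return (connection, rows inserted)."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    inserted = 0
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue  # unparseable line: skip, do not abort the whole load
        conn.execute(INSERT, rec)  # bound parameters, never string-built SQL
        inserted += 1
    conn.commit()
    return conn, inserted


def top_signatures(conn, limit=10):
    """The frontend's summary view: (sid, msg, count) ordered by count."""
    return conn.execute(
        "SELECT sid, msg, COUNT(*) AS n FROM event GROUP BY sid, msg "
        "ORDER BY n DESC, sid LIMIT ?", (limit,)).fetchall()


def events_for_sid(conn, sid):
    """The drill-down view when an alert is clicked: rows for one signature, by key."""
    return conn.execute(
        "SELECT cid, ts, src_ip, dst_ip FROM event WHERE sid = ? ORDER BY cid",
        (sid,)).fetchall()


if __name__ == "__main__":
    db, n = build_database(SAMPLE_ALERTS)
    print(f"loaded {n} alerts")
    for sid, msg, count in top_signatures(db):
        print(f"{count:4d}  {sid}  {msg}")
```

Point it at a real `alert_fast` file by passing `open(path).read()` to `build_database` with an on-disk path instead of `:memory:`. Two details matter for a frontend: the loader skips lines it cannot parse rather than stopping, and every query takes its values as bound parameters, which is what you want from any web UI that turns a clicked link into a database lookup.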