Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
Files are located in the directory named for where they will be installed.
-
sguil.tk
-- Analysis GUI client and its conf file. -
lib
-- contains some tcl scripts that are needed by the client.
-
snort_agent.tcl
-- a script that runs on the sensor that takes input from barnyard and sends alerts to the sguild server. It also loads portscan, session, and sensor statistics to the sguild server. -
sancp_agent.tcl
-- a script that runs on the sensor, reads session files from the specified directory and pushes them to sguild for where they are loaded into the DB -
pcap_agent.tcl
-- a script that runs on the sensor and processes requests for packet data from sguild -
log_packets.sh
-- a shell script that runs a second instance of snort to log all packets for correlation. Meant to be installed in a crontab. -
./contrib
-- some stuff someone gave us...don't ask me how to use it.
-
sguild
-- The Sguil Server (again a TCL script) and its conf file. This is the brains behind this whole mess. This stuff gets installed on the database server.* `sguild.queries` -- Configuration file for Standard queries * `sguild.access` -- Configuration file for User access- control * `sguild.email` -- Configuration file for automatic emails on alerts from sguild.
-
sql_scripts
-- Scripts to create the sguildb database structure.
A bunch of (hopefully) helpful documents.
some more stuff, ya got me.
Copyright (C) 2002-2014 Robert (Bamm) Visscher bamm@sguil.net
GPLv3 - See LICENSE file for more details