Tuesday, May 03, 2005

Sguil on Gentoo

Finally, I can manage to install Sguil on Gentoo.From its website:
"Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides realtime events from snort/barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event driven analysis of IDS alerts."

Basically, Sguil has 4 components:
- sensor, running snort IDS and using Barnyard to send the alert to database
- database, running mysql as central repository of all the alerts
- sguil server, connecting the client to sensors and as front-end interface for any SQL queries to database
- sguil client, graphical front end interface for users which is very cool and can be used to chat within users as well!

Sguil now is considered the best monitoring tool for snort IDS. ACID is the alternative but it can't provide "real-time" alert as Sguil does, since ACID use web-based interface that needs to be refreshed all the time.

I won't write the step-by-step installation here, because the documentation is very clear.
I recommend to follow the instruction from Richard Bejtlijh in here.
The documentation is focused on the installation under freebsd. For Gentoo users, if you can't find the required packages in "emerge -s", then you have to download from the source.
Btw, my sguild is still not running TLS since I haven't yet found the tcltls source code.

For window$ client, follow the instruction how to install the client in here.
For Mac OS client:
- install X11
- install Tcl/Tk Agua
- download sguil client

If you don't modify the sguil.conf file, you will be connected to demo sguil server. Use 'sguil' for both username and password.
If you have setup your own server, just modify the "set SERVERHOST" parameter in the sguil.conf file.