Written By Analysts, For Analysts

Current Version: Sguil 0.8.0

29 May 2011 - Sguil 0.8.0 Released!

Okay, new direction. Time has been escaping me and Sguil development has suffered. When I do have time to spend on Sguil, I would rather be adding new features and fixing bugs versus testing installs and writing documentation. So starting with this release, I am going to focus on getting code out the door and hope our small community will document their experiences through blogs, wikis, mailing lists, tweets, and #snort-gui.

Go out and download Sguil 0.8.0. Install it. Test it. Break it. And find some bad guys.

Bamm

25 January 2010 - I'm not dead yet

But the demo server is. Well, it is not dead, just in an unpacked box (we moved from Colorado to Western Michigan recently). Seriously. I apologize for the lack of updates over the last two years (ouch). The project is not dead, just on hiatus. I have been busy with a huge deployment (over 100 sensors on ~80 appliances) and cannot wait to add what we have learned. Stay tuned.

Bamm

26 March 2008 - Updated Modsec2Sguil

Victor Julien writes:

I've updated the Modsec2sguil agent to work with the latest release. Also, it contains support for ModSecurity 2.5.x contributed by Ryan Cummings.

Get it here: http://www.inliniac.net/modsec2sguil/

Cheers, Victor

26 March 2008 - Bugs!

Well, that didn't take too long. Found a bug with the way the client parses messages for display in the "User Messages" tab. It has been fixed in CVS and a simple diff can be found here. A patched release will follow.

25 March 2008 - Sguil Version 0.7.0 Released

It has been a couple of years of changes and bugfixes since the last release. The biggest change is the replacement of the sensor agent with individual components for each collection type. The new agents are called snort_agent.tcl, pcap_agent.tcl, and sancp_agent.tcl. By splitting out the agents, collection for these different data types can be placed on separate hardware and still be correlated via their "NET_NAME".

A new collection agent for PADS is also included in this release although it is still considered beta. Also included is an example_agent.tcl script that documents how custom agents can be created. Other agents have been written for ModSecurity and OSSEC.

As always, help can be found on the sguil-users mailing list or in IRC on #snort-gui via irc.freenode.net.

David Bianco has provided a great HOWTO and Rich Fifarek has created a yum repository that should be updated soon.

Thanks for everyone's help and happy F8ing,

Bamm

21 March 2007 - Modsec2Sguil 0.7 Released

Victor Julien released version 0.7 of Modsec2sguil recently. Modsec2Sguil is a set of Perl scripts that feed ModSecurity alerts into the Sguil NSM system. The main change in this release is support for alerts produced by ModSecurity 2.x, while 1.9.x remains supported. In addition, the mapping between ModSecurity's severity and Snort's priority was fixed, so alerts should show up in the correct pane in Sguil again.

In future releases, we plan to add the capability for other projects to easily send events to Sguil.

19 March 2007 - Website Updated!

After a much too long hiatus, the Sguil website has been updated. We are using an open source template from Andreas Viklund. Also, Sguil version 0.7.0 is currently being tested in CVS and we plan to get a release candidate out soon!

24 March 2006 - Sguil 0.6.1 VM

Richard Bejtlich of TaoSecurity created another Sguil VM. This edition runs Sguil 0.6.1 on FreeBSD 5.4 and is described here.

13 February 2006 - Sguil 0.6.1 Released

Sguil-0.6.1 has been released. This release adds support for Snort statistics, UNION queries, and GUI enhancements.

06 January 2006 - Sguil Client VM

Richard Bejtlich of TaoSecurity has created a new Sguil VM. This one includes the client as well as the components from his first VM.

30 December 2005 - First Sguil VM

Richard Bejtlich of TaoSecurity has started creating virtual machines suitable for use in VMware Player. You can read about the creation of the first Sguil VM in Richard's blog. We've added a page on VMs for future work. The first VM is available here.