Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.
doug edited this page Aug 27, 2019 · 33 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Sguil.

Description

From http://sguil.net:

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis.

Authentication

For login information, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Passwords#sguil

For information on ways to connect to Sguil/sguild, please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ConnectingtoSguil

Data Types

  • NIDS alerts from Snort/Suricata (if snort_agent is enabled)
  • HIDS alerts from OSSEC (if ossec_agent is enabled)
  • session data from PRADS (if PRADS and sancp_agent are enabled)
  • asset data from PRADS (if PRADS and pads_agent are enabled)
  • HTTP logs from Bro (if http_agent is enabled)

Pivot

  • pivot to transcript/Wireshark/NetworkMiner by right-clicking the Alert ID.
  • automatically pivot to ASCII transcript by middle-clicking the Alert ID.
  • pivot to Kibana by right-clicking an IP address and choosing "Kibana IP Lookup".

Agents

Because Sguil is written in tcl/tk, it can only utilize1024 sockets for receiving communication from various sensor agents (ossec_agent, pcap_agent, snort_agent). Due to this restriction, you will want to keep in mind the number of sensors and sniffing interfaces you have connected to the master server/accessed by Sguil.

See the following for more information:
https://groups.google.com/d/msg/security-onion/DJ5NTLEu5MY/-tDQi_1eDQAJ

Management

Customize (Sguil client)

  • resize columns by right-clicking on the column heading in the Sguil client.

  • change fonts by clicking File --> Change Font from within the Sguil client.

  • Sguil client settings are stored in /etc/sguil/sguil.conf:

    • You can enable "Show Rule", "Show Packet Data", and "Display Detail" (respectively) by setting the following (also see https://groups.google.com/d/topic/security-onion/MJaAlxgpMvU/discussion):
      set SHOWRULE 1
      set PACKETINFO 1
      set DISPLAY_GENERIC 1

    • You can separate realtime alerts into separate panes, based on severity level, by editing /etc/sguil/sguil.conf as follows:

      #Number of RealTime Event Panes    
      #set RTPANES 1    
      set RTPANES 3    
    
      # Specify which priority events go into what pane   
      # According to the latest classification.config from snort,   
      # there are only 4 priorities. The sguil spp_portscan mod   
      # uses a priority of 5.    
      #set RTPANE_PRIORITY(0) "1 2 3 4 5"  
      set RTPANE_PRIORITY(0) "1"  
      set RTPANE_PRIORITY(1) "2 3"  
      set RTPANE_PRIORITY(2) "4 5"   
    

DNS Lookups

Previously, when pivoting to transcript, the Sguil server would perform DNS lookups on the source and destination IP addresses. That default has since been changed to increase performance and avoid unnecessary information leakage. If you would like to re-enable DNS lookups, you can set the following in /etc/nsm/securityonion/sguild.conf:

set TRANSCRIPT_DNS_LOOKUP 1
Clone this wiki locally