The Sguil client runs fine on any OS that supports tcl. Using the
ActiveState [0] packages, it's actually easier to run the client on
Windows than it is Linux. ActiveState also has packages available for
AIX, HP-UX, Linux, Mac OS X (both for PowerPC and x86), and Solaris.
Here is an old post on Richard's TaoSecurity blog [1] that explains
the installation process.
Bammkkkk
[0] http://www.activestate.com/Products/ActiveTcl/
[1]
http://taosecurity.blogspot.com/2003/07/want-to-become-f8-monkey-my-friend.html
On 5/27/06, Drew Burchett <DrewB@united-systems.com> wrote:
While I can agree with most of what was said here, I can see one flaw
with Sguil. I don't run any Linux boxes with a GUI frontend, and I
don't have the resources to load one just to run Sguil. I'm using BASE
to help fine tune Snort as it's good to help weed out false positives
and for a good running overview of what is happening in realtime. I
combine that with Snortalog for daily overviews of my data and then use
other programs to provide email and/or pager alerts on events that I
feel are important enough to draw my immediate attention.
I guess if BASE has one fatal flaw, there's no ability to see an IP
conversation that triggered an alert. For example, if you see an ATTACK
RESPONSE 403 FORBIDDEN alert, there's no good way to tell if it was
malicious or if some dummy just typed in the wrong URL.
Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-
> admin@lists.sourceforge.net] On Behalf Of Paul Schmehl
> Sent: Friday, May 26, 2006 12:54 PM
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] consensus on BASE
>
> John Newman wrote:
> > Is the consensus that BASE is the best web front-end for snort out
there
> > (and I mean free, open source stuff)? What are people's experiences
> > with sguil (which I realize is not web based).
> >
> > thanks,
> >
> I think Base is probably the most popular open source front-end
> (although I don't have any data to back that up.) It's certainly easy
> to install and use. The problem with Base is that it gives you a
> sliding window of your events data, which tends to obscure real-time
> events from view unless they are large enough to draw attention (or
you
> just happen to notice them._ So, it's good for summarizing what's
going
> on, but not as good for real-time analysis of discrete events.
>
> Sguil is very difficult to install. It requires quite a bit of
> preparation and installation of ancilliary apps to make it work. (I'm
> trying to solve that on FreeBSD by developing ports for it that take
> care of all the dependencies.) That's a consequence of the decision
to
> use tcl as the programming language, since it's not commonly installed
> on most platforms. (It also uses some other apps which are not so
> common; sancp, p0f, tcpdump
>
> Once it's installed and configured (which is also a bit of work and
> requires a clear understanding of what you're doing), it provides a
> completely different, more detailed look at the data, in real time.
> It's easy to pick out events that need immediate followup and drill
down
> into packets to see what's really going on.
>
> So, I would say, Base is good for folks new to snort and especially
new
> to admining OSes, and sguil is good for folks who clearly understand
> what they're doing and want as much information about events as they
can
> get.
>
> --
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
--
This message has been scanned for viruses and dangerous content by MailScanner
and is believed to be clean.
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmdlnk&kid�7521&bid$8729&dat�1642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listsnort-users
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
