Sguil

Sguil (pronounced sgweel or squeal) is a collection of free software components for Network Security Monitoring (NSM) and event driven analysis of IDS alerts.^[2] The sguil client is written in Tcl/Tk^[3][2] and can be run on any operating system that supports these. Sguil integrates alert data from Snort, session data from SANCP, and full content data from a second instance of Snort running in packet logger mode.

Sguil
Original author(s)	Bamm Visscher, Steve Halligan
Stable release	0.9.0[1] / April 4, 2014; 11 years ago (2014-04-04)
Written in	Tcl/Tk
Operating system	Cross-platform
Type	Network Security Monitoring
License	GPLv3
Website	sguil.sourceforge.net

Sguil is an implementation of a Network Security Monitoring system. NSM is defined as "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

Sguil is released under the GPL 3.0.^[4]

Tools that make up Sguil

Tool	Purpose
MySQL 4.x or 5.x	Data storage and retrieval
Snort 2.x / Suricata	Intrusion detection alerts, scan detection, packet logging
Barnyard / Barnyard2	Decodes IDS alerts and sends them to sguil
SANCP	TCP/IP session records
Tcpflow	Extract an ASCII dump of a given TCP session
p0f	Operating system fingerprinting
tcpdump	Extracts individual sessions from packet logs
Wireshark	Packet analysis tool (used to be called Ethereal)

^[5]

See also

• Free Software portal

• Sagan
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)
• Network intrusion detection system (NIDS)
• Metasploit Project
• nmap
• Host-based intrusion detection system comparison