Network Security Monitoring With Sguil (Build It!) presented at ShmooCon 2006

by Richard Bejtlich,

Tags: Security Monitoring

Summary : This talk will introduce the open source network security monitoring suite called Sguil ( Sguil is a Tcl/Tk interface to alert data from Snort, session data from the Security Analyst Network Connection Profiler (SANCP), and full content data from Tcpdump or a second instance of Snort. Sguil is unlike any Web-based alert GUI used to perform so-called "analysis" of Snort alerts, like ACID or BASE. While products like ACID and BASE are limited to browsing Snort alerts and frustrating analysts with their lack of data, Sguil uses a Snort alert as the beginning of a network-centric investigation -- not the end.
The speaker will describe Sguil's architecture, the tool's main features, and how Sguil helps analysts detect and respond to real intrusions. Attendees will no doubt wish to run from the room as soon as the talk ends to install Sguil on their favorite Unix platform. Even Windows users will feel warm and fuzzy about installing the Sguil client on their laptops. (The Sguil server side components are not supported on Windows, however.)
The author of the talk is a member of the Sguil project and has used Sguil in his books The Tao of Network Security Monitoring (2004, Addison-Wesley) and Extrusion Detection (2006, Addison-Wesley). The author has deployed Sguil in locations under active attack and compromise and used the data to eject real bad guys from victim enterprises.
Richard Bejtlich is founder of TaoSecurity (, a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. Richard was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001 then-Captain Bejtlich defended global American information assets in the AFCERT, performing and supervising the real-time intrusion detection mission.
Formally trained as an intelligence officer, Richard is a graduate of Harvard University and the United States Air Force Academy. He authored the critically acclaimed Tao of Network Security Monitoring in 2004 and Extrusion Detection in 2005. Richard co-authored Real Digital Forensics, and contributed to Hacking Exposed, 4th Ed., Incident Response, 2nd Ed. He holds the CISSP, CIFI, and CCNA certifications. Richard writes for his Web log ( and teaches at USENIX.