This post is the third in a multi-part series designed to introduce Sguil and Squert to beginners.
I'm assuming you've already been through the steps in Introduction to Sguil and Squert: Part 1 and Introduction to Sguil and Squert: Part 2.
In Parts 1 and 2, we compared Sguil and Squert and showed how you can accomplish the same thing in both. In Part 3, we're going to contrast them and see why we need both.
Let's start with Sguil. Sguil's killer feature is the ability to take an alert and pull a full session transcript. By doing this, we not only see the packet that triggered the alert, but also the rest of the session before and after it. This works because the sensor keeps full packet capture on disk; the IDS alert is just the pointer into that capture, so the surrounding traffic is there whether or not any rule fired on it.
Time for an example. Download "Scan of the Month 19" from the Honeynet Project:
Expand the tarball:
tar zxvf scan19.tar.gz
If you haven't already, log into Sguil so that you'll be able to see the alerts as they populate. Now use tcpreplay to replay newdat3.log (a packet capture, despite the .log extension) onto your eth0 interface. Use a different interface if eth0 isn't the one your sensor is sniffing: tcpreplay sends the packets exactly as captured, original addresses included, so they will only generate alerts on an interface that Sguil is monitoring. The -t flag replays at top speed rather than with the original timing, so the alert timestamps will be the replay time, not the time of the original capture:
sudo tcpreplay -i eth0 -t newdat3.log
As soon as you hit Enter, switch over to your Sguil console so that you can see the alerts. You should see something like this:
Go to either of the "GPL FTP SITE ..." events, right-click the Alert ID, and click Transcript. A new window will appear like this:
It may take a few seconds to pull the entire transcript, since the server has to fetch the packets from the sensor's packet capture first. Once it does, you'll be able to scroll down and see the entire FTP attack, from the SITE EXEC exploit against the FTP daemon to the attacker catting the passwd file:
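To see what a transcript is actually made of, here is an added example written for this post (it is not Sguil's own code): a stand-alone Python script that reads a classic pcap, picks out one TCP connection, reassembles each direction by sequence number and prints it in Sguil's SRC:/DST: layout. The FTP session, the 192.0.2.x addresses and ports, and the retransmitted packet are all constructed for the demo; the SITE EXEC line is only the kind of string the GPL FTP SITE EXEC rules look for, not the SotM 19 traffic itself. Sguil builds its transcripts from the sensor's full packet capture in the same spirit, which is why the text before and after the alerting packet shows up.

```python
# Rebuild a Sguil-style transcript (SRC:/DST: lines) for one TCP connection from
# a classic pcap file. Added example, not Sguil's code; demo data is constructed.
import struct

# magic -> (struct byte order, divisor for the fractional timestamp field)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
    b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9),
}
LINKTYPE_ETHERNET = 1

def pcap_records(data):
    """Yield (timestamp, frame); the magic check rejects non-captures, whatever the extension."""
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file, magic %r" % data[:4])
    endian, divisor = PCAP_MAGICS[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + frac / divisor, data[off:off + incl]
        off += incl

def tcp_segments(data):
    """Yield (ts, (src, sport), (dst, dport), seq, payload) for IPv4/TCP frames."""
    for ts, frame in pcap_records(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        if ip[9] != 6 or len(ip) < (ip[0] & 0x0F) * 4 + 20:
            continue                                   # not TCP, or truncated
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        src = "%d.%d.%d.%d" % tuple(ip[12:16])
        dst = "%d.%d.%d.%d" % tuple(ip[16:20])
        yield ts, (src, sport), (dst, dport), seq, tcp[(off_flags >> 12) * 4:]

def transcript(data, client, server):
    """SRC:/DST: lines for client<->server (SRC = client, as in Sguil). Each direction
    is reassembled by sequence number, then the two are merged by capture time."""
    segs = {"SRC": [], "DST": []}
    for ts, src, dst, seq, payload in tcp_segments(data):
        if payload and (src, dst) == (client, server):
            segs["SRC"].append((seq, ts, payload))
        elif payload and (src, dst) == (server, client):
            segs["DST"].append((seq, ts, payload))
    chunks = []
    for side, items in segs.items():
        items.sort(key=lambda s: s[0])                 # sequence order, not capture order
        expected, last_ts = None, 0.0
        for seq, ts, payload in items:
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]     # retransmitted bytes already seen
                seq = expected
            last_ts = max(last_ts, ts)                 # keep seq order when merging
            if payload:
                chunks.append((last_ts, side, payload))
            expected = seq + len(payload)              # a gap (lost packet) is skipped silently
    chunks.sort(key=lambda c: c[0])
    return ["%s: %s" % (side, line) for _ts, side, payload in chunks
            for line in payload.decode("latin-1").splitlines()]

def build_pcap(packets):
    """Constructed little-endian pcap from (ts, src, dst, seq, payload); checksums left zero."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, (sip, sport), (dip, dport), seq, payload in packets:
        tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5018, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in sip.split(".")),
                         bytes(int(o) for o in dip.split("."))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out.append(struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

CLIENT, SERVER = ("192.0.2.10", 40001), ("192.0.2.20", 21)
# Constructed session: packet 5 retransmits packet 4, the SITE EXEC line is the kind of
# format-string probe the GPL FTP SITE EXEC rules flag, and the last packet is another flow.
DEMO_PACKETS = [
    (1.0, SERVER, CLIENT, 1000, b"220 ftp server ready\r\n"),
    (1.1, CLIENT, SERVER, 5000, b"USER anonymous\r\n"),
    (1.2, SERVER, CLIENT, 1022, b"331 Guest login ok\r\n"),
    (1.3, CLIENT, SERVER, 5016, b"PASS guest@\r\n"),
    (1.35, CLIENT, SERVER, 5016, b"PASS guest@\r\n"),
    (1.4, SERVER, CLIENT, 1042, b"230 Guest login ok\r\n"),
    (1.5, CLIENT, SERVER, 5029, b"SITE EXEC %p%p%p%p\r\n"),
    (1.6, SERVER, CLIENT, 1062, b"500 SITE EXEC not understood\r\n"),
    (1.7, ("192.0.2.10", 40002), ("192.0.2.20", 80), 7000, b"GET / HTTP/1.0\r\n"),
]

def demo_transcript():
    return transcript(build_pcap(DEMO_PACKETS), CLIENT, SERVER)

if __name__ == "__main__":
    print("\n".join(demo_transcript()))
```

To run it against a real file, call transcript() with the bytes of the capture and the two endpoints shown in the Sguil alert, for example transcript(open("newdat3.log", "rb").read(), (client_ip, client_port), (server_ip, server_port)). The retransmitted PASS line appears once and the HTTP packet does not appear at all, which is the point of keying on the connection rather than on the alerting packet. Two limits are spelled out in the comments: a line split across two segments prints as two lines, and a gap left by a packet the sensor missed is skipped rather than flagged.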
Can your commercial IDS do that? Come back tomorrow to see one of the killer features that Squert has.