Thursday, January 20, 2011

Introduction to Sguil and Squert: Part 4

This post is the fourth in a multi-part series designed to introduce Sguil and Squert to beginners.

I'm assuming you've already been through the steps in the previous posts in this series:

Introduction to Sguil and Squert: Part 1
Introduction to Sguil and Squert: Part 2
Introduction to Sguil and Squert: Part 3


In Part 3, we saw Sguil's killer feature: pulling session transcripts from the full packet captures to show an entire attack from beginning to end. In Part 4, we're going to see one of Squert's killer features: alert visualization.


Using the alerts from yesterday's demo, we display them in Squert.




Right above the alerts, we click "create" and are then prompted for some options.  We give it a name and keep the other options at their default settings.


We then click the "create" button, and a graph of the alert data is generated.


We can then click on the graph to open a larger version and see more detail.

3 comments:

Raffael said...

What is used underneath to generate the link graph?

Doug Burks said...

Hi Raffael,

From http://www.pintumbler.org/Code/squert:

"Afterglow is used to create the DOT language file which is then fed to the Graphviz to create the image."

Thanks,
Doug Burks
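The pipeline named in the reply above (AfterGlow writes a DOT-language link graph, Graphviz renders it) is easy to reproduce on a small scale. The script below is an added example written for this post, not Squert's or AfterGlow's own code: it takes alert records in the three-column source/event/target layout AfterGlow consumes (here, source IP, signature, destination IP), collapses repeated alerts into weighted edges, and emits a DOT digraph. The alert rows in `SAMPLE_ALERTS` are constructed sample data, not alerts from the demo.

```python
"""Build a Graphviz DOT link graph from IDS alert records, mirroring the
AfterGlow -> DOT -> Graphviz pipeline Squert uses for alert visualization.
Added example, not Squert's or AfterGlow's code; sample data is constructed."""
from collections import Counter
import csv
import io

# Constructed sample alerts in the "source,event,target" layout that
# AfterGlow consumes. Addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
src_ip,signature,dst_ip
192.0.2.10,ET SCAN Nmap,198.51.100.5
192.0.2.10,ET SCAN Nmap,198.51.100.6
192.0.2.10,ET SCAN Nmap,198.51.100.6
203.0.113.7,GPL SHELLCODE x86 NOOP,198.51.100.5
203.0.113.7,ET POLICY Suspicious UA,198.51.100.9
"""


def parse_alerts(text):
    """Yield (source, event, target) tuples from CSV text with a header row."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        yield (row["src_ip"].strip(), row["signature"].strip(), row["dst_ip"].strip())


def count_edges(alerts):
    """Aggregate duplicate alerts into weighted edges.

    Each alert contributes two edges, source->event and event->target, so a
    signature seen many times from one source becomes a single thick edge
    instead of a pile of overlapping lines."""
    edges = Counter()
    for src, event, dst in alerts:
        edges[(src, event)] += 1
        edges[(event, dst)] += 1
    return edges


def dot_id(label):
    """Quote a label as a DOT identifier, escaping embedded double quotes."""
    return '"' + label.replace('"', '\\"') + '"'


def build_link_graph(text):
    """Return a DOT digraph for the alerts in `text`.

    Sources, signatures and targets get distinct shapes/colours so an analyst
    can tell attacker, rule and victim apart at a glance; edge width and label
    carry the alert count. A host that is both a source and a target is simply
    declared twice, which DOT accepts (the later attributes win)."""
    alerts = list(parse_alerts(text))
    edges = count_edges(alerts)
    sources = sorted({a[0] for a in alerts})
    events = sorted({a[1] for a in alerts})
    targets = sorted({a[2] for a in alerts})

    lines = ["digraph alerts {", "  rankdir=LR;", "  node [fontsize=10];"]
    for s in sources:
        lines.append(f"  {dot_id(s)} [shape=box, color=red];")
    for e in events:
        lines.append(f"  {dot_id(e)} [shape=ellipse, color=blue];")
    for t in targets:
        lines.append(f"  {dot_id(t)} [shape=box, color=darkgreen];")
    for (a, b), n in sorted(edges.items()):
        lines.append(f'  {dot_id(a)} -> {dot_id(b)} [label="{n}", penwidth={n}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the output to Graphviz, e.g.:  python3 linkgraph.py | dot -Tpng -o alerts.png
    print(build_link_graph(SAMPLE_ALERTS))
```

Feeding the printed DOT to `dot -Tpng` gives the same kind of picture Squert draws: scanning sources fan out to a signature node, and the signature node fans out to the hosts that were hit, with the edge weights showing where the volume is.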

Carlos R. said...

Excellent tutorial, quick, short and easy. I have been working with Sguil a couple of years, and it's a little painful to install it with multiple adapters because I'm not a Linux expert, I'm an MCITP. Now with Security Onion I have a working IDS in a few minutes.

Thanks a lot for your contribution.