Thursday, January 20, 2011

Introduction to Sguil and Squert: Part 4

This post is the fourth in a multi-part series designed to introduce Sguil and Squert to beginners.

I'm assuming you've already been through the steps in the previous posts in this series:

Introduction to Sguil and Squert: Part 1
Introduction to Sguil and Squert: Part 2
Introduction to Sguil and Squert: Part 3

In Part 3, we saw Sguil's killer feature of being able to pull session transcripts from the full packet captures to show an entire attack from beginning to end.  In Part 4, we're going to see one of Squert's killer features: alert visualization.

Using the alerts from yesterday's demo, we display them in Squert.

Right above the alerts, we click "create" and are then prompted for some options.  We give it a name and keep the other options at their default settings.

We then click the "create" button and then a graph is generated of the alert data.

We can then click on the graph to open a larger version and see more detail.


Anonymous said...

What is used underneath to generate the link graph?

Doug Burks said...

Hi Raffael,


"Afterglow is used to create the DOT language file which is then fed to the Graphviz to create the image."

Doug Burks

Carlos R. said...

Excelent tutorial, quick, short and easy.. I have been working with sguil a couple of years, and its a little painful install it with multiple adapters because Im not an Linux expert, Im an MCITP. Now with Security Onio I have a Working IDS in a few minutes..

Thanks a lot for your contribution..

Search This Blog

Featured Post

Celebrating 10 Years of Security Onion Solutions and Announcing Security Onion Pro!

From Doug Burks, Founder and CEO of Security Onion Solutions:  There’s an old saying that it takes ten years to be an overnight success. Tha...

Popular Posts

Blog Archive