So What Is Sguil?
Sguil is the brainchild of its lead developer, Robert "Bamm" Visscher. Bamm is a veteran of NSM operations at the Air Force Computer Emergency Response Team and Ball Aerospace & Technologies Corporation, where we both worked. Bamm wrote Sguil to bring the theories behind NSM to life in a single application. At the time of this writing, Sguil is written completely in Tcl/Tk. Tcl is the Tool Command Language, an interpreted programming language suited for rapid application development. Tk is the graphical toolkit that draws the Sguil interface on an analyst's screen. Tcl/Tk is available for both UNIX and Windows systems, but most users deploy the Sguil server components on a UNIX system. The client, which will be demonstrated in this chapter, can be operated on UNIX or Windows. Sguil screenshots in some parts of the book were taken on a Windows XP system, and those in this chapter are from a FreeBSD laptop.
I do not explain how to deploy Sguil because the application's installation method is constantly being improved. I recommend that you visit http://sguil.sourceforge.net and download the latest version of the Sguil installation manual, which I maintain at that site. The document explains how to install the Sguil client and server components step-by-step.
Sguil applies the following tools to the problem of collecting, analyzing, validating, and escalating NSM information.
Snort provides alert data. With a minor modification to accommodate Sguil's need for alert and packet data, Snort is run in the familiar manner appreciated by thousands of analysts worldwide.
Using the keepstats option of Snort's stream4 preprocessor, Sguil receives TCP-based session data. In the future this may be replaced or supplemented by Argus, John Curry's SANCP (http://sourceforge.net/projects/sancp), or a NetFlow-based alternative.
A second instance of Snort collects full content data. Because this data consists of libpcap trace files, Snort could be replaced by Tcpdump or Tethereal (and may have been so replaced by the time you read this).
Tcpflow rebuilds full content trace files to present application data.
P0f profiles traffic to fingerprint operating systems.
MySQL stores alert and packet data gathered from Snort. PostgreSQL may one day be supported.
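The list above is the NSM data hierarchy Sguil is built around: an alert from Snort is validated by pivoting to the session data for the same connection, and then, if the session looks interesting, to the full content. The following is an added illustration of that pivot, written for this chapter and not code from Sguil or from Bamm. It parses constructed Snort "fast"-style alert lines (the line layout is Snort's; the addresses, SIDs and messages are made up), matches each alert against constructed session records in a simplified format of my own (not the stream4 keepstats format), and returns a triage verdict based on whether the target answered at all. The year is assumed because fast alerts carry no year.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed Snort fast-alert lines. Layout follows Snort's fast output;
# addresses, SIDs and messages are invented for this example.
ALERT_LINES = [
    "01/12-17:22:43.123456  [**] [1:100001:1] EXAMPLE web exploit attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40111 -> 192.0.2.10:80",
    "01/12-17:25:01.000001  [**] [1:100002:1] EXAMPLE scan probe [**] "
    "[Classification: Attempted Recon] [Priority: 3] {TCP} 203.0.113.9:55020 -> 192.0.2.10:22",
]

# Constructed session records in a simplified format of my own (not stream4 output):
# start|end|proto|src|sport|dst|dport|bytes_from_src|bytes_from_dst
SESSION_LINES = [
    "2004-01-12 17:22:43|2004-01-12 17:22:44|TCP|203.0.113.7|40111|192.0.2.10|80|812|15240",
    "2004-01-12 17:25:01|2004-01-12 17:25:01|TCP|203.0.113.9|55020|192.0.2.10|22|60|0",
    "2004-01-12 17:30:00|2004-01-12 17:30:05|TCP|198.51.100.4|33000|192.0.2.10|80|500|2000",
]

FAST_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\[Priority: (\d+)\]\s+\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$"
)


@dataclass
class Alert:
    time: datetime
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Session:
    start: datetime
    end: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    src_bytes: int
    dst_bytes: int


def parse_alert(line: str, year: int = 2004) -> Alert:
    """Parse one Snort fast-alert line; the year is an assumption (fast alerts omit it)."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not a fast-alert line: %r" % line)
    mon, day, clock, _gid, sid, _rev, msg, prio, proto, src, sport, dst, dport = m.groups()
    when = datetime.strptime("%d/%s/%s %s" % (year, mon, day, clock), "%Y/%m/%d %H:%M:%S.%f")
    return Alert(when, int(sid), msg, int(prio), proto, src, int(sport), dst, int(dport))


def parse_session(line: str) -> Session:
    """Parse one record in the constructed session format above."""
    f = line.split("|")
    fmt = "%Y-%m-%d %H:%M:%S"
    return Session(datetime.strptime(f[0], fmt), datetime.strptime(f[1], fmt), f[2],
                   f[3], int(f[4]), f[5], int(f[6]), int(f[7]), int(f[8]))


def sessions_for_alert(alert: Alert, sessions: List[Session],
                       window: timedelta = timedelta(seconds=60)) -> List[Session]:
    """Return sessions sharing the alert's protocol and socket pair (either direction)
    whose lifetime, widened by `window`, covers the alert timestamp."""
    hits = []
    for s in sessions:
        same_proto = s.proto == alert.proto
        fwd = (s.src, s.sport, s.dst, s.dport) == (alert.src, alert.sport, alert.dst, alert.dport)
        rev = (s.dst, s.dport, s.src, s.sport) == (alert.src, alert.sport, alert.dst, alert.dport)
        in_time = s.start - window <= alert.time <= s.end + window
        if same_proto and (fwd or rev) and in_time:
            hits.append(s)
    return hits


def triage(alert: Alert, matched: List[Session]) -> str:
    """Verdict for the analyst: no session data, target never answered, or a real exchange
    that is worth pulling full content for."""
    if not matched:
        return "NO_SESSION"        # check that session collection on the sensor is working
    replied = sum(s.dst_bytes if s.dst == alert.dst else s.src_bytes for s in matched)
    return "BIDIRECTIONAL" if replied > 0 else "UNANSWERED"


def run():
    """Triage every constructed alert; returns (sid, verdict, matching session count)."""
    sessions = [parse_session(l) for l in SESSION_LINES]
    out = []
    for a in (parse_alert(l) for l in ALERT_LINES):
        hits = sessions_for_alert(a, sessions)
        out.append((a.sid, triage(a, hits), len(hits)))
    return out


if __name__ == "__main__":
    for sid, verdict, n in run():
        print(sid, verdict, n)
```

The verdicts encode the NSM reasoning the chapter goes on to demonstrate in the interface: an "exploit attempt" whose target sent back 15 KB deserves the full content pull, while a probe the target never answered can usually be categorised quickly without opening a trace.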
Sguil is a client-server system, with components capable of being run on independent hosts. Analysts monitoring a high-bandwidth link may put Snort on one platform, the Sguil database on a second platform, and the Sguil daemon on a third platform. Analysts connect to the Sguil daemon from their own workstations using a client-server protocol. Communication privacy is obtained by using the SSL protocol. No one needs to "push" a window to his or her desktop using the X protocol. Thanks to ActiveState's free ActiveTcl distribution, analysts can deploy the Sguil client on a Windows workstation and connect to the Sguil daemon running on a UNIX system. Analysts monitoring a low-bandwidth link could conceivably consolidate all client and server functions on a single platform.
This chapter explains the Sguil interface and while doing so illuminates the thought process behind NSM. I start by explaining the interface and use live data collected while monitoring one of my own networks. I then revisit the case study described in Chapter 4. Because I used Tcpreplay to relive the intrusion for Sguil's benefit, the timestamps on the Sguil events do not match the timestamps on the libpcap traces. I trust this does not detract from the learning value of the information.
If you would like to try Sguil without implementing all of the server and sensor components, you are in luck. Curious analysts can download the Sguil client from http://sguil.sourceforge.net and connect to the Sguil demo server running at bamm.dyndns.org. Prospective Sguil users can see Sguil in action on Bamm's server, chat with other users, and get a feel for the interface before deploying the server components on their own network.