Sguil is a tool for analyzing networks and identifying security risks.
The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk. This includes Linux, *BSD, Solaris, MacOS, and Win32. The software has a few basic requirements, such as barnyard, tcl/tk, mysql, ethereal, tcpflow, and awhois.sh.
In this latest release of Sguil, there have been several changes and bugfixes. It's been a couple of years in the making, so there are quite a few updates to look forward to. The biggest change is the replacement of the single sensor agent with individual components for each collection type. Instead of one agent that collects all types of data, there are now separate agents: snort_agent.tcl, pcap_agent.tcl, and sancp_agent.tcl. This allows the different data types to be collected on separate hardware while still being correlated through their shared "NET_NAME".
Another new collection agent in this release is for PADS, although it's still in beta. Additionally, there's an example_agent.tcl script that documents how custom agents can be created. Other agents have been written for ModSecurity and OSSEC as well.
Overall, Sguil is a powerful tool for network security analysts. The GUI is easy to use and provides valuable access to real-time data. With the latest release, this software has become even more flexible and customizable.
Version: 0.7.0