Sguil Feature Wish List

From NSMWiki

Got a suggestion for a new feature in Sguil? List it here!

Note: if the description is short, feel free to just add it on this page. If it's longer, though, please create a new wiki page and just insert a link below. This will help keep the page manageable. Thanks!

  1. VulnerabilityCorrelation
  2. Undo - for when you press the wrong function key when your blood/caffeine ratio is suboptimal (CunningPike)
  3. Turn the Escalated Events tab red when there are alerts listed there (CunningPike)
  4. Turn the Sensor Status tab red when any of the services are down (CunningPike)
  5. InstaShun(tm) - have the sguil console speak to snortsam so that you can right click on an IP and shun it (CunningPike)
  6. An event tagging system. I'd really love to be able to tag IDS alerts or SANCP rows with arbitrary tags, then search and group on them later. I've written this up on my blog.
  7. When you select the hex of packet contents, have it mark the plaintext side and vice versa (CunningPike)
  8. The Escalated events tab should be correlated, just like the RT tab. (Hanashi)
  9. An integrated monitor that could detect when a sguil process has died or become non-functional and do something about it (either fix it or alert someone). (Hanashi)
  10. A specialized "Query PADS info" search that would limit itself to PADS asset events. Good for a quick "What services are on this system" query during analysis. (Hanashi)
  11. Have a way of marking the rules that are in sid-block.map so that it is easy to see which rules are already there (CunningPike)
  12. Ability to change the title of query result tabs. This would make it easier to keep track of query results and organize multiple simultaneous investigations. "Sancp Query 1" and "Sancp Query 2" are not descriptive enough. (nr)
  13. It would be nice to have File -> Print option when viewing the transcript. (iamnowonmai)
  14. It would be really nice if the sguil console recognized and parsed out the X-Forwarded-For header so that the rDNS, WHOIS, etc. could be run on that instead of/as well as the proxy IP (CunningPike)
  15. Add a scrollbar to the sensor selection page at logon. If you have a lot of sensors and analysts, and/or bad screen resolution, the buttons scroll off the screen. (nr)
  16. Modify the query builder so that every time you typed in something like #HOSTNAME# it'd do a DNS lookup for the HOSTNAME and substitute INET_ATON("x.x.x.x") in the query (Hanashi)
  17. Snort GUI (for Lamerz?) - Be able to administer snort rules on sensors. Deploy new rules, edit rules etc. (edward)
  18. Configurable Keyboard Shortcuts and other UI enhancements (barrygould)
  19. Extracting HTTP Request Headers (barrygould)
  20. Modify sguild to handle deletion of old database records, e.g. drop the oldest day's tables each day without having to stop sguild, manually drop/delete the records, and then start it to recreate MERGE tables. (nr)
  21. The possibility to add users with restricted access. UserA can only see events from NET_GROUP A, and UserB can see events from NET_GROUP A and B... UserC can see events from NET_GROUP A, B and N etc. (Edwardbf)
  22. It would be nice/better? to have autocat.conf in the database as its own table, and have the ability to update/maintain it from sguil-client GUI (Think of just right-clicking an event and autocat'ing it). (edward)
  23. Implement right-click on $IP [choose SRC or DST], opens http://www.geoiptool.com/?IP= $IP in browser (Firefox), just like the dshield lookup (edward)
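As an added example for item 14 (not Sguil's own code, which is Tcl), here is a small Python helper that pulls the X-Forwarded-For chain out of a captured request's headers and picks the addresses worth an rDNS/WHOIS lookup alongside the proxy IP. The sample request, the proxy address and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the request side of a proxied HTTP session as it might
# appear in a transcript. Not real traffic.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.7, 10.1.2.3, not-an-ip\r\n"
    "User-Agent: curl/7.0\r\n"
    "\r\n"
)

# Ranges that are useless for rDNS/WHOIS: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_xff(headers_text):
    """Return the X-Forwarded-For entries in order, or [] if the header is absent.

    The header is supplied by the client/proxies, so every hop except the one
    appended by your own trusted proxy is an unverified claim, not a fact.
    """
    # Header names are case-insensitive; match one header line only.
    m = re.search(r"^x-forwarded-for:[ \t]*(.+?)\r?$", headers_text, re.I | re.M)
    if not m:
        return []
    return [tok.strip() for tok in m.group(1).split(",") if tok.strip()]


def classify(addr):
    """Label one entry as 'public', 'internal' or 'invalid' for the analyst."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback or any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "public"


def lookup_candidates(headers_text, proxy_ip):
    """Proxy IP first (the only address actually seen on the wire), then any
    public X-Forwarded-For hops, de-duplicated and in header order."""
    candidates = [proxy_ip]
    for entry in parse_xff(headers_text):
        if classify(entry) == "public" and entry not in candidates:
            candidates.append(entry)
    return candidates
```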