Connecting to the Server
Once the server (sguild) is running and the client (sguil.tk) can connect, you can manage events on a near realtime basis. Events populate the panes based on their priority (this is configurable). Multiple clients can connect to a server at a time. This client/server configuration also allows analyst to connect remotely more easily. For example, if an analyst has remote ssh access to the server network, he/she can tunnel the client/server communication over ssh:
$ ssh mysystem.server.net -L 7734:sguildsystem:7734
Now fire up sguil.tk and point it toward localhost.
Once an event has been reviewed, its status can be updated and the event deleted from the client. To expire an event and set its status to 1, select the event to expire->right click in status (ST) column ->Select Expire from the menu. Events validated as malicious can also be placed into one of seven incident categories (see File->Display Incident Categories for a description) by selecting Update Event Status->Category from the menu. When an event is expired or placed into Incident Category, it is removed from all connected clients. Hot keys can also be used:
<F1>-<F7>: Place the event into Category I - VII <F8>: Expire the event.
Querying the DB
Searches can be initiated using different "templates". For a blank template, use Query->Event Query. Once selected, a query builder allowing you to edit the query will pop up. Only the WHERE statement can be edited. Other templates are available by selecting an event and right clicking on the src/dst ip columns. NOTE: JOINs are now handled internally. The WHERE will be scanned and the appropriate FROM table1 JOIN table2 ON table1.foo=table2.foo will be prepended to your query.
A blank template for session queries can be found under Query->Session Query and a completely blank query builder can be found under Query->Query Builder.
If you wish to save a query for future use use Query->Standard Queries. In the Standard Query dialog, select File->Add Query to add a new user query. User queries are saved locally and therefore are only available on the machine used to create them. To create a standard query for global use, edit the sguild.queries file on your sguild server. In order to have sguild reload the sguild.queries file and update the clients, send a -HUP signal to the sguild process.
Events that have the same src IP and signature/message are correlated under the same event in the appropriate RT pane. Each time an event is "correlated" the CNT field is incremented by one. To view all the correlated events, select the event->right click on the CNT column->View Correlated Events. The shortcut for this info is to middle click on the CNT column of a selected event.
Generating Transcripts, loading data into Wireshark: Make sure Wireshark is installed on the client system. Select an alert, right click on the sid.cid column. Select Transcript or Wireshark. Middle clicking on the sid.cid column of a highlighted event will also request a transcript.
Plain Text or Email reports can be created by selecting the events to report and choosing Report-><Report Type>. Summary reports contain the full packet headers, detail reports add the payloads. You can also elect to sanitize your reports and have all IP addresses obfuscated. Keep in mind that IP addresses encoded into payloads (ie. ICMP Dest Unreachable events) will still exist in the output.
Query output can also be saved to a text file (human-readable, or delimited (CSV, <TAB>, |, etc) by clicking the "Export" button in a query pane. This will export only the infomation that is contained in the query pane (ie. no header details, no payloads, etc).
Check the Reporting and Data Mining page for more information.
Sguil users who are interested in more comprehensive reports should visit the Sguil Reports with BIRT HOWTO page authored by Hanashi. BIRT is a very flexible package for creating reports consisting of both table and chart elements, which is ideal for presenting Network Security Monitoring (NSM) data to both analysts and managers. When it is used to run reports (as opposed to creating or editing new report designs), BIRT runs as a Java applet under control of an application server such as Tomcat or JBoss. The report designs are simply XML files, which means that they are easy to distributed and modify.
You can have sguild automatically categorize events by editing the autocat.conf file on the sguild server. These event will have a status automatically assigned to them and will not appear in any analyst's console. Analysts can query for "auto-catted" events by selecting the "Auto Cats" global standard query. In order to have sguild reload the autocat.conf file, send a -HUP signal to the sguild process. A HUP will only effect future events, if you want to auto-cat previously received events, sguild must be restarted.
The up/down arrows can be used to select previous/next event in the pane. <Esc> will unselect all options (dns, whois, packet date, etc) at once.
Help or Suggestions
Check the Sguil Help page. Subscribe and post to the sguil-users list at http://lists.sourceforge.net/lists/listinfo/sguil-users or visit #snort-gui on irc.freenode.net.
bamm _at_ sguil.net