Friday, July 18, 2003

Sguil 0.2.5 on Windows

Want to become an "F8 monkey?" My friend Bamm Visscher released sguil 0.2.5 yesterday. Sguil is an interface to the Snort intrusion detection engine. By combining Snort with other code, it brings Snort closer to being an implementation of "network security monitoring," and not simply "intrusion detection."


Bamm has made a demo Sguil server available. Here's a step-by-step guide to installing the Sguil client on Windows, so you can access the Sguil server at Bamm's office.


1. Download and install the latest version of ActiveTCL. Below you see I downloaded the ActiveTCL 8.4.3.0 Windows package. I installed it in "C:\Program Files\tcl".




2. Next, download the sguil-client-0.2.5.zip archive from Sourceforge:




3. Extract the contents of the .zip file. I extracted mine to "C:\Program Files\sguil". Once on your hard drive, edit the sguil.conf file located in the "C:\Program Files\sguil\sguil-0.2.5\client\" directory. Make the change as highlighted below to set your Sguil server to Bamm's office machine at bamm.dyndns.org:




4. Now you need to associate the sguil.tk Tcl application with the Tcl interpreter. This will allow you to double-click on the sguil.tk file in "C:\Program Files\sguil\sguil-0.2.5\client\" and launch the application. In the Windows Explorer, right-click on sguil.tk and select Properties:




5. You will see a button which says "Change". This allows you to associate the sguil.tk file with a new application. The screen shot shows mine associated with WordPad. We want to change that, so find the associated title "Wish Application" and click "Ok" to associate .tk files with "Wish":




6. When you're done, sguil.tk will be associated with "Wish":




7. That's it! Double-click on "sguil.tk" in the "C:\Program Files\sguil\sguil-0.2.5\client\" directory and you will be prompted for a username and password. Enter the name by which you want to be identified and any password you want:




8. You will be prompted to choose a sensor. Click the 'reset' button (that's the sensor name) and then 'Start SGUIL'.




9. You should see a screen like the one below appear. If so, you're using Sguil!




10. This sensor is not monitoring the external interface of the bamm.dyndns.org network, so if you portscan or otherwise attack bamm.dyndns.org, it will not register on the Sguil interface. You can investigate the test alerts, though. For example, you can run a query on the source IP of the entry highlighted below by right-clicking on it:




Here are the results:




11. If you want to chat with other people using Sguil, select the "User Messages" tab and enter messages in the MSG: field. To see who is using Sguil, type 'who':




If you have questions, the Sguil authors hang out in #snort-gui on irc.freenode.net. Enjoy!