- MySQL's MERGE storage engine is used. The MERGE storage engine, also known as the MRG_MyISAM engine, is a collection of identical MyISAM tables that can be used as one. All Snort alerts and SANCP session data is now stored in MERGE tables, resulting in better scalability and performance. Sguil author Bamm Visscher reports "I went from being able to keep ~6 million rows to >300 million rows."
- All sensor communication is performed through sensor_agent.tcl. This allows Sguil to be seemingly one of the few programs that respects the new licensing of MySQL under the GPL.
- Support for Snort's sfPortscan function has been added. Users no longer need to patch and use the portscan preprocessor.
- Increased use of tabs for window management provides better access to new information like sensor status.
Barring unforeseen issues, Sguil 0.6.0-RC2 will be released soon as 0.6.0. If you'd like to test the RC2, please download it.
I plan to create a VM image using FreeBSD 6.0 RELEASE and Sguil 0.6.0, suitable for use in VMware Player.