On Wednesday I mentioned that a chapter from my book appeared in a new form at Informit.com. A snort-users reader asked how Sguil differs from ACID and BASE. In short, there are five key differences:
1. Sguil is a real-time interface to Snort alerts (and more).
2. Sguil is a Snort alert management system with integrated analyst accountability features.
3. Sguil offers alert handling capabilities that continue to grow.
4. Sguil is built to minimize "window management," "form management," and other non-analytical tasks.
5. Most importantly, Sguil is not limited to investigating events using Snort alert data alone.
To read explanations of each point, please see my response to the snort-users mailing list. In that message you'll also find three "features" that are deliberately not present in Sguil.
I should have mentioned that Sguil is the single tool most likely to provide analysts with the information they need to make a decision. With Sguil, a Snort alert is not the end of the investigation -- it's only the beginning.