Five Ways Sguil is Different

On Wednesday I mentioned that a chapter from my book appeared in a new form at Informit.com. A snort-users reader asked how Sguil differed from ACID and BASE. In short, there are five reasons:

1. Sguil is a real-time interface to Snort alerts (and more).
2. Sguil is a Snort alert management system with integrated analyst accountability features.
3. Sguil offers growing alert handling capabilities.
4. Sguil is built to minimize "window management," "form management," and other non-analytical tasks.
5. Most importantly, Sguil is not limited to investigating events using Snort alert data alone.

To read explanations of each point, please see my response to the snort-users mailing list. You'll also find in that message three "features" that are not present in Sguil.

I should have mentioned that Sguil is the single tool most likely to provide analysts with the information they need to make a decision. With Sguil, a Snort alert is not the end of the investigation -- it's only the beginning.

Comments

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics