This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
Sguil. SourceForge.Net says Sguil is "built by network security analysts for network security analysts." Its goal is to be the only console an NSM practitioner needs, and its use continues to grow, as evidenced by ongoing feature enhancements (Modsec2sguil) and an NSMWiki. Some find Sguil a challenge to install, configure and stabilize, but Knoppix-NSM eliminates those issues by offering a fully configured instance ready for immediate analysis.

Web-based consoles typically display alerts by count rather than severity. This can be very problematic when a highly critical alert occurs only one or two times. Sguil has no such shortcoming because "access to each sort of data is immediate and interconnected, allowing fast retrieval of pertinent information," wrote Bejtlich in The Tao of Network Security Monitoring.
Unlike Web-based consoles like BASE, Sguil is fast and makes it easy to spot potentially dangerous events.
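To make the count-versus-severity point concrete, here is an added Python example (not code from the article or from the Sguil project) that parses constructed Snort fast-format alert lines and ranks the signatures both ways; the rule ids, messages and traffic are invented, and the point is that a count-first view buries the single priority-1 hit while a severity-first view surfaces it.

```python
import re

# Constructed sample rule set (sid, message, priority, occurrences); not real rules.
SAMPLE_SPEC = [
    ("1000001", "TEST ICMP ping sweep", 3, 6),
    ("1000002", "TEST SSH login failures", 2, 3),
    ("1000003", "TEST web server spawning outbound shell", 1, 1),
]

# Pulls the signature id, message and priority out of a Snort "fast" alert line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?\[Priority: (?P<prio>\d+)\]"
)

def build_sample_log(spec):
    """Render the constructed spec as fast-format alert lines (invented traffic)."""
    lines = []
    for sid, msg, prio, n in spec:
        for i in range(n):
            lines.append(
                f"10/15-09:0{i}:00.000000  [**] [1:{sid}:1] {msg} [**] "
                f"[Classification: TEST] [Priority: {prio}] {{TCP}} "
                f"10.0.0.{i + 1}:40000 -> 10.0.0.100:80"
            )
    return "\n".join(lines)

def parse_alerts(text):
    """Extract (sid, msg, priority) per line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((m["sid"], m["msg"], int(m["prio"])))
    return alerts

def summarize(alerts):
    """Aggregate per signature: message, priority and how many times it fired."""
    summary = {}
    for sid, msg, prio in alerts:
        entry = summary.setdefault(sid, {"msg": msg, "priority": prio, "count": 0})
        entry["count"] += 1
    return summary

def rank_by_count(summary):
    """Count-first view: the noisiest signatures land on top."""
    return [e["msg"] for e in sorted(summary.values(), key=lambda e: -e["count"])]

def rank_by_severity(summary):
    """Severity-first view: priority 1 is most severe; count only breaks ties."""
    return [e["msg"] for e in sorted(summary.values(),
                                     key=lambda e: (e["priority"], -e["count"]))]
```

Run `rank_by_count` and `rank_by_severity` over `summarize(parse_alerts(build_sample_log(SAMPLE_SPEC)))`: the outbound-shell alert is last in the first list and first in the second.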
This was first published in October 2007