Thursday, January 12, 2006

post-HRSUG

Last night's HRSUG meeting went pretty well. David used us as guinea pigs, trying his presentation on us prior to the "formal" presentation on Saturday at Shmoo. It was enough to rekindle my interest in Sguil, something that had died a painful death years ago due to extreme difficulty in getting all of its components up and running.

There are now two easy ways to get Sguil up and running: the VM (blogged previously) and InstantNSM, which is a bundling of the usual components in one package.

One thing to keep in mind: this is a security monitoring tool, not a Snort event browser. The difference (beyond the quantity of the data and the number of tools providing input, since Snort is not the only source) is that Sguil is a way to manage those events, i.e., categorize them, escalate them, or correlate them.