Written By Analysts, For Analysts

Current Version: Sguil 0.9.0

04 Apr 2014 - Sguil 0.9.0 Released!

Shhhhh, don't tell Richard or he will give me crap for this not being a 1.0. I am thinking version 0.9.99999999999 is gonna be the bomb.

This release includes some bugfixes, a wizard for adding autocat rules, and an interface for viewing current autocat rules. Event selections are now pushed to all connected clients and the selector's ID is displayed in peers ST column of the selected event. Sending "who" in the User Msgs window will display a list of connected users, their user id, and what event they have currently selected. Custom URLs to open based on the SID can now be defined in your sguil.conf.

Go out and download Sguil 0.9.0. Install it. Test it. Break it. Find some bad guys. And let me know if the clicky clicky no worky worky.


24 Oct 2013 - Hello GitHub

By popular demand, I have switched the source repository to git and github. Things are slowly migrating this way and I am still trying get comfortable with git and github. I also changed the license of Sguil from QPL to the GPLv3.


29 May 2011 - Sguil 0.8.0 Released!

Okay, new direction. Time has been escaping me and Sguil development has suffered. When I do have time to spend on Sguil, I would rather be adding new features and fixing bugs versus testing installs and writing documentation. So starting with this release, I am going to focus on getting code out the door and hope our small community will document their experiences through blogs, wikis, mailing lists, tweets, and #snort-gui.

Go out and download Sguil 0.8.0. Install it. Test it. Break it. And find some bad guys.


25 January 2010 - I'm not dead yet

But the demo server is. Well, it is not dead, just in an unpacked box (we moved from Colorado to Western Michigan recently). Seriously. I apologize for the lack updates over the last two years (ouch). The project is not dead, just on hiatus. I have been busy with a huge deployment (over 100 sensors on ~80 appliances) and cannot wait to add what we have learned. Stay tuned.


26 March 2008 - Updated Modsec2Sguil

Victor Julien writes:

I've updated the Modsec2sguil agent to work with the latest release. Also, it contains support for ModSecurity 2.5.x contributed by Ryan Cummings.

Get it here: http://www.inliniac.net/modsec2sguil/

Cheers, Victor

26 March 2008 - Bugs!

Well, that didn't take too long. Found a bug with the way the client parses messages for display in the "User Messages" tab. It has been fixed in CVS and a simple diff can be found here. A patched release will follow.

25 March 2008 - Sguil Version 0.7.0 Released

It has been a couple of years of changes and bugfixes since the last release. The biggest change is the replacement of the sensor agent with individual components for each collection type. The new agents are called snort_agent.tcl, pcap_agent.tcl, and sancp_agent.tcl. By splitting out the agents, collection for these different data types can be placed on separate hardware and still be correlated via their "NET_NAME".

A new collection agent for PADS is also included in this release although it is still considered beta. Also included is an example_agent.tcl script that documents how custom agents can be created. Other agents have been written for ModSecurity and OSSEC.

As always, help can be found on the sguil-users mailing list or in IRC on #snort-gui via irc.freenode.net.

David Bianco has provided a great HOWTO and Rich Fifarek has created a yum repository that should be updated soon.

Thanks for everyone's help and happy F8ing,


21 March 2007 - Modsec2Sguil 0.7 Released

Victor Julien released version 0.7 of Modsec2sguil recently. Modsec2Sguil is a set of perl scripts to feed ModSecurity alerts to the Sguil NSM system. The main change of this release is that it adds support for alerts produced by ModSecurity 2.x, while 1.9.x remains to be supported. Next to this the conversion between ModSecurity’s severity and Snort’s priority was fixed, so alerts should show up in the right pane in Sguil again.

In future releases, we plan to add the capability for other projects to easily send events to Sguil.

19 March 2007 - Website Updated!

After a much too long hiatus, the Sguil website has been updated. We are using an open source template from Andreas Viklund. Also, Sguil version 0.7.0 is currently being tested in CVS and we plan to get a release candidate out soon!

24 March 2006 - Sguil 0.6.1 VM

Richard Bejtlich of TaoSecurity created another Sguil VM. This edition runs Sguil 0.6.1 on FreeBSD 5.4 and is described here.

13 February 2006 - Sguil 0.6.1 Released

Sguil-0.6.1 has been released. This release adds support for snort statistics, UNION queries, and GUI enhancements.

06 January 2006 - Sguil Client VM

Richard Bejtlich of TaoSecurity a new Sguil VM. This one has the client as well as the components in his first VM.

30 December 2005 - First Sguil VM

Richard Bejtlich of TaoSecurity has started creating virtual machines suitable for use in VMware Player. You can read about the creation of the first Sguil VM in Richard's blog. We've added a page on VMs for future work. The first VM is available here.