Categories

Archives

Integrating NetWitness and Sguil – Take Two

We have finished up our first round of testing against the modified version of the Sguil client (we have modified the 0.7.0 CVS version). Using the alert information displayed in the Sguil client we create a query and feed it into the NetWitness API through a vbscript which calls explorer.exe and passes it a NetWitness [...]

January 15th, 2010 | Tags: , , | Category: NetWitness, Sguil | Leave a comment

Fixing Barnyard2 Duplicate Database Entries With Sguil Output

Well the good folks over at SecurixLive.com have already fixed this and a few other little things and rolled it into their latest release of Barnyard2 v1.8-beta1. Go and get it!

We have identified an issue with Barnyard2 version 1.7 build 255 that causes duplicate entries to be created in the Sguil database. The issue was that the [...]

December 11th, 2009 | Tags: , , , | Category: Barnyard2, Sguil | Leave a comment

Integrating NetWitness and Sguil – Take One

We will be deploying NetWitness soon and we have been looking for how to leverage it for the packet capture portion of our new centralized Sguil deployment instead of sancp or daemonlogger. We have come up with a way, all be it a bit hackish, of modifying the Sguil client to allow you to view [...]

December 8th, 2009 | Tags: , , | Category: NetWitness, Sguil | Leave a comment

jSguil

We really do love Sguil, but the client and server lack a few desirable things. As far as I can tell, there is only one SQL connection shared between the server and all the clients connecting to it. Obviously if someone runs a SANCP query that is a little over the top, until it comes back [...]

December 1st, 2009 | Tags: , | Category: Sguil | One comment