Snort mailing list archives

Re: Question about Sguil


From: Jaime Nebrera <jnebrera () redborder org>
Date: Fri, 20 Jun 2014 22:21:30 +0200

> I was just watching the youtube video, very nice...

:D

> It was hard for me to read any of the text in the GUI on the video,

In essence it is just 3 different views:

One is a dashboard you can build to match your needs

Then you have top-k views for each "Metadata variable" (you can see the
operator choosing the variables when going to the top right corner)

And then you have a raw view where you see aggregated events as they arrive,
again defining the variables you want to group by (this view has a very
nice flow visualization built dynamically based on the chosen variables)

> but was that a building schematic that I was seeing in the video? If so,
> that's pretty awesome!

Yes, we use geolocation. The building you are seeing is a bit different: it is
a heat map of users connected to a wireless network. To define their
position, we use MSE data from Cisco-specific equipment. From there we can
estimate the number of distinct users per minute using HyperLogLog
approximation. That part is more specific to Flow, but actually it would work
the same way for IPS if you could nail the position of the attacker that
well (we do cross info from both products, but again, using MSE).
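The "distinct users per minute using HyperLogLog approximation" mentioned in the reply is the kind of sketch that lets a dashboard count unique clients without keeping every identifier in memory, and sketches from separate sensors can be merged by taking the register-wise maximum. The following is an added example written for this archive page; it is not redBorder's code and assumes nothing about their pipeline. The flow records (timestamp plus client MAC) are constructed sample data, and the register count, hash function and per-minute bucketing are choices made here for illustration.

```python
import hashlib
import math
from collections import defaultdict


class HyperLogLog:
    """Minimal HyperLogLog cardinality sketch (64-bit hash, 2**p registers)."""

    def __init__(self, p=14):
        self.p = p
        self.m = 1 << p                       # number of registers
        self.registers = [0] * self.m
        # Bias-correction constant for m >= 128 (Flajolet et al.).
        self.alpha = 0.7213 / (1 + 1.079 / self.m)

    def add(self, item):
        """Record one observation of `item` (any string, e.g. a client MAC)."""
        h = int.from_bytes(hashlib.sha1(item.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)              # top p bits pick the register
        rest = h & ((1 << (64 - self.p)) - 1) # remaining bits give the rank
        rank = (64 - self.p) - rest.bit_length() + 1  # leading zeros + 1
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def merge(self, other):
        """Union of two sketches: register-wise max. Lets sensors sketch locally."""
        assert self.p == other.p
        self.registers = [max(a, b) for a, b in zip(self.registers, other.registers)]
        return self

    def count(self):
        """Estimated number of distinct items seen so far."""
        z = sum(2.0 ** -r for r in self.registers)
        est = self.alpha * self.m * self.m / z
        if est <= 2.5 * self.m:               # small-range: linear counting
            zeros = self.registers.count(0)
            if zeros:
                est = self.m * math.log(self.m / zeros)
        return int(round(est))


def estimate_distinct(items, p=14):
    """Convenience wrapper: distinct-count estimate for an iterable of strings."""
    hll = HyperLogLog(p)
    for item in items:
        hll.add(item)
    return hll.count()


# Constructed sample flow records: (ISO timestamp, client MAC). Not real data.
SAMPLE_RECORDS = [
    ("2014-06-20T22:00:05", "ac:de:48:00:00:01"),
    ("2014-06-20T22:00:09", "ac:de:48:00:00:02"),
    ("2014-06-20T22:00:31", "ac:de:48:00:00:01"),  # same client seen again
    ("2014-06-20T22:01:02", "ac:de:48:00:00:03"),
    ("2014-06-20T22:01:45", "ac:de:48:00:00:03"),
    ("2014-06-20T22:01:50", "ac:de:48:00:00:04"),
    ("2014-06-20T22:01:59", "ac:de:48:00:00:05"),
]


def distinct_users_per_minute(records, p=14):
    """Group records by minute (YYYY-MM-DDTHH:MM) and keep one sketch per bucket."""
    buckets = defaultdict(lambda: HyperLogLog(p))
    for ts, client in records:
        buckets[ts[:16]].add(client)
    return {minute: hll.count() for minute, hll in sorted(buckets.items())}


if __name__ == "__main__":
    for minute, n in distinct_users_per_minute(SAMPLE_RECORDS).items():
        print(minute, "distinct clients ~", n)
```

With 2**14 registers the sketch costs a few kilobytes per minute bucket regardless of how many clients appear, and the relative error for large counts is roughly 1.04/sqrt(m), about 0.8% here; at very small counts the linear-counting branch keeps the estimate close to exact.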
