Snort mailing list archives
Re: Question about Sguil
From: Matt Martin <MMartin () jwpepper com>
Date: Fri, 20 Jun 2014 20:27:40 +0000
Very cool Jaime… I’ll be looking forward to your finished product once completed… Hopefully you can post something to the list once you guys put the new project out there! Personally, I’m a very visual person, so that “Geolocation” stuff seems pretty awesome. Well thanks for the info, and good luck with the project!

Thanks Again,
Matt

From: Jaime Nebrera [mailto:jnebrera () redborder org]
Sent: Friday, June 20, 2014 4:22 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question about Sguil
I was just watching the youtube video, very nice...
:D
It was hard for me to read any of the text in the GUI on the video,

In essence it is just 3 different views:
- One is a dashboard you can build to match your needs.
- Then you have top-k views for each "Metadata variable" (you can see the operator choosing the variables when going to the top right corner).
- And then you have a raw view where you see aggregated events as they arrive, again defining the variables you want to group by (this view has a very nice flow visualization built dynamically based on chosen variables).

but was that a building schematic that I was seeing in the video? If so, that’s pretty awesome!

Yes we use geolocation. The building you are seeing is a bit different, it is a heat map of users connected to a wireless network. To define its position, we use MSE data from Cisco specific equipment. From there we can estimate the number of distinct users per minute using Hyperloglog approximation. That part is more specific from Flow but actually would work the same way for IPS if you could nail that well the position of the attacker (we do crossing info from both products, but again, using MSE).
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
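The "distinct users per minute using Hyperloglog approximation" that Jaime mentions above is a standard cardinality-estimation technique, and the example below, added here and not code from the thread or from the redborder project, shows how it works end to end: a minimal HyperLogLog sketch (64-bit hash, 2^p registers, harmonic-mean estimator with the linear-counting fallback for small sets) fed by constructed wireless-association log lines and grouped by minute. The log format, the MAC addresses and the `distinct_per_minute` helper are assumptions made for the example; the sketch size `p=10` (1024 registers, roughly 3% standard error) is an illustrative choice.

```python
import hashlib
import math
from collections import defaultdict


class HyperLogLog:
    """Minimal HyperLogLog (Flajolet et al.) for approximate distinct counts.

    Memory is fixed at 2**p small registers regardless of how many items are
    added, which is what makes it practical for per-minute counters on a
    high-volume sensor feed.
    """

    def __init__(self, p: int = 10):
        self.p = p
        self.m = 1 << p
        self.registers = [0] * self.m
        # Bias-correction constant for m >= 128.
        self.alpha = 0.7213 / (1 + 1.079 / self.m)

    def add(self, item: str) -> None:
        # 64-bit hash: top p bits pick a register, the rest feed the rank.
        h = int.from_bytes(hashlib.sha1(item.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)
        rest = h & ((1 << (64 - self.p)) - 1)
        # Rank = 1-based position of the leftmost 1-bit in the remaining bits.
        rank = (64 - self.p) - rest.bit_length() + 1
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def merge(self, other: "HyperLogLog") -> "HyperLogLog":
        # Register-wise max gives the sketch of the union of both input sets.
        out = HyperLogLog(self.p)
        out.registers = [max(a, b) for a, b in zip(self.registers, other.registers)]
        return out

    def count(self) -> float:
        raw = self.alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        if raw <= 2.5 * self.m:
            zeros = self.registers.count(0)
            if zeros:
                # Linear counting is more accurate for small cardinalities.
                return self.m * math.log(self.m / zeros)
        return raw


# Constructed sample log lines (assumed format): "<ISO timestamp> <ap> <client MAC>".
SAMPLE_LOG = """\
2014-06-20T16:22:05Z ap01 aa:bb:cc:dd:ee:01
2014-06-20T16:22:09Z ap01 aa:bb:cc:dd:ee:02
2014-06-20T16:22:40Z ap02 aa:bb:cc:dd:ee:01
2014-06-20T16:22:51Z ap02 aa:bb:cc:dd:ee:03
2014-06-20T16:23:02Z ap01 aa:bb:cc:dd:ee:04
2014-06-20T16:23:30Z ap01 aa:bb:cc:dd:ee:04
"""


def distinct_per_minute(log_text: str, p: int = 10) -> dict:
    """Return {minute: estimated distinct client MACs} using one sketch per minute."""
    sketches = defaultdict(lambda: HyperLogLog(p))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _ap, mac = line.split()
        minute = ts[:16]  # "2014-06-20T16:22" -> one bucket per minute
        sketches[minute].add(mac)
    return {minute: sk.count() for minute, sk in sketches.items()}


if __name__ == "__main__":
    for minute, est in sorted(distinct_per_minute(SAMPLE_LOG).items()):
        print(f"{minute}  ~{est:.1f} distinct clients")
```

In the sample, minute 16:22 sees three distinct MACs (one of them twice) and minute 16:23 sees one MAC twice, so the estimates land at about 3 and 1; duplicates never raise the count, and sketches from several sensors for the same minute can be combined with `merge` before estimating, which is the property that lets the count be distributed without shipping raw client lists.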
Current thread:
- Re: Question about Sguil, (continued)
- Re: Question about Sguil Doug Burks (Jun 20)
- Re: Question about Sguil Jeremy Hoel (Jun 20)
- Re: Question about Sguil Matt Martin (Jun 20)
- Re: Question about Sguil Doug Burks (Jun 20)
- Re: Question about Sguil Jeremy Hoel (Jun 20)
- Re: Question about Sguil Matt Martin (Jun 20)
- Re: Question about Sguil Jaime Nebrera (Jun 20)
- Re: Question about Sguil Matt Martin (Jun 20)
- Re: Question about Sguil Jaime Nebrera (Jun 20)
- Re: Question about Sguil Matt Martin (Jun 20)
- Re: Question about Sguil Jaime Nebrera (Jun 20)
- Re: Question about Sguil Matt Martin (Jun 20)
- Re: Question about Sguil Jaime Nebrera (Jun 21)
- Re: Question about Sguil Matt Martin (Jun 20)
- Re: Question about Sguil Matt Martin (Jun 20)
- Re: Question about Sguil Doug Burks (Jun 20)
- Re: Question about Sguil Matt Martin (Jun 20)