Monday, November 13, 2006

Sguil - Tips of Da Day

Someone asked me about Sguil and raised an interesting question. Sguil lets you retrieve most of the data you want, since it collects it in every form you need for your analysis process. But what if you have to monitor a heavily loaded network (gigabit links, or perhaps a WAN environment) where the volume of traffic is tremendous?

The first thing that comes to mind is BPF filtering. Reducing noise and collecting only what you really need lightens your workload and shortens your analysis time, but the risk is that you filter out the very traffic you may later want badly.

BPF filtering is not your only option. If you still want to run Sguil on a heavily loaded network, you can reduce the level of visibility by turning off full-content (pcap) logging. This is not as bad as it sounds, because you still have session/flow data in hand, which lets you analyse and understand the connections between source and destination hosts.

Both choices come down to log_packets.sh, the full-content capture script that ships in the Sguil source tarball: you can either tune its BPF filter or not run it at all when you don't have enough disk storage for full-content data. That takes away some of Sguil's functions (you can no longer pull up the packet payloads behind an alert), but you can still carry out the necessary steps to monitor network security on a high-speed network.
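The decision above, as an added example that is not part of Sguil, log_packets.sh or the original post: a small POSIX shell script that estimates how much disk full-content logging would eat per day, picks full-content or session-only mode from that, and assembles a BPF expression that drops known bulk flows so everything else still gets captured. The link speed, utilisation, disk size, retention and the excluded flows (an rsync backup host, MySQL replication between two database servers) are constructed figures, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of Sguil or log_packets.sh.
# Decide between full-content capture and session-only visibility for a
# sensor, and build the BPF filter that trims known bulk traffic.

# Full-content storage in GB per day for a $1 Mbit/s link running at
# $2 percent average utilisation. 1 Mbit/s is 125000 bytes/s, so
# bytes/day = mbps * 125000 * 86400 * util/100 = mbps * util * 108000000;
# dividing by 10^9 gives GB. POSIX sh only has integer arithmetic, so the
# result is truncated to whole GB.
estimate_gb_per_day() {
    echo $(( $1 * $2 * 108 / 1000 ))
}

# Print "full" if a disk of $3 GB holds $4 days of capture at the rate
# estimated from $1 Mbit/s and $2 percent utilisation, otherwise
# "session-only" (do not run log_packets.sh, rely on session data).
capture_mode() {
    need=$(( $(estimate_gb_per_day "$1" "$2") * $4 ))
    if [ "$need" -le "$3" ]; then
        echo full
    else
        echo session-only
    fi
}

# Join each argument (a BPF primitive such as 'host 10.0.0.5 and port 873')
# into one expression that excludes those flows and keeps everything else.
# With no arguments the result is empty, meaning "capture everything".
build_bpf() {
    filter=""
    for clause in "$@"; do
        if [ -z "$filter" ]; then
            filter="not ($clause)"
        else
            filter="$filter and not ($clause)"
        fi
    done
    echo "$filter"
}

# Constructed scenario: a 1 Gbit/s link averaging 30 percent busy, 2000 GB
# of sensor disk, one day of retention wanted. The excluded flows are an
# rsync backup server and MySQL replication between two database hosts.
LINK_MBPS=1000
UTIL_PCT=30
DISK_GB=2000
KEEP_DAYS=1

echo "estimated full-content volume: $(estimate_gb_per_day $LINK_MBPS $UTIL_PCT) GB/day"
echo "mode: $(capture_mode $LINK_MBPS $UTIL_PCT $DISK_GB $KEEP_DAYS)"
echo "filter: $(build_bpf 'host 10.0.0.5 and port 873' 'host 10.0.1.10 and host 10.0.1.11 and port 3306')"
```

For the constructed scenario the script reports about 3240 GB/day, so on 2000 GB of disk it answers "session-only"; drop the utilisation to a 100 Mbit/s link at 20 percent and the same disk holds a week of full content. The filter string is what you would hand to log_packets.sh's BPF setting (wherever your Sguil version keeps it); run the same expression through tcpdump against a short sample capture first, so a typo does not silently blank your full-content logs.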

So whoever thinks Sguil can't survive big networks should think again!

Cheers (;])
