Open Source Visualization & Analytics
Today's threat landscape demands that you have all the available tools in your arsenal. Whether you are using the latest commercial, custom or open source tools, SentryWire is your platform. SentryWire comes bundled with Security Onion, providing you with the most advanced open source tools for intrusion detection, network security monitoring, and log management.
What is Included
SGUIL (pronounced sgweel) - Out of the box, this is a feature-rich graphical user interface which provides real-time access to events, session data and packet data captured by SNORT or SURICATA IDS systems. SGUIL facilitates the practice of Network Security Monitoring and event-driven analysis. This functional and integration specification will detail how to leverage SNORT and SURICATA by replaying PCAP files and sending session data from the SentryWire to SGUIL.
Enterprise Log Search and Archive (ELSA) - is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web (Holste, 2012). ELSA's integration with SentryWire will provide a SIEM alternative (think ArcSight and Splunk).
SQUERT - is a web-based application designed to query the SGUIL database and retrieve IDS alert data. It provides additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets (Halliday 2011). SQUERT is not a replacement for the SGUIL client, and it is not intended to be a real-time or near real-time event console. It is merely an additional tool in the forensics professional's toolbox.
SNORT - is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, it is the most widely deployed IDS/IPS technology worldwide (Snort 2012). The success of SentryWire-SNORT is key to providing IPS at line speed.
The SentryWire-Snort pairing can provide real-time firewalling of cyberattacks. This is accomplished by the ability of the SentryWire to route a segment of ongoing traffic to an "inline" SNORT or SURICATA so that it can terminate the session.
OSSEC - is an open source Host-based Intrusion Detection System (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows (OSSEC, 2012).
PADS - is a passive asset detection system. It listens to a network and attempts to provide an up-to-date view of the hosts and services running on the network. The application operates invisibly and will never release a packet onto the network (Source Forge, 2005). PADS brings a little bit of asset management to the SentryWire analytical node by recording and identifying assets seen on the network without actively "scanning" a system.
Network Miner - is one of the analytical tools in the network security professional's toolbox, and it is integrated with SGUIL. Network Miner can be invoked from the SGUIL user interface to provide analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.