What is Sguil used for?


Multiple Choice

What is Sguil used for?

Explanation:
Sguil is a console used to view and manage alerts produced by network security monitoring systems. In a network security monitoring setup, sensors like Snort generate alerts and log events, and Sguil provides a centralized, searchable interface that lets analysts see those alerts with details such as the signature, source and destination IPs, ports, and timestamps. It enables drilling down into individual events, pulling related evidence like PCAPs, and linking related alerts to build a coherent picture of what happened. Sguil also stores event data in a database, which supports correlation across multiple sensors, plus tagging, annotation, and case tracking to support incident response workflows. This focus on viewing, triaging, and investigating alerts distinguishes it from other tools: it’s not a firewall appliance, not a vulnerability scanner, and not a web proxy.
