The only keys that should kill the GUI are ^c in the terminal you spawned it from or whatever your "Quit" key is on your OS (e.g., command-q on OS X). Anything else is a bug. I also found a bug during DefCon where it would quit if you clicked on something other than a slug.
As far as color, the cubes start with a base color, which is changed based on their security zone (to make them easy to differentiate) and then shaded according to their OS (right now I think it's just Linux, Windows, Solaris, and "Unknown"). These are in build.py. The slug color corresponds to its cube so you can make a visual correspondence between slug and target. Unless it's defined as a "SensitiveConnection" (which is a Bro term), then it's red. This is arbitrary; there really should be an entry in the config file where you can define what categories turn red.
Finally, the tunnels (currently ssh or Oracle SQL*Net connections) are yellow if they are unencrypted, black if they are encrypted. This should really be changed so that any still-open connection is a tunnel and turns to a slug after it closes - which would be easy with Bro, but I'm not sure how snort handles termination of TCP connections.
Based on some feedback:
The only keys that should kill the GUI are ^c in the terminal you spawned it from or whatever your "Quit" key is on your OS (e.g., command-q on OS X). Anything else is a bug. I also found a bug during DefCon where it would quit if you clicked on something other than a slug.
As far as color, the cubes start with a base color, which is changed based on their security zone (to make them easy to differentiate) and then shaded according to their OS (right now I think it's just Linux, Windows, Solaris, and "Unknown"). These are in build.py. The slug color corresponds to its cube so you can make a visual correspondence between slug and target. Unless it's defined as a "SensitiveConnection" (which is a Bro term), then it's red. This is arbitrary; there really should be an entry in the config file where you can define what categories turn red.
Finally, the tunnels (currently ssh or Oracle SQL*Net connections) are yellow if they are unencrypted, black if they are encrypted. This should really be changed so that any still-open connection is a tunnel and turns to a slug after it closes - which would be easy with Bro, but I'm not sure how snort handles termination of TCP connections.
I'm working on a full bug / ToDo list.