Network Instruments GigaStor 114ff User Manual

Page 101


Forensic Analysis Profile field descriptions

Chapter 6 Forensic Analysis using Snort


rev. 1

Table 8 Forensic Analysis Profile Settings tab

Field

Description

Settings Profile

Settings Profiles provide a mechanism to save and load different preprocessor
settings, and share them with other Observer consoles.

IP Flow

Packets belong to the same IP flow if they share the same layer 3 protocol, and also
share the same source and destination addresses and ports. If this box is checked,
forensic analysis identifies IP flows (also known as conversations), allowing Snort
rules to isolate packets by direction and connection state via the flow option. If this
pre-processor is disabled, flow keywords are ignored, but the rest of the rule is
processed. The remaining settings allow you to throttle flow analysis by limiting the
number of flows tracked, and by decreasing the time window within which a flow is
considered active.
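The two throttling controls described above, a cap on tracked flows and an inactivity window, are easiest to understand by watching what happens to packets once the table is full or a flow has gone quiet. The following flow table is an added illustration written for this page, not Observer's or Snort's own code: the class and method names are hypothetical, the packet tuples are constructed, and timestamps are plain floats. Both directions of a conversation map to one canonical key, and each packet is tagged relative to the flow's initiator, which is what a rule's flow:to_server / flow:to_client keyword needs; a packet whose flow cannot be tracked gets no direction at all, mirroring the manual's note that flow keywords are then ignored.

```python
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

# Canonical 5-tuple: protocol plus both endpoints in sorted order, so that
# packets travelling in either direction land on the same flow entry.
FlowKey = Tuple[str, str, int, str, int]


class FlowTable:
    """Hypothetical flow tracker: bounded size, LRU eviction on inactivity."""

    def __init__(self, max_flows: int, timeout: float) -> None:
        self.max_flows = max_flows      # "limit the number of flows tracked"
        self.timeout = timeout          # "time window within which a flow is active"
        self.flows: "OrderedDict[FlowKey, Dict]" = OrderedDict()  # oldest activity first
        self.dropped = 0                # new flows refused because the table was full

    def _expire(self, now: float) -> None:
        # Entries are kept ordered by last activity, so expiry only looks at the head.
        while self.flows:
            _, state = next(iter(self.flows.items()))
            if now - state["last"] <= self.timeout:
                break
            self.flows.popitem(last=False)

    def observe(self, now: float, proto: str, src: str, sport: int,
                dst: str, dport: int) -> Optional[str]:
        """Record one packet; return its direction, or None if the flow is untracked."""
        self._expire(now)
        a, b = (src, sport), (dst, dport)
        key: FlowKey = (proto,) + (a + b if a <= b else b + a)
        state = self.flows.get(key)
        if state is None:
            if len(self.flows) >= self.max_flows:
                self.dropped += 1        # table full: flow keywords cannot match this packet
                return None
            state = {"initiator": (src, sport), "last": now}
            self.flows[key] = state
        else:
            self.flows.move_to_end(key)  # refresh LRU position
            state["last"] = now
        return "to_server" if (src, sport) == state["initiator"] else "to_client"


# Constructed sample traffic: (timestamp, proto, src, sport, dst, dport).
SAMPLE_PACKETS = [
    (0.0,  "tcp", "10.0.0.5", 40001, "10.0.0.9", 80),    # flow 1, client to server
    (0.1,  "tcp", "10.0.0.9", 80,    "10.0.0.5", 40001), # flow 1, server reply
    (1.0,  "tcp", "10.0.0.6", 40002, "10.0.0.9", 80),    # flow 2
    (2.0,  "tcp", "10.0.0.7", 40003, "10.0.0.9", 80),    # flow 3: table already full
    (40.0, "tcp", "10.0.0.7", 40003, "10.0.0.9", 80),    # same flow after the others idled out
]


def run(packets=SAMPLE_PACKETS, max_flows: int = 2,
        timeout: float = 30.0) -> Tuple[List[Optional[str]], int]:
    """Feed the sample through a table limited to max_flows entries and timeout seconds."""
    table = FlowTable(max_flows, timeout)
    return [table.observe(*pkt) for pkt in packets], table.dropped


if __name__ == "__main__":
    directions, dropped = run()
    for pkt, d in zip(SAMPLE_PACKETS, directions):
        print(f"t={pkt[0]:5.1f} {pkt[2]}:{pkt[3]} -> {pkt[4]}:{pkt[5]}  {d}")
    print("untracked new flows:", dropped)
```

With a two-flow limit the third conversation is refused until the first two exceed the 30-second inactivity window, at which point they are evicted and the refused flow is tracked normally. Lowering either setting saves memory on a busy capture but, as the sample shows, also makes some packets invisible to direction-aware rules; the dropped counter is the number to watch when tuning.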

IP Defragmentation

Some types of attacks use packet fragmentation to escape detection. Enabling this
preprocessor causes forensic analysis to identify and reconstruct fragmented
packets based on the specified fragment reassembly policy. Rules are then run
against the reconstructed packets during forensic analysis. The fragment
reassembly policy mimics the behavior of various operating systems in what to do
when ambiguous fragments are received. Choose the policy to match the OS of the
server (or servers) being monitored (see the table below). If the buffer contains
traffic targeting hosts with different operating systems, use post-filtering to isolate
the traffic before forensic analysis so that you can apply the correct policy.

Defragmentation Policy is:

BSD = AIX, FreeBSD, HP-UX B.10.20, IRIX, IRIX64, NCD Thin Clients, OpenVMS, OS/2,
OSF1, SunOS 4.1.4, Tru64 Unix, VAX/VMS

Last data in = Cisco IOS

BSD-right = HP JetDirect (printer)

First data in = HP-UX 11.00, MacOS, SunOS 5.5.1 through 5.8

Linux = Linux, OpenBSD

Solaris = Solaris

Windows = Windows (95/98/NT4/W2K/XP)

Refer to www.snort.org for more detailed version-specific information. The
remaining options allow you to enable logging of alerts and reconstruction
progress, limit the number of active packet fragments to track, and change the
length of fragment inactivity that causes the fragment to be dropped from analysis.

TCP Stream Reassembly

Another IDS evasion technique is to fragment the attack across multiple TCP
segments. Because hackers know that IDS systems attempt to reconstruct TCP
streams, they use a number of techniques to confuse the IDS so that it reconstructs
an incorrect stream (in other words, the IDS processes the stream differently from
that of the intended target). As with IP fragmentation, forensic analysis must be
configured to mimic how the host processes ambiguous and overlapping TCP
segments, and to account for the topology between attacker and target, in order to
accurately reassemble the same stream that landed on the target. Reassembly options
are described below:
