Network Instruments GigaStor 114ff User Manual

Page 102

Forensic Analysis Profile field descriptions
Chapter 6 Forensic Analysis using Snort

rev. 1

TCP Stream Reassembly (Continued)

• Log preprocessor events—Checking this box causes forensic analysis to write all activity generated by the TCP stream reassembly preprocessor to the log.

• Maximum active TCP streams tracked—If this value is set too high given the size of the buffer being analyzed, performance can suffer because of memory consumption. If this value is set too low, forensic analysis can be susceptible to denial of service attacks on the IDS itself (i.e., the attacker first exhausts the IDS's allocation of simultaneous sessions and then carries out the attack on the target).

• Drop TCP streams inactive for this duration—A TCP session is dropped from analysis as soon as it has been closed by an RST message or FIN handshake, or after the inactivity time-out threshold has been reached. Exercise caution when adjusting the time-out, because attackers can use TCP tear-down policies (and the differences between how analyzers and various operating systems handle inactivity) to evade detection.

• TTL delta alert limit—Some attackers depend on knowledge of the target system's location relative to the IDS to send different streams of packets to each by manipulating TTL (Time To Live) values. Any large swing in TTL values within a stream segment can be evidence of this kind of evasion attempt. Set the value too high, and analysis will miss these attempts. Set the value too low, and analysis can produce excessive false positives.

• Overlapping packet alert threshold—The reassembly preprocessor generates an alert when more than this number of packets within a stream have overlapping sequence numbers.

• Process only established streams—Check this box if you want analysis to recognize only streams that were established within the given packet capture.

• Reconstruct Client to Server streams—Check this box to have analysis reconstruct the client-to-server direction of each stream (the data received by servers).

• Reconstruct Server to Client streams—Check this box to have analysis reconstruct the server-to-client direction of each stream (the data received by clients).

• Overlap method—Different operating systems resolve overlapping TCP segments in different ways, using one of these methods. Choose the method that matches the operating systems being monitored.

Table 8 Forensic Analysis Profile Settings tab (Continued), columns: Field, Description
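To make the interaction between the overlap method, the overlapping packet alert threshold and the TTL delta alert limit concrete, the following toy reassembler is an added example written for this page; it is not GigaStor or Snort code, and the segment data, the "first"/"last" policy names and the alert wording are constructed for illustration. It shows why the overlap method must match the monitored hosts: the same segments reassemble to different payloads depending on which overlapping bytes the analyzer trusts, and a sharp TTL swing inside the stream raises an alert.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes
    ttl: int        # IP TTL seen on the wire for this segment


@dataclass
class Stream:
    overlap_policy: str = "first"  # "first": keep the byte seen first; "last": newer data wins
    overlap_limit: int = 2         # alert once more than this many overlapping segments are seen
    ttl_limit: int = 5             # alert when TTL differs from the stream's first TTL by more than this
    data: Dict[int, int] = field(default_factory=dict)   # sequence offset -> byte value
    overlaps: int = 0
    first_ttl: Optional[int] = None
    alerts: List[str] = field(default_factory=list)


def process_segment(st: Stream, seg: Segment) -> Stream:
    """Apply the TTL delta check, count overlaps and merge payload under the overlap policy."""
    if st.first_ttl is None:
        st.first_ttl = seg.ttl
    else:
        delta = abs(seg.ttl - st.first_ttl)
        if delta > st.ttl_limit:
            st.alerts.append(f"TTL delta {delta} exceeds limit {st.ttl_limit} at seq {seg.seq}")

    span = range(seg.seq, seg.seq + len(seg.payload))
    if any(off in st.data for off in span):
        st.overlaps += 1
        if st.overlaps > st.overlap_limit:
            st.alerts.append(f"{st.overlaps} overlapping segments exceed threshold {st.overlap_limit}")

    for off, byte in zip(span, seg.payload):
        if off in st.data and st.overlap_policy == "first":
            continue            # earlier data is kept; the overlapping byte is ignored
        st.data[off] = byte     # new data, or newer data wins under the "last" policy
    return st


def reassemble(st: Stream) -> bytes:
    """Return the contiguous payload from the lowest offset up to the first gap."""
    if not st.data:
        return b""
    out = bytearray()
    off = min(st.data)
    while off in st.data:
        out.append(st.data[off])
        off += 1
    return bytes(out)


# Constructed sample: a client request in which one segment overlaps an earlier one
# with different bytes, followed by a segment whose TTL swings sharply.
SAMPLE = [
    Segment(1000, b"GET /in", 64),
    Segment(1007, b"dex", 64),
    Segment(1007, b"DEX", 64),        # same sequence range as the previous segment, different content
    Segment(1010, b".html", 64),
    Segment(1015, b" HTTP/1.0", 40),  # TTL 40 against 64 seen earlier: delta 24 exceeds the limit of 5
]


def run_sample(policy: str) -> Tuple[bytes, List[str]]:
    """Reassemble the constructed sample under the given overlap policy; return payload and alerts."""
    st = Stream(overlap_policy=policy)
    for seg in SAMPLE:
        process_segment(st, seg)
    return reassemble(st), st.alerts


if __name__ == "__main__":
    for policy in ("first", "last"):
        payload, alerts = run_sample(policy)
        print(policy, payload, alerts)
```

Running the sample under the "first" policy yields `GET /index.html HTTP/1.0`, while the "last" policy yields `GET /inDEX.html HTTP/1.0`; an analyzer configured for the wrong policy therefore inspects a different byte stream from the one the monitored host actually processed. Only one overlapping segment occurs, so with the threshold at 2 no overlap alert is raised, but the TTL check fires once for the final segment.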
